The emergence of Internet-connected devices also means new threats are continually evolving as attackers become more organized and determined. Threats to IoT cybersecurity make developing compliance requirements to achieve better security and adequate data protection more crucial.
With the number of IoT connections to reach 3.5 billion by 2023 and IoT technology spending to reach $1.2T in 2022, the Industrial Internet Consortium (IIC) agreed that global industries needed more tailored cybersecurity models for their IoT devices. The result was the development of the IoT Security Maturity Model (IoT SMM). Here are eight things you should know about the IoT SMM:
1. What is the Industrial Internet Consortium (IIC)?
The IIC is a membership program with a mission to accelerate the development and adoption of Industrial IoT machines and devices. The IIC unites 258 participating companies across 30 countries.
2. What is the IoT Security Maturity Model?
Frederick Hirsch is the Chair of the ICC Trustworthiness Task Group. He’s also the co-author of the IoT SMM. He describes the model as a guide that “gives organizations an informed understanding of the security practices and mechanisms applicable to their industry and scope of their IoT solution.” The framework helps organizations compare their current state of protection with the target state, identify the risks and threats they face, and implement security controls.
3. When was IoT SMM developed?
Development of the IoT SMM began in March 2017 as part of the IIC and was based on the ICC’s Industrial Security Framework, published in 2016. By February 2019, the IoT Security Maturity Model: Practitioner’s Guide was released.
4. What is the intention of the IoT Security Maturity Model?
The IoT SMM goal is to give organizations a guide for identifying practices and processes that need enhancement. Recognizing where the focus should be will allow providers to invest in the right cyber threat security mechanisms.
5. What requirements guided the IoT SMM?
The IoT SMM had to be actionable and show real-world applicability. It had to consider different business and implementation perspectives. The SMM had to be adaptable and extensible, mainly because the threat environment is constantly changing.
6. How is the IoT SMM structured?
The model can be broken down into three main security maturity domains: governance, the provision of security or enablement, and security hardening. These can be broken down further into sub-domains.
7. How is the security practice’s target established?
Identifying the target or goal within each security domain and its subdomains begins with establishing the overall goal. Each subdomain will have specific needs that need to be considered. Because each subdomain’s security practice should have a purpose, it should emphasize specific security needs and their contributions to that practice.
8. How does the IoT SMM measure security maturity?
Following the 4 steps below:
- The maturity model is able to map the business objectives to the specific levels of maturity and technology that you need,
- You pick a target for your scenario, you pick the level that you should be at and then a specialized lab could be brought in to do the assessment,
- You establish the current state and address the gaps,
- Finally, you take actions to close these gaps.
The protection method's effectiveness can be measured using two parameters: the implementation’s comprehensiveness and the specificity and scope of the approach. The first parameter involves how well the application is implemented and systemized. Its comprehensiveness is measured based on the consistency of security measures supporting the domains and their subdomains. The second parameter reflects on the customization potential for the specific industry and its domains and subdomains.