The Industrial Internet Consortium (IIC) today published a white paper to help companies meet industrial Internet of Things (IoT) security goals and prioritize spending on security tools and mechanisms.
The industrial IoT group, founded by AT&T, Cisco, GE, IBM, and Intel, in September 2016 released a common framework for security. At the time, the IIC said the next step would be to put the security framework into practice.
Today’s release is part one of that next step, said Sandy Carielli, white paper co-author and director of security technologies at Entrust Datacard. The new publication, titled “IIC IoT Security Maturity Model: Description and Intended Use,” introduces the IIC’s security maturity model, which defines levels of security maturity for a company to achieve based on its goals.
Part two, “The IIC Security Maturity Model: Practitioners Guide,” will be released in the coming months and will include technical guidance for assessing security maturity levels.
Not all IoT systems require the same security tools and procedures. “What you need to do for smart lightbulbs is pretty different from manufacturing floors,” Carielli said.
This framework allows individual industries and companies to determine their own security priorities. Security mechanisms and processes are deemed “mature” if they are expected to be effective in addressing those security goals.
This also helps companies focus their spending, Carielli said. “The security maturity model allows organizations to prioritize their security investments and have an ongoing roadmap — it doesn’t have to be ‘oh my god we have to do everything at once,’” she explained.
Organizations apply the model by following a process. First, business stakeholders define security goals and objectives, which are tied to risks. Technical teams within the organization, or third-party assessment vendors, then map these objectives into tangible security techniques and capabilities and identify an appropriate security maturity level. After this, organizations develop a security maturity target.
It’s an ongoing process, and companies should repeatedly compare the target to their current state to identify further improvements they can make, Carielli added. “We felt it was important for organizations to create a target they can consistently measure against and see where the gaps are between their desired target and actual state.”
The new white paper comes as major companies ramp up their IoT investments. Last week Microsoft pledged to spend $5 billion on IoT research and development over the next four years. In February Google said it reached a $50 million deal to buy IoT platform company Xively from LogMeIn. And Dell Technologies in October said it will create a new IoT division and funnel $1 billion over three years for IoT research and development.