Tag Archives: security

“IoT Security Maturity Model: 62443 Mappings for Asset Owners  and Product Suppliers” published

We have just published the IoT Security Maturity Model: 62443 Mappings for Asset Owners  and Product Suppliers white paper. This paper is a joint publication of the Industry IoT Consortium® (IIC™) and the International Society of Automation™ (ISA). Our collaboration has been a good experience and will continue. Next is planned an update to include Service Providers. The IIC press release has comments by some of the contributors.

This document extends our previously published technical report, the IoT Security Maturity Model (SMM): Practitioner’s Guide. That document describes the principles and process for setting targets and assessments for security maturity, breaking down the expanse of security concerns into eighteen practices in the three domains of governance, enablement and hardening. These practices include governance, technical and non-technical controls and operational aspects. This is shown in the following diagram from the Practitioner’s Guide:

SMM Domains, Subdomains and Practices

Each practice description gives information and guidance on the four comprehensiveness levels of minimum (1) , ad hoc (2), consistent (3) and formalized (4) with descriptions of each, including what needs to be done to achieve the level, and indicators of accomplishment (useful for assessments). A key idea is that unlike other maturity models, higher levels are not necessarily better. Rather, the appropriate comprehensiveness level for each practice should be chosen to match the need, limiting investment to what is required and makes sense.

The SMM is designed to be extensible, with profiles that expand the scope to industry or system specifics, and with mappings that relate the guidance to other frameworks and requirements.

SMM Extensibility with Profiles and Mappings

Profiles are one way of extending the SMM Security Maturity Model. While the practitioner’s guide describes the general case, or general scope, it also permits guidance appropriate to industry or system specific scope to be added to the general guidance. For example, we have previously published in collaboration with the OMG the IoT SMM: Retail Profile for Point-of-Sale Devices offering additional guidance relevant to retail. It includes industry scope level guidance, such as using Data Security Standard (PCI-DSS), Payment Application Data Security Standard (PA- DSS), and the PIN Transaction Security Devices (PTS) to achieve the consistent comprehensiveness level (level 3) for the compliance management practice, to give an example. It also includes device scope guidance for the compliance management level 3 with the requirement to ensure compliance with PIN Transaction Security Devices.

Another way of extending the SMM is with mappings. This newest publication is a set of mappings to the 62443 standards. This provides a linkage between the guidance for a specific comprehensiveness level in a practice to related 62443 requirements. One way to use this is to determine the maturity target, setting comprehensiveness levels for each practice using the Practitioner’s Guide for guidance. Once this is done then the mappings for the appropriate comprehensiveness levels (and the lower ones which must also be met to achieve a comprehensiveness level) can be used to review the appropriate 62443 requirements.

The current 62443 mappings focus on the needs of Asset Owners and Product Suppliers as defined in that document, a subsequent revision will add service providers. The following diagram from the mappings publication (derived from ISA documentation) shows the roles:

Roles in 62443

We are working on a later update to add Service Providers to the mappings document.

Thus with the general guidance of the IoT Security Maturity Model (SMM): Practitioner’s Guide, industry and system profiles such as the IoT SMM: Retail Profile for Point-of-Sale Devices (with more coming) and with mappings guidance such as the IoT Security Maturity Model: 62443 Mappings for Asset Owners  and Product Suppliers we believe security maturity assessment should be thorough, actionable and can be related and managed in conjunction with other approaches such as the use of the 62443 standards.

We are excited about this work and hope you find it useful.

IIC IoT Security Maturity Model (SMM)

The Industrial Internet Consortium (IIC) has just published the IoT Security Maturity Model Practitioner’s Guide or SMM (IIC press release). Also published is an update to the earlier IoT Security Maturity Model: Description and Intended Use white paper.

This IoT Security Maturity Model is timely, needed and new since it incorporates business, process, technology and operations aspects, and considers the security need from an integrated perspective including various contexts (end-end, device, edge, cloud, etc) and viewpoints such as information technology (IT) as well as Operational Technology (OT).

The IoT Security Maturity Model is a strategic document addressing the challenge of how to invest appropriately to address security needs and as a strategy provides an approach and model as well as actionable guidance. The need is to invest appropriately to address concerns, without investing too much or too little and by focusing in the areas that matter. The strategy is holistic, considering business, process, technology and operations.

An important concept is that of maturity. This is not the same as security levels, since it is about the degree of fit of the solution to the need. Thus if a situation does not require much security then even if few security mechanisms are applied the solution can be mature, since it is possible to demonstrate confidence that the correct approach has been taken.

The general approach is for business owners and technology owners to work together to set targets, then perform an assessment to determine the current state, identify and mitigate gaps, and then repeat this process periodically as threats, technologies and business concerns change. This creates a continuous improvement cycle.

The model has domains of governance (roughly process), enablement (technology) and hardening (operations) as well as the corresponding sub-domains and practices as shown in the following figure from the SMM:

Each domain, sub-domain and practice can have a comprehensiveness level associated with it, indicating the depth and completeness of that item, ranging from none, to minimal (1), ad hoc (2), consistent (3) and formalized (4). In addition, the model is extensible to address the needs of specific verticals (e.g. manufacturing, retail, medical etc) through the use of scope, to enable specifics relative to certain comprehensiveness levels to be defined. Scope also allows system specifics as well. A set of comprehensiveness levels including scope may be defined as an industry profile.

The IoT Security Maturity Model has a table for each of the eighteen practices, providing detail for each of the comprehensiveness levels, including an objective that can be used by business stakeholders, as well as a general description of the level, what needs to be done to achieve it, and indicators of accomplishment. Such indicators can be used to determine in an assessment if the level has been achieved.

The IoT Security Maturity Model includes examples drawn from different verticals for each of the practice comprehensiveness tables as well as case studies at the end. The case studies are based on real assessments that were done previously, recast into the IoT Security Maturity Model to demonstrate that it works for real cases as well as to provide examples that can be understood.

Best Practices from the IIC and elsewhere can be used to provide detailed guidance on addressing the gaps. We are also working on additional guidance in the form of mappings from IoT Security Maturity Model comprehensiveness levels to details in other frameworks like the IIC Security Framework, and IEC 62443, the NIST Cybersecurity Framework and others (e.g. comprehensiveness level 3 maps to this specific guidance). We also are looking to work with partners on creating profiles for verticals.

Thinking long term we have looked at how this model might also be applicable to the concept of Trustworthiness, which includes security, safety, reliability, resilience and privacy taken together and outlined some thoughts on this in the IIC Journal of Innovation Trustworthiness issue.

This post just introduces the IoT Security Maturity Model. For more complete details, definitions and explanations please refer to the Practitioner’s guide itself. If you would like to participate in further developing this work please join us at the IIC.