Industrial IoT: Consortium sets out new IoT security benchmarks

Industrial IoT: Consortium sets out new IoT security benchmarks

The Industrial Internet Consortium maturity model sets out practical ways to achieve better IoT security via a benchmarking and maturity process.

The Industrial Internet Consortium (IIC) has launched a new white paper setting out guidance for organisations that are seeking to secure Internet of Things (IoT) projects.

The IIC is a global industry organisation dedicated to furthering expertise in industrial internet deployments. Its dozens of blue-chip members include IBM, SAP, Dell EMC, Bosch, GE, Huawei, Accenture, Boeing, China Mobile Communications, PwC, Samsung, Toshiba, and a number of universities and government organisations.

The white paper, The IIC IoT Security Maturity Model: Description and Intended Use, builds on concepts identified in the IIC’s Industrial Internet Security Framework. The new Security Maturity Model (SMM) defines the levels of security maturity that an organisation should aim to achieve, based on its own security goals and business objectives, as well as its appetite for risk.

The IIC believes that this should help decision makers to invest in only those security mechanisms that meet their specific business requirements.

How does it work?

According to the IIC, organisations should apply the SMM by following a step-by-step process.

First, business stakeholders should define their security goals and objectives, which are tied to risks within their sector or organisation. Technical teams or third-party assessment vendors should then map these objectives onto tangible techniques and capabilities, and identify the maturity level that results from this process.

Following this, organisations should develop a security maturity target, which includes industry and system-specific considerations, and capture the maturity state of the system based on those industry benchmarks.

Sandy Carielli, white paper co-author and director of Security Technologies at Entrust Datacard, said that by periodically comparing target and current states, organisations can identify where they need to make critical improvements.

“Organisations achieve a mature system security state by making continued security assessments and improvements over time. They can repeat the cycle to maintain the appropriate security target as their threat landscape changes,” he said.

“The Internet of Things has brought a lot of innovation to industries, but it also introduces new security threats. The security landscape is complex and always changing,” added co-author Ron Zahavi, IIC Security Applicability group co-chair and chief strategist for Azure IoT Standards at Microsoft.

“It can be challenging for organisations to understand where to focus their security budgets, especially with limited resources. The Security Maturity Model provides organisations with an informed understanding of the security practices and mechanisms that are applicable to their industry, and the scope of their IoT solution.”

Security challenges

Over one-third of enterprise operational technology (OT) professionals have identified security concerns as the biggest impediment to production deployments of IoT programmes, according to analysts at 451 Research.

“This is consistent with the feedback we have received from information technology professionals over the last two years, and highlights the criticality of a common, extensible model for IoT security to move the industry forward,” said Christian Renaud, research director Internet of Things, at 451 Research.

The IIC said that its IIC Security Maturity Model: Practitioners Guide will be released in the coming months and will contain the technical guidance for the assessment and enhancement of maturity levels when it comes to IoT security.

Internet of Business says

A number of recent reports have identified the same core challenges when it comes to IoT security.

First, non-expert vendors are rushing products to market that lack enterprise-grade security. Second, many organisations are deploying connected devices without changing factory default passwords and other customisable settings, which creates unnecessary risks of malicious attack. Third, most organisations are aware of the enlarged threat surface that the IoT creates for hackers and other hostile actors, but few have adopted a strategic approach to tackling or managing these problems, often leaving it up to line of business departments to muddle through. And four, with GDPR incoming, these problems need urgent consideration.

Any step-by-step benchmarking guide that leads organisations through this minefield is therefore a welcome addition to the IoT security environment.

Internet of Business is committed to providing solutions to security problems, as well as to reporting news of any emerging or common threats. Here are some of our recent reports on this challenging problem, and on related areas.

Read more: IoT security: Half of IT departments don’t change default passwords

Read more: IIoT security: How to secure the ‘Internet of Threats’, by IBM

Read more: Gartner: IoT security spend hitting $1.5 billion – but strategy poor

Read more: IoT Security: How to fight attacks on health, energy, and transport

Read more: How to secure 5G to prevent IoT disasters: expert panel