On April 9, the Industrial Internet Consortium (IIC) published its white paper "IIC IoT Security Maturity Model (SMM): Description and Intended Use". Building on concepts identified in the IIC Industrial Internet Security Framework, the SMM defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk, enabling decision makers to invest only in security mechanisms that meet their specific requirements.
“The Internet of Things has brought a lot of innovation to industries, but it also introduces new security threats. The security landscape is complex and always changing,” says Ron Zahavi, IIC Security Applicability group co-chair, white paper co-author, and chief strategist for Azure IoT Standards at Microsoft. “It can be challenging for organizations to understand where to focus their security budgets, especially with limited resources. The SMM provides organizations with an informed understanding of security practices and mechanisms applicable to their industry and scope of their IoT solution.”
Organizations apply the SMM by following a process. First, business stakeholders define security goals and objectives, which are tied to risks. Next, technical teams in the organization or third-party assessors map these objectives to security techniques and capabilities, and identify an appropriate security maturity level. Following this, organizations develop a security maturity target, which includes industry- and system-specific considerations, and capture the current security maturity state of the system.