Industry IoT Consortium Publishes Practical Mapping Guides for the IoT Security Maturity Model

The Industry IoT Consortium (IIC) developed the IoT Security Maturity Model (SMM) in 2020 with the intent to provide guidance on implementing appropriate cybersecurity mechanisms in industrial environments. It has accompanied the SMM with various other resources since then, including an Intended Use Paper and a Practitioner’s Guide. In July 2022, the IIC published two more derivative documents: IoT Security Maturity Model Digital Twin Profile and the IoT Security Maturity Model: 62443 Mappings for Asset Owners, Product Suppliers, and Service Providers. Both have been developed together with industry associations: the Digital Twin Consortium (DTC) and the International Society of Automation (ISA99), making them highly practical and pertinent to specific industrial applications.

The IoT SMM has a prescribed process to determine a desired maturity target, assess the current maturity state, compare the current and target, identify gaps, and  necessary improvements. A hierarchical structure splits various practices into three main domains: governance, enablement, and hardening. However, the application of these concepts can vary depending on the industry and use cases. For this reason, the digital twin profile provides specific security maturity guidance relevant to digital twin implementations and the 62443 profile provides a direct mapping of the SMM to specific security requirements. This has the advantage of making generic considerations much more applicable by adding a granular level of detail of what needs to be done from a practical perspective relative to that industry. This is especially useful because the SMM general practitioner’s guide guidance can be combined with SMM industry profile guidance to determine what needs to be done to achieve necessary maturity and then SMM mappings can aid with that implementation.

The IIC’s effort in collaborating with industry consortia to develop practical guidance is not only important to foster adoption and implementation of industrial cybersecurity, but it is also timely. Industrial cybersecurity has been a critical, yet underdeveloped discipline for more than a decade now, slow to mature and lacking widespread, comprehensive adoption. In part, this is due to technology fragmentation, broad end-market diversity, and highly heterogenous environments that make the uniform application of a security technology (or even a security standard) difficult at best.

Further, industrial ecosystems are not often incentivized to invest significantly in security where they are not regulated, relying either on security through obscurity methods or through an assembly of ill-fitted Information Technology (IT) security solutions. What the industry lacks overall is not so much the security tools, but the practical guidance for implementation in specific use cases that aligns with technology usage and standards implementation.

The IoT SMM Digital Twin Profile and the 62443 Mapping embody those practical guides that will help implementers put in place and manage effective security frameworks, vertically tailored to their appropriate industries. The IIC’s efforts have not gone unnoticed, and it is currently working with other standards development bodies (i.e., the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO)) to map the IoT SMM to some of their respective standards. The IIC is also working to enable certification labs to effectively assess and certify IoT SMM implementations.

Accompanying these guidelines and standards development efforts is an increasingly mature industrial cybersecurity market. By no means nascent, it has taken some time to effectively take off. The acceleration of standards development and market dynamics is driven by various factors. On one hand, there is increased digital transformation within industrial organizations generally, and an understanding that security adds value to processes and operations overall (it is not just about threat diffusion and risk minimization). But more critically, the industrial ecosystem is under immense stress as it emerges from the pressures of the pandemic (with little easing of supply chain issues), and is beset by a looming economic downturn, a global energy crisis, and becoming collateral damage in a very real cyberwar.

Critical infrastructure is particularly fragile, but industrial operations overall are set to suffer. Industrial stakeholders will be looking to bootstrap and streamline, while strengthening the underlying trust within their infrastructure to weather the storm. Security investment will be key, and is not likely to be scrimped, and operators will look to make the most of these and extract maximum value. Guidelines from consortia like the IIC, DTC, ISA, and IEC are  key to ensuring that industry has relevant and applicable guidance for strengthening cybersecurity.