With the mega-growth in connected devices, IoT security is a big issue and cost for those building out this infrastructure. But are they spending wisely?
The Industrial IoT is a compelling value proposition for enterprises of all types and sizes, but there’s always a catch. In this case, the catch is security — or relative lack thereof. Companies are responding, but the risk is that they will end up spending a lot of money on solutions they don’t need.
A recent analysis from Gartner says attempts to secure IoT have “largely failed,” adding that IoT security is a muddled concept, “with too many meanings dictated by marketing and early vertically oriented implementations, resulting in confusion.” Gartner also says that an “inordinate focus on devices as primary determinants for security decisions is delivering incomplete or inadequate security prevention, detection, response or prediction for IoT.”
With these challenges in mind, the Industrial Internet Consortium recently released its IoT Security Maturity Model, intended to help companies better define their security levels and focus security investments on only what is appropriate. The maturity model is designed to “provide a path for IoT providers to know where they need to be and how to invest in security mechanisms that meet their requirements without over-investing.”
“It can be challenging for organizations to understand where to focus their security budgets, especially with limited resources,” said Ron Zahavi, IIC Security Applicability group co-chair and chief strategist for Azure IoT Standards at Microsoft.
Defining the “Security Maturity Model” for IoT security
Organizations apply the Security Maturity Model by following a process, the IIC report explains. “First, business stakeholders define security goals and objectives, which are tied to risks. Technical teams within the organization, or third-party assessment vendors, then map these objectives into tangible security techniques and capabilities and identify an appropriate security maturity level. Following this, organizations develop a security maturity target, which includes industry and system-specific considerations, and capture the current security maturity state of the system.” By periodically “comparing target and current states, organizations can identify where they should make improvements,” said Sandy Carielli, white paper co-author and director of security technologies at Entrust Datacard.
The SMM is built on the following attributes:
Fostering collaboration among stakeholders: “Allow for an efficient and productive collaboration process between business stakeholders concerned about the proper strategy for implementing mature security practices, tailoring the needs and constraints of the particular IoT system, and technical stakeholders including analysts, architects, developers, system integrators and other stakeholders who are responsible for technical implementation.”
Identifying security performance indicators: “Provide a framework for defining and identifying the security target according to organizational-level demands so that business and technical stakeholders can use it to ascertain what progress should be made.”
Guiding the process of achieving the mature state: “Provide guidance on the assessment, enhancement and measurement of the current security maturity state in accordance with the defined security maturity target and demonstrate the attainment of all goals set by this target.”
Real-world applicability: “Consider functionality, safety, regulatory and legal requirements or guidelines, risk management, security and privacy policies, performance, costs and other business considerations. Also consider known and emerging threats and affordable ways of countering them.”
Consideration of different perspectives: “Help define security maturity goals from an organizational perspective and security maturity requirements from an implementation perspective.”
Appropriate security guidance: “Provide guidance for the assessment and further enhancement of security maturity that aligns security capabilities with the use case. Security measures in consumer devices are unlikely to be the same as those in critical infrastructure. Guidance should be practical and actionable.”
Adaptable to changing threat environment: “As IoT infrastructure and threats evolve, the security maturity target must be adaptable to remain relevant in the long run. It is insufficient to implement security measures only at the system design stage for IoT systems in operation for a long time.”
Extensibility: Accommodate change, because “IoT business models, products, guidelines, regulations, technologies and types of organizations will evolve.”