The Industrial Internet Consortium Announces Practitioner’s Guide for Assessing the Maturity of IoT System Security

Technical Guidance for IoT Stakeholders

NEEDHAM, Mass.–(BUSINESS WIRE)–#IIConsortium–The Industrial Internet
Consortium® (IIC™), now incorporating OpenFog, announces the Security
Maturity Model (SMM) Practitioner’s Guide, which provides detailed,
actionable guidance enabling IoT stakeholders to assess and manage the
security maturity of IoT systems. Along with the publication of the SMM
Practitioner’s Guide is an update to the IoT SMM: Description and
Intended Use White Paper, which provides an introduction to the concepts
and approach of the SMM. This white paper has been updated for
consistency with the SMM Practitioner’s Guide, including revised
diagrams and updated terminology.

As organizations connect their systems to the internet, they become
vulnerable to new threats, and they are rightly concerned with security.
Addressing these concerns requires investment, but determining
investment focus and amount is a difficult business decision. The SMM
helps by enabling a structured top-down approach toward setting goals as
well as a means toward assessing the current security state, taking into
account various specific practices. The SMM allows an organization to
trade off investment against risk in a sensible manner.

Building on concepts identified in the groundbreaking IIC Industrial
Internet Security Framework published in 2016, the SMM defines levels of
security maturity for a company to achieve based on its security goals
and objectives as well as its appetite for risk. Organizations may
improve their security state by making continued security assessments
and improvements over time, up to their required

“This is the first model of its kind to assess the maturity of
organizations’ IoT systems in a way that includes governance, technology
and system management,” said Stephen Mellor, CTO, IIC. “Other models
address part of what is addressed by the SMM: they may address a
particular industry, IoT but not security, or security but not IoT. The
SMM covers all these aspects and points to parts of existing models,
where appropriate, to recognize existing work and avoid duplication.”

The practitioner’s guide includes tables describing what must be done to
reach a given security comprehensiveness for each security domain,
subdomain and practice and can be extended to address specific industry
or system scope needs. Following each table is an example using various
industry use cases to demonstrate how an organization might use the
table to pick a target state or to evaluate a current state.

One example is that of an automotive manufacturer considering the
possible threats interfering with the operations of a vehicle key fob.
The manufacturer sets its target maturity comprehensiveness level to “1”
as it considers some IT threats, such as a denial-of-service attack that
may prevent a driver from opening the car door using the key fob. Over
time, as new threats emerge, the manufacturer realizes it needs
additional threat modeling and enhanced practices, and so raises its
target maturity comprehensiveness level to “2.”

The practitioner’s guide contains three case studies that show IoT
stakeholders how to apply the process, using realistic assessments to
demonstrate the SMM in practice. The case studies cover a smarter,
data-driven bottling line; an automotive gateway supporting OTA updates;
and security cameras used in residential settings.

The IIC designed the SMM to be extended for industry and system specific
requirements. The IIC is collaborating with various industry groups to
develop industry profiles that extend the model. Industry associations
interested in developing profiles are encouraged to contact the IIC.
Please send an email to [email protected].

For more information about the IIC SMM Practitioner’s Guide, IIC members
have prepared a webinar, “Get a True Sense of Security Maturity,” which
will air on March 18th at 12:00 pm for 60 minutes. Register at

The full IIC SMM Practitioner’s Guide and a list of IIC members who
contributed can be found on the IIC website at

About Industrial Internet Consortium
The Industrial Internet
Consortium, now incorporating OpenFog, is the world’s leading membership
program transforming business and society by accelerating the Industrial
Internet of Things (IIoT). The IIC delivers a trustworthy IIoT in which
the world’s systems and devices are securely connected and controlled to
deliver transformational outcomes. The Industrial Internet Consortium is
a program of the Object Management Group (OMG). For more information,

Note to editors: Industrial Internet Consortium is a registered
trademark of OMG. For a listing of all OMG trademarks, visit
All other trademarks are the property of their respective owners.

Karen Quatromoni
Industrial Internet Consortium
[email protected]
