Industrial Internet Consortium Announces Practitioner’s Guide for Assessing the Maturity of IoT System Security

IIC Openfog Report

Apr 14, 2019

The Industrial Internet Consortium, now incorporating OpenFog, announces the Security Maturity Model (SMM) Practitioner’s Guide, which provides detailed actionable guidance enabling IoT stakeholders to assess and manage the security maturity of IoT systems. Along with the publication of the SMM Practitioner’s Guide is an update to the IoT SMM: Description and Intended Use White Paper, which provides an introduction to the concepts and approach of the SMM. This white paper has been updated for consistency with the SMM Practitioner’s Guide, including revised diagrams and updated terminology.

As organizations connect their systems to the internet, they become vulnerable to new threats, and they are rightly concerned with security. Addressing these concerns requires investment, but determining investment focus and amount is a difficult business decision. The SMM helps by enabling a structured top-down approach toward setting goals as well as a means toward assessing the current security state, taking into account various specific practices. The SMM allows an organization to trade off investment against risk in a sensible manner.

Building on concepts identified in the IIC Industrial Internet Security Framework published in 2016, the SMM defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk. Organizations may improve their security state by making continued security assessments and improvements over time, up to their required level.

“This is the first model of its kind to assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management,” said Stephen Mellor, CTO, IIC. “Other models address part of what is addressed by the SMM: they may address a particular industry, IoT but not security, or security but not IoT. The SMM covers all these aspects and points to parts of existing models, where appropriate, to recognize existing work and avoid duplication.”

The practitioner’s guide includes tables describing what must be done to reach a given security comprehensiveness for each security domain, subdomain and practice and can be extended to address specific industry or system scope needs. Following each table is an example using various industry use cases to demonstrate how an organization might use the table to pick a target state or to evaluate a current state.

One example is that of an automotive manufacturer considering the possible threats interfering with the operations of a vehicle key fob. The manufacturer sets its target maturity comprehensiveness level to “1” as it considers some IT threats, such as a Denial of Service attack that may prevent a driver from opening the car door using the key fob. Over time, as new threats emerge, the manufacturer realizes it needs additional threat modeling and enhanced practices so raises its target maturity comprehensiveness level to a higher level “2.”

The practitioner’s guide contains three case studies that show IoT stakeholders how to apply the process based on realistic assessments, showing how the SMM can be applied in practice. The case studies include a smarter data-driven bottling line, an automotive gateway supporting OTA updates and security cameras used in residential settings.

IOT SMM: PRACTITIONER’S GUIDE

The Practitioner’s Guide provides a pragmatic approach, enabling implementation teams to communicate an IoT system’s current state of security through confident discussions with business stakeholders about the desired state of security maturity, where gaps exist and a roadmap for achieving their goal. The Practitioner’s Guide describes how to reach a given security comprehensiveness for each security domain, subdomain and practice and can be extended to address specific industry or system scope needs. Various industry use case examples demonstrate how an organization might select a target state or evaluate a current state.

PRIMARY AUTHORS

  • Sandy Carielli – Entrust Datacard
  • Matthew Eble – Praetorian
  • Frederick Hirsch – Fujitsu
  • Ekaterina Rudina – Kaspersky Lab
  • Ron Zahavi – Microsoft Azure IoT

OTHER CONTRIBUTORS

  • Tata Consultancy Services / NetFoundry
  • Wibu-Systems

Go HERE to download the report

Related Articles


Latest Articles


Changing Scene

  • Save the Date: Ontario Apprenticeship Summit 2026 – November 4, 2026

    Save the Date: Ontario Apprenticeship Summit 2026 – November 4, 2026

    July 6, 2026 Skilled Trades Ontario (STO) is pleased to announce that the third annual Ontario Apprenticeship Summit will take place during National Skilled Trades and Technology Week. Industry partners, skilled trades professionals, and apprentices are invited to attend the Toronto Congress Centre on Wednesday, November 4, 2026. The Ontario Apprenticeship Summit 2026 is focused… Read More…

  • Fort McMurray Apprentice Electrician to Represent Canada at Skilled Canada National Competition

    Fort McMurray Apprentice Electrician to Represent Canada at Skilled Canada National Competition

    July 6, 2026 In recognition of World Youth Skills Day, which underscores the vital role of skills development among young people, Skills/Compétences Canada (SCC) is proud to officially announce the 31 talented members of WorldSkills Team Canada 2026.These young competitors will begin their training to prepare for the 48th WorldSkills Competition, in Shanghai, China, which will be held… Read More…

  • Westburne Celebrates 100 Years with Brandon Trade Show

    Westburne Celebrates 100 Years with Brandon Trade Show

    July 6, 2026 Recently, Westburne hosted over 200 guests and over 60 partners and suppliers at their Brandon Trade Show to celebrate 100 years of Westburne. “Westburne’s annual Midwest Tradeshow welcomed more than 220 attendees in Brandon this year, including representatives from over 60 partner businesses and suppliers. Taking place annually for over 15 years,… Read More…

  • B.C. Expands Energy Efficiency Program to Provide No-Cost Retrofits to Homeowners, Tenants

    B.C. Expands Energy Efficiency Program to Provide No-Cost Retrofits to Homeowners, Tenants

    July 3, 2026 Together with BC Hydro, FortisBC and Natural Resources Canada, the Province is supporting families with lower incomes to save money on their utility costs through home-energy improvements.  “We are taking action to help people lower their utility bills by expanding our home energy-efficiency programming for lower-income families,” said Adrian Dix, B.C.’s Minister… Read More…