Getting Ready for B(r)each Season with the New IIC Security Maturity Model

With California weather getting warmer, I've been working on my beach body. I'm ok without washboard abs, but I wouldn’t mind trimming down the love handles. My shoulders are a bit strained, so a little physical therapy might be necessary as I crank up the effort.

You may know where I am going with this.

The approach to building your security architecture for "breach season" is really not that different than my fitness plan or any other plan for that matter. The biggest difference is that breach season is all-year round. A flabby security policy or an untreated weak link can leave your systems susceptible to undesired effects. I'm using the generic term because a security failure could occur due to an attack or just complacency.

Like a fitness plan, a security plan starts with defining what you want to achieve and committing to a strategy. Such a plan needs to extend beyond technical considerations and include detailed policies with clear justification. For example, can you satisfy your goals with general security techniques? Or does your system require industry-specific governance to identify what data should be protected and how?

Facebook arguably has stronger security capabilities than most embedded systems, but the most recent negative press regarding the Cambridge Analytica “data breach” is largely due to ambiguous security policies at best, or mal-intended policies at worst. Facebook execs tweeted out of the gate claiming that there was no data breach, and it was eventually revealed that leaders were operating under the mandate to connect people no matter the consequences. In a way this is a security policy related to privacy, albeit possibly unintentional. Whatever the truth, this story has shed light that Facebook would have been wise to invest in governance of its security practices in addition to user-configurable security settings.

Security practices for IT are fairly well established with obvious room for improvement. However, we have only recently started seeing increased connectivity between industrial control systems and IT systems with growing security implications, such as the concern for patient privacy and safety when connecting medical data in an integrated clinical environment. The challenge becomes how to apply security to different stages of IT and OT integration, and how to assess if a desired level has been achieved.

Groups like the Industrial Internet Consortium (IIC) are working to tackle the challenges behind these complex integrations and share guidance with the industry. Last year, RTI helped author the IIC's Industrial Internet Security Framework. This framework provided the blueprint for any industrial company to coordinate security efforts, from business motivations to technical implementations. More recently, we contributed to the IIC's IoT Security Maturity Model: Description and Intended Use, which was just released today. The Security Maturity Model (SMM) guides readers to identify their security maturity target (security goal for their system) and how to achieve that goal by applying security best practices.

Let’s take a look at a simple example. Your company has a very formalized security process that is well established. However, the extent to which you applied any security is categorized as general at best, meaning that the same security measures (i.e., a corporate firewall) could be applied to any company in any industry. Your current security maturity level is “Formalized and General.” The security target for devices in an integrated clinical environment might require some industry specific practices to achieve FDA approval. Therefore your security maturity target needs to be “Formalized + Industry-Specific” and your security plan should reflect steps to achieve that target.

Think of the SMM as your personal fitness assessment and workout plan. Use the SMM to assess the current security maturity of your system and the gaps to close in order to achieve your security maturity target. Like working out, you have to put in the effort to get results, but that doesn’t mean you have to figure it all out on your own.