IIC IoT Security Maturity Model
The IIC IoT Security Maturity Model (SMM) [3] provides a guideline regarding the current security maturity of an organization and how it should invest in security mechanisms to meet its desired objectives. The security maturity level is a measure of how well the current security level, along with its benefits and costs, is understood. The maturity model is based on the Plan-Do-Check-Act (PDCA) cycle applied to a specific system. Initially, a target security maturity for the system is established; then the security improvement processes are started and, as security threats and processes change, the cycle is repeated based on the updated requirements.
The IIC SMM has three stages: Dimensions, Domains and Practices. A dimension is the high-level view of the security priorities of the organization, domains are the specific means to obtain those priorities, and practices are the specific activities associated with domains.
The IIC SMM has three dimensions: Governance, Enablement and Hardening. Each dimension has domains, and each domain has associated security practices. For example, the Security Governance dimension (which facilitates legal, regulatory and contractual compliance) has the Security Program Management and Compliance Management practices.
There are five comprehensive levels (0: None, 1: Minimum, 2: Ad-hoc, 3: Consistent and 4: Formalized) and three scope levels (1: General, 2: Industry, and 3: System). Based on these levels, the current security maturity and the target maturity (as desired by the organization) at the dimension, domain, and practice levels are determined for a particular scope of the organization. After that, a gap analysis is performed and phased security action plans are generated for implementation. A sample gap analysis is presented in Table 2.
NIST's Cybersecurity Framework
NIST has developed a cybersecurity framework [4] for the manufacturing industry. The framework has five core functions: Identify, Protect, Detect, Respond and Recover. The core functions and categories are presented in Table 1.
The framework has defined a manufacturing profile to implement cybersecurity con-
Functions and Categories