The Industrial Internet Consortium (IIC) has released a new white paper that defines the level of security an organisation needs for its industrial IoT deployments based on its security objectives and appetite for risk.

The IIC says the white paper’s “IoT Security Maturity Model” will enable decision makers to invest in only those security mechanisms that meet their organisations’ specific requirements.

Ron Zahavi – the white paper’s co-author, co-chair of the IIC’s security applicability group and chief strategist for Azure IoT standards at Microsoft – said the model would help organisations understand where to focus their security budgets, especially those with limited resources.

“The Security Maturity Model provides organisations with an informed understanding of security practices and mechanisms applicable to their industry and scope of their IoT solution,” he said.

The new white paper, IIC IoT Security Maturity Model: Description and Intended Use, builds on concepts identified in the IIC Industrial Internet Security Framework, which was published in September 2016.

According to the IIC, the paper is “the most in-depth cross-industry-focused security framework comprising expert vision, experience and security best practice … [reflecting] thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments.”

The IIC says organisations should apply its Security Maturity Model by following a process.

“First, business stakeholders define security goals and objectives, which are tied to risks. Technical teams within the organisation, or third-party assessment vendors, then map these objectives into tangible security techniques and capabilities and identify an appropriate security maturity level. Following this, organisations develop a security maturity target, which includes industry and system-specific considerations, and capture the current security maturity state of the system.”

White paper co-author and director of security technologies at Entrust Datacard, Sandy Carielli, said that by periodically comparing target and current states, organisations would be able to identify where they should make improvements.

“Organisations achieve a mature system security state by making continued security assessments and improvements over time. They can repeat the cycle to maintain the appropriate security target as their threat landscape changes.”

The IIC says the new white paper is only an introduction to its Security Maturity model and that a practitioners guide will be released in the coming months containing the technical guidance for assessment and enhancement of security maturity level for appropriate practices.”

The IIC was founded in March 2014 to “bring together the organisations and technologies necessary to accelerate the growth of the Industrial Internet by identifying, assembling and promoting best practices.

Its members include small and large technology innovators, vertical market player, researchers, universities and government organisations.

Importantly, it collaborates with Plattform Industrie 4.0, the German body developing standards for Industry 4.0 The two organisations have independently developed reference architectures for the Industrial Internet and have been working since 2015 to bring the architectures into alignment.

The IIC is part of the Object Management Group (OMG), an international not-for-profit technology standards consortium founded in 1989 by Hewlett-Packard, IBM, Sun Microsystems, Apple Computer, American Airlines and Data General.