The most optimistic trend I see in our market concerns cooperation and collaboration. There’s a lot of that going on. Here’s one I didn’t really see coming—the Industry IoT Consortium (IIC) and the International Society of Automation (ISA). They recently announced the IoT Security Maturity Model (SMM): 62443 Mappings for Asset Owners, and Product Suppliers, and Service Suppliers.
“This new guidance adds the service provider role. It extends the previously published IoT Security Maturity Model (SMM): Practitioner’s Guide to provide mappings to existing 62443 standards and specific guidance for the asset owner, product supplier, and service provider roles,” said Ron Zahavi, Chief Strategist for IoT standards at Microsoft and IoT SMM co-author.
The IIC IoT SMM helps organizations choose their security target state and determine their current security state. By repeatedly comparing the target and current states, organizations can identify where they can make further improvements.
The ISA99 committee developed the 62443 series of standards, which the International Electrotechnical Commission (IEC) adopted. The standards address current and future vulnerabilities in Industrial Automation and Control Systems (IACS) and apply necessary mitigation systematically and defensibly. The ISA/IEC 62443 standards focus on maturity, but only on the maturity of security programs and processes.
“Achieving security maturity targets can be difficult to put into practice without concrete guidance,” said Frederick Hirsch, co-chair of the IIC ISA/IIC Contributing Group. “These 62443 mappings enable practitioners to better achieve security maturity by relating IIC IoT SMM practice comprehensiveness levels to ISA/IEC 62443 requirements. In this way, IACS asset owners and product suppliers can achieve appropriate maturity targets more easily.”
Eric Cosman, co-chair of the ISA99, said, “While standards such as ISA/IEC 62443 are needed to codify proven and accepted engineering practices, they are seldom sufficient. Joint efforts such as this provide the practical guidance necessary to promote and support their adoption.”
Pierre Kobes, a member of both ISA99 and IEC Technical Committee 65, said, “It is not about more security but about implementing the appropriate security measures. IoT SMM: 62443 Mappings for Asset Owners and Product Suppliers helps companies select the adequate security levels commensurate with their expected level of risk.”
You can download IoT SMM: 62443 Mappings for Asset Owners, Product Suppliers and Service Providers from IIC and ISA websites. You will find a complete list of the contributing authors in the document. Work is underway to add the service provider role to the document in a future revision.