The National Cybersecurity Center of Excellence (NCCoE) has released a preliminary draft practice guide, SP 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD), and is seeking public comments. The popularity of IoT devices is growing rapidly, as are concerns over their security. IoT devices are often vulnerable to malicious actors who can exploit them directly and use them to conduct network-based attacks.
This guide’s example solution is based on the Internet Engineering Task Force’s (IETF) Manufacturer Usage Description (MUD) Specification and is intended for IoT manufacturers and implementers. However, the guide also demonstrates to IoT device users the crucial role MUD can play in network security.
The MUD architecture enables IoT devices to behave only as intended by the manufacturers of these devices. This is done by providing a standard way for manufacturers to indicate the network communications that each device requires to perform its intended function. When MUD is used, the network will automatically permit the IoT device to send and receive only this required traffic. Even if an IoT device is compromised, MUD prevents it from being used in any attack that would require the device to communicate with an unauthorized destination.
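The allow-list behavior described above can be sketched in code. The following is an added example, not part of the NCCoE guide: it compiles a MUD file into allow rules and applies default deny to a device's flows. The MUD file is a constructed sample in the RFC 8520 JSON layout for a hypothetical sensor; `compile_rules` and `permitted` are illustrative names, only IPv4 entries with `eq` port matches are handled, and peers are compared by DNS name rather than by resolved address.

```python
import json

# Constructed sample MUD file (RFC 8520 layout) for a hypothetical sensor.
MUD_JSON = """
{"ietf-mud:mud": {
   "mud-version": 1,
   "mud-url": "https://mud.example.com/sensor.json",
   "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev"}]}},
   "to-device-policy": {"access-lists": {"access-list": [{"name": "to-dev"}]}}},
 "ietf-access-control-list:acls": {"acl": [
   {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": [
     {"name": "cloud-out",
      "matches": {"ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "cloud.example.com"},
                  "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
      "actions": {"forwarding": "accept"}}]}},
   {"name": "to-dev", "type": "ipv4-acl-type", "aces": {"ace": [
     {"name": "cloud-in",
      "matches": {"ipv4": {"protocol": 6, "ietf-acldns:src-dnsname": "cloud.example.com"},
                  "tcp": {"source-port": {"operator": "eq", "port": 443}}},
      "actions": {"forwarding": "accept"}}]}}]}}
"""

def compile_rules(mud_doc):
    """Flatten the MUD file into (direction, peer, protocol, port) allow tuples."""
    mud = mud_doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in mud_doc["ietf-access-control-list:acls"]["acl"]}
    rules = set()
    for direction, policy, peer_key, port_key in (
            ("from-device", "from-device-policy", "ietf-acldns:dst-dnsname", "destination-port"),
            ("to-device", "to-device-policy", "ietf-acldns:src-dnsname", "source-port")):
        for ref in mud[policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                if ace["actions"]["forwarding"] != "accept":
                    continue
                m = ace["matches"]
                proto = m["ipv4"]["protocol"]
                l4 = m.get("tcp") or m.get("udp") or {}
                port = l4.get(port_key, {}).get("port")  # None means any port
                rules.add((direction, m["ipv4"].get(peer_key), proto, port))
    return rules

def permitted(rules, direction, peer, proto, port):
    """Default deny: a flow passes only if a compiled rule matches it."""
    return any(d == direction and p == peer and pr == proto and po in (None, port)
               for d, p, pr, po in rules)

RULES = compile_rules(json.loads(MUD_JSON))
```

With these rules, the sensor's TCP/443 traffic to `cloud.example.com` passes, while a flow to any host the manufacturer did not list is dropped regardless of what software on the device originates it.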
Don’t miss this opportunity to share your expertise with us. For instance:
We will use this feedback to help shape the next version of this document.
Submit your comments online or send an email to mitigating-iot-ddos-nccoe@nist.gov until June 24, 2019.
NOTE: A call for patent claims is included on page v of 1800-15B. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Security and Privacy: access authorization, access control, botnets, configuration management, security automation
Technologies: firewalls, sensors
Applications: Internet of Things, small & medium business