by Diana Proud-Madruga

This three-part series explores the challenges of securing the Internet of Things (IoT). Part 3 explores applications of MUD as described in the preliminary draft of NIST Special Publication 1800-15, Securing Small-Business and Home Internet of Things Devices.

With the explosion of IoT devices, policymakers are struggling to catch up. As is often the case with new technologies, policies and standards around the implementation, use, security and privacy of IoT devices are behind the public adoption curve. NIST SP 1800-15 is one of many new documents working to close that gap.

Published in three parts: Executive Summary, Approach, Architecture, and Security Characteristics and How-to Guides, NIST SP 1800-15 demonstrates how IoT product developers and implementers can use the Internet Engineering Task Force’s (IETF) manufacturer usage description (MUD) architecture to ensure their IoT devices do what they are intended to do and no more.

Why Is This Important?

I recently heard a radio talk show host discussing different IoT devices. He conveyed that there is now a “smart” hair straightener. He then mentioned how many home fires are started by curling irons and hair straighteners. Extrapolate that to a hair straightener that can be hacked into and made to malfunction and we begin to scratch the surface of the urgency for securing IoT devices.

IoT devices have already been used to launch distributed denial of service attacks (DDOS). These attacks can have significant impacts on businesses and individuals alike, including device manufacturers.

What Can Be Done? Standardize!

A coalition of policy makers, manufacturers, system providers, implementers and users create standards, allowing each group to ensure its needs are addressed. When manufacturers then follow an accepted standard, consumers and system providers know what to expect. And, implementing security and privacy controls becomes easier, as does intended and desired interoperability between devices.

NIST SP 1800-15 was, and continues to be, created in this fashion. Although the current public comment period is closed, NIST clearly states, “This preliminary draft is stable but has some gaps in its content that will be addressed in the next draft.” Early adopters will be instrumental in identifying those gaps as well as possible solutions.

NIST SP 1800-15 Findings and Recommendations

In a nutshell, NIST’s test build and implementation of MUD demonstrated that “It is possible to provide significantly higher security than is typically achieved in today’s (non-MUD-capable) home and small-business networks by deploying and using MUD on those networks.” NIST was able to prevent access to and from the MUD-capable IoT device from unauthorized devices on the same network as well as prevent the MUD-capable device from being used to access unauthorized external domains.

However, NIST points out that MUD implementation is not a “silver bullet” that takes care of all IoT security and privacy needs. IoT manufacturers need to consider all security best practices when developing devices and the MUD infrastructure. The MUD implementation also needs to follow all best practices to protect against compromise.

Some of the biggest barriers to secure implementation right now are a lack of

• MUD-enabled IoT devices, including networking devices
• standards for communications between the MUD manager and the router, the threat signaling server and the MUD manager/router, and the IoT devices and their update servers
• simple, user-friendly interfaces that allow non-technical users to easily manage their devices

While it is possible to implement MUD with non-MUD-enabled devices, it requires a level of knowledge that many small business and home users just don’t have. A lack of IoT and MUD communications standards impedes smooth interoperability between devices from different manufacturers and introduces additional vulnerabilities. Last, many MUD-enabled devices aren’t currently as “plug-and-play” as needed, which can introduce risks that the average user will implement them in a way that isn’t secure.

That said, MUD and IoT technologies are growing and the number of manufacturers and vendors participating in implementing, testing, improving and standardizing them is growing every day. To support this trend, individual and organizational end-users of IoT devices can add “MUD-enabled” to their list of things to look for when purchasing IoT devices. We also can demand clear, user-friendly interfaces and implementation procedures.

IoT devices are here to stay. It’s up to us to set the expectation that they enhance our lives by working as intended and not introduce unwanted security and privacy issues.

Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.