Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)

Dodson, Donna; Montgomery, Douglas; Polk, W.; Ranganathan, Mudumbai; Souppaya, Murugiah; Johnson, Steve; Kadam, Ashwini; Pratt, Craig; Thakore, Darshak; Walker, Mark; Lear, Eliot; Weis, Brian; Barker, William; Coclin, Dean; Hojjati, Avesta; Wilson, Clint; Jones, Tim; Baykal, Adnan; Cohen, Drew; Yeich, Kevin; Fashina, Yemi; Grayeli, Parisa; Harrington, Joshua; Klosterman, Joshua; Mulugeta, Blaine; Symington, Susan; Singh, Jaideep

doi:https://doi.org/10.6028/NIST.SP.1800-15

SP 1800-15

Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)

Documentation Topics

Date Published: May 2021

Author(s)

Donna Dodson (NIST), Douglas Montgomery (NIST), W. Polk (NIST), Mudumbai Ranganathan (NIST), Murugiah Souppaya (NIST), Steve Johnson (CableLabs), Ashwini Kadam (CableLabs), Craig Pratt (CableLabs), Darshak Thakore (CableLabs), Mark Walker (CableLabs), Eliot Lear (Cisco), Brian Weis (Cisco), William Barker (Dakota Consulting), Dean Coclin (DigiCert), Avesta Hojjati (DigiCert), Clint Wilson (DigiCert), Tim Jones (ForeScout), Adnan Baykal (Global Cyber Alliance), Drew Cohen (MasterPeace Solutions), Kevin Yeich (MasterPeace Solutions), Yemi Fashina (MITRE), Parisa Grayeli (MITRE), Joshua Harrington (MITRE), Joshua Klosterman (MITRE), Blaine Mulugeta (MITRE), Susan Symington (MITRE), Jaideep Singh (Molex)

Abstract

The goal of the Internet Engineering Task Force’s Manufacturer Usage Description (MUD) specification is for Internet of Things (IoT) devices to behave as the devices’ manufacturers intended. MUD provides a standard way for manufacturers to indicate the network communications that a device requires to perform its intended function. When MUD is used, the network will automatically permit the IoT device to send and receive only the traffic it requires to perform as intended, and the network will prohibit all other communication with the device, thereby increasing the device’s resilience to network-based attacks. In this project, the NCCoE demonstrated the ability to ensure that when an IoT device connects to a home or small-business network, MUD can automatically permit the device to send and receive only the traffic it requires to perform its intended function. This NIST Cybersecurity Practice Guide explains how MUD protocols and tools can reduce the vulnerability of IoT devices to botnets and other network-based threats as well as reduce the potential for harm from exploited IoT devices. It also shows IoT device developers and manufacturers, network equipment developers and manufacturers, and service providers who employ MUD-capable components how to integrate and use MUD to satisfy IoT users’ security requirements.

Keywords

access control; bootstrapping; botnets; firewall rules; flow rules; Internet of Things (IoT); Manufacturer Usage Description (MUD); network segmentation; onboarding; router; server; software update server; threat signaling; Wi-Fi Easy Connect

Control Families

Access Control; System and Communications Protection

Documentation

Publication:
SP 1800-15 (DOI)
Local Download

Supplemental Material:
SP 1800-15 files (web)
Project homepage (web)

Related NIST Publications:
White Paper

Document History:
04/24/19: SP 1800-15 (Draft)
11/21/19: SP 1800-15 (Draft)
09/16/20: SP 1800-15 (Draft)
05/26/21: SP 1800-15 (Final)

Topics

Security and Privacy
configuration management; controls; identity & access management; security automation; threats

Technologies
hardware; networks

Applications
cybersecurity framework; Internet of Things; small & medium business

Laws and Regulations
Executive Order 13800