Clear as MUD: NIST Issues Draft Guide for Securing Internet of Things (IoT) Devices

Target audience: Companies manufacturing IoT devices, businesses connecting IoT devices to their networks and seeking to protect those networks, internet service providers and other communications service providers whose networks depend upon network reliability and up-time, and all users of IoT devices seeking to protect their networks.

IoT devices gaining popularity

Internet of Things (IoT) devices — think thermostats, security monitors, smart assistants, lighting control systems or smart televisions that are connected to the internet — are rapidly becoming an integral part of our homes and businesses.

Gartner predicts there will be 20.4 billion connected IoT devices by 2020 (compared with 8.4 billion in 2017), and Forbes forecasts the market for IoT devices to be $457 billion by 2020.

Internet-connected devices present significant risk

While business or home computer networks may be protected by various sophisticated hardware and software tools (firewalls, anti-malware, data loss protection, etc.), inexpensive single-function IoT devices designed for “plug and play” don’t appear to present security concerns. After all, the toaster we’ve known for our entire lives plugged only into the wall, not into a network or the internet.

However, the very connectivity that makes IoT devices attractive to consumers also makes these devices particularly vulnerable to attack- with potentially expensive and damaging consequences.

Malicious actors can detect IoT devices quickly and launch attacks on those devices from virtually anywhere on the internet. In addition, IoT devices can be commandeered and used to launch large-scale Distributed Denial of Service (DDoS) attacks. Moreover, software bugs and flaws on IoT devices are generally more difficult to patch or remedy, creating additional vulnerability to attack.

NIST aims to reduce risk, starting with manufacturers

The National Institute of Standards and Technology (NIST) has issued a draft Practice Guide to help device manufacturers, communications service providers, businesses, and users of IoT devices understand how to secure IoT devices. More secure devices will, in turn, ensure that business and home networks are more resilient and less vulnerable to attack and compromise.

The guide describes an architecture called Manufacturer Usage Description (MUD). MUD helps make home and small business networks more secure by:

• Prohibiting unauthorized traffic from to and from IoT devices
• Preventing a compromised IoT device from being used in an attack requiring the device to send traffic to an unauthorized destination
• Providing a standard method for access control information to be available to network control devices

Businesses can contribute to the guide

NIST is seeking comments on this preliminary draft of the guide, “Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD),” between April 24, 2019 and June 24, 2019.

Comments can be submitted to mitigating-iot-ddos-nccoe@nist.gov.