Date Published: May 3, 2023
Comments Due:
Email Questions to:
Author(s)
Michael Fagan (NIST), Jeffrey Marron (NIST), Paul Watrobski (NIST), Murugiah Souppaya (NIST), William Barker (Dakota Consulting), Chelsea Deane (MITRE), Joshua Klosterman (MITRE), Charlie Rearick (MITRE), Blaine Mulugeta (MITRE), Susan Symington (MITRE), Dan Harkins (Aruba, a Hewlett Packard Enterprise company), Danny Jump (Aruba, a Hewlett Packard Enterprise company), Andy Dolan (CableLabs), Kyle Haefner (CableLabs), Craig Pratt (CableLabs), Darshak Thakore (CableLabs), Peter Romness (Cisco), Tyler Baker (Foundries.io), David Griego (Foundries.io), Brecht Wyseur (Kudelski IoT), Alexandru Mereacre (NquiringMinds), Nick Allott (NquiringMinds), Julien Delaplanke (NXP Semiconductors), Michael Richardson (Sandelman Software Works), Mike Dow (Silicon Labs), Steve Egerter (Silicon Labs), Steve Clark (WISeKey)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has published a preliminary public draft of NIST SP 1800-36B-E: Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The comment period is open until June 20, 2023.
About the Project
Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.
This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. The NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and capabilities that improve device and network security throughout the IoT-device lifecycle to achieve this.
Join the IoT Community of Interest
If you have expertise in IoT and/or network security and would like to help shape this project, consider joining the IoT Onboarding Community of Interest. Contact the project team at iot-onboarding@nist.gov declaring your interest.
Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one is where a device is convinced to join an unauthorized network, which would take control of the device. The other side is where a network is infiltrated by a malicious device. Trust is achieved by attesting and verifying the identity and posture of the device and the network as part of the network-layer onboarding process. Additional safeguards, such as verifying the security posture of the device before other operations occur, can be performed throughout the device lifecycle. In this practice guide, the National Cybersecurity Center of Excellence (NCCoE) applies standards, recommended practices, and commercially available technology to demonstrate various mechanisms for trusted network-layer onboarding of IoT devices. We show how to provide network credentials to IoT devices in a trusted manner and maintain a secure posture throughout the device lifecycle.
Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one...
See full abstract
Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one is where a device is convinced to join an unauthorized network, which would take control of the device. The other side is where a network is infiltrated by a malicious device. Trust is achieved by attesting and verifying the identity and posture of the device and the network as part of the network-layer onboarding process. Additional safeguards, such as verifying the security posture of the device before other operations occur, can be performed throughout the device lifecycle. In this practice guide, the National Cybersecurity Center of Excellence (NCCoE) applies standards, recommended practices, and commercially available technology to demonstrate various mechanisms for trusted network-layer onboarding of IoT devices. We show how to provide network credentials to IoT devices in a trusted manner and maintain a secure posture throughout the device lifecycle.
Hide full abstract
Keywords
application-layer onboarding; bootstrapping; Internet of Things (IoT); Manufacturer Usage Description (MUD); network-layer onboarding; onboarding; Wi-Fi Easy Connect
Control Families
None selected