Enforcing Behavioral Profiles through Software-Defined Networks in the Industrial Internet of Things

Abstract: The fourth industrial revolution is being mainly driven by the integration of Internet of Things (IoT) technologies to support the development lifecycle of systems and products. Despite the well-known advantages for the industry, an increasingly pervasive industrial ecosystem could make such devices an attractive target for potential attackers. Recently, the Manufacturer Usage Description (MUD) standard enables manufacturers to specify the intended use of their devices, thereby restricting the attack surface o… Show more

“…On the right, we show the architecture components required for enabling a secure data sharing process based on the extended MUD profiles, after the device has completed the bootstrapping process. Our approach extends the architecture proposed by Matheu et al [10], in which the MUD architecture was integrated in the bootstrapping phase. In this phase, we obtain the device's information required to protect the device before it joins the network.…”

“…As mentioned above, Figure 1 shows an overview of the main processes involved in our proposal that will be further detailed in Section 6. For the Device Authentication (Step 1) and MUD Obtaining (Step 2) phases, we use a similar approach to the one proposed by Matheu et al [10], which is based on a combination of the Extensible Authentication Protocol (EAP) [42] and the Authentication, Authorization and Accounting (AAA) Framework [43]. Instead of using the Protocol for Carrying Authentication for Network Access (PANA) [44], we employ the Constrained Application Protocol (CoAP) standard as an EAP lower layer specifically designed for devices with constrained memory and computational resources [15].…”

“…Moreover, as in our previous work [10], we use an SDN approach based on the architecture defined in the EU H2020 project ANASTACIA [9] to enforce network access control restrictions included in the MUD file. In particular, we integrate some components of the SDN architecture into the MUD Manager, which represents the main building block of the MUD standard.…”

“…Although the MUD standard proposes mechanisms to communicate the MUD URL from the device, it leaves open the possibility for considering other options for constrained devices that cannot communicate the MUD URL, or in scenarios with limited Internet connection. As described by Matheu et al [10], our approach proposes the usage of the AAA architecture to deliver the MUD URL. In particular, the MUD URL is embedded in the attribute "vendor-specific" of the RADIUS protocol (EAP Success, Message 2).…”

“…It provides a high expressiveness to specify security policies beyond network layer at medium-level abstraction (e.g., with information of the endpoints and communications, such as IP addresses and protocols), in an agnostic way to the enforcement process. Based on this, we extend our architecture proposed in [10], in which the MUD management was integrated in the bootstrapping process of the device (i.e., when the device joins a certain network). This way, MUD restrictions are enforced before the device is connected to the network, thus reducing the attack surface.…”

Security Architecture for Defining and Enforcing Security Profiles in DLT/SDN-Based IoT Systems

“…On the right, we show the architecture components required for enabling a secure data sharing process based on the extended MUD profiles, after the device has completed the bootstrapping process. Our approach extends the architecture proposed by Matheu et al [10], in which the MUD architecture was integrated in the bootstrapping phase. In this phase, we obtain the device's information required to protect the device before it joins the network.…”

“…As mentioned above, Figure 1 shows an overview of the main processes involved in our proposal that will be further detailed in Section 6. For the Device Authentication (Step 1) and MUD Obtaining (Step 2) phases, we use a similar approach to the one proposed by Matheu et al [10], which is based on a combination of the Extensible Authentication Protocol (EAP) [42] and the Authentication, Authorization and Accounting (AAA) Framework [43]. Instead of using the Protocol for Carrying Authentication for Network Access (PANA) [44], we employ the Constrained Application Protocol (CoAP) standard as an EAP lower layer specifically designed for devices with constrained memory and computational resources [15].…”

“…Moreover, as in our previous work [10], we use an SDN approach based on the architecture defined in the EU H2020 project ANASTACIA [9] to enforce network access control restrictions included in the MUD file. In particular, we integrate some components of the SDN architecture into the MUD Manager, which represents the main building block of the MUD standard.…”

“…Although the MUD standard proposes mechanisms to communicate the MUD URL from the device, it leaves open the possibility for considering other options for constrained devices that cannot communicate the MUD URL, or in scenarios with limited Internet connection. As described by Matheu et al [10], our approach proposes the usage of the AAA architecture to deliver the MUD URL. In particular, the MUD URL is embedded in the attribute "vendor-specific" of the RADIUS protocol (EAP Success, Message 2).…”

“…It provides a high expressiveness to specify security policies beyond network layer at medium-level abstraction (e.g., with information of the endpoints and communications, such as IP addresses and protocols), in an agnostic way to the enforcement process. Based on this, we extend our architecture proposed in [10], in which the MUD management was integrated in the bootstrapping process of the device (i.e., when the device joins a certain network). This way, MUD restrictions are enforced before the device is connected to the network, thus reducing the attack surface.…”

Security Architecture for Defining and Enforcing Security Profiles in DLT/SDN-Based IoT Systems

On the Analysis of MUD-Files’ Interactions, Conflicts, and Configuration Requirements Before Deployment

Integrating the manufacturer usage description standard in the modelling of cyber–physical systems