Abstract

Despite the advantages that the Internet of Things (IoT) will bring to our daily life, the increasing interconnectivity, as well as the amount and sensitivity of data, make IoT devices an attractive target for attackers. To address this issue, the recent Manufacturer Usage Description (MUD) standard has been proposed to describe network access control policies in the manufacturing phase to protect the device during its operation by restricting its communications. In this paper, we define an architecture and process to obtain and enforce the MUD restrictions during the bootstrapping of a device. Furthermore, we extend the MUD model with a flexible policy language to express additional aspects, such as data privacy, channel protection, and resource authorization. For the enforcement of such enriched behavioral profiles, we make use of Software Defined Networking (SDN) techniques, as well as an attribute-based access control approach by using authorization credentials and encryption techniques. These techniques are used to protect devices’ data, which are shared through a blockchain platform. The resulting approach was implemented and evaluated in a real scenario, and is intended to reduce the attack surface of IoT deployments by restricting devices’ communication before they join a certain network.
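The abstract describes MUD as a manufacturer-supplied profile that lists the only communications a device should be allowed, enforced by the network once the device is admitted. The following added example, which is not code from the paper or its authors, shows what that enforcement step looks like in practice: a minimal MUD file in the RFC 8520 data model (a constructed profile for an illustrative sensor, with a placeholder `mud-url`) is evaluated against candidate flows, and anything the profile does not explicitly accept is dropped. The static `resolve()` table standing in for DNS and the `decide()` evaluator are assumptions of this example; a real MUD manager would resolve names when it installs SDN or firewall rules and would refresh them as records change.

```python
import json

# Constructed MUD file (illustration only, not from the paper). It follows the
# RFC 8520 layout: "ietf-mud:mud" names the ACLs that apply in each direction,
# and the ACE bodies live under "ietf-access-control-list:acls".
MUD_FILE = json.loads("""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://manufacturer.example/mud/PLACEHOLDER-sensor.json",
    "last-update": "2020-01-01T00:00:00+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Constructed sensor profile for illustration",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-sensor-v4fr"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "mud-sensor-v4to"}]}}
  },
  "ietf-access-control-list:acls": {"acl": [
    {"name": "mud-sensor-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [{
      "name": "cl0-frdev",
      "matches": {
        "ipv4": {"ietf-acldns:dst-dnsname": "update.manufacturer.example", "protocol": 6},
        "tcp": {"ietf-mud:direction-initiated": "from-device",
                "destination-port": {"operator": "eq", "port": 443}}},
      "actions": {"forwarding": "accept"}}]}},
    {"name": "mud-sensor-v4to", "type": "ipv4-acl-type", "aces": {"ace": [{
      "name": "cl0-todev",
      "matches": {
        "ipv4": {"ietf-acldns:src-dnsname": "update.manufacturer.example", "protocol": 6},
        "tcp": {"ietf-mud:direction-initiated": "from-device",
                "source-port": {"operator": "eq", "port": 443}}},
      "actions": {"forwarding": "accept"}}]}}
  ]}
}
""")

# Constructed stand-in for DNS resolution (assumption of this example).
RESOLVER_TABLE = {"update.manufacturer.example": {"203.0.113.10"}}


def resolve(name):
    """Return the set of IPv4 addresses a DNS name currently maps to."""
    return RESOLVER_TABLE.get(name, set())


def _acls_for_direction(mud, direction):
    """Look up the ACL bodies the MUD container references for one direction."""
    key = "from-device-policy" if direction == "from-device" else "to-device-policy"
    wanted = [e["name"] for e in mud["ietf-mud:mud"][key]["access-lists"]["access-list"]]
    by_name = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    return [by_name[n] for n in wanted]  # KeyError here means a dangling ACL reference


def _port_ok(spec, port):
    """Evaluate an RFC 8519 port-range-or-operator node against one port."""
    op = spec.get("operator", "eq")
    if op == "range":
        return spec["lower-port"] <= port <= spec["upper-port"]
    return {"eq": port == spec["port"], "neq": port != spec["port"],
            "gte": port >= spec["port"], "lte": port <= spec["port"]}[op]


def _ace_matches(ace, flow, resolver):
    """True when every match field present in the ACE agrees with the flow."""
    ipv4 = ace["matches"].get("ipv4", {})
    if "protocol" in ipv4 and ipv4["protocol"] != flow["protocol"]:
        return False
    for key, field in (("ietf-acldns:dst-dnsname", "dst"), ("ietf-acldns:src-dnsname", "src")):
        if key in ipv4 and flow[field] not in resolver(ipv4[key]):
            return False
    tcp = ace["matches"].get("tcp")
    if tcp is not None:
        if flow["protocol"] != 6:
            return False
        if "destination-port" in tcp and not _port_ok(tcp["destination-port"], flow["dport"]):
            return False
        if "source-port" in tcp and not _port_ok(tcp["source-port"], flow["sport"]):
            return False
        # direction-initiated distinguishes replies from unsolicited inbound connections
        initiated = tcp.get("ietf-mud:direction-initiated")
        if initiated is not None and initiated != flow["initiated"]:
            return False
    return True


def decide(mud, flow, resolver=resolve):
    """Return the forwarding action for a flow dict with keys direction, protocol,
    src, dst, sport, dport, initiated. MUD semantics are allow-list: anything the
    profile does not explicitly accept is dropped."""
    for acl in _acls_for_direction(mud, flow["direction"]):
        for ace in acl["aces"]["ace"]:
            if _ace_matches(ace, flow, resolver):
                return ace["actions"]["forwarding"]
    return "drop"


if __name__ == "__main__":
    update_call = {"direction": "from-device", "protocol": 6, "src": "192.0.2.20",
                   "dst": "203.0.113.10", "sport": 51000, "dport": 443, "initiated": "from-device"}
    print(decide(MUD_FILE, update_call))  # accept: the profile lists this server on 443
```

The two ACLs together express the usual MUD pattern: the device may open TCP/443 to its update host, and replies from that host are admitted only because `direction-initiated` marks them as belonging to a device-initiated connection; the same host connecting inbound on its own, or the device talking to any other address or protocol, falls through to `drop`.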

Highlights

  • The exponential growth of the Internet of Things (IoT) brings endless possibilities to improve our daily lives based on the data exchanged among interconnected devices and systems

  • In a previous paper we proposed a Manufacturer Usage Description (MUD) extension [8]; it was limited to access control policies and specific security aspects

  • The extension proposed in this paper integrates the MUD model with the usage of the Medium-level Security Policy Language (MSPL), which has been used in the scope of the EU H2020 project ANASTACIA [9]


Summary

Introduction

The exponential growth of the Internet of Things (IoT) brings endless possibilities to improve our daily lives based on the data exchanged among interconnected devices and systems. This work proposes an architecture and process to obtain and enforce the policies described in an extended MUD profile. The extension proposed in this paper integrates the MUD model with the usage of the Medium-level Security Policy Language (MSPL), which has been used in the scope of the EU H2020 project ANASTACIA [9]. We extend our architecture proposed in [10], in which the MUD management was integrated into the bootstrapping process of the device (i.e., when the device joins a certain network). This way, MUD restrictions are enforced before the device is connected to the network, reducing the attack surface.

Related Work
Augmenting Behavioral Profiles through MUD Extensions
Architecture
Message Exchange
Bootstrapping Phase
Device Authentication and MUD Obtaining
Extended MUD Translation
Policy Deployment
Post-Bootstrapping Phase
Authorization Token Request
Data and Hash Publication
Testbed
Evaluation of the Proposal
Conclusions