Scaling Security for The Internet of Things with MUD

A proposed IETF standard would create device- and use-specific policies for connected endpoints.

In-brief: Cisco’s Marc Blackmer discusses a proposal before the IETF that would create a Manufacturers Usage Description (MUD) standard by which device makers and their customers can specify the kinds of activities and communications that are allowed for Internet of Things devices.

Thinking like the bad guys can be a stretch for the good guys. It’s in the name: Good guys. The good guys are supposed to be all about defense, not offense. But there’s a lot of value for defenders in spending time thinking like attackers. Let’s give it a try: If you’re the bad guy, what’s the soft underbelly of your network that could be exploited right now? It doesn’t take much effort to mentally catalogue the vulnerable applications, devices, and misconfigurations on your network. The struggle is creating a manageable, prioritized list of the vulnerabilities. That’s where I’m going with this exercise.

The good guys have a growing list of connected “things” to manage and defend, each of which is a potential way into your network. The more things that there are on your network, the easier it becomes for the bad guys. They can pivot from device to device as they work their way through your network while remaining hidden in the massive volume of traffic. Your real enemy here is scale.

Marc Blackmer, Cisco Systems
Marc Blackmer is a Product Marketing Manager for Industry Solutions at Cisco Systems.

By 2020, Gartner estimates that there will be 20 billion connected things in the Internet of Things (IoT), while we at Cisco are putting that number closer to 50 billion. It doesn’t really matter which of these numbers will prove to be more accurate. If we’re using the word “billion,” that, itself, is a problem. Besides, it’s not like the IoT will stop expanding in 2020.

The idea of weaponizing IoT devices is no longer theoretical. The recent large-scale distributed denial of service (DDoS) attacks against journalist Brian Krebs and the web hosting company OVH proved that exploited IoT devices can do major damage to a target. It’s been reported that cameras, thermostats, digital video recorders (DVRs), and more were used in these and earlier, lesser-known attacks. These attacks and the release of the malware source code behind one of these “thing” botnets marked the beginning of a new reality. It’s a reality that many of us expected and predicted, just maybe not so soon.

So now… here we are.

Last month at the Security of Things Forum, I presented a standards-based approach to IoT cybersecurity developed by Cisco and submitted to the Internet Engineering Task Force (IETF): Manufacturer Usage Descriptions (MUD). The intention of MUD is to prevent inappropriate communications by IoT devices, to prevent lateral movement by attackers across different device types, and to drastically reduce the complications of scale for network and security administrators. The MUD approach is different from existing cybersecurity approaches because it uses the subject matter expertise of device manufacturers, network security vendors and network administrators to minimize the effort of securing IoT endpoints. Importantly: MUD is extremely scalable.

How could MUD help mitigate, if not prevent, such an attack? Here’s how MUD works and could be put to use:

  1. A connected device provides its local, MUD-supporting network controller with a URI that links to the device manufacturer’s MUD server;
  2. The manufacturer explicitly describes the device and what its expected behavior is in a standard XML file format, and that file is retrieved by the network controller from the MUD server;
  3. The network controller creates a security policy for the class of device described in the manufacturer’s MUD file. Approved communications are allowed and everything else is denied. The controller, upon approval from the network administrator, then merges the MUD information into the existing network policy.
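The three steps above, worked through as an added example (this is illustrative code written for this article, not Cisco’s implementation and not the IETF draft’s file schema). A device announces its MUD URL, a simulated manufacturer MUD server returns a description of the device class, the controller turns that description into a default-deny allowlist once an administrator approves it, and flows are then evaluated against the policy. The hostnames, the MUD URL and the description format are all constructed stand-ins; the real MUD file format is richer than the three-field rules used here.

```python
"""
Added example: a toy model of MUD onboarding and enforcement.
Not the article's code or the IETF specification; the description
format below is a deliberate simplification of a MUD file.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed: what the manufacturer's MUD server would return for the
# camera's MUD URL. Hostnames and ports are made up for this example.
MUD_SERVER = {
    "https://mud.example-cams.test/ipcam-v2": {
        "device_class": "ipcam-v2",
        "allow": [
            {"to": "camera-controller.local", "port": 443, "proto": "tcp"},
            {"to": "monitoring-station.local", "port": 554, "proto": "tcp"},
            {"to": "ntp.example-cams.test", "port": 123, "proto": "udp"},
        ],
    }
}


@dataclass(frozen=True)
class Flow:
    """One attempted communication from a device of a given class."""
    src_class: str
    dst: str
    port: int
    proto: str


@dataclass
class Policy:
    """Allowlist for one device class; everything not listed is denied."""
    device_class: str
    allowed: set = field(default_factory=set)   # (dst, port, proto) tuples
    flagged: list = field(default_factory=list)  # denied flows, for alerting

    def evaluate(self, flow: Flow) -> str:
        # Default-deny: only manufacturer-described communications pass.
        if (flow.dst, flow.port, flow.proto) in self.allowed:
            return "allow"
        self.flagged.append(flow)  # the controller would log/alert on this
        return "deny"


def fetch_mud_file(mud_url: str) -> dict:
    # Steps 1 and 2: the controller checks the URL the device presented
    # and retrieves the manufacturer's description from the MUD server.
    parsed = urlparse(mud_url)
    if parsed.scheme != "https":
        raise ValueError("MUD URL must use https")
    try:
        return MUD_SERVER[mud_url]
    except KeyError:
        raise LookupError(f"no MUD file published at {mud_url}")


def build_policy(mud_file: dict) -> Policy:
    # Step 3: derive an allowlist for the device class from the description.
    policy = Policy(mud_file["device_class"])
    for rule in mud_file["allow"]:
        policy.allowed.add((rule["to"], rule["port"], rule["proto"]))
    return policy


def onboard_device(mud_url: str, admin_approved: bool) -> Policy:
    # The derived policy is only merged into the network once an
    # administrator has approved it.
    policy = build_policy(fetch_mud_file(mud_url))
    if not admin_approved:
        raise PermissionError("administrator has not approved the MUD policy")
    return policy


if __name__ == "__main__":
    cam = onboard_device("https://mud.example-cams.test/ipcam-v2", admin_approved=True)
    # Constructed flows: the first is expected behaviour, the others are
    # the kind of out-of-profile traffic the article describes.
    for flow in [
        Flow("ipcam-v2", "camera-controller.local", 443, "tcp"),
        Flow("ipcam-v2", "pos-terminal.local", 443, "tcp"),
        Flow("ipcam-v2", "finance-db.local", 1433, "tcp"),
        Flow("ipcam-v2", "news-site.example", 80, "tcp"),
    ]:
        print(f"{flow.dst}:{flow.port}/{flow.proto} -> {cam.evaluate(flow)}")
    print(f"{len(cam.flagged)} flows flagged for the administrator")
```

The point the model makes is that the camera never needs a rule written for it by hand: the manufacturer describes what the device should talk to, and the controller only has to say "nothing else". The flagged list is where a security operations team would hook detection, since any entry is, by construction, traffic the manufacturer did not expect the device to generate.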

The result is that the network policy would allow an IP-enabled camera to communicate with its controller and monitoring station, but not with other devices outside of that constrained (and purpose-driven) ecosystem. But if it tried to communicate with a point-of-sale device, a financial database, or a well-known journalist’s web site, as hundreds of thousands of CCTV cameras have recently been commanded to do, it would violate its MUD policy and those attempts would be blocked and flagged.

MUD is still in the process of being reviewed by the IETF (the MUD RFC is available for review here) and has not yet been ratified. We are encouraging the technology and security communities to provide input and to collaborate to help ensure that the finished standard is something from which we can all benefit.

The scale of the IoT requires collaborative effort where possible if we are to effectively defend our businesses, critical infrastructure, and our personal information from attack and theft. That is why MUD has been conceived as an open, standards-based approach. The more we are able to mount a cooperative defense, the more likely attacks such as the ones we saw in September will be a footnote rather than the norm.