Appendix A List of Acronyms
| Acronym | Definition |
|---|---|
| AAA | Authentication, Authorization, and Accounting |
| ACE | Access Control Entry |
| ACK | Acknowledgement |
| ACL | Access Control List |
| AP | Access Point |
| API | Application Programming Interface |
| CIS | Center for Internet Security |
| CMS | Cryptographic Message Syntax |
| COBIT | Control Objectives for Information and Related Technology |
| CRADA | Cooperative Research and Development Agreement |
| DACL | Dynamic Access Control List |
| DDoS | Distributed Denial of Service |
| Devkit | Development Kit |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name System |
| DVR | Digital Video Recorder |
| FIPS | Federal Information Processing Standard |
| GCA | Global Cyber Alliance |
| GUI | Graphical User Interface |
| http | Hypertext Transfer Protocol |
| https | Hypertext Transfer Protocol Secure |
| HVAC | Heating, Ventilation, and Air Conditioning |
| IANA | Internet Assigned Numbers Authority |
| IEEE | Institute of Electrical and Electronics Engineers |
| IETF | Internet Engineering Task Force |
| IOS | Cisco's Internetwork Operating System |
| IoT | Internet of Things |
| IP | Internet Protocol |
| IPv4 | Internet Protocol Version 4 |
| IPv6 | Internet Protocol Version 6 |
| ISA | International Society of Automation |
| ISO/IEC | International Organization for Standardization/International Electrotechnical Commission |
| ISP | Internet Service Provider |
| IT | Information Technology |
| JSON | JavaScript Object Notation |
| LED | Light-Emitting Diode |
| LLDP | Link Layer Discovery Protocol (IEEE 802.1AB) |
| MAC | Media Access Control |
| MQTT | Message Queuing Telemetry Transport |
| MSO | Multiple-System Operator |
| MUD | Manufacturer Usage Description |
| NAT | Network Address Translation |
| NCCoE | National Cybersecurity Center of Excellence |
| NIST | National Institute of Standards and Technology |
| NISTIR | NIST Interagency or Internal Report |
| NTP | Network Time Protocol |
| OS | Operating System |
| PEP | Policy Enforcement Point |
| PKI | Public Key Infrastructure |
| PoE | Power over Ethernet |
| PSK | Pre-Shared Key |
| QR | Quick Response |
| RADIUS | Remote Authentication Dial-In User Service |
| REST | Representational State Transfer |
| RFC | Request for Comments |
| RMF | Risk Management Framework |
| SDN | Software Defined Networking |
| SNMP | Simple Network Management Protocol |
| SP | Special Publication |
| SSID | Service Set Identifier |
| SSL | Secure Sockets Layer |
| TCP | Transmission Control Protocol |
| TCP/IP | Transmission Control Protocol/Internet Protocol |
| TLS | Transport Layer Security |
| TLV | Type Length Value |
| TTL | Time to Live |
| UDP | User Datagram Protocol |
| UI | User Interface |
| URL | Uniform Resource Locator |
| VLAN | Virtual Local Area Network |
| VoIP | Voice Over IP |
| VPN | Virtual Private Network |
| WAN | Wide Area Network |
| WFA | Wi-Fi Alliance |
| YANG | Yet Another Next Generation |
Appendix B Glossary
| Term | Definition |
|---|---|
| Audit | Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures (NIST SP 800-12 Rev. 1). |
| Best Practice | A procedure that has been shown by research and experience to produce optimal results and that is established or proposed as a standard suitable for widespread adoption (Merriam-Webster). |
| Botnet | The word "botnet" is formed from the words "robot" and "network." Cyber criminals use special Trojan viruses to breach the security of several users' computers, take control of each computer, and organize all the infected machines into a network of "bots" that the criminal can remotely manage (https://usa.kaspersky.com/resource-center/threats/botnet-attacks). |
| Control | A measure that modifies risk. (Note: controls include any process, policy, device, practice, or other action that modifies risk.) (NISTIR 8053) |
| Denial of Service | The prevention of authorized access to a system resource or the delaying of system operations and functions (NIST SP 800-82 Rev. 2). |
| Distributed Denial of Service (DDoS) | A denial of service technique that uses numerous hosts to perform the attack (NISTIR 7711). |
| Managed Devices | Personal computers, laptops, mobile devices, virtual machines, and infrastructure components that run management agents, allowing information technology staff to discover, maintain, and control them. Devices with broken or missing agents cannot be seen or managed by agent-based security products. |
| Manufacturer Usage Description (MUD) | A component-based architecture specified in Request for Comments (RFC) 8520 that is designed to provide a means for end devices to signal to the network what sort of access and network functionality they require to properly function. |
| Mapping | Depiction of how data from one information source maps to data from another information source. |
| Mitigate | To make less severe or painful or to cause to become less harsh or hostile (Merriam-Webster). |
| MUD-Capable | An Internet of Things (IoT) device that can emit a MUD uniform resource locator (URL) in compliance with the MUD specification (RFC 8520). |
| Network Address Translation (NAT) | A function by which internet protocol (IP) addresses within a packet are replaced with different IP addresses. This function is most commonly performed by either routers or firewalls. It enables private IP networks that use unregistered (not globally routable) IP addresses to connect to the internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into globally routable addresses before packets are forwarded to another network. |
| Non-MUD-Capable | An IoT device that is not capable of emitting a MUD URL in compliance with the MUD specification (RFC 8520). |
| Onboarding | The process by which a device obtains the network identifier and credentials (e.g., the SSID and passphrase of a wireless network) that it needs in order to gain access to a wired or wireless network. |
| Operationalization | Putting MUD implementations into operational service in a manner that is both practical and effective. |
| Policy | Statements, rules, or assertions that specify the correct or expected behavior of an entity. For example, an authorization policy might specify the correct access control rules for a software component (NIST SP 800-95 and NISTIR 7621 Rev. 1). |
| Policy Enforcement Point (PEP) | A network device on which policy decisions are carried out or enforced. |
| Risk | The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST SP 800-30). |
| Router | A computer that is a gateway between two networks at Open Systems Interconnection (OSI) layer 3 and that relays and directs data packets through that internetwork. The most common form of router operates on IP packets (NIST SP 800-82 Rev. 2). |
| Security Control | A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements (NIST SP 800-53 Rev. 4). |
| Server | A computer or device on a network that manages network resources. Examples include file servers (to store files), print servers (to manage one or more printers), network servers (to manage network traffic), and database servers (to process database queries) (NIST SP 800-47). |
| Shall | A requirement that must be met unless a justification of why it cannot be met is given and accepted (NISTIR 5153). |
| Should | This term is used to indicate an important recommendation. Ignoring the recommendation could result in undesirable results (NIST SP 800-108). |
| Threat | Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability (FIPS 200). |
| Threat Signaling | Real-time signaling of DDoS-related telemetry and threat-handling requests and data between elements concerned with DDoS attack detection, classification, trace back, and mitigation (https://joinup.ec.europa.eu/collection/rolling-plan-ict-standardisation/cybersecurity-network-and-information-security). |
| Traffic Filter | An entry in an access control list that is installed on the router or switch to enforce access controls on the network. |
| Uniform Resource Locator (URL) | A reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a host name (www.example.com), and a path to the resource (index.html). Also sometimes referred to as a web address. |
| Update | New, improved, or fixed software, which replaces older versions of the same software. For example, updating an operating system brings it up-to-date with the latest drivers, system utilities, and security software. The software publisher often provides updates free of charge (https://www.computerhope.com/jargon/u/update.htm). |
| Update Server | A server that provides patches and other software updates to IoT devices. |
| VLAN | A broadcast domain that is partitioned and isolated within a network at the data link layer. A single physical local area network (LAN) can be logically partitioned into multiple, independent VLANs; a group of devices on one or more physical LANs can be configured to communicate within the same VLAN, as if they were attached to the same physical LAN. |
| Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source (NIST SP 800-37 Rev. 2). |
Appendix C References
- B1
E. Lear, R. Droms, and D. Romascanu, Manufacturer Usage Description Specification, Internet Engineering Task Force (IETF) Request for Comments (RFC) 8520, March 2019. Available: https://tools.ietf.org/html/rfc8520.
- B2
The Guardian, “DDoS attack that disrupted internet was largest of its kind in history, experts say” [Online]. Available: https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
- B3
Wi-Fi Alliance. Wi-Fi Easy Connect. Available: https://www.wi-fi.org/discover-wi-fi/wi-fi-easy-connect.
- B4
National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 2018. Available: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
- B5
NIST, Guide for Conducting Risk Assessments, Special Publication (SP) 800-30 Revision 1, September 2012. Available: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf.
- B6
NIST, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, SP 800-37 Revision 2, December 2018. https://doi.org/10.6028/NIST.SP.800-37r2
- B7
NIST, Risk Management Framework (RMF): Quick Start Guides. Available: https://csrc.nist.gov/projects/risk-management/rmf-quick-start-guides
- B8
K. Boeckl et al., Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, NIST Interagency or Internal Report (IR) 8228, June 2019. Available: https://doi.org/10.6028/NIST.IR.8228
- B9
NIST, Security and Privacy Controls for Information Systems and Organizations, SP 800-53 Revision 5, September 2020. Available: https://doi.org/10.6028/NIST.SP.800-53r5.
In addition, the following is a bibliography of additional sources used during the course of this project.
FIDO Alliance. Specifications Overview [Website]. Available: https://fidoalliance.org/specifications/overview/.
IETF, Internet-Draft draft-srich-opsawg-mud-manu-lifecycle-01. (2017, Mar.) "MUD Lifecycle: A Manufacturer's Perspective" [Online]. Available: https://tools.ietf.org/html/draft-srich-opsawg-mud-manu-lifecycle-01.
IETF, Internet-Draft draft-srich-opsawg-mud-net-lifecycle-01. (2017, Sept.) "MUD Lifecycle: A Network Operator's Perspective" [Online]. Available: https://tools.ietf.org/html/draft-srich-opsawg-mud-net-lifecycle-01.
IETF, RFC 2131. (1997, Mar.) “Dynamic Host Configuration Protocol” [Online]. Available: https://tools.ietf.org/html/rfc2131.
IETF, RFC 2818. (2000, May) "HTTP Over TLS" [Online]. Available: https://tools.ietf.org/html/rfc2818.
IETF, RFC 5280. (2008, May) "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" [Online]. Available: https://tools.ietf.org/html/rfc5280.
IETF, RFC 5652. (2009, Sept.) “Cryptographic Message Syntax (CMS)” [Online]. Available: https://tools.ietf.org/html/rfc5652.
IETF, RFC 6020. (2010, Oct.) “YANG—A Data Modeling Language for the Network Configuration Protocol (NETCONF)” [Online]. Available: https://tools.ietf.org/html/rfc6020.
Internet Policy Task Force, National Telecommunications Information Administration. Multistakeholder Working Group for Secure Update of IoT Devices [Website]. Available: https://www.ntia.doc.gov/category/internet-things.
NIST IR 7823. (2012, Jul.) Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework [Online]. Available: http://csrc.nist.gov/publications/drafts/nistir-7823/draft_nistir-7823.pdf.
NIST SP 800-18 Revision 1. (2006, Feb.) Guide for Developing Security Plans for Federal Information Systems [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf.
NIST SP 800-30. (2002, Jul.) Risk Management Guide for Information Technology Systems [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
NIST SP 800-40 Rev. 3. (2013, Jul.) Guide to Enterprise Patch Management Technologies [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final.
NIST SP 800-52 Revision 2. (2019, Aug.) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations [Online]. Available: https://doi.org/10.6028/NIST.SP.800-52r2.
NIST SP 800-57 Part 1 Revision 4. (2016, Jan.) Recommendation for Key Management [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf.
NIST SP 800-63-3. (2017, Jun.) Digital Identity Guidelines [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-63/3/final.
NIST SP 800-63-B. (2017, Jun.) Digital Identity Guidelines: Authentication and Lifecycle Management [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-63b/final
NIST SP 800-137. (2011, Sept.) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
NIST SP 800-147. (2011, Apr.) BIOS Protection Guidelines [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-147/final.
NIST SP 800-147B. (2014, Aug.) BIOS Protection Guidelines for Servers [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-147B.pdf.
NIST SP 800-193. (2018, May.) Platform Firmware Resiliency Guidelines [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf.
Office of Management and Budget (OMB) Circular A-130 Revised. (2016, Jul.) Managing Information as a Strategic Resource [Online]. Available: https://obamawhitehouse.archives.gov/omb/circulars_a130_a130trans4/.
SANS Institute. CWE/SANS Top 25 Most Dangerous Software Errors [Website]. Available: https://www.sans.org/top25-software-errors/.
Wi-Fi Alliance. DRAFT Device Provisioning Protocol Specification Version 1.2, 2020. Available: https://www.wi-fi.org/file/device-provisioning-protocol-draft-specification.