
2020.09.09

NIST has published a draft white paper on trusted IoT device network-layer onboarding and lifecycle management...

Hello, this is Mitsuhiko Maruyama.

NIST has published a draft white paper on trusted IoT device network-layer onboarding and lifecycle management...

It lists the following two benefits of using a trusted network-layer onboarding mechanism:

  • preventing unauthorized devices from connecting to the network
  • preventing the device from being taken over by an unauthorized network


● NIST

・2020.09.08 (Publication)  White Paper (Draft) Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management

・[PDF]  White Paper


Abstract




Table of Contents

1 Introduction
1.1 Challenges with current onboarding mechanisms
1.2 Genesis of This Paper
1.3 Objectives
1.4 Scope
1.5 Assumptions

2 Definitions
2.1 Onboarding
2.2 Onboarding Credentials
2.3 Network Onboarding Component
2.4 Bootstrapping
2.5 Device Bootstrapping Credentials
2.6 Network Bootstrapping Credentials
2.7 Device Information Declaration
2.8 Network-Layer Versus Application-Layer Onboarding

3 High-Level Description of Onboarding
3.1 Pre-onboarding
3.2 Network-Layer Onboarding
3.3 Critical Information

4 Onboarding Life-cycle Management
4.1 Supply chain
4.2 Device Use

5 Functional Roles

6 Onboarding Solution Characteristics
6.1 Characteristics of interest to users
6.2 Characteristics of Interest to Manufacturers and Vendors
6.3 Characteristics of Interest to Service Providers
6.4 Security-Specific Characteristics

7 Onboarding Use Cases

8 A Set of Recommended Security Capabilities for Onboarding

9 Next Steps

List of Figures
Figure 2-1 Onboarding and related terminology
Figure 3-1 Pre-onboarding activities performed by the IoT device manufacturer
Figure 3-2 Pre-onboarding activities performed by the owner of the onboarding network
Figure 3-3 Flow diagram illustrating the general network-layer onboarding process
Figure 4-1 High-level overview of the IoT device life cycle from an onboarding perspective
Figure 4-2 Supply chain phase of the IoT device life cycle from an onboarding perspective
Figure 4-3 Use phase of the device life cycle from an onboarding perspective
Figure 4-4 Complete IoT device life cycle from an onboarding perspective
Figure 6-1 Types of onboarding solution characteristics


List of Tables
Table 3-1 Summary of IoT Device-Related Pre-Onboarding Activities
Table 3-2 Summary of Network-Related Pre-Onboarding Activities
Table 3-3 Summary of IoT Device Network-Layer Onboarding
Table 6-1 Onboarding Solution Characteristics that Mainly Interest Users
Table 6-2 Onboarding Solution Characteristics that Mainly Interest Manufacturers and Vendors
Table 6-3 Onboarding Solution Characteristics that Mainly Interest Service Providers and Operators
Table 6-4 Security-Specific Attributes and Capabilities of an Onboarding Solution
Table 7-1 Consumer Versus General Enterprise Use Case Characteristics
Table 8-1 Proposed Set of Recommended Security Capabilities of an Onboarding Solution

List of Appendices
Appendix A— Acronyms
Appendix B— References


1 Introduction

Internet of Things (IoT) devices are typically single-purpose, smart objects that are connected to each other, to other components on a local network, or to a cloud via a network to provide functional capabilities. As with any device, to connect to a network securely, an IoT device needs appropriate credentials. A typical commercially available, mass-produced IoT device cannot be pre-provisioned with local network credentials by the manufacturer at manufacturing time. Instead, these local network credentials have to be provisioned to the device at deployment.

We refer to the steps that are performed to provision a device with its local network credentials as network-layer onboarding (or simply onboarding).

The wide variety of IoT devices differ regarding power, memory, computation, and other resource characteristics. Another key difference among these devices is in how they are onboarded. Ideally, the onboarding process should be trusted, efficient, and flexible enough to meet the needs of various use cases. Because IoT devices typically lack screens and keyboards, trying to provision their credentials can be cumbersome. For consumers, trusted onboarding should be easy; for enterprises, it should enable large numbers of devices to be quickly provisioned with unique credentials. Security attributes of the onboarding process assure that the network is not put at risk as new IoT devices are added to it.

This paper proposes a taxonomy for IoT device onboarding that can be used to clearly express the capabilities of any particular onboarding solution. By providing a common language that describes and clarifies various onboarding characteristics, this taxonomy assists with discussion, characterization, and development of onboarding solutions that can be adopted broadly. To provide context for the proposed onboarding taxonomy and to try to ensure its comprehensiveness, this paper also describes a generic onboarding process, defines onboarding functional roles, discusses onboarding-related aspects of IoT lifecycle management, presents onboarding use cases, and proposes recommended security capabilities for onboarding.
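To make the two benefits listed at the top of the post (rejecting unauthorized devices, refusing rogue networks) and the introduction's mutual-trust requirement concrete, here is an added Python model of mutually authenticated onboarding; it is not NIST's code and not a protocol from the paper. It assumes pre-shared HMAC keys as a simplified stand-in for the device and network bootstrapping credentials, and a plain dictionary in place of the paper's device information declarations.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample credentials. Pre-shared HMAC keys stand in for the
# manufacturer-installed device credential and the owner-installed network credential.
DEVICE_BOOTSTRAP_KEY = b"constructed-device-bootstrap-key"
NETWORK_BOOTSTRAP_KEY = b"constructed-network-bootstrap-key"


def _prove(key: bytes, challenge: bytes) -> bytes:
    """Proof of possession of a bootstrapping credential over a fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


@dataclass
class Device:
    device_id: str
    boot_key: bytes           # device bootstrapping credential
    trusted_net_key: bytes    # network bootstrapping credential the device trusts
    onboarding_credential: Optional[bytes] = None  # local network credential, set on success


class Network:
    def __init__(self, net_key: bytes, declarations: dict) -> None:
        self.net_key = net_key            # network bootstrapping credential
        self.declarations = declarations  # assumed: device id -> expected device key
        self.members: set = set()


def onboard(device: Device, network: Network) -> str:
    """Mutually authenticated network-layer onboarding; returns the outcome."""
    # 1. Network challenges the device: only a declared device holding the matching
    #    bootstrapping credential gets further (blocks unauthorized devices).
    net_nonce = secrets.token_bytes(16)
    dev_proof = _prove(device.boot_key, net_nonce + device.device_id.encode())
    expected_key = network.declarations.get(device.device_id)
    if expected_key is None or not hmac.compare_digest(
        dev_proof, _prove(expected_key, net_nonce + device.device_id.encode())
    ):
        return "rejected: unauthorized device"
    # 2. Device challenges the network: no credentials are accepted from a network
    #    that cannot prove its bootstrapping credential (blocks rogue networks).
    dev_nonce = secrets.token_bytes(16)
    net_proof = _prove(network.net_key, dev_nonce + b"network")
    if not hmac.compare_digest(net_proof, _prove(device.trusted_net_key, dev_nonce + b"network")):
        return "aborted: untrusted network"
    # 3. Both sides trusted: provision the local network (onboarding) credential.
    device.onboarding_credential = secrets.token_bytes(32)
    network.members.add(device.device_id)
    return "onboarded"
```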


1.3 Objectives

The objectives of this paper are to:

  • propose a taxonomy for IoT device onboarding that clearly expresses the capabilities of any particular onboarding solution

  • promote this taxonomy as a common vocabulary to be referenced in future work as a means for describing and classifying characteristics, roles, use cases, steps, challenges, and other information related to IoT device onboarding

  • elicit feedback from IoT device manufacturers, IoT device users, service providers, industry consortia, standards development organizations, and other stakeholders to ensure that the taxonomy fully captures the elements required to define and compare onboarding solutions in product-agnostic terms

  • encourage stakeholders to use the taxonomy to express their onboarding requirements, clarify what characteristics are required, and specify the optional capabilities to clearly bound the onboarding challenge

  • propose recommended security capabilities for onboarding and solicit feedback for the recommendations
