NIST SPECIAL PUBLICATION 1800 -15 Securing Small -Business and Home Internet of Things (IoT) Devices Mitigating Network -Based Attacks Using Manufacturer Usage Description (MUD) Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How -To Guide s (C) Donna Dodson Tim Polk Murugiah Souppaya NIST Yemi Fashina Parisa Grayeli Joshua Klosterman Blaine Mulugeta Mary Raguso Susan Symington The MITRE Corporation Jaideep Singh Molex William C. Barker Dakota Consulting Dean Coclin Clint Wilson DigiCert Darshak Thakore Mark Walker CableLabs Eliot Lear Brian Weis Cisco Tim Jones ForeScout Drew Cohen MasterPeace PRELIMINARY DRAFT This publication is available free of charge from: https://www.nccoe.nist.gov/projects/building -blocks/mitigating -iot-based -ddos NIST SPECIAL PUBLICATION 1800 -15 Securing Small -Business and Home Internet of Things (IoT) Devices: Mitigating Network -Based Attacks Using Manufacturer Usage Description (MUD) Includes Executive Summary (A); Approach, Architecture, an d Security Characteristics (B) ; and How -To Guides (C) Donna Do dson Tim Polk Murugiah S ouppaya NIST William C. Barker Dakota Consulting Eliot Lear Brian Weis Cisco Yemi Fashina Parisa Grayeli Joshua Klosterman Blaine Mulugeta Mary Raguso Susan Symington The MITRE Corporation Dean Coclin Clint Wilson DigiCert Tim Jones ForeScout Jaideep Singh Molex Darshak Thakore Mark Walker CableLabs Drew Cohen MasterPeace PRELIMINARY DRAFT April 201 9 U.S. Department of Commerce Wilbur Ross , Secretary National Institute of Standards and Technology Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director NIST SPECIAL PUBLICATION 1800 -15A Securing Small -Business and Home Internet of Things (IoT) Devices Mitigating Network -Based Attacks Using Manufacturer Usage Description (MUD) Volume A: Executive Summary Donna Dodson Tim Polk Murugiah Souppaya NIST William C. Barker Dakota Consulting Parisa Grayeli Mary Raguso Susan Symington The MITRE Corporation April 2019 PRELIMINARY DRAFT This publication is available free of charge from https://www.nccoe.nist.gov/projects/building -blocks/mitig ating -iot-based -ddos PRELIMINARY DRAFT NIST SP 1800 -15A: Securing Small -Business and Home IoT Devices 1 Executive Summary 1 The goal of the Internet Engineering Task Force’s manufacturer usage description (MUD) architecture is 2 for Internet of Things (IoT) devices to behave as intended by the manufacturer s of the devices. This is 3 done by providing a standard way for manufacturers to identify each device’s type and to indicate the 4 network communications that it requires to perform its intended function. When MUD is used, the 5 network will automatically permit the IoT device to per form as intended, and the network will prohibit 6 all other device behaviors. 7 ▪ The National Cybersecurity Center of Excellence (NCCoE) has demonstrated for IoT product 8 developers and implementers the ability to ensure that when an IoT device connects to a home 9 or small -business network, MUD can be used to automatically permit the dev ice to send and 10 receive only the traffic it requires to perform its intended function. 11 ▪ A distributed denial of service (DDoS) attack can cause a significant negative impact to an 12 organization that is dependent on the internet to conduct business. A DDoS at tack involves 13 multiple computing devices in disparate locations sending repeated requests to a server with 14 the intent to overload it and ultimately render it inaccessible. 15 ▪ Recently, IoT devices have been exploited to launch DDoS attacks. IoT devices may have 16 unpatched or easily discoverable so