Automated IoT Security
draft-garciamorchon-t2trg-automated-iot-security-01

Document Type Active Internet-Draft (individual)
Last updated 2018-10-19
Stream (None)
Intended RFC status (None)
Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                  O. Garcia-Morchon
Internet-Draft                                                   Philips
Intended status: Informational                                   T. Dahm
Expires: April 22, 2019                                           Google
                                                        October 19, 2018

                         Automated IoT Security
          draft-garciamorchon-t2trg-automated-iot-security-01

Abstract

   The Internet of Things (IoT) concept refers to the usage of standard
   Internet protocols to allow for human-to-thing and thing-to-thing
   communication.  The security needs are well-recognized but the design
   space of IoT applications and systems is complex and exposed to
   multiple types of threats.  In particular, threats keep evolving at a
   fast pace while many IoT systems are rarely updated and still remain
   operational for decades.

   This document describes a comprehensive agile security framework to
   integrate existing security processes such as risk assessment or
   vulnerability assessment in the lifecycle of a smart object in an IoT
   application.  The core of our agile security approach relies on two
   protocols: the Protocol for Automatic Security Configuration (PASC)
   and the Protocol for Automatic Vulnerability Assessment (PAVA).  PASC
   is executed during the onboarding phase of a smart object in an IoT
   system and is in charge of automatically performing a risk assessment
   and assigning a security configuration - applicable to the device or
   the system - to defeat the identified risks.  The assigned security
   configuration fits the specific environment and threat model of the
   application in which the device has been deployed.  PAVA is executed
   during the operation of the IoT object and ensures that
   vulnerabilities in the smart object and IoT system are discovered in
   a proactive way.

   These two protocols can benefit users, manufacturers and operators by
   automating IoT security.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

Garcia-Morchon & Dahm    Expires April 22, 2019                 [Page 1]
Internet-Draft           Automated IoT Security             October 2018

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 22, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Conventions and Terminology Used in this Document . . . . . .   2
   2.  Integrating automated security processes in the IoT lifecycle   3
     2.1.  Automated Security Processes for Manufacturers  . . . . .   3
     2.2.  Automated Security Processes for Users  . . . . . . . . .   3
     2.3.  Automated Security Processes for System Integrators . . .   4
   3.  Integrating security workflows in the IoT lifecycle . . . . .   4
     3.1.  Security workflows: which ones and how they are
           traditionally applied.  . . . . . . . . . . . . . . . . .   4
     3.2.  Automating security workflows . . . . . . . . . . . . . .   6
   4.  Automated IoT security protocols: PASC and PAVA . . . . . . .   7
     4.1.  PASC: Protocol for Automatic Security Configuration . . .   8
     4.2.  Protocol for Automatic Vulnerability Assessment (PAVA)  .  10
   5.  Conclusions and security considerations . . . . . . . . . . .  10
   6.  Next steps  . . . . . . . . . . . . . . . . . . . . . . . . .  11
   7.  Informative References  . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Conventions and Terminology Used in this Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in "Key words for use in