usnistgov / FederalProfile-8259A


Characterizing device behavior to detect and respond to attacks #232

Closed jlepp-BLACKBERRY closed 3 years ago

jlepp-BLACKBERRY commented 4 years ago

Cybersecurity is an evolving field and the manufacturer may not be able to predict future vulnerabilities. That said, the requirement to describe normal behavior of the device is reasonable, though a widely used standard to convey this information to various security components in the system is lacking.

“Describing expected behavior of the normal operation of the IoT device” is a useful step, as any deviation from the normal operation can be an indicator of a security incident. If the “normal operation” can be described in a machine-readable format and provided to other components in the system, the agency can put in place automated alerts and containment actions to defend itself. If the normal operation is merely described in human-readable language, manual configuration of firewall rules and other mitigations is error-prone. The Manufacturer Usage Description (MUD) described in IETF RFC 8520 contains one method to describe network behavior of the IoT device and there is ongoing NIST work on the subject of “Characterizing Network Behavior of Internet of Things Devices”. Additionally, machine learning (ML) is a form of AI that can learn the normal behavior patterns of an IoT device.

“Describing the indicators of attacks on the IoT device” and “indicators that could occur when an attack is being launched” should reference a standard taxonomy or nomenclature for such a description. Ideally a machine-readable standard for conveying this information could be used, but it doesn’t currently exist – it would be much more complex than IETF MUD and may be device specific. Additionally, since new attacks may be developed after the device is in use, new attack descriptions may need to be delivered with CVE bulletins or similar advisories.

In conclusion we recommend only requiring description of the normal behavior, as a basis on which everything else can be deemed abnormal, rather than requiring description of both normal behavior and attack or post-attack behavior.
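The MUD-based approach the comment describes, as an added illustration that is not part of the issue thread or of the NIST catalog: a constructed, abbreviated RFC 8520 MUD file for a hypothetical sensor, a parser that extracts the device's from-device "accept" rules, and a check that flags observed flows the MUD does not permit (the deviation from normal operation the comment proposes treating as an incident indicator). The MUD contents, host names and flow records are all assumptions.

```python
import json

# Constructed, abbreviated MUD file in the RFC 8520 layout (not any real device's file).
MUD_DOC = json.loads("""{
 "ietf-mud:mud": {
  "mud-version": 1,
  "mud-url": "https://example.invalid/sensor.json",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-sensor-v4fr"}]}}
 },
 "ietf-access-control-list:acls": {"acl": [{
  "name": "mud-sensor-v4fr", "type": "ipv4-acl-type",
  "aces": {"ace": [
   {"name": "cloud-tls", "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.example.invalid", "protocol": 6},
    "tcp": {"ietf-mud:direction-initiated": "from-device", "destination-port": {"operator": "eq", "port": 443}}},
    "actions": {"forwarding": "accept"}},
   {"name": "ntp", "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.example.invalid", "protocol": 17},
    "udp": {"destination-port": {"operator": "eq", "port": 123}}},
    "actions": {"forwarding": "accept"}}
  ]}}]}
}""")


def from_device_rules(mud):
    """Return the set of (dst_name, ip_proto, dst_port) the device is allowed to initiate."""
    names = {a["name"] for a in mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]}
    rules = set()
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in names:        # only ACLs referenced by the from-device policy
            continue
        for ace in acl["aces"]["ace"]:
            if ace["actions"]["forwarding"] != "accept":
                continue
            m = ace["matches"]
            ip = m.get("ipv4") or m.get("ipv6") or {}
            l4 = m.get("tcp") or m.get("udp") or {}
            port = l4.get("destination-port", {}).get("port")
            rules.add((ip.get("ietf-acldns:dst-dnsname"), ip.get("protocol"), port))
    return rules


def deviations(mud, flows):
    """Flows (dst_name, ip_proto, dst_port) the device opened that no MUD rule permits."""
    allowed = from_device_rules(mud)
    return [f for f in flows if f not in allowed]

# Constructed flow summaries as a gateway might record them, destinations already resolved to names.
OBSERVED = [("api.example.invalid", 6, 443), ("time.example.invalid", 17, 123), ("198.51.100.7", 6, 23)]

if __name__ == "__main__":
    print(deviations(MUD_DOC, OBSERVED))  # the unexpected telnet flow is the only deviation
```

A real deployment would feed `deviations()` from the gateway's flow records and raise an alert or apply a containment rule for each hit, which is the automated response the comment argues a machine-readable description makes possible.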

kevingbrady commented 3 years ago

"Thank you for your comments. They've been reviewed and have been useful to our technical team. You will soon see the updated versions of these catalogs on the new GitHub page: IoT Device Cybersecurity Requirements Catalog."