Session Date/Time: 12 Nov 2021 16:00
iotops
Summary
The iotops session covered a diverse range of topics pertinent to the operational aspects and security of IoT devices. Discussions included novel hardware-based authentication methods, a framework for integrating industrial networks with IT, challenges in secure and usable intranet browsing for IoT devices, the impact of supply chain security mandates on IoT signing practices, and the critical "midlife crisis" of IoT device ownership transfer. A key outcome was the formation of an initial effort to address the IoT ownership transfer problem.
Key Discussion Points
- Hardware-based IoT Authentication
  - Problem: Traditional human-intervention authentication (e.g., 802.1X) is unsuitable for next-generation (6G) heterogeneous IoT environments.
  - Proposed Solution: Authenticate devices based on physical sensing (video, audio, gestures, device-specific actions like blinking or playing a melody).
  - Enabling Technologies: Wi-Fi sensing (IEEE 802.11 project), 5G/6G sensing (3GPP efforts), and AI/neural networks for processing raw sensor data.
  - Challenges: Ensuring resilience against spoofing, noise, and interference.
  - Current Status: A draft introduces the concept and surveys existing literature, noting relevance to the EMU WG's E-OOB draft.
  - Call to Action: Participants are invited to join the pidlock mailing list to discuss the advancement of this work within the IETF.
- Framework for Integrated Industrial Networks
  - Motivation: To facilitate the integration of IT technologies (cloudification, virtual PLCs, various media like fieldbuses, Ethernet, TSN) into industrial networks.
  - Framework Structure: Divided into defining the network (components, interfaces), infrastructure (connecting sites, cloud interfaces using LDN nomenclature from RFC 8799), and alignment with industrial control architectures (e.g., the Purdue Model's 5 levels and security zones).
  - Scenarios: Virtualized PLCs in enterprise zones, remote control of factory assets, and the need for low-latency infrastructure.
  - Issues Identified: Current application-level encapsulation of industrial data complicates policy enforcement; stateful firewalls are challenging to configure and scale; physical isolation models are inadequate for cloud-integrated environments.
  - Proposed Architecture: Adopts IT's management, control, and data planes, emphasizing device management (onboarding, trust, policy distribution) and an optimized data plane for short, high-frequency sensor data.
  - Collaboration: Engagements are planned with organizations like IIC, OPC UA, and IEEE 802.15.22.
  - Call to Action: Seeking feedback on the document's scope and direction.
- Secure Usable Intranet Browsing for IoT Devices
  - Problem: Connecting securely and usably to local IoT devices or routers via a web browser is currently difficult. Unencrypted HTTP is common, and HTTPS with self-signed certificates triggers aggressive browser warnings, which discourages manufacturers from implementing secure browsing.
  - Current Practice: Manufacturers often resort to promoting dedicated mobile apps, which are neither scalable nor user-friendly (e.g., multiple apps for different devices).
  - Security Gaps: The current situation is antithetical to a zero-trust architecture, leaving local devices vulnerable to password capture and attacks.
  - Potential Solutions Explored:
    - Plex-style Bootstrapping: Provisioning classic CA-signed certificates to individual devices, though DNS rebinding protection presents implementation challenges.
    - Lobbying Browsers: Softening browser warnings (seen as a superficial fix).
    - Local CA/Gateway as Root: A local gateway or network entity could serve as a root CA for issuing certificates, potentially aligning with BRSKI-like approaches.
  - Hypothesis: May require an enhanced browser or a new model for device addressing and trust on local networks.
  - Next Steps: Publication of requirements and software solutions, an open GitHub repository, government engagement, and community experimentation.
  - Call to Action: Seeking further ideas and input from the group to develop an elegant solution.
- Signing in the IoT Supply Chain
  - Context: Driven by the US government's executive order on supply chain security and Microsoft's mandate for signed Software Bills of Materials (SBOMs).
  - Problem Space: Securing the supply chain for IoT devices (firmware, services, OS, applications) through SBOMs, attestations, and vulnerability databases.
  - Challenges:
    - Identity: Deciding between certificate-based and DID-based identities, requiring a flexible technology.
    - IoT Constraints: Existing PKCS#7 mechanisms and cryptographic timestamps may not be optimal for IoT device requirements.
    - Lifetime: IoT products have long lifespans (10-15 years) compared to typical 5-year certificate lifecycles, necessitating solutions for long-term validity.
  - Alternative Signing Technologies Under Consideration: COSE (preferred), JWS, and Google's "dead simple signing" (with reservations).
  - Current Plan: Proceeding with COSE to address the scale and diverse scenarios of OS and IoT signing.
  - Call to Action: Feedback and discussions are welcomed on the mailing list.
- IoT Midlife Crisis: Transfer of Ownership
  - Problem: The industry focuses on onboarding and credential renewal, but largely neglects the complexities of transferring IoT device ownership when devices change hands (e.g., selling a house, rental property turnover), especially without cooperation from the previous owner.
  - Challenges:
    - Discovery: New owners may be unaware of all IoT devices in their environment (e.g., smart sprinkler systems with hidden interfaces).
    - Control/Reset: Physical reset buttons may be inaccessible or unsuitable in enterprise/rental contexts.
  - Discussion Insights:
    - A shared vision for "good" ownership transfer is needed.
    - Vendors have disparate approaches, sometimes relying on cloud control or ultimate owner oversight in rentals.
    - The concept of "ownership vouchers" was proposed as a protocol to collect control assertions, analogous to physical keys.
    - Discovery is particularly hard for "lost" devices that have lost network connectivity, emphasizing the need to prevent arbitrary re-registration.
    - Parallels were drawn to physical property management (e.g., master keys for apartment buildings, escrow of credentials/reset methods).
    - A "crazy idea" was floated: devices communicate their presence to each other, allowing a new owner to query one device about others in the former network.
Decisions and Action Items
- Hardware-based IoT Authentication:
  - Action Item: All interested parties are encouraged to join the pidlock mailing list to further discuss the draft and potential IETF work.
- IoT Midlife Crisis: Transfer of Ownership:
  - Decision: The group will initiate work on documenting the problem space, scenarios, and principles for IoT device ownership transfer.
  - Action Item: Eliot Lear called for co-authors and a small design team to contribute to this effort.
  - Next Step: The team aims to present documented scenarios and principles at the next IETF meeting in March.
Next Steps
- Hardware-based IoT Authentication: Active discussion on the pidlock mailing list to gauge interest and direction for IETF work.
- Framework for Integrated Industrial Networks: Community feedback is sought on the current framework document to refine its scope and ensure alignment.
- Secure Usable Intranet Browsing: Continued work by the IoT Security Foundation on requirements and solutions, with plans for an open GitHub repository and government engagement. IETF participants are encouraged to provide input and ideas.
- Signing in the IoT Supply Chain: Roy Williams will keep the group updated on progress with COSE and welcomes feedback on the list regarding identity and lifetime challenges.
- IoT Midlife Crisis: Transfer of Ownership: Formation of a small design team to draft a problem statement and principles for ownership transfer, with an update expected at the next IETF session.