Authentication & Internet of Things (IoT) Security Abstract / Business Case

Per the recent NIST Cybersecurity, Research, Development and Implementation (CRDI) RFP (to which TSSG team member Eagle Network Solutions recently submitted a response), there is a critical need to research and document a taxonomy for describing and classifying IoT systems along with the properties, functionality and component characteristics of each. Additionally, IoT sector/vertical/use models need to be developed along with relevant cybersecurity standards, guidelines, regulations, recommended practices and accompanying validation, best-practice corrective action plans and remediation recommendations. Clearly, this is an emerging and evolving environment, one in an early stage of development. Recognizing that state of the environment and the critical need to better address IoT security from their current assignments in secure domains, Threat Surface Solutions Group team members Acquired Data Solutions, Eagle Network Solutions, and Ramparts developed a Cyber Physical Test Bench (CPTB). The CPTB is intended to provide a flexible, evolving test platform suitable for addressing the varying IoT challenges facing government and commercial enterprises including, but not limited to:

  • Developing / utilizing a consistent and standardized way of recognizing and testing data intensive devices and applications for cybersecurity integrity
  • Validation and cybersecurity “certification” in IoT devices
  • Modeling the threat environment and providing best practices & guidance for the prevention of cyber hacks that can be catastrophic to end-users

Based upon preliminary and limited engagement with select government and commercial groups, the pilot CPTB appears highly applicable across the IoT spectrum. In proof-of-concept test cases dealing with IoT IP flows, we have established initial capabilities that: enable command and control of the infrastructure and IoT appliances through network traffic flow management and tracking; enable the tracking and validation of enterprise assets and usage patterns; better address security operations integrity through automated firewall policy and configuration checks against authorized flows; and provide closed-loop, real-time validation of the mapping of flows to policies to tool configurations.

Problem Statement & Introduction

The IoT is an evolving, complex ecosystem of Internet-connected devices. IoT devices will inevitably become part of the US Government (USG) environment. The USG is interested in the ability to identify IoT devices and/or devices on the network as well as defend against the appearance of unapproved devices on the network. In addition, there is interest in key management for IoT.

New Technical Capability

Given that there is currently no agreed-upon taxonomy or characterization of IoT properties, functionalities, component characteristics, or sector/vertical/use models; no relevant cybersecurity standards, guidelines, regulations, or recommended practices; and no accompanying validation, best-practice corrective action plans or remediation recommendations, IoT devices are clearly in an early stage of development, emerging and evolving. Recognizing this dynamic state of the environment and the critical need to better address IoT security from their current assignments in secure domains, a small group of cybersecurity, sensor and system engineers banded together and developed a Cyber Physical Test Bench (CPTB) to better facilitate understanding, identification, testing, validation, and the implementation of more secure operational environments.

The CPTB is intended to provide a flexible, evolving test platform suitable for addressing the varying IoT challenges facing government and commercial enterprises including, but not limited to:

  • Developing / utilizing a consistent and standardized way of recognizing and testing data intensive devices and applications for cybersecurity integrity
    • Contributing to / utilizing evolving IoT taxonomy, ontology, other characterization models, standards and guidance
  • Validation and cybersecurity “certification” in IoT devices
    • Conformance to current network device cybersecurity standards - NIST Cyber Security Framework
    • Flexibility to incorporate evolving and future standards
  • Modeling the threat environment and providing best practices & guidance for the prevention of cyber hacks that can be catastrophic to end-users
    • Contributing to /utilizing evolving IoT threat modeling, threats assessment and best practices guidance and remediation to enable more secure operational environments

Description of how and why better than current technologies

Hardware

Network Application Test and Validation Engine (NATVE) is a Perl/Java/SQL based software suite designed to facilitate large-scale TCP/IP network communications testing. This software takes maximum advantage of a virtualized operating system/switching architecture for ease of testing complex network flow scenarios. Parameters such as route hops, delay, jitter, MTU, and latency characteristics are treated as variable test conditions in a network of arbitrary complexity. The test results reflect: existence of firewall/network connectivity, end-to-end throughput, bandwidth and jitter characteristics, and real application-layer proxy firewall functionality. FLOW currently operates with either in-band or out-of-band stateful signaling over TCP port 3306, initiated from each endpoint to a master console server.

Software

  1. CPTB 1.0 Beta Installer
  2. CPTB Beta Monitor and Control Software
  3. The MySQL 5.0 database engine is the heart of the master console and handles all messaging traffic, reports, and flow information

Architecture Used for Technical Capability

CPTB is a software/hardware platform designed to test connected devices such as IoT devices for safety and function against cybersecurity threats. The CPTB consists of a software suite designed to facilitate large-scale TCP/IP network communications testing, as well as data acquisition hardware to monitor and control physical parameters from the Device Under Test (DUT). The goal of the CPTB is to ensure the safety and function of the DUT as it operates under normal conditions during cyber vulnerability and penetration testing. The CPTB uses the NIST Cybersecurity Framework (CSF) to communicate the security categories that are being tested. The CSF can help to identify DUT best practices. While this function is outside the scope of the CPTB, the DUT best practices can be added to the CPTB reports. Our platform takes maximum advantage of virtualized operating system architectures for ease of testing complex network flow and data acquisition scenarios.

Network parameters such as route hops, delay, jitter, MTU, and latency characteristics, as well as physical parameters such as data acquisition rates and tolerances, are treated as variable test conditions to provide arbitrary complexity. The test results reflect: existence of firewall connectivity, end-to-end throughput, bandwidth and jitter characteristics, and real application-layer proxy firewall functionality. CPTB operates with either in-band or out-of-band stateful signaling over the TCP-based SQL port 3306, initiated from each EndPoint to the Master Console server. In addition, CPTB will have Statistical Process Control and Test Data Management for analysis such as First (1st) Pass Yield and Process Capability (Cp, Cpk). Figure 1 gives a high-level overview of system inputs and outputs (IO) for the CPTB software suite. The software operational states are broken into three main functions: EndPoint Mode, Master Console Mode, and Reporting Mode. The Graphical User Interface (GUI) is the preferred method for all non-EndPoint operations.

Volume and Types of Data Handled

At the Missile Defense Agency, prior to CPTB implementation, pre-deployment validation of ~1,000 data flows took over two weeks to complete with available lab staff levels. When the CPTB was implemented, we demonstrated that over 400,000 data flows are tested and validated between full meshed endpoints within several hours – to include the output of pass/fail and gap reports.

Benchmarks and Validation Methods

When the CPTB was implemented at MDA, we demonstrated that over 400,000 data flows are tested and validated between full-meshed endpoints within several hours, including the output of pass/fail and gap reports. The introduction of CPTB provided more functionality, transparency and greater understanding of operational flows (and the identification of anomalies), delivered vast efficiency improvements (here 20 times faster, a 1000% gain in productivity), and allowed network flow changes to be analyzed in near real time, creating a far more secure operational environment. After a test run, the FLOW endpoint uploads its test results to the master console unless an unrecoverable client error occurs during this phase (e.g. severed communication between the client and the master console).

FLOW Reports

The FLOW reporting software is accessible by launching the FLOW.pl -r command (see Figure 5) or alternatively through the FLOW REPORT ENGINE GUI (see Figure 5'). The FLOW.pl report capability is readily available on any of the endpoints and/or the master console. There are no restrictions on pulling the reporting information other than subnet restrictions based on the 1.x address space. (This is subject to change.) The FLOW REPORT ENGINE GUI is available via the master console only. The reporting engine takes the latest information accessible at the time of execution; this means that if a test uploaded a result 2 seconds before FLOW.pl -r is executed, the results will reflect that test run.

The specific reporting options have the following format unless specified otherwise. Test Time: the time at which the test was imported from the client into the master console, as reflected by the master console system clock. The endpoint uploads the test results immediately after the test completes.

  1. Endpoint TRAF Flow
    • TRAF testing software is the primary DUT software for simulating network traffic to specific (source IP, destination IP, protocol, destination port) TUPLES. These TUPLES fully represent the current user-input flow parameters. (These input parameters could expand to include other flow parameters.)
  2. Endpoint Real-Service test flows
    • Real-Service test flows currently include client-server transactions for DNS, SSHv2, FTP passive mode, HTTP, and HTTPS. The currently configurable parameters are the TUPLE: source IP and destination IP. (These input parameters could expand to include other service parameters.) Specifics regarding each transaction can be found in APPENDIX G – Client Server Real Service Flow.
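The pass/fail and gap reporting described above can be illustrated by comparing endpoint test outcomes for the page's flow TUPLES against an authorized-flow policy. This is an added example and not the CPTB/FLOW code itself; the policy, the test results and the report categories are constructed assumptions, and the first-pass-yield metric is computed over tested flows as one plausible reading of the page's "1st Pass Yield".

```python
from collections import namedtuple

# Flow tuple in the form the page describes for TRAF tests:
# (source IP, destination IP, protocol, destination port).
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed sample: the authorized-flow policy the firewall should permit.
AUTHORIZED_FLOWS = {
    Flow("10.1.1.5", "10.2.2.10", "tcp", 443),
    Flow("10.1.1.5", "10.2.2.53", "udp", 53),
    Flow("10.1.1.6", "10.2.2.10", "tcp", 22),
}

# Constructed sample: results an endpoint would upload to the master console.
# Each record is (flow tested, whether the connection succeeded).
TEST_RESULTS = [
    (Flow("10.1.1.5", "10.2.2.10", "tcp", 443), True),
    (Flow("10.1.1.5", "10.2.2.53", "udp", 53), False),   # authorized but blocked
    (Flow("10.1.1.6", "10.2.2.10", "tcp", 22), True),
    (Flow("10.1.1.6", "10.2.2.10", "tcp", 3389), True),  # unauthorized but permitted
    (Flow("10.1.1.7", "10.2.2.10", "tcp", 80), False),
]

def gap_report(authorized, results):
    """Classify observed flow outcomes against the authorized-flow policy.

    pass             - authorized flow that connected (expected)
    blocked_expected - unauthorized flow that was refused (expected)
    gap_blocked      - authorized flow that failed (rule missing or misconfigured)
    gap_open         - unauthorized flow that connected (over-permissive rule)
    untested         - authorized flows for which no result was uploaded
    """
    report = {k: [] for k in ("pass", "blocked_expected", "gap_blocked", "gap_open")}
    tested = set()
    for flow, connected in results:
        tested.add(flow)
        if flow in authorized:
            report["pass" if connected else "gap_blocked"].append(flow)
        else:
            report["gap_open" if connected else "blocked_expected"].append(flow)
    report["untested"] = sorted(authorized - tested)
    return report

def first_pass_yield(report):
    """Share of tested flows whose outcome matched policy (assumed 1st Pass Yield)."""
    ok = len(report["pass"]) + len(report["blocked_expected"])
    total = ok + len(report["gap_blocked"]) + len(report["gap_open"])
    return ok / total if total else 0.0

if __name__ == "__main__":
    rpt = gap_report(AUTHORIZED_FLOWS, TEST_RESULTS)
    for category, flows in rpt.items():
        print(category, [tuple(f) for f in flows])
    print("first pass yield:", first_pass_yield(rpt))
```

The gap_open list is the one to act on first, since it shows the firewall permitting a flow that the policy never authorized.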

Other Information Assessing Viability of Technical Capability

The team's experience with the identification and application of system boundaries and security controls (NIST SP 800-53) within a heterogeneous environment for enterprise and worldwide systems provides the logic and reasoning necessary for applying such an approach to IoT-related technologies. The CPTB platform is designed specifically around SP 800-53.

NIST SP 800-53 provides a robust listing of security controls that may be applied to a variety of technology systems. The team will analyze the system requirements applicable to IoT technologies, evaluate the IoT technology concerns and determine the system security controls (as described in NIST SP 800-53) necessary to mitigate IoT vulnerabilities. For specific IoT technologies, the team will enumerate the controls applicable to that technology in tables by IoT class, technology group, and sector. The output will be a document with tables, represented as an Excel spreadsheet, covering the functions, categories, sub-categories, references, etc. Through an iterative and incremental approach, different reference frameworks will be generated and tested. Our team engages with vertical-specific subject matter experts, utilizing AI and analytical tools to assure the integrity of the mapping model. Once the team generates what it deems a reasonable reference framework, the product of this iterative approach will be captured in the FLOW Reports described above.

Where Else Submitted

Our team, as prime vendor, along with partnering companies Acquired Data Solutions (ADS), Ramparts and Tesla Laboratories, recently submitted the CPTB platform to NIST as part of its Cybersecurity Research Development & Implementation solicitation response, in support of the IoT task area. In addition to the existing platform at MDA, the CPTB platform is soon to be utilized at the Defense Advanced Research Projects Agency (DARPA).