NIST Cyber Security Framework - OASIS



MQTT Supplemental Publication
NIST Cyber Security Framework

Introduction

The purpose of this supplemental publication is to introduce implementors and senior executives to the NIST Cyber Security Framework and its assimilation with the MQTT security recommendations. The NIST Cyber Security Framework purpose is two-fold:

- understand and assess the cybersecurity capabilities, readiness, and risks of their organization;
- identify areas of strength and weakness and aspects of cybersecurity on which they should productively focus, and learn what informative standards, guidelines, and practices are available and applicable to their organization.

The Framework offers a way to take an overarching view of an organization’s cybersecurity risk management by focusing on key “functions” of an organization’s approach to this security: Know, Prevent, Detect, Respond, and Recover. In the context of MQTT security, these functions should offer a high-level view of an organization’s M2M/IoT cyber security risk.

This document is divided into three sections:

- A description of the five functions, where each is associated with a list of relevant components along with references.
- An example of a “Security Profile” metric that can help implementors and senior executives determine their organization’s level of security.
- An example use case implementing the above two sections.

Cybersecurity Management Functions

This section describes the 5 cybersecurity management functions and how they can be used to manage M2M/IoT centric organizations where the MQTT protocol is prevalent. The list of components associated with each function is non-exhaustive and serves as a starting point for a cybersecurity management framework tailored to a specific organization. Furthermore, the components here essentially limit their scope to the MQTT protocol and the required underlying infrastructure. Keep in mind that a complete cybersecurity management framework can include a wide variety of topics that must be tailored to specific needs according to the organization's missions, environments of operation, and technologies used. Please refer to the NIST Cyber Security Framework for more information.

Know

This function describes the knowledge required to protect an organization from cybersecurity attacks and security breaches. The list below illustrates some of the components that may need to be addressed in an organization in order to ensure a thorough knowledge base of M2M cyber critical infrastructure.

Asset Management
- List of hardware devices
- Software inventory
- Network mapping
- Lifecycle tracking

Risk Management
- Defining Risk Tolerance
- Risk Identification
- Risk Assessment
- Analysis of Alternatives

Compliance
- Business Requirements
- Legislative and Regulatory
- Contractual Requirements
- Technology Certification

Information Sharing and Communications
- Understand Data Flows
- Internal Communications
- External Communications
- Cryptographic suites versioning and implementation how-to

Environmental Awareness
- Location of (client-side) end-devices
- Location of end-to-end communication infrastructures
- Location of (server-side) brokers and vicinity

Typical References
- ISO/IEC 27001
- HITRUST
- COBIT
- FFIEC
- National Infrastructure Protection Plan
- HIPAA
- NIST SP 800-18
- NIST SP 800-53 Rev. 4

Prevent

This function describes the preventive measures that should be implemented within an organization to avoid MQTT related cybersecurity threats.

Security Awareness
- User Awareness Training
- Formal Training
- Exercise and Evaluation

Identity, Credential and Access Management
- Use of PKI (e.g. TLS, VPN)
- Choose a well-known Certificate Authority
- Authentication of Clients by the Server
- Authentication of the Server by the Clients
- Authorization of Clients by the Server

Information Protection
- Use of cryptographic suites (e.g. TLS, VPN)
- Integrity of Application Messages and Control Packets
- Privacy of Application Messages and Control Packets
- Non-repudiation of message transmission
- Secure Random Number Generation for all involved devices

Server-side Protection
- Compliance with the MQTT specification
- Automatic Client disconnect mechanisms
- Suspicious behavior detection
- Dynamic Access Control Listing (e.g. by IP address or Client ID)
- Rate limiting and/or blocking (e.g. by IP address)
- Data-at-rest encryption
- Frequent session renegotiation to establish new cryptographic parameters (e.g. replace session keys or change cipher suites)

Client-side Protection
- Tamper-proof end-devices
- Proper storage of the client certificate (key management considerations)
- Two-factor authentication

Typical References
- MQTT Specification
- ISO 29129
- NIST Interagency Report 7628
- NERC CIP

Detect

This function describes how to identify potential security breaches.

Network Monitoring
- Repeated connection attempts
- Abnormal termination of connections

Physical Monitoring
- Client availability verification
- Physical inspection of end-devices and their vicinity

Intrusion Detection
- Repeated authentication attempts
- Topic scanning (attempts to send or subscribe to many topics)
- Sending undeliverable messages (no subscribers to the topics)
- Clients that connect but do not send data

Typical References
- SANS Top 20 Controls
- NIST 800-12
- NIST SP 800-83
- NIST SP 800-94

Respond

This function describes how to respond to an M2M security breach.

- Revoke lost and/or compromised certificates
- Revoke lost and/or compromised Client or Server authentication credentials
- Disconnect suspicious or compromised end-devices
- Block compromised telemetry channels
- Tighten Firewall policies
- Shut down compromised brokers and servers

Typical References
- NIST SP 800-53 Rev. 4
- NIST SP 800-61
- NIST SP 800-83
- NIST 800-86

Recover

This last function describes system and disaster recovery.

- Perform information system recovery (e.g. restart broker, create new telemetry channels, etc.)
- Perform reconstitution activities
- Provide an alternate work site to recover work activities
- Review Firewall policies
- Reissue certificates and authentication credentials
- Inspect end-devices
- Review Key Management and cryptographic deployments
- Backup systems
- Updated contingency plan

Typical References
- NIST SP 800-34
- NIST SP 800-53 Rev. 4
- SANS Top 20 Controls

Security Level Profiles Definition

Based on the level of compliance with the functions and associated references, it is possible to create a metric that helps implementors and senior executives determine their organization’s level of security with respect to targeted standards and regulations. This qualitative metric could, for example, be measured using a matrix where one can assess, for each function, the number of guidelines and references with which the organization is already compliant. For instance, one could consider 4 levels of security: Unsecured, Base Secured, Industry Secured (Base + Industry customizations), and Cyber Critical Secured. The corresponding scores are: <25%, <50%, <75%, >75%, respectively.

Security Profile Implementation Use Case

This section attempts to illustrate the Cybersecurity Management Functions and the Security Level Profile through a use case. Each use case contains its own list of threats and required standards and regulations. The 5 functions are applied to the use case to estimate how far the organization complies with the relevant guidelines and references contained in each function. Subsequently the qualitative metric is applied to the use case and returns a security level score.

Example Use Case 1: Aircraft Turnaround M2M Ecosystem

An airline company establishes an M2M infrastructure that gathers information in order to optimize aircraft turnaround at its home base airport. The information gathered originates from the company’s and partners’ remote sensors. These include passenger bus and refueling truck geo-location and real-time fuel consumption sensors that use telemetry channels through MQTT. The objective is to optimize routes, locate key assets, forecast unavailability periods, and ultimately reduce turnaround time. However, as the information is potentially shared between several organizations, the ability to secure and accurately apportion data to the authorized members is important. The Airline Company follows several recommendation publications such as NIST Special Publication 800-26 (Security Self-Assessment Guide for Information Technology Systems) for advice on how to manage IT security and ISO 15408 (Evaluation criteria for IT security) to test the security of the infrastructure. The airline has also established a list of internal regulations that serve as guidelines for risk management, incident response planning, and recovery planning.

The application of the NIST Cyber Security Framework to the MQTT component of the Airline’s cybersecurity infrastructure is described below.

Know

The Airline has identified the following list of M2M related cyber security threats:

- Malfunctioning partner sensors
- Misconfigured partner authentication mechanisms
- Key management
- Questionable partner security perimeters
- Airport Networking Infrastructure Firewall policies

The company follows a strict asset management policy based on ISO 27001. It has established a list of all company and partner sensors and a list of all connecting MQTT clients. The Airline has also established network mapping and identified risky routing portions. However, the Airline does not consider more specific hardware recommendations such as the SANS Top 20 controls for unauthorized and misconfigured devices.

Prevent

The Airline implements TLS 1.2 for authentication and encryption and subscribes to a leading Certificate Authority. It also follows recommendations from ISO 29129, which specifies cryptographic primitives suitable for end-devices operating in constrained environments. Because of the key-management complexity problem, Clients are not authenticated and are therefore authorized using single factor authentication (credential access) only.

Detect

The Airline monitors network activity (repeated connection attempts and abnormal connection terminations) and access control by using firewalls and whitelisting policies available on the Airline’s broker, as recommended in NIST 800-12 and NIST SP 800-83. It does not, however, possess a well-defined end-device monitoring plan such as specified in NIST SP 800-94.

Respond

The company has incident management guidelines that staff should follow in case of security breach detection. These guidelines were crafted internally based on the recommendations of NIST SP 800-61 (Computer Security Incident Handling Guide). The guidelines offer insight on how to mitigate:

- Denial of Service
- Malicious Code
- Inappropriate Usage

Unauthorized access guidelines are not included.

Recover

To recover from a potential cyber-attack the company has established a contingency and disaster recovery plan based on guidelines specified in NIST SP 800-34.

Security Level Profile Score

Function     Targeted Standards and Regulations   Estimated Compliance   Score
Know         ISO 27001                            70%                    14/20
             NIST SP 800-26                       65%
Prevent      ISO 29129                            100%                   15/20
             SANS Top 20 controls                 20%
             ISO 15408                            60%
Detect       NIST 800-12                          80%                    11/20
             NIST SP 800-83                       65%
             NIST SP 800-94                       15%
Respond      NIST SP 800-61                       100%                   20/20
Recover      NIST SP 800-34                       70%                    14/20
TOTAL SCORE                                                              74/100

Conclusion

The qualitative metric ranks the Company at 74% secured, corresponding to Level 2 “Industry Secured”. To increase its security level, the Company should make efforts to comply with the overlooked guidelines and publications or reconsider the list of targeted standards.
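The four Intrusion Detection indicators listed under the Detect function (repeated authentication attempts, topic scanning, undeliverable messages, and clients that connect but send nothing) can be checked mechanically from the events a broker exposes, which is the kind of broker-side monitoring the Airline use case relies on. The following is an added example, not code from the OASIS publication: the event tuple format, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed broker events as (seconds, client id, event, topic). The format is an
# assumption standing in for whatever the deployed broker exposes, not a real log format.
SAMPLE_EVENTS = [
    (0, "truck-07", "auth_fail", None),
    (1, "truck-07", "auth_fail", None),
    (2, "truck-07", "auth_fail", None),
    (3, "ops-dash", "connect", None),
    (4, "ops-dash", "subscribe", "fleet/bus/12/position"),
    (5, "bus-12", "connect", None),
    (6, "bus-12", "publish", "fleet/bus/12/position"),
    (7, "bus-12", "publish", "fleet/bus/12/fuel"),  # nobody subscribed to this topic
    (8, "scan-x", "connect", None),
    (9, "scan-x", "subscribe", "fleet/bus/1/position"),
    (10, "scan-x", "subscribe", "fleet/bus/2/position"),
    (11, "scan-x", "subscribe", "fleet/bus/3/position"),
    (12, "idle-9", "connect", None),
]
# Assumed thresholds; tune them for the deployment.
AUTH_FAIL_THRESHOLD = 3   # failed authentications per client
TOPIC_SCAN_THRESHOLD = 3  # distinct topics touched per client
SILENT_AFTER_S = 60       # connected this long with no subscribe or publish


def detect(events, now):
    """Map each Intrusion Detection indicator to the sorted client ids that triggered it."""
    auth_fail, topics = defaultdict(int), defaultdict(set)
    subscribed, active, undeliverable, connected_at = set(), set(), set(), {}
    for ts, client, event, topic in events:
        if event == "auth_fail":
            auth_fail[client] += 1
        elif event == "connect":
            connected_at[client] = ts
        elif event == "subscribe":
            subscribed.add(topic)
            topics[client].add(topic)
            active.add(client)
        elif event == "publish":
            topics[client].add(topic)
            active.add(client)
            if topic not in subscribed:  # exact match only; wildcard filters are not modelled
                undeliverable.add(client)
    return {
        "repeated_auth_attempts": sorted(c for c, n in auth_fail.items() if n >= AUTH_FAIL_THRESHOLD),
        "topic_scanning": sorted(c for c, t in topics.items() if len(t) >= TOPIC_SCAN_THRESHOLD),
        "undeliverable_messages": sorted(undeliverable),
        "silent_clients": sorted(c for c, t in connected_at.items() if c not in active and now - t >= SILENT_AFTER_S),
    }
```

Running detect(SAMPLE_EVENTS, now=100) on the constructed sample flags truck-07, scan-x, bus-12 and idle-9 for the four indicators respectively; each flag is a prompt for the Respond actions (revoke credentials, disconnect the client), not an automatic block.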