Hikvision

555 Qianmo Road, Binjiang District Hangzhou 310051 CN +86 571 8847 3644 wbin2006@gmail.com

Hikvision

555 Qianmo Road, Binjiang District Hangzhou 310051 CN +86 571 8847 3644 achelics@gmail.com

Hikvision

555 Qianmo Road, Binjiang District Hangzhou 310051 CN +86 571 8847 3644 dzwanli@126.com

CICS-CERT

No.35, Lugu Rd., Shijingshan Dist Beijing 100040 CN lijun@cics-cert.org.cn

Hikvision

555 Qianmo Road, Binjiang District Hangzhou 310051 CN +86 571 8847 3644 xing.wang.email@gmail.com

Hikvision

555 Qianmo Road, Binjiang District Hangzhou 310051 CN +86 571 8847 3644 yanhaonan.sec@gmail.com

Hikvision

555 Qianmo Road, Binjiang District Hangzhou 310051 CN +86 571 8847 3644 532874282@qq.com

Security Internet Engineering Task Force IoT secure access smart terminals It is difficult to supervise the great deal of Internet of Things (IoT) smart terminals which are widely distributed. Furthermore, a large number of smart terminals (such as IP cameras, access control terminals, traffic cameras, etc.) running on the network have high security risks in access control. This draft introduces the technical requirements for access management and control of IoT smart terminals, which is used to solve the problem of personate and illegal connection in the access process, and enables users to strengthen the control of devices and discover devices that is offline in time, so as to ensure the safety and stability of smart terminals in the access process.

Introduction With the rapid development of the IoT and the IP-based communication system, a large number of terminals have been interconnected through the network. Due to numerous branches of IoT network and the scattered distribution of smart terminals, it is difficult for human to supervise. Therefore, how to ensure the full-time control and available of IoT network becomes a new problem. A large number of smart terminals (such as IP cameras, access control terminals, traffic cameras and other dumb terminals), which running in the network, have a large security risk in terms of security access control. With the further development of the convergence of IoT systems and information network, if IoT smart terminals are once used by hackers, it is easy for hackers to penetrate the whole network through IoT smart terminals, causing core business systems unable to work and a large amount of confidential information to leak, which will bring huge loss. Therefore, the establishment of a perfect access control mechanism and application control mechanism of smart terminals is an important part of the IoT security system. This draft outlines the technical requirements for secure access and management of smart terminals in the IoT to address the security threats and challenges that exist in the access process of terminals. We discuss the networking structure of common IoT smart terminals in Section 2. Security threats and challenges faced in the access process of IoT smart terminals in will be clarified in Section 3. In Section 4, we review the guidelines and regulations related to the access of IoT terminals. In Section 5, we present the requirements for secure access and management of IoT smart terminals and describes in detail. This draft provides a reference for IoT security access and management .

The Network Structure of IoT System Under normal circumstances, IoT smart terminals are connected to the network through IoT gateway, and then the data of terminals is reported to the application center through IoT gateway, which builds the complete network. The diagram of an IoT system is shown in the figure below. In the perception layer, four types of IoT smart terminals form four subsystems, which are video monitoring subsystem, access control subsystem, alarm subsystem and intercom subsystem. The smart terminals in each subsystem are different. In the video monitoring subsystem, the main terminals are IP cameras and intelligent cameras for collecting video and image data. In the access control subsystem, the main terminals are turnstiles and vehicle access control hosts for collecting vehicle information. In the alarm subsystem, the main terminals are alarm hosts, alarm keyboards and wireless alarm hosts, which are used to set alarm policies, issue alarm warnings and report alarm events, etc. In the intercom subsystem, its main terminals are intercom hosts and individual equipment, which are used to collect voice data. Through this figure, we can know that in the IoT system, smart terminals are heterogeneous and complex, and the data are aggregated into the application layer through the transport layer, which greatly increases the difficulty of the application layer to control the terminals in the sensing layer. +----------------------------------------------------------------------+ | | | Application +------------+ | | Layer +--------+ | Video | | | +--------+ | Storage| +-------+ | Integrated | | | | HOST | | System | | DVI +-----+ Platform | | | +---+----+ +---+----+ +---+---+ +------+-----+ | | | | | | | | | | | | | +------------------+------------+--+----------+----------------+-------+ | | | | | | | Transport +-----+----+ | | Layer | Router | | | +-----+----+ | | | | | +------------------+-+------------+----------------+ | | | | | | | | +-+-------+ +----+----+ +----+----+ +-----+---+ | | | Gateway | | Gateway | | Gateway | | Gateway | | | +-+-------+ +----+----+ +----+----+ +-----+---+ | | | | | | | | | | | | | +----------------------------------------------------------------------+ | | | | | | +-------------+--+ +-------------+--+ +--------+-----+ +--------+-----+ | Video | | Access | | Alarm | | Intercom | | Surveillance | | Control | | Subsystem | | Subsystem | | Subsystem | | Subsystem | | +----------+ | | | | +------------+ | | +------------+ | | |Alarm Host| | | +----------+ | | | IP Camera | | | | Turnstile | | | +----------+ | | |Intercom | | | +------------+ | | +------------+ | | | Alarm | | | | Host | | | | Ip Camera | | | | Vehicle | | | | Keyboard | | | +----------+ | | +------------+ | | | Access | | | +----------+ | | |Individual| | | |Smart Camera| | | |Control Host| | | | Wireless | | | |Equipment | | | +------------+ | | +------------+ | | |Alarm Host| | | | | | +----------------+ +----------------+ | +----------+ | | +----------+ | | +--------------+ +--------------+ | Perception | | Layer | | | +----------------------------------------------------------------------+ Figure: The Network Structure of an IoT System

Security Threats and Challenges The main security threats and challenges in the process of accessing IoT smart terminals are as follows:

1. Illegal connection: By IoT smart terminals, illegal devices and hosts may access to the network for probing and attacking. The application layer network may be invaded by smart terminals, which will lead to information leakage.
2. Personate connection: Wide distribution of IoT smart terminals and the public deployment environment make it easy for malicious devices to impersonate legitimate devices and upload fake data, which will lead to abnormal function of the devices and causes great damage to the security of IoT.
3. Devices offline: IoT smart terminals are numerous and very vulnerable when they suffer from physical attacks, network anomalies, power supply anomalies, and aging of device, which leads them to work offline. However, offline devices are difficult to discover, causing the loss of some functions.
4. Devices management: There are many kinds of IoT smart terminals, and it is often not clear how many IoT smart terminals are in the whole IoT network and how many IoT smart terminals have security problems, which leads to unable to control IoT smart terminals and sort out device assets.

Current Technology Level

1. On the access control of IoT, many control protocols applied to IoT smart terminals have been proposed, such as Zigbee , DALI , BACNET , which do not contribute to the secure access of IoT devices. The UPnP access protocol defines the access to IoT smart terminals, but does not consider the issue of secure access.
2. There are many specialized and generic security protocols being used in current IP-based deployments of IoT smart device applications. For example, IPsec , TLS , DTLS , HIP , Kerberos , SASL , and EAP , etc. However, these protocols also can not protect against illegal connection, personate connection and offline encountered during device access.
3. There are also a number of groups that focus on IoT device security. For example, the Cloud Security Alliance (CSA) recommended that when enterprises build the IoT network, they should strengthen IoT smart device authentication/authorization . The Global System for Mobile communications Association (GSMA) has published a security guide for IoT systems to bring a set of security guidelines to the research of IoT security product. The United States Department of Homeland Security(DHS) has proposed six IoT security strategic principles to guide IoT developers, manufacturers, service providers, and consumers in considering security issues. These teams give good advice on building security for the IoT, but there is no introduction or description of secure access to the IoT.
4. The current security standards on IoT, such as , introduce the security issues and solutions, but there is no mention of the problems and solutions in the access process of smart terminals.
5. In other related device access standards, there are device access and portal-based authentication based on 802.1x . However, due to IoT smart terminals are mainly dumb terminals, they are not suitable for authentication access through 802.1x or portal, and the two authentication methods cannot be used to solve the illegal and personate connection of devices.

Secure Access and Management of IoT Smart Terminals

Framework of Secure Access Management Comparing to three-layer framework of IoT,a layer of access and management is added for the framework of secure access management, which is between transport layer and application layer. The framework of secure access management for IoT smart terminals is shown in the following figure. In this framework, the access process of IoT is divided into four parts, which are sensing&control domain, access&management domain, application&service domain, and user domain. Among them, access&management domain is the specific implementation of the secure access and management technical requirements to ensure secure access of smart terminals in terms of smart terminals management, access control, strategy management and access log audit. +-------------------------------------------------------User Domain----+ | Application & Service Domain | | +------------------+ +------------------+ +-------------------+ | | |Bussiness System 1| |Bussiness System 2| |Bussiness System...| | | +------------------+ +------------------+ +-------------------+ | +----------------------------------------------------------------------+ ^ ^ ^ | | | +----------+----------------+----------------+----------User Domain----+ | Access & Management Domain | | +-----------------+-----------------+----------------+-------------+ | | | Device | Device Access | Access Policy | Log Audit | | | | Management | +-------------+ | Management | | | | | | | Unique ID | | | | | | | | | Information | | | | | | | +-----+-------+ | +-------------+ | +------------+ | | | | | | IP | Port& | | | Trusted | | | IP&MAC | | +---------+ | | | | | |Service| | |Communication| | +------------+ | |Exception| | | | | +-------------+ | | Protocol | | |IP&MAC&Brand| | +---------+ | | | | |Type | Brand | | +-------------+ | +------------+ | |Behavior | | | | | +-------------+ | | Certificate | | |IP&MAC&Brand| | +---------+ | | | | |Model| MAC | | | access | | | &Model | | |Operation| | | | | +-------------+ | +-------------+ | +------------+ | +---------+ | | | +------------------------------------------------------------------+ | +----------------------------------------------------------------------+ Indirect ^ ^ ^ Direct Connection| | | Connection +----------------------------------------------------------------------+ | Sensing & +-----------+ | | | | Controlling |IoT Gateway| | | | | Domain +------^----+ | | | | | | | | | +------------------------------------------------------------------+ | | | +---------+ +---------+ +--------+ | +------+ | +------+ | | | | |RS-485 | |Zigbee | |IP/WIFI/| | |Video | | |Smart | | | | | |RS232 | |Lora and | |5G/4G | | |and | | |IP | | | | | |and Other| |Other | |Smart +--+ |Audio +-+ |Camera| | | | | |Wired | |Wireless | |Device | |Device| +------+ | | | | |Terminals| |Terminals| +--------+ |RFID | | | | | +---------+ +---------+ +------+ | | | +------------------------------------------------------------------+ | +----------------------------------------------------------------------+ Figure: Framework of Secure Access Management for Smart Terminals

Sensing & Controlling Domain Smart Terminals: Include wired terminals like RS-485, RS-232 and other devices, wireless terminals such as ZigBee, LoRa and other devices, smart devices like smart IP, WiFi, 5G, 4G, audio and video device and RFID, etc. IOT Gateway: An entity used to connect smart terminals and upper layer, which is able to store data, compute data and transform protocol. Among them, smart terminals can be directly connected to the access &-management domain, or indirectly connected to the access & management domain through the IoT gateway.

Access & Management Domain Access & management domain is the core, which is used to manage and control the access of smart terminals, including four parts: device management, device access, access policy management and log audit. The contents of each part are clarified as follows: Device Management: It mainly manages device asset information, including status, IP address, MAC address, type, brand, model, firmware version, open port and service of smart terminals. Device Access: It refers to the device access mode supported by smart terminals, including access based on unique identification information of smart terminals (the composition of it can be one or more sets of device asset information), access based on trusted communication protocol of smart terminals and access based on certificate authentication. Access Policy Management: It refers to the access policy management based on the unique identification information of smart terminals. The access policy includes IP&MAC access policy, IP&MAC&brand access policy, IP&MAC&brand&model access policy. Log Audit: Used to record, store and audit the log information generated in the access process of smart terminals, including exception log audit, behavior log audit and operation log audit.

Application & Service Domain Application & service domain is the core business system, which provides informational application services for information collecting, exchanging and processing. The information provided by the smart terminals is verified by the access & management domain to ensure security and stability of the system.

User Domain User domain refers to the users of smart terminals who can directly access the core business system in application & service domain, and view the access condition of smart terminals and manage them in access & management domain.

Requirements for Device Security Access

Requirements for Devices Access Authentication Identity Information The identity information of devices should include one or more of the following characteristics: 1.IP Address 2.MAC Address 3.Brand 4.Type 5.Model 6.Firmware Version 7.Port & Service

Requirements for Access Status of Devices There should be at least four types of access status: 1.Online: The device that has been authenticated and is still working well. 2.Offline: The device that has been authenticated whereas is not connected to network. 3.Replacement: The device that has not been authenticated whereas its authentication information is as the same as other authenticated device. 4.Illegal connection: The device that has not been authenticated and its information is different from other authenticated device.

Recommendation of Access Policy 1.The device access policy should have at least five combinations:
a. IP + MAC
b. IP + MAC + Brand
c. IP + MAC + Brand + Model
d. IP + MAC + Brand + Model + Type
e. IP + MAC + Brand + Model + Type + Firmware Version 2.The illegal access of replacement device and illegal connection device can be quickly discovered and prevented. 3.The configuration of access policy can be done manually and automatically. 4.The access policy can be customized by any combination of recommendation of access policy shown in requirement 1.

Requirements for Management of Terminals Device management requires to monitor status of terminals in real time, to profile terminals, to identify and manage applications running on terminals, to identify and manage asset information of terminals, and to manage IP addresses of terminals. 1.Requirements for condition monitoring and management of terminals a.It should be able to monitor the offline and online status of smart terminals in real time. b.It should be able to discover whether there is a weak password information of the smart terminal. c.It should be able to discover the risky ports of smart terminals. d.It should be able to alert offline devices or the devices with weak passwords and risky ports. 2.Requirements for management of terminal profiling a.It should be able to visualize the information of smart terminals, including IP address, brand, type, model, etc. 3.Requirements for management of identifying applications a.It should be able to automatically identify and manage the devices' open services and service ports. b.It should be able to automatically discover andidentify the application system of B/S architecture or C/S architecture running in the network where the IoT smart terminal located, including IP, service port, application name. 4.Requirements for management of identifying asset information of the device a.It should be able to manage IP address, MAC address, brand, model, type, firmware version, open port, and online time of smart terminals. b.It should be able to manage the communicationprotocol information. c.It should be able to manage the geographiclocation information of terminals

Requirements for Device Protocol Access Device Protocol Access requires the ability to release trusted protocol of IoT smart terminals and block untrusted protocols. 1.It should release IoT protocols, such as http, mqtt, onvif, coap, etc. 2.It should block illegal protocols in real time, such as ssh, ftp, telnet, etc. 3.It should select the corresponding protocols based on the specific business scenario, such as rtsp, onvif, and other protocols that used in the video surveillance field.

Requirements for Access Log Audit Access log audit requires the ability to audit all types of operations, such as abnormal and malicious behavior of access. 1.It should record abnormal behavior log information of access in real time and provide analysis and audit functions. 2.It should record malicious behavior log information of access in real time and provide analysis and audit functions. 3.It should record the management, access and blocking of access devices and other types of operations in real time, and provide analysis and audit functions.

Security Considerations This entire memo deals with security issues.

IANA Considerations This documents has no IANA actions.

Informative References American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) ISO/IEC/IEEE ISO/IEC