Enhancing IoT Security: A Study of Secure Authentication and Onboarding Mechanisms in Connected Devices
Master's Degree in Cybersecurity (Máster en Ciberseguridad)
Master's Thesis (Trabajo Fin de Máster)
Author:
Pedro Ruzafa Alcázar
Tutors:
Antonio Skarmeta Gómez (DIIC)
Sara Nieves Matheu García (DIIC)
Murcia, 26 May 2025
Signed declaration on the originality of the work
Mr./Ms. Pedro Ruzafa Alcázar, with national ID (DNI) 23833808N, student of the Master's Degree in Cybersecurity at the University of Murcia and author of the Master's Thesis (TFM) entitled "Enhancing IoT Security: A Study of Secure Authentication and Onboarding Mechanisms in Connected Devices".
In accordance with the Regulations governing Bachelor's and Master's Theses at the University of Murcia (approved by the Governing Council on 30-04-2015, amended on 22-04-2016 and 28-09-2018), as well as the internal rules for the offering, assignment, preparation and defence of Bachelor's and Master's Theses of the degrees taught at the Faculty of Computer Science of the University of Murcia (approved by the Faculty Board on 27-11-2015),
I DECLARE:
That the Master's Thesis submitted for evaluation is original and my own work. All sources used have been duly cited. Likewise, I declare that it does not breach any confidentiality agreement, nor does it violate any intellectual or industrial property right.
Murcia, 26 May 2025
Signed: Pedro Ruzafa Alcázar
Author of the TFM
Abstract
The proliferation of connected devices and the widespread adoption of Internet of Things (IoT) technologies have introduced a paradigm shift in how networks, systems, and physical infrastructures operate. From smart homes and industrial automation to critical infrastructures such as energy and healthcare, IoT devices now form the backbone of cyber-physical systems. However, their explosive growth has brought significant challenges in terms of lifecycle security, particularly during the onboarding and post-deployment phases. These stages are critical: onboarding is the point at which trust must be established, while lifecycle security ensures that devices behave according to defined policies and remain protected against evolving threats.
In traditional IoT deployments, onboarding typically requires manual procedures such as scanning QR codes, entering pre-shared keys, or configuring access credentials manually through web interfaces or vendor-specific platforms. These approaches are inherently insecure and unscalable. They introduce operational friction and are highly prone to misconfiguration, especially in environments where large numbers of devices must be deployed quickly. Moreover, these methods lack interoperability and often lead to vendor lock-in, limiting the flexibility and long-term sustainability of IoT solutions.
Beyond the initial deployment, the absence of standardized post-onboarding policy enforcement mechanisms has proven to be a significant weakness. Devices are frequently deployed with default or loosely configured access rules, leaving them vulnerable to abuse, misrouting, or unintended lateral movement within networks. Existing access control solutions are either too generic, failing to consider the specific behavior profile of each device, or too complex to deploy at scale, especially in constrained environments with limited computational or administrative resources.
To address these challenges, this work presents an integrated and standards-based security framework for connected devices, combining secure onboarding, automatic policy enforcement, and dynamic threat mitigation. The architecture is composed of three core components:
• FIDO Device Onboard (FDO) [1]: A protocol developed by the FIDO Alliance to enable secure, zero-touch onboarding of devices. FDO uses asymmetric cryptography, ownership vouchers, and a rendezvous-based architecture to securely transfer device ownership at deployment time without requiring prior trust relationships or manual configuration.
• Manufacturer Usage Description (MUD) [2][3]: A framework standardized by the IETF in RFC 8520, which allows device manufacturers to publish a formal description of the intended network behavior of their devices. MUD policies are expressed in a structured format and can be retrieved and enforced automatically by network managers, enabling fine-grained access control tailored to each device type.
• Threat MUD [2]: An extension proposed and implemented in this work that enables dynamic security policy updates in response to new vulnerabilities or threats. Threat MUD files describe additional restrictions or changes that must be applied to devices affected by a specific threat, and are distributed through Cyber Threat Intelligence (CTI) integration.
This architecture creates a unified lifecycle security model that begins with secure onboarding (FDO), transitions into policy enforcement (MUD), and evolves into threat-responsive behavior (Threat MUD). By integrating these components, devices are not only onboarded securely but also governed automatically according to predefined policies, and protected dynamically as new security challenges arise.
To validate the proposal, a complete prototype was implemented using open-source tools and technologies. The onboarding workflow was developed using the official pri-fidoiot implementation maintained by the FIDO Alliance. The MUD and Threat MUD components were developed in Python, using REST interfaces to emulate real-world interactions with policy managers and network enforcers. A containerized testbed was created using Docker, replicating all the roles in the architecture: device emulator, manufacturer, rendezvous server, owner server, MUD file server, policy manager, and enforcement layer. This modular design enabled precise measurements and repeatable experiments.
Multiple metrics were evaluated to assess the integration, automation, and responsiveness of the proposed lifecycle security framework. The aim was not to evaluate enforcement scalability or rule processing complexity, but rather to validate the correctness and efficiency of integrating FDO, MUD, and Threat MUD into a cohesive and automated workflow:
• Onboarding time: This metric captures the duration from the start of the FDO process (TO1) until ownership is transferred and the MUD URL is extracted and forwarded to the MUD Manager. Results consistently showed that onboarding was completed in under 600 milliseconds. This confirms that extending the FDO flow to include metadata exchange with the MUD infrastructure introduces negligible overhead, making it suitable even for constrained environments or large-scale provisioning scenarios.
• Policy retrieval and coordination latency: Once the MUD URL is forwarded, the system retrieves the MUD file, validates its digital signature, and triggers automated translation and dispatch to the orchestrator. While the enforcement phase involves applying basic rule sets (only two rules per MUD file in this work), the pipeline itself, particularly the automated handoff between services, was validated to complete in approximately 374 milliseconds. This highlights the seamless orchestration and integration rather than the performance of bulk policy application.
• Threat response time: The Threat MUD mechanism demonstrated that upon reception of a threat alert (in the form of a Threat ID), the system could retrieve, validate, and propagate updated mitigation rules to the enforcement layer in less than 100 milliseconds. While the rule complexity remained minimal, the emphasis here is on validating the reactive capability of the architecture and its ability to incorporate dynamic security updates without human intervention.
These results confirm that the full lifecycle, from onboarding to behavior definition and dynamic threat reaction, can be orchestrated in an automated and timely manner. The architecture proves its viability as a standards-based, regulation-ready framework capable of securing IoT devices from deployment through operational life, with integration as the primary enabler.
Additionally, the implementation was benchmarked against alternative solutions including manual provisioning, TPM-based onboarding, Wi-Fi Easy Connect (DPP) [4], and proprietary cloud-based IoT platforms. These comparisons revealed that the proposed architecture not only achieves comparable or superior security guarantees but also excels in terms of automation, standards compliance, and lifecycle coverage.
Beyond performance, the design philosophy emphasizes interoperability and future extensibility. All components are loosely coupled, communicate over open protocols, and rely on established standards such as RFC 8520 (MUD) [3] and the FDO protocol specification [1]. This ensures compatibility with existing network infrastructure and opens the door to further integration with Software-Defined Networking (SDN), threat feeds such as MISP, and compliance automation platforms.
In the context of upcoming regulatory requirements, particularly the European Union's Cyber Resilience Act (CRA) [5], this work provides a concrete foundation for secure-by-design and secure-by-default principles. By making onboarding cryptographically verifiable, enforcing behavior constraints based on manufacturer intent, and enabling proactive response to emerging threats, the architecture supports traceable and auditable device security from the point of manufacture to runtime operation.
The proposed model also highlights an architectural shift in how IoT security should be approached: rather than relying solely on reactive measures (e.g., patching, firmware updates), the emphasis is placed on proactive control, formal behavior descriptions, and dynamic adaptation at the network level. This paradigm is not only more scalable but also more suitable for constrained environments where device software cannot always be updated or trusted.
To conclude, this thesis contributes a functional, reproducible, and standards-based framework for secure onboarding and lifecycle security in connected devices. It combines current technologies, aligns with regulatory expectations, and demonstrates significant improvements in automation, performance, and resilience compared to traditional methods. The results and lessons learned from this work provide a strong foundation for future research in IoT security orchestration, as well as for practical implementations in industry, smart environments, and critical infrastructure protection.
Listings
4.1 Launching pri-fidoiot with Docker Compose 22
4.2 Sample MUD file 24
4.3 Example MUD rule in JSON format 26
4.4 Translated iptables rule 27
1 Introduction
The exponential growth of connected devices and the proliferation of the Internet of Things (IoT) are transforming industries, homes, and critical infrastructures. These devices are increasingly deployed in environments with limited physical or administrative control, making them attractive targets for cyber threats. Despite advances in hardware and cloud platforms, fundamental aspects of device onboarding, configuration, and lifecycle security remain weakly standardized, often relying on manual processes, vendor-specific logic, or static credentials.
In this context, it is important to distinguish between two closely related concepts:
Onboarding refers to the initial process through which a device is securely introduced into an IoT environment. This involves establishing trust, exchanging credentials, and ensuring that the device can communicate securely with its intended owner or management infrastructure. Traditionally, onboarding required manual configuration, including the provisioning of pre-shared keys or certificates, which often resulted in weak security guarantees and poor scalability.
Bootstrapping, on the other hand, can be seen as a broader and more continuous process. While onboarding is usually a one-time action, bootstrapping encompasses not only the initial authentication but also the automated configuration and secure policy enforcement that follow. It ensures that once the device is authenticated, it is also correctly integrated into the network's access control and management architecture. In this sense, secure bootstrapping covers both the establishment of trust and the application of constraints and policies that define what a device is allowed to do.
This situation introduces considerable challenges for operators, manufacturers, and regulators. From a security perspective, improper onboarding can lead to unauthorized access, rogue devices, and lateral movement within networks. From an operational standpoint, the lack of automation increases deployment time and cost. Furthermore, most IoT devices are constrained in computational and memory resources, making it difficult to embed traditional endpoint protection mechanisms. Therefore, security must be introduced at the network and architectural level from the moment a device is first introduced into a system. This work is particularly relevant in the context of increasing regulatory demands for IoT security, including the European Union's Cyber Resilience Act (CRA), which mandates secure development, deployment, and maintenance of connected products.
To address these issues, this work explores the integration of three complementary technologies:
• FIDO Device Onboard (FDO) [6][1]: A secure and standardized protocol for zero-touch onboarding of IoT devices, enabling ownership transfer with minimal configuration or prior trust between device and operator.
• Manufacturer Usage Description (MUD) [3]: A network-layer policy framework allowing manufacturers to define and publish the intended communication behavior of their devices, enabling automated access control enforcement after onboarding.
• Threat MUD [2]: An extension of the MUD framework that allows dynamic updates to access policies in response to detected vulnerabilities or threats, closing the loop between cyber threat intelligence and network-level mitigation.
This work is motivated by the need to address three critical security gaps that persist in IoT deployments: the absence of a standardized, secure, and automated onboarding mechanism; the lack of device-specific policy enforcement immediately after deployment; and the inability to dynamically mitigate vulnerabilities as they are discovered during the device's operational lifetime. The proposed solution addresses these challenges by combining secure onboarding through FDO, access control enforcement based on manufacturer-declared behavior via MUD, and dynamic, threat-driven mitigation using Threat MUD. This integrated architecture enables device security that is not only automated and scalable, but also adaptive and resilient, essential attributes in increasingly interconnected and risk-prone IoT environments.
By adopting standard protocols and focusing on automation and lifecycle resilience, this thesis aims to contribute a practical and scalable solution to one of the most pressing security challenges in modern connected environments.
The primary goal of this work is to design, implement, and evaluate a modular architecture that enables secure onboarding and lifecycle-aware security for IoT devices, integrating FDO, MUD, and Threat MUD mechanisms.
This main objective addresses the need for automation, scalability, and dynamic policy adaptation in the context of increasingly connected environments, where manual provisioning and static configurations are no longer sufficient.
To achieve this, the following specific objectives have been defined:
1. Analyze the limitations of traditional onboarding and policy enforcement mechanisms in IoT environments, and identify key gaps in automation, standardization, and threat response.
2. Integrate the FDO protocol into a testbed to demonstrate secure and zero-touch onboarding, including the delivery of metadata such as MUD URLs.
3. Implement an automatic policy enforcement system using MUD, capable of retrieving, validating, and translating MUD files into enforceable access control rules at the network layer.
4. Extend the MUD framework with Threat MUD capabilities, allowing for the dynamic update of policies in response to emerging vulnerabilities through a simulated cyber threat intelligence (CTI) channel.
5. Develop a functional and reproducible test environment, using containerized components that simulate all relevant roles (manufacturer, rendezvous, owner, enforcer).
6. Evaluate the performance and responsiveness of the architecture, measuring onboarding latency, rule translation overhead, and threat mitigation time, and comparing these to traditional approaches.
7. Demonstrate the feasibility of the architecture under real-world conditions, emphasizing automation, standards compliance, and alignment with current regulatory initiatives such as the EU Cyber Resilience Act (CRA).
These objectives guide the development and validation of a cohesive, standards-based approach to secure onboarding and lifecycle protection for IoT, with a focus on automation, policy accuracy, and adaptive threat mitigation.
This work has been developed within the scope of the European research project DOSS (Secure-by-Design IoT Operation with Supply Chain Control), which aims to enhance the security and trustworthiness of IoT ecosystems by integrating secure-by-design principles across the entire device lifecycle, from manufacturing to operation and decommissioning. The contribution of this thesis directly aligns with the objectives of DOSS by addressing secure onboarding through FDO, behavior-based access control via MUD, and dynamic threat mitigation using Threat MUD. The integration and evaluation of these mechanisms in a unified architecture demonstrate a practical approach to automating device provisioning and policy enforcement. Moreover, the work serves as a foundational implementation to support future demonstrations and validations within DOSS, particularly in environments where supply chain integrity and lifecycle policy automation are critical.
This report is organized into an abstract, a summary, and six chapters. Chapter 1 introduces the context of the Internet of Things security landscape, highlighting the motivation and objectives of this work. Chapter 2 reviews the state of the art, exploring existing solutions for secure onboarding, access control, and dynamic threat mitigation, with a focus on standards such as FDO and MUD and on recent proposals related to Threat MUD. Chapter 3 presents the analysis of the problem and the specific goals to be achieved, along with the methodology used to design and validate the proposed architecture. Chapter 4 describes the system design and implementation in detail, including the integration of open-source components, the communication flow between modules, and the testbed configuration. Chapter 5 reports the experimental results, providing quantitative evaluations of onboarding latency, policy enforcement time, and mitigation effectiveness, as well as comparisons with traditional approaches. Finally, Chapter 6 concludes the work, summarizing the key contributions and outlining future lines of research and possible improvements to the proposed framework.
2 State of the art
As the number of connected devices continues to grow, establishing secure, scalable, and automated initialization processes has become a cornerstone of IoT security. Two key concepts emerge in this context: onboarding and bootstrapping. Although they are closely related, each addresses a different phase in the secure integration of devices into a networked ecosystem.
This section reviews the state of the art in secure onboarding and lifecycle security for IoT systems, focusing on the technical challenges and emerging standards that address different stages of the device lifecycle. Securely integrating IoT devices into network environments involves complex issues across both the onboarding and post-deployment phases, compounded by heterogeneous device capabilities, constrained resources, the absence of unified standards, and evolving cyber threats. Before detailing concrete solutions, it is essential to understand the risks and limitations that compromise security at these stages. Two particularly promising approaches are examined: the FDO protocol, which automates and secures the onboarding process through cryptographic ownership transfer, and the MUD framework, which supports post-onboarding access control and adaptive policy enforcement. Together, these technologies form a foundation for scalable, standards-based, and threat-aware IoT security.
2.1 Security Challenges in IoT Onboarding
The onboarding and lifecycle management of IoT devices present multiple security challenges that impact device integrity, data privacy, and network security. Recent research highlights several critical security concerns that must be addressed to ensure the robustness of IoT ecosystems [7, 8, 9].
• Lack of standardized onboarding protocols. The diversity of IoT device manufacturers and the absence of widely accepted onboarding standards result in fragmented security practices. Traditional onboarding approaches often rely on pre-shared keys or manual configurations, making them vulnerable to attacks [7]. Some frameworks, such as the Eclipse Arrowhead project, introduce automated and secure onboarding mechanisms for System of Systems (SoS) environments to mitigate these risks [7].
• Weak authentication mechanisms. Many IoT devices employ inadequate authentication techniques, such as default credentials or weak cryptographic methods, which can be easily exploited. The FDO protocol attempts to address this by introducing Ownership Vouchers and cryptographic attestation, but concerns remain regarding its reliance on classical elliptic curves (SECP256r1/SECP384r1), which offer no post-quantum security, and on centralized trust models [8].
• Supply chain vulnerabilities. A major challenge in IoT onboarding is the risk of compromise at different points in the supply chain. Trust delegation from manufacturers to distributors and retailers introduces multiple attack vectors, including malicious tampering or key exposure. The ASOP protocol proposes an alternative that applies zero-trust principles and post-quantum cryptography (CRYSTALS-Kyber) to mitigate these risks [8].
• Insecure communication channels. Many IoT devices operate over insecure or poorly configured communication protocols, exposing them to man-in-the-middle attacks and eavesdropping. Research highlights the importance of mutual authentication and encryption during onboarding, particularly in industrial environments where compromised communication can have severe operational consequences [7].
• Scalability issues in secure device management. As IoT networks expand, managing security at scale becomes increasingly complex. The heterogeneity of devices, each with unique security requirements, makes centralized management difficult. Studies suggest that a service-oriented architecture (SOA)-based approach, such as the Eclipse Arrowhead framework, can improve scalability and interoperability while maintaining strong security postures [7].
• Lifecycle management and secure decommissioning. IoT security must extend beyond the onboarding phase to include secure lifecycle management and decommissioning. Improperly decommissioned devices may still retain sensitive credentials or configuration data, posing persistent security risks. Automated onboarding procedures should incorporate certificate revocation mechanisms and secure key disposal to prevent unauthorized access post-deployment [7].
Recent research in secure onboarding protocols, such as ASOP and FDO, aims to mitigate these challenges, but concerns remain regarding centralized trust, supply chain security, and cryptographic robustness [7, 8]. The integration of post-quantum cryptography and decentralized trust models presents a promising direction for future work.
Furthermore, ensuring the secure deployment of IoT devices in real-world environments requires continuous policy enforcement and dynamic response mechanisms. Secure deployment implies that once a device is authenticated and integrated into the network, its behavior remains constrained to a defined set of legitimate operations. This is especially relevant in contexts where unauthorized communication or unexpected behavior could pose significant risks to operational continuity or data confidentiality. The MUD framework emerges as a foundational tool in this space, enabling the automatic enforcement of access control policies based on manufacturer-provided specifications.
In parallel, the growing regulatory landscape in Europe, particularly with the upcoming CRA, is reinforcing the need for built-in security mechanisms across the entire device lifecycle. The CRA introduces binding obligations for manufacturers to provide secure-by-design products, enforce strict access control policies, and ensure continued vulnerability management post-deployment. These regulatory pressures underscore the importance of integrating solutions like FDO and MUD, not only from a technical perspective but also as part of compliance and risk management strategies. This broader context serves as a key motivation for the current research, which explores how the combination of secure onboarding and policy enforcement can meet both security and regulatory expectations in IoT deployments.
2.2 Overview of the FIDO Device Onboard (FDO) Protocol
The FIDO Device Onboard (FDO) protocol [6] is a security framework designed to simplify and strengthen the process of introducing IoT devices into their operational environments. FDO addresses long-standing challenges associated with secure onboarding, particularly those related to manual provisioning, pre-shared secrets, and inflexible manufacturing-to-deployment pipelines. Rather than relying on static credentials embedded during production, FDO allows device credentials and ownership to be assigned during deployment using a principle known as late binding [1].
At the core of FDO is a cryptographic mechanism based on ownership vouchers. These digitally signed tokens are issued by the manufacturer and passed down through the supply chain, enabling the final device owner to assert control securely and verifiably. The device, upon boot, contacts a rendezvous server whose address is included in the voucher metadata. This rendezvous server serves as an intermediary, redirecting the device to the appropriate owner service without requiring pre-established configuration. Ownership is then transferred through a sequence of authenticated exchanges that include cryptographic key negotiation, attestation, and encrypted delivery of provisioning data.
Figure 2.1: FDO Onboarding Process Sequence Diagram
As shown in Figure 2.1, FDO incorporates multiple ownership transfer protocols, each serving a specific function in securely transitioning a device from manufacturer to owner:
• Device Initialize Protocol (DI): Establishes initial device credentials during manufacturing.
• Transfer Ownership Protocol 0 (TO0): Registers the device owner with a Rendezvous Server.
governing how these files should be created or what trust anchors should be used to verify their authenticity. This creates potential risks in environments where malicious or incorrect threat policies could be injected into the network infrastructure.
In addition, the enforcement of dynamically updated policies requires a reliable and secure communication channel between CTI platforms, MUD managers, and enforcement points. Any compromise or misconfiguration along this chain could result in delays, incorrect policy application, or even denial of service due to overly aggressive policy blocking. Furthermore, the effectiveness of Threat MUD relies heavily on timely intelligence and manufacturer support. If vendors fail to publish Threat MUD updates for known vulnerabilities, affected devices may remain exposed even in well-managed networks.
Another limitation is operational: frequent or aggressive policy updates could introduce instability in large-scale deployments, particularly if updates are not properly validated or tested. Network administrators must also manage potential conflicts between existing MUD rules and new threat-based directives, ensuring that the overall policy set remains coherent and does not inadvertently block legitimate services.
In summary, Threat MUD represents a promising evolution of the MUD framework, adding essential capabilities for dynamic threat mitigation. However, to realize its full potential, future work is needed to address standardization gaps, ensure trustworthy update mechanisms, and provide integration guidelines that minimize operational risk while maximizing security responsiveness.
Despite these challenges, Threat MUD represents a major advancement in IoT security, providing an automated, intelligence-driven approach to mitigating device vulnerabilities.
3 Ta ge s analysis and me hodology
3.1 Ta ge s analysis
The analysis ocuses on e alua ing he secu i y and ope a ional e ec i eness o in eg a ing
FIDO De ice Onboa d (FDO) o secu e onboa ding and Manu ac u e Usage Desc ip ion
(MUD) o li ecycle secu i y. The s udy aims o assess ulne abili ies, limi a ions, and po en-
ial imp o emen s in secu e de ice p o isioning, policy en o cemen , and li ecycle p o ec ion.
Technical Scope
The scope o he analysis includes i e main componen s:
1. The FIDO FDO onboa ding p ocess, using he official p i- idoio implemen a ion.
2. A cus om Py hon-based MUD amewo k o en o cing access con ol policies.
3. Th ea MUD ex ensions o dynamic secu i y upda es based on eal- ime h ea in el-
ligence.
4. In eg a ion o bo h sys ems in a es bed o simula ed IoT de ices.
5. Secu i y e alua ion h oughou he de ice’s li ecycle, om onboa ding o policy adap-
a ion.
Each o hese componen s is examined indi idually and in combina ion, wi h a pa icula
ocus on in e ope abili y, scalabili y, and esilience o a acks.
Onboa ding Secu i y Assessmen
A co e objec i e o his s udy is o analyze he secu i y o he onboa ding p ocess using FIDO
FDO. The FDO p o ocol aims o emo e adi ional onboa ding weaknesses by in oducing
c yp og aphic owne ship delega ion. Ins ead o con igu ing a de ice du ing manu ac u ing
wi h s a ic c eden ials o p ede ined cloud endpoin s, FDO allows owne ship o be assigned
la e , du ing deploymen . This concep , known as ”la e binding”, educes isks in he supply
chain and simpli ies de ice in eg a ion in a ied en i onmen s.
Secu i y in FDO is es ablished h ough a sequence o owne ship ans e p o ocols (TO0,
TO1, TO2), e i ied by digi al signa u es and ce i ica es. The analysis in his wo k e alua es
he esis ance o his p ocess o common a acks such as impe sona ion, man-in- he-middle,
and eplay. Pa icula a en ion is gi en o he use o owne ship ouche s and he us
assump ions placed on he endez ous se e .
The ollowing aspec s will be e alua ed:
16 Ta ge s analysis and me hodology
• Resis ance o man-in- he-middle (Mi M) a acks du ing owne ship ans e .
• S eng h o c yp og aphic mechanisms, including ellip ic cu e-based au hen ica-
ion and owne ship ouche e i ica ion.
• Po en ial eplay a ack scena ios exploi ing unsecu ed owne ship handshakes.
• The e ec i eness o endez ous se e au hen ica ion and edi ec ion mecha-
nisms.
Li ecycle Secu i y and MUD Policy En o cemen
Beyond onboa ding, he s udy assesses he abili y o MUD o en o ce secu i y h oughou
he de ice li ecycle. Key aspec s include:
• Abili y o es ic unau ho ized ne wo k access h ough p ede ined MUD policies.
• E ec i eness o dynamic policy upda es ia Th ea MUD o mi iga e new ulne a-
bili ies.
• Scalabili y o policy en o cemen ac oss mul iple de ices in an en e p ise o indus ial
IoT en i onmen .
In eg a ion Challenges and Limi a ions
The esea ch also iden i ies challenges in in eg a ing FDO wi h MUD, including:
•In e ope abili y issues: Di e ences in how FDO and MUD de ine secu i y policies
and en o ce access con ol.
•La ency conce ns: The impac o onboa ding and policy e ie al on de ice ac i a ion
ime.
•Policy con lic s: Po en ial inconsis encies be ween p ede ined MUD ules and dy-
namic Th ea MUD upda es.
3.2 Me hodology
This sec ion p esen s he esea ch me hodology used o analyze he in eg a ion o FIDO
De ice Onboa d (FDO) o secu e onboa ding and Manu ac u e Usage Desc ip ion (MUD)
o li ecycle secu i y. The objec i e is o e alua e he secu i y and ope a ional e ec i eness
o combining hese amewo ks, add essing hei s eng hs and limi a ions.
3.2.1 Resea ch App oach
The s udy ollows an expe imen al esea ch app oach, ocusing on:
• Implemen ing FIDO De ice Onboa d (FDO) o secu e onboa ding using he open-
sou ce eposi o y p i- idoio p o ided by he FIDO Alliance [6].
3.2. Me hodology 17
• Developing a custom Python-based MUD framework, which will be responsible for defining and enforcing security policies post-onboarding.
• Conducting security evaluations to identify vulnerabilities and analyze the integration challenges of FDO and MUD.
3.2.2 Evaluation Metrics
To assess the security and performance of the integration, the following evaluation metrics will be used:
• Onboarding security. Evaluating the strength of FDO's authentication mechanisms, including ownership vouchers and cryptographic binding.
• Bootstrapping time. Measuring the time required for device registration and ownership transfer.
• Policy enforcement effectiveness. Testing the ability of the MUD implementation to restrict unauthorized network activity.
• Scalability. Assessing how well the integrated system handles multiple simultaneous device onboardings and policy applications.
• Lifecycle security. Analyzing the ability of MUD to enforce security updates, network restrictions, and policy adjustments dynamically.
3.2.3 Experimental Setup
The experiments will be conducted in a controlled testbed to evaluate the secure onboarding and lifecycle security mechanisms.
Testbed Environment
The experimental setup consists of:
• IoT devices. Simulated IoT endpoints representing constrained devices, deployed in a sandboxed environment.
• FIDO FDO Server. A deployment of the pri-fidoiot implementation, acting as the onboarding infrastructure.
• Rendezvous Server. A component used by FDO to establish device ownership transfers securely.
• MUD Manager (Custom Implementation). A Python-based MUD server responsible for retrieving and enforcing MUD policies.
• MUD Policy Storage. A database maintaining predefined and dynamically updated MUD policies.
• Threat MUD Integration. An extension that enables dynamic policy updates in response to new vulnerabilities.
Onboarding and Security Policy Enforcement Workflow
The workflow for integrating FIDO FDO and MUD-based lifecycle security consists of the following steps:
1. The IoT device initiates onboarding using FIDO FDO, contacting the Rendezvous Server to retrieve ownership credentials.
2. The device establishes trust with the FDO Server, and ownership transfer is completed.
3. Upon successful onboarding, the FDO Server provides the device MUD URL to the MUD Manager, which retrieves its security policy.
4. The MUD Enforcer applies access control rules based on the policy, restricting network interactions.
5. If a security threat is detected, a Threat MUD File is generated and distributed dynamically via the MUD Manager.
6. The updated MUD policy is enforced, ensuring continuous lifecycle security.
Security and Performance Testing
Security evaluations will include:
• Evaluating the effectiveness of MUD in preventing unauthorized communications.
• Measuring the impact of Threat MUD updates on security enforcement and device response times.
• Probing the effectiveness of the integrated FDO and MUD workflow.
3.2.4 Expected Contributions
The integration of FIDO FDO and MUD aims to establish a secure, automated, and adaptive IoT security framework. This research will:
• Demonstrate the feasibility of combining onboarding and policy enforcement for improved IoT security.
• Identify the strengths and limitations of FDO and MUD in real-world deployment scenarios.
• Provide insights into enhancing MUD with dynamic threat response capabilities.
4 Design and Implementation
This section presents the full technical implementation of the secure onboarding and lifecycle policy enforcement system proposed in this work. Building on the foundations explored in previous sections—specifically the onboarding mechanisms offered by FDO and the behavioral policy enforcement of MUD—this section details how both are integrated into a coherent and operational security framework. The implementation connects all phases of the device lifecycle, from manufacturing to deployment, onboarding, and continuous policy governance.
4.1 System Architecture Overview
Figure 4.1: Complete Architectural flow of FDO, MUD and Threat MUD
The complete system implementation is structured around two sequential and complementary phases: the secure onboarding and static policy enforcement phase using FDO and MUD, and the dynamic policy update phase enabled by Threat MUD. These phases cover the full security lifecycle of an IoT device, from the initial moment it is deployed and trusted, to its ongoing protection against emerging threats. Figure 4.1 illustrates the full architecture and the division between onboarding and adaptive security operations.
4.1.1 Phase 1: Secure Onboarding and Policy Enforcement (FDO + MUD)
The first phase begins with the manufacturer provisioning the device during the FDO DI stage. This includes embedding cryptographic credentials and a reference to a rendezvous server. Additionally, the manufacturer hosts the MUD file describing the device's expected communication behavior on a dedicated MUD File Server.
Once the device is deployed, it initiates onboarding by contacting the Rendezvous Server (FDO TO1). Meanwhile, the operator or owner registers its ownership intent and corresponding Owner Server endpoint during FDO TO0. The rendezvous phase completes with the device obtaining the Owner Server's IP, initiating the secure ownership transfer protocol (FDO TO2), which involves mutual authentication and provisioning of deployment-specific metadata.
After successful onboarding, the Owner Server sends the MUD URL associated with the device to the MUD Manager. The MUD Manager is responsible for retrieving the MUD file and verifying its digital signature to ensure its authenticity. Upon validation, the policy is parsed and translated into enforceable network rules, which are applied by the Domain Orchestrator. This step ensures that the device is only permitted to communicate in accordance with its declared behavior, as defined by the manufacturer.
4.1.2 Phase 2: Threat MUD and Dynamic Policy Response
While MUD provides a static and manufacturer-defined policy baseline, real-world security demands require the ability to update these policies in response to evolving threats. The second phase introduces the Threat MUD mechanism, which enables the injection of dynamic policies when vulnerabilities are discovered after deployment.
When a new threat is identified—either by the manufacturer or an external threat intelligence source—the information is first processed through a CTI platform such as MISP. The manufacturer then generates a Threat MUD file containing updated access control rules or mitigation actions, such as blocking known malicious domains or enforcing protocol restrictions. This file is published on a Threat MUD File Server along with a digital signature.
The Threat MUD Manager, operating within the owner domain, receives the threat event (step 2) and retrieves the Threat MUD file and its signature from the manufacturer (step 4). Once the signature is validated (step 5), the policy is forwarded to the Threat MUD Enforcer (step 6), which applies the updated rules within the network infrastructure.
As in the MUD case, the Threat MUD file is also converted into an actionable policy and shared with the Domain Orchestrator to ensure consistent policy interpretation across domains and systems (step 7). This integration allows the system to adapt dynamically to new risks without requiring manual reconfiguration, preserving automation and minimizing reaction time.
Together, these two phases offer a layered and resilient security model. FDO provides strong trust anchors for initial onboarding, MUD enforces manufacturer-declared behavior, and Threat MUD introduces reactivity and adaptability—forming a continuous security chain that protects the device throughout its lifecycle.
4.2 FDO Implementation – Secure Onboarding
The foundation of this architecture is built upon the FDO protocol, which provides a standardized and secure method for zero-touch onboarding of IoT devices. The goal of the onboarding phase is to securely transfer ownership of a device from the manufacturer to the operator, while embedding critical information needed for subsequent security enforcement—such as the MUD URL.
Figure 4.2 illustrates the main stages of this onboarding process. It begins during the Device Initialization (DI) phase, where the manufacturer provisions the device with cryptographic credentials, a reference to the rendezvous server, and—in this implementation—a preconfigured MUD URL. By embedding the MUD URL at this stage, the device can later inform the owner about its intended network behavior in an automated and verifiable way.
Once deployed, the device connects to the rendezvous server to begin the ownership transfer process. This involves FDO TO1, during which the device identifies itself and requests the endpoint of its designated Owner Server. In parallel, the operator has already registered with the rendezvous server via FDO TO0, declaring its willingness to assume ownership of the specific device.
In the final step of the onboarding process (FDO TO2), the device and Owner Server establish mutual trust through cryptographic exchanges. During this stage, the ownership voucher is validated and the device receives deployment-specific instructions. Crucially, the Owner Server also receives the MUD URL that was injected during the DI phase. This ensures that, immediately after onboarding, the owner can fetch the corresponding MUD file and enforce behavioral constraints without requiring manual intervention or additional device-side configuration.
This design leverages the modularity of FDO to not only automate secure onboarding but also serve as a transport channel for conveying post-deployment security metadata—such as the MUD reference. By integrating this information early in the lifecycle, the transition from onboarding to policy enforcement becomes seamless and robust.
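The DI → TO0 → TO1 → TO2 hand-off described above, reduced to a runnable model. This is an added example written for this page; it is not pri-fidoiot and not the thesis's code, and it omits all cryptography: vouchers, keys, addresses and the rendezvous record are plain strings, and the `mud:url` service-info key is an assumption. What it keeps is the control flow that matters for delivering the MUD URL: a TO0 registration that expires after its wait time, a TO1 lookup by GUID, and a TO2 step in which the owner refuses a device the voucher does not cover (wrong GUID, or a voucher chain that does not end at this owner's key) before forwarding the device-supplied MUD URL to the MUD Manager.

```python
"""Simplified FDO flow (DI -> TO0 -> TO1 -> TO2) showing how a MUD URL provisioned
at DI reaches the owner domain. Illustrative model for this page: not pri-fidoiot,
no cryptography; vouchers, keys and addresses are plain strings (assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DeviceCredential:
    """What DI leaves on the device (constructed; a real credential is CBOR/COSE)."""
    guid: str
    rendezvous: str
    mud_url: str  # thesis extension: MUD URL injected by the manufacturer at DI


@dataclass
class OwnershipVoucher:
    """Only the two facts TO2 checks here: which device, and whose key ends the chain."""
    guid: str
    owner_key: str


class RendezvousServer:
    def __init__(self) -> None:
        self._to1d: Dict[str, Tuple[str, float]] = {}  # guid -> (owner address, expiry)

    def to0(self, voucher: OwnershipVoucher, owner_addr: str, wait_seconds: float, now: float) -> float:
        """TO0: the owner declares where the device should connect; the entry expires."""
        self._to1d[voucher.guid] = (owner_addr, now + wait_seconds)
        return wait_seconds

    def to1(self, guid: str, now: float) -> Optional[str]:
        """TO1: the device asks for its owner; None means unknown or expired (retry later)."""
        entry = self._to1d.get(guid)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


class OwnerServer:
    def __init__(self, key: str, voucher: OwnershipVoucher) -> None:
        self.key, self.voucher = key, voucher
        self.mud_manager_inbox: List[dict] = []  # stand-in for the POST to the MUD Manager

    def to2(self, cred: DeviceCredential, service_info: Dict[str, str]) -> dict:
        """TO2: refuse devices the voucher does not cover, then hand the MUD URL on."""
        if cred.guid != self.voucher.guid:
            raise PermissionError("voucher GUID does not match the device")
        if self.voucher.owner_key != self.key:
            raise PermissionError("voucher chain does not end at this owner's key")
        mud_url = service_info.get("mud:url")  # assumed service-info key name
        if not mud_url:
            raise ValueError("device sent no MUD URL in service info")
        self.mud_manager_inbox.append({"guid": cred.guid, "mud_url": mud_url})
        return {"onboarded": True, "guid": cred.guid}


def onboard(cred: DeviceCredential, rv: RendezvousServer,
            owners: Dict[str, OwnerServer], now: float) -> dict:
    """Device side: TO1 to find the owner, then TO2 carrying the MUD URL from DI."""
    owner_addr = rv.to1(cred.guid, now)
    if owner_addr is None:
        return {"onboarded": False, "reason": "no valid TO0 registration for this GUID"}
    return owners[owner_addr].to2(cred, {"mud:url": cred.mud_url})


def demo() -> dict:
    """Constructed scenario: DI, TO0 with a 60 s wait, then TO1/TO2 at t=10 and again at t=100."""
    cred = DeviceCredential("guid-0001", "rv.example.test", "https://mud.example.test/sensor.json")
    voucher = OwnershipVoucher("guid-0001", "owner-key-A")
    rv = RendezvousServer()
    owner = OwnerServer("owner-key-A", voucher)
    rv.to0(voucher, "owner.example.test", wait_seconds=60, now=0)
    first = onboard(cred, rv, {"owner.example.test": owner}, now=10)
    late = onboard(cred, rv, {"owner.example.test": owner}, now=100)
    return {"first": first, "late": late, "inbox": owner.mud_manager_inbox}
```

The second `onboard` call in `demo` lands after the TO0 entry has expired and is refused; in the real protocol the device would keep retrying TO1, which is why an owner that registers late, or for too short a wait, is a common cause of devices that never finish onboarding.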
Figure 4.2: FDO onboarding flow with MUD URL delivery during ownership transfer
Reference Implementation: pri-fidoiot
To realize the onboarding workflow described above, the open-source reference implementation of FDO provided by the FIDO Alliance was used¹.
¹ https://github.com/fido-device-onboard/pri-fidoiot
The services were launched using the official docker-compose.yml provided in the repository. Configuration files were customized to inject the MUD URL into the device metadata during DI. Additionally, cryptographic keys were pre-generated using the tools bundled in the project, and the ownership vouchers were signed with the Manufacturer's key and stored in the appropriate registry for retrieval during the onboarding session.
A minimal reproducible setup was defined with the following commands:
Listing 4.1: Launching pri-fidoiot with Docker Compose
git clone https://github.com/fido-device-onboard/pri-fidoiot.git
cd pri-fidoiot/pri-fidoiot/component-samples/demo/aio
docker compose up --build -d   # all-in-one stack (manufacturer, rendezvous, owner) in the background, so the shell is free for the next step
cd ../device                   # the device demo is a sibling of aio/; repeating the full path from inside aio/ would fail
docker compose up --build
These commands initialize the full onboarding stack: Manufacturer, Rendezvous, Owner, and Device services. Once running, the simulated device initiates onboarding, and the MUD URL is transmitted as part of the TO2 payload. The Owner Server then passes this URL to the MUD Manager for policy retrieval and enforcement, as described in the next section.
4.3 MUD Policy Enforcement
Figure 4.3: FDO-based onboarding and MUD policy enforcement flow
Once the device has been successfully onboarded through the FDO protocol and the ownership has been transferred to the operator, the next critical step is to establish runtime control over the device's network behavior. This is achieved through the MUD framework, which enables the automatic retrieval and enforcement of security policies defined by the manufacturer. These policies constrain the device's network activity to what is strictly necessary for its legitimate operation.
The MUD integration begins at the end of the FDO TO2 phase, when the Owner Server receives the MUD URL associated with the device. This URL, which was injected during the Device Initialization phase by the manufacturer, points to a JSON-formatted MUD file hosted on a MUD File Server under the manufacturer's control. The Owner Server forwards this URL to the MUD Manager, which is responsible for orchestrating the policy enforcement workflow.
The MUD Manager performs several key functions. First, it retrieves the MUD file and its associated digital signature. Authenticity and integrity are then verified using the manufacturer's public key. This validation step is crucial to prevent malicious actors from substituting or tampering with the policy definitions. Once verified, the MUD file is parsed according to the IETF RFC 8520 schema.
The MUD file contains definitions of allowed communication behaviors. These are typically expressed in terms of permitted protocols, DNS names, and ports. For example, a smart sensor may be permitted to contact only a specific cloud endpoint over HTTPS, while being blocked from accessing local or peer-to-peer services. These policy elements are then translated into actionable policy. This allows the policy to be integrated into a higher-level orchestration framework, referred to here as the Domain Orchestrator. The orchestrator maintains a global view of active device policies and enables auditing, conflict resolution, and lifecycle management at a system-wide level.
In this implementation, a simplified Domain Orchestrator is used to directly generate and apply iptables commands based on the parsed MUD entries. This approach supports rapid prototyping and validation of enforcement logic while maintaining a clear path for integration with more scalable enforcement engines (e.g., via SDN controllers or enterprise firewalls).
The combination of policy validation, rule generation, and centralized orchestration ensures that the device is immediately placed under a set of strict behavioral constraints that reflect the manufacturer's intended operation. This significantly reduces the attack surface of the device and prevents unauthorized or anomalous communications from occurring—even in the event of partial device compromise.
By delegating enforcement to infrastructure-level components and automating the entire retrieval and validation pipeline, the system aligns with the principles of zero-trust networking and least privilege. More importantly, it enables a seamless transition from onboarding to continuous security enforcement, ensuring that device behavior is predictable, auditable, and bounded from the first moment of deployment.
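To make the translation step concrete, here is an added example (written for this page, not the thesis's MUD Manager or Domain Orchestrator). It parses a constructed RFC 8520 MUD file with the same two-rule shape the thesis uses (one outbound ACE, one inbound ACE), turns each ACE into an iptables rule in a per-device chain closed by a default deny, and then produces the Threat MUD overlay described in Section 4.1.2 as rules inserted ahead of the baseline, so a "drop" wins over a previously accepted flow. The device address, chain name, domain names, resolver table, and the assumption that a Threat MUD file reuses the MUD format with a "drop" forwarding action are all constructed for the example; signature verification and the HTTP fetch are assumed to have succeeded before these functions run.

```python
"""Translate RFC 8520 MUD access-control entries into iptables rules and layer a
Threat MUD update on top. Illustrative code for this page, not the thesis's code."""
import json
from typing import Dict, List

DEVICE_IP = "10.20.0.15"   # constructed: address the owner domain assigned to the sensor
CHAIN = "MUD-SENSOR"       # constructed: per-device iptables chain

# Constructed stand-in for the DNS resolution the manager performs on dnsname matches.
RESOLVER = {
    "telemetry.example-manufacturer.test": "198.51.100.20",
    "c2.bad-domain.test": "203.0.113.66",
}
PROTO = {6: "tcp", 17: "udp"}
ACTION = {"accept": "ACCEPT", "drop": "DROP"}


def _ace(name: str, dns_key: str, dnsname: str, port_key: str, port: int, forwarding: str) -> dict:
    """One RFC 8520 ACE (TCP only) for the constructed sample files."""
    return {"name": name,
            "matches": {"ipv4": {dns_key: dnsname, "protocol": 6},
                        "tcp": {port_key: {"operator": "eq", "port": port}}},
            "actions": {"forwarding": forwarding}}


def _mud(from_aces: list, to_aces: list, url: str) -> str:
    """Wrap ACEs in the ietf-mud / ietf-access-control-list envelope and serialise."""
    return json.dumps({
        "ietf-mud:mud": {
            "mud-version": 1, "mud-url": url, "last-update": "2025-05-01T00:00:00+00:00",
            "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev"}]}},
            "to-device-policy": {"access-lists": {"access-list": [{"name": "to-dev"}]}}},
        "ietf-access-control-list:acls": {"acl": [
            {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": from_aces}},
            {"name": "to-dev", "type": "ipv4-acl-type", "aces": {"ace": to_aces}}]}})


# Constructed MUD file: one outbound and one inbound rule, like the two-rule files in the thesis.
MUD_FILE = _mud(
    [_ace("cloud-out", "ietf-acldns:dst-dnsname", "telemetry.example-manufacturer.test",
          "destination-port", 443, "accept")],
    [_ace("cloud-in", "ietf-acldns:src-dnsname", "telemetry.example-manufacturer.test",
          "source-port", 443, "accept")],
    "https://mud.example-manufacturer.test/sensor.json")

# Constructed Threat MUD file (assumption: same format, "drop" actions) blocking a known-bad domain.
THREAT_MUD_FILE = _mud(
    [_ace("block-c2", "ietf-acldns:dst-dnsname", "c2.bad-domain.test", "destination-port", 443, "drop")],
    [], "https://mud.example-manufacturer.test/threat/T-0001.json")

# Constructed malformed file: an ACE without a protocol, to exercise the rejection path.
UNSUPPORTED_MUD_FILE = _mud(
    [{"name": "no-proto",
      "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "telemetry.example-manufacturer.test"}},
      "actions": {"forwarding": "accept"}}],
    [], "https://mud.example-manufacturer.test/bad.json")


def _ace_to_rule(ace: dict, direction: str, device_ip: str, resolver: Dict[str, str], insert: bool) -> str:
    m = ace["matches"]
    proto = PROTO.get(m.get("ipv4", {}).get("protocol"))
    if proto is None:
        raise ValueError(f"ACE {ace['name']}: only TCP/UDP with an explicit protocol is supported")
    # Outbound ACEs name the remote peer as destination; inbound ones name it as source.
    if direction == "out":
        peer_key, dev_flag, peer_flag = "ietf-acldns:dst-dnsname", "-s", "-d"
    else:
        peer_key, dev_flag, peer_flag = "ietf-acldns:src-dnsname", "-d", "-s"
    peer = m["ipv4"].get(peer_key)
    if peer not in resolver:
        raise ValueError(f"ACE {ace['name']}: unresolvable or missing peer name {peer!r}")
    verb = ["-I", CHAIN, "1"] if insert else ["-A", CHAIN]   # insert: Threat MUD rules go first
    parts = ["iptables", *verb, dev_flag, device_ip, peer_flag, resolver[peer], "-p", proto]
    for key, flag in (("destination-port", "--dport"), ("source-port", "--sport")):
        spec = m.get(proto, {}).get(key)
        if spec is not None:
            if spec.get("operator", "eq") != "eq":
                raise ValueError(f"ACE {ace['name']}: only the 'eq' port operator is supported")
            parts += [flag, str(spec["port"])]
    # The ACE name travels as a rule comment so the orchestrator can audit rules back to the file.
    parts += ["-m", "comment", "--comment", ace["name"], "-j", ACTION[ace["actions"]["forwarding"]]]
    return " ".join(parts)


def mud_to_iptables(mud_json: str, device_ip: str, resolver: Dict[str, str], insert: bool = False) -> List[str]:
    """Walk from-device and to-device policies and emit one iptables command per ACE."""
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    if mud.get("mud-version") != 1:
        raise ValueError("unsupported mud-version")
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules: List[str] = []
    for policy, direction in (("from-device-policy", "out"), ("to-device-policy", "in")):
        for ref in mud.get(policy, {}).get("access-lists", {}).get("access-list", []):
            for ace in acls[ref["name"]].get("aces", {}).get("ace", []):
                rules.append(_ace_to_rule(ace, direction, device_ip, resolver, insert))
    return rules


def threat_mud_to_iptables(threat_json: str, device_ip: str, resolver: Dict[str, str]) -> List[str]:
    """Threat MUD rules are inserted at the head of the chain so they override the baseline."""
    return mud_to_iptables(threat_json, device_ip, resolver, insert=True)


def enforcement_plan(mud_json: str, device_ip: str, resolver: Dict[str, str]) -> List[str]:
    """Commands the simplified orchestrator would run right after onboarding."""
    return [f"iptables -N {CHAIN}",
            f"iptables -A FORWARD -s {device_ip} -j {CHAIN}",
            f"iptables -A FORWARD -d {device_ip} -j {CHAIN}",
            *mud_to_iptables(mud_json, device_ip, resolver),
            f"iptables -A {CHAIN} -j DROP"]   # default deny: only declared flows remain
```

The commands are returned as strings rather than executed, so the orchestrator can log them centrally (the auditing role the text assigns to it) and so that unsupported constructs (protocols other than TCP/UDP, port operators other than `eq`, names the resolver cannot map) are rejected before anything touches the firewall. Resolving DNS names once at translation time, as here, is the simplest option but means a manufacturer endpoint that changes address needs a re-translation; the thesis's retrieval-and-apply loop is where that would be triggered.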
4.3.1 Interpreting a MUD File
The MUD file used in this implementation corresponds to a Siemens IoT device model 10294230 and is hosted at the specified URL. This file follows the IETF MUD specification (RFC 8520) [3] and serves as the basis for defining the legitimate communication behavior expected from the device. Unlike in previous architectural versions, the MUD Manager in this implementation no longer acts as the enforcer. The key elements defined in the file are:
• Metadata: The file declares general information such as mud-version, last-update,
metadata—such as the device's MUD URL—is delivered to the owner's domain. This metadata becomes the entry point for the next stage: policy enforcement.
As soon as onboarding is complete, the MUD Manager retrieves the MUD file and applies the manufacturer-defined policies to control the device's network behavior. These rules are enforced immediately, narrowing the attack surface by allowing only the communications explicitly declared as necessary. This aligns the deployment with least privilege and zero-trust principles from the outset.
The architecture then extends beyond initial policy enforcement by incorporating Threat MUD, which enables dynamic response to security events. When a threat affecting a specific device or firmware version is identified, the CTI system triggers the generation and distribution of a Threat MUD file containing updated mitigation actions. The Threat MUD Manager receives the threat notification, retrieves the corresponding file, validates its authenticity, and seamlessly updates the policy enforcement layer. This feedback loop ensures that policy enforcement remains relevant and responsive throughout the device's lifecycle.
The Domain Orchestrator plays a central coordinating role. It collects the policies from both MUD and Threat MUD processes, maintains a unified view of the active rules across all devices, and supports auditing, compliance checking, and conflict resolution. In this way, local enforcement decisions remain autonomous and efficient, while global oversight and traceability are preserved.
Taken together, the architecture supports the secure onboarding and operation of IoT devices under changing threat conditions. Devices are automatically trusted at deployment, governed according to known-good behavior, and protected against emerging threats without requiring firmware updates or user intervention. This continuous security posture provides a scalable and standards-based model for deploying and managing secure-by-design IoT infrastructures.
5 Evaluation
This section presents the evaluation of the proposed lifecycle security architecture, focusing on three main aspects: (1) the security pipeline, which includes onboarding and MUD policy enforcement; (2) the dynamic security response provided by Threat MUD; and (3) the overall end-to-end performance and integration of the entire system. Each aspect is evaluated using real execution times extracted from the implemented testbed, with emphasis on automation, modularity, and latency.
The evaluation is not centered on testing the scalability of enforcement rules in a large environment. Instead, the experiments use minimal but realistic configurations (specifically, configurations representative of constrained IoT devices) to validate the full integration of FDO, MUD, and Threat MUD in a controlled scenario. This allows us to focus on the management of the workflow and the interoperability between components, which is the core contribution of this work.
5.1 Test-bed
To validate the proposed architecture and measure its performance, a dedicated testbed was developed, simulating a realistic but controlled environment in which onboarding, policy enforcement, and threat mitigation operations could be observed and measured.
The testbed includes the full lifecycle security pipeline: the onboarding infrastructure using FDO, the MUD policy enforcement infrastructure, and the dynamic policy update mechanism via Threat MUD. All components were deployed using lightweight containers and executed on a single server to ensure timing consistency and facilitate rapid iteration.
Figure 5.1 illustrates the architecture of the testbed used to validate the integration of FDO and MUD during the device registration process in an organizational IoT environment. The depicted sequence represents the point where devices, having already undergone the DI (Device Initialization) step at the manufacturer's site, are onboarding into the organization's network via the FDO protocol.
Hardware Environment
The experiments were conducted on a Linux workstation with the following characteristics:
• CPU: AMD Ryzen 7 7800X3D @ 4.2GHz
• RAM: 64 GB DDR5
• Storage: 1 TB NVMe SSD
• Operating System: Ubuntu 22.04.3 LTS (64-bit) under WSL2
All services were hosted locally using Docker containers to ensure process isolation while avoiding external network-induced noise in measurements.
Software Stack
The system was implemented using a mix of open-source components and custom services:
• FDO Implementation: pri-fidoiot (FIDO Alliance)¹ for onboarding and ownership transfer.
• MUD Manager: Developed in Python, using Flask for the REST interface and direct generation of iptables rules for enforcement.
• Threat MUD Manager: Python-based microservice capable of parsing Threat IDs received via POST messages and retrieving the corresponding Threat MUD file.
• CTI Simulator: A minimal threat simulator component that mimics the MISP behavior by sending a POST request to the Threat MUD Manager with a Threat ID.
• Domain Orchestrator: A simplified Orchestrator that collects and logs all enforced policies in a centralized structure for inspection and visualization.
Network Simulation
Each device lifecycle was simulated in a self-contained Docker network, with isolated subnets representing the manufacturer domain, the rendezvous server, and the owner domain. This allowed precise emulation of protocol flows between:
• Manufacturer Server → Device: Credential and metadata injection via FDO DI.
• Device → Rendezvous Server: Discovery of the Owner Server (FDO TO1).
• Device → Owner Server: Secure ownership transfer and metadata delivery (FDO TO2).
• Owner Server → MUD Manager: MUD URL notification and policy retrieval.
• CTI → Threat MUD Manager: Threat alerts via HTTP POST and mitigation activation.
Metrics and Instrumentation
To capture execution times and enforce policy validations, logging hooks were embedded at the boundaries of each protocol phase. Timestamps were extracted at:
• Onboarding request initiation and ownership voucher confirmation (FDO TO0–TO2).
• MUD file retrieval, signature validation, and rule injection.
• Threat MUD POST receipt and policy update confirmation.
Figure 5.1: Test-bed architecture
¹ https://github.com/fido-device-onboard/pri-fidoiot
Logs were processed using Python scripts to compute averages, distribution, and comparative visualizations included in Section 5.
This modular testbed provided an accurate and reproducible environment for validating the architectural claims and performance characteristics of the proposed secure onboarding and policy lifecycle system.
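An added example of the log-processing side of this instrumentation (illustrative code for this page, not the thesis's scripts). It parses constructed log lines that carry a timestamp, a device id and a phase marker, derives per-device durations for the onboarding (TO1→TO2), hand-off (TO2→MUD received) and enforcement (MUD received→policy applied) phases, rejects devices whose log is incomplete or out of order instead of letting them skew the statistics, and computes mean, median and maximum per phase. The line format, event names and every timing value below are constructed.

```python
"""Per-phase latency extraction from phase-boundary log lines.
Illustrative code for this page; log format, event names and values are constructed."""
import re
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) device=(?P<dev>\S+) event=(?P<ev>\S+)$")

# (phase name, start event, end event): the boundaries the text describes.
PHASES = [
    ("onboarding", "TO1_START", "TO2_DONE"),
    ("handoff", "TO2_DONE", "MUD_RECEIVED"),
    ("enforcement", "MUD_RECEIVED", "POLICY_APPLIED"),
    ("total", "TO1_START", "POLICY_APPLIED"),
]

# Constructed log: three complete devices, one truncated (dev04) and one with a
# policy-applied timestamp earlier than its MUD-received timestamp (dev05).
SAMPLE_LOG = """
2025-05-10T10:00:00.000+00:00 device=dev01 event=TO1_START
2025-05-10T10:00:00.250+00:00 device=dev01 event=TO2_DONE
2025-05-10T10:00:00.262+00:00 device=dev01 event=MUD_RECEIVED
2025-05-10T10:00:00.640+00:00 device=dev01 event=POLICY_APPLIED
2025-05-10T10:00:01.000+00:00 device=dev02 event=TO1_START
2025-05-10T10:00:01.270+00:00 device=dev02 event=TO2_DONE
2025-05-10T10:00:01.280+00:00 device=dev02 event=MUD_RECEIVED
2025-05-10T10:00:01.980+00:00 device=dev02 event=POLICY_APPLIED
2025-05-10T10:00:02.000+00:00 device=dev03 event=TO1_START
2025-05-10T10:00:02.240+00:00 device=dev03 event=TO2_DONE
2025-05-10T10:00:02.255+00:00 device=dev03 event=MUD_RECEIVED
2025-05-10T10:00:02.360+00:00 device=dev03 event=POLICY_APPLIED
2025-05-10T10:00:03.000+00:00 device=dev04 event=TO1_START
2025-05-10T10:00:03.260+00:00 device=dev04 event=TO2_DONE
2025-05-10T10:00:04.000+00:00 device=dev05 event=TO1_START
2025-05-10T10:00:04.250+00:00 device=dev05 event=TO2_DONE
2025-05-10T10:00:04.900+00:00 device=dev05 event=MUD_RECEIVED
2025-05-10T10:00:04.700+00:00 device=dev05 event=POLICY_APPLIED
""".strip().splitlines()


def parse_log(lines: List[str]) -> Dict[str, Dict[str, datetime]]:
    """Group timestamps by device and event; lines that do not match the format are ignored."""
    events: Dict[str, Dict[str, datetime]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.setdefault(m["dev"], {})[m["ev"]] = datetime.fromisoformat(m["ts"])
    return events


def phase_durations(events: Dict[str, Dict[str, datetime]]) -> Tuple[Dict[str, Dict[str, float]], Dict[str, str]]:
    """Return (durations in ms per accepted device, reason per rejected device)."""
    accepted: Dict[str, Dict[str, float]] = {}
    rejected: Dict[str, str] = {}
    for dev, evs in events.items():
        try:
            d = {name: round((evs[end] - evs[start]).total_seconds() * 1000, 3)
                 for name, start, end in PHASES}
        except KeyError as missing:
            rejected[dev] = f"missing event {missing}"
            continue
        negative = [name for name, value in d.items() if value < 0]
        if negative:
            rejected[dev] = f"negative duration in {negative[0]} (out-of-order log or clock skew)"
            continue
        accepted[dev] = d
    return accepted, rejected


def summarize(durations: Dict[str, Dict[str, float]]) -> Dict[str, Dict[str, float]]:
    """Mean, median and maximum per phase across the accepted devices."""
    if not durations:
        return {}
    summary: Dict[str, Dict[str, float]] = {}
    for name, _, _ in PHASES:
        vals = [d[name] for d in durations.values()]
        summary[name] = {"mean": statistics.mean(vals),
                         "median": statistics.median(vals),
                         "max": max(vals)}
    return summary
```

Reporting the rejected devices alongside the summary matters in a containerised testbed: a device that never reaches `POLICY_APPLIED` is an enforcement failure, not a fast run, and silently dropping it would make the averages look better than the pipeline actually is.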
5.2 MUD Rule Enforcement and Translation Latency
This section analyzes the performance of the MUD enforcement phase after the FDO onboarding completes. Once the device finishes the TO2 step, the Owner Server extracts the MUD URL and initiates a POST request to the MUD Manager, which triggers the retrieval, parsing, and translation of the MUD file. This request introduces a slight delay, but as it involves only a single HTTP POST transaction, its contribution to the overall delay is negligible.
It is important to clarify that each MUD file used in this evaluation defines only two rules: one for outbound traffic and one for inbound traffic. This decision was made deliberately to reduce noise in timing measurements and to shift focus toward validating the interoperability between FDO and the policy manager. Consequently, the results shown here are not meant to demonstrate scalability in terms of rule complexity or quantity. Instead, the emphasis lies in showing that the complete FDO-to-MUD policy application process works reliably and within latency thresholds suitable for constrained environments.
Figure 5.2: Total Time from FDO TO1 to MUD Policy Applied
The first evaluation focuses on measuring the total time required to securely onboard a device and apply its MUD policy. This corresponds to the time between the start of the TO1 phase and the completion of the policy application triggered by the MUD Manager. The experiment was performed over a batch of 20 simulated devices, each configured with a unique MUD file containing two ACL rules defining permitted communication behaviors.
Figure ?? shows the total measured time required to complete the entire lifecycle—from the start of the FDO process (TO1) through the successful application of the MUD policy. The results across a set of 20 distinct device executions demonstrate an average end-to-end completion time of approximately 838 ms, with a median value of 840 ms. Individual device times ranged between roughly 600 ms and slightly above 1000 ms, indicating some variability primarily attributable to container scheduling overhead and minor network latency fluctuations within the Docker environment.
The lifecycle latency is further broken down into two distinct phases in Figure ??: the onboarding phase (FDO TO1→TO2) and the policy enforcement phase (MUD retrieval, translation, and enforcement). Here, we observe that the onboarding phase completes in approximately 256 ms, while the subsequent policy enforcement phase averages around 374 ms. The enforcement phase includes the slight additional latency introduced by forwarding the MUD URL through a single HTTP POST request from the Owner Server to the MUD Manager. This HTTP transaction introduces minimal delay and does not significantly impact overall performance, demonstrating the feasibility of adding integration points between FDO and external management components with negligible latency penalty.
Figure 5.3: End-to-End Lifecycle Security: Execution Time by Phase (Average)
Figure 5.4 offers a detailed breakdown of the execution times for each phase of the lifecycle security process across individual devices. Specifically, it distinguishes clearly between the onboarding phase (FDO TO1→TO2, represented in blue) and the MUD policy enforcement phase (MUD Received at MUD Manager → Policy Applied, represented in orange).
The results indicate some variability in execution times across different devices, reflecting minor fluctuations in system load, resource availability, and Docker container scheduling. Despite this variability, the onboarding phase remains relatively consistent across devices, generally around 200–300 ms. Conversely, the policy enforcement phase exhibits greater variability, ranging approximately from 100 ms up to 700 ms. This variability in the enforcement phase primarily stems from the operations involved in retrieving, parsing, and translating the MUD file, and also from some network latency within the Docker environment.
Device-specific observations also highlight instances such as Device1 and Device5, which present noticeably higher enforcement times compared to the rest. These instances could be attributed to transient container resource constraints or temporary network delays within the testbed environment. Nevertheless, even in these more delayed cases, the total lifecycle completion remains comfortably within sub-second latency, indicating a robust and reliable integration pipeline capable of rapid onboarding and policy enforcement.
Overall, this per-device analysis underscores the consistent performance of the onboarding process (FDO), while also highlighting areas where minor optimizations in the policy enforcement pipeline could further stabilize response times across varying deployment conditions.
Table 5.1 presents a comparative analysis between the proposed FDO and MUD-based approach and other relevant state-of-the-art onboarding and policy enforcement solutions.
Figure 5.4: End-to-End Lifecycle Execution Time by Device and Phase
Table 5.1: Comparison of Onboarding and Policy Enforcement Times
Approach / Solution        | Onboarding Time | Policy Enforcement Time
FDO + MUD                  | ~256 ms         | ~374 ms
Wi-Fi EasyConnect [4]      | Seconds         | Not integrated
ASOP [8]                   | 1.5–2.0 s       | Not explicitly measured
ONOS SDN Controller [10]   | N/A             | ~320 ms per rule
The results clearly highlight that the solution developed in this work (FDO + MUD) achieves rapid onboarding and immediate policy enforcement, with an onboarding time of approximately 256 ms and a policy enforcement delay of about 374 ms per MUD, which is 187 ms per rule. This positions our solution as highly competitive, significantly outperforming the onboarding latency of alternative approaches such as the ASOP protocol, which reports onboarding times in the range of 1.5–2.0 seconds, and Wi-Fi EasyConnect, which only provides qualitative timing data on the order of seconds without explicit integration of subsequent policy enforcement.
Regarding policy enforcement, the closest comparable solution is the ONOS SDN Controller, which achieves enforcement latencies of around 320 ms per rule. While the ONOS solution demonstrates a similar enforcement latency, it does not directly incorporate onboarding within its scope. Thus, the advantage of our proposed architecture lies not only in its comparable enforcement speed but also in its seamless integration of secure onboarding with immediate enforcement, providing an end-to-end lifecycle security solution in under one second.
Overall, the comparison underscores the efficacy and efficiency of the proposed architecture, emphasizing its strengths in integrating and automating secure onboarding and rapid policy enforcement within a unified, standards-compliant framework.
5.3 Threat MUD Evaluation and Response
This section details the evaluation of the Threat MUD component, emphasizing the responsiveness and integration capabilities of dynamic threat mitigation within the lifecycle security architecture. Similar to the previous evaluation, the primary aim here is to demonstrate correct operational integration rather than to evaluate the scalability or complexity of the rule enforcement. Therefore, each Threat MUD file tested includes only two straightforward mitigation rules (one inbound and one outbound). This simplification facilitates clear timing measurements and keeps the focus firmly on integration and process automation.
Threat notifications were simulated using controlled HTTP POST requests containing unique threat identifiers. Upon receiving these notifications, the Threat MUD Manager automatically retrieves the corresponding Threat MUD file, validates its authenticity, translates the included mitigation rules into iptables commands, and finally propagates these rules to the enforcement point.
Figure 5.5 provides the execution times for processing each distinct threat notification. Results indicate consistent responsiveness, with measured times ranging from 63 ms to 85 ms and a median response time of 67 ms, reflecting high predictability and reliability in threat response across different scenarios. The mean value across all evaluated threats was approximately 70 ms, reaffirming that the architecture provides a rapid and effective security response that meets real-time operational requirements.
The cumulative latency measured at each step is shown in Figure 5.5, with results obtained from 5 different threats. The full process from threat detection to enforcement was completed in under 100 milliseconds, demonstrating that the proposed system is capable of reacting to emerging threats in near real-time, without requiring manual intervention or static patching logic.
Figure 5.5: Threat MUD Phase Execution Time per Threat
A critical aspect evaluated was the ability to integrate Threat MUD dynamically and seamlessly into the existing MUD infrastructure without requiring manual intervention or significant additional overhead. The Threat MUD Manager was developed to leverage existing MUD management procedures, allowing straightforward incorporation of new threat-related metadata. The architecture demonstrated an efficient mechanism to automatically handle threat-driven policy updates, highlighting its adaptability to dynamic threat intelligence environments.
The most notable integration challenge at the project's inception was the lack of a standardized mechanism within the existing FDO or MUD specifications to incorporate threat-specific metadata dynamically. To address this, the Threat MUD extension was designed to operate independently yet remain fully compatible with the standard MUD architecture. This required defining clear interactions and data flows between the Threat MUD Manager, orchestrator, and enforcement points. Ensuring compatibility and seamless transitions between MUD policies and dynamic threat-driven policies constituted a significant design and implementation achievement of this work.
To contextualize the performance of the Threat MUD extension, the process latency from threat receipt until the rules are applied is compared against other state-of-the-art dynamic security systems.
Table 5.2 compares enforcement delays of the Threat MUD mechanism developed in this work against other contemporary threat mitigation systems. The results clearly highlight the exceptional responsiveness of the Threat MUD solution, achieving enforcement delays consistently below 100 ms. This low latency in the process is mainly attributed to the fully automated pipeline designed for rapid threat metadata retrieval, validation, translation, and enforcement.
Table 5.2: Comparison of Enforcement Delays of Threat Mitigation Systems
Solution                     | Enforcement Delay | Notes / Source
Threat MUD                   | <100 ms           | Fully automated mitigation pipeline, including rule translation
ONOS SDN Controller [10]     | ~320 ms           | Intent insertion latency using flow rules in SDN
AWS IoT Device Defender [11] | >1.5 s, <5 s      | Uses cloud-based IAM and alert-to-action model via Lambda
Manual Security Response     | Minutes–Hours     | Human-in-the-loop firewall or DNS rule updates
By comparison, the ONOS SDN Controller—commonly considered a high-performance enforcement solution—exhibits approximately 320 ms of delay, significantly higher than the Threat MUD approach. The AWS IoT Device Defender, leveraging cloud infrastructure and a Lambda-based alert-to-action model, introduces considerably longer delays, typically ranging from 1.5 to 5 seconds. Lastly, traditional manual security responses, which require human intervention for firewall or DNS rule updates, result in latency ranging from several minutes up to hours.
The comparison underscores that the Threat MUD approach developed in this work offers substantial advantages in automated threat response speed and integration simplicity, making it especially suitable for environments requiring immediate reaction to emerging threats.
5.4 End-to-End Lifecycle Security Summary
To evaluate the overall effectiveness of the proposed system, the onboarding, policy enforcement, and threat response stages were executed in sequence, simulating the full lifecycle of an IoT device under active security management. The measurements capture the cumulative latency introduced at each phase and reflect the responsiveness of the system under normal and adverse conditions.
As shown in Figures 5.5 and 5.3, the entire process—from secure onboarding using FDO, through MUD-based policy application, to dynamic response with Threat MUD—completes in approximately 800 milliseconds. Each component contributes predictably to the lifecycle, and the design allows for fully autonomous execution once the device is deployed.
The FDO onboarding step accounts for just less than 300 milliseconds, followed by 374 milliseconds for MUD policy retrieval, validation, and enforcement. In the case of a threat, the Threat MUD component can complete detection to enforcement within another 100 milliseconds. Compared to conventional alternatives, which require human intervention, firmware updates, or manual firewall rule changes, the automated lifecycle management presented here is significantly faster and inherently scalable.
Beyond latency metrics, the system achieves a high degree of policy fidelity and compliance with best practices such as zero-touch deployment, least privilege, and threat-informed
These results demonstrate that the integration of FDO, MUD, and Threat MUD provides no