National Institute of Standards and Technology publishes Methodology for Characterizing Network Behavior of IoT Devices & Supply Chain Traceability: Manufacturing Meta-Framework
September 1, 2025
The National Institute of Standards and Technology has published the final version of NIST Internal Report (IR) 8349, Methodology for Characterizing Network Behavior of Internet of Things (IoT) Devices, and a draft of NIST IR 8536, Supply Chain Traceability: Manufacturing Meta-Framework.
Understanding the scope of the Internet of Things and how its networks operate is key to determining its cyber security requirements. This 47-page report is worth consideration. The Internet of Things will become more, not less, ubiquitous and more, not less, prone to cyber attacks. The Supply Chain Traceability paper is also important, but more specific and technical.
Internet of Things
The summary provides:
Characterizing and understanding the expected network behavior of IoT devices is essential for cybersecurity; it enables the implementation of appropriate network access controls to protect the devices and the networks on which they are deployed. Device characterization techniques that describe the communication requirements of IoT devices, in support of the NCCoE Securing Home IoT Devices Using Manufacturer Usage Description (MUD) project, can aid in securing devices and their networks.
To properly secure networks, network administrators need to understand what devices are on the network and what network communication each device requires to perform its intended functions. In the case of networks that include IoT devices, it is often difficult to identify each individual device, much less know what network access is required by each device to other network components (and what access other network components need to each device).
NIST’s publication describes recommended techniques to capture, document, and characterize the entire range of an IoT device’s network behavior across various use cases and conditions. Using this methodology, IoT device manufacturers and developers, network operators, cloud providers, and researchers can generate files conforming to the MUD specification, which provides a standard way to specify the network communications that an IoT device requires to perform its intended functions. This publication also introduces MUD-PD, an open-source tool developed by the NIST NCCoE to help automate the characterization of IoT devices and subsequent creation of MUD files.
The project abstract provides:
The goal is to demonstrate how to use device characterization techniques to describe the communication requirements of IoT devices. This publication focuses on the capture of network communications involving IoT devices necessary to generate MUD files. MUD provides a standard way to specify the network communications that a device requires to perform its intended function. The methodology seeks to allow for analysis of the full range of IoT device network traffic behaviors that can reasonably be expected. This includes examining a variety of factors that could potentially alter an IoT device’s behavior at each stage of the device’s lifecycle.
The executive summary provides:
Characterizing and understanding the expected network behavior of Internet of Things (IoT) devices is essential for cybersecurity. It enables the implementation of appropriate network access controls (e.g., firewall rules or access control lists) to protect the devices and the networks on which they are deployed. This may include limiting a device’s communication to only that which is deemed necessary. It also enables identifying when a device may be misbehaving, a potential sign of compromise. The ability to restrict network communications for IoT devices is critically important, especially given the increased number of these devices.
Network behavior for most IoT devices is situationally dependent. For example, many IoT devices are operated and controlled through multiple mechanisms, such as voice commands, physical interaction with a person, other devices (e.g., a smartphone or IoT hub), and services (e.g., cloud-based). Each of these mechanisms may result in different network behavior, even if they achieve the same result (e.g., turning on a lightbulb through a voice command, mobile app, or physically toggling a switch). Additionally, certain patterns of network behavior may only occur in specific stages of a device’s life cycle (i.e., setup, normal operation, and decommissioning). Also, network behavior may change over time as device software is updated. For these reasons, the expected network behavior of a device needs to be characterized and understood for all intended scenarios and during each stage of its life cycle. Otherwise, necessary steps for device setup, operation, or decommissioning may be blocked by network access controls, preventing them from being performed fully or at all.
This publication describes recommended techniques to accurately capture, document, and characterize the entire range of an IoT device’s network behavior across various use cases and conditions. Using this methodology, IoT device manufacturers and developers, network operators and administrators, cloud providers, and researchers can generate files conforming to Manufacturer Usage Description (MUD), which provides a standard way to specify the network communications that an IoT device requires to perform its intended functions. MUD files tell the organizations using IoT devices what access control rules should apply to each IoT device, and MUD files can be automatically consumed and used by various security technologies. MUD files can be augmented for specific network deployments. Network operators, network administrators, and cloud providers can deploy default or custom MUD files in conjunction with environment-based network profiles captured using security tools to protect individual devices as well as entire networks.
This publication also presents MUD-PD, an open-source tool developed by the NIST National Cybersecurity Center of Excellence (NCCoE) to help automate the characterization of IoT devices and subsequent creation of MUD files. This tool can be used to catalog and analyze the collected data, as well as generate both reports about the device and deployable MUD files.
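As an added illustration of the MUD workflow described above (this is not code from the report or from MUD-PD), the following Python turns a constructed set of flows observed during a hypothetical bulb's setup and normal-operation stages into a MUD file in the RFC 8520 JSON layout, then checks a newly observed flow against it. The device, hostnames and ports are assumptions; only from-device IPv4 flows are modelled.

```python
# Constructed observations (not from the report): one entry per from-device flow seen
# while characterizing a hypothetical smart bulb during setup and normal operation.
OBSERVED_FLOWS = [
    {"stage": "setup", "proto": 6, "dst": "setup.example.net", "port": 443},
    {"stage": "normal", "proto": 6, "dst": "cloud.example.net", "port": 443},
    {"stage": "normal", "proto": 6, "dst": "cloud.example.net", "port": 443},
    {"stage": "normal", "proto": 17, "dst": "ntp.example.net", "port": 123},
]

def build_mud(mud_url, flows, sysinfo, last_update="2025-09-01T00:00:00+00:00"):
    """Aggregate observed from-device flows into a MUD file in the RFC 8520 JSON layout."""
    aces, seen = [], set()
    for f in flows:
        key = (f["proto"], f["dst"], f["port"])
        if key in seen:            # the same flow seen in several stages yields one ACE
            continue
        seen.add(key)
        l4 = "tcp" if f["proto"] == 6 else "udp"
        match = {"ipv4": {"ietf-acldns:dst-dnsname": f["dst"], "protocol": f["proto"]},
                 l4: {"destination-port": {"operator": "eq", "port": f["port"]}}}
        if l4 == "tcp":            # MUD records which side opens TCP connections
            match["tcp"]["ietf-mud:direction-initiated"] = "from-device"
        aces.append({"name": f"cl{len(aces)}-frdev", "matches": match,
                     "actions": {"forwarding": "accept"}})
    acl_name = "mud-bulb-v4fr"
    return {
        "ietf-mud:mud": {
            "mud-version": 1, "mud-url": mud_url, "last-update": last_update,
            "cache-validity": 48, "is-supported": True, "systeminfo": sysinfo,
            "from-device-policy": {"access-lists": {"access-list": [{"name": acl_name}]}},
        },
        "ietf-access-control-list:acls": {
            "acl": [{"name": acl_name, "type": "ipv4-acl-type", "aces": {"ace": aces}}]},
    }

def flow_permitted(mud, proto, dst, port):
    """Check a newly observed from-device flow against the MUD file.  A miss is a
    candidate 'misbehaving device' alert for the operator, not an automatic verdict."""
    l4 = "tcp" if proto == 6 else "udp"
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            m = ace["matches"]
            if (m["ipv4"]["protocol"] == proto
                    and m["ipv4"]["ietf-acldns:dst-dnsname"] == dst
                    and m.get(l4, {}).get("destination-port", {}).get("port") == port):
                return ace["actions"]["forwarding"] == "accept"
    return False   # no ACE matched: the flow is outside the characterized behavior
```

Because the setup-stage flow is kept in the file, the access controls derived from it will not block first-time onboarding, which is the failure mode the executive summary warns about.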
Supply Chain Traceability: Manufacturing Meta-Framework
The summary provides:
This paper presents a framework to improve traceability across complex and distributed manufacturing ecosystems. It enables structured recording, linking, and querying of traceability data across trusted repositories. This initial research is intended to explore approaches that may support stakeholders in verifying product provenance, meeting contractual obligations, and assessing supply chain integrity.
This framework builds on previous NIST research (NIST IR 8419) and incorporates insight and feedback from industry, standards bodies, and academia. It is designed to enhance national security, economic resilience, and supply chain risk management, particularly across manufacturing and other critical infrastructure sectors.
The overview and abstract provide:
Presently, end operating environments within critical infrastructure sectors have limited ability to obtain trusted pedigree and provenance information for the components supporting their operational environments. Insufficient traceability information for critical components reduces effectiveness of risk-based evaluations of security, safety, sustainability, and other compliance needs within end operating environments, including reduced ability to detect vectors of adversarial attack.
A decentralized data approach to help manufacturers and critical infrastructure sectors to secure their supply chains and end operating environments
The MVP RI offers an architecture for testing traceability across manufacturing supply chains. It enables the investigation of non-repudiable claims regarding product pedigree and provenance using distributed, authoritative data sources. This effort builds on the core concepts introduced in NIST IR 8419 and is guided by the Meta-Framework presented in NIST IR 8536. The implementation is designed as a flexible foundation for further refinement and adaptation by industry, academia, and other entities. It can be expanded with specific data standards and customized to suit different supply chain contexts.
The Executive Summary provides:
This paper introduces a meta-framework designed to enhance traceability across diverse supply chains by enabling structured recording, linking, and retrieval of traceability data. Through trusted data repositories, stakeholders can access supply chain information needed to verify product provenance, demonstrate compliance with external stakeholder requirements and contractual obligations, and assess supply chain integrity. The framework establishes several key principles to ensure visibility, reliability, and integrity in supply chain traceability:
- Common Data and Ontologies: Stakeholders are empowered to establish traceability consistency, ensuring that data remains structured, interoperable, and understandable across industries.
- Trusted Repositories and Ecosystems: The Meta-Framework supports the use of secure, trusted data repositories within industry ecosystems to manage traceability records.
- Traceability Record Model: Traceability is built from records created from supply chain events (e.g., manufacturing, shipping, receiving). These are linked using cryptographically verifiable connections to form traceability chains—sequentially linked records that allow stakeholders to validate product history and movement across the supply network.
Offering a scalable solution for improving traceability across industry sectors, the Meta-Framework enables organizations to exchange required supply chain data securely. As global supply chains grow more complex, this approach strengthens supply chain integrity, supports fulfillment of external obligations (e.g., legal, contractual, operational), and fosters stakeholder trust.
Crucially, the design allows organizations to share only the traceability data necessary for external validation, while retaining control over sensitive intellectual property and proprietary information. This principle of controlled disclosure balances transparency with confidentiality, helping stakeholders mitigate business risk while promoting accountability.
Successful implementation depends on effective ecosystem governance, risk-informed identity management, and data integrity. Readers are advised to consult Appendices C and G for additional guidelines and security considerations.
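As an added example (not code from NIST IR 8536, which does not prescribe a particular scheme), the following Python models the Traceability Record Model and the controlled-disclosure principle together: records are hash-linked into a chain, and sensitive fields are committed to with salted hashes so the owner can open one field to a verifier without revealing the rest. The part, sites and event types are constructed; record signing and repository access control, which the report assigns to identity management and governance, are assumed to be handled elsewhere.

```python
import hashlib, json, secrets

def canon(obj):
    """Canonical JSON so that independent parties hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_record(event, public, sensitive, prev_hash):
    """Build one traceability record.  Sensitive fields are committed to with a
    salted hash (random 128-bit salt so low-entropy values cannot be guessed),
    which lets the owner open any single field to a verifier later."""
    commits, salts = {}, {}
    for field, value in sensitive.items():
        salts[field] = secrets.token_hex(16)
        commits[field] = sha256_hex(canon({"salt": salts[field], "value": value}))
    body = {"event": event, "public": public, "commitments": commits, "prev": prev_hash}
    return {"body": body, "hash": sha256_hex(canon(body))}, salts

def verify_chain(records, genesis="0" * 64):
    """Every record must hash correctly and point at its predecessor's hash."""
    prev = genesis
    for r in records:
        if r["body"]["prev"] != prev or sha256_hex(canon(r["body"])) != r["hash"]:
            return False
        prev = r["hash"]
    return True

def verify_disclosure(record, field, value, salt):
    """Given (value, salt) for one field, a verifier checks the opened commitment
    without learning any other field the owner chose not to disclose."""
    expected = record["body"]["commitments"].get(field)
    return expected == sha256_hex(canon({"salt": salt, "value": value}))

def build_sample_chain():
    """Constructed three-event history for a hypothetical part (not from the report)."""
    genesis = "0" * 64
    r1, s1 = make_record("manufacturing", {"part": "PN-0001", "site": "plant-A"},
                         {"process_recipe": "recipe-v7"}, genesis)
    r2, s2 = make_record("shipping", {"part": "PN-0001", "carrier": "CarrierCo"},
                         {"unit_price": 12.5}, r1["hash"])
    r3, s3 = make_record("receiving", {"part": "PN-0001", "site": "integrator-B"},
                         {}, r2["hash"])
    return [r1, r2, r3], [s1, s2, s3]
```

The salts stay with the record owner; a downstream stakeholder that receives only the chain can still confirm that no record was altered or reordered.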