How Cable Networks Secure Communications
The email you sent, the website you visited, the internet searches you performed, the internet purchases you just made—they all require strong security to protect against eavesdropping, changes to your messages, and those who would make these services unavailable to you. These service examples demonstrate the foundational triad of security: confidentiality, integrity, and availability.
Security for the confidentiality, integrity, and availability of broadband traffic can be applied at different layers of networking technology. Some messaging applications encrypt traffic (for confidentiality) at the upper levels of the OSI network model (the application, presentation, and session layers), but broadband traffic also transits the layers below those top network layers.
The cable industry’s security technology protects the confidentiality, integrity, and availability of cable broadband at the lowest levels of the networking stack by encrypting the internet packets from cable subscribers’ homes and businesses. This security is provided through the cable industry’s use of its own public key infrastructure (PKI), the same type of security used by banks and the U.S. Department of Defense for their own protection.
The cable industry created and manages a PKI with strong security. The digital keys used in the cable PKI have a very long private key (1024 bits and 2048 bits long) that is unique to each cable modem and part of each cable modem’s digital certificate. Digital certificates securely identify the modem and are used to help encrypt the traffic going to and from that modem. You may think of a digital certificate as a driver’s license for a cable modem to get onto the internet through a cable operator’s broadband network. The information in a digital certificate provides an immutable and mathematically attestable identifier that is embedded during the modem’s manufacture. The cable PKI encryption technology protects each cable network user from having anyone eavesdrop on their internet traffic, change or corrupt their communications, or introduce malware into the cable modem. Cable operators and cable device manufacturers use the cable PKI to securely update and manage cable devices in homes and businesses.
The cable modem and customer premise equipment (CPE) that help homes connect securely to the internet require the same kind of patches and updates that other devices require to drive efficient and secure operation within the configuration required by the network to which they attach. Security specifications support SNMPv3 and TR-069, which are internet standards that provide commercial-grade security with ease of administration, and which include methods for authentication, authorization, access control and privacy in the configuration of devices. In the case of cable equipment, the firmware for these devices can be updated through a special secure channel by the network operator; this channel is secured similarly to how the cable modem establishes its link. Firmware is the collection of all the software, memory, and operations that manages traffic to and from the subscriber home and keeps the modem functioning, akin to the medulla oblongata in the human body, which passes messages between the brain and spinal cord. The firmware image is digitally signed by both the cable modem manufacturer and the network operator, whose public keys are accepted and recognized by the cable modem; this, and a special secure boot process, help make it increasingly difficult for malicious actors to compromise the device or network.
In addition to the cable PKI security controls, cable networks provide mechanisms to protect the routing and switching of broadband traffic once it leaves the cable broadband subscriber’s home or business. For example, source address verification ensures that originating packets are coming from proper, non-spoofed addresses. Additionally, the cable industry’s DOCSIS® Security provides several methods of filtering traffic, including enabling access control lists and security filters both at the cable modem and at the cable operator’s cable modem termination system, which connects a cable modem to the internet.
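An added example, not taken from the original article or from CableLabs or DOCSIS material: a small Python model of source address verification, assuming the termination system keeps a per-modem table of addresses learned from DHCP leases or provisioned prefixes. The class and method names are hypothetical, and the MAC and IP addresses are constructed from documentation ranges.

```python
import ipaddress

class SourceAddressVerifier:
    """Per-modem table of source addresses allowed upstream (illustrative model)."""

    def __init__(self):
        self.leases = {}    # modem MAC -> set of individually leased addresses
        self.prefixes = {}  # modem MAC -> list of statically provisioned networks

    def learn_lease(self, modem_mac, ip):
        self.leases.setdefault(modem_mac.lower(), set()).add(ipaddress.ip_address(ip))

    def release_lease(self, modem_mac, ip):
        self.leases.get(modem_mac.lower(), set()).discard(ipaddress.ip_address(ip))

    def add_prefix(self, modem_mac, cidr):
        self.prefixes.setdefault(modem_mac.lower(), []).append(ipaddress.ip_network(cidr))

    def check(self, modem_mac, src_ip):
        """Return (allowed, reason) for one upstream packet."""
        mac = modem_mac.lower()
        try:
            src = ipaddress.ip_address(src_ip)
        except ValueError:
            return False, "malformed source address"
        if mac not in self.leases and mac not in self.prefixes:
            return False, "unknown modem"
        if src in self.leases.get(mac, set()):
            return True, "matches lease"
        if any(src in net for net in self.prefixes.get(mac, [])):
            return True, "matches provisioned prefix"
        return False, "source not bound to this modem"

def build_demo():
    """Constructed sample state: two modems, documentation-range addresses only."""
    sav = SourceAddressVerifier()
    sav.learn_lease("00:00:5E:00:53:01", "192.0.2.10")
    sav.learn_lease("00:00:5E:00:53:02", "192.0.2.20")
    sav.add_prefix("00:00:5E:00:53:02", "2001:db8:2::/64")
    return sav

# Constructed upstream packets: (modem MAC, source IP)
SAMPLE = [("00:00:5e:00:53:01", "192.0.2.10"),     # modem's own lease
          ("00:00:5e:00:53:01", "192.0.2.20"),     # address leased to the other modem
          ("00:00:5e:00:53:02", "2001:db8:2::5"),  # inside provisioned prefix
          ("00:00:5e:00:53:01", "203.0.113.7"),    # never assigned
          ("00:00:5e:00:53:99", "192.0.2.10")]     # modem not in the table

def verdicts(sav, packets):
    """Allow/drop decision for each packet, in order."""
    return [sav.check(mac, ip)[0] for mac, ip in packets]

if __name__ == "__main__":
    print(verdicts(build_demo(), SAMPLE))
```

The second sample packet is the case worth noting: the address is valid on the network, but it is dropped because the binding is checked per modem rather than against one global list of assigned addresses.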
The cable industry uses security mechanisms that are broad and robust. These security mechanisms are continuously reviewed and improved as technology changes and security threats to cable broadband subscribers change. You can find more details in these blog posts: “The Cable Security Experience” and “10G Integrity: The DOCSIS® 4.0 Specification and Its New Authentication and Authorization Framework.”
CableLabs continues to work with cable operators and cable device manufacturers to increase cable broadband security beyond providing the encryption technology. The Gateway Device Security Best Common Practices (BCPs), developed based on input from cable operators and cable device manufacturers, provide recommended security practices for cable operators and cable manufacturers and are aimed at improving the cybersecurity posture of devices and the networks they connect to. The BCP document strongly aligns with other industry and governmental security recommendations, such as the M3AAWG CPE Best Practices and recent publications from NIST and ENISA. Through continuous strengthening of security tools and practices, the cable industry works to protect its subscribers against those who would seek to eavesdrop, corrupt, or disrupt cable broadband access.
Reference Gateway Device Security Best Common Practices:
Documentation: Gateway Device Security Best Common Practices Version V01