Security
With Great Bandwidth Comes Great Responsibility
Cable's next generation, 10G networks, holds the promise to deliver symmetrical multi-gigabit speeds that are 100 times faster than what some consumers are currently experiencing today. This great leap forward will enable services and experiences that will drive internet innovation for years to come. It is our mutual responsibility to assure that devices we connect to these blazing 10 gigabit internet connections, are updated and patched, free from default passwords and use proper authentication and authorization.
The lack of following basic cyber-security principals surfaced in the late Fall of 2016, when many popular sites such as Twitter, Amazon, Reddit and Netflix, were unreachable for several periods, lasting hours. The cause was a massive distributed denial of service (DDoS) attack coming from hundreds of thousands of compromised internet of things (IoT) devices. Traffic from these devices overwhelmed the DNS service provider dyn.com and effectively blocked customers and users from reaching these popular Internet locations for hours at a time.
As we approach a world where households are connected at gigabit and greater speeds, building secure devices and getting them in the hands of consumers is essential. Over the last several years CableLabs has been engaged with standard organizations such as, the Consumer Technology Association (CTA) and the Open Connectivity Foundation (OCF), to draft specifications and guide security baselines for IoT devices. This work has culminated in the release of OCF's international ISO\IEC specification for IoT interoperability.
The OCF specification brings together over 450 member companies and work that spans half a decade to apply cyber-security best practices to the IoT. This specification, combined with an open source reference implementation, seven approved global testing and certification labs and an active community of practitioners and member companies (from device vendors, network device venders and network operators), is uniquely positioned to be the secure standard that unites the industry.
With the OCF specification a consumer can buy a certified device from Vendor A and be confident in the knowledge that not only will it work with their certified appliance from Vender B, but it will do so in a way that is encrypted and authenticated. OCF can work with many cloud services but does not inherently need the cloud, promising consumers a good balance between the convenience of the cloud and the privacy and availability of their local networks.
The OCF specification's security-first approach brings it into close alignment with several of the security guidelines from government and industry, including:
- National Institute for Standards and Technology (NIST) NISTIR 8259 draft of recommendations IoT device manufacturers.
— OCF meets 6/6 requirements - The Consumer Technology Association (CTA) C2 Consensus on IoT Device Security Baseline Capabilities.
— OCF meets 10/10 requirements - UK's Code of Practice for Consumer IoT Security.
— OCF meets 11/13 requirements (other two requirements are aimed at service providers not device requirements) - European Union Agency for CyberSecurity (ENISA) Baseline Security Recommendations for IoT.
— OCF meets 40/57 requirements (most unmet requirements are not applicable to a device centric model)
Figure 1: OCF mapping of Security Baselines
The road ahead for 10G and IoT is bright. Ultra-fast networks and connected devices have the potential to change every aspect of daily life, making our surroundings aware and interactive to our presence and able to predict and adjust to our needs. Work, entertainment and social interaction will happen whenever and wherever we are, dynamically and organically. Education and healthcare will be forever changed as sensors and ubiquitous devices allow us to interact in ways never before possible. Yes, the future is bright, but it also must be secure.
