Driving Increased Security in All IoT Devices
CableLabs engages with the IoT industry and the broader stakeholder community, including governments, to help drive increased IoT device security. The rapid proliferation of IoT devices has the potential to transform and enrich our lives and to drive significant productivity gains in the broader economy. However, the lack of sufficient security in a meaningful number of these newly connected devices creates significant risk to consumers and to the basic functionality of the Internet. Insecure IoT devices often serve as building blocks for botnets and other distributed threats that in turn perform DDoS attacks, steal personal and sensitive data, send spam, propagate ransomware, and more generally, provide the attacker access to the compromised devices and their connections.
To help address the challenge of insecure IoT, CableLabs along with 19 other industry organizations came together to develop “The C2 Consensus on IoT Device Security Baseline Capabilities” released earlier this week. The broad industry consensus identifies cybersecurity baseline capabilities that all new IoT devices should have, as well additional capabilities that should be phased in over time. The development kicked off in March with a workshop hosted by the Consumer Technology Association (CTA). Over the past months, the group has coalesced around the identified cybersecurity capabilities. These include capabilities in the areas of device identity, secured access, data protection and patchability, among others.
CableLabs has also engaged with the National Institute of Standards and Technology (NIST) as it develops its recently released draft report, “Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers.” Both industry and governments largely agree on the capabilities that must be included to increase device security. Like the C2 Consensus, NIST focuses on foundational cybersecurity capabilities, including device identity, secure access, patchability of firmware and software, protection of device configuration and device data, and cybersecurity event logging.
The cybersecurity capabilities identified in the C2 Consensus and NIST will help prevent and minimize the potential for exploitation of IoT devices. Both documents provide a strong foundation and help point IoT manufacturers in the right direction on how to increase device security. However, cybersecurity is an ongoing journey, not a destination. Security practices must evolve and continue to improve to address new and emerging threats and changes in technology. This foundation must continue to be built on overtime.
CableLabs has long been a leader in the development of security technologies. For decades, CableLabs has helped guide the cable industry in incorporating many of the identified security capabilities into cable devices and has ensured the maintenance and advancement of these capabilities over time. For instance, since the first DOCSIS specification in 1997, CableLabs has helped ensure the protection of data: All traffic flows between each cable modem and the CMTS are encrypted to protect the confidentiality and integrity of those transmissions. This is not a once-and-done process; CableLabs has and must continue to advance the cryptography used in cable devices to protect against new and more powerful brute force attacks and other potential threats. Similarly, nearly 20 years ago, CableLabs adopted PKI-based digital certificates to support strong device identity and authentication for devices connecting directly to the cable network (e.g., cable modems, Internet gateways, set-top boxes). Since the initial implementation, CableLabs has continued to advance its PKI implementation to address new and emerging threats.
CableLabs has leveraged its experience and success in developing and implementing cybersecurity technologies in cable devices to help drive increased security in IoT devices. The underlying fundamentals, as well as many of the approaches to implementing, are transferable to IoT, as detailed in our white paper, “A Vision for Secure IoT”. We’ve not only engaged with the C2 Consensus and NIST’s IoT security efforts, but also in industry specification organizations, specifically the Open Connectivity Foundation (OCF)—to develop secure interoperability for IoT devices. OCF has implemented nearly all of the identified capabilities in its specification, tests for the capabilities in its certification regime, and provides the capabilities, free of charge, in its open source reference implementation – IoTivity.
Since publishing “A Vision for Secure IoT” in the summer of 2017, industry and the broader stakeholder community, including governments, recognize and have begun to address the challenge of insecure IoT.