Raising the Bar on Gateway Device Security
Today, CableLabs® has publicly released a set of best common practices (BCP) to enhance the security of cable modems, integrated access points, and home routers (collectively, known as “gateway devices”) against malicious activity and other cyber threats. This work builds on and extends CableLabs’ and the cable industry’s longstanding leadership in cybersecurity to ensure a consistent and robust baseline for gateway device security, increased economies of scale, and an ontology for simplified communication and procurement between network operators and device manufacturers.
The BCP Working Group is comprised of security technologists from CableLabs, network operators from around the world, and gateway device manufactures, including representatives from CableOne, Charter, Cisco, Cogeco, Comcast, Commscope, Cox, Liberty Global, MaxLinear, MediaCom, Shaw and Technicolor. In developing the BCP, the Working Group drew heavily upon well-established and widely accepted security controls, recognized broadly by industry and government security experts.
The cable industry has long employed extensive network security practices to ensure the confidentiality, integrity and availability of broadband services, including gateway devices. The BCP expands and standardizes these network security practices for gateway devices and complements cable operators’ broader set of security practices. For instance, DOCSIS® Security testing is performed on all gateway devices to ensure DOCSIS protocol conformance, including the verification of the correct implementation of public key infrastructure (PKI) authentication and identity management, BPI+ encryption, and EAE (Early Authentication and Encryption) secure provisioning requirements.
The BCP document goes beyond DOCSIS Security requirements and provides a framework for the full range of security considerations applicable to gateway devices, including hardware and manufacturing considerations, default security settings, configuration procedures, secure boot, roots of trust, software/firmware development and verification, encryption requirements for both data in transit and data at rest, and physical security, among others. To further ensure the robustness of the BCP, the working group compared and mapped the BCP to NIST’s general guidance for connected devices used by the federal government, to help confirm the scope was fully comprehensive of applicable security considerations.
The BCP represents the industry coalescing around a common set of security baseline requirements that furthers the following critical goals:
- Provide a common framework for security elements and controls within gateway devices, including cable modems, integrated Wi-Fi access points, and home routers, to align the varied approaches to device security across the industry.
- Create a community of manufacturers and network operators collaborating to enhance gateway device security.
- Leverage well-established and well-vetted security controls and practices to minimize the risk of unknowingly introduced vulnerabilities or other security weaknesses.
- Harmonize security requirements across network operators to drive increased economies of scale, lowering the cost of broadband deployment.
- Further protect network resources and broadband service from malicious attacks.
- Provide a framework for network operator assurance that enables verification of testable practices and configurations.
- Enable alignment across standards, regulatory, and compliance regimes through a transparent and open set of best common practices.
- Establish a security framework for gateway devices that builds in flexibility and agility, so that manufacturers and network operators can address and adapt to new threats and changes in the cyber risk landscape.
While this initial release is an important achievement, one that strives to be comprehensive in terms of security posture for gateway devices, we all recognize that this field is constantly evolving and advancing. We see the BCP as a framework that must and will be updated and maintained as network technology, device security, and unfortunately, adversary techniques continue to evolve. To that end, we invite and welcome additional gateway and modem manufacturers as well as additional network operators to join the working group as we continue to progress this effort.
On October 13, 2021, at 3:00 pm ET, we invite you to join our virtual panel session at SCTE Cable-Tec Expo to discuss and further explore Gateway Device Security and our work to develop the BCP.
CableLabs® Micronets Security Reference Code Is Now Open Source
In November, we introduced CableLabs micronets, a next-generation on-premise networking platform focused on providing adaptive security for all devices connecting to home or small business networks. Micronets uses dynamic micro-segmentation to manage the connectivity to each device and is designed to provide seamless and transparent security without burdening end users with the technical aspects of configuring and maintaining the network. Micronets is also a foundational piece of the cable industry’s recently announced 10G vision – supporting increased security for home and small business users.
Today we are pleased to announce that the release of the micronets reference implementation as open source software. You’ll find links to files and details on how to build and deploy the different Micronets components here. CableLabs plans to continue to develop and add new features to the open source reference implementation – we also welcome contributions from the broader open source community.
Why Open Source?
Here at CableLabs, we believe in the importance of sharing our code to accelerate the adoption of new ideas and to stimulate industry-wide innovation. In this particular case, there was an even stronger sense of urgency to do so.
The rapid and growing proliferation of Internet-connected devices, or the “Internet of Things” (IoT), has ushered in a new era of connectivity that gives us unprecedented control over our environment at home and at work. Unfortunately, along with all the benefits comes significant risk to end users and the broader Internet, alike. Vulnerable IoT devices are the fuel for botnets and other distributed threats. Compromised IoT devices are used to launch distributed denial of service (DDoS) attacks, spread ransomware, send spam, and more generally, enabling the theft of personal or sensitive information. Moreover, vulnerable IoT devices may also create the risk of physical harm, as many connected devices now provide a bridge between the cyber and physical worlds.
CableLabs and the broader IoT ecosystem are committed to driving improved IoT security, but such efforts are not enough alone to address the risks of insecure IoT. We must also develop network technologies, such as micronets, to help mitigate the risks of insecure IoT. There will always be legacy devices that don’t meet current IoT security best practices and potentially, manufactures that don’t follow best practices.
We believe addressing the risks of insecure IoT is a shared responsibility. By releasing the reference code as open source, we’re hoping to accelerate the adoption of micronets and encourage others to build upon our work.
More on Micronets and How it Fits into Our Security Agenda
The micronets platform leverages advanced mechanisms like device fingerprinting and artificial intelligence to enable real-time detection and quarantining of compromised IoT devices, minimizing the risk to other devices on the local network and to the broader Internet. Micronets can also provide enhanced security for high-value or sensitive devices, further reducing the risk of compromise for these devices and applications. Despite the complex technology under the hood, this self-organizing system is geared toward an everyday consumer and is very easy to use. For a deeper dive into micronets’ security features, please download the micronets whitepaper here. Missed our recent public webinar? You can find it on youtube here.
Micronets is just one of many active security projects at CableLabs. For instance, we’re also working on advancing additional cyber-attack mitigation technologies, such as DDoS information sharing, IP-address spoofing prevention and more, as well as actively contributing to industry and government efforts to drive increased IoT security. And although there’s no single solution that protects every network, we will continue working with our members and vendors and various industry organizations to develop better tools that make our world a safer place—one network at a time.
Click below for details on how to build and deploy the different Micronets components.
Micronets: Enterprise-Level Security Is No Longer Just For Enterprises
Today we are introducing CableLabs® Micronets, a framework that simplifies and helps secure increasingly complex home and small business networks.
As we add devices to our networks such as cell phones, computers, printers, thermostats, appliances, lights and even medical monitors, our networks become more susceptible to intrusions. Micronets automatically segments devices into separate, policy-driven trust domains to help protect the devices, data and the user. Agile and easy-to-use, Micronets gives consumers increased protection and control of their local network without overwhelming them with technical details. Micronets reduces the risks associated with vulnerable devices but is not a substitute for strong device security.
The Micronets Advantage: Smart Security and Ease of Use
CableLabs Micronets is an advanced network management framework that utilizes three components to provide enhanced security:
Automated Networked Devices: While CableLabs is not the first organization to introduce the concept of network segmentation, Micronets’ primary advantage is in its implementation. The Micronets framework uses advanced mechanisms like device fingerprinting and Manufacture Usage Definitions (MUD) to intelligently group networked devices into dynamically managed trust domains or “micronets.”
For example, children’s devices are assigned to one micronet, home automation on another and so on. If one device is compromised, devices on the other micronets will not be visible to the attacker. The system will automatically quarantine the infected device, minimizing the risk to the network and other connected devices. While the system is largely autonomous, the user has the visibility and control to adjust trust domains and add new devices.
Seamless User Experience: Micronets provides a layer of dynamic management and secure credential provisioning that hides the complexity associated with network orchestration and focuses on improving the user experience. It’s a self-organizing platform that’s very easy to use and control which is a major benefit to an average customer who lacks the time and knowledge required for manual network administration.
Adaptive Devices: The Micronets framework also includes an intelligence layer that manages the connectivity between the individual trust domains, the Internet and third-party provider services. Because security threats continuously evolve, Micronets is built to evolve as well. State-of-the-art identity management and cloud-based intelligence technologies, like machine learning and neural networks, are leveraged to provide adaptive security that can evolve over the years, thereby providing a solution that will work for today’s as well as tomorrow’s needs.
Another benefit that Micronets can provide is enhanced security for highly sensitive devices or applications, through secure network extension via APIs. For example, Micronets can be used to establish a secure, end-to-end network connection between an Internet-connected medical device, like a glucose tester, and the cloud services of a healthcare provider. This enhanced capability provides confidentiality, integrity and availability of the medical device and the healthcare data to and from the device.
Micronets provides features, such as network isolation, similar to 5G network slicing but can operate across Wi-Fi and mobile networks. Micronets is focused on security of private networks (e.g., home networks and SMB networks) where 5G slicing is focused on different service segment performance levels of end to end networks. Since Micronets is an overlay technology, it’s compatible with existing networks, even 5G slicing, where 5G slicing is dependent on the broad deployment of the underlying 5G technologies.
Under the Hood: A Deeper Dive into How Micronets Works
Micronets has five major architectural components:
- Intelligent Services and Business Logic: This layer acts as the interface for the Micronets platform to interact with the rest of the world. It functions as a receiver of the user’s intent and business rules from the user’s services and combines them into operational decisions that are handed over to the Micronets Manager for execution.
- Micronets Manager: This critical element orchestrates all Micronets activities, especially flow switching rules between the home network, cable operator and third-party providers that allow the delivery of services. It also provides controls that allow the user to interact with the Micronets platform.
- Micronets Gateway: Micronets Gateway could be a cable modem, router, wireless access point, or LTE hub/femtocell. It’s a core networking component that uses Software Defined Networking (SDN) to define how Micronets services interact with the home network. It also oversees the entire device profile on the user network—both wired and wireless.
- The Home Network: All the devices on the customer’s home or SMB network are automatically organized into appropriate trust domains—or micronets—using the device identity and SDN based logic. However, the customer can always make manual changes through a user-friendly Micronets interface.
- Micronets API: Operator partners and third-party operators can interact with the Micronet manager via secure APIs. Micronets ensure that third-party devices and services are secured through mutual authenticated and encrypted communications channels.
The Rollout: Getting Micronets In Homes and Business
- White Paper: Our white paper lays out the vision and architecture of Micronets in greater detail.
- Industry Partnerships: We’re working with our industry partners and cable operator members to bring Micronets to consumers. We are also working on implementing an easy-onboarding framework that builds on top of features from the Wi-Fi Alliance (WFA), namely EasyConnect, WPA3 security and the Internet Engineering Task Force (IETF) Manufacturer Usage Description framework to enable the secure and seamless configuration and on-boarding of consumer devices. We are also leading the development of a secure interoperability specification for IoT devices in the Open Connectivity Foundation, and with Micronets, we’re making significant strides to simplifying and securing increasingly complex networks.
- Code: We are releasing the reference code, currently under development, to the open source community in the coming months.
- Government Collaboration: We’re participating in and supporting government efforts like NIST’s National Cybersecurity Center of Excellence project on mitigating botnets in home and small business networks.
- Our Members and Vendors: We are planning on developing and publishing specifications for standardized API’s for advanced security services based on machine learning and device fingerprinting in collaboration with our members and vendors.
CableLabs has long been a leader in the development of security technologies for the delivery of video and broadband Internet access services. With Micronets we are bringing our expertise to the growing world of connected devices, for which security is a shared responsibility across the Internet ecosystem. Micronets helps mitigate the risks associated with insecure IoT, but is not a substitute for or alternative to the ongoing efforts to drive increased device security, to prevent vulnerabilities at their source.
Download our white paper by clicking below or learn more here.
Interested in working with the CableLabs team or hearing more about Micronets? Contact Darshak Thakore (firstname.lastname@example.org).
Where is that Set-top Box?
As a technology developer in the cable industry, my friends often ask me questions like, "Why do I need all these boxes in front of my TV?", "Why do I need to use so many remotes?" , and "When will I be able to watch TV on my mobile/tablet?" My enthusiastic response has been, "Very soon!” And then I explain the Digital Living Network Alliance's CVP-2 Guidelines, and how this new technology leverages the latest HTML5 web standards to allow consumers to view their TV content on any device of their choice. The responses I receive range from the optimistic "Great! How Soon?" to the skeptical "I'll believe it when I see it", which is why I was really excited when DLNA launched the VidiPath Certification Program.
VidiPath enables TV services to be viewed on various devices like tablets, phones, Smart TVs, and game consoles within the consumer's home. More details about CVP-2 are available as a previous post to this blog. However, the relationship between CVP-2 and the VidiPath Certification deserves some explanation. CVP-2 was geek-speak for the technology guidelines while they were being developed in the industry. Now completed, the VidiPath™ brand has been born.
Ok, back to my excitement about the VidiPath Certification Program. The reasons are twofold. First and foremost, the certification launch means that the industry is just one final step from getting the CVP-2 technology into the market and in consumers’ homes. The other reason is that the CableLabs CVP-2 Server was qualified by DLNA as a CVP-2 Reference Server and selected for use in the VidiPath Certification Testbed.
Benefits of VidiPath to Consumers
VidiPath will allow a consumer to watch premium TV content on any VidiPath certified device within their home, and that is just the tip of the iceberg. Consumers will also be able to enjoy the following benefits with their VidiPath devices:
- Putting aside that extra remote to navigate and watch content.
- No longer needing multi-room set-top boxes.
- Watching TV on tablets or mobile phones while everyone else is watching something else on the big TV.
- Gaining a modern yet consistent user interface on all devices to navigate and bookmark content.
- Reclaiming entertainment center real estate by moving the set-top box to the basement or a closet.
CableLabs CVP-2 Reference Server (or How Has CableLabs Contributed?)
To support the success of VidiPath, CableLabs has been actively involved in the development of the CVP-2 guidelines and has also developed a CVP-2 Server utilizing a number of existing open source components to accelerate the development and adoption of VidiPath in the industry. To that effect, we had: a) good success right from the start with the Intel OTC team contributing code to Rygel, b) various companies utilizing our code base for their testing/development and providing us feedback, and c) our collaboration with Elliptic Technologies and utilizing their robust tVault for DTCP-IP solution in the CableLabs Reference Server to provide content protection and authentication. We are already shipping out the Reference Server to various DLNA members who are preparing to get their clients certified. Now we look forward to VidiPath clients getting certified and hitting the market.
In addition, CableLabs holds CVP-2 interoperability events (interops) about twice a year. During these interops, manufacturers and cable operators come together to evaluate how their client or server interacts with other CVP-2 clients and servers. We just finished up another successful interop, with sixteen different companies participating.
And finally, CableLabs has a VidiPath Interoperability Lab, where VidiPath client developers can develop and test against MSO VidiPath guides, as well as work with the CableLabs CVP-2 Reference Server and other DLNA CVP-2 test tools.
Contact info: Darshak Thakore is a Lead Architect in the Applications Technologies Group at CableLabs.