Securing IoT Networks: NCCoE and CableLabs Collaborate to Develop Trusted Onboarding Solution

Kyle Haefner
Senior Security Engineer

May 9, 2023

Billions of Internet of Things (IoT) devices have been added to the internet over the past several years. During that time, millions of insecure IoT devices have contributed to massive Distributed Denial of Service (DDoS) attacks, exposing end users’ private data. To address the problem of insecure IoT devices, CableLabs participates in and contributes to several industry standards development organizations with the goal of building security into the very foundation of new devices and IoT protocols. This work culminates in the release of Matter 1.0, a secure interoperable IoT specification that major industry players are rapidly adopting.

Secure IoT Onboarding

The next critical challenge in enhancing IoT security is to extend interoperability between devices and the networks that connect them. Smart-home networks must be able to facilitate the addition of new devices, validate devices that are connected, help ensure that those devices are fully patched and updated, and safely isolate them if they’re vulnerable.

The next generation of smart-home networking begins with connecting the devices securely the first time. It’s no longer sufficient or secure to ask that consumers share their Wi-Fi password with every device on their smart home network. The network must be smart enough to give each device its own credentials to connect to the network. Crucially, the process for adding (also called onboarding) a device to the smart home network must be simple, seamless and secure.

Industry and Government Collaboration

To address this challenge, CableLabs has joined the National Cybersecurity Center of Excellence (NCCoE) Trusted Device Network-Layer and Lifecycle Management project. CableLabs and 10 other companies have been collaborating to develop a reliable network-layer onboarding solution for all IoT devices. This solution leverages established non-proprietary standards and protocols, offering secure onboarding while providing device identification, authentication and authorization. This project covers the following objectives:

  • Provide the device with unique network credentials that can be updated securely and automatically, allowing the network to authenticate the device and eliminating the need for a shared password across all IoT devices.
  • Employ a secure network-layer protocol to facilitate the secure and automatic provisioning of devices with both network and application-layer credentials for connecting with other devices and the cloud.
  • Demonstrate successful interoperability between devices built and configured by participating industry collaborators.

Streamlining the User Experience

CableLabs’ contributions to the Trusted Device Network-Layer and Lifecycle Management project harness the simplicity of Wi-Fi Easy Connect from the Wi-Fi Alliance, the secure interoperability of IoTivity from Open Connectivity Foundation and the powerful technology behind CableLabs’ Micronets to create a secure and streamlined process that allows users to onboard, provision and secure devices on their smart-home networks in a single intuitive step.

CableLabs’ involvement in the Trusted Device Network-Layer and Lifecycle Management project underscores its commitment to advancing IoT security and developing best practices for secure and effortless device onboarding. By collaborating with other industry leaders, CableLabs aims to promote the adoption of secure IoT technologies and ensure that consumers have access to reliable and user-friendly solutions for managing their connected devices.

A draft of this work can be found at NIST Special Publication (SP) 1800.



With Great Bandwidth Comes Great Responsibility

Kyle Haefner
Senior Security Engineer

May 5, 2020

Cable's next-generation 10G networks hold the promise to deliver symmetrical multi-gigabit speeds that are 100 times faster than what some consumers experience today. This great leap forward will enable services and experiences that will drive internet innovation for years to come. It is our mutual responsibility to ensure that the devices we connect to these blazing 10 gigabit internet connections are updated and patched, free from default passwords, and use proper authentication and authorization.

The failure to follow basic cyber-security principles surfaced in the late fall of 2016, when many popular sites such as Twitter, Amazon, Reddit and Netflix were unreachable for several periods lasting hours. The cause was a massive distributed denial of service (DDoS) attack coming from hundreds of thousands of compromised internet of things (IoT) devices. Traffic from these devices overwhelmed the DNS service provider and effectively blocked customers and users from reaching these popular Internet locations for hours at a time.

As we approach a world where households are connected at gigabit and greater speeds, building secure devices and getting them into the hands of consumers is essential. Over the last several years, CableLabs has been engaged with standards organizations such as the Consumer Technology Association (CTA) and the Open Connectivity Foundation (OCF) to draft specifications and guide security baselines for IoT devices. This work has culminated in the release of OCF's international ISO/IEC specification for IoT interoperability.

The OCF specification brings together over 450 member companies and work that spans half a decade to apply cyber-security best practices to the IoT. This specification, combined with an open source reference implementation, seven approved global testing and certification labs and an active community of practitioners and member companies (from device vendors, network device vendors and network operators), is uniquely positioned to be the secure standard that unites the industry.

With the OCF specification, a consumer can buy a certified device from Vendor A and be confident in the knowledge that not only will it work with their certified appliance from Vendor B, but it will do so in a way that is encrypted and authenticated. OCF can work with many cloud services but does not inherently need the cloud, promising consumers a good balance between the convenience of the cloud and the privacy and availability of their local networks.

The OCF specification's security-first approach brings it into close alignment with several of the security guidelines from government and industry, including:

Figure 1: OCF mapping of Security Baselines

The road ahead for 10G and IoT is bright. Ultra-fast networks and connected devices have the potential to change every aspect of daily life, making our surroundings aware and interactive to our presence and able to predict and adjust to our needs. Work, entertainment and social interaction will happen whenever and wherever we are, dynamically and organically. Education and healthcare will be forever changed as sensors and ubiquitous devices allow us to interact in ways never before possible. Yes, the future is bright, but it also must be secure.