CableLabs has published Gateway Device Security Best Common Practices, a document that describes how manufacturers, operators, and others can reduce the risk of cyberattacks on leased and retail cable modems, integrated access points, and home routers. The product of a CableLabs Working Group convened earlier this year, the document provides a baseline for gateway device security as well as a set of terminology for operators and vendors to discuss security requirements and solutions, according to a CableLabs executive who was part of the Working Group.
The group developed a best practices document instead of a set of standards because of the wide range of elements, stakeholders, and existing standards and practices that had to be considered, according to Brian Scriber, vice president, security technologies at CableLabs. For example, the Working Group discussed security aspects of hardware and manufacturing, software and firmware development and verification, default security settings and configuration procedures, secure boot and root of trust, encryption requirements for data transmission and storage, physical security, and other elements. The working group also wanted to provide the industry with the flexibility to continue security innovation, particularly as threats evolve, Scriber said.
Therefore, the members of the working group – which included representatives from CableOne, Charter, Cisco, Cogeco, Comcast, Commscope, Cox, Liberty Global, MaxLinear, MediaCom, Shaw, and Technicolor, according to a CableLabs blog on the subject – set out to establish a framework through which operators and vendors could collaborate to improve gateway device security now and in the future. Their work focused on eight areas:
- Development of a common framework for gateway device security elements and controls.
- Harmonization of requirements among network operators.
- Creation of an environment for collaboration on security between manufacturers and network operators.
- Leveraging of existing, trusted security controls.
- Construction of a practices and configurations verification framework.
- Alignment of security efforts with existing standards, regulatory, and compliance regimes.
- Increased protection of network resources and broadband services from attacks.
- Establishment of flexible security approaches for gateway devices that can adapt to new threats.
The framework the document describes is intended to be updated as circumstances and security techniques and technologies evolve, Scriber emphasized. Meanwhile, he expects that operators will leverage the practices within the document when discussing security requirements with their technology suppliers. While he doesn’t envision CableLabs creating a certification process based on the document, he anticipates that Kyrio will be able to provide resources to enable operators and vendors to evaluate the security of products.