In recent years, the U.S. government has undertaken efforts to adopt a zero trust architecture strategy for security to protect critical data and infrastructure across federal systems. It has also urged critical infrastructure sectors — including the broadband industry — to implement zero trust concepts within their networks.
The industry plays a key role in managing the National Critical Functions (NCFs) as a part of the Cybersecurity and Infrastructure Security Agency (CISA) critical infrastructures sections. Therefore, cable operators need to embrace zero trust concepts and do their best to apply them to their infrastructure elements.
What Is Zero Trust?
For quite a long time, some critical infrastructure elements have been considered as trusted because they happen to be physically located within the operator’s perimeter (e.g., back offices, trust domains). However, this approach can’t prevent these infrastructure elements from threat vectors that exist within the operator’s perimeter, such as illegal lateral movements. Additionally, conventional solid, hardware-based network perimeters are vanishing as the industry shifts toward software-define, virtualized and cloud networks.
As specified in the NIST “Zero Trust Architecture” document (NIST SP 800-207), “zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
What Is the Zero Trust Best Common Practices Document?
The Zero Trust Best Common Practices (ØTIS BCP), which will be released on September 24, was developed as a joint effort by CableLabs and steering committee members in the Zero Trust and Infrastructure Security (ØTIS) working group. Taking the aforementioned NIST SP 800-207 document and the CISA Zero Trust Maturity Model (ZTMM) into account during its development, the ØTIS BCP addresses security gaps that our members have identified and develops a zero trust security framework that covers the following areas:
- Credential protection and secure storage
- Identity security and data protection
- Asset and inventory management
- Supply chain risk management
- Secure automation
- Security monitoring and incident responses
- Boot security
- Policy-based access management
- Consistent security control
The ØTIS BCP is intended to serve as a guideline for cable operators and vendors as they implement zero trust concepts and support network convergence and automation. Cybersecurity professionals and decision-makers involved in the security of access networks may also find the ØTIS BCP informational because the document shows the broadband industry’s consensus on how to provide consistent security baselines for infrastructure access networks.
What Is the Next Step?
After releasing this initial version of the ØTIS BCP, we plan to expand the ØTIS working group so that it includes CableLabs’ vendor partners, who will review and further refine the recommendations. Notably, we’ll continue the process of mapping the ØTIS BCP to current and future guidance from relevant government agencies to identify potential gaps in the BCP and address those as appropriate.
How Can You Engage in the Zero Trust Effort?
If you’re a cable operator or vendor interested in taking part in this work, learn more about the ØTIS working group and how to join.