Security
CableLabs Updates Framework for Improving Internet Routing Security
Key Points
- An update to CableLabs’ Routing Security Profile further demonstrates the need to continue to evolve the profile and underlying technical controls to stay ahead of a constantly changing threat landscape.
- The profile provides a wholistic, risk management approach to routing security that is applicable to any autonomous system operator.
- CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG) developed the profile.
Threats to internet routing infrastructure are diverse, persistent and changing — leaving critical communications networks susceptible to severe disruptions, such as data leakage, network outages and unauthorized access to sensitive information. Securing core routing protocols — including the Border Gateway Protocol (BGP) and the Resource Public Key Infrastructure (RPKI) — is an integral facet of the cybersecurity landscape and a focus of current efforts in the United States government’s strategy to improve the security of the nation’s internet routing ecosystem.
CableLabs has released an update to the “Cybersecurity Framework Profile for Internet Routing” (Routing Security Profile or RSP). The profile serves as a foundation for improving the security of the internet’s routing system. An actionable and adaptable guide, the RSP is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which enables internet service providers (ISPs), enterprise networks, cloud service providers and organizations of all sizes to proactively identify risks and mitigate threats to enhance routing infrastructure security.
The RSP is an extension of CableLabs’ and the cable industry’s longstanding leadership and commitment to building and maintaining a more secure internet ecosystem. It was developed in response to a call to action by NIST to submit examples of “profiles” mapped to the CSF that are aimed at addressing cybersecurity risks associated with a particular business activity or operation.
Improvement Through Feedback and Alignment
The first version of the RSP (v1.0) was released in January 2024 in conjunction with an event co-hosted with NCTA — the Internet & Television Association, featuring technical experts and key government officials from NIST, the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), the Cybersecurity and Infrastructure Security Agency (CISA) and the White House Office of the National Cyber Director (ONCD).
Following the release of the first version of the RSP, CableLabs conducted outreach to other relevant stakeholders within the broader internet community to raise awareness about this work and to seek feedback to help improve the profile. In addition, NIST released its updated CSF 2.0 in February 2024.
The RSP update reflects stakeholder input received to date and accounts for changes in the NIST CSF 2.0. In particular, the RSP v2.0:
- Aligns with NIST CSF 2.0’s addition of a “Govern” function and revisions of subcategories in the RSP’s mapping of routing security best practices and standards to the applicable key categories and subcategories of the NIST CSF 2.0’s core functions.
- Adds routing security considerations for most subcategories that previously did not include such information.
- Incorporates informative and relevant references within the context of the mapping rather than as a separate column of citations.
Advancing Routing Security Through Public-Private Partnership
Since its release, the RSP has been cited as a resource by various government stakeholders in recent actions and initiatives, including NTIA's Communications Supply Chain Risk Information Partnership (C-SCRIP)’s BGP webpage, the FCC’s proposed BGP rules and ONCD’s Roadmap to Enhancing Internet Routing Security.
In addition, CableLabs continues to closely engage in public-private stakeholder working groups. They include the joint working group recently established by CISA and ONCD, in collaboration with the Communications and IT Sector Coordinating Councils. The working group was created, according to the ONCD roadmap, “under the auspices of the Critical Infrastructure Partnership Advisory Council to develop resources and materials to advance ROA and ROV implementation and Internet routing security.”
The Ever-Evolving Cybersecurity Puzzle
The RSP remains a framework for improving security and managing risks for internet routing, which is just one key piece of a larger critical infrastructure cybersecurity puzzle. As with any endeavor in security, the RSP will evolve over time to reflect changes to the NIST CSF, advances in routing security technologies and the rapidly emerging security threat landscape.
The RSP was developed by CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG). The group is composed of routing security technologists from CableLabs and NCTA, as well as network operators from around the world.
Learn more about all CableLabs’ working groups, including the CREST WG, and how to join us in this critical work. Download the profile here, or view it using the button below.
Security
A Framework for Improving Internet Routing Security
Key Points
- The Routing Security Profile approaches routing security from a holistic, risk management perspective.
- It is applicable for use by any autonomous system operator — large or small — to enhance routing security.
- The profile and the underlying technical controls must continue to evolve to stay ahead of a constantly changing threat landscape.
- Our next step is to engage with the broader internet community to drive awareness and further improve and advance this work.
Reliable and secure routing is essential for the connectivity of critical communications networks, ensuring that data packets reach their intended destinations without being intercepted, altered or dropped. Inadequate routing security can make the entire network susceptible to attacks such as Internet Protocol (IP) spoofing, route hijacking and man-in-the-middle attacks.
With the increasing complexity and ubiquity of IP network infrastructures across the globe, the security of core routing protocols — including the Border Gateway Protocol (BGP) and the Resource Public Key Infrastructure (RPKI) — is an integral facet of the cybersecurity landscape. Malicious actors and threat vectors that target the network routing layer can lead to severe disruptions, such as data leakage, network outages and unauthorized access to sensitive information.
To address the issue, CableLabs has just released a “Cybersecurity Framework Profile for Internet Routing” (Routing Security Profile, or RSP) that serves as a foundation for improving the security of the internet’s routing system. The RSP is an actionable and adaptable guide, aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), that enables Internet Service Providers (ISPs), enterprise networks, cloud service providers and organizations — large and small — to proactively identify risks and mitigate threats to enhance routing infrastructure security.
The RSP was developed as an extension of CableLabs’ and the cable industry’s longstanding leadership and commitment to building and maintaining a more secure internet ecosystem. It also was developed in response to NIST’s call to action to submit examples of “profiles” mapped to the CSF that are aimed at addressing cybersecurity risks associated with a particular business activity or operation.
What Is the Routing Security Profile, and Who Can Use It?
Network engineers, IT managers, cybersecurity professionals and decision-makers involved in network security risk management are prime candidates for using the RSP — with its exclusive focus on routing protocols and services — as one tool in an overall network strategy to enhance existing security policies and risk management procedures within their organizations.
The RSP describes various technologies and techniques used for internet routing security, including BGP, Internet Routing Registries (IRRs), Autonomous System (AS) path filtering and RPKI. In addition, it outlines several key recommendations for improving BGP security that include Route Origin Authorizations (ROAs), Route Origin Validation (ROV), BGP peer authentication, prefix filtering and monitoring for anomalies.
What Can the Routing Security Profile Do?
By mapping routing security best practices and standards to the applicable key categories and subcategories of the NIST CSF 1.1’s Core Functions — Identify, Protect, Detect, Respond and Recover — the RSP can help organizations with the following tasks:
- Identifying systems, assets, data and risks that pertain to IP networks.
- Protecting IP networks by performing self-assessments and adhering to cybersecurity principles.
- Detecting cybersecurity-related disturbances or corruption of IP network services and data.
- Responding to IP network service or data anomalies in a timely, effective and resilient manner.
- Recovering the IP network to proper working order after a cybersecurity incident.
The RSP is a framework for improving security and managing risks for internet routing, which is one key piece of a larger critical infrastructure cybersecurity puzzle. As with any endeavor in security, the RSP will evolve over time to reflect changes to the NIST CSF, including the CSF 2.0 update coming in early 2024, advances in routing security technologies and the rapidly emerging security threat landscape.
The RSP was developed by CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG). The CREST WG is composed of routing security technologists from CableLabs, NCTA — The Internet & Television Association, as well as network operators from around the world, including representatives from Armstrong, Charter, Comcast, Cox, Eastlink, Liberty Global, Midco, Rogers/Shaw and Videotron. For more information on the CREST WG, please contact us.
We welcome feedback on the RSP from other internet ecosystem stakeholders as we continue to advance this work. Please send comments to Tao Wan. We will also engage with the broader internet community through forums such as M 3AAWG to drive awareness and to further improve the profile for the benefit of all AS operators, including ISPs, cloud service providers, government agencies, universities and other organizations.