Security
Driving Industry Development of Zero Trust Through Best Common Practices
Key Points
- As the architecture of networks continues to evolve, we must continue to evolve how we approach security.
- Governments have been pushing zero trust implementation for critical infrastructure, including the broadband industry.
- CableLabs and its members formed the Zero Trust and Infrastructure Security (ØTIS) working group, which aims to develop best common practices (BCP) focused on zero trust implementation, secure automation and security monitoring, as well as on defining consistent, default security controls for infrastructure elements.
In recent years, the U.S. government has undertaken efforts to adopt a zero trust architecture strategy for security to protect critical data and infrastructure across federal systems. It has also urged critical infrastructure sectors — including the broadband industry — to implement zero trust concepts within their networks.
The industry plays a key role in managing the National Critical Functions (NCFs) as part of the critical infrastructure sectors defined by the Cybersecurity and Infrastructure Security Agency (CISA). Therefore, cable operators need to embrace zero trust concepts and apply them to their infrastructure elements wherever possible.
What Is Zero Trust?
For quite a long time, some critical infrastructure elements have been treated as trusted simply because they are physically located within the operator’s perimeter (e.g., back offices, trust domains). However, that approach can’t protect those elements against threat vectors that already exist inside the perimeter, such as unauthorized lateral movement. Additionally, the conventional hardware-based network perimeter is vanishing as the industry shifts toward software-defined, virtualized and cloud networks.
As specified in the NIST "Zero Trust Architecture" document (NIST SP 800-207), “zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
What Is the Zero Trust Best Common Practices Document?
The Zero Trust Best Common Practices (ØTIS BCP), which will be released on September 24, was developed as a joint effort by CableLabs and steering committee members in the Zero Trust and Infrastructure Security (ØTIS) working group. Taking the aforementioned NIST SP 800-207 document and the CISA Zero Trust Maturity Model (ZTMM) into account during its development, the ØTIS BCP addresses security gaps that our members have identified and develops a zero trust security framework that covers the following areas:
- Credential protection and secure storage
- Identity security and data protection
- Asset and inventory management
- Supply chain risk management
- Secure automation
- Security monitoring and incident response
- Boot security
- Policy-based access management
- Consistent security control
The ØTIS BCP is intended to serve as a guideline for cable operators and vendors as they implement zero trust concepts and support network convergence and automation. Cybersecurity professionals and decision-makers involved in the security of access networks may also find the ØTIS BCP informational because the document shows the broadband industry’s consensus on how to provide consistent security baselines for infrastructure access networks.
What Is the Next Step?
After releasing this initial version of the ØTIS BCP, we plan to expand the ØTIS working group so that it includes CableLabs’ vendor partners, who will review and further refine the recommendations. We’ll also continue mapping the ØTIS BCP to current and future guidance from relevant government agencies to identify potential gaps in the BCP and address them as appropriate.
How Can You Engage in the Zero Trust Effort?
If you’re a cable operator or vendor interested in taking part in this work, learn more about the ØTIS working group and how to join.
AI and Cybersecurity: Innovation Trends Evolve with Threats
Key Points
- The increasing sophistication of cyber threats poses challenges for individuals and organizations, but it is also driving opportunities for innovation in cybersecurity.
- Specifically, AI/ML-based security and compliance, including large language models (LLMs) and generative AI, continue to be hot topics after dominating the agenda at RSA Conference 2024.
- A technology brief from CableLabs details more takeaways from the conference, including generative AI-based automation and its impact on SBOM, crypto-agility and zero trust.
We are witnessing a transformation in the security landscape across all aspects of our digital world. As cyber threats become increasingly sophisticated and frequent, they pose new challenges for individuals and organizations alike. A single security breach can have crippling consequences for potentially millions of internet users — from the disruption of daily life and loss of access to everyday services to identity theft and loss of privacy.
A silver lining, though, is that these threats are driving a wave of cutting-edge innovations and solutions that can help safeguard our sensitive data and ensure continuity of operations. At the forefront of this evolution are artificial intelligence and machine learning (AI/ML). These technologies are equipping cybersecurity professionals with tools to identify and mitigate threats more effectively than ever before with unprecedented speed and accuracy.
It’s no surprise that the proliferation of AI/ML has become a central focus at industry conferences and among cybersecurity professionals. This was evident at this year’s RSA Conference, where tracks focused on automation using AI/ML, as well as the benefits and threats due to generative AI and large language models (LLMs).
Other key topics included the increased use of software bills of materials (SBOMs) and the security threats associated with them, and zero-trust sessions focused on policy-based authentication. In case you missed it, CableLabs covers these topics and provides more detailed key findings from the RSA Conference 2024 in a recent tech brief, available exclusively to members. Below are a few general observations from the conference.
A Double-Edged Sword
Generative AI and LLM came up in summits hosted by organizations including the Cloud Security Alliance (CSA), the Open Worldwide Application Security Project (OWASP) and the Techstrong Group. Among the topics were:
- The use of LLMs and generative AI to accelerate code analysis and vulnerability patching, speed up incident response, detect multimodal malware, and improve threat detection and continuous vulnerability and risk management for organizations.
- Demonstrations of attacks on LLMs that cause them to produce outputs that are partially or entirely incorrect and/or harmful. Common attacks presented across sessions included prompt injection, insecure output handling, training-data poisoning, denial of service against the LLM and data exfiltration.
The OWASP Foundation provided a summary of its work on the “Top 10 for LLM” project, which addresses common LLM security risks and provides guidance and checklists for implementing and managing LLMs.
Generative AI also raises several policy-related challenges: copyright protection of AI-generated work and tracing training data back to its original owners; the lack of recommendations or regulations from the United States Patent and Trademark Office regarding AI and human inventorship; and the privacy of personal data shared with generative AI vendors, with the risk that such data could be reidentified by the AI tools.
Long Live Shorter Certificates
An ongoing trend in the public key infrastructure (PKI) world is the shortening of the lifespan of operational certificates. Specifically for web and cloud infrastructure environments, Google has published a roadmap that proposes reducing the maximum TLS certificate validity period from 398 days to 90 days. The primary benefits touted for shorter-lived certificates are a smaller window of exploitation for compromised certificates and crypto-agility, collectively termed certificate agility.
However, this also poses challenges for access network operators, and for device identity certificates whose validity periods can extend to decades. Typically, the purpose of such device certificates is to provide immutability, attestability and uniqueness, and they are primarily used for access network authentication. In this context, providing a consistent identity while rotating certificates requires a change from existing deployment models. It highlights the need to implement automated certificate management tooling, and to budget the additional cost and time to deploy it as part of the network infrastructure upgrade.
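The operational consequence of shorter lifetimes is that renewal has to be scheduled, not remembered. The following is an added example, not code from CableLabs or from any PKI vendor: a small policy check over a constructed certificate inventory that assumes a 90-day cap on operational TLS certificates, renewal once two-thirds of a certificate's lifetime has elapsed, and an exemption for long-lived device identity certificates. The inventory entries, dates and policy values are all made up for the illustration.

```python
"""Certificate-agility check over a constructed certificate inventory.

Assumed policy (not from the page): operational TLS certificates may live at most
90 days and are renewed once two-thirds of their lifetime has elapsed; long-lived
device identity certificates are inventoried but exempt from the 90-day cap.
"""
from datetime import datetime, timedelta, timezone

MAX_OPERATIONAL_LIFETIME = timedelta(days=90)  # assumed policy value
RENEW_AT_FRACTION = 2 / 3                      # renew once 2/3 of the lifetime has elapsed


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory: names, dates and roles are made up for the example.
INVENTORY = [
    {"name": "web-frontend",   "role": "operational", "not_before": utc(2024, 5, 1), "not_after": utc(2024, 7, 30)},
    {"name": "api-gateway",    "role": "operational", "not_before": utc(2024, 7, 1), "not_after": utc(2024, 9, 29)},
    {"name": "legacy-portal",  "role": "operational", "not_before": utc(2024, 1, 1), "not_after": utc(2025, 2, 2)},
    {"name": "cm-device-cert", "role": "identity",    "not_before": utc(2010, 1, 1), "not_after": utc(2040, 1, 1)},
]


def renew_by(cert):
    """Date by which the automation should have a replacement certificate issued."""
    lifetime = cert["not_after"] - cert["not_before"]
    return cert["not_before"] + lifetime * RENEW_AT_FRACTION


def assess(cert, now):
    """Return the policy findings for one certificate at time `now` (empty = compliant)."""
    lifetime = cert["not_after"] - cert["not_before"]
    issues = []
    if now >= cert["not_after"]:
        issues.append("expired")                # outage: automation should never let this happen
    elif now >= renew_by(cert):
        issues.append("renew-now")              # inside the overlap window: issue and deploy a replacement
    if cert["role"] == "operational" and lifetime > MAX_OPERATIONAL_LIFETIME:
        issues.append("exceeds-90-day-policy")  # re-issue with a short lifetime at the next rotation
    return issues


def plan(inventory, now):
    """Map every certificate name to its findings."""
    return {cert["name"]: assess(cert, now) for cert in inventory}


if __name__ == "__main__":
    now = utc(2024, 8, 1)
    for cert in INVENTORY:
        print(f"{cert['name']:15} renew_by={renew_by(cert).date()} issues={assess(cert, now)}")
```

The identity certificate is deliberately not flagged: its long lifetime is the point, and rotating it would break the stable device identity the text describes. What must rotate is the operational certificate bound to that identity, which is why the two roles are tracked separately.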
Software and Cryptographic Bills of Materials
SBOMs are gaining traction as one of the key ingredients of the software development lifecycle. The RSA Conference also included some interesting sessions and demonstrations of adversarial use of SBOMs and developing guidance on how to correctly use them.
From a security perspective, cryptographic bills of materials (CBOMs) provide a mechanism to track cryptographic assets and their dependencies. A CBOM also offers a path toward introducing and tracking quantum-safe solutions, because it makes deprecated ciphers easier to find. This is an area of rapid development, with many vendors demonstrating SBOM tools and SBOM best practices.
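To make the "easier to find" claim concrete, here is an added example (not code from the page, from CableLabs or from the CycloneDX project) that scans a constructed CBOM document for deprecated algorithms and for public-key primitives a cryptographically relevant quantum computer would break. The sample document follows the general shape of CycloneDX 1.6 "cryptographic-asset" components but is simplified, and the classification lists are an assumed policy rather than any standard.

```python
"""Scan a CycloneDX-style CBOM for deprecated and quantum-vulnerable cryptography.

The sample document below is constructed for this example; it follows the general
shape of CycloneDX 1.6 "cryptographic-asset" components but is simplified, and the
classification tables are an assumed policy, not a standard.
"""
import json
import re

# Assumed policy tables: algorithms that should already be retired, public-key
# primitives that a cryptographically relevant quantum computer would break,
# and the NIST PQC replacements (FIPS 203/204/205).
DEPRECATED = {"MD5", "SHA1", "DES", "3DES", "TDES", "RC4"}
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}
QUANTUM_SAFE_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")

# Constructed sample CBOM.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2"},
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm"}},
        {"type": "cryptographic-asset", "name": "SHA1",
         "cryptoProperties": {"assetType": "algorithm"}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm"}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768",
         "cryptoProperties": {"assetType": "algorithm"}},
        {"type": "cryptographic-asset", "name": "TLSv1.2-ECDHE-RSA-AES128-GCM-SHA256",
         "cryptoProperties": {"assetType": "protocol"}},
    ],
})


def classify(name):
    """Return (status, reason) for one cryptographic asset name."""
    upper = name.upper().replace("SHA-", "SHA")  # SHA-1 -> SHA1, SHA-256 -> SHA256
    tokens = set(re.split(r"[-_/ +]+", upper))   # split cipher-suite style names into primitives
    if upper.startswith(QUANTUM_SAFE_PREFIXES):
        return "quantum-safe", "NIST PQC algorithm"
    hits = tokens & DEPRECATED
    if hits:
        return "deprecated", "uses " + ", ".join(sorted(hits))
    hits = tokens & QUANTUM_VULNERABLE
    if hits:
        return "quantum-vulnerable", "relies on " + ", ".join(sorted(hits))
    return "ok", "no flagged primitive"


def scan_cbom(cbom_text):
    """Classify every cryptographic-asset component in a CBOM JSON document."""
    findings = []
    for comp in json.loads(cbom_text).get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue  # ordinary software components are SBOM territory, not CBOM
        status, reason = classify(comp["name"])
        findings.append({
            "name": comp["name"],
            "asset_type": comp.get("cryptoProperties", {}).get("assetType", "unknown"),
            "status": status,
            "reason": reason,
        })
    return findings


def summarize(findings):
    """Count findings per status, e.g. to track migration progress across releases."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_cbom(SAMPLE_CBOM)
    for f in results:
        print(f"{f['status']:18} {f['asset_type']:9} {f['name']}: {f['reason']}")
    print(summarize(results))
```

Running the summary on every release gives the migration metric the text alludes to: the "quantum-vulnerable" count should fall and the "quantum-safe" count rise as hybrid or PQC algorithms are introduced, while "deprecated" should reach zero first.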
Other Hot Topics
Other notable technologies and topics covered at the conference included:
- Zero Trust and Identity Protection — Identity compromise continues to be a top threat and the root cause of data breaches. With the current trends around remote work, virtualization and cloud deployments, data and identities are now stored outside of corporate perimeters. Incorporating a zero-trust model (never trust, always verify) plays a crucial role in protecting identity and corporate assets.
- Multi-Factor Authentication — More and more companies are moving towards MFA to reduce account compromises. However, different attack methods to bypass MFA — like MFA fatigue, SIM swapping and session hijacking — complicate this.
- Post Quantum Cryptography (PQC) — The discussion around PQC continues, with the general guidance that the industry adopt a “hybrid mode” of deployment for any new cryptographic solutions. As of August 2024, there is not yet a quantum computer capable of breaking today’s public-key cryptography; however, attackers continue to steal encrypted data with the expectation of decrypting it in the future. NIST plans to publish the first set of PQC standards by the end of this summer.
The RSA Conference is the flagship conference for cybersecurity experts. This year it brought together 41,000+ professionals, 650 speakers across 425 sessions and over 600 exhibitors in San Francisco. Read more about these cybersecurity trends and more RSA Conference topics in the tech brief, available exclusively to CableLabs member operators.
Cybersecurity Awareness Month and Beyond: How We’re Safeguarding Network Integrity
In the digital age, cybersecurity is the first line of defense against an ever-expanding and continually evolving array of threats. The increasing sophistication of cyber threats and a deepening dependence on interconnectivity have elevated cybersecurity technologies from a peripheral consideration to a critical priority.
October is Cybersecurity Awareness Month, but safeguarding digital integrity is a year-round commitment for CableLabs. In our Security Lab, we work to identify and mitigate threats to the access network. We proactively develop innovative technologies that make it easier for internet users to protect their digital lives.
Let’s take a look at some of the CableLabs technologies that are enhancing network security and reshaping the way we protect ourselves online.
DOCSIS 4.0 Security
The new DOCSIS® 4.0 protocol is another promising chapter in the successful life of hybrid fiber coax (HFC) networks, and it brings with it notable security enhancements to the broadband community.
It’s important to note that DOCSIS 4.0 cable modems (CMs) are backward compatible with existing DOCSIS 3.1 networks, so operators can roll out the new CMs without upgrading the network at the same time. To fully leverage the protocol’s new upstream bandwidth efficiency and security features, however, both the CMs and the cable modem termination systems (CMTSs) need to support DOCSIS 4.0 technology.
Another key security-enhancing element of the technology is that DOCSIS 4.0 networks come with upgradable security. The technology continues to support the Baseline Privacy Interface Plus protocol (BPI+ V1) used in the DOCSIS 3.1 specifications, and it adds a new version (BPI+ V2) that can be enabled as needed.
The new version introduces mutual authentication between the device and the network, removes the dependency on the Rivest Shamir Adleman (RSA) algorithm and implements modern key exchange mechanisms. These changes give device authentication perfect forward secrecy and cryptographic agility, and they align the DOCSIS key exchange with the latest Transport Layer Security (TLS) protocol version, 1.3.
Further upgrades include enhanced revocation checking, with support for both the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs) for DOCSIS 4.0 certificates. DOCSIS 4.0 also introduces standardized interfaces for managing edge device access over SSH, aimed at limiting the exposure of corporate secrets (e.g., technicians’ passwords), and it incorporates a Trust on First Use (TOFU) approach to protect against downgrades across BPI+ versions.
Ultimately, DOCSIS 4.0 security is designed to provide several options for network risk management: the new speeds and capabilities can be used alongside today’s security properties and procedures (e.g., BPI+ V1 with DOCSIS 3.1 or DOCSIS 4.0 CMTSs), with the advanced protections enabled when needed.
Matter Device Onboarding
Passwords are meant to be secret, so why are users sharing them with all of their Internet of Things (IoT) devices? At CableLabs, we’re working to make it easy for end-users to add devices to their home networks without needing to share a password with every device.
Because so many devices are communicating with one another, standardization is critical — especially when it comes to security. That’s where Matter comes in. The open-source connectivity standard is designed to enable seamless and secure connectivity among the devices in users’ smart home platforms.
Our vision is for each device to have its own credential to get on the Wi-Fi network. The access point (AP) would use this unique credential to grant the device access to the network, and the device then would verify the AP’s credential. This has three incredibly significant advantages for subscribers:
1. It vastly increases the security of the home network, because a compromised device cannot divulge a shared network password and lead to a compromise of the entire network.
2. It’s possible to leverage the device attestation certificate that comes with every Matter device to inform the network that it’s a verified and certified device.
3. There's no need to reset every single device on the network if the Wi-Fi password is changed.
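The three advantages above follow from one property: the access point holds a separate credential per device and both sides prove possession of it. The following added example (not Matter or Wi-Fi Easy Connect code, and not CableLabs’ implementation) models that with a random per-device secret standing in for the device credential that the real design bootstraps from the QR code and backs with the device attestation certificate, and with HMAC standing in for signature-based proofs. It demonstrates mutual authentication, per-device revocation, and that one device’s stolen credential is useless for impersonating another.

```python
"""Per-device network credentials with mutual challenge-response authentication.

Added illustration of the onboarding model described above; it is not Matter or
Wi-Fi Easy Connect code. A random per-device secret stands in for the device's
own credential and HMAC stands in for signature-based proofs.
"""
import hashlib
import hmac
import secrets


class AccessPoint:
    def __init__(self):
        self.credentials = {}  # device_id -> per-device secret; there is no shared network password

    def enroll(self, device_id):
        """Issue a fresh credential to one device, e.g. after its QR code was scanned."""
        secret = secrets.token_bytes(32)
        self.credentials[device_id] = secret
        return secret

    def revoke(self, device_id):
        """Remove one device without touching any other device's credential."""
        self.credentials.pop(device_id, None)

    def respond(self, device_id, device_nonce):
        """Prove knowledge of this device's credential; returns (ap_nonce, proof) or None."""
        secret = self.credentials.get(device_id)
        if secret is None:
            return None
        ap_nonce = secrets.token_bytes(16)
        proof = hmac.new(secret, b"ap-auth" + device_nonce + ap_nonce, hashlib.sha256).digest()
        return ap_nonce, proof

    def admit(self, device_id, device_nonce, ap_nonce, device_proof):
        """Grant access only if the device proves the same credential back (domain-separated tag)."""
        secret = self.credentials.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, b"device-auth" + ap_nonce + device_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device_proof)


class Device:
    def __init__(self, device_id, secret):
        self.device_id, self.secret = device_id, secret

    def verify_ap(self, device_nonce, ap_nonce, ap_proof):
        """The device checks the AP's credential before it proves anything itself."""
        expected = hmac.new(self.secret, b"ap-auth" + device_nonce + ap_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, ap_proof)

    def prove(self, device_nonce, ap_nonce):
        return hmac.new(self.secret, b"device-auth" + ap_nonce + device_nonce, hashlib.sha256).digest()


def join(ap, device):
    """Run the mutual authentication; True only if both sides verified each other."""
    device_nonce = secrets.token_bytes(16)
    reply = ap.respond(device.device_id, device_nonce)
    if reply is None:
        return False  # unknown or revoked device
    ap_nonce, ap_proof = reply
    if not device.verify_ap(device_nonce, ap_nonce, ap_proof):
        return False  # device refuses a rogue AP
    return ap.admit(device.device_id, device_nonce, ap_nonce, device.prove(device_nonce, ap_nonce))


if __name__ == "__main__":
    ap = AccessPoint()
    tv = Device("tv-01", ap.enroll("tv-01"))
    bulb = Device("bulb-02", ap.enroll("bulb-02"))
    print("tv joins:", join(ap, tv), "bulb joins:", join(ap, bulb))
    ap.revoke("tv-01")  # only the TV loses access; the bulb keeps working
    print("after revoking tv:", join(ap, tv), join(ap, bulb))
```

Note that "changing the Wi-Fi password" has no equivalent here: there is no network-wide secret to change, so replacing one device’s credential is an `enroll` for that device alone, which is the third advantage listed above.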
Join us for a demonstration of Matter at SCTE® Cable-Tec Expo®, which is October 17–19 in Denver, Colorado. Come see us in CableLabs’ booth 2201 to see the future of networked IoT devices and how scanning a QR code can get a device on a network with its own unique credential.
CableLabs Custom Connectivity for MDUs
One of the fastest-growing market segments for broadband providers worldwide is the multi-dwelling unit (MDU) segment. The opportunities here include fast-growing apartment communities, as well as segments such as emergency/temporary housing, low-cost housing, the hospitality and short-term rental markets, and even emergency services.
A common theme across these is the need for an alternate deployment model that allows on-demand service activation and life-cycle management, as well as custom connectivity to various devices. The traditional deployment model of installing customer premises equipment (CPE) on a per-subscriber and/or per-unit basis has hindered operators in delivering services to these segments in a cost-effective manner.
The CableLabs Custom Connectivity architecture is designed to address these constraints by providing dynamic, on-demand subscription activation and device-level management to consumers across the operator’s footprint — without the need to deploy a CPE. The architecture leverages the security controls and mechanisms designed within the CableLabs Micronets technology to provide dynamic, micro-segmentation-based subscription delivery where a subscriber’s devices can connect to their “home subscription” from anywhere on the network and across different access technologies (Wi-Fi, cellular, etc.).
Additionally, it provides consistent operational interfaces for device authentication and service provisioning, as well as billing and subscription management interfaces to enable on-the-fly subscription activation and management.
Safer Networks, Empowered Users
The importance of proactive cybersecurity measures can’t be overstated, and these cutting-edge technologies are proof of CableLabs’ ongoing commitment to enhancing network security. These innovations not only make our networks safer, but they also empower users to take charge of their own online security.
By staying at the forefront of cybersecurity advancements, CableLabs continues to ensure we can all navigate the digital world with greater confidence and peace of mind.