Cybersecurity Series: CATV and Broadband Providers (Part 4/5)
In the early days of cable service, providers encountered attackers who tried to steal service, customer data, and video content. As service offerings expanded to include broadband Internet, attacks have grown to be even more extensive, more frequent, and more sophisticated.
In the United States, cable operators provide video service to approximately 53 million subscribers. Broadband internet delivers service to approximately 63 million subscribers. Each year, even greater numbers of people and devices are connected to the Internet, and broadband network capacity continues to expand. The growth of these industries relies on trust from consumers in their cable and broadband companies. Is the industry prepared to protect millions of customers from cyberattacks?
Current Challenges
Non-secure IoT not only creates risk for individual end-users, but also for the basic functioning of the Internet. Compromised devices can be used by hackers to launch attacks—attacks so powerful that they can take down entire networks and major online services.
Commonly, when a cybersecurity event affects customers, infected home devices can:
- Send email spam
- Steal sensitive customer information, like finance or identity
- Be used in Distributed Denial of Service (DDoS) attacks
- Hold data hostage in ransomware attacks, asking the user to pay to retrieve data
Work needs to be done quickly to dramatically improve the security of these devices and to mitigate the damaging effects of insecure devices.
Current State of Cybersecurity
Traditional cable video delivery and Internet delivery are two separate logical networks. While they are operated over the same physical (coaxial cable and optical fiber) medium, data is transmitted over separate channels (or frequencies). Video encoding and broadband are not yet interchangeable, creating a layer of protection to each service from intrusion by the other.
To provide the quality of service that consumers expect, CATV providers continuously address new security threats as they grow and change. Providers use a layered, end-to-end approach to security, ensuring video content is delivered as intended, and minimizing the risk of piracy. This approach includes:
- BPI – Encrypted Communications - BPI encrypts all traffic flows between each cable modem to ensure those transmissions remain confidential.
- Secure Device Authentication using PKI - A public key infrastructure (PKI) uses digital certificates to perform device authentication and data encryption, ensuring the secure electronic transfer of information.
- Secure PKI Implementation - This ensures digital certificates are not put into insecure network devices or devices designed to harm.
- Secure Software Updates - Digital certificates ensure that only software updates that come from either the cable modem manufacturer or from the cable operator can be downloaded into the cable modem.
- Increasing Cryptographic Strength - Cable has continued to strengthen the implementation of its PKI, following the guidelines of the National Institute of Standards and Technology (NIST).
- Prevention of IP Address Spoofing - Cable operators have incorporated technology to prevent spoofed Internet Protocol (IP) addresses, which can be used to conceal a person’s identity when they are committing illegal acts and in DDoS attacks.
- Protection Against Cloned Cable Modems - A cloned modem can be used to steal broadband service and is also to mask criminal activity. Security measures to thwart cable modem cloning include: preventing a cloned cable modem from downloading old files to further its impersonation, IP address verification, message integrity checks, and using digital certificates uniquely assigned to each modem.
- Customer Notification and Remediation Systems - Major providers can detect and identify consumer devices infected by malware that are participating in a botnet.
- DDoS Mitigation - Cable operators have implemented DDoS mitigation technologies to protect their networks and guard against widespread service disruptions and outages. These systems identify abnormal Internet traffic and separate it from normal traffic, so the attack does not negatively impact Internet access broadly.
In recent years, cable operators have come to recognize that cybersecurity is a shared responsibility across the entire Internet ecosystem. The proliferation of non-secure IoT devices pollutes the Internet with malicious traffic and risks the theft of sensitive customer information. Addressing the problem will involve stakeholders from across the ecosystem, not just one industry.
Industry Cooperation and Regulations on Cybersecurity
- Broadcast equipment at the head end that encrypts and transmits video to the set-top box
- Set-top boxes that receive signals and transmit them to a security module (typically dedicated hardware) within the box
- A security module that determines if the set-top box is authorized to receive the video and decrypts accordingly
Security technology and thought-leadership for CATV and Broadband are also addressed by:
- Internet Engineering Task Force (IETF)
- Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
- Wi-Fi Alliance
- Broadband Internet Technical Advisory Group
- Open Connectivity Foundation (OCF), which provides standards for the Internet of Things
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
How Can Electric Power Companies Become More Secure?
For example, users should not have to remember passwords as the dominant authentication method. Secure PKI certificates can enable devices to automatically authorize Wi-Fi access points and adjust to load demands. This can dramatically reduce or eliminate device spoofing and facilitates secure end-to-end encryption with mutual authentication.
In connected homes, residents can centrally manage smart devices, and when the house is sold, the seller can reset the devices to remove personally identifiable information. Software "keys" to the home can be securely transferred from the seller to the buyer without worry that the seller still has access to the devices or the home.
To achieve the needed level of security, an IoT security standard must provide:
- Device identity
- Authentication, authorization, and accountability (on-boarding)
- Confidentiality
- Integrity
- Availability
- Lifecycle management
- Future (upgradable) security
CATV and broadband companies should to work together to continue to ensure high levels of security and to advance the industry’s management of cyber threats. Technology that enables secure communication among joint use partners can help advance this goal. We work better when we work together.
Stay tuned for the last post in this series regarding best practices for cybersecurity.
To read the previous posts in this series, click the title below:
- Cybersecurity Series: Managing Risks in Critical Infrastructure
- Cybersecurity Series: What are Electric Power Companies Facing?
- Cybersecurity Series: What are Communications Companies Facing?
Ask us questions about cybersecurity, or share your thoughts, in the comment section below.
To learn more about the interconnected web of joint use infrastructure and about managing infrastructure assets, download our free e-book.