Security
Advancing Secure Home Networks: Gateway Device Security Best Common Practices 2.0
Key Points
- CableLabs has released an update to guidance that strengthens the security of home gateway devices — including cable modems, routers and access points — against evolving cybersecurity threats.
- The collaborative industry framework provides broadband operators with a clear, future-ready roadmap for securing such devices.
Cybersecurity threats are evolving faster than ever, and connected home devices can be a pathway for malicious actors to gain access to home networks.
At the center of home networks are gateway devices — cable modems, integrated access points and home routers. Their security isn’t just important, it’s essential. That’s why CableLabs is pleased to announce the release of the Gateway Device Security Best Common Practices (GDS BCP 2.0), an update designed to keep pace with the latest industry standards and strengthen the security posture of cable broadband networks for the future.
Why It Matters
In 2021, the first version of the GDS BCP set the bar for securing gateway devices across the broadband industry. The GDS BCP even earned recognition in the 2024 U.S. National Institute of Standards and Technology’s Internal Report “Recommended Cybersecurity Requirements for Consumer-Grade Router Products” (NIST IR 8425A) as a recommended resource to use for the cybersecurity of consumer-grade router products.
However, as the threat landscape evolves, so must our practices. The GDS BCP 2.0 closes gaps identified in the NIST crosswalk and integrates feedback from industry experts to ensure these practices remain relevant and resilient.
What’s New in the GDS BCP 2.0?
Here are the major updates:
- Gap Analysis & Clarifications - The GDS BCP 2.0 addressed gaps highlighted by NIST IR 8425A, adding clearer guidance and additional requirements for asset identification, device configuration and access control across network interfaces.
- SBOM Best Practices - A software bill of materials (SBOM) — defined as “a nested inventory for software, a list of ingredients that make up software components” — is a “key building block in software security and software supply chain risk management.” With government stakeholder guidance on SBOMs increasing and industry adoption maturing since the first release, the GDS BCP 2.0 now incorporates recommendations for SBOM practices to boost software supply chain transparency, improve vulnerability mitigation and management, and ensure alignment with applicable rules and requirements.
- Cryptographic Agility - As governments worldwide ramp up efforts to address the cryptographic risks posed by quantum computing, critical infrastructure operators are taking action to future-proof their networks by enabling cryptographic agility and shifting to post-quantum cryptographic paradigms. The GDS BCP 2.0 phases out legacy cryptographic algorithms and recommends quantum-resistant key encryption protocols, aligning with Internet Engineering Task Force (IETF) standards on post-quantum computing readiness and CableLabs initiatives including its Future of Cryptography, Zero Trust Infrastructure and DOCSIS Security working groups.
Collaborative Industry Effort
Gateway Device Security BCP 2.0 is more than an update. It’s a continued commitment to safeguarding broadband networks in an era of rapid technological change.
This release represents the culmination of a collaborative industry effort, developed through the invaluable contributions of CableLabs’ working group members and vendor participants. By closing gaps, promoting supply chain transparency and preparing for a quantum-secure future, we are helping the industry remain resilient and ready for what lies ahead.
If you’re a member or part of our vendor community, consider joining the working group to get involved in this work.
Download the GDS BCP 2.0 here, or view it using the button below.
Security
CableLabs Updates Framework for Improving Internet Routing Security
Key Points
- An update to CableLabs’ Routing Security Profile further demonstrates the need to continue to evolve the profile and underlying technical controls to stay ahead of a constantly changing threat landscape.
- The profile provides a holistic, risk management approach to routing security that is applicable to any autonomous system operator.
- CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG) developed the profile.
Threats to internet routing infrastructure are diverse, persistent and changing — leaving critical communications networks susceptible to severe disruptions, such as data leakage, network outages and unauthorized access to sensitive information. Securing core routing protocols — including the Border Gateway Protocol (BGP) and the Resource Public Key Infrastructure (RPKI) — is an integral facet of the cybersecurity landscape and a focus of current efforts in the United States government’s strategy to improve the security of the nation’s internet routing ecosystem.
CableLabs has released an update to the “Cybersecurity Framework Profile for Internet Routing” (Routing Security Profile or RSP). The profile serves as a foundation for improving the security of the internet’s routing system. An actionable and adaptable guide, the RSP is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which enables internet service providers (ISPs), enterprise networks, cloud service providers and organizations of all sizes to proactively identify risks and mitigate threats to enhance routing infrastructure security.
The RSP is an extension of CableLabs’ and the cable industry’s longstanding leadership and commitment to building and maintaining a more secure internet ecosystem. It was developed in response to a call to action by NIST to submit examples of “profiles” mapped to the CSF that are aimed at addressing cybersecurity risks associated with a particular business activity or operation.
Improvement Through Feedback and Alignment
The first version of the RSP (v1.0) was released in January 2024 in conjunction with an event co-hosted with NCTA — the Internet & Television Association, featuring technical experts and key government officials from NIST, the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), the Cybersecurity and Infrastructure Security Agency (CISA) and the White House Office of the National Cyber Director (ONCD).
Following the release of the first version of the RSP, CableLabs conducted outreach to other relevant stakeholders within the broader internet community to raise awareness about this work and to seek feedback to help improve the profile. In addition, NIST released its updated CSF 2.0 in February 2024.
The RSP update reflects stakeholder input received to date and accounts for changes in the NIST CSF 2.0. In particular, the RSP v2.0:
- Aligns with NIST CSF 2.0’s addition of a “Govern” function and revisions of subcategories in the RSP’s mapping of routing security best practices and standards to the applicable key categories and subcategories of the NIST CSF 2.0’s core functions.
- Adds routing security considerations for most subcategories that previously did not include such information.
- Incorporates informative and relevant references within the context of the mapping rather than as a separate column of citations.
Advancing Routing Security Through Public-Private Partnership
Since its release, the RSP has been cited as a resource by various government stakeholders in recent actions and initiatives, including NTIA's Communications Supply Chain Risk Information Partnership (C-SCRIP)’s BGP webpage, the FCC’s proposed BGP rules and ONCD’s Roadmap to Enhancing Internet Routing Security.
In addition, CableLabs continues to closely engage in public-private stakeholder working groups. They include the joint working group recently established by CISA and ONCD, in collaboration with the Communications and IT Sector Coordinating Councils. The working group was created, according to the ONCD roadmap, “under the auspices of the Critical Infrastructure Partnership Advisory Council to develop resources and materials to advance ROA and ROV implementation and Internet routing security.”
The Ever-Evolving Cybersecurity Puzzle
The RSP remains a framework for improving security and managing risks for internet routing, which is just one key piece of a larger critical infrastructure cybersecurity puzzle. As with any endeavor in security, the RSP will evolve over time to reflect changes to the NIST CSF, advances in routing security technologies and the rapidly emerging security threat landscape.
The RSP was developed by CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG). The group is composed of routing security technologists from CableLabs and NCTA, as well as network operators from around the world.
Learn more about all CableLabs’ working groups, including the CREST WG, and how to join us in this critical work. Download the profile here, or view it using the button below.
Security
A Framework for Improving Internet Routing Security
Key Points
- The Routing Security Profile approaches routing security from a holistic, risk management perspective.
- It is applicable for use by any autonomous system operator — large or small — to enhance routing security.
- The profile and the underlying technical controls must continue to evolve to stay ahead of a constantly changing threat landscape.
- Our next step is to engage with the broader internet community to drive awareness and further improve and advance this work.
Reliable and secure routing is essential for the connectivity of critical communications networks, ensuring that data packets reach their intended destinations without being intercepted, altered or dropped. Inadequate routing security can make the entire network susceptible to attacks such as Internet Protocol (IP) spoofing, route hijacking and man-in-the-middle attacks.
With the increasing complexity and ubiquity of IP network infrastructures across the globe, the security of core routing protocols — including the Border Gateway Protocol (BGP) and the Resource Public Key Infrastructure (RPKI) — is an integral facet of the cybersecurity landscape. Malicious actors and threat vectors that target the network routing layer can lead to severe disruptions, such as data leakage, network outages and unauthorized access to sensitive information.
To address the issue, CableLabs has just released a “Cybersecurity Framework Profile for Internet Routing” (Routing Security Profile, or RSP) that serves as a foundation for improving the security of the internet’s routing system. The RSP is an actionable and adaptable guide, aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), that enables Internet Service Providers (ISPs), enterprise networks, cloud service providers and organizations — large and small — to proactively identify risks and mitigate threats to enhance routing infrastructure security.
The RSP was developed as an extension of CableLabs’ and the cable industry’s longstanding leadership and commitment to building and maintaining a more secure internet ecosystem. It also was developed in response to NIST’s call to action to submit examples of “profiles” mapped to the CSF that are aimed at addressing cybersecurity risks associated with a particular business activity or operation.
What Is the Routing Security Profile, and Who Can Use It?
Network engineers, IT managers, cybersecurity professionals and decision-makers involved in network security risk management are prime candidates for using the RSP — with its exclusive focus on routing protocols and services — as one tool in an overall network strategy to enhance existing security policies and risk management procedures within their organizations.
The RSP describes various technologies and techniques used for internet routing security, including BGP, Internet Routing Registries (IRRs), Autonomous System (AS) path filtering and RPKI. In addition, it outlines several key recommendations for improving BGP security that include Route Origin Authorizations (ROAs), Route Origin Validation (ROV), BGP peer authentication, prefix filtering and monitoring for anomalies.
What Can the Routing Security Profile Do?
By mapping routing security best practices and standards to the applicable key categories and subcategories of the NIST CSF 1.1’s Core Functions — Identify, Protect, Detect, Respond and Recover — the RSP can help organizations with the following tasks:
- Identifying systems, assets, data and risks that pertain to IP networks.
- Protecting IP networks by performing self-assessments and adhering to cybersecurity principles.
- Detecting cybersecurity-related disturbances or corruption of IP network services and data.
- Responding to IP network service or data anomalies in a timely, effective and resilient manner.
- Recovering the IP network to proper working order after a cybersecurity incident.
The RSP is a framework for improving security and managing risks for internet routing, which is one key piece of a larger critical infrastructure cybersecurity puzzle. As with any endeavor in security, the RSP will evolve over time to reflect changes to the NIST CSF, including the CSF 2.0 update coming in early 2024, advances in routing security technologies and the rapidly emerging security threat landscape.
The RSP was developed by CableLabs’ Cable Routing Engineering for Security and Trust Working Group (CREST WG). The CREST WG is composed of routing security technologists from CableLabs and NCTA — The Internet & Television Association, as well as network operators from around the world, including representatives from Armstrong, Charter, Comcast, Cox, Eastlink, Liberty Global, Midco, Rogers/Shaw and Videotron. For more information on the CREST WG, please contact us.
We welcome feedback on the RSP from other internet ecosystem stakeholders as we continue to advance this work. Please send comments to Tao Wan. We will also engage with the broader internet community through forums such as M3AAWG to drive awareness and to further improve the profile for the benefit of all AS operators, including ISPs, cloud service providers, government agencies, universities and other organizations.

