What we need from routers

Introduction

The router is a key defence in the protection of networks - in our homes, in business and in industrial and infrastructure. With the rapid growth in so-called 'smart' (= insecure) devices, we can no longer fall-back on anti-virus programmes to protect us from malicious actors gaining a foothold on our devices.

We are calling for all routers to have a good level of security designed-in and for security updates to be provided throughout their lifecycle. The time for this to happen is now - with any new router taking around 2 years to be designed and fielded, and with many routers remaining in-service for several years, if we do not improve router security today then our networks will remain insecure into the 2030s, when there will be order of magnitude more smart devices in use. Malicious actions, such as the Mirai botnet [add German incidents], will not only impact the users' network, but may also severely degrade ISPs' core networks and national infrastructure. Therefore, router security must be addressed by legislators, ISPs and users (consumers and businesses).

The accompanying requirements for routers can be used by end users to judge the products being provided retailers and broadband providers; by ISPs as a basis of a procurement specification; and by manufacturers as an aggregation of policies becoming enforced by regulators and customers across all the major regions. Regulators may also find the details informative as to what risks need to be mitigated if widespread disruption of communication networks [by malicious actors] are to be avoided.

Approach to requirements

The IoTSF's [ManySecured project] approach is to provide best-practice guidance to industry and consumers to raise overall security. Using this guidance throughout the lifecycle of any IoT product enables designers, manufacturers, suppliers and users of equipment to understand and address the key issues. We take a global view of existing legislation and frameworks so that following our guidelines should create a secure product to take into formal testing in any region. We also deliberately adopt the same language as the existing legislation and guidelines wherever possible in order to avoid fragmentation and to promote coherency globally.

IoTSF best-practice guides, such as the Assurance Framework, are periodically updated, enabling us to capture emerging requirements in advance of them being mandated in regulations; in fact, our guides can be shown to have influenced many other frameworks and regulations globally.

A router is fundamentally a complex device and must be designed and produced with security at the forefront. The IoTSF Assurance Framework, which is aligned with ETSI Baseline Requirements for Cyber Security for Consumer IoT and the NIST 8259 Series, provides the core principles for ensuring a connected device is built securely and is maintained secure throughout its life. At a high-level, the 'Top 13' requirements are summarised in the ETSI EN 303 645 document, namely:

    No universal default passwords

    Implement a means to manage reports of vulnerabilities

    Keep software updated

    Securely store sensitive security parameters

    Communicate securely

    Minimize exposed attack surfaces

    Ensure software integrity

    Ensure that personal data is secure

    Make systems resilient to outages

    Examine system telemetry data

    Make it easy for users to delete user data

    Make installation and maintenance of devices easy

    Validate input data

However, in addition to the core security requirements above, a router presents additional challenges based upon its functionality and critical position in the network. Many of these have been identified by industry (e.g.: Broadband Forum and Deutsche Telekom), regulators (e.g.: Germany's Federal Office for Information Security BSI and Singapore's Info-communications Media Development Authority) and other advisory bodies such as the ITU and CISA. The IoTSF has consolidated these requirements into a single document to strengthen security across all router providers.

Structure of requirements

To promote alignment across the industry, we have adopted the same headings as the Broadband Forum's Functional Requirements for Broadband Residential Gateway Devices TR-124: GEN - General device requirements WAN - Wide Area Networking LAN - Local Area Networking MGMT - Management and Diagnostics IF - Interface Modules RGSMART - Smart Residential Gateway

The requirements have been cross-referenced to related requirements in the reference documents where more information may be available. In some cases, several individual atomic requirements have been combined into a single topic to help understanding of the overall security aim. Such grouped requirements may need to be decomposed into individually verifiable requirements if they are to be used in a procurement specification.

How to use these requirements

These requirements can be used by ISPs, manufacturers and informed users (both in business and consumer environments).

ISPs can develop procurement specifications tailoring the requirements to their own commercial processes and core network details.

Manufacturers should consider each of the requirements from the initial concept and design of any future device. The requirements allow manufacturers to anticipate the demands that their customers (and potentially regulators) will be demanding from routers.

Users should be demanding and assessing security as an essential criteria, such as they do with speed, coverage and price. Although users may not be able to directly verify some of the requirements, they should at least be asking for a declaration from the supplier as to how their product and support achieves the necessary security outcomes. A future version of the requirements will offer a simplified checklist of security features for users to ask for in a router.

Next steps

TBC - To include: D3 and smart analytics that will be necessary to meet the demands of growth in ubiquitous IoT/Smart Homes. Consumer/Regulator version of requirements - what you should be looking for in a router - even those supplied by ISP (comparison web-sites should include security). Assurance scheme - (procurement) test spec

Call to action

TBC - join MS SIG. Get involved with a trusted non-aligned organisation in influencing the security of the next generation of routers at an early stage, rather than having regulations enforced later on.