I Am Not a Security Engineer
By Michael Garramone
“It’s not the ’80s. Nobody says hack anymore.”
— Tony Stark
My work password is not WARMACHINEROX, but that doesn’t make me an expert on security. I can write a decent access control list, but that also doesn’t make me an expert on security. The things I talk about here may be rudimentary and obvious, even laughable to a security expert, but that’s my point. It’s probably a safe bet that most of us DOCSIS engineers aren’t also security experts, so we need to accept that and engage those who are. If you don’t have your own people, hire an outside firm and give them all the internal support they need.
My colleague, Alan Skinner, wrote an excellent piece on securing the access part of the remote PHY network in Aug 2020 (https://broadbandlibrary.com/securing-the-access-network/). I’m writing more about general mindset. When you talk about security, it can be easy to dismiss things as unlikely, or think you’ve already accounted for the probable scenarios. Admittedly, it can be easy to get defensive too.
“There’s no way that can happen.” After all, you’re responsible for the network elements, nothing bad has happened to them (yet), and you think you have things pretty well locked down. Think again. There’s not only a way, there are a hundred other ways you’ve never heard or thought of that the attackers (and security experts) have.
“Come on. You’re telling me someone is going to crack open that device, figure out how to get a plug with that connector on it, get through the authentication, and walk right in?” YES! That’s exactly what they’re going to do. Don’t be quick to discount unlikely scenarios. Not to veer too far off topic, but the global political landscape has literally been altered by hackers.
Those experts in your company or that you hire have thought of all this, and they need to be welcomed in. This is not to say we have got our heads in the sand, or that DOCSIS hasn’t cared about security from day one. It is a new world, and since we don’t know what we don’t know then we must bring in folks that do. And this is just for the DOCSIS network, not even more critical customer data such as telephony, marketing, and billing information.
Every IP connected device is open to attack, which makes every IP connected device vulnerable. SSH? Check. SNMP? Check. HTTP? Check. Those other open ports you didn’t know were there and shouldn’t be? Got it. That serial port that was supposed to be disabled before it left the factory? Oh. IPv6? Okay, no more “private” addresses and some new ports. Critical vendor security advisories that make it sound like the world is gonna end? 10-4.
As Alan described with remote PHY, now we have devices that are not in protected facilities and can be physically accessed in the field. We already had CCAP and modem infrastructure to secure, but now DAA has brought in new equipment that did not exist before like timing clocks, optical modules, and the nodes themselves that are all IP managed. When you release the hounds to go look for holes, it’s quite revealing what they might dig up. Review what they find with your security organization, make a list of mandatory and discretionary items, and develop a timeline for resolution. Lean on the vendors to provide fixes with urgency. Listen when they say you need to upgrade firmware. Don’t sit on it. Implement any short-term workarounds you can develop, because ignoring the issue won’t avoid your company and CTO being the lead story on the evening news when your network goes down. If you spend a lot of money and put a lot of hard work into security and nothing ever happens, then congratulations. It worked! Also, just because it could still happen does not mean you should not keep doing everything you can to try to prevent it.
You probably already had a door with a pretty good lock on it. When that door gets opened, and it will, you want five more doors after it with different locks. Attackers who really want in may keep trying, but the goal is to convince them to give up and try that other house down the street with the open window. This is not just someone watching me or my kids on a home camera, which is already horrifying, or someone using my Disney+ account. We shouldn’t be willing to treat a network with millions of customers the same. The point is that if security is doing its job, it’s super inconvenient. Don’t fight it. This is what should be keeping us up at night. For security engineers and any of us who’ve watched all of Mr. Robot, it does. Embrace it and maybe, just maybe sleep a little better.
Michael Garramone,
Cable Access Engineer,
Cox Communications
michael.garramone@cox.com
Michael Garramone is a 23-year veteran at Cox Communications, spending his first 13 years in the Las Vegas market before moving to the Access Engineering Design team at the Atlanta corporate headquarters in 2011. His current efforts center around CCAP design, standards development and documentation, and lab management and evaluation.
Feature Image: Shutterstock
