Networking infrastructure, and the software and hardware that it consists of, is critical infrastructure of the utmost importance. Failing to protect these systems carries not only a heightened business risk but also a risk to the technologies that our entire society relies on to function. Today, misconfigured or end-of-life products represent a massive attack surface for adversaries, and communication gaps between product vendors and consumers add additional challenges.

To that end, the Network Resilience Coalition makes several recommendations on best practices for both vendors and users of network products. The Coalition believes that any potential additional costs incurred by these practices are outweighed by the downstream mitigation of disruptive or damaging incidents and further justified by the broad impact of increasing network resilience across the board.

The NRC recommends that vendors of network products:

  • Align their software development practices with the NIST Secure Software Development Framework (SSDF)
  • Provide clear and concise details on product “end-of-life” by providing specific dates, date ranges, and details on what level of support to expect for each date range
  • Avoid combining critical security fixes from updates with new features or functionality enhancements
  • Consider participation in the OpenEoX effort in OASIS, a cross-industry effort to standardize the way end-of-life information is communicated and to provide it in a machine-readable format.

The NRC recommends that consumers and purchasers of network products:

  • Align their product procurement requirements with the above recommendations by favoring vendors that are aligned with the SSDF, that provide clear end-of-life information, and that plan to provide separate critical security fixes
  • Increase cybersecurity vigilance (vulnerability scanning, configuration management) on products they elect to rely upon outside of their support period
  • Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age
  • Consider participation in the OpenEoX effort in OASIS, a cross-industry effort to standardize the way end-of-life information is communicated and to provide it in a machine-readable format.

Coalition members, both vendors and consumers, agree that these recommendations, if broadly implemented, would lead to a more secure and resilient global network infrastructure. It is the opinion of the group that this is mutually beneficial to all participants of the network product market, and that it also makes major strides in better protecting the critical infrastructure that people rely on for their livelihoods and well-being. 

Stephen Banghart
