Five Eyes Launch Guidance to Improve Edge Device Security


The UK’s leading cybersecurity agency and its Five Eyes peers have produced new guidance for manufacturers of edge devices designed to improve baseline security.

GCHQ’s National Cyber Security Centre (NCSC) and allies in Australia, Canada, New Zealand and the US published the document yesterday in response to mounting threats to virtual and physical devices that sit at the network edge.

These include perimeter security solutions, routers, network attached storage (NAS), IoT devices, sensors and cameras.

“In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat,” said NCSC technical director, Ollie Whitehouse.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyber-attacks but also provide investigative capabilities required post intrusion.”

The document is designed to ensure manufacturers follow a minimum set of security best practices, and that their customers know what to look for when choosing new physical and virtual network devices.

It focuses on a series of logging requirements to support threat detection and response, and forensic data acquisition requirements.

“Device manufacturers are encouraged to include and enable standard logging and forensic features that are robust and secure by default, so that network defenders can more easily detect malicious activity and investigate following an intrusion,” the guidance noted.

“By following the minimum levels of observability and digital forensics baselines outlined in this guidance, device manufacturers and their customers will be better equipped to detect and identify malicious activity against their solutions. Device manufacturers should also use it to establish a baseline of standard features to include in the architecture of network devices and appliances.”

Edge Devices Under Attack

Financially motivated and state-backed threat actors are targeting edge devices with increasing frequency.

A June 2024 WithSecure report found that, while the monthly number of software flaws added to CISA’s Known Exploited Vulnerabilities (KEV) catalog dropped 56% annually, the monthly addition of edge service and infrastructure CVEs rose by 22% over the same period.

What’s more, the latter CVEs were said, on average, to have an 11% higher severity score.

Ivanti products have been particularly badly hit. Last month, researchers warned that critical zero-day bug CVE-2025-0282 – which affects Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways – had been exploited in the wild from mid-December 2024.

A year previously, Dutch intelligence services discovered that Chinese threat actors had exploited a zero-day in FortiGate devices to infiltrate defense networks and deploy novel malware dubbed “Coathanger.”

Juliette Hudson, CTO of CybaVerse, argued that when edge devices are insecure, the whole network they’re running on is more exposed to attack.

“Today all businesses are digital businesses, where they rely on smart devices and the internet to deliver services. But this expands the enterprise attack surface,” she added.

“Having good visibility across network assets and running proactive monitoring for threats are essential, but device manufacturers also have a key role to play, and it is essential they practice good security hygiene in the development process.”


