TL;DR: On March 23, 2026, the FCC added all new consumer-grade foreign-made routers to its Covered List, citing Salt Typhoon and related Chinese state-sponsored campaigns that used compromised routers to pivot inside U.S. networks. The ban only blocks new certifications, but CISA guidance makes clear that the routers already deployed in homes and small offices remain a primary attack surface. NC businesses should inventory edge devices, replace end-of-life consumer routers with managed business-class hardware, and segment guest, IoT, and OT traffic this quarter.
Key takeaway: Salt Typhoon compromised over 200 organizations across 80+ countries by leveraging unpatched consumer-grade routers as long-term footholds. Small businesses inherit that risk every time they place a $99 retail router between their data and the internet.
Have your routers been on the FCC Covered List, or are they running unsupported firmware? Preferred Data Corporation provides network assessments and managed firewall services for NC businesses. BBB A+ rated since 1987. Call (336) 886-3282 or request a network assessment.
What did the FCC actually ban in March 2026?
The FCC voted unanimously on March 23, 2026 to update its Covered List to include all consumer-grade routers, gateways, modems, and similar customer premises equipment produced in foreign adversary countries. The order blocks new FCC certifications for affected devices and applies to equipment seeking authorization after March 23, 2026.
Three important clarifications for NC business owners:
- The ban does not seize or recall existing routers. Routers already purchased can continue to operate legally.
- The ban only affects new certifications. Vendors with prior FCC authorizations can continue distributing those specific models, though some manufacturers received conditional approvals through October 2027.
- Enterprise-grade equipment is treated differently. The action focused on consumer-grade gear most likely to enter homes and small businesses without a managed IT relationship.
According to Baker McKenzie's analysis, the FCC referenced Salt Typhoon, Volt Typhoon, and Flax Typhoon as the operational rationale for the rule, describing how unpatched foreign-made routers in homes and small businesses are being leveraged to build proxy networks for espionage.
Why this matters for North Carolina small businesses
Small businesses across the Piedmont Triad, Research Triangle, and Charlotte metro overwhelmingly run on consumer or pro-sumer network gear: ISP-provided gateways, big-box-store routers, or unmanaged switches purchased years ago and never patched. The Salt Typhoon playbook turns this exact equipment into a strategic asset for attackers.
| Network Layer | Typical Small Business Setup | Salt Typhoon-Era Best Practice |
|---|---|---|
| Internet edge | ISP gateway in routed mode | Business firewall with subscription threat feeds |
| Wi-Fi access | Consumer router doubling as AP | Centrally managed enterprise APs with PSK rotation |
| Guest network | Shared with corporate Wi-Fi | Isolated VLAN with no LAN reachability |
| Remote access | Port-forwarded RDP or open VPN | Identity-aware ZTNA or modern IPSec/WireGuard |
| Patching | Manual, sporadic, or never | Automated firmware management with monthly reports |
The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that PRC state-sponsored actors are positioning themselves on U.S. critical infrastructure networks, not for immediate espionage, but to be ready to disrupt operations during a future crisis. Manufacturers, defense suppliers, and professional services firms in NC sit squarely in that target set.
How Salt Typhoon used routers to pivot inside business networks
TechCrunch's reporting on Salt Typhoon and CISA advisories describe a consistent pattern:
- Initial foothold via unpatched router firmware. Attackers exploited known vulnerabilities in widely deployed router platforms, often years after patches were available.
- Persistent implants. Custom malware survived reboots and firmware updates by hooking into low-level firmware components.
- Living-off-the-land traffic. Outbound connections looked like routine management or telemetry traffic, defeating signature-based detection.
- Pivot to internal assets. Once embedded, the router became a launchpad into LAN devices, file shares, and connected OT systems.
- Aggregation into proxy networks. Thousands of compromised devices were chained together to obscure command-and-control traffic and run password-spray attacks against other targets.
For a 25-person manufacturer in High Point or a professional services firm in Durham, the practical risk is that a single $129 consumer router, three firmware versions behind, can quietly become a launchpad against the rest of the business.
Key takeaway: The router is no longer a peripheral. It is the most exposed identity on the network, and treating it like a consumer appliance is one of the most expensive decisions a small business can make.
What NC small businesses should do this quarter
A defensible router posture in 2026 does not require ripping out the entire network. It does require a structured plan.
1. Inventory every internet-facing device
You cannot harden what you cannot list. Document each device by model, firmware version, EOL status, and ownership. Pay close attention to ISP-provided equipment, sites with no IT presence, and shadow networks added by department leaders without coordination.
Network infrastructure services from PDC include discovery sweeps designed for multi-site businesses across the Piedmont Triad and Triangle.
2. Replace EOL or unsupported routers first
If a router stopped receiving firmware updates, it cannot be patched against current threats. Treat it as compromised in waiting. Replacement priority should follow exposure: internet-facing devices first, then internal segmentation gear, then access points.
Choose business-class hardware from vendors with documented vulnerability response programs and FCC certifications that remain in good standing.
3. Segment the network
A flat /24 with the warehouse PLC, the office printer, the boss's laptop, and the guest Wi-Fi all in the same broadcast domain is the default state for most small businesses. It is also exactly what makes a router compromise catastrophic. Minimum recommended segmentation:
- Corporate user VLAN
- Guest Wi-Fi VLAN (no LAN routes)
- IoT / printer VLAN
- OT / production VLAN (for manufacturers)
- Server / management VLAN
Network segmentation for manufacturers is one of the highest-leverage controls a small NC manufacturer can implement.
4. Move to identity-aware remote access
Port-forwarded RDP and credential-only VPN are how a lot of small businesses still let staff in from home. Both are heavily targeted in Verizon's 2025 DBIR. Modern alternatives:
- ZTNA (zero trust network access) with conditional access policies
- Identity-bound SD-WAN
- Cloud-managed firewalls with built-in client VPN and MFA
5. Automate patching and monitoring
A managed firewall service should give you, at minimum, a monthly firmware status report, automated patching for critical CVEs, threat-intel feed updates, and 24/7 alerting on anomalous outbound connections. Without those, the most secure router on the market becomes obsolete within a single quarter.
Preferred Data's managed cybersecurity services include continuous monitoring designed to catch the kind of low-and-slow router beaconing that Salt Typhoon is known for.
Cost reality: what router modernization looks like for an NC small business
Order-of-magnitude budgets for a typical 25 to 75 person business with one or two locations:
| Component | One-time cost | Recurring (monthly) |
|---|---|---|
| Business firewall(s) with HA | $2,500 to $8,500 | $100 to $400 (licenses) |
| Managed Wi-Fi (5 to 15 APs) | $2,000 to $6,500 | $25 to $75 per AP |
| Network switching (managed) | $3,000 to $10,000 | Optional management $200 |
| ZTNA / VPN platform | Included or $0 | $5 to $12 per user |
| Managed firewall + monitoring | - | $300 to $1,200 |
Comparing this to the Center for American Progress finding that small business importers averaged $306,000 in tariff costs in their first year, or the Astra Security average breach cost of $254,445, a full router and edge modernization typically lands in the $15,000 to $40,000 range, plus modest monthly fees. That is one to two orders of magnitude less than a single ransomware event triggered by a compromised router.
Ready to inventory and harden your edge? Call Preferred Data Corporation at (336) 886-3282 or request an assessment.
Beyond the ban: what comes next
Northeastern University's analysis of the rule suggests the FCC's action is the leading edge of a broader telecom supply chain reset. Expect additional categories of network equipment to enter the Covered List as Salt Typhoon investigations continue, and expect cyber insurance carriers to begin asking, on their renewal questionnaires, whether your edge gear appears on the FCC list.
The market is also shifting on the consumer side. Consumer Reports' reporting confirms that several major brands have either received conditional approvals or moved production. The upshot for NC small businesses: the long-term affordable, well-supported router landscape is going to be smaller, and the gap between consumer and business-class hardware will widen.
Key takeaway: The cheapest router is rarely the cheapest decision. With Salt Typhoon, Volt Typhoon, and Flax Typhoon all actively targeting U.S. small business networks through edge devices, the right time to upgrade was last year. The next best time is this quarter.
About Preferred Data Corporation
Preferred Data Corporation (PDC) is a managed IT and cybersecurity services provider headquartered in High Point, North Carolina, serving small and mid-sized businesses across the Piedmont Triad and Research Triangle. PDC has been helping NC businesses design and operate secure networks since 1987, including business firewall deployments, network segmentation, site-to-site connectivity, and 24/7 monitoring.
Talk to a network engineer about the FCC ruling and your environment:
- Call (336) 886-3282
- Visit preferreddata.com/contact
- Email [email protected]
Frequently Asked Questions
Does the FCC ban require me to throw away my current router?
No. The March 2026 order applies only to new FCC certifications. Existing devices remain legal to operate, but if your router is end-of-life, unpatched, or from a manufacturer on the Covered List, CISA guidance recommends replacement on a risk-based schedule. The legal status of a device does not equal its security status.
How do I know if my business router is vulnerable to Salt Typhoon-style attacks?
Three quick signals: the device is more than five years old, the manufacturer has stopped publishing firmware updates, or remote management is exposed to the public internet. Any one of those should trigger a deeper assessment. A managed network provider can run a structured audit against CISA technical advisories.
Do cyber insurance carriers care about the FCC router ban?
Increasingly, yes. Renewal questionnaires now ask about EOL hardware, patching cadence, and segmentation. Underwriters are aware of Salt Typhoon and routinely deny or surcharge policies that depend on consumer-grade edge gear. Replacing covered or unsupported routers can both reduce premiums and unblock coverage.
Are business-class routers really worth the extra cost for a small business?
For most NC small businesses, yes. Business-class firewalls and routers ship with active vulnerability management, integrated threat intelligence, central policy, role-based access, and longer support lifecycles. The functional difference shows up the first time a CVE is disclosed and the business-class device receives a same-week patch while a consumer model never gets one.
What about my home office routers for remote staff?
CISA considers home routers used for remote work to be part of the corporate attack surface. Practical mitigations include: routing all corporate traffic through a managed ZTNA or VPN, providing employer-managed Wi-Fi pucks where possible, and providing clear remote work security guidance. The same risk profile that drove the FCC ruling applies to remote workforce devices.