Boosting telcos’ 5G cyber resilience

Sponsored Feature The widespread, global deployment of 5G telecommunications equipment and systems is already well underway. The GSMA forecasts that by 2025, 29 percent of the mobile connections in Europe – including those linking mission-critical infrastructure such as remotely operated power grids – will be made through 5G.

But unlike previous network generations of 3G/4G LTE infrastructure, 5G uses new network slicing technology that divides one physical network into multiple logical networks to provide communications services. That can theoretically make it more vulnerable to hacking due to the fact that the initially embedded security mechanisms depend on older 3GPP definitions, though these are continually evolving and being transposed to ETSI standards.

To that end, telecommunications companies, mobile network operators (MNOs) and other communication service providers are already taking advantage of the security controls inherited from 3G/4G. And they are now supplementing them with purpose built 5G security controls to enhance their network and service security processes, while simultaneously introducing best practices and policies to deliver the necessary resilience.

The ultimate objective for these operators is to implement end-to-end security frameworks across all layers and domains which will keep them one step ahead in terms of the technological innovation required to thwart possible cyber-attacks. "Clearly, telcos and MNOs must continuously improve operational defensive capabilities, including active/online defense, attack mitigation and incident response," says Giuseppe Bianchi, Professor at Università di Roma Tor Vergata. "Indeed, they are already paying crucial attention to these issues so as to adequately protect their infrastructure."

But Bianchi also urges operators to significantly improve their ability to prevent cyber threats, rather than just defend against them. "Beyond the adoption of secure design methodologies, which is more of a concern for manufacturers and service developers than operators, prevention is primarily concerned with two crucial areas: security assurance and cyber threat intelligence (CTI)," he emphasizes. "Regarding security assurance, telcos have historically relied on a priori security certification of physical components and devices, such as through Common Criteria. The 'softwarization' of network components – central to the 5G service-oriented architecture – requires much more agile ways to test security."

Testing and CTI essential for prevention

That increasing reliance on virtualization and software functions has prompted operators to equip their infrastructure with tools to extend security testing beyond the initial stages of development and deployment. They now integrate it throughout the lifecycle of network components, including DevSecOps frameworks. In parallel, the 3rd Generation Partnership Project (3GPP) – the main standardization body for 5G networks and systems – has initiated work on several sets of Security Assurance Specification (SCAS) tests.

"Each set of tests addresses a particular network function and challenges some of the expected security and access control properties, such as network slice isolation," Bianchi explains. "Hence, telcos and MNOs not only should pay close attention to such emerging testing methodologies, which are likely to be included in the next security certification schemes for network functions from the European Union Agency for Cybersecurity (ENISA), but also attempt to integrate them in their DevOps/DevSecOps tools and methodologies."

Another area of priority for telcos believes Bianchi, is cyber threat intelligence (CTI). Operators must efficiently gather and share information and extract knowledge from multiple public or commissioned sources of information so as to understand the goals, tactics and techniques of potential attackers. "Understanding in advance what a security team should monitor or control, or knowing who are the adversaries and their modes of attack, makes a huge difference in properly defending against a cyber threat," Bianchi suggests. "Equally critical is the ability to exchange and process actionable information that can be directly used to (re)configure security policies and detection mechanisms."

Supporting the acts of EU compliance

Many telecommunications equipment suppliers are working with telcos and MNOs to help them tackle these challenges. These include ZTE, which has implemented a security governance system based on industry standards and best practices that underpins a top-down, risk-based approach to managing cybersecurity throughout its product life cycle.

ZTE's cybersecurity governance structure and security-first culture is intended to align with cybersecurity-related laws and regulations such as the European Union (EU) Cyber Resilience Act (CRA) introduced in September 2022. The CRA covers a broad scope of products with digital elements, including software, and has strong links to other important EU cyber security laws such as the Cyber Security Act, the NIS2 Directive on network and information systems security, the General Data Protection Regulation (GDPR) and the AI-Act.

In particular, the NIS2 Directive sets cybersecurity requirements for supply chain security measures and incident reporting obligations to increase the resilience of telco services. Though they currently apply to manufacturers supplying ICT solutions to telcos and MNOs specifically in member states of the EU, the standards based on the CRA could become an international point of reference to underpin broader global regulations implemented in other parts of the world.

ZTE has embraced the objectives of the CRA and NIS2 by strengthening the cybersecurity assurance elements within its supply chain. That includes integrating security controls into the entire product life cycle based on the principles of security by design and security by default which deliver controllable processes and standardized engineering operations designed to better protect its products and services from cyber threats. This in turn enables business users and consumers to benefit from improved transparency on the security of the hardware and software products they buy from the company, says ZTE.

Already, it has set up an organizational architecture based on the three lines model, which is issued by the Institute of Internal Auditors. This represents an approach to providing structure around risk management and internal controls within the organization, to drive that cybersecurity governance.

"The advantage of the three lines model is to allow multiple interested parties to manage and oversee cybersecurity risks from different perspectives to meet the overall objective for cybersecurity assurance for their customers," explains ZTE Chief Security Officer, Zhong Hong. "The business units are the first line that implement self-management over the cybersecurity of products; the second line performs internal independent security assessment and supervision of first-line security work; the third line audits the effectiveness of the first- and second-line work."

The model covers every process of security management such as vulnerability management, evaluation of supplied software, hardware and third-party components, production, delivery, operations and maintenance (O&M), and incident response.

"Our labs continue to improve their competence on cyber offense and defense technologies so as to counter the ever-evolving cyber threats, and minimize the potential risks that threaten our telco and MNO customers' networks." adds Zhong Hong.

Verifiably mature

With risk-based internal control audits, ZTE aims to constantly scrutinize the maturity and effectiveness of its cybersecurity assurance system to ensure that the security needs of customers and stakeholders are met. Working with external security certification and assessment bodies, the company verifies its security maturity based on the latest technical standards and security specifications from the International Organization for Standardization (ISO) and standards development organizations such as International Telecommunication Union (ITU) and European Telecommunications Standards Institute (ETSI).

Common technical standards, certification frameworks, and evaluation schemes such as the GSMA's Network Equipment Security Assurance Scheme (NESAS) and relevant parts of the Common Criteria set the benchmarks against which ZTE products are verified. For example, ZTE's 5G products lines passed the NESAS 2.1 audit for development and product lifecycle processes this year.

Meanwhile, ZTE's cybersecurity labs and transparency centers worldwide enable customers, regulators and stakeholders to independently assess and verify the security of its products and services.

"Adhering to the principle of openness and transparency, the labs provide different services that focus on security testing and support. It provides an open collaborative platform between ZTE and institutions, universities, and industry stakeholders interested in capacity building and knowledge transfer." points out Luca Bongiorni, Italy Cybersecurity Lab Director of ZTE.

"This collaboration identifies any risks associated with 4G/5G products and potential security gaps. They generate solutions and results which can be studied and verified to produce a standardization contribution as well as products and architectures which can support sustainable and secure mobile environments."

ZTE has pledged to support customers and regulatory agencies globally in managing cyber risks. At the heart of this goal lie strong commitments to meet the requirements of cybersecurity laws, regulations and industry standards as well as certification schemes; conduct open dialogues to enhance transparency and establish cooperation with customers and regulatory agencies; and sustain cooperation to contribute to cybersecurity standardization.

The overall message rings loud and clear. When it comes to embedding adequate cyber security and regulatory compliance measures into their 5G infrastructure, European telcos and MNOs can be sure ZTE will be there to help.

Sponsored by ZTE.