The quest for secure telco networks
How ZTE’s cybersecurity assurance is designed to address regulatory complexities and minimize risks
Sponsored Feature
One of the concerns for telcos and mobile network operators (MNOs) in the era of fifth generation (5G) networks and the Internet of Things (IoT) is the potential security risks presented by rapidly evolving communication technologies. And in many cases, their attention has been focused on poor cybersecurity inherent to many telecoms-orientated products, software and services and the lack of transparency about their actual capabilities.
The problem is likely to get worse in the future as the number of internet-connected radio equipment (RE) devices continues to grow in parallel with further IoT expansion. So it's little surprise that so many different organizations - including regulators, standards bodies, certification institutions, industrial associations and telcos/MNOs themselves - are actively contributing to new measures designed to guarantee the security of telecoms networks and protect critical infrastructure against growing cyberthreats.
In 2020, the European Union (EU) presented a new "Cybersecurity Strategy for the Digital Decade" which specified areas for cybersecurity enhancements. These include protecting EU citizens' basic rights and digital security, building an EU cybersecurity crisis management framework, and establishing a security operations center covering the entire EU that monitors and warns against cyberattacks.
Since then, increasing cybersecurity risks have galvanized the EU to introduce or update several different pieces of cybersecurity legislation, including the Network and Information Security (NIS) 2 Directive, the Critical Entities Resilience (CER) Directive, the Cyber Resilience Act (CRA), and the Radio Equipment Directive (RED). And to give its telco customers the reassurances they need, equipment supplier ZTE has made significant efforts to support compliance with those regulations in its portfolio.
"ZTE takes cybersecurity and compliance as the premise for its market business operation," said Mr. Zhong Hong, Chief Security Officer of ZTE. "Relevant regulatory requirements are integrated into our regular cybersecurity assurance plans and actions for our entire product lifecycle. We identify the gaps, make continuous improvements, and keep close communication with customers to ensure conformance and compliance of our products, processes and services."
Stronger security and governance
The stricter regulation has challenged telcos and MNOs to make sure they can build secure infrastructure and reliable services. The CRA, for instance, classifies products based on cybersecurity risk categories and specifies requirements for risk-based product design, development processes and vulnerability handling.
Industry standards, regulatory requirements and best practices shape ZTE's cybersecurity strategy, security design and internal security assessments. The company applies "secure by design" principles in product development and improves the security level of telecoms equipment through design, implementation, and verification.
As an active industry contributor to standards development and cybersecurity enhancement, ZTE has adopted the GSMA Network Equipment Security Assurance Scheme (NESAS), Building Security In Maturity Model (BSIMM), NIST Cybersecurity Framework and ISO security risk management guidelines. It also aligns with best practices in its product R&D and service delivery so that ZTE products are secure by default. "Nowadays, secure and safe connectivity remains a vital lifeline for every aspect of social life and day-to-day operations of almost all industries," noted Mr. Zhong.
In line with CRA's vulnerability handling requirements, ZTE's risk-based cybersecurity governance entails full lifecycle management of purchased third-party components to achieve rapid closed-loop fixing and security updates.
Monitoring and reviewing the security of products and services - as well as the supply chain from the perspectives of people, process and technology - is perceived as critical. ZTE's cybersecurity assurance shoulders the strict security management and controls of sub-suppliers, materials and manufacturing, says the company. Security control points are set up to mitigate business risks in areas such as R&D, engineering services and supply chain where cybersecurity requirements are built into process evaluation models.
"Online management systems and data dashboards are used to assist in the process evaluation and special inspection of high risk business so as to measure the effect during implementation of the strategy and to track rectifications and improvements," explained Mr. Zhong.
"In security design, we formulated a cybersecurity technical requirement system and operating procedures based on industry standards. We have also built a security technology stack containing an online security requirements library of up-to-date technical standards, such as web security, protocol security, and server operating system security."
ZTE's internal evaluation teams, independent from R&D and delivery, supervise the implementation of regulatory requirements across both products and business units. The teams use leading industry tools to perform comprehensive security assessments that adhere to regulatory requirements and authoritative industry standards.
Assessments include source code review, vulnerability scanning, and fuzz and penetration testing to study and improve the security features embedded in products. Further evaluations keep product and business units alert and responsive to any need for improved capabilities. Even as ZTE continues to adopt strict security standards based on product classification and risk assessment, the company also actively encourages external evaluation and certification for verification.
Transparency and trust
To boost transparency, trust and confidence, ZTE's cybersecurity assurance initiatives are designed to help operators and businesses make informed choices about cyber-secure products and services and receive extended protection throughout the supply chain or the entire product/service lifecycle.
"ZTE maintains an attitude of openness and transparency, complies with the laws and regulations where business happens, and adopts and develops security best practices in the industry," Mr. Zhong asserted. "On the one hand, we actively obtain security certifications to provide customers with authoritative and credible third-party references and guarantees. On the other, we continuously improve security technology in product design and check the security status of our products."
And the company has not only contributed to the development of security standards but also guided successful implementations. Customers' feedback on their security needs is incorporated into strategies to constantly improve security design. Independent third-party security assessments and certifications augment these efforts to assure customers that products and services are secure and trustworthy.
In January 2023, ZTE became the first 5G equipment vendor with a 5G New Radio (NR) product certified by the German Federal Office for Information Security (BSI) under the NESAS Cybersecurity Certification Scheme - German Implementation (NESAS CCS-GI) for 5G networks. Beyond complying with process requirements and security specifications, ZTE's practical experience also contributed to advancing the certification.
"In addition, ZTE's 5G RAN solution has been certified with the level of CC EAL 3+, which is the highest level achieved by a whole-set system in the telecommunications field," Mr. Zhong says. "We also passed the GSMA NESAS 2.1 Process Assessment for Communication Equipment Suppliers. Our 5G NR gNodeB and 5GC network equipment passed the NESAS product security assessment (3GPP SCAS), achieving the best coverage among tested 5G products. Our 5GC and RAN products, as well as 5G Flexhaul products completed BSIMM evaluation with a leading performance in the industry."
Securing critical infrastructure
To bolster physical protection and cybersecurity in critical infrastructure networks, ZTE is working to help operators identify, detect, prevent and respond to security incidents. "Our security solutions defend against threats across different scenarios," Mr. Zhong pointed out. "We design and develop secure products to enhance the network's ability to resist attacks and improve security operations and maintenance."
These include a security solution that combats common 5G air interface security threats like DDoS and false base station attacks, for example. "We are planning to implement and test the security of air interface encryption in some pilot projects," Mr. Zhong disclosed.
To embed security into its software and hardware, ZTE focuses on Secure Boot, Root of Trust, Restricted Debug Port, Trusted Execution Environment as well as firmware security-related standards and technologies.
Artificial intelligence (AI) and advanced analytical solutions are used in the research and development of host intrusion detection, malware detection, security configuration compliance inspection, and correlation analysis threat detection, for example.
There's no doubt that secure telecommunications networks are essential to the success of the entire global economy as well as telcos and MNOs. But those networks must be built on stable, trustworthy hardware to give the world the strong defenses against cybersecurity threats that it needs.
Sponsored by ZTE.