Security by Design for Telecommunications Networks

David Rogers writes about future telecoms network security.

The UK5G Innovation Network recently published an article on the topic of Security by Design which I wrote a little while back, covering both IoT and managing risk in future networks. You can only fit so much into a couple of pages, so here’s a little bit more that I wrote on future telecommunications networks and the challenges of supply chain security.

An area that can’t have escaped anyone’s notice is the debate over what are now known as ‘High Risk Vendors’ in telecommunications networks. This mostly distils into a question over whether products and services are designed with security in mind. Risk can never be truly eliminated, but it can be reduced and managed. Equally, trust is something that needs to be gained and relied upon and is not simply about technology. Between businesses and governments, trust is about keeping promises and whether statements or actions are truthful and verifiable. Future networks in telecommunications rely on both secure technology and trust.

Food security could be significantly disrupted by attacks on connected agriculture

In general, it is often difficult to justify security measures to businesses as there is no obvious return on investment. Some companies have taken the attitude that they can weather any storm from a cyber attack because there is no real financial downside. This is beginning to change. Large businesses have been affected by ransomware attacks that have crippled their operations, in some cases putting them out of business, and governments are finally beginning to acknowledge cyber-crime and take it seriously.

Increasing Resilience

As telecommunications networks have developed, we’ve slipped into a world where our reliance on them is such that we can’t afford for them to be disrupted.

The 5G vision is a collection of technologies, including different types of IoT radio and device types across multiple different sectors or ‘verticals’. This opens up a new set of issues around the ‘cyber-physical’ space – that is, attacks no longer remain purely virtual. A cyber attack could potentially interact with a real-world object or system, causing catastrophic consequences. In farming, this could mean the loss of irrigation, causing food security issues. In heavy industry, this could mean the complete destruction of a blast furnace, and in the automotive sector it could mean that cars could be stopped in the middle of the road, essentially halting the economy instantly.

Disruption to connected vehicles could cripple economies

Hostile nation states are already seeking to take advantage of the fact that the weakest links can be the most effective points of attack. Taking over a consumer or small business router can allow the attacker to create a bridgehead inside the UK, opening up all sorts of possibilities, including distribution of disinformation or ‘fake news’.

In addition, networks are shifting from a world where individual hardware boxes make up a network to one in which those functions are ‘virtualised’, with all the functions now built into software. This means greater speed and reliability on the one hand, but also means that you’re really putting your eggs in one basket on the other.

Increasingly, there has been a drive to reduce costs and this has meant that in some cases security is at the end of a long list of requirements. This is where government has a role – to level the playing field such that everyone must provide an acceptable bar of security for entry into the market in the first place, thus affording every citizen in a country a certain guarantee of protection from the disruption of a security compromise of a telecoms network or equipment vendor.

The supply chain that we’ve slipped into also means that companies are increasingly relying on open source software – that is, software that is developed by a community of individuals openly and collaboratively and released for anyone to use under a licence. The challenge that has been faced for years is that companies are very happy to ‘take’ software for free, but rarely contribute back. This is a particular issue for security. While open source is openly visible for peer-review, attackers aren’t going to submit a fix for security flaws they find! This, combined with many companies not keeping up to date with the open source libraries in their products and services, can be a real issue for security.

Addressing the Challenges of Supply Chain Security

These risks mean that extra attention has to be paid to the fundamentals of how networks are built from the ground up and how to make them more resilient. From a security design perspective, that means building defence-in-depth, mobile network operators not relying on single vendors in order to spread the risk more evenly, and validating that what is being built doesn’t contain known security vulnerabilities and flaws. It isn’t possible to create a flawless system and it isn’t possible to design software and hardware without the possibility of security vulnerabilities. Acknowledging this fact, however, means that companies need to stay on top of security research and have systems and processes in place to quickly deal with security vulnerabilities and exploitation as they arise. While the country-of-origin of a product or service is clearly a security consideration for both companies and governments, if the product or service can be thoroughly validated and meets a good level of product security together with other cyber security measures, its origin matters much less. The overriding concern is that if a product or service supplied from anywhere in the world is fundamentally insecure, any country could theoretically attack it successfully; it doesn’t matter where the product originally came from.

There are many factors in the telecommunications supply chain to consider, including hardware security, cryptographic key management, logistics, testing, auditing and working on security vulnerability management. From an industry perspective, for network operators, many of these are areas that have been opaque for some time, with vendors supplying products which have had little-to-no security and basic issues like default passwords. For vendors, operators have not been willing to pay more for security and have squeezed vendors for lower-priced products. Vendors are not really questioned when products are delivered with basic security flaws. For the entire world, there is a shortage of engineers who understand security, and a failure by governments and the education system to understand that security must be a core component of modern engineering degrees and training. While some action has been taken, it cannot currently meet the demand that exists now and will exist in the future. Companies therefore need to step up and ensure that, as part of their efforts to increase security, they invest in their own existing staff to train them on product and cyber security.