Sponsored Feature
The widespread and global deployment of 5G telecommunications equipment and systems is already well underway. The GSMA predicts that by 2025, 29% of mobile connections in Europe – including those linking critical infrastructure such as remote power grids – will be via 5G.
But unlike previous generations of 3G/4G LTE infrastructure networks, 5G uses a new network slicing technology that divides a physical network into multiple logical networks to provide communication services. This may theoretically make it more vulnerable to hacking because the initially built-in security mechanisms depend on old 3GPP definitions, although these are continually evolving and being transposed into ETSI standards.
To this end, telcos, mobile network operators (MNOs), and other communications service providers are already leveraging legacy 3G/4G security controls. And they are now complementing them with purpose-built 5G security controls to enhance their network and service security processes, while simultaneously introducing best practices and policies to provide the necessary resiliency.
The ultimate goal for these operators is to implement end-to-end security frameworks across all layers and domains, which will allow them to stay ahead of the technological innovation needed to thwart possible cyberattacks. “Clearly, telecom operators and MNOs need to continuously improve their operational defensive capabilities, including active/line defense, attack mitigation and incident response,” says Giuseppe Bianchi, professor at Università di Roma Tor Vergata. “Indeed, they are already paying critical attention to these issues in order to adequately protect their infrastructure.”
But Bianchi also urges operators to dramatically improve their ability to prevent cyber threats, rather than just defending against them. “Beyond the adoption of secure design methodologies, which concern manufacturers and service developers more than operators, prevention mainly concerns two crucial areas: security assurance and cyber threat intelligence (CTI),” he says. “With regard to security assurance, telecom operators have historically relied on a priori security certification of physical components and devices, for example via common criteria. The “softwarization” of network components – at the heart of 5G service-oriented architecture – requires much more agile means to test security.”
Essential tests and CTIs for prevention
This growing reliance on virtualization and software features has prompted operators to equip their infrastructure with tools to extend security testing beyond the initial development and deployment stages. They now integrate it throughout the lifecycle of network components, including DevSecOps frameworks. In parallel, the 3rd Generation Partnership Project (3GPP) – the main standards body for 5G networks and systems – has initiated work on several Security Assurance Specification (SCAS) test sets.
“Each set of tests addresses a particular network function and challenges some of the expected security and access control properties, such as network slice isolation,” Bianchi explains. “Therefore, telecom operators and MNOs should not only pay close attention to these emerging testing methodologies, which are likely to be included in upcoming security certification schemes for network functions from the European Union Agency for Cybersecurity (ENISA), but also try to integrate them into their DevOps/DevSecOps tools and methodologies.”
According to Bianchi, another priority area for telecom operators is cyber threat intelligence (CTI). Operators must effectively collect and share information and extract insights from multiple public or commissioned information sources to understand the goals, tactics, and techniques of potential attackers. “Understanding in advance what a security team needs to monitor or control, or know who the adversaries are and their attack patterns, makes a huge difference to properly defending against a cyberthreat,” Bianchi suggests. “The ability to exchange and process actionable information that can be directly used to (re)configure security policies and detection mechanisms is equally essential.”
Support for EU compliance acts
Many telecom equipment vendors are working with telecom operators and MNOs to help them meet these challenges. These include ZTE, which has implemented a security governance system based on industry standards and best practices that underpins a top-down, risk-based approach to managing cybersecurity throughout the life cycle of its products.
ZTE’s cybersecurity governance structure and security-focused culture aim to align with cybersecurity-related laws and regulations such as the European Union (EU) Cyber Resilience Act (CRA) introduced in September 2022. The CRA covers a wide range of products with digital elements, including software, and has strong links to other important European cybersecurity laws such as the Cybersecurity Act, the NIS2 directive on the security of networks and information systems, the General Data Protection Regulation (GDPR) and the AI Act.
In particular, the NIS2 directive defines cybersecurity requirements for supply chain security measures and incident notification obligations to increase the resilience of telecommunications services. Although currently applicable to manufacturers supplying ICT solutions to telecom operators and MNOs specifically in EU member states, the CRA-based standards could become an international reference point to underpin more global regulations widely implemented in other parts of the world.
ZTE has adopted the objectives of CRA and NIS2 by strengthening the assurance elements of cybersecurity within its supply chain. This includes integrating security controls across the entire product lifecycle based on security-by-design and security-by-default principles that provide controllable processes and standardized engineering operations designed to better protect its products and services against cyber threats. This, in turn, allows business users and consumers alike to benefit from greater transparency about the security of the hardware and software products they purchase from the company, ZTE says.
Already, it has implemented an organizational architecture based on the three-line model, which is issued by the Institute of Internal Auditors. This represents an approach to providing structure around risk management and internal controls within the organization, to drive this cybersecurity governance.
“The advantage of the three-line model is to allow multiple interested parties to manage and oversee cybersecurity risks from different angles to achieve the overall cybersecurity assurance goal for their customers,” says Zhong Hong, chief security officer of ZTE. “Business units are the first line that implements product cybersecurity self-management; the second line performs internal independent security assessment and oversight of first-line security work; the third line audits the effectiveness of first and second line systems work.”
The model covers all security management processes such as vulnerability management, assessment of supplied third-party software, hardware and components, production, delivery, operations and maintenance (O&M), and response to incidents.
“Our labs continue to improve their skills on cyberattack and defense technologies to counter ever-evolving cyberthreats and minimize potential risks that threaten the networks of our telecom and MNO customers,” adds Zhong Hong.
With risk-based internal control audits, ZTE aims to continuously monitor the maturity and effectiveness of its cybersecurity assurance system to ensure that the security needs of customers and stakeholders are met. Together with external security certification and assessment bodies, the company verifies its security maturity based on the latest technical standards and security specifications from the International Organization for Standardization (ISO) and organizations developing standards such as the International Telecommunication Union (ITU) and the European Telecommunications Standards Institute (ETSI).
Common technical standards, certification frameworks and rating systems such as the GSMA’s Network Equipment Security Assurance Scheme (NESAS) and relevant parts of the Common Criteria define the benchmarks against which ZTE products are verified. For example, ZTE’s 5G product lines passed the NESAS 2.1 audit for product development and lifecycle processes this year.
Meanwhile, ZTE’s cybersecurity labs and transparency centers around the world enable customers, regulators and stakeholders to independently assess and verify the security of its products and services.
“Adhering to the principle of openness and transparency, the labs provide various services that focus on safety testing and support. It provides an open collaboration platform between ZTE and institutions, universities and industry stakeholders interested in capacity building and knowledge transfer,” underlines Luca Bongiorni, director of ZTE’s Italy cybersecurity laboratory.
“This collaboration identifies all risks associated with 4G/5G products and potential security vulnerabilities. They generate solutions and results that can be studied and verified to produce a contribution to standardization as well as products and architectures that can support sustainable and secure mobile environments.”
ZTE is committed to supporting customers and regulators globally in managing cyber risks. At the heart of this goal are strong commitments to meet the requirements of cybersecurity laws, regulations, and industry standards, as well as certification programs; conduct open dialogues to improve transparency and establish cooperation with customers and regulators; and maintain cooperation to contribute to the standardization of cybersecurity.
The overall message rings loud and clear. When it comes to integrating adequate cybersecurity and regulatory compliance measures into their 5G infrastructure, European telecom operators and MNOs can be sure that ZTE will be there to help.
Sponsored by ZTE.