Securing our interconnected world: standardization and vendor product development
- Cyberthreats pose an imminent risk to vital telecom networks, jeopardizing their stability and security.
- Safeguarding against these threats necessitates a comprehensive four-pronged holistic approach that centers on standardization, development, deployment and operations.
- This blog delves into the initial phases of this process: telecom standardization and vendor product development. Examining the intricate relationship between these aspects reveals how their collaboration not only drives innovation but also enhances security measures, ultimately fortifying the foundation of next-generation networks.
As our digital landscape expands so too do the ominous threats looming over our telecommunications networks. To counter the projected $8 trillion USD cybercrime economy in 20231—placing it as the world's third-largest 'economy' after the US and China—we must ensure the confidentiality, integrity, and availability of our digital infrastructure. Meeting this challenge requires a holistic security approach, covering four key processes:
telecommunications standardization, vendor product development, deployment and operations.
A holistic security approach: the four key processes
Telecommunications standardization: This process involves operators, vendors, and other stakeholders setting standards for how networks worldwide will operate and should be protected.
Vendor product development: Network vendors design, develop, and implement agreed standards for functional network elements and systems, playing a crucial role in ensuring the end network product is both functional and secure.
Deployment: During deployment, networks are configured to achieve a targeted security level meeting basic security hygiene, pivotal in establishing security parameters and further fortifying network security and resilience.
Operations: These day-to-day operational processes enable networks to function and meet defined security baselines. Improving the security baseline according to CSP security objectives is iterative operational task. Understanding the interactions and influences between these processes and identifying effective control entities is imperative.
This four-step approach isn't solely aimed at enhancing technology; it's also focused on establishing clear rules and guidelines to ensure the safety and security of telecommunications, from the inception phase through to operation. It's a collaborative effort involving policymakers, regulators, vendors and Communication Service Providers (CSPs)—each playing a crucial role in maintaining smooth and secure operations.
These key entities form the essential roles in the network security ecosystem:
- CSPs: Operating the networks, overseeing network deployments, vendor selection, and integration
- Vendors: Driving product development and influencing its security
- Standards: Crucial for ensuring product interoperability and security
- Regulations: Aiding policymakers in setting global security baselines
Getting a grip on these processes and their collaborative nature is key to making smart choices. After all, security isn't a one-time thing; it's a constant effort involving different players across the board. Below we’ll dive into the first two processes —telecom standardization and the intricate world of vendor product development—to uncover how they form the backbone of super-secure networks.
Standardization serves as the linchpin, uniting key entities toward a common goal: regulatory bodies and policymakers establish the overarching security baseline, vendors lead innovative developments with a focus on security, while CSPs ensure deployment and operations, This collective responsibility relies on robust standardization efforts that bind these roles together, ensuring interoperability and fortified security measures across the interconnected landscape of telecommunications networks.
The rising surge
As telecommunications progress through generations, the demand for standardization has surged. In the 3G era, engagement was limited to a select few players. However, the advent of 5G witnessed a remarkable shift. Diverse participants, including CSPs and vendors and other stakeholders, actively contributed to establishing global standards focused on ensuring network and user security. Regulatory bodies and agencies, such as the European Union Agency for Network and Information Security (ENISA), are increasingly instrumental in setting requirements for ensuring 5G network security.
Standards Developments Organizations (SDO) like 3GPP develop standards for the 5G system that builds upon proven 4G security mechanisms while introducing enhancements. They actively establish security measures, including algorithms, protocols and system architectures, setting crucial guidelines for telecommunications security. Furthermore, 5G standardization efforts (including work done in 3GPP and other SDOs) now include security considerations related to the overall 5G system, encompassing:
- System-wide security (horizontal security)
- Network-level security
- Slicing security
- Application-level security
- Confidentiality and integrity protection
- Interconnect and Service Based Architecture (SBA)
- 5G network function security assurance
- Network Function Virtualization infrastructure (NFVi), whether virtualized or cloud-native
- Appliance-based functions
- Distributed clouds and edge computing
Evolving technologies and standards in 5G
As the realm of 5G continues to rapidly evolve, constant adaptation in standards becomes essential. For instance, virtualization and cloud-native technologies are instrumental in providing flexible support for 5G networks. The standardization of these technologies within mobile networks, particularly for security in dynamic multivendor management environments, holds paramount importance. Entities such as ETSI ISG NFV and 3GPP focus on standardizing security aspects of virtualization, and O-RAN Alliance addresses risks in cloud-native Open RAN deployments. These combined efforts aim to address various security aspects of mobile networks by balancing standardized and non-standardized elements, fostering an environment conducive to innovation.
While NESAS, a framework developed jointly by 3GPP and GSMA, defines security testing of network nodes. Additionally, regulatory bodies and agencies like ENISA, along with initiatives such as the EU toolbox, establish further security requirements. Similar governmental initiatives in India and the UK aim to enhance product and network security, contributing to global standards like NESAS and emphasizing the pivotal role of mobile networks in societal security.
The vendors' role in network security optimization
While Standards Development Organizations (SDOs) define initial system design levels, forming the basis for product development, it's crucial to recognize their role as frameworks rather than a single security standard for mobile networks – there is no one single security standard for mobile networks. The blog Security standards and their role in 5G and 6G digs deeper into this topic. Vendors hold the responsibility of translating these standards into functional and secure network elements. Ultimately, standardization establishes the foundation for essential security features, providing vendors with a level of flexibility akin to the autonomy CSPs have in deployment and operation.
The growing complexity of mobile networks, coupled with the entry of diverse players, demands this delicate equilibrium of simplicity and flexibility. Within standardization discussions, which often encompass diverse interests, maintaining focus on the primary objective becomes paramount: crafting solutions that are both robust and adaptable.
Using telecom standards as a base, the critical role of vendors is to craft and fortify network products to ensure functionality and robust security. Achieving comprehensive security requires seamless collaboration between CSPs and vendors across the standardization-development-to-deployment spectrum.
Vendors demonstrate adaptability by implementing shared technologies in various ways, resulting in distinct features, qualities and security strategies. Evolving threats, regulatory demands and market competition encourage vendors to consistently improve product-level security measures. For instance, to stay ahead, Vendor A might invest in advanced encryption methods while Vendor B might prioritize frequent security updates. These drivers ensure that each vendor continually refines their products' security, contributing to a safer and more resilient network environment.
Mitigating risks: a risk-based approach and risk management
In this landscape product security assurance and supply chain security play crucial roles.
- Product security assurance encompasses various vendor software development processes, ensuring the product's intended functionality and security. It involves thorough vulnerability assessments, penetration testing, risk evaluations, and privacy impact analyses. Each code fragment undergoes meticulous scrutiny to guarantee comprehensive security.
- Supply chain security is vital in the vendor’s overall security strategy. Enforcing stringent security standards among component suppliers and third-party software providers is critical. This approach helps combat vulnerabilities originating from commonly used software components in live networks.
Models like the Security Reliability Model (SRM) serve as examples of best practices, encompassing operational procedures and contributions to standard development.
The SRM method assesses new features or product releases through risk and privacy impact evaluations, as shown below. It examines assets, such as interfaces and data, gauges their importance, identifies threats, and implements measures to minimize risks within customer networks. These measures might include functional requirements, assurance activities, or a mix of both, aiming to proactively manage and reduce potential risks.
Looking at it from a big picture perspective, ensuring product security goes beyond building a robust product initially. It necessitates the capability to react swiftly to unforeseen vulnerabilities discovered later, akin to adapting a car designed for smooth roads to traverse rugged terrains. Stakeholders across the whole supply chain share responsibilities, each playing a part in ensuring secure and reliable products. Understanding the intricate interactions among different processes and identifying entities in effective control is crucial. For example, a chief architect takes the lead across product areas to ensure integrated security and privacy measures throughout the portfolio. While a network of security masters and champions—experts specializing in security and privacy—excel in product development, architectural design, customer service, and network integration, donning the security and privacy hats as they fulfill their roles.
Building a robust security network: Uniting stakeholders for advanced defense
The strength of a security chain lies in its weakest link. Achieving robust security in network products demands a comprehensive approach—prioritizing compatibility, interoperability and stringent security measures. Collaboration among diverse stakeholders, from major vendors to niche operators, is pivotal to minimize redundancies and ensure a secure landscape for evolving technologies. Only through a unified effort can the network security landscape continue to evolve while mitigating potential vulnerabilities and risks.
The next blog will delve deeper into the role of the deployment and operations process and its implications in telecom network security – don’t miss out!
- 5G security blog series: Deciphering the evolving threat landscape: security in a 5G world
- Our 5G security blog series
- Securing 5G networks in our Ericsson Mobility Report article.
- Telecom security for a connected world.
- Security standards and their role in 5G and 6G
- Mikko Karikytö, Ericsson Chief Product Security Officer, talks security and privacy in resilient 5G systems.
- Securing the 5G network, a Mobile World Live panel discussion
1 Cybercrime Magazine ’Cybercrime to cost the world 8 trillion annually in 2023’ and Statista. ’Cost of Cybercrime worldwide’.
Like what you’re reading? Please sign up for email updates on your favorite topics.Subscribe now
At the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.