
Securing our interconnected world: Enhancing deployment and operational resilience

  • While vendors establish the foundation with secure products based on international standards, it is the responsibility of the Communication Service Providers (CSPs) to deploy, operate and continuously improve their security posture.
  • This blog discusses how CSPs can maintain control over their risks efficiently and effectively by ensuring full visibility and control over security, using a Zero Trust Architecture approach backed by systematic processes and automation.

Strategic Product Manager
Safeguarding networks requires a holistic security approach that encompasses four critical phases: standardization, product development, deployment, and operations.

Building trustworthy mobile networks

The previous blog, Securing our interconnected world: standardization and vendor product development, discussed the initial phases of our holistic security approach: standardization and security assurance during product development. In this blog, we begin with the demand and drivers for investing in telecom security. We then look at how default product security capabilities can be enabled systematically and efficiently at deployment, giving a well-defined starting state for the contextual security design that must be layered on top of the default security to enforce Zero Trust micro-perimeter security across the network. Finally, we turn to the operations phase, discuss the importance of continuous protection and threat detection, and emphasize a risk evaluation-based approach to constantly improve the security posture. All layers of trustworthy mobile network security are glued together by a solution-specific defendable architecture.

Demand and drivers for telecom cybersecurity improvements

Security is on every CSP’s agenda but what are the key factors that drive improvements and investments in this area?

Firstly, the number of cyber-attacks targeting specifically mobile networks and their subscribers is growing. The severity of individual attacks is also increasing, and we have recently seen several incidents with severe or even disastrous impact. One example is the network-wide outage of the Kyivstar network in Ukraine in December 2023, caused by a cyberattack that Ukrainian authorities attributed to a Russian state actor.

Secondly, industry guidance and best practice, coupled with stricter regulatory requirements and directives for telecom cybersecurity, are emerging in many markets. Failure to meet the requirements can result in huge fines for the CSP and can hold C-level executives personally accountable for non-compliance, especially if appropriate safeguards were not in place when a breach occurred. CSPs should not see increasing regulation as a burden but as a way to help them build a secure network. Examples of key industry guidance and regulation for mobile networks are the ATIS white paper “Zero Trust Architecture for 5G” in the U.S., an excellent blueprint for holistic security in 5G networks, and the Network and Information Systems 2 (NIS2) directive in the European Union.

Thirdly, awareness is increasing that generic IT cybersecurity tools do not provide sufficient protection and detection capabilities for mobile networks and their services. Center for Internet Security (CIS) benchmark scanners, Security Information and Event Management (SIEM) platforms and Endpoint Detection & Response (EDR) tools are applicable to IT infrastructure security, but they do not address telecom applications and do not understand 3GPP-specific security features.

Lastly, CSPs expect that security automation and orchestration tools support multi-vendor networks for operational efficiency. Very few CSPs are running single vendor networks.

In the end, the balance between understanding, evaluating, and managing risks related to mobile networks and budgeting for related cybersecurity solutions and processes determines to a large extent how the cybersecurity of mobile services evolves. Fear of loss is a big driver.

The deployment phase – the art of making it right from the start

Today most CSPs lack a systematic, automated process for setting up security correctly in their software deployment pipelines. As a result, we have seen critical configuration weaknesses exposed in the production networks of many CSPs. Examples are failures to remove default admin accounts, or the use of weak or no encryption within mobile services. There is also a common misconception that vendors’ product security assurance will automatically result in secure networks. This is not true for modern, containerized telecom applications (CNFs), and even less true for legacy purpose-built or virtualized telecom applications (PNFs/VNFs), which are still very widely used in mobile networks globally.

Vendor security assurance yields the default security settings to be used at deployment, typically captured in hardening guidelines or security guides. On top of the default security, it is the CSP’s choice how the security functions and capabilities of the different products are configured in their network. These choices involve decisions about the acceptable level of risk versus investment in higher security maturity. What is required is a systematic approach that lets CSPs raise their security maturity by enforcing micro-perimeter security across the network, including comprehensive security monitoring in the telecom context.

A high-level maturity model, following Zero Trust Architecture and NIS2, can be defined as follows, with each step building on the previous one:

  1. Secure by default: A highly automated deployment process for products, with default security profiles defined by vendor guidelines and produced as an outcome of vendor security assurance processes. A network in this state provides basic security hygiene but does not address risks that are specific to the CSP yet still unacceptable. Secure-by-default profiles also typically result in inconsistent and incompatible security settings across different vendors’ products.
  2. Contextualized security design: A stronger security posture than the “secure by default” state. Here the CSP’s specific security features and objectives (such as use of encryption, enablement of context-specific threat detection and response capabilities, and unified password policies across the network) have been enabled. The objective is a contextualized, acceptable cybersecurity risk level and a well-defined security posture based on the CSP’s security objectives, regulations, and relevant industry guidelines.
  3. Repeatable process and continuous improvement: This step introduces a repeatable security posture improvement process aiming for common and consistent security configuration and monitoring across domains, with Zero Trust micro-perimeter security set up according to the CSP’s risk appetite and security objectives. It provides actionable outcomes and is an enabler for the continuous protection, detection, response, risk evaluation and improvement discussed further in the operations section.

Standards and product security assurance are enablers for, but do not guarantee secure network deployment. A systematic, automatable process is needed to ensure that security is configured at deployment in accordance with the CSP’s risk appetite and security objectives. Secure by default is the right term to use in the automation era for the initial, well defined security profile of a given product. Hardening (or sometimes loosening) should be seen as a subprocess to achieve the desired security posture.


Operations phase – the art of continuous protection and detection

A systematic, repeatable deployment process lays a strong foundation for staying in control of security and reducing cybersecurity risks during the full lifetime of the mobile network.

We have seen that for most CSPs, the security operations, overall security governance and generic security tools are inherited from IT. These generic security tools, such as CIS benchmark scanners, SIEM platforms and EDR tools, do not provide sufficient protection or detection capabilities for the 3GPP network functions that implement the mobile services.

To operate secure and resilient mobile networks with manageable risk, continuous protection and detection must be enabled for each network asset, from hardware servers and cloud infrastructure to the 3GPP network functions. Moreover, when security policy violations, threats or anomalies are detected from configuration data, logs or sensors, a relevant incident response process must be initiated. The outcomes from cybersecurity platforms must be actionable in the mobile network context and adhere to the related processes.
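As an added example of the log-based detection step described above (this is illustrative code, not from the page and not part of any Ericsson product), the script below runs two detection rules over constructed network-function log lines: a credential brute force that ends in a successful login, and a security configuration change that weakens the posture (for example switching NAS ciphering to the NEA0 null cipher). The log format, host names, field names and configuration keys are all assumptions made for the example.

```python
"""Detection logic over constructed network-function security logs (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format; not any vendor's real schema.
SAMPLE_LOGS = """\
2024-05-01T02:14:01Z amf-01 auth: user=admin src=10.0.5.23 result=FAIL
2024-05-01T02:14:06Z amf-01 auth: user=admin src=10.0.5.23 result=FAIL
2024-05-01T02:14:11Z amf-01 auth: user=admin src=10.0.5.23 result=FAIL
2024-05-01T02:14:16Z amf-01 auth: user=admin src=10.0.5.23 result=FAIL
2024-05-01T02:14:21Z amf-01 auth: user=admin src=10.0.5.23 result=FAIL
2024-05-01T02:14:26Z amf-01 auth: user=admin src=10.0.5.23 result=FAIL
2024-05-01T02:14:55Z amf-01 auth: user=admin src=10.0.5.23 result=OK
2024-05-01T02:15:10Z amf-01 config: user=admin key=nas.ciphering_algorithms old=NEA2,NEA1 new=NEA0
2024-05-01T09:00:00Z smf-02 auth: user=ops src=10.0.9.4 result=OK
2024-05-01T09:05:00Z smf-02 config: user=ops key=mgmt.tls_min_version old=1.2 new=1.3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|config): (?P<rest>.*)$")
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # failures counted within this window before a success
BRUTE_FORCE_THRESHOLD = 5                    # number of failures that makes a success suspicious


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def parse_logs(text: str) -> list:
    """Parse the constructed log format into Events, sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable lines are skipped rather than trusted
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["host"], m["kind"], fields))
    return sorted(events, key=lambda e: e.ts)


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


# Per-key test for whether a configuration change weakens security (assumed key names).
WEAKENS = {
    "nas.ciphering_algorithms": lambda old, new: "NEA0" in new.split(","),
    "mgmt.tls_min_version": lambda old, new: _version(new) < _version(old),
}


def detect(text: str) -> list:
    """Run both detection rules over the log text and return the alerts in time order."""
    alerts = []
    recent_failures = {}  # (host, user, src) -> timestamps of recent FAIL events
    for ev in parse_logs(text):
        if ev.kind == "auth":
            ident = (ev.host, ev.fields.get("user", "?"), ev.fields.get("src", "?"))
            fails = recent_failures.setdefault(ident, [])
            if ev.fields.get("result") == "FAIL":
                fails.append(ev.ts)
                continue
            # A success: count the failures inside the window, then reset the counter.
            in_window = [t for t in fails if ev.ts - t <= BRUTE_FORCE_WINDOW]
            if len(in_window) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(Alert("brute_force_success", ev.host, ident[1],
                                    f"{len(in_window)} failures from {ident[2]} then success"))
            fails.clear()
        elif ev.kind == "config":
            key = ev.fields.get("key", "")
            weaker = WEAKENS.get(key)
            old, new = ev.fields.get("old", ""), ev.fields.get("new", "")
            if weaker and weaker(old, new):
                alerts.append(Alert("security_downgrade", ev.host, ev.fields.get("user", "?"),
                                    f"{key}: {old} -> {new}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The hardening change on smf-02 (TLS 1.2 to 1.3) produces no alert, which is the point of encoding direction into each rule: only changes that lower the posture should reach the incident response process.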

One way to further automate and strengthen continuous protection is to enable security policy enforcement, for example by automatically restoring security configuration settings to their expected values when violations occur. This requires a change of mindset in the CSP’s change management process.
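As an added example (illustrative code, not from the page and not Ericsson Security Manager), the script below shows the layering described in the maturity model of the deployment section together with the policy enforcement idea above: a vendor secure-by-default profile, a CSP contextual overlay merged on top of it, an audit of a running configuration against the merged desired state, and an enforcement step that restores violating settings. The configuration key names, the sample running configuration and the severity mapping are constructed for illustration and do not correspond to any real product’s schema.

```python
"""Layered security profile audit and enforcement (added example)."""
from dataclasses import dataclass
from typing import Any, Callable

# Step 1, secure by default: settings the vendor hardening guide prescribes (assumed key names).
VENDOR_DEFAULT_PROFILE = {
    "accounts.default_admin_enabled": False,
    "mgmt.tls_min_version": "1.2",
    "password.min_length": 8,
}

# Step 2, contextualized design: the CSP's stricter objectives override or extend the defaults.
CSP_CONTEXTUAL_PROFILE = {
    "password.min_length": 14,
    "nas.ciphering_algorithms": ["NEA2", "NEA1"],   # 3GPP ciphering is optional; NEA0 must not be used
    "mgmt.tls_min_version": "1.3",
    "audit.log_forwarding_enabled": True,
}

# Constructed running configuration with typical deployment mistakes.
RUNNING_CONFIG_SAMPLE = {
    "accounts.default_admin_enabled": True,   # default admin account never removed
    "mgmt.tls_min_version": "1.0",            # weak transport security on management plane
    "password.min_length": 8,                 # vendor default, below CSP policy
    "nas.ciphering_algorithms": ["NEA0"],     # null cipher only: no NAS confidentiality
    # audit.log_forwarding_enabled is missing entirely
}


@dataclass(frozen=True)
class Violation:
    key: str
    expected: Any
    actual: Any
    severity: str


def _version(v: Any) -> tuple:
    return tuple(int(p) for p in str(v).split("."))


def _ciphering_ok(running: Any, desired: Any) -> bool:
    # Non-empty, only algorithms the CSP allows, and never the null cipher.
    return bool(running) and set(running) <= set(desired) and "NEA0" not in running


# How a running value is judged against the desired value; keys without a rule must match exactly.
RULES: dict = {
    "mgmt.tls_min_version": lambda run, want: _version(run) >= _version(want),
    "password.min_length": lambda run, want: int(run) >= int(want),
    "nas.ciphering_algorithms": _ciphering_ok,
}

# Assumed severity by configuration area, used to prioritise response.
SEVERITY = {"accounts": "critical", "nas": "critical", "mgmt": "high"}


def _severity(key: str) -> str:
    return SEVERITY.get(key.split(".")[0], "medium")


def build_desired_state(vendor_default: dict, csp_overlay: dict) -> dict:
    """Merge the CSP overlay on top of the vendor defaults; the overlay wins on conflicts."""
    desired = dict(vendor_default)
    desired.update(csp_overlay)
    return desired


def audit(running: dict, desired: dict) -> list:
    """Return one Violation per desired setting that is missing or fails its rule."""
    violations = []
    for key, want in desired.items():
        if key not in running:
            violations.append(Violation(key, want, None, _severity(key)))
            continue
        check: Callable[[Any, Any], bool] = RULES.get(key, lambda run, want: run == want)
        if not check(running[key], want):
            violations.append(Violation(key, want, running[key], _severity(key)))
    return violations


def enforce(running: dict, desired: dict) -> tuple:
    """Step 3, repeatable process: restore every violating setting and record what was changed."""
    restored = dict(running)
    actions = []
    for v in audit(running, desired):
        restored[v.key] = v.expected
        actions.append(f"restore {v.key}: {v.actual!r} -> {v.expected!r} [{v.severity}]")
    return restored, actions


if __name__ == "__main__":
    desired_state = build_desired_state(VENDOR_DEFAULT_PROFILE, CSP_CONTEXTUAL_PROFILE)
    for action in enforce(RUNNING_CONFIG_SAMPLE, desired_state)[1]:
        print(action)
```

The comparators matter more than the dictionaries: a setting such as the minimum TLS version or password length is a lower bound, not an exact value, so a stricter running configuration must not be flagged as drift and then "restored" to something weaker. In a real pipeline the enforcement step would write back through the product's configuration interface and raise a change record, which is the change management adjustment the paragraph above refers to.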

Considering the complexity and dynamicity of mobile networks, the active threat landscape and the increasing pace of upgrades and patches, security automation is the only sustainable way to achieve continuous protection and threat detection and to manage cybersecurity risk. This will require a change in the way many CSPs have set up their security governance and operational security processes today. As the threat landscape evolves, new risks will emerge, and security must follow. The objective is to constantly evaluate the effectiveness of the defense measures and increase the security maturity of the CSP to reduce cyber risks.

Thinking about risks

Defining and improving the operative security baseline is the operator’s responsibility, and it entails clear security governance and an understanding and management of the chosen security measures. For example, threat actors compromising basebands from the transport network may not be a frequent event, but that does not make it a low-risk one. Would you leave the doors and windows of your house unlocked and the burglar alarm deactivated just because there are no known burglars in your area today? Risk is a combination of likelihood and impact. Likelihood factors in the threat landscape, threat actor capability and motivation, security posture and defenses, and all other relevant factors, not just frequency. Impact is likewise not just the immediate monetary loss but includes the wider long-term consequences for the business, the company, personnel, subscribers and society in general. By the way, do you know whether your windows and doors are actually locked, whether your burglar alarm covers the whole house, and whether it has been validated to work when burglars enter and move around inside? This comparison highlights the importance of tailoring security measures to an individual risk evaluation. While standards and development processes establish crucial safety mechanisms, like locks on the doors, deployment and operations involve embracing and managing the appetite for risk.

Hold on to that thought and put it in cybersecurity context. Potential risks include:

  1. Mobile service degradation and disruption: Cyber-attacks affecting network performance and availability, potentially with almost unbearable impact such as bringing down whole mobile networks for several days, impacting critical services, emergency calls and generating significant revenue loss.
  2. Subscriber privacy, fraud and surveillance: Breaches leading to exfiltration of network data or active/passive false base stations extracting subscriber data, open the possibility for fraud and extortion, espionage and surveillance and can provide necessary information for other attacks.
  3. Business impact with personal C-level accountability: Companies affected by security breaches often experience a loss of customers and market share, long-term impact on brand value and share price, demands for compensation from customers and fines from regulatory bodies; for executives this can extend to job suspension and personal fines.

CSP business units and leaders need to take the driver’s seat in mobile network cyber risk management, determining the security posture they need and budgeting for the investment needed to achieve it. Consider the case where a CSP aims to build the most secure network in the world and the CEO (or more likely the CFO) asks about the cost. If the cost were estimated at 500 million euros annually, the CFO is unlikely to agree, which highlights the need to balance risks and mitigating investments thoughtfully. Hence, when establishing cyber defense for mobile networks, it is the CSP’s responsibility to decide the target level of cybersecurity posture and match the corresponding investment. The chosen security posture in the mobile network design dictates which security features to activate, including how extensively security-related infrastructure and features are deployed. For example, increasing encryption in the network increases costs, both capital expenditure (Capex) and operational expenditure (Opex), and potentially also reduces data throughput.

In the dynamic telecom threat landscape, regulations adapt and increase as threats evolve. Fraud, ransomware, and espionage—among other threats—demand distinct defense strategies. Espionage, with its direct impact on national security, requires a focused approach.



The expanding and growing threat landscape

CSPs face threats from various actors —Advanced Persistent Threats (APTs), nation states, cybercriminals, hacktivists, and insiders—each with unique motivations targeting sensitive information, financial gain, disruption, or espionage. These threats exploit telecom vulnerabilities, utilize sophisticated malware and employ advanced techniques across evolving weak points including identity-based attacks, false base stations, supply chain infiltrations, and social engineering. Vigilance and robust security measures across interfaces are crucial in combating these evolving threats. Learn more about the threat landscape in the first blog in this series, Deciphering the evolving threat landscape: security in a 5G world.

Security automation is essential

Considering the complexity and dynamicity of mobile networks, the active threat landscape and the increasing pace for upgrades and patches, the only advisable approach to stay in control of risks coming from both external and insider threats is to adopt automated zero trust security across the whole mobile network, with continuous protection and detection on micro-perimeter level. For many CSPs this will be a transformation journey to uplift their security governance and operational security processes to support automation. The objective is to constantly evaluate the effectiveness of the security countermeasures and increase the security maturity of the CSP with more security automation to reduce risks further. Finally, as the threat landscape is evolving, new risks will emerge, and security countermeasures must follow.

Ericsson Security Manager

Ericsson Security Manager (ESM) is the first offering in the market that provides continuous protection and detection on micro-perimeter level for every layer of a multi-vendor mobile network, from infrastructure to telecom applications, with a zero-trust approach. ESM is purpose-built for mobile network defense, considering the relevant people, process and technology aspects, and bridges the gap between IT security and telecom security. ESM helps customers elevate their security processes and security team competencies in mobile network defense to reach the full potential of security automation. It provides an efficient, effective and context-specific tool for CSPs to stay in control of the cyber risks to their mobile networks and subscribers.


ESM features include:

  • Continuous protection and security configuration auditing for multi-vendor mobile networks with a zero-trust approach
  • Contextualized asset inventory and data collection pipeline for effective threat and risk identification and evaluation
  • Actionable detection engineering embedded in log and sensor-based security analytics for cloud-native telecom functions
  • Detection and localization of false base stations threatening network performance, subscriber privacy, and exploitation for fraud
  • Telco grade Public Key Infrastructure (PKI) solution for X.509 certificate provisioning
  • Automated online enrollment and life-cycle management for trusted and end-entity certificates


A collective pursuit of security excellence

The realm of telecommunications security is not a solitary endeavor - it's a collective pursuit ingrained in every aspect of mobile network defendable architecture. While standards lay the groundwork for improved mobile network security, true resilience and risk management emerges from a comprehensive proactive approach encompassing people, processes and technology. Like a symphony, the role of every entity is vital, orchestrating a continuously improving defense against the evolving threats that target mobile networks. Extensive security automation technology is not effective if the related processes and involved people are not efficiently making use of its capabilities. Achieving comprehensive defenses is an ongoing journey, continuously striving for the next level in security excellence.

Summary and looking ahead

Security has been a paramount concern in the industry, but we are witnessing a paradigm shift in how CSPs address this evolving challenge. There is a growing recognition that breaches within and around mobile networks are not a matter of if, but when, prompting a new mindset characterized by four emerging actions for successful defense.

The first action focuses on clarifying where the responsibilities lie. Vendors are developing product security capabilities based on the threat landscape, known incidents and continuously evolving 3GPP standards. It is important to understand that most 3GPP security features are optional. Consequently, the activation of these features is not part of the vendor default security guidelines. It is the CSP’s responsibility to ensure that the essential but optional security capabilities are enabled in the security posture at deployment, that the security features stay operational across the network during runtime operations, and that the security posture is continuously improved to address new threats and risks.

The second action starts with the acknowledgement that traditional perimeter protections are inadequate. A Zero Trust Architecture (ZTA) approach to continuous defense on micro-perimeter level externally and internally is necessary to stay in control of risks, protect from attacks and detect and respond to all threats. Defense is based on assuming a breach may have already occurred and threat actors may be moving laterally within the network. ZTA is also necessary to comply with telecom directives and regulations.

The third action concerns the traditional reliance of CSPs on IT security solutions to operate security, mainly for the cloud infrastructure and IT domains in their networks, which, as discussed above, no longer brings sufficient peace of mind for CSP executives. The recent surge in public security breaches highlights the need for purpose-built mobile network security solutions that can safeguard the 3GPP-based mobile services, the network functions and the subscribers. Only context-aware cyber defense solutions can bridge the gap and provide actionable risk insights and mitigations.

As a final action, CSPs need to move away from manual security approaches and recognize their inefficiency and risk. Consequently, there is a growing emphasis on automating and orchestrating active on-line risk management, with a longer-term vision to provide AI-driven adaptive security for cognitive intent-based mobile networks. Very few companies in the world have the sufficient scale and know-how to turn that vision into reality. Ericsson stands as number one on that short list.

By implementing these four essential actions, a significantly more secure, privacy shielding and resilient mobile network will emerge, benefiting not only the CSPs and their subscribers, but also all businesses and the entire society.


Learn more

Read the third episode of the 5G Security blog series: Standardization and vendor product development - Ericsson

Read the second episode of the 5G Security blog series: APIs, network security lessons from enterprise - Ericsson

Read the first part of 5G security blog series: Deciphering the evolving threat landscape: security in a 5G world

Read more about our 5G security blog series

Learn more about securing 5G networks in our Ericsson Mobility Report article.

Find out more about telecom security for a connected world.

Listen as Mikko Karikytö, Ericsson Chief Product Security Officer, talks security and privacy in resilient 5G systems.
