Defending cellular utility networks: Advanced security in the zero trust era

  • Attacks like Salt Typhoon, SK Telecom, and Kyivstar prove that traditional perimeter security is dead. Utilities need zero trust architecture for cellular networks
  • Utilities require specialized security controls for cellular infrastructure that traditional IT security tools were not designed to handle

Director, Private Networks Security Solutions, Networks

The telecommunications landscape has fundamentally shifted. Recent high-profile attacks like Salt Typhoon, in which threat actors infiltrated major US telecom networks, and the devastating SK Telecom breach in South Korea have made one thing clear: traditional perimeter-based security is no longer sufficient. For utilities deploying cellular networks for critical infrastructure, the stakes couldn’t be higher.

The days of thinking about network security like a medieval castle — with strong walls and a protective moat — are over. Today’s reality demands a zero trust architecture that assumes attackers are already inside your network and moving laterally. This paradigm shift is particularly crucial for utility organizations that are increasingly relying on cellular networks for everything from smart grid communications to remote monitoring of critical assets.

The zero trust imperative for utilities

Zero trust architecture represents a fundamental reimagining of network security. Rather than focusing primarily on perimeter defenses, zero trust assumes a breach and builds security controls throughout the entire network infrastructure. For utility cellular networks, this means implementing comprehensive security measures that address four core principles.

First, encrypt everything. All data must be encrypted both in transit and at rest, with no exceptions. This isn’t just about protecting customer information, it’s about safeguarding the operational data that keeps the power grid running.

Second, authenticate and authorize every connection. This goes beyond just users and devices to include every single network flow, whether it’s human-initiated or machine-to-machine communication. In a utility environment where sensors, meters and control systems are constantly communicating, this granular approach is essential.

Third, implement comprehensive network segmentation. The management network must be isolated from the control network, which in turn must be separated from user traffic. This segmentation creates barriers that slow down attackers and limit the scope of potential breaches.

Fourth, establish continuous monitoring, logging and alerting capabilities. This is where many organizations struggle, but it’s arguably the most critical component. You need systems that continuously process logs and telemetry from across your cellular network infrastructure, running behavioral and rule-based analytics to identify anomalous behavior in real time. Continuous monitoring deals with three types of data flows: logs and telemetry, network flow data, and full packet capture data. Each is discussed further in this blog.

Industry standards and regulatory guidance

The Alliance for Telecommunications Industry Solutions (ATIS) has developed 12 critical security control groups specifically for zero trust in cellular networks. These controls are designed to work within the telecommunications infrastructure itself, covering everything from encryption requirements and identity management to network segmentation and threat detection.

Following the Salt Typhoon attack, the Cybersecurity and Infrastructure Security Agency (CISA) issued specific recommendations that also impact utility cellular networks. Their guidance emphasizes strengthening network visibility, securing networks by design, and hardening systems and devices. For utilities, this translates to immediate action items including mastering vendor-hardening guides, implementing continuous monitoring architectures and adding endpoint detection and response capabilities.

Implementing advanced security controls

One of the most critical components in this advanced security framework is understanding a telco security manager (TSM). These specialized systems address use cases that traditional IT security tools simply weren’t designed to handle. While enterprise security information and event management (SIEM) systems work well for traditional IT environments, they fall short in certain use cases when dealing with the unique protocols and architectures found in cellular networks.

A telco security manager fills this gap by handling several specialized functions that are critical for utility networks. Attack surface management provides baseline automation of security configurations across all network elements. If a security configuration gets changed — whether for legitimate emergency reasons or due to suspicious/malicious activity — the system automatically audits and can restore proper configuration settings. This automation eliminates the manual processes that utilities have traditionally relied on for configuration management.
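The configuration-baseline function described above, as an added example that is not Ericsson code or code from the original post: a golden security baseline per node type is compared against each node’s live configuration, every deviation is reported as a finding, and parameters marked as enforceable produce a restore action. The node names, parameter names and values are constructed for illustration; a real node exports its configuration in a vendor-specific format.

```python
"""Baseline-driven configuration audit for cellular network elements.

Added example (not Ericsson code). A TSM-style attack surface manager keeps a
golden security baseline per node type and periodically compares the live
configuration of every network element against it. Drift is reported as a
finding and, for parameters marked enforceable, a restore action is produced.
All node names, parameter names and values below are constructed.
"""
from dataclasses import dataclass, field

# Constructed security baseline per node class. "enforce" lists the parameters
# the manager may restore automatically; everything else is audit-only.
BASELINE = {
    "baseband": {
        "params": {
            "ssh.password_auth": "disabled",
            "ssh.allowed_ciphers": "aes256-gcm@openssh.com",
            "oam.tls_min_version": "1.2",
            "syslog.remote_target": "10.0.50.10:6514",
            "selinux.mode": "enforcing",
        },
        "enforce": {"ssh.password_auth", "selinux.mode", "syslog.remote_target"},
    },
}


@dataclass
class Finding:
    node: str
    param: str
    expected: str
    actual: str          # None if the parameter is missing on the node
    auto_restored: bool  # True when the manager is allowed to restore it


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)
    restore_actions: list = field(default_factory=list)   # (node, param, value)

    @property
    def compliant(self):
        return not self.findings


def audit_node(node_name, node_type, live_config):
    """Compare one node's live configuration against the baseline for its type."""
    spec = BASELINE[node_type]
    result = AuditResult()
    for param, expected in spec["params"].items():
        actual = live_config.get(param)
        if actual == expected:
            continue
        enforce = param in spec["enforce"]
        result.findings.append(Finding(node_name, param, expected, actual, enforce))
        if enforce:
            result.restore_actions.append((node_name, param, expected))
    return result


def audit_fleet(inventory):
    """inventory: {node_name: (node_type, live_config)} -> {node_name: AuditResult}"""
    return {name: audit_node(name, ntype, cfg) for name, (ntype, cfg) in inventory.items()}


# Constructed live configurations: one compliant node, one with drift.
SAMPLE_INVENTORY = {
    "bb-substation-01": ("baseband", {
        "ssh.password_auth": "disabled",
        "ssh.allowed_ciphers": "aes256-gcm@openssh.com",
        "oam.tls_min_version": "1.2",
        "syslog.remote_target": "10.0.50.10:6514",
        "selinux.mode": "enforcing",
    }),
    "bb-substation-02": ("baseband", {
        "ssh.password_auth": "enabled",        # drift: enforceable, will be restored
        "ssh.allowed_ciphers": "aes128-cbc",   # drift: audit-only, alert
        "oam.tls_min_version": "1.2",
        "selinux.mode": "enforcing",
        # syslog.remote_target missing entirely: enforceable drift
    }),
}

if __name__ == "__main__":
    for name, res in audit_fleet(SAMPLE_INVENTORY).items():
        print(name, "compliant" if res.compliant else f"{len(res.findings)} finding(s)")
        for f in res.findings:
            print(f"  {f.param}: expected {f.expected!r}, got {f.actual!r}"
                  + (" [auto-restore]" if f.auto_restored else " [alert only]"))
```

The split between audit-only and enforceable parameters matters in a utility: an automated restore of a remote logging target is low-risk, while silently reverting a cipher list during an emergency change could cut off an operator, so that class of drift is better raised as an alert.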

The system also uses threat intelligence from sources such as MITRE ATT&CK to provide network threat detection. Additionally, it processes logs and telemetry from the Operations, Administration, and Maintenance (OAM) cellular network components and the cloud-native infrastructure to report suspicious activity to your existing SIEM. This integration ensures that your incident response teams can continue working with familiar tools while gaining visibility into telco-specific threats. The system provides protection and detection capabilities for the entire telecom stack, from the infrastructure layer to the network application layer.
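The log-processing path described above, as an added example that is not Ericsson code or code from the original post: constructed OAM log lines are run through two detection rules (a burst of failed SSH logins from one source, and a security-relevant configuration change by an unapproved account or outside the maintenance window), and only the resulting alerts are rendered in CEF for forwarding to the existing SIEM. The log format, node names, IP addresses, the maintenance window and the vendor string "ExampleTSM" are all constructed; real OAM logs and the parameters worth watching are vendor-specific.

```python
"""Rule-based detection over OAM logs, forwarding findings to a SIEM.

Added example, not Ericsson code. A telco security manager reads logs from OAM
nodes and cloud-native infrastructure, runs detection rules over them and
forwards only the resulting alerts to the existing SIEM. Log format, node names
and IP addresses are constructed for the example; real OAM logs will differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OAM log lines: "<timestamp> <node> <facility>: <message>"
SAMPLE_LOGS = """\
2025-06-01T02:14:05Z bb-substation-02 sshd: Failed password for admin from 10.20.30.7 port 51222
2025-06-01T02:14:07Z bb-substation-02 sshd: Failed password for admin from 10.20.30.7 port 51224
2025-06-01T02:14:09Z bb-substation-02 sshd: Failed password for root from 10.20.30.7 port 51226
2025-06-01T02:14:12Z bb-substation-02 sshd: Failed password for root from 10.20.30.7 port 51228
2025-06-01T02:14:15Z bb-substation-02 sshd: Failed password for oam from 10.20.30.7 port 51230
2025-06-01T02:16:40Z bb-substation-02 sshd: Accepted publickey for oam from 10.20.30.7 port 51240
2025-06-01T02:17:02Z bb-substation-02 cm: user=oam action=set param=ssh.password_auth value=enabled
2025-06-01T11:05:00Z bb-substation-01 cm: user=svc-automation action=set param=oam.tls_min_version value=1.3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<node>\S+) (?P<fac>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
CM_RE = re.compile(r"user=(?P<user>\S+) action=set param=(?P<param>\S+) value=(?P<value>\S+)")

# Constructed policy: maintenance window (UTC hours) and accounts allowed to
# change security-relevant configuration.
MAINT_WINDOW = (10, 12)          # 10:00-12:00 UTC
APPROVED_CM_USERS = {"svc-automation"}
SECURITY_PARAMS = {"ssh.password_auth", "selinux.mode", "oam.tls_min_version"}
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=1)


def parse(lines):
    """Yield one dict per well-formed log line with a parsed timestamp."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d


def detect(lines):
    """Return SIEM-ready alert dicts produced by the two rules implemented here."""
    alerts = []
    failures = defaultdict(list)     # (node, src) -> timestamps of recent failed logins
    for ev in parse(lines):
        fm = FAILED_RE.search(ev["msg"]) if ev["fac"] == "sshd" else None
        if fm:
            key = (ev["node"], fm["src"])
            failures[key].append(ev["ts"])
            # keep only failures inside the sliding window
            recent = [t for t in failures[key] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            failures[key] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({"rule": "ssh_bruteforce", "node": ev["node"],
                               "src": fm["src"], "count": len(recent), "ts": ev["ts"]})
            continue
        cm = CM_RE.search(ev["msg"]) if ev["fac"] == "cm" else None
        if cm and cm["param"] in SECURITY_PARAMS:
            in_window = MAINT_WINDOW[0] <= ev["ts"].hour < MAINT_WINDOW[1]
            if cm["user"] not in APPROVED_CM_USERS or not in_window:
                alerts.append({"rule": "unauthorized_security_change", "node": ev["node"],
                               "user": cm["user"], "param": cm["param"],
                               "value": cm["value"], "ts": ev["ts"]})
    return alerts


def to_cef(alert):
    """Render an alert as a CEF line, a format most SIEMs ingest natively."""
    ext = " ".join(f"{k}={v}" for k, v in alert.items() if k not in ("rule", "ts"))
    # "ExampleTSM" is a placeholder device vendor, not a real product name
    return (f"CEF:0|ExampleTSM|tsm|1.0|{alert['rule']}|{alert['rule']}|8|"
            f"rt={alert['ts'].isoformat()} {ext}")


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(to_cef(a))
```

Running the block produces two CEF lines: the brute-force alert when the fifth failure within a minute arrives, and the change to ssh.password_auth made by the oam account at 02:17, which is both an unapproved account and outside the window. The 11:05 change by svc-automation is silent, which is the point of encoding the maintenance policy in the rule rather than alerting on every change.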

Additionally, these systems can detect false base stations that might be deployed within utility spectrum. Using software-defined radios that cost just a few thousand dollars, attackers can set up rogue base stations to attract and attack endpoint devices. The TSM leverages built-in 3GPP functionality such as the Automatic Neighbor Relation (ANR) feature on the basebands and the LTE security-initiated measurements that already exist in all cellular endpoints. These features continuously monitor the spectrum and report every base station they can see. By analyzing this data, the security system can identify unauthorized base stations and plot their locations on a map for utility security teams.
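The false base station analysis described above, as an added example that is not Ericsson code or code from the original post: cells reported by basebands (ANR neighbor tables) and endpoints (measurement reports) are checked against the utility’s inventory of authorized cells, and anything with an unknown PCI/EARFCN pair, or an authorized PCI broadcasting a cell identity that does not match the inventory, is flagged and given a rough location from the reporters that heard it. The PCIs, EARFCN, cell identities, node names and coordinates are constructed, and the report structure is a simplification of what a real baseband exports.

```python
"""Detecting unauthorized (false) base stations from neighbor measurement reports.

Added example, not Ericsson code. Basebands (via ANR) and endpoints (via
measurement reports) continuously report the cells they can hear. A security
system compares the reported cell identities against the utility's inventory
of authorized cells; anything outside the inventory, or an authorized identity
heard with the wrong cell ID, is flagged. PCIs, cell IDs, node names and
coordinates are constructed; the report format is a simplification.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedCell:
    reporter: str       # baseband or endpoint that heard the cell
    pci: int            # physical cell identity
    earfcn: int         # carrier frequency number
    cell_id: str        # decoded cell identity, or None if only the PCI was seen
    rsrp_dbm: float     # received power


# Constructed inventory of authorized cells in the utility's spectrum: (pci, earfcn) -> cell ID
AUTHORIZED = {
    (101, 3050): "311-480-0001-1",
    (102, 3050): "311-480-0001-2",
    (205, 3050): "311-480-0002-1",
}

# Constructed reporter locations used to estimate where a rogue cell was heard
REPORTER_LOCATION = {
    "bb-substation-01": (40.7128, -74.0060),
    "bb-substation-02": (40.7310, -73.9970),
    "ue-meter-4417":    (40.7200, -74.0010),
}

# Constructed reports, as collected from ANR neighbor tables over one polling interval
SAMPLE_REPORTS = [
    ObservedCell("bb-substation-01", 102, 3050, "311-480-0001-2", -88.0),
    ObservedCell("bb-substation-01", 205, 3050, "311-480-0002-1", -101.0),
    ObservedCell("bb-substation-02", 101, 3050, "311-480-0001-1", -85.0),
    # A PCI nobody owns, heard by two reporters: the classic rogue signature
    ObservedCell("bb-substation-02", 333, 3050, None, -70.0),
    ObservedCell("ue-meter-4417",    333, 3050, None, -65.0),
    # An authorized PCI, but broadcasting a cell ID that is not in the inventory
    ObservedCell("ue-meter-4417",    101, 3050, "311-480-0009-9", -72.0),
]


def classify(report):
    """Return None if the observed cell is authorized, else a reason string."""
    expected = AUTHORIZED.get((report.pci, report.earfcn))
    if expected is None:
        return "unknown PCI/EARFCN"
    if report.cell_id is not None and report.cell_id != expected:
        return "PCI collides with authorized cell but cell ID differs"
    return None


def estimate_location(reporters):
    """Weighted centroid of reporter positions; stronger signals weigh more."""
    total = 0.0
    lat = lon = 0.0
    for name, rsrp in reporters:
        w = 1.0 / max(1.0, abs(rsrp) - 40)   # crude: -60 dBm weighs more than -100 dBm
        r_lat, r_lon = REPORTER_LOCATION[name]
        lat += w * r_lat
        lon += w * r_lon
        total += w
    return (round(lat / total, 4), round(lon / total, 4))


def find_rogue_cells(reports):
    """Group suspicious reports by (pci, earfcn) and attach an estimated location."""
    suspects = defaultdict(list)
    reasons = {}
    for r in reports:
        reason = classify(r)
        if reason:
            suspects[(r.pci, r.earfcn)].append((r.reporter, r.rsrp_dbm))
            reasons[(r.pci, r.earfcn)] = reason
    return [{"pci": pci, "earfcn": earfcn, "reason": reasons[(pci, earfcn)],
             "heard_by": [n for n, _ in obs], "location": estimate_location(obs)}
            for (pci, earfcn), obs in suspects.items()]


if __name__ == "__main__":
    for s in find_rogue_cells(SAMPLE_REPORTS):
        print(f"PCI {s['pci']} on EARFCN {s['earfcn']}: {s['reason']}; "
              f"heard by {', '.join(s['heard_by'])}; est. location {s['location']}")
```

The second check (an authorized PCI with a mismatched cell ID) matters because an attacker can copy a PCI from a legitimate site; an inventory keyed on PCI alone would wave that through, while the decoded cell identity still gives it away.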

The build-versus-buy decision

When implementing these advanced security capabilities, utilities face a fundamental choice: develop the capabilities in-house or purchase them from vendors. This decision significantly impacts both the complexity of implementation and long-term operational requirements.

For TSM capabilities, organizations can choose to develop their own monitoring and threat detection systems. This approach requires deep technical expertise in the specific logging formats and telemetry information from your cellular network vendor. A utility’s security engineers would need to understand these data formats and write correlation rules for their existing SIEM platform, whether that’s Splunk, IBM QRadar or another solution. While this approach provides maximum customization and control, it demands significant ongoing engineering resources and specialized knowledge of cellular protocols.

Alternatively, utilities can purchase these capabilities directly from their cellular network vendor, such as Ericsson. This approach leverages the vendor’s deep understanding of their own systems’ logging formats and telemetry data, potentially reducing implementation complexity and time-to-deployment.

The same build-versus-buy decision applies to endpoint detection and response (EDR) capabilities. Commercial EDR solutions from vendors can be deployed in cellular environments, but this requires the utility’s team to develop expertise in writing rule sets for the unique protocols and architectures involved. Utility engineers must understand cellular-specific protocols like SCTP (Stream Control Transmission Protocol), PFCP (Packet Forwarding Control Protocol) and GTP (GPRS Tunnelling Protocol), as well as specialized roaming and signaling protocols.

They also need deep knowledge of the Linux security functions that vendors build into their products, including such technologies as SELinux, AppArmor and vendor-specific hardening measures. This expertise requirement shouldn’t be underestimated—cellular networks operate in ways that are very different from traditional enterprise IT environments.

EDR agents represent another critical security layer but implementing them in cellular networks presents unique challenges. In traditional enterprise environments, EDR agents are deployed on every laptop, desktop and server to create a comprehensive security grid. They’re so important that cyber insurance providers won’t even issue policies without them.

However, deploying EDR agents in cellular environments is significantly more complex. These systems run entirely on Linux-based containers, requiring agents that can operate both within the container where applications run and at the operating system level below for maximum effectiveness.

Here, too, organizations have two primary options for EDR implementation, each with distinct advantages and challenges. The build-it-yourself approach offers maximum control and customization but requires substantial expertise and ongoing resource commitment. The vendor-provided solution typically offers faster deployment and better integration but creates additional dependencies.

The complexity of this decision shouldn’t be underestimated. The cellular environment operates with protocols and architectures that are fundamentally different from traditional IT systems. For many utilities, especially those without extensive cellular networking expertise in-house, partnering with their network vendor for these critical security capabilities provides the most practical and reliable path forward.

Network visibility and threat detection

Network detection and response (NDR) systems provide another crucial layer of security by analyzing IP flows across the network infrastructure. These systems excel at identifying anomalous network behavior and command-and-control communications.

For utility networks, NDR systems are particularly valuable for detecting external communications that could indicate compromise. When attackers gain access to your network, they typically need to communicate with their “mother ship”—external command-and-control servers. These communications often stand out dramatically from normal network patterns, making them detectable with proper monitoring.

NDR systems also provide historical analysis capabilities that are invaluable during incident response. If you discover an attack, these systems can provide a complete record of where the attacker moved within your network and which systems they accessed and may have compromised. NDR systems have been in use for some time and may already be deployed in the utility’s IT and OT environments. It is recommended to extend them into the cellular network’s management network for visibility and protection.
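The two flow-level checks described in this section, as an added example that is not Ericsson code or code from the original post: over constructed NetFlow-like records from the management network, one function lists external destinations that are not on the allowlist, and another looks for beaconing, that is, repeated connections to one external host whose start times are spaced so regularly that a human or a normal application is an unlikely source. The address ranges, allowlist, timestamps and thresholds are all constructed; a production NDR tunes the beacon window and jitter bound per environment.

```python
"""Flow-based detection of beaconing to external command-and-control hosts.

Added example, not Ericsson code. An NDR system sees IP flow records (here a
simplified NetFlow-like tuple) from the cellular management network. Two checks
are applied: connections to destinations outside the allowlisted external
ranges, and periodic ("beaconing") connections whose inter-arrival times are
suspiciously regular. Addresses, times and the allowlist are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed policy: internal ranges and the only external destinations the
# management network is allowed to talk to (e.g. the vendor's update mirror).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]   # documentation range, constructed

MIN_BEACON_FLOWS = 6
MAX_JITTER_RATIO = 0.15     # stdev / mean of inter-arrival times

# Constructed flow records: (start_time, src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    # legitimate: update mirror, irregular timing and sizes
    ("2025-06-01T03:00:10Z", "10.0.50.21", "203.0.113.10", 443, 184000),
    ("2025-06-01T03:41:55Z", "10.0.50.21", "203.0.113.10", 443, 2300),
    # suspicious: unknown external host, contacted every ~300 s with tiny payloads
    *[(f"2025-06-01T03:{m:02d}:{s:02d}Z", "10.0.50.33", "198.51.100.7", 8443, 512)
      for m, s in [(0, 0), (5, 1), (10, 0), (15, 2), (20, 0), (25, 1), (30, 0)]],
    # internal traffic, ignored by the external checks
    ("2025-06-01T03:02:00Z", "10.0.50.33", "10.0.60.5", 22, 9000),
]


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def external_flows(flows):
    """Yield flows whose destination is outside the internal ranges, with parsed time."""
    for start, src, dst, port, nbytes in flows:
        d = ipaddress.ip_address(dst)
        if not _in_any(d, INTERNAL_NETS):
            yield datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ"), src, d, port, nbytes


def unallowed_destinations(flows):
    """Set of (src, dst) pairs talking to external hosts not on the allowlist."""
    return {(src, str(d)) for _, src, d, _, _ in external_flows(flows)
            if not _in_any(d, ALLOWED_EXTERNAL)}


def beacon_candidates(flows):
    """(src, dst, port) tuples whose flow start times are regularly spaced."""
    series = defaultdict(list)
    for ts, src, d, port, _ in external_flows(flows):
        series[(src, str(d), port)].append(ts)
    found = []
    for key, times in series.items():
        if len(times) < MIN_BEACON_FLOWS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= MAX_JITTER_RATIO:
            found.append({"key": key, "flows": len(times), "period_s": round(mean, 1),
                          "jitter": round(jitter, 3)})
    return found


if __name__ == "__main__":
    print("external destinations outside allowlist:", unallowed_destinations(SAMPLE_FLOWS))
    for b in beacon_candidates(SAMPLE_FLOWS):
        print("beaconing:", b)
```

The allowlist check alone already catches the constructed 198.51.100.7 traffic, but the beacon check is the one that survives when an attacker uses a destination that happens to be allowed or a range that is too broad: a 300-second period with under one percent jitter stands out regardless of where the flow goes, which is the "stands out dramatically" property the section relies on.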

Advanced monitoring in containerized environments

Modern cellular networks run as containerized network functions on Linux and Kubernetes, which presents unique challenges for full-packet-capture security monitoring. Unlike traditional virtual machine environments, where you could tap a single interface to monitor the network functions, containerized environments can have network functions distributed across multiple physical servers.

This distributed architecture requires software-based monitoring solutions that can aggregate traffic from across the containerized environment and send it to the full packet capture analysis tools. If your organization requires full packet capture capabilities for security analysis, you’ll need to ensure your vendor can provide appropriate software probe solutions.

Real-world threat scenarios

Recent attacks demonstrate the practical importance of these advanced security controls. The SK Telecom attack utilized BPFDoor malware, a Linux-based tool used to target telecommunications infrastructure. A properly configured telco security manager could detect this malware, identify unusual data queries and implement protective controls to prevent lateral movement.

Similarly, the Erlang SSH attack targeted secure terminal access across telecommunications infrastructure. EDR agents or other security controls deployed on radio access network basebands could detect these exploit attempts and trigger additional security control actions around SSH and related protocols.

Building a comprehensive defense

The security landscape for utility cellular networks demands a layered approach that goes far beyond traditional perimeter defenses. Zero trust architecture provides the framework, but successful implementation requires careful attention to the unique challenges of cellular infrastructure.

The key is micro-perimeter protection and integration. Your telco security manager should monitor every cellular infrastructure network node as a micro-perimeter and feed into your existing SIEM infrastructure. Your EDR agents need to work within the constraints of containerized environments while providing comprehensive visibility. Your network detection systems must understand both traditional IT traffic and cellular-specific protocols.

Most importantly, these aren’t one-time implementations. The threat landscape continues to evolve, and your security architecture must evolve with it. Regular reviews of vendor hardening guides, continuous updates to monitoring rules, and ongoing assessment of your security posture are essential.

For energy utilities, the stakes are too high to accept anything less than comprehensive security. The attacks on SK Telecom and the Salt Typhoon campaign demonstrate that sophisticated threat actors are actively targeting telecommunications infrastructure. Your cellular network is both a critical operational asset and a potential attack vector — it deserves security measures that match its importance to your organization’s mission.

Read more

Dive deeper: watch the webinar Defending Cellular Utility Network Infrastructure in an Increasingly Volatile World
