Evolving the security posture for critical infrastructure

Assume the adversary is already in the network ….  because they are

The security of 5G networks is national security. 5G is critical infrastructure that provides the foundation of society - supporting economies, public safety, healthcare, utilities, and our everyday lives. It is the goal of network operators to provide secure, resilient networks and the goal of the hardware and software suppliers of those networks to provide the capabilities and features that enable secure, resilient networks.  

Ericsson Americas, Director for Security

The security of mobile critical infrastructure is becoming increasingly challenging due to the evolution of Advanced Persistent Threats (APTs). With APTs, the sophisticated threat actor, typically well-funded, establishes a beachhead in the network, and then moves laterally through the network. The beachhead and lateral movement can be achieved by exploiting compromised credentials, vulnerabilities and misconfigurations. The goal of the APT is to perform reconnaissance, data exfiltration, unauthorized control, or disruption.  

The challenge to secure against APTs is that the external threat actor penetrates through a secure perimeter to become an internal threat actor able to persist and move laterally through the network. This challenge is exacerbated in a multi-stakeholder deployment where there could be varying security postures and unclear assignment of responsibilities. Increased due diligence is needed to secure critical infrastructure in open, cloud-native, multi-vendor deployments.

Figure 1. APT Lateral Movement

The telco industry’s robust response

The telco industry was already on its path to building secure networks to protect our nation’s mobile critical infrastructure from sophisticated attacks. Recent APT attacks on networks have strengthened the industry’s resolve to secure its networks. The best defense against APTs is to build in security using a multi-pronged approach based upon guidance from US federal agencies:

  1. Implement Zero Trust Architecture (ZTA)
  2. Follow secure software development processes
  3. Apply industry best practices for hardening
  4. Continuously monitor for visibility

Each of these is discussed here.  

1. Implement Zero Trust Architecture (ZTA)

ZTA is the evolution of zero trust into an implementable plan. The National Institute of Standards and Technology (NIST) in the US Department of Commerce introduced ZTA in 2020 in its Special Publication (SP) 800-207 [1]. ZTA is a network characteristic that should be implemented end-to-end to eliminate any weak point of entry that can serve as a beachhead to the rest of the network. The primary strength of ZTA is that it protects against external and internal threats as if the adversary is already inside. NIST SP 800-207 defines the seven tenets of zero trust; a network that achieves all of them has a ZTA. In telecom networks, ZTA has four basic principles:

  • Each network function is a resource secured as a micro-perimeter. (maps to NIST ZT Tenet 1)
  • Confidentiality and integrity protection are provided for data in transit on external and internal interfaces and for data at rest. Examples of data-in-transit protection are the security protocols TLS and IPsec. (maps to NIST ZT Tenet 2)
  • Authentication and authorization are enforced on a per-session basis for external and internal subjects. An example of authentication is mTLS with PKI X.509 certificates; an example of authorization is access control following the principle of least privilege. (maps to NIST ZT Tenets 3, 4, and 6)
  • Continuous monitoring, logging, and alerting are implemented to detect and respond to security events. (maps to NIST ZT Tenets 5 and 7)

A ZTA is enabled by products that support the security features operators require in their networks. Because of the complexity, cost, and time involved, achieving a ZTA is a journey that should be followed in incremental stages. Do not wait for perfect security. US DHS CISA recommends that operators and their suppliers follow its Zero Trust Maturity Model (ZTMM) version 2 [2], which has four stages: Traditional, Initial, Advanced, and Optimal. Traditional is the way we have been doing things, with perimeter-based security, which alone is no longer sufficient. Initial and Advanced are the attainable stages for implementing a ZTA with security controls that protect against external and internal threats. Optimal is a future-looking stage based on still-evolving artificial intelligence (AI)-based security technologies.

Figure 2. Evolution to ZTA using zero trust

2. Follow secure software development processes

One attack vector APTs use for lateral movement is exploiting vulnerabilities once inside the network. This can be mitigated by reducing software vulnerabilities. Secure software development is the evolution of the software development lifecycle to build in security. Secure software development best practices have been made publicly available by BSA, OWASP, and SAFECode. A fundamental practice for secure software development is the secure consumption of third-party software, particularly Free Open Source Software (FOSS), which is often not maintained securely [3].

NIST used these best practices to establish the Secure Software Development Framework (SSDF) in NIST SP 800-218 [4]. The SSDF helps software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. It is organized into four groups of practices: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV).

3. Apply best practices for hardening

APTs can perform lateral movement by exploiting unpatched software with vulnerabilities, weak or stolen credentials, and security misconfigurations. Exploitations can be mitigated through vulnerability patching, password hygiene, and configuration hardening.  Configuration hardening is achieved in two steps: first plan and set the security baseline configuration and then continuously audit for security configuration changes and drift. It is fundamental to maintain the security baseline and necessary to have visibility into any configuration changes that deviate from the baseline. Identity and access management configuration should be a high priority as it is a common attack vector.
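As an added example (not part of the original post or of any Ericsson product), the two-step procedure above can be expressed as a baseline-and-drift audit: an approved baseline is recorded, a later snapshot of the running system is compared against it, and every deviation is reported, with identity and access management drift ranked highest. The configuration keys and both snapshots are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed security baseline: the planned, approved state (illustrative keys).
BASELINE = {
    "iam.mfa_required": True,
    "iam.admin_group": ["netops-admins"],
    "ssh.permit_root_login": False,
    "tls.min_version": "1.2",
    "audit.log_enabled": True,
}

# Constructed later snapshot of the running system, with several kinds of drift.
SNAPSHOT = {
    "iam.mfa_required": False,                               # IAM control weakened
    "iam.admin_group": ["netops-admins", "tmp-contractor"],  # unapproved admin added
    "ssh.permit_root_login": False,
    "tls.min_version": "1.2",
    # "audit.log_enabled" is missing: logging was silently removed
    "debug.shell_enabled": True,                             # setting never in baseline
}

@dataclass(frozen=True)
class Finding:
    key: str
    expected: object
    actual: object
    severity: str

def severity_for(key: str) -> str:
    # Identity and access management drift is treated as the top priority.
    return "high" if key.startswith("iam.") else "medium"

def audit_drift(baseline: dict, snapshot: dict) -> list:
    """Return every deviation of snapshot from baseline, high severity first."""
    findings = []
    for key, expected in baseline.items():
        if key not in snapshot:
            findings.append(Finding(key, expected, "<missing>", severity_for(key)))
        elif snapshot[key] != expected:
            findings.append(Finding(key, expected, snapshot[key], severity_for(key)))
    for key in snapshot.keys() - baseline.keys():
        # A setting absent from the baseline was never approved.
        findings.append(Finding(key, "<not in baseline>", snapshot[key], "medium"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.key))

if __name__ == "__main__":
    for f in audit_drift(BASELINE, SNAPSHOT):
        print(f"[{f.severity.upper()}] {f.key}: expected {f.expected!r}, found {f.actual!r}")
```

Run periodically against fresh snapshots, an empty result means the baseline is intact; anything else is a change that must be either approved into the baseline or reverted.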

CISA has provided excellent hardening guidance for securing products in response to recent APTs [5], [6]. In addition, the US National Security Agency (NSA) Enduring Security Framework (ESF) produced a four-volume set “Security Guidance for 5G Cloud Infrastructures” [7]. This work provides best practices, aligned with the NIST ZTA, specifically for mobile critical infrastructure deployed in cloud-native environments, based upon four guiding principles:

  • Prevent and Detect Lateral Movement
  • Securely Isolate Network Resources
  • Protect Data in Transit, In-Use, and at Rest
  • Ensure Integrity of Infrastructure

4. Continuously monitor for visibility

A ZTA also needs to be achieved during operations, which is a challenge as threats are evolving and now leveraging AI to conduct more sophisticated attacks. Defense against APTs is particularly challenging as the external threat actor transforms to appear as an internal threat actor, making it necessary to have end-to-end visibility through continuous monitoring of the network, workloads, and users. A security management system for operations [8] provides the ability to identify, protect, detect, respond, and recover from evolving internal attacks on the micro-perimeters of each network asset and cloud-native infrastructure. Visibility through continuous logging of access attempts and command execution can leverage AI-based security to enable real-time detection of anomalous behavior and the presence of APTs inside the network. Integrating threat detection and anomaly detection with threat intelligence, vulnerability management, and continuous monitoring enables a ZTA in operations to defend against APTs. 
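The following is an added example, not code from the original post or from Ericsson, of continuous-monitoring logic run over constructed access-log lines (the log format, host names such as nf-amf-01, user names and addresses are all assumptions). It flags two behaviours the text describes: one source successfully authenticating to many distinct internal hosts in a short window (lateral-movement fan-out), and a success that follows a burst of failed attempts for the same source and user.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (not real network output), one auth event per line.
LOG_LINES = """\
2025-01-10T02:13:05Z auth src=10.0.5.7 dst=nf-amf-01 user=svc-ops result=success
2025-01-10T02:13:40Z auth src=10.0.5.7 dst=nf-smf-02 user=svc-ops result=success
2025-01-10T02:14:02Z auth src=10.0.5.7 dst=nf-upf-03 user=svc-ops result=success
2025-01-10T02:14:30Z auth src=10.0.5.7 dst=nf-udm-01 user=svc-ops result=success
2025-01-10T02:20:11Z auth src=10.0.9.2 dst=nf-amf-01 user=alice result=success
2025-01-10T04:00:01Z auth src=10.0.7.4 dst=nf-nrf-01 user=bob result=failure
2025-01-10T04:00:05Z auth src=10.0.7.4 dst=nf-nrf-01 user=bob result=failure
2025-01-10T04:00:09Z auth src=10.0.7.4 dst=nf-nrf-01 user=bob result=failure
2025-01-10T04:00:20Z auth src=10.0.7.4 dst=nf-nrf-01 user=bob result=success
"""
LINE_RE = re.compile(r"^(\S+) auth src=(\S+) dst=(\S+) user=(\S+) result=(\S+)$")

def parse(text):
    # Returns time-ordered (ts, src, dst, user, result) tuples; malformed lines are skipped.
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return sorted(events)

def detect_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    # Lateral-movement signal: one source successfully reaches many distinct hosts in a short window.
    alerts, by_src = set(), defaultdict(list)
    for ts, src, dst, _user, result in events:
        if result == "success":
            by_src[src].append((ts, dst))
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            hosts = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts.add(src)
    return alerts

def detect_guess_then_success(events, window=timedelta(minutes=5), max_failures=2):
    # Credential-abuse signal: a success preceded by a burst of failures for the same source and user.
    alerts, failures = set(), defaultdict(list)
    for ts, src, _dst, user, result in events:
        recent = [t for t in failures[(src, user)] if ts - t <= window]
        if result == "failure":
            failures[(src, user)] = recent + [ts]
        elif len(recent) > max_failures:
            alerts.add((src, user))
    return alerts
```

The thresholds are deliberately parameters: the right window and host count depend on what normal operations traffic looks like in a given network, and they should be tuned against a baseline before alerts are routed to responders.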

It is a continuous journey

Telecom network security is never complete as threats are constantly evolving. The realization of new, sophisticated APTs has alerted us to this reality. The telco industry is continuing its pursuit of a ZTA because that is the right approach to defend against external and internal attacks.  Assume the adversary is in the network because they are. Network products with ZTA-enabling security features, security built-in using secure software development processes, product hardening following best practices from industry and government, and continuous monitoring for visibility and AI-based detection will enhance the network security posture to better defend against sophisticated APTs.  

References

[1] “Zero Trust Architecture”, NIST SP 800-207, US DoC NIST, September 2020.
[2] “Zero Trust Maturity Model”, version 2.0, US DHS CISA, April 2023.
[3] “Open source software security in an ICT context”, Ericsson, January 2021.
[4] “Secure Software Development Framework (SSDF)”, version 1.1, NIST SP 800-218, US DoC NIST, February 2022.
[5] “Enhanced Visibility and Hardening Guidance for Communications Infrastructure”, US DHS CISA, December 2024.
[6] “Product Security Bad Practices”, US DHS CISA, January 2025.
[7] “Security Guidance for 5G Cloud Infrastructures”, US NSA ESF, October 2021.
[8] “Zero Trust Architecture for advancing mobile network security operations”, Ericsson, February 2024.

The Ericsson Blog