Innovation Briefing Issue 10 | Security lessons

  • Published by Crispin Moller on 11 Aug 2022
  • Last modified 2 Aug 2022
The world is a more uncertain place in 2022, and, with their ability to paralyse critical infrastructure, cyber-attacks can seem terrifying. But we should take comfort from the efforts going on to thwart them – which are much less publicised than the attention-grabbing attacks.
  • UK policy is rapidly evolving to cope with a more threatening world.
  • 5G is an opportunity for critical infrastructure to be beefed up.
  • We look at how UK plc can benefit from these initiatives and find it’s not just technology that matters, but human attention.

“There are people in backrooms who are passionate about solving this stuff,” explains David Rogers MBE, CEO of Copper Horse.

No one knows more about securing the next generation of mobile network technology than Rogers: his roles include sitting on the UK’s Telecoms Supply Chain Diversification Advisory Council, and the security initiatives at the mobile industry standards forum, the GSMA, where he chairs the Fraud and Security Group (FASG) and its 5G Security Task Force (5GSTF). Rogers has overseen the introduction of new practices and new thinking, so there’s nobody better to guide you through the work going on to secure 5G.

Two overarching themes have changed how the industry treats security. Mobile is now a more critical part of our lives than it was when 4G was developed in the late 2000s.

“It’s not just about preventing someone’s phone getting cut off,” says Rogers. “You’ve got people’s lives in your hands.”

And even more importantly, 5G is much more technically ambitious than its predecessors, and so requires far greater attention than telecoms professionals have given mobile. For example, 15 years ago when the 4G protocols were being written, it was hard to imagine that key network functions would run anywhere other than inside a sealed box at a given location, or that the location would be anywhere other than at or near a radio antenna. But these functions have escaped from the traditional box, and since they can run in software, that software might be running side by side with a Minecraft session, a personal photo collection, or a Slack channel at a fast fashion startup in Hoxton. And the location of that server might move, too, bouncing around the world like a gap year student, with the network operator oblivious. That’s the reality of the cloud, which can now run key core network features.

“The new challenge for this generation of mobile technology is that realistically, people aren’t going to know where stuff is running at any particular time,” Rogers explains.

In other ways too, mobile traffic will find itself with new neighbours for the first time. Mobile data packets have traditionally been managed broadly the same way by a single operator. But in a virtualised and “sliced” network, different customers may be set different parameters based on their requirements – a sensor may have a slice that allows it to send data once every 24 hours with no need for lots of bandwidth. A video feed from a concert may have a high-bandwidth, low latency slice. Several parties may also be sending their data over the same airwaves, and over the same fibre cable. For example, a public 5G network may nestle alongside a factory’s private 5G network.

“5G will expand traditional relationships between consumers, business users and mobile network operators,” Ericsson writes in its security white paper for network builders. “The expansion will include new relationships in the form of digitised and automated business processes of enterprises, control, and operations of machinery of industry companies.”

The greater attack surface means greater danger, and far more routes into a system to cause mischief. As David Rogers himself wrote for UK 5G Innovation Briefing:

 “The 5G vision is a collection of technologies, including different types of IoT radio and device types across multiple different sectors or ‘verticals’. This opens up a new set of issues around the ‘cyber-physical’ space – that is the attacks no longer just remain virtual. A cyber attack could potentially interact with a real-world object or system causing catastrophic consequences. In farming this could mean the loss of irrigation causing food security issues. In heavy industrial, this could mean the complete destruction of a blast furnace and in the automotive sector it could mean that cars could be stopped in the middle of the road, essentially halting the economy instantly.”

But Rogers isn’t daunted. A new generation of technology allows the opportunity not just for review, but for the introduction of new practices and technologies. We’ll describe some below.

Review Findings

The UK Telecoms Review of 2019 identified three key areas for attention.

  • One was the security challenge posed by vendors; concerns prompted by Huawei’s deep involvement in the UK landscape.
  • The second, which has been covered by UK5G Innovation Briefing in great detail, is “sustainable diversity in the telecoms supply chain”. That is to say, governments can only spend a drop in the ocean compared to the incumbent vendors – Ericsson devoted £8.7 million to R&D every day [Kr.32 billion] – but they can send a message to the market that a more diverse marketplace is a priority area. The FRANC competition is one example of sending a message, and more will follow.
  • The third covers operational practice and standards.

Six threats out of 26 identified were regarded as critical in the 5G Security Landscape Threat report for DCMS in 2021. These are:

  • systems security maintenance – keeping it up to date.

Also identified were:

  • physical security
  • vulnerability scanning
  • network slice security
  • the implications of using open components
  • and one emerging area: the lack of guidance as computing was moved to the edge of the network, closer to the devices and equipment users deploy.

A report for DCMS by innovation consultants Plexal explained: “there is only limited guidance on securing MEC (Multi Access Edge Compute), which is responsible for 5G’s performance promises.” “Considerable work needs to be driven (sic) to protect the security and privacy of these networks and increase trust in 5G Private Networks for mission-critical applications.”

Much work is already underway on these issues. Known in the industry as recommendation FS.40, the GSMA’s 5G Security Guide shows how comprehensive and detailed the new techniques and practices are.

“FS.40 developed over a period of time, the 5GSTF were looking at 5G operational deployment and what we needed to do, based on the 3GPP specifications,” Rogers explained. “Encryption on the network was once a new thing. Each generation has allowed us as an industry to do a step change to raise the overall bar of security.” The goal was to give networks and ultimately their customers confidence.

“If you pick up the phone to make a call, you don’t have a concern that you’re going to get the wrong person. Or that a random person is listening in. That level of confidence people take for granted is a testament to the legacy.”

Security and authentication were amongst the highest priorities. Rogers says of all the shifts, the most significant can be found in the evolution of what are called signalling protocols, and the evolution of these processes into HTTP/2.

“HTTP/2 is the main difference”, says Rogers. This is one of a myriad examples of the telecoms world borrowing good ideas and practices from IT. The traditional distinction between IT on one side, and telecoms and networks on the other, has all but disappeared.

Mobile networks were originally analog with no security. But security was conspicuously absent even from the first generation of digital, 2G. These networks used the ETSI or ANSI implementations of SS7, or Signalling System No.7, which was developed in the 1970s, and governed how the landline or POTS network established and handled a telephone call. It specified dedicated circuits for controlling calls – a big step forward at the time. But plenty was missing, Rogers explains.

“SS7 meant a completely open network with no authentication and no integrity checking. In GSM we also didn’t have mutual authentication, meaning the base station didn’t have to authenticate itself to the mobile device. It had the potential for a lot of fraud and malfeasance. To rewrite the SS7 protocol and deploy a revised secure version on 2G and 3G is, and was, uneconomically unviable.”
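
The gap Rogers describes, as an added example that is not part of the original article: a one-way challenge-response, where the device answers whoever asks, beside a mutual scheme of the kind later generations adopted, where the device first checks a token from the network. HMAC-SHA256 stands in for the real algorithms, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stands in for the operator's real algorithms (assumption).
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class Network:
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def challenge_mutual(self):
        # Challenge plus a token only a holder of K can compute.
        self.sqn += 1
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        return rand, sqn, f(self.k, b"net-mac", rand, sqn)

    def verify(self, rand: bytes, res) -> bool:
        return res is not None and hmac.compare_digest(res, f(self.k, b"res", rand))

class Sim:
    def __init__(self, k: bytes):
        self.k, self.last_sqn = k, 0

    def respond_one_way(self, rand: bytes) -> bytes:
        # One-way scheme: any challenge is answered; the sender proves nothing.
        return f(self.k, b"res", rand)

    def respond_mutual(self, rand: bytes, sqn: bytes, mac: bytes):
        # Mutual scheme: check the network's token and freshness before answering.
        if not hmac.compare_digest(mac, f(self.k, b"net-mac", rand, sqn)):
            return None  # sender does not hold K
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None  # replayed challenge
        self.last_sqn = int.from_bytes(sqn, "big")
        return f(self.k, b"res", rand)

def demo() -> dict:
    k = os.urandom(16)                  # constructed subscriber key
    net, sim = Network(k), Sim(k)
    stranger = Network(os.urandom(16))  # a station that does not hold K
    out = {}
    rand = os.urandom(16)
    out["one_way_genuine"] = net.verify(rand, sim.respond_one_way(rand))
    out["one_way_answers_stranger"] = sim.respond_one_way(os.urandom(16)) is not None
    good = net.challenge_mutual()
    out["mutual_genuine"] = net.verify(good[0], sim.respond_mutual(*good))
    out["mutual_rejects_stranger"] = sim.respond_mutual(*stranger.challenge_mutual()) is None
    out["mutual_rejects_replay"] = sim.respond_mutual(*good) is None
    return out

if __name__ == "__main__":
    print(demo())
```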

Alongside SS7, 4G introduced a set of protocols called Diameter.

“Diameter is more of an authentication specification, but like the SS7 it replaces both are ways of containing your data to put them from one point to another. Diameter receives an authorisation requisition, then goes and gets a JSON object, of key / value pairs,” says Steve Bucklin, a network veteran who consults on building 5G networks.

In 5G those control instructions are now wrapped up in HTTP/2, a superset of the web client/server protocols that engineers at Google devised to speed up low latency mobile connections. “There is not a huge difference but HTTP/2 speeds things up. You can make three or four requests and get them back when they’re ready,” Bucklin explains.

Encrypted links

Many of us understand that cyber-attacks or compromise come from “outside the network” – and here, the media loves to use stock art of a young man in a hoodie with a laptop before him. He’s an outsider. But in the mobile industry, being “outside the network” is where you are when you roam.

“Most telecom networks are closed networks, built on trust and are probably not sufficient to handle advanced attacks that originate outside their networks,” Ericsson signalling expert Lalit Garg explained in 2019.

 These outstanding trust issues on roaming are finally being addressed. Roaming in China, or allowing Chinese devices to roam on US networks, for example, is an entirely new and recent challenge.

“What we’re trying to do in the next generation world is implement encryption in the interconnection between operators. The practical implementation of that is quite hard,” says Rogers. A UK network may not know what is happening with a device in another country, but real-time data analysis can help here.

FS.40 is the primary document in a series detailing the security and threat landscape. Another anticipates threats:

“With FS.39, we’re trying to predict where fraudsters are going to go in the future,” Rogers explains.

One initiative in particular brought a lot of brains to the process. The global community of trusted security researchers and academics has contributed hugely to IT security, but less so traditionally to telecoms. Rogers wanted to bring them into the fold. He helped establish what he describes as the only industry-wide coordinated vulnerability disclosure (CVD) programme in the world.

“There’s lots of spotlight on what are really stunt hacks – but not on the defenders of networks, because it’s perceived as boring work. That so much has been achieved in the mobile industry’s security groups of GSMA FASG and 3GPP SA3 (the security umbrella) is a credit to these people.”

One of the new “surfaces”, as security experts call them, is virtual machines. It means one focused attack could bring down tens of thousands of machines in many different kinds of businesses, and can be thought of as the original sin of the cloud.

“The ramifications are large,” Rogers muses. “It’s shifting things into one basket again. With some of the attack surfaces, such as hypervisors on which the virtual machines run, the software is relatively new. The attacker wants to get under those virtualised environments and get to the root of the system. A lot of vulnerabilities have been reported in hypervisors over the years. You can see where future attacks come from.”

Although greater reliance on the cloud, virtual machines and computing protocols such as HTTP/2 and TLS means that vulnerabilities in them can expose telecoms to a new generation of risks, it also brings benefits. Perhaps the best example of this is how it’s possible to implement better monitoring.

“We can patch stuff immediately which we couldn’t do before. Or we can raise alarms immediately which we couldn’t before, if there’s a DDoS situation,” says Rogers.

The 5G world represents a generational leap in the sophistication and complexity of network security, but also new opportunities for better addressing them.

“We’ve tried to put in recommendations for vendors and operators to have this stuff in place but we’re not resting on our laurels, really. We expect to see new and sophisticated attacks.”

“There’s lots of spotlight on what are really stunt hacks – but not on the defenders of networks, because it’s boring work.

Thousands of security managers are trying to deal with this stuff. That’s the boring reality – that it’s a continual process,” says Rogers. 

Stung by stingray

IMSI grabbers (international mobile subscriber identity catchers) are eavesdropping devices first deployed on 2G networks. These could then turn off the network encryption, identify users, and interfere with the network in other ways, such as degrading performance. The best known is sold under the Stingray brand, by the large US defence contractor Harris, which has a significant presence in the UK. This was bought by police and other state agencies. Building and operating an IMSI grabber became harder in 3G and 4G, and is harder still in 5G. The Stingray series sold today is used for ad hoc battlefield networks.

Regulation and legislation

Why did Government get involved in telecoms security? It was long overdue, say experts.

“There has been a drive to reduce costs and this has meant that in some cases security was at the end of a long list of requirements,” David Rogers of Copper Horse notes. “This is where government has a role – to level the playing field such that everyone must provide an acceptable bar of security for entry into the market in the first place, so every citizen in a country is afforded a certain guarantee of protection.”

November 2021 saw new amendments to the 2003 Telecommunications Act: the new National Security (Telecoms) Act.

The biggest change comes with a shift away from voluntary best-practice. Government and security experts clearly didn’t think that these were sufficient, and the Act allows the Secretary of State to issue codes of practice. A draft code, along with a consultation on the code, was published by Julia Lopez, the Minister of State for Media, Data and Digital Infrastructure, in March. The consultation concluded in May. The National Cyber Security Centre (NCSC) advised on both the new regulations and the code.

The Act requires all telecommunication providers to take “appropriate and proportionate measures to identify and reduce the risks of security compromises occurring, as well as preparing for the occurrence of security compromises”. Security compromises are broadly defined. They cover anything that compromises the availability, performance or functionality of a network or service, any unauthorised access that interferes with a network or service, anything that “causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider”, as well as the more conventionally understood hacks. It also holds a provider responsible if a breach compromises another provider.

Telecoms providers are obliged to take action which includes limiting the damage. Providers include everyone from traditional MNOs to newer networks. The code of practice will apply to the largest national-scale (‘Tier 1’) telecoms providers, “whose availability and security is critical to people and businesses across the UK”, and these will be subject to intensive monitoring and oversight from Ofcom.

Noting that seven companies serve 88 per cent of the UK broadband and landline market, and four operators count 85 per cent of mobile subscribers, the Government defines Tier 1 as a public provider with turnover of £1 billion or more. “Compromise of smaller providers — including those who provide services rather than networks — poses much less risk to the security and resilience of UK communications. Such providers may not be able to bear the financial burdens of intensive regulatory scrutiny,” the Government notes.

To a lesser extent, the code will also apply to medium-sized (‘Tier 2’) telecoms providers, who will be subject to some Ofcom oversight and monitoring. These providers are expected to have more time to implement the security measures set out in the code of practice.

The smallest (‘Tier 3’) telecoms providers, however, including small businesses and micro enterprises, will also need to comply.

It’s wide-ranging: covering international connectivity via undersea cables, and botnet attacks. One example of a specific requirement is to ameliorate known vulnerabilities with software ‘patches’, or updates, if possible within 14 days of the patch becoming available.

It’s far from the only effort to beef up critical infrastructure. In 2016 the Security by Design exercise focused on open consumer infrastructure. It brought together experts to look at IoT gear ranging from the smart speakers and TVs that consumers have in their homes, to items like smart doorbells, to fridges. This led to a Security by Design Team in March 2018. This became ETSI Standard EN 303 645. It covered a range of areas: attack surface, software updates, data flows and deletion, and maintenance.

In addition, the UK Telecoms Supply Chain Review looked at the bigger economic picture of supply,