This post is by Günther Horn from Nokia Solutions and Networks.
Mobile security risks on the rise
Today’s mobile networks no longer rely on obscure or proprietary protocols from the telecom industry but on IP-based protocols. IP has allowed mobile networks to interface easily with web servers, has spawned massive growth in user applications, and provides a superior mobile user experience. While this is a cornerstone of the success of mobile communication, it has also exposed the infrastructure to the same types of security threat that the Internet and the Web have been experiencing.
If our mobile networks are to withstand various attacks, the network products need to fulfill a number of security requirements. These include:
• the use of secure software development and patching practices
• the implementation of security functions like authentication, access control, and encryption
• hardening*, protocol resilience, and others
Only a small part of these requirements is covered by today’s standards. Two things need to be done to establish a reasonable measure of confidence in the security of the mobile network infrastructure: first, define a set of detailed security requirements for network products, and second, agree on how to test and evaluate whether the requirements are fulfilled. This process of providing confidence in the security of a product is also called security assurance.
The role of standards in security assurance
So, what is new here? After all, vendors have long used secure development guidelines and implemented security functions to some degree. What is new is the heightened awareness of these security risks, which has led to various activities on both the regulators’ and the operators’ side. We are seeing government-initiated mobile security activities (e.g. in the United States, the European Union and India) and a growing number of NSN’s customers handing us elaborate security requirements that our products must fulfil. While NSN welcomes this interest, divergent requirements complicate development and drive up product costs. 3GPP, the body that defines the majority of cellular standards, has recognised this problem and started work on security assurance specifications in mid-2012. This work aims to harmonise security requirements and opens up the possibility of industry self-regulation in the area of cyber security, instead of regulation imposed by governments.
3GPP has already completed a study phase and agreed on a lightweight security assurance methodology, called SECAM, which is captured in the approved 3GPP Technical Report TR 33.916. SECAM prevailed in 3GPP over a proposal to use the well-known Common Criteria, which proved too heavy-handed procedurally for our fast-paced industry. 3GPP has now decided to take the SECAM work to the normative stage and produce so-called Security Assurance Specifications (SCASs), which will have the status of 3GPP technical specifications. Each SCAS will contain security requirements, the associated test cases, and hardening requirements. 3GPP decided that the first product class for which an SCAS will be written is the MME (Mobility Management Entity) product class. Other LTE product classes, e.g. eNodeBs, are probably next in line, after which 3G product classes will be covered by SCASs.
In parallel, the GSMA is developing rules for the vendor product development process and for security test labs that will form the basis for the accreditation of vendors and test labs by the GSMA in the context of SECAM. The GSMA can draw on their experience with the accreditation of smart card vendors and related test labs.
It is clear that, once operators and regulators require testing according to SECAM, the impact on the way mobile network vendors, including NSN, develop and sell their products will be tremendous, and business units are likely to be affected more comprehensively than by traditional standardisation activities. So undeniable challenges meet undeniable benefits, and NSN will remain at the forefront, supporting this 3GPP work through active contributions.
*3GPP defines the purpose of hardening as contributing to a reduced attack surface of the network product. This can be achieved by software, hardware and configuration methods. Examples of software methods are removing unnecessary services and unused user accounts. An example of a hardware method is physically removing unused USB ports. An example of a configuration method is disabling local access to an eNB.
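To make the software side of that footnote concrete, here is an added example (not NSN or 3GPP code, and not part of any SCAS) of a minimal hardening audit in POSIX shell: it flags listening ports and interactive-login accounts that are not on an allowlist, which is the kind of check an operator or test lab would run before and after the "remove unnecessary services and unused accounts" step. The allowlists, the port listing and the /etc/passwd lines are constructed for the example; a real audit would feed it the parsed output of ss or netstat and the live /etc/passwd.

```shell
#!/bin/sh
# Added example of a network-product hardening audit (not NSN/3GPP code).
# Checks two of the software hardening items from the 3GPP footnote:
#   1. listening services that are not on the expected-service allowlist
#   2. accounts that still have an interactive login shell but are not
#      on the permitted-login allowlist (candidates for removal/locking)

# Assumption: the element is only expected to expose SSH for O&M and a
# management API on 8443. Adjust per product class.
ALLOWED_PORTS="22 8443"

# Assumption: only root and the O&M account may have a login shell.
ALLOWED_LOGIN_USERS="root oam"

# audit_ports: reads "proto port" lines on stdin (the shape a small
# ss/netstat parser would produce) and prints one finding per port that
# is not in ALLOWED_PORTS.
audit_ports() {
    while read -r proto port; do
        [ -z "$port" ] && continue
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                                  # expected service
            *) echo "UNEXPECTED_SERVICE $proto/$port" ;;
        esac
    done
}

# audit_accounts: reads /etc/passwd-format lines on stdin and prints one
# finding per account that has an interactive shell (anything other than
# nologin/false) and is not in ALLOWED_LOGIN_USERS.
audit_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        case "$shell" in
            */nologin|*/false) continue ;;                   # already locked out
        esac
        case " $ALLOWED_LOGIN_USERS " in
            *" $user "*) ;;                                  # permitted login
            *) echo "UNEXPECTED_LOGIN_ACCOUNT $user uid=$uid shell=$shell" ;;
        esac
    done
}

# Constructed sample data standing in for live system output.
# Telnet (23) and SNMP (161/udp) are the unnecessary services here, and
# "test" is a leftover account with a login shell.
SAMPLE_PORTS='tcp 22
tcp 23
tcp 8443
udp 161'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
oam:x:1000:1000:O&M user:/home/oam:/bin/sh
test:x:1001:1001:leftover test account:/home/test:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'

# report: runs both audits over the sample data and prints the findings.
report() {
    printf '%s\n' "$SAMPLE_PORTS" | audit_ports
    printf '%s\n' "$SAMPLE_PASSWD" | audit_accounts
}

report
```

Running it prints the two unexpected services and the leftover account; on a real element you would replace the two SAMPLE_ variables with command output and treat any finding as a failed hardening test case.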
Read about NSN’s recently established mobile broadband security center in Berlin here.
To share your thoughts on the topic, join the discussion with @NSNtweets using #telcosecurity #CSPCX #mobilebroadband #NSNnews #TechVision2020 #CEM #FutureWorks #Innovation.