Understanding EU Compliance Mandates: Telecommunications-5G and Beyond

In part one of this blog series, I discussed the compliance landscape and how different industries each have their own governing mandates or guidance on cybersecurity. This was followed by a post on regulation and security controls in the Critical Systems and Operational Technology sector, an area I’ve had direct experience in. From there, we discussed the financial services regulations present in the EU. Finally, GDPR, and Cyber Essentials/Cyber Essentials Plus as a set of NCSC (UK National Cyber Security Centre) guidelines on cybersecurity.

Today, I’ll concentrate on a rapidly developing area for security: telecoms and the communication platforms they build. 5G is the current focus, of course, but the security guidance and laws being put in place today set the scene for the future beyond 5G as well.

The Telecoms Industry

In recent years, there has been a significant shift in focus within the industry and government to look at the implications weak security has in the increasingly important telecoms business. Some of this concerns high-level nation-state type implications. For example, the use of networking equipment from specific vendors or countries in the “packet core,” the base platform through which calls and data are routed. This shows the importance that these networks have for the future of the world – any potential compromise or backdoor that has even the slightest potential to exist has wide-ranging ramifications.

This also leads to a focus on peripheral systems, organizations, and suppliers. The NCSC in the UK, for example, first concentrated on the supply chain to the telecoms industry before moving onto guidance and law on the 5G networks themselves.

The UK Telecoms Supply Chain Review Report, published in July 2019 from an initial review in 2018, says that “the most significant cyber threat to the UK telecoms sector comes from states,” but also advises against the reliance on a single vendor for all supporting systems. Security risks outlined include:

• National dependence on any one vendor, especially ones deemed high risk;
• Faults or vulnerabilities in network equipment;
• The ‘backdoor’ threat – the embedding of malign functionality in vendor equipment; and
• Vendor administrative access to provide equipment support or as part of a managed services contract.

The NCSC then goes on to outline the varying security sensitivity of different network types and functions:

5G infrastructure

As new network technologies such as 5G mature, the ways in which we connect devices and manage these connected systems fundamentally change. 5G is about more than just increased speed, with massively reduced latency, vastly improved reliability and uptime, and up to 100x the number of connected devices for a given area. 5G allows direct control of IoT devices, real-time remote control of technologies such as drones without the latency issues associated with earlier technologies, vehicle-to-vehicle comms, and much less reliance on traditional wired/wifi connectivity for critical systems.

The use cases this enables significantly change the resulting security model.

5G incorporates a number of built-in security improvements, such as those outlined by Ericsson here. Improvements include end-to-end encryption with IMSI (International Mobile Subscriber), also known as the Subscription Permanent Identifier (SUPI) in 5G parlance.

However, 5G is more assuredly “critical infrastructure” than previous data-specific telecoms networks. The emphasis on the reliability, uptime, and control of critical systems, such as those in cars, means that 5G is a required backbone piece of infrastructure instead of the more entertainment/data-specific use of 4G. This is outlined neatly in the below diagram from Ericsson:

The enhanced mobile broadband section, including smartphone data connectivity, highlights the most obvious 5G use cases, but below that illustrates a whole raft of machine-to-machine communication.

At the bottom, we see critical industrial systems, traffic safety etc., all utilizing 5G for direct communication rather than bespoke networks for each purpose.

Guidance – then law

From the initial supply chain review, the NCSC in the UK first moved to review security for the UK telecoms sector.

This found that “the majority of the highest scoring attack vectors fitted into one of the following five categories:

• exploitation via the operators’ management plane
• exploitation via the international signaling plane
• exploitation of virtualized networks
• exploitation via the supply chain
• loss of the national capability to operate and secure our networks (dependency)”

From here, the rapid development was then the retirement of the earlier Telecoms Assurance Scheme - CAS(T), and the drafting of the Telecoms Security Requirements (TSR) guidance with a differing remit.

This is still currently in draft but is known to contain specific requirements in the following areas:

• Understanding the attack surface of in-scope systems
• Minimising the impact of an attack, through the reduction of connectivity – and hence lateral movement
• Strong segmentation of the management and core areas

Lastly, we have seen related requirements pass into a newly minted law: the Telecommunications Security Bill.

It’s a lot to cover! As mentioned throughout this post, the development of these new guidance sets, laws, and reviews is taking place very quickly: from basic reviews to actual law within two years in the UK.

In the wider European Union, we’re working from the much older Article 13a of Directive 2009/140EC, part of the wider ENISA telecom package. Written in 2009, this doesn’t yet take account of the many additional use cases and scenarios around 4G and 5G, although it does still include (relatively vague) points such as:

“Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services take appropriate technical and organizational measures to appropriately manage the risks posed to security of networks and services. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimize the impact of security incidents on users and interconnected networks.”

We can expect to see significant updates to this in order that bring it in-line with guidance, such as that from the NCSC.

In conclusion

The rapid escalation of analysis, guidance, and subsequent law that the NCSC process outlines in the UK shows the huge potential attack surface and implications that a move to 5G-backed telecommunications brings, along with the clear advantages in many areas of life. We’ve seen an increasing number of related projects within the industry as a result of the rapidly improving and specific guidance available.

At Illumio, we’ve been involved in a number of telecoms projects and helped with the visibility and segmentation requirements these complex, critical infrastructure environments require.

To learn about Illumio’s approach to micro-segmentation, check out:

• A quick overview of Illumio Core: https://www.illumio.com/resource-center/video/illumio-core
• How it works: https://www.illumio.com/products/core/architecture