By: Florin Neamtu, Signaling and Security Product Lead
In July 2020, 5G Americas considered that 5G will likely be one of the most significant technological and societal disruptors of the upcoming decade, and stated concerns about 5G NSA/SA vulnerabilities through downgrades to SS7 and Diameter signaling.
With 5G services introduced in NSA (Non-Standalone) mode, the coexistence of 2G, 3G, 4G, and 5G network elements will be common for many years to come, and SS7 and Diameter problems will be inherited by 5G, especially at the interconnection points.
The data extracted from SS7 and Diameter signaling network testing and the trends in security breaches are worrying. Although security investments (such as in signaling firewalls) have been growing, current threats remain very high; some of them, such as call interception, have begun to increase again (see chart below). Results from tested networks show that Subscriber Information Disclosure occurs in 100% of cases, while SMS interception happens in 86% of the tested cases. This clearly shows that existing investments are underutilized and underperforming, supporting government and regulator concerns.
CUMULATIVE STATISTICS: 2015-2019¹
After agreements made during the Prague 5G Security Conference in May 2019, many national authorities now require mobile operators to audit and monitor the security of their networks (2G, 3G, 4G and 5G) and report incidents and/or results to the regulator.² As part of the agreement, in December 2020 the UK introduced fines of £100,000 a day or 10 percent of revenue for non-compliance. Other countries are expected to introduce fines in the same range in the near future.
Furthermore, on December 16, 2020 the European Commission stated that, relative to the EU 5G Toolbox, most Member States are already well on track to implement the recommended measures. They should now aim to complete their implementation by the second quarter of 2021 and ensure that identified risks are adequately mitigated. According to the European Commission, once the proposal is agreed to and consequently adopted, Member States will have to transpose the NIS2 (Network and Information Systems 2) directives into laws within 18 months.
From an investment point of view, cybersecurity is a priority also reflected in the EU’s next long-term budget (2021-2027). Under the Digital Europe Programme, the EU will support cybersecurity research, innovation and infrastructure, cyber defense and the EU’s cybersecurity industry.³ In addition, the US strategy on Huawei’s accelerated Open RAN initiatives (the initiative to diversify the radio access element of the mobile networks) will boost investments, according to Dell Oro Group.
Countries will need to define for their telecom infrastructure what their “acceptable risk” would be, as it will be prohibitive in the value chain to control everything end-to-end. The most advanced requirements have been laid down and published by the EU’s cyber security advisory organization, ENISA.⁴
Lastly, regarding “Clean Network Initiative” progress: on January 1st, 2021 the US, Bulgaria, Macedonia, and Kosovo signed MOUs to secure 5G networks in European countries, bringing the Clean Network coalition to more than 50 countries and 170 telecommunication companies, according to the US Department of State.
Recommendation: Building audits and monitoring into companies’ security budgets is considered a good working practice to ensure long-term legal compliance.
At iBASIS that’s exactly what we do: we are “the middle man” providing global connectivity to tier one carriers, mobile network operators and IoT service providers, in the most efficient and secure ways. Secure delivery of global telecom services is possible thanks to advanced algorithms and sophisticated technology, but foremost to human intelligence: iBASIS has in-house experts such as data scientists and has forged strong partnerships to make sure any investments already made by our customers are fully utilized and that we keep up to date with ever-evolving threats.
Please join us and leading cybersecurity partner, Positive Technologies, on February 17 to learn more about the trends in signaling security threats. Learn more about the webinar, Building Trust in Telecom Networks Through Signaling Security Intelligence.
1 Positive Technologies, Cumulative Data, Public White Papers 2015-2019
3 Digital Europe Programme: Europe investing in digital: the Digital Europe Programme | Shaping Europe’s digital future (europa.eu)