What were the origins of the new TCCA activity related to cyber security?
Security and safety have always been at the core of critical communications as well as in the DNA of TCCA. For years, TCCA’s Security and Fraud Prevention Group (SFPG) has produced recommendations on how to secure communications over TETRA systems as well as, more recently, in the broadband domain.
The operational and technology environment is changing with the introduction of broadband technologies for critical communications. Whereas TETRA networks are dedicated, specialised and standalone systems, the broadband network value chain and range of stakeholders are far more complex, especially where public networks provide part or all of the solution.
Likewise, the content and context are changing. Just a few years ago, the communications focus was mainly based on group voice, supplemented with low bandwidth data and messaging. Today, we are increasingly focused on information-centric operations comprising and combining all kinds of data sources.
Despite this, in many ways the threat environment has not greatly changed. TETRA networks have always needed to support the security mechanisms necessary to connect to command and control systems, national databases and so on. They have also needed to secure user data between users in the field and back-end systems.
However, the need for much greater data rates, the many additional sources of data needed by field users, and the additional formats of information exchanged – for instance video – change that threat environment. The potential for security threats is therefore greater, and the impact of existing threats may have changed. Therefore, there is a need to address this changed environment.
What is cyber security in the critical communications context?
This is the question we addressed through TCCA’s cyber security workshop earlier this year, issuing an open invitation to critical communications stakeholders to participate.
The first section of the workshop was to agree on terminology to enable us to speak the same language. Traditionally we have been more involved in ICT security, and cybersecurity extends that to also cover non-information-based assets that are vulnerable to threats via ICT.
To address that wider cyber security space and to expand the horizons, the topic was approached from three angles. These included network vendor, public safety operator and user agency directions.
How are the responsibilities for cyber security shared in the critical broadband world?
To help us address cyber security in broadband critical communications, the whole end-to-end system must be considered. Then, to realise a secure solution, a layered framework for responsibilities is a great tool.
For the mobile network part, the foundation is the security focused approach in the 3GPP standards which provide the first line of defence against external threats - at least to the air interface. The next layer is in the hands of vendors having secure product development leading to secure products. Understanding the capabilities of these provides the system designer with tools to construct the secure system.
This then leads to a security aware deployment. That means paying attention to the activation and configuration of security functions in the design phase, and then actively protecting assets, detecting threats and vulnerabilities and responding to them in the operational phase. In general, these are the responsibility of the critical communications system operator, working in conjunction with the end users and other communications suppliers, for instance the mobile network operator.
User agencies want to utilise mobile networks with versatile services and applications. They expect confidentiality, integrity and availability of all communications. Their data needs to be protected in an environment that provides high performance, reliability, safety and ease of use.
This is a pretty focused view. In a broader perspective, all actors in the value chain contributing to communications integrity – such as power supply and physical security of infrastructure – need to be considered.
Have ‘bad actors’ always been an issue?
There have always been threats, but with digitalisation the nature of the threat has changed. Cyber-attacks have evolved to be a criminal and even warfare sector of their own. The continuous challenge is that the attacker only needs to find one way to produce an impact, whereas the defender should prepare for everything.
For instance, the consequences of simple human mistakes have exponentially grown. In the past, an unlocked door was only a risk if a malicious actor was nearby to take advantage. Now, if a firewall port is open, it will be detected and probably utilised in a matter of seconds.
What will be the specific areas of work/anticipated outcomes of the group?
In the workshop, a primary identified area for the community was cyber security-related information sharing and training. There is a great demand to increase awareness and understanding, and we will begin simply by answering questions such as why and what, followed by documenting and sharing industry best practice. An example of this could be how to build an action plan for cyber-attack response, or what ‘zero trust’ means in different critical communications layers.
There is also open-ended work that must be conducted to identify new vulnerabilities and threats. Although, as new vulnerabilities come to light on an almost daily basis, this is probably beyond the capabilities of an industry group.
Legal and regulatory topics also deserve attention, based on the state of national or international laws and directives. Do they, on the one hand, provide adequate frameworks for protection, and on the other, perhaps prevent optimal operations? An example of this could be information security classification by one agency preventing the sharing of even public information with another.
We would also like to see guidance on ensuring that product security is included as part of the procurement process, as well as service security as part of deployment and operations.
What will happen next?
TCCA is calling for interested volunteers to contribute to this SFPG work, complementing cyber security activity. This initial group will decide how to address the identified topics in praxis. One potential scenario is to form a new TCCA Working Group focused on addressing cyber security topics, in co-operation with other TCCA working groups running task forces to cover topics one by one. The first meeting will take place in late August or early September.
How is the landscape changing with the move towards broadband? To what degree will the landscape change again with 5G, IoT etc?
A move to broadband massively increased both the volume of traffic and device volumes and variety. 5G and IoT will only increase this further. Additionally, the likely use of public networks for communications increases the threat surface and reduces the level of control of critical communications users when it comes to their technology. The cumulative amount of information that needs to be protected increases exponentially, hand-in-hand with ever increasing dependency on communication. That could be in public safety, utilities, transport or indeed anywhere in society.
What have been the biggest cybersecurity challenges for the sector up until now?
SFPG has addressed security topics relating to the communications systems. This initially meant TETRA, but more recently also 3GPP mission critical systems over broadband.
Recommendations have been created to look at network threats and deployment issues for TETRA. Approaches to key management and end-to-end encryption have also been specified. Recommendations have been created – or are in the process of being created – to examine similar topics for broadband.
However, SFPG's focus has been on the communications network. Individual projects have taken their own separate approaches to secure the complete operational environment, of which the communications network is just a part. It is this step up, looking specifically at the wider environment, especially regarding broadband, that needs to be addressed next.