Cybersecurity: new ways, new vigilance
Following TCCA’s recent cyber security co-ordination meeting, Simon Creasey talks to a variety of industry experts on the challenges presented by the ongoing transition from narrowband to broadband
During the pandemic, cyber criminals ramped up the number of attacks on companies and organisations.
No-one was out of the firing line, not even public safety organisations, with nation-state attacks increasing as well. At the same time, the threat to public safety organisations has also come into focus due to the ongoing shift from TETRA to mission-critical broadband taking place in several countries.
One result of the increased threat is a stepping up of TCCA activity in this area. Earlier this year, for instance, it hosted a workshop to discuss these challenges. Last month, meanwhile, it held a co-ordination meeting attended by a range of stakeholders in order to discuss issues relating to cyber security for critical broadband networks.
So just how severe is the current cyber-security threat to critical communications? More to the point, what can be done to mitigate the risk?
The original TETRA technology used for critical communications was very effective, reliable and safe. Broadband for mission-critical apparently creates a whole new set of challenges, however. “TETRA is a tightly controlled private infrastructure network, whereas mission-critical broadband can run on commercial cores and protocols,” says Aaron Maben, corporate solutions engineer for security at Cradlepoint.
“Threat actors are much more versed in these protocols and standards and know more of their weak points, as they have been attacking them for decades.”
As the threat environment continues to evolve and proliferate, this presents a major challenge for mission-critical broadband users, who could conceivably find themselves targeted by cyber criminals.
“While mobile operator networks are well protected today, they will inevitably become more attractive targets to attack,” says Jason Johur, chair of TCCA’s Broadband Industry Group. “Their services are [after all] becoming increasingly critical to consumers, industries and governments.”
This is of course not to say that MNOs such as AT&T and EE – the latter of which is providing coverage to the UK Emergency Services Network – are unaware of the threat. Indeed, as CCT readers will remember, critical comms cyber-security expert Brian Murgatroyd expressed a high level of confidence in ESN security earlier this year. This is because ESN and other public safety networks, superimposed over public networks, will have additional security measures to ensure their protection.
Another factor in this evolving situation, meanwhile, is the increased complexity, comparatively speaking, of broadband technology. Discussing this, head of product security for Secure Land Communications at Airbus, Louis Granboulan, says: “When critical communications end-users use broadband, they use devices which are more complex than for legacy [systems]. Therefore, the security challenge [also] becomes more complex, but [the level of] complexity also depends on how the technology is organised and used.
“In particular, if the end-users have a [broadband] device which is not necessarily dedicated to critical communications, managing security risks becomes more complex. The more complex the end-user device is, the higher the security challenges are.”
Colin Tankard, managing director at cyber-security consultancy Digital Pathways, also says he is concerned about the potential issues presented by modern devices, which he views as potential weaknesses within the system. “Generally speaking, devices that are intended for a secure network, which could be TETRA or something for the military, are designed with security in mind. A commercial phone is generally not designed [with that level of high security].” Again, as with the MNOs mentioned earlier, this does not mean that broadband device manufacturers aren’t acting on the potential threats discussed in this article.
At the same time, there are also challenges on the server side. “Servers are less ‘monolithic’ than they were, and there are a wider variety of settings,” says Granboulan. “Cyber-security challenges can therefore depend on whether the server side is a dedicated system kept on-premises, or a shared one, which makes the security risk analysis more complex.”
'Expanding the attack surface'
Another issue, according to Maben, is that by introducing broadband for critical comms, users are “expanding the attack surface”. “This results,” he says, “in increased complexity in managing risk and security, as IT teams now have more to monitor. It can also create a supply chain risk if companies are relying on commercial providers instead of deploying private infrastructure.”
This is a view shared by Johur, who says: “Historically, many mission-critical narrowband networks were closed, often with no internet access. Going forwards, deployment of broadband technologies will inevitably result in implementing a network-of-networks. This naturally increases the complexity of any system. That said, security technology and expertise has also moved on to cope with these changing and more complex environments.”
While some of these challenges are common across all critical communication users, there are also different challenges for different mission-critical verticals, thereby complicating the situation further. Speaking of this, Granboulan says: “One big challenge depends on whether the network infrastructure is dedicated or shared. This choice of setting is very dependent on the verticals.
“There are different security threats on a network shared by multiple entities who use the system as a service, something which will often be the case for the transport, utility and industry verticals. One challenge here is to be able to trust the service provider to dedicate necessary resources when needed.”
As more industries converge on 4G LTE/5G ‘shared’ networks and future 3GPP technologies, the threats on different industries begin to overlap and coalesce"
Jason Johur, chair of TCCA’s Broadband Industry Group
Historically, the types of threats each vertical encountered were subtly different. Johur says that some sectors, such as public safety, would have implemented the full gamut of security features, whereas others might only be able to justify implementing a subset of features “commensurate with the perceived risks” to their business.
“But, as more and more industries converge on 4G LTE/5G ‘shared’ networks and future 3GPP technologies, the threats on different industries begin to overlap and coalesce,” he says. “Security solutions designed to protect the network will provide spillover benefits to protect a much wider range of industries than ever before, improving security for the many.”
The role of the vendor
It is clear that vendors need to play a key role in locking down security in order to ensure that the transition from TETRA to broadband is as smooth as possible. This effort, of course, is something which is already taking place. One of the major challenges for vendors in relation to this, however, is understanding the fundamental differences between commercial and mission critical.
Manufacturers therefore need to ensure that they have the relevant in-house resources and experience to help them bridge any potential knowledge gap. Illustrating this point, Maben states that his own company hires and consults with public safety veterans on any key issues that need addressing.
Elaborating on this, he says: “Vendors should also consult with public safety organisations to ensure that the offering meets their stringent requirements. Vendor offerings should consider redundancy and assist public safety agencies on their PACE [primary, alternate, contingency, emergency] planning.
“For example, Cradlepoint produces products that allow for multiple communications options. This could either be through mobile communications – cellular, Wi-Fi, ethernet – or via ethernet/IP interface with an endpoint [satcom, LMR, MANET].”
At the same time, vendors also need to be fully aware of compliance and regulatory requirements within mission-critical communications, developing products that subsequently meet those requirements. Maben says they also need to put in place a robust cyber-security programme, while at the same time communicating how they manage their own risk.
One vendor that is at the forefront of this particular push is Ericsson. Anders Ripa, who is principal security expert at the company, says that it “continues to be a recognised driving force in all aspects of security and privacy in our mobile networks”. He adds that “security is a fundamental building block” for making sure systems are stable and reliable.
To this end, he says: “Our product security incident response team is actively monitoring the international threat situation, feeding that [information] to our product development teams. The security team also supports our customers in incident handling and forensics.”
Other vendors have also put in place similarly robust protocols. Scott Kaine, vice-president and general manager, cyber-security services at Motorola Solutions, says safety is at the heart of everything his company does.
“Our philosophy is that security should be embedded in every phase in our product and software solutions, from the time before a developer even touches a keyboard all the way to the product being in the hands of our customers,” he says. “Our focus is on delivering secure solutions and educating our customers about areas of shared responsibility, including endpoint detection and identity and access management.
“They can [then] manage and maintain these solutions to a high standard of security to help ensure they are not compromised. We also offer a wide range of cyber-security services to help customers if they don’t have the expertise or resources to do this themselves.”
Evolution to broadband
The support offered by the likes of Ericsson and Motorola will make it easier for critical communication users to safely make the switch from TETRA to mission-critical broadband. But, again, it is a move that is not without its challenges.
Digital Pathways’ Tankard says the ongoing evolution from narrowband to broadband is also going to require a significant mindset shift by some users themselves.
Part of this issue, he says, is that many ‘mission critical’ organisations are more ‘information security’-orientated than ‘cyber security’ orientated. The reason for this, for him, is that a lot of the devices currently used in the mission-critical space are designed with security already in place.
According to Tankard, another problem is a relative slowness to embrace change on the part of some of these organisations when compared with other industry sectors. That is not the attitude of TCCA, however, whose Security and Fraud Prevention Group has provided advice for years on how to secure communications over TETRA systems.
Addressing the challenges
At TCCA’s recent cyber security co-ordination meeting, attendees discussed a wide range of issues, including how to share information around threats and protection in the most efficient and effective way. They also talked about industry best practice for critical communications broadband, and how to identify new system and network vulnerabilities and threats.
In addition, attendees also agreed what the first step might be when it comes to establishing a new task force. This would focus on a specific cyber-security issue relating to mission-critical comms. What that topic might be is still under discussion and has not yet been agreed upon.
Speaking of TCCA’s involvement in this area of work, the chair of its Critical Communications Broadband Group, Tero Pesonen, says: “There is absolute consensus that we should do this, but the big question is what is the most important thing that we should tackle first. We are looking forward to getting the taskforce co-ordinated and getting it to work as soon as possible.”
Once the topic has been agreed, he anticipates the task force will spend three to six months exploring the issue in question. After this, it will report back, and a decision will be made as to whether to create another taskforce with a new topic, or to set up a working group.
Regardless of the path taken, says Pesonen, good progress has been made. He adds that TCCA is committed to working with critical communications operators and users to advise, enhance and add value to their cyber-security processes and procedures.
Discussing this further, he says he is confident that the challenges spoken about in this article can be addressed if everyone pulls together to meet them head on. He also cautions that – given the wider threat landscape associated with the move from narrowband to broadband – doing nothing is not an option.
“[Organisations need to] think to themselves, what do we know about cyber security? What is the environment?” he says. “They also need to understand what they can influence and whether their processes and knowledge base are in order.
“What things are going to change for you, when you move to broadband and when your organisation moves to broadband? And if you feel that something hasn’t been done yet in terms of cyber-security provision or operating procedure, then maybe it’s about time to start planning for it.
“We know that broadband is coming to every Western European country during this decade. The sooner user organisations manage to get their part done – as well as, of course, vendors, applications providers and operators – the smoother things will be, and the more benefits we will enjoy.”
The move to broadband will likely revolutionise mission-critical comms. With these new opportunities, however, also comes the need for increased vigilance.