We Need Zero-Trust for Private Cellular Networks

For years, there were IP networks and public cellular networks. Each had its own functions, goals and purpose, and never did the 'twain meet. But with the growth of private LTE and 5G networks, cellular technology now serves a purpose that for years belonged to IP networks: connecting IoT and OT devices. As a result, the security problems long associated with IP networks (command-and-control malware, ransomware, DDoS attacks) have followed those devices onto private cellular networks.

That said, the tools used to defend the two kinds of network are quite different. Products built for IP networks are largely blind on cellular networks because the protocols (GTP tunnels, Diameter and 5G core signaling rather than plain IP between hosts), the architecture (RAN, core and user plane) and the data flows all differ. Conversely, tools built for cellular networks were designed around carrier requirements such as interconnect and roaming signaling, not around protecting an enterprise's own devices and applications.

Organizations need to develop and implement an organized plan for private cellular network security, using familiar IT security concepts such as authentication, segmentation, network context and monitoring. This is especially important now that more organizations are adopting advanced cellular technology, with its reliable, always-on connectivity, for robotics, advanced production, automated warehouse operations and much more: tasks that until now would have been handled over IP networks.

To better protect the cellular networks they have come to rely on, organizations should adopt zero-trust architecture (ZTA), an approach well established in IP networks that has proven to be a better, safer way of securing networks than the traditional perimeter security model.

In a ZTA, every connection, whether from a device inside or outside the network, must continually prove that it meets security policy at every digital interaction. The advantage is that attackers have a much harder time compromising devices and turning them against network assets than in a perimeter defense, where a device or connection, once admitted as "safe", is trusted implicitly from then on and can be compromised without further checks.

Security teams, however, need to realize that ZTA will operate differently on these networks than on IP networks. Simply repurposing the tools used for IP ZTA won't work; a ZTA built on cellular protocols needs to address the risks specific to private cellular networks, including Diameter attacks, N6/UPF attacks, DNS and DHCP hijacking, inter- and intra-APN lateral movement, compromised devices rejoining the network over a different connectivity path, GTP-C and GTP-U injection, Modbus/MQTT hijacking, IMP4GT, Core/RAN API and Core-RAN HTTP/2 attacks, and many more.

But as with traditional IP networks, ZTA on cellular networks is a comprehensive process, requiring at least the following four elements.

Cellular Network Authentication

Contextual authentication: Cellular network authentication works differently from IP network authentication, mainly because on cellular networks the SIM plays the central role: it holds the subscriber key and performs the challenge-response (AKA) exchange that authenticates the device to the core.

But SIM authentication is just the first step. Many believe that SIM authentication by itself delivers zero trust on these networks, but it is only a preliminary part of the necessary steps: even a device with an authorized SIM can be compromised, because the SIM proves possession of a subscriber credential, not the integrity of the device behind it. A ZTA model therefore requires constant, automated authentication of these systems, since 2FA and other interactive user-authentication models do not apply to headless machines. A further issue is that 5G networks support connections and authentication for both 3GPP and non-3GPP devices (for example, devices arriving over Wi-Fi), and the latter need to be authenticated contextually. In addition, there needs to be an easy way to add devices, such as new robots or IoT systems, to these dynamic networks, which will control essential functions in organizations.

Contextual visibility: Because a cellular network has so many moving parts (mobile robots, IoT devices constantly exchanging data, low-latency connections moving data at high speed), monitoring to ensure that all connections are legitimate is even more crucial than in IP networks. Any unidentified or unauthenticated connection must be shut out, and kept out until the requisite authentication information is provided. A ZTA model requires that the role of each device or connection in the context of the network be clear even before that connection is made.

Contextual authorization: As important as authenticating a device or user is, validating the context in which it is being used (location, IP address, time of connection, network identifier and other facts about how and where a connection is being made) is just as important. Advanced security systems need to ensure that this contextual data makes sense: that the device's location is one from which the network expects a connection, that the time of the connection falls within an expected window, that the device attaches through the APN and address pool assigned to its role, and so on. Just as traffic can be spoofed on IP networks, attackers can falsify connections on a cellular network. A ZTA model for these networks needs to account for this contextual information.

Contextual monitoring: Attackers will seek out weak links in the network in an attempt to hijack them. Constant monitoring is therefore needed so that any potential breach is discovered and mitigated before an attack succeeds. That includes continuously assessing whether devices on the network, such as IoT devices, are being queried by unknown agents, and seeking out devices that still use factory-default credentials (for example, "Admin:Password"). Monitoring systems also need to deliver current data together with its implications, such as whether a DDoS attack is under way.
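The four elements above, as one added worked example that is not part of the original article or of OneLayer's product: a small Python policy layer that takes the core's SIM-authenticated attach events and N6-side flow records and applies contextual authorization and continuous monitoring on top of SIM authentication. The data model (DevicePolicy, AttachEvent, Flow), the IMSIs, cell IDs, APNs, address pools and flow records are all constructed assumptions, and the example assumes the core has already completed AKA and can map UE addresses back to IMSIs.

```python
"""Added example (not from the article or from OneLayer): a minimal zero-trust
policy layer for a private LTE/5G network. The core has already done SIM/AKA
authentication; this layer checks that the authenticated device is also
authorized in context and that its traffic looks legitimate. Field names,
record formats and all sample data are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class DevicePolicy:
    role: str
    apn: str                   # APN (DNN in 5G) the device must attach through
    cells: frozenset           # cell IDs where this device is expected
    ip_pool: str               # UE address pool of its network segment
    window: tuple              # (start, end) hours during which it may attach
    allowed_peers: frozenset   # (ip, port) pairs it may exchange traffic with

# Expectations per SIM, keyed by IMSI (assumed data model; a real deployment
# would build this from the subscriber database plus an asset inventory).
INVENTORY = {
    "001010123456789": DevicePolicy(
        role="agv-robot", apn="robots.warehouse", cells=frozenset({101, 102}),
        ip_pool="10.20.0.0/24", window=(time(6, 0), time(22, 0)),
        allowed_peers=frozenset({("10.99.0.10", 1883)})),  # MQTT broker
    "001010123456790": DevicePolicy(
        role="plc", apn="ot.floor1", cells=frozenset({201}),
        ip_pool="10.30.0.0/24", window=(time(0, 0), time(23, 59)),
        allowed_peers=frozenset({("10.99.0.20", 502)})),   # Modbus master
}
DEFAULT_CREDS = {("admin", "password"), ("admin", "admin"), ("root", "root")}

@dataclass
class AttachEvent:
    imsi: str
    apn: str
    cell_id: int
    ue_ip: str
    ts: datetime

@dataclass
class Flow:
    imsi: str                      # UE identity resolved from the UE address
    direction: str                 # "out" = UE -> peer, "in" = peer -> UE
    peer_ip: str
    peer_port: int
    packets: int
    creds: Optional[tuple] = None  # (user, password) seen by a protocol decoder

def authorize_attach(ev, inventory=INVENTORY):
    """Policy violations for an attach (empty list == allow). A known,
    SIM-authenticated IMSI is necessary but not sufficient."""
    pol = inventory.get(ev.imsi)
    if pol is None:
        return ["unknown SIM"]
    problems = []
    if ev.apn != pol.apn:
        problems.append(f"wrong APN {ev.apn}, expected {pol.apn}")
    if ev.cell_id not in pol.cells:
        problems.append(f"unexpected cell {ev.cell_id}")
    if ip_address(ev.ue_ip) not in ip_network(pol.ip_pool):
        problems.append(f"UE IP {ev.ue_ip} outside pool {pol.ip_pool}")
    if not pol.window[0] <= ev.ts.time() <= pol.window[1]:
        problems.append(f"attach at {ev.ts.time()} outside allowed window")
    return problems

def inspect_flows(flows, inventory=INVENTORY, flood_pkts=10_000):
    """Monitor N6-side flow records: unexpected peers in either direction,
    factory-default credentials on the wire, and per-target packet floods."""
    alerts, toward = [], Counter()
    for f in flows:
        pol = inventory.get(f.imsi)
        if pol is None:
            alerts.append((f.imsi, "traffic from unknown SIM"))
            continue
        if (f.peer_ip, f.peer_port) not in pol.allowed_peers:
            what = ("queried by unknown agent" if f.direction == "in"
                    else "contacts unexpected peer")
            alerts.append((f.imsi, f"{pol.role} {what} {f.peer_ip}:{f.peer_port}"))
        if f.creds in DEFAULT_CREDS:
            alerts.append((f.imsi, f"factory-default credentials {f.creds[0]}:{f.creds[1]}"))
        if f.direction == "out":
            toward[f.peer_ip] += f.packets
    for ip, n in toward.items():
        if n >= flood_pkts:
            alerts.append(("*", f"{n} packets toward {ip}: possible DDoS participation"))
    return alerts

# Constructed samples: a legitimate robot attach, the same SIM attaching through
# the wrong APN, cell and pool at 03:15, and three N6 flows to inspect.
OK_ATTACH = AttachEvent("001010123456789", "robots.warehouse", 101, "10.20.0.7",
                        datetime(2023, 5, 4, 9, 30))
BAD_ATTACH = AttachEvent("001010123456789", "ot.floor1", 333, "10.30.0.7",
                         datetime(2023, 5, 4, 3, 15))
SAMPLE_FLOWS = [
    Flow("001010123456790", "out", "10.99.0.20", 502, 40),
    Flow("001010123456790", "in", "10.99.0.77", 502, 3, creds=("admin", "password")),
    Flow("001010123456789", "out", "203.0.113.5", 80, 12_000),
]

if __name__ == "__main__":
    print(authorize_attach(OK_ATTACH), authorize_attach(BAD_ATTACH))
    print(inspect_flows(SAMPLE_FLOWS))
```

Run directly, the legitimate robot attach passes with no violations, while the same SIM attaching through the OT APN in an unexpected cell at 03:15 collects four; the flow inspection flags the PLC being queried by an unlisted host with admin:password on the wire and the robot sending 12,000 packets toward an external address. The point is that the allow decision never rests on the SIM alone: identity gates entry, context gates authorization, and monitoring keeps the decision honest after the session is up.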

Carriers, infrastructure companies and researchers are aware of these problems and are working to develop a ZTA model for advanced private cellular networks. Leading telecommunications and cybersecurity companies all have their take on how this could be done. While the methods differ, the objective is the same: ensuring that private cellular networks remain secure and provide the benefits that businesses and enterprises need. When ZTA becomes a go-to security strategy, taking into consideration onboarding, authentication and the other security issues above, expect many more organizations to take advantage of the benefits available with private cellular networks.

Liron Ben-Horin

Liron Ben-Horin is VP of Systems Engineering at OneLayer, which provides enterprise-grade security dedicated to private LTE/5G networks. Liron has led large-scale sections of analysts and researchers in the cyber domain. He has vast experience with cybersecurity methodologies and approaches, and with modern cellular protocols and technologies.