3 minute read 5 Apr 2021

How to adopt a security-by-design approach to telecoms operations

By Tim Best

EY Sweden Advisory, Risk, Cybersecurity, AM&M Cyber Leader

Cybersecurity specialist with over 18 years of experience in IT and Cybersecurity consulting and project delivery. Worked across EMEIA in a wide range of cybersecurity roles.

Related topics TMT Telecommunications

If the global pandemic had impacted us only two years ago, we wouldn’t have been able to cope as well as we have now.

This article is part of the EY NextWave Telecommunications Journal

In brief:
  • Understanding security in a 5G environment is complex and enabling it in a way that doesn’t prohibit imagination is challenging.
  • Taking a look at new capabilities and having a deep understanding of data indicates an opportunity to know what matters to end users.

I’ve personally been involved in IT for over 20 years and things have certainly come a long way since then. I now look after EY cybersecurity teams predominantly within the Nordics, and most of the work I do is around providing support to Nokia specifically. What I’ve seen is that the technological advancements made within the past 24 months have surpassed almost anything I’ve ever experienced, and it’s enabled us to adapt to a rapidly changing environment seamlessly.

As a society, we now have technology that connects and unites. And underpinning all of this, of course, are the networks. While once a network was a physical entity and fairly static, it’s now the polar opposite. A network can be spun up, wound down, altered and adapted on the fly as situations change. And that’s why the communications service providers (CSPs) and the services they offer have become far more meaningful to us as individuals.

Selling the dream of endless possibility

Digital transformation is continuing to accelerate because we’ve seen what’s possible in a short space of time. And as we look to a future of 5G-enabled networks, it’s quickly apparent that adaptive, flexible and automated capabilities will enable new slices of network with new processes and power that’s pushed out to the edge. Almost anything will be possible thanks to virtualization. But are telcos equipped to deliver on these promises?

For the most part, it’s fair to say that telcos are generally well-prepared for 5G. We just need to set expectations that new use cases may take a while to establish as staff are upskilled. After years of requiring network engineers and architects, we now need software engineers and architects – as well as security engineers and architects – which are in short supply. That’s because understanding security in a 5G environment is complex and enabling it in a way that doesn’t prohibit imagination is challenging. So, where do you start?

The key areas of consideration

If we’re working with a customer that wants to secure all of these areas, we’ll perform an in-depth assessment of each environment. From there we’ll construct a set of recommendations and put measures in place that protect the things that matter most to the customer. The business case is very important to us – and understanding what the customer wants to achieve in the long run.

We can then help to implement the recommendations. We also monitor networks and track the impact of any changes made. This is, in part, how my teams provide support to Nokia. The EY organization provides specific IT security skills and support – helping the organization to maintain, manage and deliver performance in its network operation and security operation centers.

Embedded security

Security isn’t something that you simply bolt on to 5G. It should be built into all of your hardware and software components from the outset. That’s why we work with our customers to help them understand their security requirements and what needs to be included from the start. Additionally, the concept of perimeter security doesn’t apply to 5G, because everything is the network – not just the core – so your security needs to cover all areas of the network as opposed to the edges. And you need to understand what threats look like in each area.

Network slicing

Slicing is where your network is divided into several end-to-end virtualized environments – so you need to think about how you isolate each of these network slices. For example, how will you separate a network slice that a bank is using from that of a government department or a hospital? With each slice potentially hosted in physical machines mere meters apart that may even share the same cabling, how do you guarantee data security from end to end: from back-end database to bank teller or hospital nurse? You need to be able to control access and authentication, and to monitor each slice.

Roaming

Cloud and virtualized environments need a flexible yet robust level of security to meet the demands of roaming and interconnectivity. Before, during and no doubt after the impact of COVID-19, people have roamed and will roam across networks and countries, so you need to extend security across the roaming network as well.

Back-end systems

While there are many more areas, an important one is the back end – the core systems that drive the network. It’s essential to make sure that the back end has dedicated security too, because of its potential knock-on effect on all other areas of your infrastructure.

The ultimate goal

Securing the supply chain all the way down to the end business user is the ultimate goal. And to achieve that, cybersecurity needs to be embedded, end-to-end and everywhere across the network.


Summary

Unlike traditional models, 5G networks are much harder to learn and predict. The environment could be vastly different from one minute to the next. Therefore, we’re constantly looking to find ways to use machine learning and AI to understand the data, create patterns and raise alerts for humans to action. It’s a never-ending challenge, but one that we relish tackling on a daily basis. 
