Why MNOs need to consider security when purchasing 5G spectrum

Jimmy Jones.
(Image credit: Future)

According to the GSMA (opens in new tab), 5G deployment will be 'reignited' in 2021, despite the pandemic slowing down new 5G launches last year. We are already witnessing mobile network operators (MNOs) across the globe fast-tracking their 5G deployment and purchasing licenses. Spectrum is considered the lifeblood of the wireless industry and with MNOs ploughing huge amounts of money into the licenses to boost their 5G network coverage, it's also time they put security where their money is. 

"The reality is that 5G networks are going to be the most expensive networks to date, so it’s key that security is in mind from the start."

Jimmy Jones, Positive Technologies.

This month, Ofcom (opens in new tab) closed its auction, where EE, O2 and Vodafone all gained a share to boost their 5G networks’ coverage and speed. Despite the auction (opens in new tab) falling short of analysts’ predictions (raising just £1.36bn for the Treasury compared to the USA's record 5G spectrum auction in February which yielded $81bn (opens in new tab)) the reality is that 5G networks are going to be the most expensive networks to date, so it’s key that security is in mind from the start. 

The value of listed telecoms companies (opens in new tab) dropped almost 20 per cent on average last year, which means with strained balance sheets, it's no surprise they are showing financial discipline. With this in mind, it's important they protect their spectrum investments so far by ensuring their networks are secure.

Telecoms critical to national infrastructure

Telecom networks are a crucial part of society, not just because billions of users are connected remotely due to working from home, but because other industries and services rely on the infrastructure - such as emergency services and factories. Being an essential component of national infrastructure means the risks and dangers to networks being compromised are greater than simply a loss of internet connection for subscribers, it’s a case of national security.

"Last year, the UK government introduced the Telecoms Security Bill which imposes harsher fines for operators who fail to protect their networks and subscribers."

Jimmy Jones, Positive Technologies.

Governments across the globe are responding by introducing tighter restrictions and new laws for mobile network operators (MNOs) to comply with in order to secure their networks and mitigate risks to subscribers. Last year, the UK government introduced the Telecoms Security Bill (opens in new tab)which imposes harsher fines for operators who fail to protect their networks and subscribers. The European Union (opens in new tab) also released the EU Toolkit (opens in new tab), which was supported by a document from ENISA, the European Union’s cyber security advisers. 

When a breach occurs, 75% of customers lose trust and therefore their customer’s loyalty to their brand. With the competitive landscape becoming fiercer and MNOs not only competing with one another, but utility providers, banks, manufacturers and others who are accelerating their own deployments of private 5G, subscriber attacks can be both financially and reputationally damaging. The stakes are high between staying ahead of competition and avoiding regulatory fines, which means that the security of networks should not be an afterthought. 

Security flaws in networks

The security flaws and vulnerabilities in networks need to be plugged, in order to ensure MNOs are optimizing their ROI. Each generation of mobile networks must interoperate with previous ones and because of this, newer generations inherit the weaknesses of their predecessors. The first generation of 5G networks (5G Non-Standalone) is based on the LTE network core, which means that 5G is vulnerable to the same flaws as 4G such as tracking user location, obtaining sensitive information and intercepting calls & SMS.

As MNOs migrate to standalone 5G networks, they must consider not only the old but the new, 5G has security considerations of its own. Recent research shows that the next generation of 5G networks will be susceptible to threats through the sheer complexity of new configuration burdens, not to mention constant changes that mean more vulnerabilities will appear. The vulnerabilities in protocols HTTP/2 and PFCP, which will be used by standalone 5G networks, could include the theft of subscriber profile data, impersonation attacks and faking subscriber authentication.

How can MNOs ensure their networks are secure?

With society becoming more reliant on mobile networks than ever before, securing them must be a priority during the design stage. This is even more true now, as operators shed themselves of previous generation networks and migrate towards standalone 5G networks. 

The 5G security market size (opens in new tab) is projected to grow from $580 million in 2020 to $5.226 billion by 2026, at a compound annual growth rate (CAGR) of 44.3% during the forecast period, according to MarketsandMarkets. Securing networks goes beyond protecting the monetary value of investment. Another key driver stems from the concerns around national security given 5G networks will form a key component of critical national infrastructure.

"In order to achieve full visibility over traffic and messaging, operators need to perform regular security audits."

Jimmy Jones, Positive Technologies.

If we look at the recent UK Telecoms Bill, the security obligations include rules on who has access to sensitive parts of the "core" network, how security audits were conducted, and protecting customer data. This forces operators to improve their security protection for the whole network rather than just 5G. In order to achieve full visibility over traffic and messaging, operators need to perform regular security audits to detect errors in the configuration of network core components to protect themselves and their subscribers.

End-to-end security will be crucial for MNOs as they face the challenges emerging in a multi-domain ecosystem such as 5G. This will include testing all telecom infrastructure domains from in depth audits of signalling protocols and compliance checks with GSMA guidelines and regulations to network perimeter audit and security analysis against HTTP, API, and JSON breaches in web applications.

Both commercial business objectives and increasing accountability from regulators make it clear: mobile service providers must build 5G security infrastructure from the ground up.

Jimmy Jones

 Jimmy Jones’ experience in telecoms spans over twenty years.  Throughout his career he has strengthen his industry knowledge, working in multiple engineering roles within major operators such as WorldCom (now Verizon), and vendors including Nortel and Genband. Jimmy joined Positive Technologies (opens in new tab) in 2017 to help telecom clients transform their network, by leveraging his extensive industry experience.