HOT TELECOM
insight
Security is not a product, it's a process
Cybercrime is estimated to have cost US$6.0 trillion in 2021
Trust takes years to build, seconds to break and forever to repair.

There is no way around it: telecom operators must transform the way they deliver solutions to meet today's customers' expectations of secure, tailored, agile, real-time communication services that can be lit up globally at the click of a button. With the advent of 5G, the cloud and AI, everything is moving towards the expectation of a vertical, hyper-personalized experience. No single company can achieve this globally on its own. Telecom operators who master ecosystem-based business models will dominate the Big Tech decade. But building ecosystems is not enough. The critical step to be taken, even before choosing your partners, is to ensure that the resulting ecosystems can be secured and trusted. A single vulnerability anywhere along the value chain can create a serious security risk for every stakeholder in the service. The telecom world clearly revolves around software, and the security of both the software and the systems it powers is absolutely critical. In any company, and particularly for network service providers, future profitability and potentially even survival depend on keeping systems secure. A software security risk that exists anywhere in the telecom ecosystem or value chain could have resounding impacts around the globe. Failing to address these types of risks could result not only in millions of dollars of losses but, more importantly, in the loss of reputation and of your customers' trust. And everyone knows that trust takes years to build, seconds to break and forever to repair. So, tackling ecosystem risks is at the core of success. To put this into context, we share below two recent stories that show how complex this can be and how companies without a clear and auditable plan to maintain security are at significant risk.
www.tiaonline.org
Where are the risks? Expect the unexpected

SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. Their key product, Orion, is used by companies and governments worldwide. In September 2019, their internal software build control system was penetrated by agents thought to be associated with the Russian state. By design, the builds of new software releases are very tightly controlled, as any software updates issued through this system are normally implemented without question by their 300,000 customers.

The agents were both cautious and very patient, initially installing extra code in these releases in the tight time window between the SolarWinds engineers confirming that the source code was ready for release and the creation of the executable software patch itself. In this way, the modified code was digitally signed as authentic and implemented worldwide within SolarWinds' customers' systems without any further checks. The first code additions did nothing more than report back on what type of processor was running within the affected server. The report went back to servers sitting in public cloud environments in the US and used the normal syntax used by SolarWinds themselves to avoid even the slightest suspicion about the traffic. Even so, the attackers sat back for five more months until they finally installed a more complex backdoor which allowed them access into almost any system that installed those patches.

Based on an npr.org article entitled 'A Worst Nightmare Cyberattack: The Untold Story Of The SolarWinds Hack', around 18,000 customers installed those infected patches, ranging from the Pentagon and multiple government departments in the USA, Boeing and many Fortune 500 companies, the NHS and Home Office in the UK, NATO, the European Parliament and many more. As a result, the attackers were able to copy and extract countless files, email systems were penetrated and some system data was modified or deleted.

Restoration of security was nowhere near as simple as removing the affected Orion code, as the attackers could now be in any system, hiding additional backdoors wherever they liked. It was estimated that it could take years to fully evict the attackers from US networks, for instance. The cost of the SolarWinds exploit will never be known, but probably reaches into the billions of dollars. The cost to the company itself in terms of reputation as a trusted partner has been equally massive, and its stock price is now just half of what it was in late 2020.
More recently, a small piece of open-source Java code, known as Log4j, was found to have a vulnerability that could be exploited to run unapproved code. Open-source software is a component of most systems around the world, as software developers seeking a way to log activity within their own applications, for instance, look for already written and trusted components that carry out that task rather than writing their own from scratch.

This particular deficiency had been in Log4j for some time and had never been recognized as such by the many developers who had worked on the code. As far as is known, it had never been exploited. Once identified, patches were quickly written to block the exploit, but now came a huge issue: where was the original code deployed? A race began as attackers scanned systems worldwide looking for the use of Log4j (often to refocus processors on mining digital coins) at the same time as security professionals searched for instances of this code deep within their many operational systems. The impact of this security risk was huge and on a global scale. In the first 72 hours of this vulnerability becoming public, over 800,000 exploitation attempts were identified. Because 95% of Java programs use Log4j, the removal of this threat will take years and impact almost all companies and enterprises, costing millions.
www.hottelecom.com
Why should you care?

The two global issues discussed above are, unfortunately, just the tip of the iceberg. Breaches of security happen continuously in companies around the world, whether by social engineering (using a compromised email account, or persuading an employee to give up a password, for instance) or by technical attacks on an unpatched system. This will only get worse, as most of the telecom hardware environment is being 'softwarized' and migrated to the cloud. We therefore believe that the risk of untrusted ecosystems will be one of the biggest threats to telecom operators' business over the next decade. To put this into context, IBM's comprehensive Cost of a Data Breach Report 2021 noted that the global average cost of a single data breach was US$4.24 million, rising to over US$9 million in the USA. It is interesting to note that lost business accounts for almost 40% of the loss. To put the complexity in focus, breaches take on average 212 days to identify and a further 75 days to resolve. And how many breaches did IBM find in that 12-month window? 537! Is this a risk you are willing to take? A report from Cybersecurity Ventures also estimates that global cybercrime and cyber terrorism will cost more than US$6 trillion in 2021 alone. Furthermore, a recent report from Darktrace found that the IT and communications sector was the most targeted industry globally in 2021.
Regulators in Europe are so concerned about the risks here that new laws and regulations are being implemented putting onerous requirements on telecom providers. In the UK, for instance, the new Telecommunications (Security) Act puts strong legal duties on telecoms providers to defend their networks with fines of up to 10% of turnover. So, this is not a problem that anyone can sweep under the carpet. With a potential threat environment that is so wide, what is the best way to tackle it?
Data breaches take 212 days to identify
Loss of business accounts for 40% of the cost of a data breach
Data breaches take 75 days to resolve
Cybercrime to cost US$6.0 trillion in 2021
The need for trusted ecosystems

In the same way that companies worldwide have looked to Quality Management Systems to manage and control their businesses and the delivery of services, these breaches have clearly shown that a similar approach to security, throughout the ecosystem or value chain, is the key solution. Both of the breaches described earlier in this article highlight the fact that security is not something you can treat as a purely internal issue. SolarWinds was a trusted vendor whose solutions were used to manage the very networks that were then put at risk. How many other vendors' equipment and systems have we fully integrated into our globally deployed networks that represent a similar risk? The Log4j exploit, on the other hand, highlighted a broader issue.
Software developers make continuous use of pre-built components and audits have suggested that 99% of deployed software systems now contain at least one open-source component. The key is to know what components have been used in an internal system perhaps years after it was first deployed. Developing controlled “Bill of Materials” records is perhaps as important a task as any other in the development and deployment of applications and is probably one of the least understood. And, of course, in an interconnected business such as telecoms, we must be able to trust our vendors and other partners. This means that we must have auditable systems in place for ourselves and have clear confirmation that these types of checks are also in place with our vendors, so that the whole ecosystem is secured end-to-end.
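The "where was the original code deployed?" problem above is exactly what a software bill of materials is meant to answer: if every deployed system has an inventory of its components, including the ones pulled in indirectly by other components, a newly published advisory can be matched against that inventory instead of against a manual search of production systems. The script below is an added illustration, not part of the original article or of any TIA or SCS 9001 material. It assumes two constructed SBOMs in a minimal CycloneDX-like shape (a component list plus a dependency graph) and a constructed advisory whose fixed version is a placeholder rather than the real Log4j fix version; it reports each affected component together with the dependency chain that introduced it, so that a library buried several levels deep is still found.

```python
"""
Search a set of SBOMs (one per deployed system) for components named in an
advisory list, following transitive dependencies so that an affected library
pulled in indirectly is still reported with the chain that introduced it.
The SBOMs and the advisory below are constructed sample data, not real records.
"""
import json

# Constructed sample SBOMs in a minimal CycloneDX-like shape: a flat component
# list keyed by "bom-ref" plus a dependency graph from ref to child refs.
SBOMS_JSON = """
{
  "billing-portal": {
    "components": [
      {"bom-ref": "app", "name": "billing-portal", "version": "3.4.1"},
      {"bom-ref": "web", "name": "example:web-framework", "version": "5.2.0"},
      {"bom-ref": "log", "name": "org.apache.logging.log4j:log4j-core", "version": "2.3.0"}
    ],
    "dependencies": {"app": ["web"], "web": ["log"], "log": []}
  },
  "oss-gateway": {
    "components": [
      {"bom-ref": "app", "name": "oss-gateway", "version": "1.0.0"},
      {"bom-ref": "log", "name": "org.apache.logging.log4j:log4j-core", "version": "2.99.5"}
    ],
    "dependencies": {"app": ["log"], "log": []}
  }
}
"""

# Constructed advisory: "fixed_in" is a placeholder, NOT the real Log4j fix version.
ADVISORIES = [
    {"name": "org.apache.logging.log4j:log4j-core", "fixed_in": "2.99.0"},
]


def parse_version(text):
    """Turn '2.3.0' into (2, 3, 0); non-numeric characters are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, fixed_in):
    """A component is affected when its version is older than the fixed one."""
    return parse_version(version) < parse_version(fixed_in)


def dependency_paths(sbom):
    """Return {ref: [refs from a root down to ref]} via breadth-first search.
    Roots are components nothing else depends on; cycles are tolerated."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    deps = sbom["dependencies"]
    children = {child for kids in deps.values() for child in kids}
    roots = [ref for ref in comps if ref not in children]
    paths = {}
    queue = [(root, [root]) for root in roots]
    while queue:
        ref, path = queue.pop(0)
        if ref in paths:  # already reached (shorter path or cycle)
            continue
        paths[ref] = path
        for child in deps.get(ref, []):
            queue.append((child, path + [child]))
    return paths


def find_affected(sboms, advisories):
    """Return (system, component name, version, chain) for each affected component."""
    findings = []
    for system, sbom in sboms.items():
        paths = dependency_paths(sbom)
        comps = {c["bom-ref"]: c for c in sbom["components"]}
        for ref, comp in comps.items():
            for adv in advisories:
                if comp["name"] == adv["name"] and is_affected(comp["version"], adv["fixed_in"]):
                    chain = " -> ".join(comps[r]["name"] for r in paths.get(ref, [ref]))
                    findings.append((system, comp["name"], comp["version"], chain))
    return findings


def scan(sboms_json=SBOMS_JSON, advisories=ADVISORIES):
    """Parse the SBOM set and run the advisory match; returns the findings list."""
    return find_affected(json.loads(sboms_json), advisories)


if __name__ == "__main__":
    for system, name, version, chain in scan():
        print(f"{system}: {name} {version} via {chain}")
```

Only billing-portal is reported, because its log4j-core sits below the placeholder fixed version and reaches the application through the web framework rather than as a direct dependency; oss-gateway carries a newer version and is left alone. In practice the SBOMs would be generated by the build pipeline for every release and stored alongside the deployment record, which is what turns the "Bill of Materials" task described above into something that can be audited years later.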
Building security and trust together

It is clear that telecom service providers are the definition of fully interconnected environments, with their latest networks dependent on components from vendors worldwide. As solutions from trusted vendors also contain hardware and software components from their own suppliers, the range of potential entry points is almost limitless. Furthermore, 5G networks are interconnecting billions of new endpoints to create the largest interconnected fabric ever built. So, this risk will only grow and must be rapidly addressed through a cooperative effort from all stakeholders for the industry to have any chance of creating a truly trusted and secured global telecom fabric. The Telecommunications Industry Association (TIA) is one of those rare organizations that can achieve just that.

The need for cooperation

TIA's QuEST Forum Business Performance Community has been developing what they believe is the solution to this massive challenge. They have been building and maintaining the industry's process-based quality management standard, called TL 9000, for over 20 years. Service providers and vendors around the globe have been involved in creating and updating this standard, and over the years thousands of locations have achieved certification. More recently, however, they have been focusing on developing the SCS 9001 standard, with a goal of empowering trust and security throughout the ecosystem. Their Supply Chain Security (SCS) workgroup, which comprises over 100 equipment providers, service providers and security experts, has been busy since 2020 developing a process-based standard that will address gaps specific to securing our industry's supply chain against attacks.
They built the architecture of the standard from the ground up based on the following key factors:
• Defined security measures
• Security domain control
• Additional supply chain requirements
• ICT-specific supply chain process
• Zero trust architecture/asset inventory
• Principles of trust for suppliers
• Certified quality management systems

For clarity, this is not a proposal for some new technical standards. Rather, it is a complete definition of all the controls that service providers must put in place to ensure that they are building and operating products and services in a secure way. The standard covers the following 10 key security domains:
• Access control
• Audit and accountability
• Cryptographic controls
• Data center security
• Identification and authentication
• Maintenance
• Media protection
• Physical protection
• System and information integrity
• System and comms protection

The standard also provides 7 proposed supply chain processes as an added layer to ensure a secure environment:
• Incident management process
• Technical vulnerability management
• Risk assessment and mitigation process
• HW, SW & component provenance process
• Secure development process
• Software usage process
• Counterfeit HW, SW and parts process
Taken as a whole, this new standard will allow service providers, vendors and manufacturers to ensure that their supply chains are secure. More importantly, it will be able to demonstrate this via professional audits. The benchmarks created via this process will allow companies to improve their internal processes. But when shared anonymously via TIA, they will also allow each company to compare itself with its peers. Furthermore, when seeking bids for new network or system components, service providers can request confirmation and proof of an audited security process in place with their potential vendors and use those benchmarks as an added requirement in the final selection process.
Figure: SCS 9001 standard components
With this in place, we can increase trust in our services and solutions, demonstrate this trust to our governments and regulators and prevent exposure to future cyberattacks that threaten to endanger national security, disrupt critical infrastructure and impede economic growth. "We believe that security is a subset of quality, and you can't have a quality product if it is not secure," said David Stehlin, CEO of TIA. "As networks become more software-driven and are almost always developed by multiple authors, risk has significantly increased. Our global community depends on connectivity and while technology continues to outpace security, we now have a process-based, verifiable standard to significantly mitigate threats to the ICT supply chain."
Interview: Dave Stehlin, CEO of TIA

TIA has already released the initial standards documentation, but is seeking help and assistance from telecom experts globally to make sure that the recommendations are both comprehensive and workable in the global industry we operate in. With this standard in place, service providers will have the ability to confirm that their vendors are following the best practices available and use their buying power to enforce compliance. Only if all our industry's stakeholders take security risks seriously and get involved globally can we ensure that we create trusted ecosystems, with checks and audits end-to-end throughout the value chain. Then and only then can we be sure that the solutions delivered are secure and can be trusted, and in this way safeguard the future of our industry and society.
The author

Steve has a lifetime of experience in designing, engineering and operating networks, both domestic and international. With leadership experience in small technology startups through to global service providers, he has deep experience in a wide range of products, technologies and geographies. He has the rare skill of being able to explain complex technical issues in easily understood concepts and uses that extensively in his consulting work with HOT TELECOM.
Steve Heap, CTO, HOT TELECOM

About TIA

The Telecommunications Industry Association (TIA) brings together communities of interest across Technology, Government Affairs, Standards, and Business Performance to enable high-speed networks and accelerate next-generation Information and Communications Technology (ICT) innovation. With a global membership of more than 400 companies, TIA is at the center of a vibrant connected ecosystem of companies delivering technologies and services that are revolutionizing the way the world communicates. Our members include ICT manufacturers and suppliers, network operators and service providers, distributors and systems integrators. Community is at the center of TIA, which convenes the industry's thought leaders and brightest minds, regardless of the size of their business, to solve common challenges and develop new ideas and approaches that bring tangible value to companies by enhancing their bottom line.

TIA is the industry voice that leads the conversations and provides timely information and resources to help expand global investment and trade opportunities and encourage innovation throughout the entire value chain. Built upon a values-based culture of accountability, teamwork, engagement, innovation, and being member-driven, TIA delivers results, driving scalable, repeatable, consistent processes that deliver outcomes and value for our members. To find out how you can get involved in building a secured and trusted telecom ecosystem, contact us at info@tiaonline.org or visit www.tiaonline.org