Welcome to the December blog. This month, we discuss the potential to reduce security risk by systematically aiming to reduce complexity.
Part of the complexity is driven by the need to maintain legacy infrastructure. Legacy kit and protocols can have weaker defences against modern attack techniques, may be less spectrally efficient, may be harder to obtain vendor support for, may require niche skills, may need extra ‘bolt-on’ security enhancements, may be harder to patch and may consume relatively more power. The underlying legacy hardware may also not attract significant investment, as focus tends to be applied to newer technologies and services. These systems are often outside their active development phase and maintenance period and frequently receive limited patching and support. However, legacy equipment and services often still provide vital customer services that need to be maintained for regulatory reasons, to support customer demand and to enable associated legacy infrastructure (e.g. ‘smart’ meters). It is vital that appropriate security maintenance activities are undertaken to prevent the legacy estate from becoming a viable attack vector.
Complexity is emerging as a critical cybersecurity risk for operators, and complexity reduction has the potential to be a foundational step toward a stronger, more resilient security posture. Examples of this complexity are the deployment of a diverse range of technologies, a reliance on an ecosystem of multiple third parties and a growing attack surface. Other drivers of complexity include disaggregated radio access networks (i.e., Open RAN and virtualised RAN), the increasing number of connected devices, coverage provided by non-terrestrial networks (i.e., satellite connectivity) and physical infrastructure variability. Against this backdrop, telcos face significant challenges in maintaining a robust security posture. In some cases there have been successes in reducing complexity by decommissioning 2G, 3G and PSTN networks and their associated copper access networks.
The challenges of improving legacy security were discussed at a recent presentation from BT on their efforts to move to a zero-trust arrangement with legacy infrastructure. It described three levels:
- Level Zero: assumed trust. The default position in some legacy networks. For example, traditionally, the interconnect traffic between mobile operators relied on the underlying signalling protocols for effective and secure operation, and the inherent trust model assumed that only those entities that needed signalling access actually had it. This trust model means that all parties with access must use their interconnect networks appropriately.
- Level One: puts policy decision points and policy enforcement points in front of the network or applications. Examples might be placing additional protections (e.g. an overlay virtual private network) in front of previously exposed management interfaces, and the use of signalling firewalls, message filtering and blocking capabilities, and intelligence/best-practice sharing. Although these are practical steps, they can in turn add to complexity, so there is a need to deploy trusted and proven previous designs.
- Level Two: a Zero Trust mindset, where all users, both inside and outside an organisation’s network, are identified and authorised before accessing the network.
Third-party and supply chain dependencies are important and the reliance on multiple vendors and partners for critical components of operators’ technology stack can limit flexibility but can add resilience. Each third-party supplier brings their own technology architecture and security approach, adding layers of complexity. The key is to balance the benefits of reduced complexity with the gain of additional vendor diversity.
To mitigate these risks, operators can prioritise reducing complexity within their networks and technology stack and architecting for reusability. Key measures include:
- The systematic decommissioning of legacy technologies
- The harmonisation of systems
- Reducing implicit trust in legacy infrastructure
- Maintaining legacy kit properly
- Segregation of trust domains (i.e. break complexity into separate trust domains and manage each accordingly)
- Employing design re-use
- Using consistent system design approaches as a means to avoid complexity increasing further.
This approach can result in a reduced attack surface, improved patch management, enhanced focus for security teams and fewer legacy risks, delivering a stronger security posture overall.
If you’d like to discuss these topics or to get more closely involved, please email [email protected].