Telecom security: How to safeguard your open source telco infrastructure

From pure voice to data, and now with the connectivity provided to devices and machines, telco systems make it possible to deliver digital services to society. Thanks to telecom systems, we can keep in touch with each other and reach the information sources we need at any time and anywhere.

As we have become increasingly reliant on these systems, we also need to be vigilant about telecom security.

Telecom infrastructure security: Why does it matter?

First and foremost, telecom systems hold sensitive data. These networks carry information about millions of customers, including personal information, such as user identity. Second, we rely on telco networks when providing essential public services, ensuring our physical and digital security, and running our economy.

This is why cyber or physical attacks on telecom infrastructure can have significant impact and  substantial negative outcomes for a country:

• They can cause disruption to networks, affecting operations or equipment,
• They can lead to access to and malicious use of sensitive information,
• Attackers could gain administrative access to networks and systems, which gives them the power to manipulate those systems.

Increasing cyber-attacks on telecom 

The fact that sensitive user information is carried over telecom networks at a massive scale attracts malicious actors. Attackers typically aim to:

• Disrupt or downgrade services, for instance with Distributed Denial of Service (DDoS) attacks,
• Inflict privacy, confidentiality and integrity breaches, for instance by tracking users and devices,
• Obtain user identity information. 

The telco sector has seen an upwards trend on cyber attacks over the years. Today, telco is among the mostly targeted sectors. 

• Average weekly attacks on organisations have reached over a thousand. 
• Around 40% of businesses in the United Kingdom say they have had a cyber attack in 2022. 
• There were around 50% more attacks on telco in 2021 compared to the previous year. 

Cyber attacks have been targeted at disrupting running services in particular. DNS attacks are predominantly observed on telecom networks, with over 80% of telecom networks having reported them at least once.

DDoS attacks are also common. For instance, the European Union reported (ENISA report) a significant rise in DDoS attacks against general availability of services in 2021 compared to the levels in 2020.

More strict regulations on the sector

As a result, governments consider telecom networks and systems as critical national infrastructure. Rules and regulations get tougher and more strict each year for operators and service providers to follow and safeguard their systems. Among others, such regulations cover the following: 

• Definitions of critical functions in a telecom system, such as those that enable network service operations, and the requirements to follow in order to secure those functions.
• Securing the infrastructure itself, which runs those network functions. 
• Protecting any software and system that monitors a telecom network, and analyses user and control plane traffic. 
• Stringent data protection laws to safeguard subscriber identity and data.

Increasing cyber attack risks and the resulting regulations have therefore led to more and more investment in security solutions. As a result, the global IT and telecom security market is expected to grow rapidly to around over $80 billion USD by 2030.

Increasing attack surface

Our telecom infrastructure continuously evolves with newly added technologies and features. Hardware and software improve over time, and new standards are defined to bring higher quality services to users. With these improvements, new telecommunication solutions with more capabilities can be  provided to subscribers and business customers. However, this innovation cycle also brings about challenges. Let’s go through these challenges briefly.

Various types of devices

Large numbers and a variety of devices are now getting connected to networks, including IoT devices, like smart home hubs, security cameras, storage devices, etc. These networks then get connected to the telecom infrastructure. This means that there are now various origins of attack from devices and adjunct networks, as these devices and/or networks may be compromised.

Virtualisation of infrastructure control and management

Telecom infrastructure is increasingly adopting virtualisation, so that mobile networking software can be run as virtual software instances. This provides operators with more flexibility, scalability, fault tolerance, control, cost-reduction, and energy efficiency benefits in running their networking services. However, virtualisation also results in a broader attack surface, as operators must now safeguard the infrastructure software, besides the running software instances.

Networks as a service

5G vendor software workloads that provide control and management functions are now more modular and run as microservices on containers and virtual machines as cloud-native network functions (CNF) and virtual network functions (VNF). Furthermore, a vast ecosystem of software vendors now provide assisting technologies that also run as micro-services on virtual instances. 

The software supply chain where all this software is sourced from must be secured, including software libraries, instance images, and the tooling that creates them.

Private mobile networks

Enterprises now look into setting up their own private mobile networks, and many more deploy them at their sites. This means that measures must be taken to secure these networks owned by enterprises, to keep them secure and protected from cybersecurity risks.

A broader software ecosystem

Open source and the flexibility provided by infrastructure virtualisation have been catalysts for a widening ecosystem of software vendors, offering solutions for various telco use cases. Open source provides transparency, which makes it inherently more secure. However, a wider ecosystem also broadens the attack surface on telco, if software is not managed correctly. There is a need for compliance to security standards, and a scalable system that ensures that the sheer volume of software used by telco has no vulnerabilities.

The need for secure telco software 

The increasing attack surface and the need for extra measures to safeguard  telco infrastructure make security an imperative. 

Telco runs on software, from the edge to its network core. In addition, the services provided by  telecom companies also run as software workloads, either for the operators themselves or for the tenants of an operator. All in all, software is everywhere in the  stack. 

The general best practice is to adopt a cybersecurity approach in your organisation, with two key pillars that can help you provide a secure foundation for your systems: conducting effective vulnerability management and  operating system hardening.

Vulnerability management 

Virtual application images may have common vulnerability exposures (CVE). These CVEs may be at the OS, the virtualisation software, or the running instances.

It is essential to have confined execution spaces to run applications. This ensures that if a workload is compromised, their access to the rest of the system is restricted, and other instances are not affected. For instance, xApps that work with RAN Intelligence Controllers in O-RAN systems are ideal candidates to be run in controlled execution environments.

Software dependencies pose another big challenge when keeping packages up to date and secure. Most packages have numerous dependencies; it is hard to track each and every package. On the average, there are around 70 dependencies per package, according to Snyk 2022 State of Open Source Security report. 

In this complex chain of software dependencies, CVEs spread easily. A software piece may be consumed by many others – when it has a common vulnerability exposure (CVE), this affects many others.

When a CVE is detected, it takes a lot of time to fix it:  around 100 days on average, according to Synk’s 2022 report. Once the vulnerability has been detected and fixed, there are further complications:

• A patch is needed for every single vulnerability; support is needed to continuously patch against renewed vulnerabilities. 
• Fixing a patch only once is not enough; multiple versions of the patch may need to be applied over time. This requires a versioning system in place for software patches. 
• Fixing vulnerabilities should not interfere with system operations, as these systems run services offered to customers with certain SLAs. 
• Assigning the task of fixing vulnerabilities to a system/personnel manually is tedious and not scalable.  
• It is tricky to manually fix all vulnerabilities that may emerge, as there is a vast ecosystem of software sources.

Security certifications and compliance

In the complicated software landscape offering solutions with often overlapping and conflicting constraints, it is necessary to have robust security systems that can withstand the latest threats with standardised defence mechanisms in place. 

There are various frameworks developed by national bodies, aiming to have standard and vendor-agnostic protocols and schemes that embody the latest industry standards and best practices in software security. When your operating system complies with such standards, you can be sure that your system is equipped with the latest security features and cryptographic measures. You then also have the ability to demonstrate to your telco customers that your system complies with commonly known and trusted security standards. 

Hardening the operating system and auditing it at scale for every deployment is tedious and error prone. There are many hundreds of individual steps in the process, which is time consuming. What operators need is the ability to not only ensure security hardening and auditing for their operating system, but also automate the process.

The OS as a trusted source for software 

To help organisations implement a scalable security policy and get their software from a secure source, Canonical launched Ubuntu Pro, a comprehensive subscription for security, compliance and support.

Ubuntu Pro offers comprehensive security coverage for open source. CVEs are dealt with by Canonical’s security team, so your team does not have to keep track of patches – they simply need to apply them. The complex chain of software package dependencies and propagation of CVEs across application packages is no longer an issue. Ubuntu Pro handles the complexity, and overcomes this challenge on behalf of the operator.

Ubuntu Pro provides these patches for 10 years, for packages in Ubuntu’s Main and Universe repositories, and automation tools like Landscape and Livepatch.

Ubuntu Pro also comes with security certifications and hardening features. Canonical provides Ubuntu Security Guide (USG), a security and hardening tool for remediation and auditing at scale, which includes profiles for industry hardening standards. With different cybersecurity frameworks in place, organisations get OS hardening and compliance profiles like CIS, DISA/STIG, and FIPS 140-2. With USG, the operator gets a single command for hardening and a single command for audit reports.

Summary

The ever increasing security risks and attacks on the telco sector call for automated, scalable, and trusted solutions that can safeguard telecom infrastructure. With the evolving telecommunications standards comes growing attack surfaces on infrastructure and the running workloads. 

On the way to achieving a fully cloud-native telco delivered with open source 5G, Ubuntu Pro is your trusted source of secure open source software. It provides the largest scope of secure and trusted open source applications, delivered with long-term security coverage guarantees. With Ubuntu Pro, your telecom infrastructure can be kept secure from common vulnerabilities, thanks to the regular and fast updates and patches. It delivers operating system hardening and auditing with automated tooling, and compliance for a wide range of standards.

Check out our webinar on telecom security to learn more about Ubuntu Pro’s security features.

Contact us

Canonical provides a full stack for your telecom infrastructure. To learn more about our telco solutions, visit our webpage at ubuntu.com/telco.

Further reading

• Reduce the cost of your 5G infrastructure
• How to secure your database
• How to ensure business continuity with IT infrastructure support