Holistic Cybersecurity Governance Yields Resilient Telco Services In 5G World

Sponsored

Driven by trends toward multi-cloud and the rise of 5G and edge computing, burgeoning technologies like Internet of Things (IoT), big data and artificial intelligence are transforming the technology landscape. On the other hand, cybersecurity concerns are intensifying due to escalating cyberthreats around the world.

For communications and digital service providers, a security-first approach has become mandatory for telecommunications equipment and IT systems – the two main supporting infrastructure platforms of cyberspace.

This is where ZTE Corporation’s holistic cybersecurity governance structure underpins its development strategy. The aim is to help operators and service providers mitigate security risks and fend off cyberthreats. Security assurance is established through compliance with best practices and standards, constant checks to discover and mitigate threats, and complete openness to external compliance checks.

To achieve this, ZTE focuses on three factors:

  • ZTE Cybersecurity Governance implements and manages security by design and by default. The full lifecycle of products and services is governed by internal security policy, which embeds best practices, standards, regulatory demands as well as clients’ specific requests.
  • Conformance to best practices and standards is verified for processes, products and services.
    • At the global corporate-wide level, ZTE has implemented ISO 27001 for information security; ISO 28000 for supply chain security; and ISO 22301 for business continuity management.
    • At the product level, ZTE has passed the CC certification (EAL3+) for its 5G RAN solution; the GSMA Network Equipment Security Assurance Scheme (NESAS) audit and the Security Assurance Specifications (jointly defined by 3GPP) for its 5G Core and RAN products; ISO 27701 privacy information management standard for its 5G NR and Unified Management Expert products; and BSIMM for software security, including the supply chain.
    • ZTE also adopts several industry best practices such as the NIST Cybersecurity Framework in managing supply chain security and engineering service security.
  • ZTE's cybersecurity labs in Nanjing, Brussels and Rome prioritise openness and transparency. They enable global customers, regulators and other stakeholders to perform independent security assessments of products, services and processes. The labs provide a platform for source code review, document review, penetration testing and security conformance testing, and knowledge transfer for collaboration, capability exchange and certification.

Security assurance

Based on its security governance model, ZTE’s approach to equipment security not only integrates security policies into every phase of a product lifecycle, but also implements its cybersecurity assurance mechanism throughout the entire lifecycle.

This approach encompasses product R&D, supply chain, production, engineering services, management of security incidents, independent verification and audits. Specifically, it begins in R&D, which addresses security concerns, through product development phases that implement security by design, to the product lifecycles and key processes that ensure fail-safe defaults.

Assurance of reliable networks for the entire supply chain also extends to qualifying sub-suppliers and controlling third-party components. This implies that, from the early stages of production, ZTE’s products are tested against industry standards and best practices, which are used as the minimum baseline for equipment security.

“A formal structure is in place that reviews test results and offers the power of veto that is used when non-conformances are identified,” says Mr Antonio Relvas, Director Cybersecurity Strategy of ZTE. “A proper risk analysis is in place that can result in a tested product or release being rejected. These measures culminate in assuring that equipment delivered and installed in our clients’ networks is as secure as possible and is installed and configured with the proper secure fail-safe defaults, for example, deny all access, unless explicitly authorised.”

Security defects and vulnerabilities are disclosed in a transparent way, and patches are released promptly to customers and other stakeholders. ZTE's Product Security Incident Response Team identifies and analyses security incidents, tracks incident handling processes, and communicates closely with both internal and external stakeholders to disclose security vulnerabilities in a timely manner.

Network resilience

With the advent of 5G, ZTE communications equipment is designed to secure operators’ global interconnections and core-to-edge connectivity while facilitating timely incident response.

Aligned with this aim, ZTE is actively involved in standards organisations and industry associations, including the 3rd Generation Partnership Project (3GPP), European Telecommunications Standards Institute (ETSI), Global TD-LTE Initiative (GTI), International Telecommunication Union (ITU), Global System for Mobile Communications Association (GSMA), Forum of Incident Response and Security Teams (FIRST), as well as CVE Numbering Authorities (CNA).

Engagement in these industry ecosystems improves ZTE’s technical strength in enabling operators to deliver resilient telecommunications services – i.e. security by default, security by design – for their 5G deployments.

“5G is a total game changer,” Mr Relvas says. “New services, architectures and technologies, as well as higher user privacy and protection requirements will bring security challenges and opportunities.”

Already, 5G access and core networks that enable inter-vendor interconnections and interoperability through standard protocols feature security protection mechanisms. “For example, we need to consider the access authentication for third-party slicing service providers and the secure use of ICT resources amid wide adoption of cloud architecture in 5G,” Mr Relvas adds.

Operators need to harden their security posture in three areas:

  • Their management plane, where administrative activity of the network infrastructure takes place;
  • The international signaling plane that allows operator networks to connect to each other and reach each other’s services;
  • Virtualised networks that form the base for the operator’s core running new services and workloads.

“These new ‘workloads’ create a security concern from the network design and implementation perspectives,” explains Mr Relvas. “They require operators to constantly monitor the operations while tapping on real-time industry-wide collaboration and joint responses to new threats.”

Countries and regions must establish a base certification to assure that both vendors’ products and 5G implementations that use them are as secure as they can be. With the growing adoption of IoT and devices connected over mobile broadband, secure 5G networks are a must to support the expected surge in applications.

“Some countries are demanding operators to perform risk assessment of their solution architectures including the vendors and equipment that they use in their 5G networks, from the products to the supply chain that supports the solutions,” says Mr Relvas. “It is obvious that the effort, time and cost needed for an operator to perform such tasks can be eased by the support of vendors.”

Vendors have to test their products and ensure that the services provided are as secure as possible. “Such an assurance from the vendor will make operators’ risk assessment work easier and possible in the necessary time-frame,” Mr Relvas explains. “This is the case for ZTE, with the CC certification, GSMA NESAS/3GPP SCAS and the use of the cybersecurity labs if further tests are necessary.”

Mr Relvas also claims that ZTE is the first vendor to have the CC certifications in place for a full set of 5G RAN products and one with the most 5G products certified under GSMA NESAS.

Sponsored by ZTE
