Critical communications for all professional users

TCCA Cyber Security Workshop, 19th May 2021


Presentation on behalf of TCCA www.tcca.info @TCCAcritcomms

Welcoming words

Tony Gray, TCCA CEO


Cyber Security Workshop 19th May

Objectives

• Understand the meaning of Cyber Security in Critical Communications context

• Identify current gaps

• Agree next steps to address them


Agenda

Setting the scene

• Definition of terminology

• What is already being covered by TCCA SFPG

Search for cyber security solutions and gaps

• Network vendor view

• Public safety operator view

• User agency challenges

Search for best ways to address gaps

• Open discussion

Next steps

Mika Laitinen, TCCA SFPG

Patrik Wikberg, Ericsson

Harald Loktu, Nødnett, DSB

Anthony Leather, Westlands Advisory


Setting the scene


Cybersecurity Workshop: Terminology

Mika Laitinen


Many related terms – Can you tell the difference?

Data

Information

Information Security

ICT Security

Cybersecurity


Data to Information

‘Data is processed, stored, or transmitted by a computer.’

‘Information is data with meaning.’


Information security

‘The state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.’

LEXICO - Oxford English and Spanish Dictionary


Cybersecurity

‘The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.’

LEXICO - Oxford English and Spanish Dictionary


Cybersecurity vs. Information Security

‘Cyber security goes beyond the boundaries of traditional information security to include not only the protection of information resources, but also that of other assets, including the person him/herself.’

Published in Computers & Security, Oct 2013: “From information security to cyber security”, R. V. Solms, J. V. Niekerk


Three terms – different meanings

Published in Computers & Security, Oct 2013: “From information security to cyber security”, R. V. Solms, J. V. Niekerk

[Figure: relationship between Information Security, Information & Communication Technology Security and Cybersecurity. Regions shown: information based assets stored or transmitted NOT using ICT; information based assets stored or transmitted using ICT; non-information based assets that are VULNERABLE to threats via ICT.]


Conclusion

Data – 2804

Information – 2804 Mika's birthday → Classification → PII → Privacy → GDPR

Information Security – Protect Confidentiality, Integrity, Availability of Information

ICT Security – Protect transmitted data in electronic format

Cybersecurity – Protect data in electronic format in addition to other assets including person himself/herself


Thank you. Questions or comments?


Cybersecurity Workshop: TCCA SFPG

Mika Laitinen


Role of SFPG - Mission

The TCCA Security and Fraud Prevention Group (SFPG) provides solutions to:

• technical issues and

• operational issues

in the area of security and fraud prevention in critical communication systems.


Role of SFPG – Critical Communication Systems

The critical communication systems:

• involve interests of critical communications system operators, manufacturers and government bodies;

• are relevant to national solutions;

• are not, or cannot be, managed within the open standards.


Role of SFPG – Operational

Operational issues to be solved include:

• Security of the critical communications network (incl. TETRA and BB systems)

• End-to-End security

• Key management

• Use and management of Smart Cards

• Secure interworking of critical communications systems

• Physical and information security

• Potential operational threats and fraud


Role of SFPG – Tasks

Tasks of the SFPG include:

• Producing SFPG Recommendations for security procedures in, and secure interworking of, critical communications equipment and systems

• Advising on the management criteria for TETRA standard algorithms

• Proposing work items for further standardisation

• Identifying threats in such systems and recommending solutions as appropriate

• Liaising with ETSI TC TCCE to develop and enhance critical communications security

• Seminars, papers, liaisons, etc.


Role of SFPG – Publications

• Rec 01 – Key distribution

• Rec 02 – End-to-end encryption

• Rec 03 – Threat analysis

• Rec 04 – Implementation and use of security features

• Rec 05 – Secure Cross Border TETRA Operation

• Rec 06 – Management of Static Cipher keys in DMO

• Rec 07 – End-to-end encrypted SDS

• Rec 08 – Using a smart card for end to end encryption

• Rec 09 – Guidelines for physical security of TETRA equipment

• Rec 11 – End-to-end encrypted packet data

E2EE Recommendations


Role of SFPG – Publications cont.

• Rec 14 - Security of interworking between TETRA and 3GPP MC systems (published)

• Rec 15 - Key Management in Mission Critical Systems (published)

• Rec 16 - Secure implementation of Mission Critical Systems (target late 2021)

Access to these documents is for TCCA members.

Non TCCA members can have access to the SFPG Recommendations if their request is supported by a TCCA member.

NDAs for SFPG Recommendations from [email protected]


Role of SFPG – Active Members 2021

Manufacturers:

• Airbus

• Ericsson

• Motorola Solutions

• Sepura

• Thales

Operators & Government bodies:

• BDBOS (Ger)

• Erillisverkot (Fin)

• MSB (Swe)

• NCSC (UK)


Thank you. Questions?


Search for cyber security solutions and gaps


Network vendor view

Security for mission critical networks

Patrik Wikberg, Ericsson Security Solutions

May 19, 2021

2021-05-19 | Ericsson Security Solutions

Agenda

1. Technology shift creates challenges and opportunities

2. What a Vendor can do to improve Network Security

3. What should you require from a Vendor

Factors increasing importance of security

• Ever-evolving security threats

• Critical infrastructure and increased risks

• New deployment scenarios and use-cases

• Increasing regulatory requirements

• Dynamic and distributed networks

• Increasing number of connected devices

Building secure mobile networks

[Figure: Secure approach. Layers shown: Secure products (secure product development); Security deployment (deployment and configuration of security functions); Security operations (protect assets, detect threats & vulnerabilities, respond); 3GPP security as foundation. Responsible parties labelled: Operator, Operator, Vendors, 3GPP.]


Threat actors often leverage vulnerabilities that are avoidable with sound security measures

Organized cyber criminals

Politically-motivated actors

Hacktivists, e.g., “Anonymous”

Terrorist organizations

Insiders

Security policy not enforced or monitored

Operational procedures prone to mistakes

Lack of visibility, control & continuous monitoring

Lack of hardening & insecure configuration of the network

Mobile network attack vectors

[Figure: network domains shown: User equipment, Radio Access Network, Transport Network, Core Network, Management, Interconnect Network, Core Network of other operators, Public Network. Traffic types: User data, Control signalling, Management traffic.]

Examples of common attacks

• Eavesdropping

• Denial of Service (DoS)

• Software manipulation/malware

• Man-in-the-Middle

• Physical attack

• Insider attack (intentional, unintentional)


Secure products

Security Reliability Model: The Ericsson framework for securing products and solutions

[Figure labels: Customers, Deliver, Develop, Source, Suppliers]

Security Reliability Model

Functions

— Reqs. for products

— Reqs. for 3PP and FOSS

— Other requirements e.g. for solutions

Assurance

— RA, VA, PIA

— Hardening

— Secure coding

— Design rules and principles

— 3PP assurance

Compliance & Documentation

— Security User Guide

— Privacy User Guide

— Declarations

— E.g. GDPR, NESAS test reports, NIST auditability, IoT

Deployment & Operations

— Requirements for secure aaS, SI, SD

— Incident management

— Vulnerability mgmt

— E.g. reqs. for ISMS, ISO certification

https://www.ericsson.com/en/security/ericssons-security-reliability-model

Example: Ericsson Vulnerability Management Process

[Figure: process flow. Elements shown: Vulnerability monitoring; PSIRT; Mapping / Alerting; Product data register; EVMS; Vulnerability analysis; Product units; Critical Severity Cases; Internal Communication; Customer Communication; Security Alert; Delivery unit; SW delivery; Product unit; SW update; PSIRT.]


Security operations evolution

• From: Security designed for a static network. Focus on setting security parameters once at initial deployment.

  To: Security for dynamic and distributed networks. Security constantly evolving to match the changing network and threat landscape.

• From: Manual security processes. Manual security configurations, compliance checks, and reactive detection & response.

  To: Automated security processes. Security automation tools for protect, detect and respond augmented by AI/ML.

• From: Poor security visibility. Lack of complete and up-to-date view of the security posture.

  To: End-to-end Security Visibility. Security visibility of a multivendor environment in real time.


Solution: Ericsson Security Manager (ESM)

Ericsson Security Manager

• PROTECT: Automation of security configuration and compliance

• DETECT: Timely detection of known and unknown threats

• RESPOND: Automation of security workflows and incident response

[Figure: Ericsson Security Manager (ESM) architecture. Labels: Security management automation layer; SECURITY ORCHESTRATION; Dynamic risk and trust management; Security function and data layer; Data feeds; Security enforcement; Security response; Business Context: Telco, Private Networks, IoT.]


NESAS and SCAS compliance

NESAS - Network Equipment Security Assurance Scheme

SCAS - SeCurity Assurance Specifications

[Figure: NESAS high level overview. Parties shown: GSMA, 3GPP SA3, Equipment Vendor, Auditor, Accreditation Body, Test Laboratory, Mobile Network Operator. Artefacts shown: Procedure descriptions, Test specifications, Network Product, Conformance Claim, Audit Report, Evaluation Report. Relations labelled: defines, appoints, accredits, audits, builds, applied, writes, writes & signs, provided to, provided to by agreement. Also labelled: Ericsson Security Reliability Model.]

Security automation requirements

1. The network and service architecture includes functionality related to security management automation and security monitoring

2. Security management solution complies with the principles of the ETSI NFV SEC-013 and will be aligned with ETSI NFV SEC-024 when approved

3. Security management solution helps to fulfill the principles of the NIST Cybersecurity Framework

4. Security management solution provides a complete catalog of security policies in accordance with the most common industry standards (i.e. ISO, NIST, CIS, etc.)

5. Security management solution can import network element information from other network management systems

6. Security management solution can configure security policies to network elements according to industry standards (i.e. ISO, NIST, CIS, etc.)

7. Security management solution supports physical and virtualized network elements

8. Security management solution supports network element and/or domain specific security policy definitions and configurations

9. Security management solution can monitor the state of the security policies in real time at network or domain level

10. Security management solution can automatically re-enforce security policies to the network elements when deviations are detected

11. Security management solution provides a dashboard view that displays the general state of security and key security events in real time

12. Security management solution includes analytics functionality for detecting security events e.g. analyzing logs and traffic information collected from network elements

13. Security management solution includes pre-defined threat rules relevant for telecom network elements

14. Security management solution includes analytics functionality which uses machine learning and artificial intelligence in threat detection in near real-time

15. Security management solution includes functionality that can loop-back security analytics results to the management and monitoring of security policies.

16. Security management solution includes functionality to replace manual processes with automated workflows and to link workflows to incident management processes

17. Workflows for a security management solution can be defined to be fully automated or include manual steps which are assisted/operated by a security expert

18. Security management solution includes functionality to track/monitor vulnerability information related to network elements

19. Security management solution includes functionality for using external threat and vulnerability information sources

20. Security management solution includes reporting functionality/interface that can be used to generate reports about the security status for a specific time period

21. Security management solution supports automated risk management

ericsson.com/security


Mastering complete 5G network security

Ericsson has released a guide for mastering complete 5G network security

Security is critical for successful 5G business with an ecosystem of cloud native and distributed networks, private networks, network slices and IoT devices

Automation of security deployments and operations will be key to managing the increasing security complexity and risks

Download the guide:

https://www.ericsson.com/en/digital-services/core-network-automation/guide#networksecurity


Public Safety operator view

TCCA Webinar on Cybersecurity

A TETRA operator view

Harald Loktu, Head of Technology management and development, DSB

The Mission Critical Network – Nødnett (brand!)

• 86 % area coverage

• Ca. 100 % population coverage

• 110 indoor installations

• 99,92 % availability last month

• 27 railway tunnels with Nødnett installations

• 414 road tunnels with Nødnett installations

• 2 078 TETRA base stations

• 233 control rooms

• 60 281 subscriptions

• 1 488 040 calls last month

• 1 023 organizations

• 9 700 talk groups

Major Cyber attacks in Norway

Target: National assembly administration

Target: Regional hospital

Target: Major tech industry company

The threat landscape

Source: Telenor

Threat Pyramid

Threat Landscape for Nødnett

• Intelligence Report Summary (2019)

– Intelligence operations from state actors are the most comprehensive and offensive security challenges against Norway and Norwegian interests

– Digital operations initiated by state actors represent an everlasting threat against Norwegian values. Such operations are cheap, effective and continuously being improved

• DSB’s evaluation concludes that the threat landscape encountered by commercial mobile operators largely shows significant similarities with that of Nødnett

– Due to use of the same basic IT technology and architectures, weaknesses and vulnerabilities are inherited

What is there to be defended in Nødnett?

[Figure: Nødnett architecture. Elements shown: Nødnett base station, Nødnett radiolink, Access Network, Backbone, Nødnett Core Network & Functions (shown twice), Fire Control Rooms, Police Control Rooms, Health Control Rooms.]

• Confidentiality

• Integrity

• Availability

Cybersecurity frameworks

• A systematic approach based on agreed best practice

• Alternatives considered

– NIST (US based)

– ISO 27001

– National basic principles for ICT security

• Broad approach adopted

– Used elements from several frameworks

– Adopted National basic principles as overlay for all activities

1. Identify and survey

2. Protect and maintain

3. Detect

4. React and restore

Establishing insight on current status of Nødnett

• Cybersecurity revision by National Security Authority

• Identification of critical assets in Nødnett

– Data & information, systems, services

– Which are the most valuable assets to protect?

– How critical are they with respect to confidentiality, integrity and availability?

• Cybersecurity Risk Assessment

– Security risk analysis of Nødnett and Fire agency control rooms

– Analysis of physical security at selected location

– Specific gap analysis of the Nødnett systems and operations compared to NIST framework.

Some examples on measures taken

• Site locations and vendors

– Closing gaps on location security

– DSB has conducted security revisions and signed security agreements with selected vendors

– DSB has conducted vendor clearance of major vendors

• Solutions and services

– Connection to Norwegian digital border defence

– New high security data centre taken into use

– Regular updates/upgrades of Nødnett systems

Major upgrade of core network & functions

«Brains» of Nødnett – manages all traffic

• Reduce risk for national and regional loss of service

• Full hardware and software refresh allowing for new security functions and improved operations

[Figure: Nødnett architecture diagram. Elements shown: Nødnett base station, Nødnett radiolink, Access Network, Backbone, Nødnett Core Network & Functions (shown twice), Fire Control Rooms, Police Control Rooms, Health Control Rooms.]

Detecting and managing cyber attacks

• To handle cyber attacks, they should be detected as early as possible, managed accordingly and allow for restoration of operation back to normal, with minimum damage

– To achieve this, a common prerequisite is to have updated information on ongoing «activities» in relevant systems

• To support this requirement, a common approach is to establish 24/7 security monitoring

– Central logging database with tools for integration

– Monitoring of digital incidents in relevant systems

– Analysis of data related to digital incidents to detect if they are indicators of cyber attacks

• Establish capabilities for handling intended digital incidents

– Professional support from subject matter experts

– Have a team of trained staff to run a dedicated response team

• DSB is signing an agreement shortly, to provide these capabilities in operation of Nødnett

Questions?


User agency challenges

Cyber Security in Critical Communications

End User Challenges

19th May 2021

Over the next 20 minutes…

Increasing and evolving threats

A changing operational environment

Challenges and issues

Areas of focus and what should be addressed

Cyber Risk Continues to Grow

[Figure: three charts, with panels labelled Threat, Incidents and Risk.

Vulnerabilities 2000-2019 (number of vulnerabilities per year). Source: Westlands Advisory analysis of CVE Details.

Data Records Lost by Month, 2017-2019. Source: Westlands Advisory analysis of IT Governance.

Changing Attitudes to Cyber Risk, UK, 2018-2019. Series: % of businesses who conducted a risk assessment; % of businesses investing in threat intelligence; % of businesses where staff have been to training courses; % of businesses with cyber GRC policy; % of businesses with cyber ownership at board level; % of businesses with cyber policy for third party suppliers. Source: UK Cyber Security Breaches Survey 2019, UK Government Official Statistics, DCMS.]

• There is a gradual improvement in organisational approaches to risk.

• The cyber threat and vulnerabilities remain high.

• Cyber incidents are an important driver of investment in cyber security.

Threat landscape continues to evolve...

• 99.9% of accounts compromised do not have multifactor authentication

• There are Ransomware victims every 11 seconds

• $2.7 billion lost to victims of cyber crime in 2018

• 196 days on average to identify a data breach

• 65% of targeted attacks use spear phishing

• On average, only 5% of a company’s folders are properly protected

Sources: Symantec, Internet Crime Complaint Center, Microsoft, Varonis, IT Governance

Examples of attacks reported in 2020 and 2021

• Ransomware attack on Universal Health Systems diverted ambulances and surgery delayed

• Attacks on pharma to steal COVID-19 vaccine

• DDoS on New Zealand Stock Exchange

• Spanish railway firm Adif lost 800GB of data through a ransomware attack

• Seven semiconductor vendors in Taiwan targeted including source code, and chip design

• SCADA systems on wind turbines in Azerbaijan targeted

• Multiple attacks on airlines to steal passenger data, including easyJet

• Mitsubishi targeted and 8,000 PII data compromised as well as partner businesses.

• Australia subject to sustained state actor attack on government agencies

• Three telecom companies in Pakistan had IT systems compromised

• DarkSide attacks Colonial Pipeline taking operations offline and theft of sensitive data

• Hundreds of thousands of police department files leaked online

Growing focus on resilient systems to address the changing dynamic

RESILIENT SYSTEMS (Physical, Cyberspace)

• Identify: Develop an organizational understanding to manage security risk to operations, systems, people, assets, data, and capabilities.

• Protect: Develop and implement appropriate safeguards to ensure delivery of critical services, protection of people, infrastructure and information.

• Detect: Develop and implement appropriate activities to identify the occurrence or potential occurrence of a security event in the shortest time possible.

• Respond: Develop and implement appropriate activities to take action regarding a detected security to reduce any threat to life and limit any disruption or damage.

• Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a security incident

Source: WA Analysis, NIST Framework, NCSC Cyber Assessment Framework

[Figure labels: Legacy Equipment; New Tech; Policy & Legislation; Growing Security Industry]

Increasing adoption of digital technology across operations

[Figure: PEOPLE (Engage), OPERATIONS (Improve), INFRASTRUCTURE (Enhance), TECHNOLOGY (Enabler). Other labels: Information Sharing, Training, Communication, Streamline, Prioritise, Deliver, Identification of Threats, Data Centric, Digital replaces analog, Connectivity.]

Digital approach to operations provides a better service to the public

1. Data aggregation, workflow integration and visualisation

2. New operational and enterprise value

Driving better operational performance but creating potential vulnerabilities

[Figure labels: Artificial Intelligence; Data; Digital Ecosystems; Virtual & Immersive; Communications; Computing; User Experience; Productivity; Security & Risk; Performance; Operational; Financial]

Resilient Systems at the Core of Operations

[Figure: operational systems surrounding RESILIENT SYSTEMS (Identify, Protect, Detect, Recover) in Cyberspace.

Operational labels: Command & Control Layer; Operations; Reporting; Analytics; Integration; Access Control; Video Surveillance; Critical Communication Networks; Vehicles; Data Storage; RMS; PND; GIS, CAD, PSAP; Cloud; Biometrics; Unmanned Systems; Services; Connected Officers; Body worn video.

Data types: Voice; Emails; Online; Social Media; Sensors; Video; Images; Text.

Security capability labels: Asset Discovery & Management; Governance, Risk & Compliance Platforms; Cyber Security Awareness & Training Platforms; Vulnerability and Penetration Testing Platforms; Threat Intelligence; Identity & Access Management (IAM); Vulnerability (VM) & Threat Management; Data Security; Unified Threat Management (UTM); Application Security; Cloud Security; Mobile & Endpoint Security; Anomaly Detection; User Behaviour Analytics (UEBA); Deception Technologies; Threat Hunting; Security Information & Event Management; Security Orchestration & Automated Response; Managed Detection & Response Platforms; Incident Response & Forensics; Business Continuity Platforms.]

Information Security Requirement versus Operational Requirement Shapes the Ecosystem

The IT security triad of CIA must evolve to meet the safety critical requirements of process industries. Security must ensure CIA of operational data without compromising safety, reliability or performance of critical systems.

[Figure: Information Requirement (Information): Confidentiality, Integrity, Availability. Operational Requirement (Products & Processes): Reliability, Safety, Performance.]

OT Security Requirement: Protecting operational data whilst ensuring reliable, safe and high performance operations.

Focus Areas for the Foreseeable Future

• IDENTITY AND AUTHENTICATION

• NETWORK AND ANOMALY DETECTION

• ASSET DISCOVERY

• DATA AND CLOUD SECURITY

• THREAT INTELLIGENCE

• ZERO TRUST

Final Thoughts – What Can be Addressed

• TRAINING

• CULTURE

• AWARENESS

• FRAMEWORKS

• BEST PRACTICE

Contact

Anthony Leather

[email protected]

www.westlandsadvisory.com


Search for best ways to address gaps


YOUR CONTRIBUTION REQUIRED


Thoughts based on network view

• Is there a difference in security policy between critical communications vs. Business/Enterprise sectors?

• Are there particular vulnerabilities for critical communications? How about hardening aspects?

• What is the impact of dynamic updates on different layers?

• Is there anything critical communications specific that should be included in NESAS / SCAS?

• Do we need a cyber security related procurement guide?


Thoughts based on public safety operator view

• What would be the requirements for 3rd party access network/backbone for critical communications?


Thoughts based on user challenges

• Is some guidance to take legacy equipment into account required?

• How to share information (of mixed confidentiality levels) between stakeholders in a cyber secure way?

• How can these low-tech threats / vulnerabilities be closed off effectively?

• Critical communications cyber security training needs?

• How to bridge the gap between IT and OT cybersecurity?


Gaps

Information sharing and training – why & what

Identify additional vulnerabilities & threats

How to address dynamic updates impact?

Industry best practices for critical comms

What does zero trust mean in critical communications?

Ways to optimise information classification

How to build a plan? Evaluate relevant directives


Next steps


• Is a new TCCA Working Group / Task Force(s) or similar format required to address these and related issues?

• If so, is there volunteer support to contribute to such a group?

• Is there interest to contribute to the identified gaps?


Tero Pesonen

TCCA Vice Chair & Director, CCBG chair

E-mail [email protected]

Mobile +358 50 544 7347

LinkedIn fi.linkedin.com/in/teropesonen

Facebook www.facebook.com/tandcca

Twitter @tandcca

YouTube www.youtube.com/user/tandcca

TCCA CCBG https://tcca.info/broadband/critical-communications-broadband-group/

Find TCCA also on

LinkedIn www.linkedin.com/company/tcca-critical-communications/

Facebook www.facebook.com/tccacritcomms

Twitter @TCCAcritcomms

YouTube www.youtube.com/user/tandcca


Key items coming up in Q2/21

• May/June:

  • Session on Critical Communications 3GPP Rel 18 common view

  • CCBG Task Force launches

    • Callout

    • MC (massive) video

  • CCBG white paper reviews

    • Broadband applications

    • Device API

    • Device Procurement

• 15th June ETSI FRMCS plugtests – observer program

• 2nd July: TCCA Legal and regulatory working group kick-off