Measuring Mobile Network Security 

  • Blog
  • August 07, 2024

Silke Holtmanns

Telecommunication security expert, PwC Finland


In today's interconnected world, mobile networks have become the backbone of our daily lives. They serve as the crucial communication infrastructure that keeps society functioning smoothly. From powering the energy sector and managing bustling harbors to ensuring security in defense operations, enabling smart city technologies, and supporting hospital operations, private mobile networks are indispensable in countless critical settings. 

This prominence, however, paints a big target on their back. All of these sectors rely on equipment from vendors, integrators, or service providers, and many of these organisations have little to no knowledge of telecommunication security, as it is not their primary focus. Yet they all recognise the need for secure and resilient mobile networks.

Purchasing decisions often hinge on price points and services, such as bandwidth, the number of connected devices, and coverage. Security is frequently taken for granted. Companies need to ask themselves why a vendor would invest in security if there is no clear benefit, only additional costs. In a market with tight margins, it might seem more practical to stick to the bare essentials. 

If a company wants security, it must specify and demand it in the contract and ensure its delivery, just like any other software, hardware, or service. But how do you measure mobile network security? What kinds of questions should be asked of vendors? 

Baseline Security 

To start with baseline security, consider the 3rd Generation Partnership Project (3GPP) Security Assurance Specifications (SCAS). This set of specifications defines test cases for the basic security measures that should be in place in each type of network node; in practice, SCAS testing is usually delivered through a scheme such as the GSMA NESAS. Here are some important points to consider when requesting SCAS test results from a vendor:

  • SCAS Specifications: Determine if the nodes you plan to purchase have a SCAS specification. Not all nodes do. For those without SCAS, seek out trustworthy tests or other certification schemes like Common Criteria. 
  • Latest Standards: Ensure tests are conducted according to the latest SCAS standards, as threats evolve continuously. 
  • Independent Testing: Verify that an independent entity performed the tests, especially if the nodes do not have a SCAS specification. 
  • Additional Security Tests: Check if additional security tests, such as independent penetration testing, were conducted and understand what those tests really entail. 

Supply Chain Security 

Supply chain security is becoming a mandatory requirement for many businesses, particularly due to regulations like NIS2. Here are some selected items to evaluate a vendor's supply chain security: 

  • Secure Software Development: What processes are in place to prevent the inclusion of malicious or compromised third-party software? 
  • Developer Training: Does the supplier or integrator provide job-specific training to their developers? 
  • Software Bill of Materials (SBOM): Can the supplier provide a complete, machine-readable SBOM (for example in SPDX or CycloneDX format) that covers third-party and open-source components, and keep it current with every software update?
  • Right to Audit: Do you have the right to audit the supplier or access independent audit results? 
  • Incident Notification: What procedures are in place to inform customers about major breaches, such as a compromised software development environment? 
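A "full" SBOM is one you can actually act on: every component has a name, a version, a package identifier and a hash, and the dependency graph only refers to components that are listed. The following check is an added example written for this post, not PwC or 3GPP tooling; the two-component SBOM inside it is constructed for illustration, and the field names follow the public CycloneDX JSON layout.

```python
"""Completeness check for a vendor-supplied SBOM in CycloneDX JSON layout.

Added example, not code from the original post. SAMPLE_SBOM is a
constructed document standing in for what a vendor might hand over.
"""
import json

# Constructed sample: one complete component (openssl), one that is
# missing version, purl and hash, and a dependency on a ref that is
# not declared anywhere in the document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "amf-1", "name": "amf", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11",
         "name": "openssl", "version": "3.0.11",
         "purl": "pkg:deb/debian/openssl@3.0.11",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "libfoo", "name": "libfoo"},
    ],
    "dependencies": [
        {"ref": "amf-1",
         "dependsOn": ["pkg:deb/debian/openssl@3.0.11", "libfoo", "ghost-ref"]},
    ],
})

# Fields every component must carry before it can be matched against
# vulnerability feeds and verified against the delivered artefact.
REQUIRED = ("name", "version", "purl")


def check_sbom(text):
    """Return a list of (bom_ref, problem) findings; an empty list means the SBOM passes."""
    sbom = json.loads(text)
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append(("<root>", "not a CycloneDX document"))
    components = sbom.get("components", [])
    if not components:
        findings.append(("<root>", "no components listed"))

    # Refs that dependency entries are allowed to point at: the product
    # itself (metadata.component) plus every listed component.
    known = {sbom.get("metadata", {}).get("component", {}).get("bom-ref")}
    for c in components:
        ref = c.get("bom-ref") or c.get("name", "<unnamed>")
        known.add(ref)
        for field in REQUIRED:
            if not c.get(field):
                findings.append((ref, f"missing {field}"))
        if not c.get("hashes"):
            findings.append((ref, "no hash, artefact cannot be verified"))

    # Dangling refs mean the graph is incomplete: something ships that the
    # document does not describe.
    for dep in sbom.get("dependencies", []):
        src = dep.get("ref")
        if src not in known:
            findings.append((src, "dependency entry for unknown component"))
        for target in dep.get("dependsOn", []):
            if target not in known:
                findings.append((src, f"depends on unknown ref {target}"))
    return findings


if __name__ == "__main__":
    for ref, problem in check_sbom(SAMPLE_SBOM):
        print(f"{ref}: {problem}")
```

Run against a real delivery, any non-empty result is a contract conversation: a component without a version cannot be matched to a vulnerability advisory, and one without a hash cannot be tied to the binary that was actually installed.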

Managing Vulnerabilities 

No security is perfect, so it’s best to be prepared and account for vulnerabilities during procurement: 

  • Remediation Time: What is the expected time frame for remediating vulnerabilities in the acquired network, and does this match the vendor's average remediation time? 
  • Network Lifecycle: Is the support for spare parts, incident handling, patching, and updates aligned with the expected lifetime of the network? 
  • Proactive Information: Will the customer receive proactive vulnerability and threat information from the vendor, or must they source this information independently? 
  • Incident Reporting: Governments often have strict guidelines for incident notification timelines. Does your vendor provide sufficient support to meet these regulatory requirements? 

There are numerous other items required to properly capture security for mobile networks in a contract and during the procurement process, but the points above should serve as a starting point for any company looking to acquire mobile network software, hardware, or services. For more details, feel free to contact us to discuss the hard security requirements for your use case.

