Mobile Telecom Security Landscape Blog: January 25

Welcome to 2025 and our January blog. This month, we discuss the benefits of multi-layer defences. Unfortunately, we continue to see attacks directly on mobile network operators. A single or basic security defence can only do so much to protect against attacks, whereas multi-layer defences can work in concert to provide effective defence.

There have been a number of attacks on operators throughout 2024. One response to this type of attack explained the security approaches in place and how layered defences helped defend against the attack.

This layered approach was captured in an infographic released by the UK’s National Cyber Security Centre that illustrates the cumulative effect of multiple security layers in defending against phishing attacks. The security layers identified in the infographic include email filtering services, user training, user reporting of suspect emails, effective patching regimes, security operations to detect malware (allied to message reporting and blocking) and, finally, direct intervention on the device.

More generally, the layers can be driven by a range of external and internal factors and include:

  • International Security Standards such as 3GPP, ETSI and IETF.  In large part, industry-developed international standards have had huge success in developing mobile network specifications that deliver multivendor, interconnected networks from the early 2G GSM networks on through 5G today. 
  • Industry Best Practice. There is a range of industry security best practices that can be adopted, notably GSMA’s set of Fraud and Security recommendations. These fraud and security best practices are developed and ratified by industry experts using their real-world experience and cover the end-to-end scope of mobile networks from the device, the mobile network, interconnect and signalling. The GSMA has developed baseline security controls to help mobile network operators understand and develop their security posture to a foundation (base) level.
  • Industry Assurance and Certification. Global industry assurance and certification schemes offer a route to assure a common level of security, enabling re-use of equipment, designs and documentation with global recognition. Whilst there is a range of assurance and certification schemes in existence, this blog notes the NESAS Scheme developed by GSMA and 3GPP that defines a globally applicable security baseline that network equipment vendors can meet.
  • National Regulations. There is an increasing range of national and regional regulations covering cloud, IoT, AI, data protection and network security. Strict national controls will often necessitate a design, configuration and operational response from operators and product vendors. That response should be aligned with the baseline of security already in place through the use of international standards, industry best practices and global assurance and certification schemes. Alignment allows the maximum benefit to be extracted from existing controls; additional security measures can then be established on top, on a risk basis.
  • Company Security Practices.  Every operator will have established security controls and approaches, procurement requirements, penetration test schemes, known improvement activities and security operations experience that have been shaped and refined over time.  These will reflect the installed network and can be improved as network enhancements are planned and delivered. 
  • Risk-driven Controls. Given that a strong security base will have been established from the previously described security approaches, a bespoke risk management activity can be used to identify and assess any residual areas of weakness or tactical mitigations that may enhance the overall security posture.

A holistic and efficient security strategy may be composed of multiple layers. The combination of security controls taken from each layer builds to deliver a bespoke security solution for each operator. Efficient and cost-effective security approaches can be delivered by matching security controls to the threat model, understanding the security benefits built in by lower-level and existing security controls, and customising the security decisions at the higher levels. Areas showing coincident requirements indicate potential duplication, meaning it might be possible to remove duplicate controls. There are initiatives (e.g. the CIS Controls Navigator) to assist in mapping the variety of security controls to understand efficient security risk coverage.

The benefits of multi-layered defences are clear and can be applied across multiple frameworks.  The resulting set of security approaches can build an effective and efficient overall security strategy.

If you’d like to discuss these topics or to get more closely involved, please email [email protected].