Mobile Telecom Security Landscape Blog: July 24

Our July blog post discusses cryptographic and software bills of materials, GSMA’s Mobile Threat Intelligence Framework and physical security threats to critical infrastructure.

OWASP CycloneDX have recently announced their Authoritative Guide to CBOM, Implement Cryptography Bill of Materials for Post-Quantum Systems and Applications.  CycloneDX was developed for the software supply chain including use to capture a software bill of materials (SBOM).  The main objective of a CBOM is to provide a construct that allows modelling of cryptographic assets in a structured format.  Knowing one’s cryptographic inventory is an essential first step in building a robust cryptographic migration plan to a quantum-safe regime – a topic linked to in the previous post about the GSMA’s Post Quantum Telco Networks group.  As an aside, last month, our blog reported the activity in the UK to establish their UK Telecommunications Lab (UKTL).  More recently, additional detail was observed on the Indian approach to telco equipment testing.  GSMA has its own accredited test labs linked to the NESAS Scheme.
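To illustrate the inventory step that a CBOM enables, here is an added example (not taken from the CycloneDX guide or from GSMA material) that reads a CycloneDX 1.6 CBOM and lists the algorithms to review for quantum-safe migration, together with the components that depend on them. The sample BOM and every component name in it are constructed, and the function name `migration_worklist` is hypothetical.

```python
import json

# Constructed sample CBOM using CycloneDX 1.6 field names; all component data is made up.
SAMPLE_CBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6",
 "components": [
  {"type": "application", "name": "billing-api", "bom-ref": "app/billing-api"},
  {"type": "library", "name": "example-tls-lib", "bom-ref": "lib/example-tls"},
  {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "crypto/rsa-2048",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
     {"primitive": "pke", "nistQuantumSecurityLevel": 0}}},
  {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "crypto/aes-256-gcm",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
     {"primitive": "ae", "nistQuantumSecurityLevel": 5}}},
  {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "crypto/ml-kem-768",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
     {"primitive": "kem", "nistQuantumSecurityLevel": 3}}},
  {"type": "cryptographic-asset", "name": "ECDSA-P256", "bom-ref": "crypto/ecdsa-p256",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
     {"primitive": "signature"}}}
 ],
 "dependencies": [
  {"ref": "app/billing-api", "dependsOn": ["lib/example-tls", "crypto/ecdsa-p256"]},
  {"ref": "lib/example-tls", "dependsOn": ["crypto/rsa-2048", "crypto/aes-256-gcm"]}
 ]}
""")

def migration_worklist(cbom):
    """Map each algorithm that needs attention to the components that depend on it."""
    users = {}  # bom-ref of an asset -> names of components that list it in dependsOn
    names = {c.get("bom-ref"): c.get("name") for c in cbom.get("components", [])}
    for dep in cbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            users.setdefault(target, []).append(names.get(dep["ref"], dep["ref"]))
    worklist = {"not_quantum_safe": {}, "unclassified": {}}
    for comp in cbom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue
        level = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")
        if level is None:      # no level recorded: cannot be assumed safe, review by hand
            bucket = "unclassified"
        elif level == 0:       # 0 = meets none of the NIST PQC security categories
            bucket = "not_quantum_safe"
        else:
            continue
        worklist[bucket][comp["name"]] = sorted(users.get(comp.get("bom-ref"), []))
    return worklist

if __name__ == "__main__":
    print(json.dumps(migration_worklist(SAMPLE_CBOM), indent=2))
```

Assets with no recorded `nistQuantumSecurityLevel` are reported separately rather than treated as safe, since an incomplete inventory is itself a migration risk.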

On the subject of SBOM, take a look at this interesting summary of the topic.  It has a great discussion on leveraging the SBOM and integrated vulnerability management (i.e. the main point of having an SBOM is not its existence per se but to be able to extract operational value).  Also, note a new release from CISA covering software transparency in Software-as-a-Service (SaaS) environments.  This is an angle that has not often been discussed as more focus has been placed on software transparency in packaged software.  The paper identifies four key differences for SaaS:

(1) the frequency at which SaaS is updated;

(2) the volume of software and services intertwined with SaaS;

(3) the lack of definitive boundaries that determine the horizontal and vertical extent of software composition data;

(4) the opacity of SaaS systems.

The Mobile Threat Intelligence Framework (MoTIF) developed within the GSMA’s Fraud and Security Group (FASG) is the first version of a framework for describing, in a structured way, how adversaries attack and use mobile networks, based on their tactics, techniques and procedures (TTPs).  MoTIF is focused on mobile network-related attacks that are not already covered by existing public frameworks like MITRE ATT&CK® and MITRE FiGHT™. MoTIF is intended for GSMA member and non-member use.  FS.57 MoTIF Principles provides an overview of MoTIF and defines the techniques and sub-techniques used in the framework. It also describes how MoTIF can be represented in STIX, a structured language for describing cyber threat information. The main focus of work until now has been around capturing cyber attack types; however, further work is underway to examine how MoTIF could be applied to fraud threats.

In the 2023 GSMA Mobile Telecommunications Security Landscape report, there is content relating to attacks on critical national infrastructure such as submarine cables. Given the lengthy mean-time-to-repair for infrastructure compromises, resilient network design, with adequate redundancy and effective pre-emptive physical protection controls, is key to building effective defences.  The establishment of the NATO Maritime Centre for Security of Critical Undersea Infrastructure (CUI) was reported.  The initial operating capability focuses on networking and a knowledge hub to aid decision-making and action coordination.  Linked to this topic, there were some great talks at the recent 2024 Telecom & Digital Infrastructure Security Forum.  One of the talks referred to a report from the European Commission, Cybersecurity and resiliency of Europe’s communications infrastructures and networks.  The report identified a number of threat types including physical attacks and sabotage targeting data centres, underground cables, submarine cables, cable landing points or satellite stations. 

The full threat list is: wiper/ransomware attacks, supply chain attacks, attacks on a Managed Service Provider(s) (MSP), network intrusions, distributed denial-of-service (DDoS), physical attack/sabotage, nation-state interference on a supplier, interconnection attacks, power cuts affecting communications networks and infrastructures, and insider threats.

If you’d like to discuss these themes or to get more closely involved, please email [email protected].