Mobile Telecom Security Landscape Blog: November 25

Welcome to the November blog.  This month we discuss risk and threat management.  The range, velocity and dynamics of the current threat landscape make it challenging to adequately address every threat in every dimension. The effective impact of security interventions can be maximised through a risk management approach. Threat and risk assessment allows identification of the most likely and impactful risks considering the technical security threats to which the business may be exposed given its architectural design, legacy network estate, supplier selection, enabling technologies, operation and support arrangements, and software builds, etc.

In the August blog, we provided an update on the revised GSMA Supply Chain Toolbox.  Included in the toolbox was a section addressing the benefits of layered defences that go beyond those delivered by a single set of supply chain controls.  The defensive layers can include security standards, national regulations, industry best practice and company security practices.  The remaining set of controls may be thought of as risk-driven bespoke controls. 

By focusing on the areas of threat/risk, a business can examine the gross risk likelihood and impact.  Then, considering the effect of existing controls and mitigations, a net risk position can be determined. A review of this net risk position can assess whether the risk profile is within the company risk tolerance or whether additional controls and mitigation activity are required to further reduce the net risk position.

Risk management is a broad process that identifies, assesses, and manages all types of risks facing an organisation.  Risk management aims to protect an organisation from potential losses or threats.  The process is described in the Risk Management section of strategic security controls within the GSMA Mobile Telecommunications Security Landscape 2025 report – download and take a look at that and the wider content.

Threat intelligence-informed modelling focuses specifically on security threats to a system or application, i.e. those that might compromise confidentiality, integrity and/or availability (CIA). Threat modelling aims to identify and mitigate security vulnerabilities.

Some risk treatment options are:

  • Accept the net risk position
  • Share the risk through a new delivery arrangement
  • Avoid the risk, e.g. by closing a platform, system or access
  • Transfer the risk to another party, perhaps through a revised supply arrangement
  • Reduce the risk by implementing additional security controls or architectural re-design to limit the impact and/or reduce the likelihood of a successful attack

Threat and risk assessment can be applied to understand the overall security of the solution. This can be applied in a Secure by Design approach across the system development lifecycle from idea/concept to operations.

  • Analysis & Planning: Impact Assessment of architectural design choices and overall cost base
  • Procurement: Assess risk coverage provided by responses and likely cost of residual risk.  This, in turn, supports the development of a business case and selection
  • Design & Build: Use threat modelling in architecture and design guidance and reviews, by identifying threats and mitigations of vulnerabilities
  • Validation: Penetration Testing to verify approach
  • Deployment: Use threat assessment to inform approval to go live after vulnerabilities and risk have been fixed, baseline regression testing, defect management plan tracking etc.
  • Operations & Monitoring: Continuous security assurance activities, risk management, security awareness and training

There are many different risk and threat modelling approaches used within a telco environment including:

To examine one use case a little further, let’s look at attack trees.  The UK’s NCSC has published a report examining the systematic analysis of a telecoms network from an attack tree perspective.  The idea is to identify possible attack approaches from an attacker’s perspective and then break these down into different categories of attack type, which can then be considered against the effects of existing controls.  The approach began by drawing upon existing threat and attack data, global attacks on telecoms systems, practical input from industry security practitioners and international security standards. From this data, a series of attacks was pulled together into ‘attack trees’. Each attack tree was assessed for its relative likelihood and risk of success.  From this analysis, the most important risks can be listed.  Security controls and mitigations can then be considered so that the net risk position is at an acceptable level for the business.
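To make the gross/net risk position and the attack-tree ranking described above concrete, here is an added example (not code from GSMA or from the NCSC report). The tree, the leaf likelihoods, the control effectiveness values and the likelihood-times-impact scoring are all constructed assumptions for illustration:

```python
"""Attack-tree risk evaluator (constructed example, not GSMA/NCSC code).
Leaves carry a gross likelihood and the controls applied to them; each control
is assumed to remove an independent share of that likelihood.  OR nodes succeed
if any child path succeeds, AND nodes need every child.  Risk = likelihood x impact."""
import math
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    likelihood: float = 0.0       # gross likelihood of a leaf step, 0..1
    controls: tuple = ()          # assumed effectiveness of each control, 0..1
    children: list = field(default_factory=list)


def likelihood(node, apply_controls):
    """Probability the (sub)goal is achieved, gross or net of existing controls."""
    if node.kind == "LEAF":
        p = node.likelihood
        if apply_controls:
            for eff in node.controls:
                p *= 1.0 - eff    # each control independently reduces the residual
        return p
    probs = [likelihood(c, apply_controls) for c in node.children]
    if node.kind == "AND":
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - q for q in probs)   # OR: at least one path succeeds


def risk_positions(root, impact):
    """Return (gross_risk, net_risk) for the root goal as likelihood x impact."""
    return likelihood(root, False) * impact, likelihood(root, True) * impact


def within_tolerance(root, impact, tolerance):
    return risk_positions(root, impact)[1] <= tolerance


def ranked_paths(root):
    """Root-level attack paths ordered by net likelihood, most important first."""
    return sorted(((c.name, likelihood(c, True)) for c in root.children), key=lambda t: -t[1])


# Constructed tree: compromise of a signalling node via a supplier remote-access path
# (two steps that must both succeed) or via an exposed management interface.
SAMPLE_TREE = Node("Compromise signalling node", "OR", children=[
    Node("Supplier remote access path", "AND", children=[
        Node("Phish supplier engineer", likelihood=0.5, controls=(0.6,)),      # awareness training
        Node("Reuse engineer credentials", likelihood=0.8, controls=(0.9,)),   # MFA on remote access
    ]),
    Node("Exposed management interface", likelihood=0.2, controls=(0.5, 0.5)),  # ACLs + monitoring
])
```

With an impact of 5 the sample tree scores a gross risk of 2.6 and a net risk of about 0.33, and the exposed management interface remains the highest-likelihood path after controls, which is the kind of ranked output the assessment feeds into the treatment decision.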

To conclude, consider developing in-depth expertise and tools in a risk / threat framework that works for your environment.  The aim is to apply knowledge from risk insights to provide impactful multi-layered defensive technologies.  The GSMA Mobile Cybersecurity Knowledge Base (MCKB) has been updated to add links to additional security guidance and now features a section dedicated to risk management.