PARTNER FEATURE: Security experts from Orange and Omantel were joined by other operator and industry representatives to discuss progress in implementing industry association GSMA’s Mobile Cybersecurity Knowledge Base (CKB) in a dedicated session held as part of the GSMA M360 UK Mobile Security and Industries event in London.

Representatives from 16 global operators and more from ecosystem players attended the briefing, during which speakers emphasised the need for unity when tackling security challenges raised by growing deployments of 5G technology.

Samantha Kight, Head of Industry Security at GSMA, explained action was needed due to an increasingly fragmented security landscape.

“We know that mobile networks are crucial to society and they need to be robust and reliable. The security requirements are at risk of fragmentation, we’re already seeing that,” Kight explained.

As the name suggests, the initiative aims to enable companies in the mobile industry to understand, map and mitigate current and likely future security threats.

The GSMA issued the guidance in 2021 as it moved to address emerging threats to the mobile ecosystem by conducting a thorough analysis of risks, speaking with industry experts from operators, vendors, service providers and regulators.

“We want it to be best-practice across the industry”, Kight said, noting the goal is to deliver a comprehensive knowledge base “for all players”, not just mobile network operators.

The Mobile CKB leverages best practice from industry standard organisations and groups including 3GPP, ENISA and NIST, with all of the information used to link potential threats to effective security measures.

Results of this analysis was collated by the GSMA to create the knowledge base, which the association describes as providing “useful guidance on a range” of mobile “security risks and mitigation measures”.

The Mobile CKB offers GSMA members access to guidance from a broad range of industry experts, with the goal of improving overall trust in next-generation networks and services to “make the interconnected world as secure as possible”.

The Mobile CKB is not a static entity, with Kight noting the GSMA plans to continue working with the ecosystem to evolve the advice and measures as fresh threats emerge to ensure all industry players understand the potential dangers faced by all generations of mobile networks today.

Collaboration is key. The Mobile CKB is designed to enable and encourage operators, service providers, vendors, regulators and application developers to work together on protecting networks and services against disruption and unauthorised access, alongside prevention and mitigation efforts.

The Mobile CKB enhances the ecosystem’s security competence by providing detailed instructions on how to establish trust and offer security assurance in end-to-end networks.

In action
During his presentation, Eric Gauthier, Director Technical Fraud and RA with Orange, highlighted growth in the attack surfaces as the industry evolution to 5G continues.

Virtualisation means operators will “rely more and more on external service providers”, for example cloud-based managed services, all of which must be considered from a security perspective.

The network slicing capabilities of 5G networks are another area operators must consider, along with a rising number of app developers creating services which “take advantage of all the network functions”, Gauthier said.

Gauthier (pictured standing, left) highlighted the importance of FS.31 which provides baseline security controls within a suite of Mobile CKB information also covering threats and potential solutions.

Gauthier noted FS.31 is “structured according to how an operator is structured,” to enable them to take individual controls and develop those with specific teams within the operator.

Omantel experience
Muhammad Moqeet ur rab, Senior Manager for Security Architecture and Operation with Omantel, referred to the FS.31 document as a “lifeline” which offers the tools to provide networks with “resilience, protection against attack” and safeguards.

Like Gauthier, he explained the document is designed to work with operators’ current systems, in particular in-house security teams: “this document can be used while you are evaluating all the…requirements”.

Various other documents within the Mobile CKB provide “a complete view of the entire network”, which Moqeet ur rab explained help Omantel to decide strategies for end-to-end security spanning several years.

Moqeet ur rab (pictured, left) noted internal collaboration has been a key element in Omantel’s approach to employing the Mobile CKB, aiding it in marrying together the work of the various teams outlined by Gauthier by creating proposals for the Omani operator’s management.

Once a green light is given, the operator developed relevant controls, for example for RAN, which can then be employed by internal departments to create guidelines which Omantel uses to “start a comprehensive assessment” of the security needs and approaches.

The process enabled Omantel to identify weaknesses in existing security set-ups “and also where we need to plan” for future threats.

Of course, no operator is an island and the whole point of the Mobile CKB is a broad collaboration from all players in the ecosystem. Like Orange, Omantel is feeding what it learns when implementing updated security measures back into the knowledge base. The process is “not like a one-time exercise. This is continuous improvement and we need to do complete monitoring”, testing and assessment.

For more information on the Mobile CKB, click here.