Holistic cybersecurity governance generates resilient telecommunications services in the 5G world • The Register



Sponsored Driven by multi-cloud trends and the rise of 5G and edge computing, booming technologies such as the Internet of Things (IoT), big data and artificial intelligence are transforming the technological landscape. On the other hand, cybersecurity challenges are escalating as cyber threats grow around the world.

For communications and digital service providers, a security-focused approach has become mandatory for telecommunications equipment and computer systems – the two primary supporting infrastructure platforms in cyberspace.

This is where ZTE Corporation’s holistic cybersecurity governance structure underpins its development strategy. The goal is to help operators and service providers mitigate security risks and fend off cyber threats. Security assurance is defined by compliance with best practices and standards, constant checks to discover and mitigate threats, and full openness for external compliance checks.

To achieve this, ZTE focuses on three factors:

  • ZTE Cybersecurity Governance implements and manages security by design and by default. The entire life cycle of products and services is governed by an internal security policy, which incorporates best practices, standards, regulatory requirements as well as specific customer requests.
  • Compliance with best practices and standards is verified for processes, products and services.
    • At the global enterprise-wide level, ZTE has implemented ISO 27001 for information security; ISO 28000 for supply chain security; and ISO 22301 for business continuity management.
    • At the product level, ZTE has passed CC (EAL3+) certification for its 5G RAN solution; GSMA Network Equipment Security Assurance Scheme (NESAS) audit and security assurance specifications (jointly defined by 3GPP) for its 5G Core and RAN products; ISO 27701 privacy information management standard for its 5G NR and Unified Management Expert products; and BSIMM for software security, including the supply chain.
    • ZTE also adopts several industry best practices such as the NIST Cybersecurity Framework to manage supply chain security and engineering services security.
  • ZTE’s cybersecurity laboratories in Nanjing, Brussels and Rome favor openness and transparency. They enable global customers, regulators and other stakeholders to perform independent security assessments of products, services and processes. The laboratories provide a platform for source code review, document review, penetration and compliance testing, and knowledge transfer for collaboration, capacity exchange and certification.

Security guarantee

Based on its security governance model, ZTE’s approach to device security not only integrates security policies into each phase of a product’s lifecycle, but also implements its cybersecurity assurance mechanism throughout the lifecycle.

This approach encompasses product R&D, supply chain, production, engineering services, security incident management, independent verification and audits. Specifically, it starts with R&D, which addresses security issues, continues through the phases of product development that implement security by design, and extends to the product lifecycles and key processes that guard against security defects.

The assurance of reliable networks for the entire supply chain also extends to the qualification of subcontractors and the control of third-party components. This implies that, from the earliest stages of production, ZTE’s products are tested against industry standards and best practices, which are used as a minimum benchmark for equipment safety.

“A formal structure is in place that reviews test results and provides the veto power that is used when non-compliances are identified,” says Mr. Antonio Relvas, ZTE’s director of cybersecurity strategy. “An analysis of appropriate risks is in place which may result in a tested product or a rejected version. These measures result in ensuring that the equipment delivered and installed in our customers’ networks is as secure as possible and that it is installed and configured with the appropriate secure defaults, for example denying all access, unless explicitly authorized.”

Security flaws and vulnerabilities are disclosed transparently, and fixes are quickly communicated to customers and other stakeholders. ZTE’s Product Security Incident Response team identifies and analyzes security incidents, tracks incident management processes, and communicates closely with internal and external stakeholders to disclose security vulnerabilities in a timely manner.

Network resilience

With the advent of 5G, ZTE’s communications equipment is designed to secure global carrier interconnections and end-to-end connectivity while facilitating rapid incident response.

In line with this goal, ZTE is actively involved in standards organizations and industry associations, including the 3rd Generation Partnership Project (3GPP), the European Telecommunications Standards Institute (ETSI), the Global TD-LTE Initiative (GTI), the International Telecommunication Union (ITU), the Global System for Mobile Communications Association (GSMA), and the Forum of Incident Response and Security Teams (FIRST), as well as CVE Numbering Authorities (CNA).

Engagement in these industrial ecosystems enhances ZTE’s technical strength by enabling operators to deliver resilient telecommunications services – i.e. security by default, security by design – for their 5G deployments.

“5G is a game changer,” says Relvas. “New services, architectures and technologies, as well as higher requirements for privacy and user protection will bring security challenges and opportunities.”

Already, 5G access and core networks that allow interconnections and interoperability between providers via standard protocols include security protection mechanisms. “For example, we need to consider access authentication for third-party slicing service providers and secure use of ICT resources as part of a broad adoption of cloud architecture in 5G,” adds Mr. Relvas.

Operators need to strengthen their security posture in three areas:

  • Their management plane, where the administrative activity of the network infrastructure takes place;
  • The international signaling plane, which allows operator networks to connect to each other and reach each other’s services;
  • Virtualized networks, which form the basis of the operator core running new services and workloads.

“These new ‘workloads’ create a security problem from a network design and implementation perspective,” says Relvas. “They require operators to continuously monitor operations while taking advantage of real-time industry-wide collaboration and joint responses to emerging threats.”

Countries and regions need to establish basic certification to ensure that vendor products and the 5G implementations that use them are as secure as possible. With the growing adoption of IoT and connected devices over mobile broadband, secure 5G networks are essential to support the expected increase in applications.

“Some countries require operators to perform a risk assessment of their solution architectures, including the vendors and the equipment they use in their 5G networks, from the products to the supply chain that supports the solutions,” said Mr. Relvas. “It is obvious that the effort, time and cost required for an operator to perform such tasks can be facilitated by the support of suppliers.”

Vendors should test their products and ensure that the services provided are as secure as possible. “Such supplier assurance will make the work of operator risk assessment easier and possible within the necessary timeframe,” says Relvas. “This is the case for ZTE, with CC certification, GSMA NESAS / 3GPP SCAS and the use of cybersecurity labs if further testing is required.”

Mr. Relvas also claims that ZTE is the first vendor to have CC certifications in place for a full set of 5G RAN products and one with the highest number of 5G products certified under GSMA NESAS.

Sponsored by ZTE

