Five reasons private mobile network security will ascend the CISO priority list in 2023 | OneLayer

Question

Accepted Answer

If you ask a typical CISO about their ‘worry list,’ private mobile network security probably isn’t on there today. After all, most security leaders already have their hands full defending employee endpoints, traditional enterprise networks, and an ever-expanding cloud footprint.

Plus, most are accustomed to leaving mobile network security in the hands of mobile network operators (MNOs). But the growing use of private LTE and 5G networks and other technology developments in the mobile industry will thrust mobile network security onto the enterprise CISO agenda in 2023.

Here are five reasons why.

As IoT and private mobile network usage accelerates, device security will become significantly more complex

In industries like utilities, manufacturing, healthcare, and mining, Internet of Things (IoT) sensors are rapidly moving from the lab to the real world. The data insights that can be gained from IoT devices are often central to these organizations’ digital transformation and growth plans. But IoT devices are only effective when they have persistent network connectivity.

And while existing enterprise Ethernet and WiFi networks can sometimes serve as a starting point, many enterprises are hesitant to overwhelm their business-critical networks with sensor traffic. For this reason, private mobile networks are emerging as the optimal choice for IoT connectivity.

Cellular networks have the range and flexibility to support the unique demands of IoT sensors. And deploying a separate network for IoT needs also keeps core enterprise IT networks isolated from any IoT device risks.

However, this industry shift also creates new challenges for security teams. Many enterprises already struggle to find and remediate hidden software and hardware vulnerabilities, and IoT device adoption severely exacerbates this problem. IoT devices have a particularly poor track record with vulnerabilities, and they also appear in much greater numbers than end-user devices.

The greater overlap between the physical and digital works created by IoT devices and private mobile networks is another important new consideration for enterprise security teams.

In many industries, IoT sensors must be placed well beyond the reach of existing enterprise networks, including at very remote locations. This makes it nearly impossible for security teams to prevent motivated threat actors from gaining physical access to devices. Since physical access to an IoT device opens the door to attack techniques like SIM cloning or SIM swapping, there is added pressure placed on monitoring efforts and a greater need for network segmentation to prevent lateral movement from compromised IoT devices to other areas of the enterprise network.

As the cost and complexity of private mobile network deployment decreases, security teams will quickly face an entirely new category of threats

In addition to being well-suited for the network demands of IoT, private mobile networks are also more practical and cost-effective to deploy than they once were. Cellular networks previously required specialized and extremely costly hardware infrastructure to operate. But this is now changing. Increasingly, the “brains” for a cellular network, known as the packet core, can be run as a virtual instance in the cloud. Just as the cloud changed the economics of enterprise data center infrastructure, the same is now happening with cellular network technologies.

Network slicing

In addition, as the MNOs evolve their networks to 5G technology, a technique called 5G network slicing becomes possible. 5G network slicing allows for the creation of multiple virtualized networks on the same physical network infrastructure. One application of 5G network slicing is to provide private mobile networks to enterprises without any physical network buildout. This is another way that private mobile networks are becoming much more practical and cost-effective for enterprises to adopt.

Unfamiliar architecture for security teams

The downside of these faster-to-deploy and less expensive private mobile network architectures is that they are unfamiliar to most enterprise security teams. While MNOs have deep experience protecting cellular networks, a typical enterprise does not. In addition, there are likely mobile attack vectors that do pose a risk to a stand-alone MNO infrastructure but do introduce significant risks when private mobile networks and enterprise networks are interconnected.

A broader geographic footprint creates new enterprise security challenges

While geographic reach is a necessity when it comes to IoT, it also creates a new set of security challenges, particularly when it comes to physical security. After all, it’s difficult for a threat actor to walk into a secure enterprise data center and access a traditional enterprise system. But climbing a utility pole in an isolated location to gain physical access to an IoT device is much easier to pull off.

As IoT devices multiply and find their way into less conventional, very remote locations, the game changes dramatically for enterprise security teams. When physical control over enterprise devices can’t be assured, approaches like Zero Trust Architecture stop being aspirational and instead become a necessity.

Existing enterprise security tools cannot see or stop cellular network threats

As enterprises face mounting pressure to innovate, security teams are often forced to play catch-up with risk mitigation measures. This will be more difficult than usual as IoT and private mobile network initiatives gain momentum. Most new security requirements in the enterprise setting can be addressed by using existing security tools in new ways. But most of these tools are entirely incompatible with cellular network technologies. Cellular networks are different from traditional enterprise networks in two important ways. First, they use a completely different network topology. The traditional IP-based networks used by most enterprises today have a mesh topology that includes granular access controls to govern traffic flow.

In contrast, cellular networks use a star topology. All traffic flows through a centralized packet core, and very little can be done natively to govern and segment traffic, since traditional security approaches like access control lists cannot be extended to private mobile networks. The second factor that renders existing tools and practices ineffective is that cellular devices use different identifiers. Enterprise security tools that rely on IP addresses and MAC addresses to identify fingerprint devices will not be able to do the same for cellular devices that use specialized device identifiers such as international mobile equipment identifiers (IMEI). This makes it impossible for security tools to put cellular devices into a business context and assess risk – if they even see them at all.

The first wave of cellular-based attacks will hit enterprises in 2023

Market indicators suggest that private mobile network adoption is accelerating. Nokia, one of the leading providers of mobile network technologies, reported a greater than 2.5 times increase in private mobile network customers between Q2 2020 and Q2 2022 in their Q3 2022 investor presentation. Ericsson, another key mobile network technology leader, is seeing similar momentum and projects 20 to 30 percent annual growth in enterprise wireless networks in their 2021 annual report. While many organizations are proactively implementing private mobile network security strategies, we’ll likely see enterprises get blindsided by major cellular-based attacks in 2023 as these new deployments come online.

For example, one type of attack that we can expect to see regularly as enterprise adoption of cellular networks increases is SIM hijacking. Traditionally, SIM hijacking has involved using social engineering techniques to convince an MNO to reassign a number to a threat actor’s device. These attacks will now be directed at enterprises with less mature cellular security workflows.

Additionally, in IoT scenarios, it is more likely that threat actors will be able to gain physical access to SIM cards. To revisit our utility pole example above, if a threat actor gains physical access to an IoT device in a remote location, they can attempt to remove the SIM, install it in a more capable device, and use it to access the private mobile network.

Getting started: the top mobile security priorities to pursue in 2023

While private mobile networks create new security considerations for enterprise security leaders, proactive measures can be taken to mitigate these risks and stay a step ahead. The following are some recommended areas to focus on in 2023 as private mobile network security earns a spot on the CISO priority list.

Top Priorities

Integrate existing security products with mobile device identity tools to enhance visibility.
Ensure that your device vulnerability management efforts extend to IoT and other cellular-connected devices.
Implement a Zero Trust network segmentation model on all private cellular networks.

These steps will provide a sound security foundation as your organization realizes the many business benefits of private mobile network connectivity.

Five reasons private mobile network security will ascend the CISO priority list in 2023 | OneLayer