Until recently, organizations had IT networks, OT networks, and cloud networks. We now have a new type of enterprise LAN based on a cellular protocol. This LAN is no different from any other LAN owned by the enterprise when it comes to security. Here too, the enterprise is responsible for security.
Why do we need private cellular network security?
Public cellular networks have been around for years, and many security tools keep them running. Likewise, enterprise IoT networks are not new, and a wide variety of great security solutions have been developed to protect these networks. So why is a different security solution necessary for private cellular networks?
In the private cellular domain, three threat perspectives are combined:
- Enterprise networks
- IoT devices
- Cellular networks
The presence of IoT devices within enterprise networks has long been known to expose them to IoT vulnerabilities. Yet, in public cellular networks, the value gained from a compromised IoT device is restricted to the device itself.
In contrast, in the private cellular domain, malicious access to a device has the potential to shut down the entire production process of an organization. This is a direct result of devices being connected to critical entities in the network, unlike the way it was in public networks.
What makes the security products from public cellular networks ineffective in private networks?
While public and private cellular networks both use the same protocols, they differ greatly in many other ways. From a security standpoint, there are only a few similarities. Carriers’ main priority is to keep their networks running and serve customers, and their security approach reflects this.
They focus on protecting their central core, are not sensitive to a single antenna malfunction, and take no responsibility for protecting endpoint devices. This is not the case for private cellular networks. In these networks, the critical component is the endpoint user. An antenna malfunction (out of a handful in a network) can harm a business to a much greater degree, and the granularity of network protection is vital.
Everyone told me cellular networks are more secure…
Enterprises have security standards and security requirements that they need to meet to balance the risks, the effort, and the costs involved with protecting their networks. To reach this desired level of security, each organization has invested in security tools, such as visibility and policy control, XDR, etc.
The cellular protocols themselves provide better features than most IP networks since they use SIM authentication and traffic encryption by default. But one does not secure IoT devices merely with traffic protocols; one secures them with designated security tools.
Unfortunately, most of the existing IP network security tools do not apply to private cellular networks, exposing IoT devices to lurking threats.
Why are the current security solutions not applicable?
IP networks were built for enterprises and cellular networks were built for carriers. Connectivity is key for enterprises while charging and monitoring devices are crucial for carriers.
Consequently, the architecture of their networks differs. IP networks, for example, were initially designed to connect as efficiently as possible, which resulted in their mesh-like architecture. In contrast, a cellular network has a star topology (like a network that has just one router).
Therefore, there are three main differences between enterprise IP networks and enterprise cellular networks that prevent current security products from being adapted.
The Network Access Control (NAC) absence
Routing of network traffic is not done by IP switches but by the cellular core (and, in the future, by the O-RAN too). This prevents the implementation of an existing NAC (Network Access Control) that authenticates, authorizes, and segments the private cellular network.
The Firewall challenges
All data from IP networks flows in a single stream – headers then data, headers then data, along the same route. In cellular networks, however, the headers (signaling) and the data flow are separate. Implementing a “Man-in-the-Middle” firewall mitigation requires the firewall to correlate signals and data from two routes in real time, and that is a difficult task.
Due to the increasing sensitivity of these networks to latency, this challenge has become more relevant. Also, it is important to note that cellular signaling and data routes are becoming increasingly encrypted. Moreover, as cellular technologies become more enterprise-oriented, they are being built as “Black Boxes”, eliminating the possibility of legacy tapping options.
The unique identifier challenges
IoT security can be broken down into two steps:
- Filtering data to uncover unique insights, such as patterns, fingerprints, and anomalies.
- Assigning these insights to the source device identity that created them.
However, while enterprise LANs use MAC addresses and IP addresses, cellular networks rely on identifiers such as IMSI and IMEI. An even greater challenge arises when a cellular device tries to communicate with a server installed on the IP side of the network. So, even with the best existing IoT security products, an organization’s visibility and asset management abilities are severely impaired. Without visibility, other prevention and detection capabilities are not effective.
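The attribution step above, together with the signaling/data correlation described in the firewall section, as an added example that is not OneLayer's code: it joins control-plane session events (IMSI, IMEI, assigned IP) with IP-side flow records so each flow maps to a device identity, including when the core reuses an IP address. The record layouts, function names and all sample values are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed control-plane (signaling) events; the tuple layout is an assumption:
# (unix_time, event, imsi, imei, ue_ip)
SIGNALING = [
    (1000, "session_start", "001010000000001", "350000000000011", "10.45.0.2"),
    (1300, "session_end",   "001010000000001", "350000000000011", "10.45.0.2"),
    (1400, "session_start", "001010000000002", "350000000000029", "10.45.0.2"),  # IP reused
    (1450, "session_start", "001010000000003", "350000000000037", "10.45.0.3"),
]

# Constructed user-plane flow records seen on the IP side: (unix_time, src_ip, dst_ip, dst_port)
FLOWS = [
    (1100, "10.45.0.2", "192.168.10.5", 502),
    (1350, "10.45.0.2", "192.168.10.5", 502),   # between sessions: nobody holds the IP
    (1500, "10.45.0.2", "192.168.10.5", 502),
    (1500, "10.45.0.9", "192.168.10.5", 22),    # IP never assigned by the core
]

def build_leases(signaling):
    """Turn start/end events into per-IP lease lists ordered by start time."""
    leases = defaultdict(list)          # ue_ip -> [[start, end, imsi, imei], ...]
    for ts, event, imsi, imei, ip in sorted(signaling):
        if event == "session_start":
            leases[ip].append([ts, None, imsi, imei])   # end=None: still active
        elif event == "session_end" and leases[ip] and leases[ip][-1][1:3] == [None, imsi]:
            leases[ip][-1][1] = ts      # close the open lease held by this IMSI
    return leases

def attribute(flow, leases):
    """Return the (imsi, imei) that held the flow's source IP at flow time, else None."""
    ts, src_ip = flow[0], flow[1]
    ip_leases = leases.get(src_ip, [])
    idx = bisect_right([l[0] for l in ip_leases], ts) - 1   # latest lease started <= ts
    if idx < 0:
        return None                     # no session ever covered this IP at that time
    _start, end, imsi, imei = ip_leases[idx]
    if end is not None and ts >= end:
        return None                     # lease already released: unattributed traffic
    return imsi, imei

def attribute_all(flows, signaling):
    leases = build_leases(signaling)
    return [(f, attribute(f, leases)) for f in flows]

if __name__ == "__main__":
    for flow, owner in attribute_all(FLOWS, SIGNALING):
        print(flow, "->", owner or "UNATTRIBUTED")
```

Flows that come back unattributed are the ones worth alerting on: traffic from an address the core did not assign, or from an address whose session had already ended.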
How can we maintain our network’s security standards?
We must bridge the gap between the existing IP networks and the new enterprise cellular environment.
OneLayer was built by world-class cybersecurity experts with a deep understanding of both cellular protocols and IoT security needs. At OneLayer, we developed a software solution dedicated to securing private cellular networks. We ensure that the best IoT security toolkit is implemented in your cellular environment, so you can achieve the desired standard of security for your private network. Our solution was designed to enable visibility, smart policy enforcement, and zero-trust capabilities within a cellular ecosystem.