Jessica Lyons Hardcastle | www.sdxcentral.com
Supply chain attacks are on the rise. The National Security Agency (NSA) ranked these indirect attacks as one of the top security threats, and a recent Accenture report linked them to 40% of all breaches. There’s a good reason for this. It’s generally easier for attackers to go after the weakest link, which usually isn’t the enterprise they ultimately want to breach; it’s often a smaller supplier or partner that doesn’t have the same level of security investment and staffing in place. And attackers like low-hanging fruit.
“Supply chain security is one of the most important things facing our industry these days because there is no security standard out there that applies to the ICT space,” said David Stehlin, CEO of the Telecommunications Industry Association (TIA). Industry standards are the only way to fix this problem and build a secure network, he added. To this end, TIA launched an initiative to develop telecommunications supply chain security standards and programs.
TIA Supply Chain Security Efforts
The industry group planned to host two panels at MWC Barcelona with public and private sector leaders discussing telecom supply chain security. The first included government leaders: U.S. Federal Communications Commission (FCC) Chairman Ajit Pai and Ambassador Robert Strayer, deputy assistant secretary for cyber and international communications and information policy at the U.S. Department of State.
And the second panel would have focused on the need for supply chain security in a 5G world — and 5G is, by all accounts, going to magnify the supply chain security threat. This panel included industry executives who are already involved in the TIA’s supply chain security standards and certification efforts: Rajesh Gadiyar, CTO for Intel’s Network Platforms Group; James Gowen, VP of supply chain operations and chief sustainability officer at Verizon; and Amit Dhingra, VP of global services delivery at Nokia.
Security vendor Gurucul expects some of the biggest 5G security problems in 2020 to involve the supply chain. “The vast 5G supply chain is susceptible to the introduction of vulnerabilities such as malicious software or hardware and poor designs,” wrote CEO Saryu Nayyar in a blog post. “Also, many of the companies providing hardware and software for 5G networks have their own security vulnerabilities so we should expect an increase in network asset compromise and a negative impact on the confidentiality and availability of data.”
5G Benefits — and Risks
While 5G has benefits for service providers — network slicing, for example, will allow operators to offer and manage fewer networks than they have in the past while offering more services — it also comes with added security risk, Stehlin said. 5G networks are typically not as purpose-built as earlier network generations, he explained. They tie together wireless and wireline attributes. And to provide very low-latency services like self-driving cars over the network, “you have to have many more cells, and you also have to push that power out to the edge of the network, so you need edge data centers,” he said.
In addition to networks becoming more complex, and edge computing opening up an expanded attack surface, the telecom industry is using more open source software. This has obvious benefits like cost savings and flexibility, but it also comes with security risk.
“Rather than buying all of the core components from a small set of suppliers, they now have the ability to adjust it themselves and add in third-party software,” Stehlin said. “That’s one of the benefits of open source. But one of the downsides is you have more software providers and many more ways to get into the network, which adds in risk.”
While 5G is “operationally more efficient for service providers, it’s moving from proprietary hardware and software to open source and white boxes into the network,” he added. “But all of that injects risk.”
Supply Chain Security Standards
This is why the telecommunications industry needs global supply chain security standards, Stehlin argues. And TIA, whose members include more than 400 companies worldwide, spanning chipmakers, service providers, and communications network equipment vendors, is in a unique position to drive this effort. The group has developed more than 3,000 standards in its 60-year history. This includes TL 9000, a global telecommunications industry quality management standard that includes supply chain directives.
“There is a wide range of issues around the supply chain and building in security and we believe that security is a subset of quality. You can’t have a quality system or a quality network unless you have security built in, not bolted on,” Stehlin said. “So our intent is to create a standard based on our TL 9000 framework that will address supply chain security.”
The group recently released a position paper, “Trust in ICT Supply Chain Security Can Only Come from Global Industry-Driven Standards and Programs,” that outlines supply chain vulnerabilities — and how these attacks can disrupt business and destroy consumer confidence, both of which carry enormous economic consequences.
‘You Ought to Be Part of This’
In its first phase, the TIA supply chain security working group conducted a landscape analysis to determine whether any such standards already exist. The group met with several U.S. government agencies, including the Department of Defense (DoD), Department of Homeland Security (DHS), and the Department of Commerce, as well as governments outside the U.S., “and they all agree there is no telecom or ICT standard that can be accredited against or measured,” Stehlin said. “The next phase is to put together a broader set of working groups that will look at all the major elements to put in the standards.”
TIA expects this to be a 12- to 18-month process to release the standards, which is a pretty speedy timeline for this type of global effort. And the group wants as many people as possible to get involved with the development. “Our intention is to build global standards, open standards, which means every company can join. The way we do things is one company, one vote,” Stehlin said. “TIA is welcoming anyone with open arms to be part of this. You don’t have to be a traditional telecom. If you’re a software supplier, or a consulting firm, a security company, you absolutely ought to be a part of this.”