PARTNER CONTENT: Mobile network operators (MNOs) have been managing cyber risk for years. But the challenges presented by today’s 5G networks are unlike any that have gone before. The attack surface has expanded significantly thanks to the new ways in which these next-gen networks operate. And as well as being a target in their own right, MNOs are increasingly viewed by adversaries as a stepping stone to reach their enterprise customers.

Against this backdrop, operators must not only mitigate the financial and reputational risks of suffering a serious security breach. They must also ensure security programs keep regulators and customers happy. The latter is critical if MNOs are to drive ARPU and increased service consumption.

Doing so will require them to focus not only inwards – on the service platform – but to expand this scrutiny to the user plane, where threat actors increasingly congregate. It will demand a unified, natively integrated security operations (SecOps) offering designed for specific telco use cases.

New networks bring new threats
On the one hand, 5G networks introduce secure-by-design elements which should help MNOs mitigate some of the risks associated with legacy infrastructure. Mutual authentication capabilities, mandated encryption of inter- and intra-network traffic, and enhanced subscriber identity protection are all to be welcomed. But there are also new risks to consider. Many of these stem from 5G’s more open, multi-vendor approach, and a wider attack surface that comes from large numbers of connected devices, denser network infrastructure and a reliance on cloud, virtualisation and software-defined networking (SDN).

More vendors in the supply chain mean potentially more points of compromise and more distributed environments to manage and secure – from the edge to the MNO datacentre and across physical, virtual and cloud-native systems. RAN sharing and slicing initiatives designed to reduce cost and generate new revenues can also introduce risk. When it comes to network slicing, additional layers of security are needed to isolate and protect individual tenants/slices.

Third-party risk could also creep in via neutral hosting initiatives where infrastructure is shared with partners and competitors. And network exposure projects designed to spur innovative new revenue-generating applications and services must prioritise API security if they are to be trusted by developers and end users. One study claims that 60% of global organisations have suffered at least one API-related data breach over the two years to September 2023.

The heterogeneity of this 5G architecture will also create more complexity, and a rising number of security alerts which could overwhelm traditional security monitoring systems. And as more software finds its way into these networks, there will be a greater risk of vulnerability exploitation. Over 29,000 CVEs were officially reported in 2023, the seventh year in a row to record an all-time high. On average, new exploits led to attacks within just 4.75 days in 2H 2023, 43% faster than the first half of the year.

Whether it’s a nation state operative, a hacktivist or a financially motivated threat actor, there are a range of tactics, techniques and procedures (TTPs) at their disposal today to support destructive attacks, ransomware, data theft, business email compromise (BEC) and more. And there’s plenty to aim at. The UK’s National Cyber Security Centre (NCSC) claims in a 2020 report to have uncovered at least 140 discrete attack vectors in MNO networks.


Cybercriminals and threat actors are strategically observing the telecoms and mobile ecosystems, identifying opportunities to attack through complex layers and dependencies. Attacks are becoming more tactical, selective, and targeted. As attacks move upstream, the ripple effect increasingly impacts end users. Security by design, infrastructure hardening and threat partnerships are among the strong measures needed to mitigate this growing risk.

Derek Manky, Global VP Threat Intelligence, FortiGuard Labs Fortinet

Skills shortages and compliance challenges
Adding to the challenge for MNOs is the limited in-house resource many have today to mitigate cyber risk across legacy and 5G networks. There’s currently an estimated cyber-workforce gap of around four million individuals globally, including 348,000 in Europe, which is a 10% annual increase. Over three-fifths (62%) of telecoms firms claim to have staff shortages, and even more (69%) agree that the current threat landscape is the most challenging it’s been in the past five years. The shortfall is particularly concerning in SecOps – a sub-sector of cybersecurity where stress and burnout are already commonplace.

The stakes for getting this right couldn’t be higher. It’s not just about reducing the risk of the financial and reputational damage that can stem from a breach, but also meeting strict regulatory compliance mandates. The EU’s NIS 2 directive in particular demands a strict new minimum set of security standards, and holds senior leadership personally accountable for anything deemed gross negligence. Complying with regulations like these is not just a legal requirement. It’s also vital to winning the trust of enterprise customers.

Where current approaches are unsuitable
MNOs have historically focused most of their cyber-risk management efforts on their own service platforms. But while this will (and must) remain a key priority going forwards, they also need to expand their focus towards the user plane. Why? Because this is where most risk is concentrated today, as threat actors target user data and connectivity to less trusted domains such as cloud, datacentres and edge computing.

The challenge is that existing SecOps approaches are largely unsuitable for this evolution in strategy. They’re often based on multiple point solutions from different vendors, which can create visibility and automation gaps – reducing efficiency and increasing the likelihood of threat blind spots. They may also be disconnected from the underlying security infrastructure. This has several implications. It limits the value such tools can offer, as they tend to be generic and less specialised. And it might increase detection and response times, meaning MNOs fail to meet their security SLAs.

Under-pressure security operations centre (SOC) analysts are already struggling to prioritise threats in the face of alert overload. Disjointed, non-native tooling will only increase the chances of mistakes as they look to discover, contain and remediate threats as rapidly as possible.

Time to unify
Instead, operators need to focus on streamlining their SecOps operations. By dispensing with point solutions and consolidating on a natively integrated platform, MNOs can move from detection and response to “detect and disrupt”, followed by “investigate and respond”. That would accelerate mean-time-to-containment and make it quicker and easier for SOC analysts to change security policies in response to an attack or changing SLAs. Such a platform would focus on inspecting traffic flows across what is an increasingly dynamic network perimeter, to mitigate threats originating in edge computing, public cloud and other third-party environments.

It would also use AI judiciously for better outcomes – such as machine learning to detect attack patterns human eyes can’t see, and generative AI (GenAI) to enhance SecOps incident management and threat hunting. That would empower teams not just to detect and respond, but also remediate threats – and help analysts to close skills gaps in the process.

It also goes without saying that any SecOps platform used by the MNO community should be engineered to detect threats specific to the sector. These could include rogue base stations, mobile botnets and roaming anomalies.

A circular diagram features FortiSOAR at the center, surrounded by sections labeled: FortiRecon, FortiSIEM, FortiAnalyzer, FortiWeb Threat Analytics, FortiMail API, FortiNDR, and FortiEDR/XDR. Outer categories include Attack Surface, Infrastructure, Applications, Email, Networks, and Endpoints.

Example of Fortinet Security Operations Platform


Minimise risk and drive revenue
Uplifting SecOps in this way is critical for two reasons. It will help MNOs to avoid the potentially costly repercussions of a serious security breach. The average cost of a data breach in the sector last year was $3.9 million, although ransomware outages can incur costs many times higher. But just as importantly, delivering targeted, impactful SecOps can help monetisation efforts at a time of continued macroeconomic headwinds for many MNOs.

With enhanced threat detection, disruption, response and remediation, operators can reassure enterprise customers about the safety of their platform – spurring them to invest in more services. They could even drive up ARPU by offering security-related managed services as a value-added option. It’s time MNOs took a fresh look at SecOps.