
Next-Generation Networks Rely on Security Improvements

With operators preparing to roll out 5G worldwide and the deployment of next-generation networks growing to a market value of USD 32.81 billion by 2023, it is clear that networks need more protection than ever, as the number of IoT devices and other digital systems relying on them increases. To ensure a secure ecosystem for all, it is imperative that network service operators make security a priority from the outset.

We live in a digital-first society, where many aspects of life now rely on technology and on the huge volumes of data transmitted across a variety of networks. With so much information being exchanged across industries such as healthcare, government, and smart homes, network security plays a vital role in avoiding severe damage. It is imperative to protect the reputations of companies by preventing the interception and misuse of data, and the degradation or malfunctioning of Internet services.

Over half of all Internet traffic comes from mobile phones, introducing new 5G bandwidth demands and new problems for network operators to overcome. Infrastructure needs not only to handle that mobile traffic smoothly and efficiently, but to protect it as well. Another risk arises from 56 percent of all traffic being initiated by an automated source such as bots, hacking operations, and spammers, which highlights the clear risks posed by increasing human reliance on the Internet.

It is crucial that businesses and operators take a security-first approach, as many no longer see technology as an extension of their services but as their core. As pressure mounts around issues like data protection and the usage of data, it is network security with preventive measures protecting the underlying network infrastructure that will make the difference. Implementing a layered mix of controls such as firewalls, anti-malware software, and dedicated hardware devices ensures that computers, users, and programs can perform their permitted critical functions within a secure environment.

Critical Impact

With networks responsible for a variety of applications for end users, businesses, and mission-critical communication, having robust, secure infrastructure is essential. The consequences of not integrating network integrity and security measures are severe.

As technology evolves, the threat landscape evolves with it, creating new areas that can be exploited. Attackers will ruthlessly target any vulnerabilities they find to harvest huge amounts of personal or commercially sensitive data, or ultimately to gain control of important assets and systems. The impact can be catastrophic for commercial entities, governments, and individuals, and what is lost can be hugely expensive in time, money, and energy.

According to Dell, 63% of companies said their data had been compromised within the last 12 months due to a hardware- or silicon-level security breach. With data compromises costing enterprises an average of $3.92 million, this demonstrates again the critical impact felt when network security is not implemented.

As operators seek to preserve the integrity and smooth operation of networks, they are turning more and more to trends including virtualization, cloud, and edge computing, which are set to become the norm for 2021. These enablers and technologies will allow next-generation 5G to deliver the flexibility and agility to address a wide range of needs across verticals, including IoT and Smart Cities, together with the level of security and protection required to keep data secure.

To unlock the full potential of virtualization, edge, and cloud computing, the industry must adopt global standards with open, interoperable interfaces to prevent fragmentation, and to deliver the flexibility and scalability needed for the advent of 5G and next-generation network infrastructure. 

Trusted Computing Is Essential

The Trusted Computing Group (TCG) is a not-for-profit standards organisation developing specifications and technologies that create a secure connected ecosystem for all, with a variety of work groups focusing on specific areas. The Network Equipment Work Group's work is critical in the fight to protect network infrastructure in an increasingly connected world. With networks pivotal to the operation of a broad range of devices and services, preserving the integrity of network services and the security of routers, switches, and firewalls is essential.

Network infrastructure must implement strong measures to defend against the growing sophistication of attacks on connected devices and critical infrastructure. Network equipment has unique properties: it is always switched on, has a long life cycle, must protect privacy, operates unattended, and needs a strong device identity. Protecting it therefore requires very specific technologies and specifications.

The Network Equipment Work Group focuses on requirements and use cases, providing security best practices, recommendations, and specifications that guide the industry on enhancing security and privacy within network infrastructure using TCG technology.

Trusted Platform Modules (TPMs)

Within flexible computing environments that incorporate Software Defined Networking (SDN), remote management is key for network operators to monitor and reconfigure their devices dynamically. In these instances, Trusted Platform Modules (TPMs) are of critical importance, offering enhanced security and reliable identification of each device.

TPMs work as a secure cryptoprocessor that measures system integrity and creates, uses, and securely stores cryptographic keys. During the boot process, each piece of code loaded can be measured and the measurement recorded in the TPM. These integrity measurements can be used as evidence of how a system started, and to ensure a TPM-based key was usable only when the correct software booted the system. Through this, the health of devices can be monitored and assessed, which is crucial for the next step of recovery and fighting off attacks.

With remote management, software inventory and attestation of integrity can take place with TPM-signed evidence, which allows the management station to monitor the authenticity and integrity of the software and configurations running on each device. As a result, device owners can detect software or firmware deviations, which reveal whether infrastructure or equipment has been misconfigured or infected.
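The measure-and-record step described above and the verifier-side check that follows it, as an added example that is not part of the original article or any TCG specification: a simulated SHA-256 PCR bank, a constructed boot event log, and an appraisal routine that first replays the log against the quoted PCR values and then compares every logged component against a known-good reference inventory. The component names, blobs, and PCR indices are constructed sample data; verification of the TPM's signature over the quote is assumed to have already happened.

```python
import hashlib

# Constructed sample data: a boot event log as (PCR index, component, measured bytes).
GOOD_EVENTS = [
    (0, "firmware", b"fw-v2"),
    (0, "bootloader", b"bl-v1"),
    (7, "config", b"cfg-prod"),
]
# Known-good reference inventory the management station holds: component -> SHA-256.
REFERENCE = {name: hashlib.sha256(blob).digest() for _, name, blob in GOOD_EVENTS}

PCR_INIT = b"\x00" * 32  # every SHA-256 PCR starts at all zeros after reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend semantics: the new value is H(old || digest). Order matters,
    and there is no way to set a PCR directly, which is what makes the log checkable."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events):
    """Recompute the PCR values a TPM would hold after recording these events."""
    pcrs = {}
    for pcr_index, _name, blob in events:
        measured = hashlib.sha256(blob).digest()
        pcrs[pcr_index] = pcr_extend(pcrs.get(pcr_index, PCR_INIT), measured)
    return pcrs


def appraise(quoted_pcrs, events, reference):
    """Verifier logic. Returns a list of findings; an empty list means the device is healthy.
    Step 1: the log must replay to the PCR values the TPM signed, otherwise the log
            was altered after the fact and cannot be trusted as an inventory.
    Step 2: every logged component must match the reference inventory; any other
            digest is a software/firmware deviation (misconfiguration or infection)."""
    if replay_log(events) != quoted_pcrs:
        return ["event log does not replay to the quoted PCR values"]
    findings = []
    for _pcr, name, blob in events:
        digest = hashlib.sha256(blob).digest()
        if name not in reference:
            findings.append(f"{name}: not in reference inventory")
        elif reference[name] != digest:
            findings.append(f"{name}: digest differs from reference")
    return findings


if __name__ == "__main__":
    # Healthy device: the quoted PCRs come from the good log.
    print(appraise(replay_log(GOOD_EVENTS), GOOD_EVENTS, REFERENCE))  # []
```

Because a modified bootloader changes both its own digest and every later value of PCR 0, the deviation is visible even though the log itself replays correctly; an attacker who instead edits the log after boot fails step 1.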

As operators adopt virtualization, verifying the integrity of these environments, such as clouds, is extremely challenging but feasible. Recent research efforts are heading in the direction of using virtual Trusted Platform Modules (vTPMs) to protect virtual machines running on physical devices.

vTPMs run within the bounds of the Virtual Machine Manager (VMM) and are attached to a virtual machine. By giving each virtual machine a vTPM and using it in conjunction with the physical TPM of the host device, attestation of virtualized systems becomes possible.

Depending on the data and workloads handled by virtual machines, there may be a serious need to protect sensitive or confidential information through encryption and authentication of the transport channels. However, this data can still leak if the virtual machine hosts become compromised.

To prevent this, remote attestation and vTPMs can be used to verify the integrity of the system based on the software it has executed. Current technologies allow boot-time and run-time attestation of a physical device; however, this does not cover the software hidden within virtual machines.

TCG is currently working on a secure attestation approach in which the layer linking the VMM and the virtual machine is strengthened, improving the security of the attestation process and providing an effective countermeasure against relay attacks. Through this, the integrity of virtual machines and of the host system can be assured using vTPMs and a physical TPM. A strong identity allows a remote management entity to determine which device is which through a unique, TPM-protected, strong cryptographic key.

Trusted Execution Environments

Service providers and mobile network operators are increasingly making use of Trusted Execution Environments (TEEs), which allow hardware-protected, isolated execution of user-defined code.

Running in parallel with the main operating system, the TEE provides enhanced security through a combination of hardware and software. Only trusted applications running within the TEE have full access to the device's processor, peripherals, and memory, and hardware isolation protects them from apps running on the main operating system.

Bringing together technologies such as ARM TrustZone, Intel SGX, and AMD SEV with a TPM-based root of trust provides major protection for user-defined code and other data through attestation and verification of software or hardware authenticity.

This is an area currently under heavy research, but any successful combination of a TPM and a TEE would lead to increased security of network equipment and, therefore, a world of more secure networks.

Future Protection

With networks becoming more innovative, and as the rollout of 5G continues, it is imperative that operators look at adopting measures such as remote management, virtual TPMs, and TEEs to ensure that the massive amount of data transmitted between devices remains secure and protected. At the same time, these defence mechanisms will secure the new, varied nature of networks as virtualization, cloud, and edge computing become more popular.

By guaranteeing the continued integrity of networks, the whole digital world benefits as it becomes increasingly interconnected.

For more information, please visit https://trustedcomputinggroup.org/.



About Michael Eckel

Michael Eckel is a cybersecurity researcher at Fraunhofer SIT. Previously, he was a security technologist at Huawei Technologies, a mobile software developer at Boostix, and a web and software developer for a number of other companies. He holds a Master's degree in Computer Science. Michael currently co-chairs the Trusted Computing Group's Network Equipment work group, working to secure vulnerable network equipment. For more information, please visit https://trustedcomputinggroup.org/.