Cyber security
16
www.criticalcomms.com January 2020
5G slicing option: “Would it make sense to implement
dedicated 5G slices for PPDR? The public operators are
interested in the idea of managing their own slice.”
However, given that slices are cloud-based, she asks:
“How can we guarantee that those virtual slices fit our ideas
of security and reliability? You must trust the provider of the
slice or it’s going to be difficult.”
Security solutions
It is clear that these multiple cyber security risks are
concerning public safety network operators. However,
help and advice is available. For example, the Public Safety
Technology Alliance (PSTA) has issued some guidance.
“As we move to mobile broadband for public safety,
it’s important that organisations have the right posture in
place,” says Kennedy. He says it is crucial that agencies are
embracing the best practices outlined by the PSTA.
He cites the example of device management. “We are
dealing with wearable devices as well as smartphones and
tablets. Therefore, every agency should have a mobile
device management (MDM) solution in place. Also have a
whitelist and blacklist policy and make sure safeguards are in
place as people are let go and devices are lost.”
At the same time, device procurement needs to be led
by people who understand security, says Rehbehn. “Other
issues are keeping the software up to date. How many
revisions back are you supporting of the operating system?”
Ceri Charlton, associate director at cyber security
consultancy Bridewell Consulting, also advocates practices
such as patch management. “Ensure there is a mechanism
through which things can be updated. When procuring
kit, make sure patching is something that’s included. Ask
whether the support agreement includes getting patches,
and do you do it yourself, or do they? To me, the core of
running a service is making sure it remains patched.”
Meanwhile, Kennedy says cloud access needs to be
managed in the correct way. “We no longer recommend onpremises
equipment, so we have to ensure that agencies can
secure data – which could be leveraging a cloud provider.
You need service-level agreements (SLAs) in place and to
be monitoring that cloud-deployed data.”
Network security and network hardening are
“paramount”, says Johur. “Systems are required that monitor
the network for changes in configuration, unexpected
modes of operation, and any anomalies in information
flows. Collecting logs, auditing system operations, recording
authorised access or changes, and any unauthorised access
attempts, are all quintessential security measures. The
operator must also have a continuous understanding of the
status of their network and its operations. This includes
keeping track of all software components, including use
of any third-party software, and understanding if any
vulnerabilities exist that urgently need patching.”
At the same time, consider the risk posed by what many
cyber-security professionals call your “weakest link”: people.
Kennedy says: “The number-one risk for cyber security is
human; most cyber attacks leverage this. It’s about using
good passwords to begin with and other best practices that
will help protect against, for example, ransomware attacks.”
Things are starting to change, but more knowledge is key
to gain trust in the new technologies, says Dr Held, who
believes in the concept of ‘zero trust’. “You cannot build walls
around your network elements because then your network
becomes useless: it stops communication instead of facilitating
it. We should look at how we can develop functionalities and
services that are secure by themselves independently from
the actual network environment. We will have to rely on
technologies such as end-to-end encryption: it won’t be 100
per cent safe, but you need to try to get to 99.99 per cent.”
Dr Held thinks Europeans should develop joint solutions
for Europe and other interested parts of the world. “Individual
countries don’t have the technological power, but with the
experience Europeans have, we can jointly produce successful
security architectures and solutions. In data protection, we
already play a leading role. This does not necessarily mean
regulating, but it needs political will for co-operation.”
What the future holds
Work is under way, so what does the future hold for public
safety networks, and their security? So far, says Pesonen,
one general trend is convergence. “People talk about public
safety and smart cities as separate; I prefer to speak about ‘safe
society’ with the two happening at the same time.”
For example, he says, autonomous vehicles will have an
impact on traffic police. “The rate of traffic accidents is likely
to decline and perhaps speeding will vanish altogether. There’s
also a big question about how society functions will change
and what impact it will have on public safety operations
overall – and what the threats will be.”
Pesonen advocates pushing for commonality as much
as possible. “If every country has significantly different
regulations and laws, it will be difficult and expensive for
solutions to be compliant with all of those – and it is taxpayer
money to pay for those variants.”
Therefore, says Pesonen: “We should encourage cooperation.
Standardisation in 3GPP is ongoing so this is the
perfect and most cost-efficient time to influence. The more we
work together, the more common solutions we can define, the
better quality and lower cost the solutions are.”
As cyber attacks continue to grow in number and
sophistication, public safety networks will always be a target.
Rehbehn says: “I will never be surprised at how clever
bad people are when there is incentive to attack a system.
Vigilance is required; attention to security has to be more
than just a campaign slogan.”
Adobe Stock/Dmitry
When it comes
to protecting
mission critical
communications
networks against
cyber attacks,
the ‘weakest link’
is still the human
element
/www.criticalcomms.com