Securing Digital Nasional Berhad (DNB) 5G Network Infrastructure
Overview
Unlike 4G, 5G goes beyond purely voice and faster data speed for consumer. Instead, 5G is also a major enabler of enterprise digital services by modularising key network functions coupled with very fast data speed, ultra-low latency and high reliability.
In 2021, the Malaysian government established Digital Nasional Berhad (DNB) to accelerate the deployment of 5G coverage in Malaysia through the establishment of a supply led 5G Single Wholesale Network (SWN) and adoption of a multi-operator core network (MOCN) model. Securing the DNB 5G Network infrastructure from a cybersecurity perspective was identified as critical from the first step due to the following key factors:
- Increase in mission critical applications in multiple industries including the critical infrastructure space such as power utilities, telecommunication and service provider, public safety, oil and gas.
- Growth of smart industrial IOT devices as enterprises leverage on 5G capability and transition away from central processing to an on premise or Edge processing model.
- Transition from monolithic proprietary systems to service-based architecture based on open sourced or commercial off-the-shelf software which inadvertently introduces more risk due to known vulnerabilities.
- Increase in recent times of specialized threat actors such as LightBasin targeting the telecommunication and service provider sector, evident from recent telco breaches globally. These threat actors leverage on malwares and backdoors such as Origami Elephant and Merdoor Backdoor to compromise their victims.
In view of the factors above and the cybersecurity risks associated with them, DNB’s
cybersecurity team identified several key cybersecurity approaches to secure the 5G network infrastructure in terms of cyber resiliency, cyber compliance and data security.
Key cybersecurity Approaches taken to Secure the 5G Network Infrastructure
Five key cybersecurity approaches were identified by the DNB cybersecurity team from design to implementation of the 5G Network infrastructure. They were identified based on both criticality and immediate needs to establish a strong cybersecurity foundation.
The first was to establish a comprehensive cybersecurity governance and reporting
framework to provide independent strategic and operational oversight of cybersecurity risks, compliance to regulatory and organization cybersecurity requirements, cybersecurity threats and incidents, and lastly data security and privacy. The cyber governance extended to the board in the form of a board cyber security committee in addition to the company’s senior management including the CEO followed by a fixed reporting cadence to regulatory bodies. This is to ensure both progress and challenges are transparently shared with feedback and support sought from all relevant stakeholders. In general, most cybersecurity teams provide
governance reporting at best to the senior management level.
The second was to adopt a Secure by Design (SBD) approach in having both cybersecurity controls and requirements baked into the 5G network architecture design and solutions from day one and not as an after-thought. This is important in ensuring cybersecurity controls are fully integrated into the 5G Network infrastructure for completeness and manageability. An SBD approach also ensures all new 5G systems are fully compliant with cybersecurity requirements prior to being introduced into the production 5G network.
The third, was to identify and establish a set of cybersecurity compliance requirements based on international standards from both the Information Technology (IT) and 5G telecommunication space for the 5G Network infrastructure and systems. The adoption of IT based standards is important as much of today’s telecommunication stacks are based on open sourced or off-the-shelf software such as Red Hat, Ubuntu, VMware, Microsoft, Kubernetes to name a few. Examples of relevant cybersecurity standards to adopt are ISO27002, CIS Critical Security Controls, CIS hardening benchmark, NESAS (product certification), 3GPP TS 33.501, GSMA FS.31 and local standards such as the Malaysian MCMC MTFSB.
The fourth was to justify and establish a multi-year cyber security programme with key cyber security objectives, initiatives and budget identified and approved by both senior management and the board. The identified cybersecurity initiatives should span across the Advise, Protect, Detect and Response areas as defined under the NIST Framework to ensure completeness on the implementation of both technical and non-technical controls. A comprehensive cyber security programme is also important in communicating the vision, role and direction of the organization’s cybersecurity team.
Lastly, the establishment of a Cybersecurity Fusion Centre (CFC) to provide cyber threat monitoring and management, threat hunting, threat intelligence gathering and incident response across both the Corporate Information Technology (IT) space and the 5G Network infrastructure. End to end cyber threat monitoring and management across both environment is important as many cybersecurity incidents in Critical Network Infrastructures are due to lateral movement of threats from compromised assets in the Corporate IT space into the Operational Technology (OT) space. Many of today’s telcos do not combine their security monitoring and operations across both spaces which limits their ability to detect threats as they traverse laterally.
In summary, the approaches identified above allows DNB to establish the basic building blocks in the development and implementation of cybersecurity for the organization and the 5G Network infrastructure in the long term. It is also important to note that cybersecurity cannot operate independently of both the business and technology that it is meant to secure and protect. Therefore a strong understanding of business and technology is necessary for the successful implementation of any cybersecurity programme and it’s initiatives.
Alex Ooi
Alex Ooi has more than 20 years of ICT experience, bringing with him a wealth of on-the-ground and
practical experience in both cyber security and IT network infrastructure space for enterprises and public sector in both service provider and end user role.
His cyber experience encompasses board and senior level engagements, development and implementation of cyber security programs, cyber security governance and compliance, enterprise level cyber security architecture design, solution delivery, building and managing cyber security operation centres to name a few.
His most recent role was as Business Information Security Officer at Singtel Group Networks where he
was accountable for the cyber security posture of Singtel and Optus Networks from a cyber governance,
assurance and compliance perspective including regulatory compliance.