EXPETO IMPLEMENTATION: Security Considerations Prepared by the Expeto Security Team
EXPETO IMPLEMENTATION: SECURITY CONSIDERATIONS

OVERVIEW
As organizations approach digital transformation and attempt to manage different kinds of “things” or devices, and provide access to different kinds of mobile workers over cellular networks, they must ask themselves several key questions:
• Does your organization care about its digital data?
• Is your organization’s data truly secure? Do you control the entire data path from the device to your corporate network?
• Is your organization a multinational entity subject to data regulations?
For example, unsecured SCADA devices can open dangerous holes in corporate security. Being unable to track where data travels and where it is collected can leave your business exposed to powerful new privacy regulations such as GDPR. Simply trying to manage these risks with the tools provided by existing cellular networks can result in significant operational and capital costs.
This white paper explains the security controls inherent in the worldwide standard commonly referred to as “LTE” (Long-Term Evolution), developed by the 3rd Generation Partnership Project (3GPP). It then describes the additional security controls that Expeto adds to deliver a secure, wireless, worldwide private networking solution “over” LTE (private radio networks or MNO/carrier RF networks). Based on the Evolved Packet Core (EPC), the Expeto Wireless solution makes cellular communication seamless, allowing businesses to manage, control and secure private data on any cellular network. | Security Considerations i
PURPOSE
After reading this paper, enterprise architects will be able to explain to their internal stakeholders:
• Why secure 4G LTE is a foundational enabling technology that is critical to business transformation.
• How Expeto’s Private LTE Networking solution makes LTE adoption Flexible, Agile, Secure and Transparent (FAST).

WHO SHOULD READ THIS DOCUMENT
Security architects who must provide informed counsel to the CISO, CIO, CTO, CFO and whoever champions innovation and business transformation within an Enterprise should review this document.
TABLE OF CONTENTS
Overview
Introduction: LTE, Expeto and Business Transformation
Overview of LTE Architecture
Expeto Deployment and Security Implementation
Security Recommendations
Expeto Security Threat Mitigation
Real-World Applications of the Expeto Solution
Appendix I: Threat Risk Assessments
Appendix II: 2G, GSM and 3G Security
Appendix III: Glossary
Bibliography
INTRODUCTION: LTE, EXPETO AND BUSINESS TRANSFORMATION
This paper is an overview of Expeto’s solution from a security perspective, explaining:
• Security controls inherent in the 3GPP’s worldwide LTE standard
• Additional security controls provided by the Expeto solution that deliver a secure, wireless, worldwide private networking solution over LTE
• Expeto implementation
• Security considerations
• Basic practical applications of the Expeto solution
First, we review why the LTE (Long-Term Evolution) wireless standard is important for businesses, and the security implications of deploying the Expeto solution.

ENTERPRISES, THE INTERNET OF THINGS AND BUSINESS TRANSFORMATION
Global enterprises aspire to be part of the Internet of Things (IoT). By deploying everything from tablets and machinery with built-in sensors to Augmented Reality (AR) devices that allow equipment to be fixed with enhanced real-time information, Enterprises can seize business opportunities while cutting downtime and reducing costs. Businesses rely on LTE (data delivery provided by cellular providers, or over their own private radio networks) to make this transformation happen. With the evolution of 3rd Generation Partnership Project (3GPP) standards from 2G/3G to 4G LTE (and soon 5G), we now have a truly worldwide secure wireless protocol that is all-IP and therefore Enterprise-friendly.
SECURE ALL BUSINESS COMMUNICATIONS WITH A SINGLE WORLDWIDE SOLUTION
With traditional private LTE networking solutions offered by wireless providers, Enterprises must accept a one-size-fits-all solution with little flexibility or control. In contrast, Expeto takes advantage of the 3GPP standard to provide a disruptive solution that turns the tables and puts security and control back in the hands of the Enterprise. Expeto supports security operations by producing logs that can be consumed by enterprise SIEM applications. Moreover, Expeto brings secure transport to typically insecure IoT and edge computing devices. Essentially, the Expeto solution offers private networking that leverages cellular security.
Using the Expeto solution results in the convergence of Information Technology (IT), Operational Technology (OT) and the Internet of Things over LTE, which allows you to secure all communications with a single worldwide solution that provides the enterprise Flexibility, Agility, Security and Transparency (FAST).
• You control the device, via the Expeto/Customer SIM.
• You control the LTE network core (EPC).
• You have complete control and visibility of the device, the network path and the data.
• You can easily and securely deploy IoT devices and Connected Workers.
The Expeto solution enables the “enablers” and “innovators” within the Enterprise to unlock untapped opportunities in the rapid Digital Transformation of corporations using Data, Automation, Machine Learning and Artificial Intelligence. Most importantly, Expeto mitigates risks while allowing Enterprises to scale their business.
OVERVIEW OF LTE ARCHITECTURE
Expeto’s solution provides businesses with secure, scalable, private networking so that data can be managed and controlled over any LTE cellular network. A basic understanding of how LTE works will help the reader explore security questions around cyber security attack vectors.

WHY LTE AND NOT WI-FI?
Currently, many Enterprises rely on industrial Wi-Fi to connect different kinds of “things” and devices, and on public cellular networks to provide access to different kinds of mobile workers. However, Wi-Fi causes many challenges and security risks for businesses embarking on business transformation.
As a replacement or adjunct for Wi-Fi, emerging wireless standards are still not mature compared to what 3GPP can offer; many of these standards use unlicensed spectrum, which introduces more security threat vectors as well as performance and power considerations.
In contrast, LTE encrypts the air interface by design: user-plane traffic is ciphered between the device and the radio (eNodeB), and NAS signaling is ciphered and integrity-protected between the device and the core (MME). Open or shared-passphrase Wi-Fi is a shared medium where others on the same network can sniff and view packets in the clear. For example, users sitting at a Starbucks in the food court are broadcasting their traffic to everyone; even on a home Wi-Fi network, the traffic then leaves over the ISP’s network and the public internet with no further protection unless the application or a VPN encrypts it.
The equipment needed to sniff and break into an LTE network is considerably more specialised than what is required for Wi-Fi networks. Attackers typically opt for the path of least resistance, and so they focus their efforts on Wi-Fi vulnerabilities rather than on hardened LTE networks.
While traffic over Wi-Fi can be made secure, the challenge is more complex and requires layers of security software and controls such as VPNs, RSA tokens, Multi-Factor Authentication (MFA) and other techniques.
With Expeto’s Private LTE Networking, the complexity and associated costs (hardware, software, IT staff to maintain and operate) of securing Wi-Fi are eliminated.
LTE COMPATIBILITY WITH EVOLVING 3GPP STANDARDS
LTE is a standard for high-speed wireless communication for mobile devices and data terminals, developed as the successor to the GSM/EDGE and UMTS/HSPA technologies. As a radio interface, LTE is distinct from its 2G and 3G predecessors and can be deployed in its own spectrum. Compared to 2G and 3G, LTE offers faster upload and download speeds and all-IP communication.
With the recent rise of IoT/IIoT devices, the industry has evolved yet again with Cat-M1 and NB-IoT, which are both LTE-based, and with 5G, which in its non-standalone form anchors on the LTE core (EPC). Because they build on LTE, these standards are compatible with the Expeto EPC software solution.
Expeto builds upon the inherent functionality and security of LTE as defined by 3GPP.
SECURITY, CONNECTIONS AND TRAFFIC WITHIN THE LTE STANDARD
As mobile network standards have evolved over time, security controls have also been greatly improved with 4G and are stronger again in 5G.

Basic Architecture of the LTE Protocol Standard
User data sent from the User Equipment (UE) to the corporate network is ‘tunneled’ across the core using the GPRS Tunneling Protocol (GTP-U, carried over UDP). The control signaling between the radio network and the core (S1-AP) runs over SCTP (Stream Control Transmission Protocol), which provides reliable, ordered delivery. Signaling between the UE and the network (NAS and RRC) is integrity-protected and ciphered. User-plane data is ciphered over the air, but LTE does not integrity-protect it, so applications that need end-to-end message integrity (for example via TLS) must provide it themselves.

[Figure: High-level Cellular Network Connections and Traffic: UE → E-UTRAN → EPC → Corporate Network]

From a cybersecurity perspective, it is imperative to know the data path through the radio network (E-UTRAN) from the end device to the corporate IP network. An unknown data path could impact regulatory obligations and routing costs, and could allow unintended third-party access to data packets.

[Figure: LTE Network Architecture: UE → E-UTRAN (eNodeBs) → EPC (MME, HSS, SGW, PGW, PCRF) → Corporate Network]

The data path from the UE to the corporate IP network is ‘tunneled’ over the network, acting much like a VPN. The data packets exit the EPC at the Packet Gateway (PGW) component and enter the corporate network.
CONTROL SIGNALING AND USER DATA IN LTE ARCHITECTURE
Traffic between the UE (mobile device) and the EPC is split into two planes: Control signaling and User data. Both planes traverse the same RF connection but go to different endpoint components within the Expeto EPC.

Control Plane Overview
• Control Plane signaling involves the eNodeB, MME and HSS components and is responsible for the establishment of a connection between the UE and the core network.
• Control Plane traffic is ciphered and integrity-protected between the UE and the eNodeB (RRC) and between the UE and the MME (NAS), and is separate from the User Plane traffic.
• The SIM (USIM) on the device holds the permanent subscriber key K; after authentication, the session keys that protect Control Plane signaling are derived from it.
• When a device attempts to connect to the network, it establishes a radio connection with an eNodeB and sends its identity in the Control Plane signaling: its IMSI on a first attach, or a temporary identity (GUTI) assigned on an earlier attach.
• The MME controls the security and authentication of the device onto the network.
• The eNodeB forwards the attach request to the MME, which decides whether this device is allowed on the network.
• The MME reaches back to its HSS (Home Subscriber Server), which stores the security information (subscriber key and profile) associated with this device/IMSI, and challenges the device with it.
• If the device is authenticated and allowed onto the network, a bearer between the eNodeB and the SGW (Serving Gateway) is established for the User/Data Plane.

User Plane Overview
• User/Data Plane traffic flows through the eNodeB, SGW and PGW components.
• User Plane traffic is ciphered over the air between the UE and the eNodeB and is separate from the Control Plane traffic. From the eNodeB to the SGW (S1-U) it travels as plain GTP-U unless the backhaul is protected, which is why the S1 interface should be encrypted (see Backhaul (S1) Protection under Security Recommendations).
• The same subscriber key K on the SIM is the root from which the User Plane ciphering key is derived.
• The SGW is the router between the eNodeB networks and the PGW. It carries the User Plane traffic.
• The PGW allocates IP addresses to the UEs (much as a DHCP server would; it can also apply NAT) and routes traffic between the eNodeB networks and the corporate IP network.

FOR MORE READING...
In order to fully appreciate all the security controls built into the 4G LTE architecture, a detailed understanding is required. This section only provides a high-level overview, and the reader is encouraged to review the more detailed information provided by NIST in their “Guide to LTE Security” (SP 800-187): https://csrc.nist.gov/publications/detail/sp/800-187/final
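The attach sequence described above (device sends IMSI, MME fetches an authentication vector from the HSS, device is challenged, RES is compared with XRES and both sides derive KASME) as a runnable model. This is an added example, not Expeto code and not a 3GPP reference implementation: HMAC-SHA256 stands in for the MILENAGE functions f1–f5 that a real USIM and HSS run on the permanent key K, the IMSI, key and serving-network values are constructed, and the KASME derivation only follows the structure of TS 33.401 (FC=0x10, inputs SN id and SQN⊕AK). What it shows is why the SIM matters: the network only ever sees RES, never K, and a cloned SIM with the wrong K or a replayed challenge is rejected.

```python
"""Simplified EPS-AKA style attach authentication (added example; see lead-in)."""
import hashlib
import hmac
import os


def _prf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Keyed PRF standing in for MILENAGE f1..f5 and the 3GPP KDF (assumption)."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HSS:
    """Home Subscriber Server: holds K and the sequence number SQN per IMSI."""

    def __init__(self) -> None:
        self.subscribers: dict = {}

    def provision(self, imsi: str, k: bytes) -> None:
        self.subscribers[imsi] = {"k": k, "sqn": 0}

    def authentication_vector(self, imsi: str, sn_id: bytes):
        """Return (RAND, AUTN, XRES, KASME) for the MME serving network sn_id."""
        sub = self.subscribers.get(imsi)
        if sub is None:
            raise KeyError("unknown IMSI")      # MME rejects the attach
        sub["sqn"] += 1                         # fresh SQN for every vector
        sqn = sub["sqn"].to_bytes(6, "big")
        rand = os.urandom(16)
        k = sub["k"]
        mac = _prf(k, b"f1", rand, sqn)[:8]     # lets the UE authenticate the network
        xres = _prf(k, b"f2", rand)[:8]         # expected response from the UE
        ck = _prf(k, b"f3", rand)[:16]
        ik = _prf(k, b"f4", rand)[:16]
        ak = _prf(k, b"f5", rand)[:6]           # anonymity key conceals SQN on the air
        autn = _xor(sqn, ak) + mac
        kasme = _prf(ck + ik, b"\x10", sn_id, autn[:6])
        return rand, autn, xres, kasme


class USIM:
    """The SIM side: K never leaves the card; only RES and derived keys do."""

    def __init__(self, imsi: str, k: bytes) -> None:
        self.imsi, self._k, self._sqn_seen = imsi, k, 0

    def respond(self, rand: bytes, autn: bytes, sn_id: bytes):
        ak = _prf(self._k, b"f5", rand)[:6]
        sqn = _xor(autn[:6], ak)
        if not hmac.compare_digest(_prf(self._k, b"f1", rand, sqn)[:8], autn[6:]):
            raise ValueError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self._sqn_seen:
            raise ValueError("synch failure: replayed challenge")
        self._sqn_seen = sqn_int
        res = _prf(self._k, b"f2", rand)[:8]
        ck = _prf(self._k, b"f3", rand)[:16]
        ik = _prf(self._k, b"f4", rand)[:16]
        return res, _prf(ck + ik, b"\x10", sn_id, autn[:6])


def attach(usim: USIM, hss: HSS, sn_id: bytes):
    """MME side of the attach: returns (accepted, reason)."""
    try:
        rand, autn, xres, kasme_net = hss.authentication_vector(usim.imsi, sn_id)
        res, kasme_ue = usim.respond(rand, autn, sn_id)
    except (KeyError, ValueError) as exc:
        return False, str(exc)
    if not hmac.compare_digest(res, xres):
        return False, "RES mismatch: UE not authenticated"
    return kasme_ue == kasme_net, "attach accepted; KASME agreed"


def replay_is_rejected(usim: USIM, hss: HSS, sn_id: bytes) -> bool:
    """Deliver the same RAND/AUTN twice; the USIM must refuse the second copy."""
    rand, autn, _, _ = hss.authentication_vector(usim.imsi, sn_id)
    usim.respond(rand, autn, sn_id)
    try:
        usim.respond(rand, autn, sn_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hss = HSS()
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed test key
    hss.provision("001010123456789", k)
    sn = b"\x00\xf1\x10"                                    # PLMN 001/01 (example)
    print(attach(USIM("001010123456789", k), hss, sn))
    print(attach(USIM("001010123456789", bytes(16)), hss, sn))   # cloned SIM, wrong K
```

The SQN check on the USIM is what stops a cell-site simulator from replaying a captured challenge, and the MAC in AUTN is what lets the device refuse a network that does not hold its K; both checks happen before the device reveals RES.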
EXPETO DEPLOYMENT & SECURITY IMPLEMENTATION
Enterprise customers have cybersecurity policies and standards that solutions must adhere to in order to protect company digital assets. Expeto’s Private LTE Networking solution introduces a new external network entering the Enterprise that must be analyzed to understand the security controls and any required threat mitigation strategies.
Inherent to the 4G LTE standards (as defined by 3GPP), the device and the core are mutually authenticated and traffic is protected from the UE to the Expeto EPC:
• Control Plane traffic from the UE SIM to the radio network (eNodeB) and the Mobility Management Entity (MME) is encrypted and integrity-protected.
• Data Plane traffic from the UE SIM is encrypted over the air to the eNodeB; from the eNodeB to the Serving Gateway/Packet Data Network Gateway (SGW/PGW) it is protected by the backhaul (S1) measures described under Security Recommendations.
In both cases, the egress into the Corporate Business Network would typically enter via a protected “Trusted Business Partner”-type DMZ network with all the expected perimeter and cyber security controls that any other external network would go through. The result is that all the Enterprise data is protected in a private cellular network from the device right to the PGW component, which is the egress into the corporate TCP/IP network.
The security implications of the Expeto deployment include:
• No software or hardware VPN is required
• No complicated routing and configuration
• No RSA tokens
Since the customer controls the device SIM and the network elements (EPC), only Expeto/Customer devices (SIMs) are allowed to attach to the network. This can be enforced with a polling/monitoring solution that confirms the SIM in each IoT device is unchanged; if it has changed, the enterprise security team can be alerted.
EXPETO DEPLOYMENT
With Expeto’s Private LTE Networking solution, customers for the first time have full end-to-end control of their data path from the device to their corporate network. The following diagram outlines a typical deployment with the Expeto EPC deployed within the customer data center/network:

[Figure: Expeto Deployment Architecture. Left: the corporate HQ network with IT and OT subnets and an Expeto EPC (SGW, MME, HSS, PGW, PCRF) serving a private RAN. Right: connected workers on the public MNO network, reaching an Expeto EPC (HSS proxy, PCRF, PGW) via the MNO EPC and IPX, with PGW breakout into the corporate IT and OT networks.]

The diagram illustrates both a truly private RAN, which may be deployed at an industrial location such as a mining or oil and gas facility, and connected workers on a national MNO/carrier network.

EXPETO EMPOWERS THE ENTERPRISE
Private LTE Networking allows the enterprise to gain visibility and real-time network controls without time-consuming interaction or reliance on third-party expertise. The private cellular service is composed of several system instances. Each system contains the independent functions expected within the EPC core: HSS, MME, SGW, PCRF and PGW. The previous diagram highlights PGW breakout for simplicity.
Separation of concerns among functional and business unit boundaries is essential for operational security. Taking into consideration the explanations in this paper, one can see that although the Expeto EPC resides behind and inside the corporate network, the inherent security controls of the 3GPP/LTE protocol provide a simpler and higher level of security compared to Wi-Fi.
Standardizing on a global Private LTE Networking solution reduces loaded cost and complexity. Most solutions only offer MNO roaming or a localized network in a box. Expeto is among the few subscription-based Private LTE Networking platforms to offer connectivity to both MNO and private RAN globally with a single solution under Enterprise control.
SECURITY RECOMMENDATIONS
With Expeto’s solution, the customer is responsible for their own defense-in-depth strategy and must determine whether they still wish to use VPNs or Multi-Factor Authentication mechanisms. This choice depends on the classification and nature of the data being transported.

RECOMMENDED STANDARD IT SECURITY PRACTICES
Some EPC elements can be run on customer-supplied infrastructure that is outside the direct control of Expeto. Expeto recommends and expects customers to implement standard IT security practices for the prevention and detection of threats, such as:
• Network perimeter Intrusion Detection Systems
• Security Information and Event Monitoring (SIEM)
• O/S hardening

Implement Default Behavior
Expeto controls the EPC and as such can implement some default behavior in order to improve the security posture of the entire network and system:
• Force LTE connections only and do not fall back to insecure 2G/3G networks
• Force/enable Control Plane traffic encryption (NAS integrity is mandatory in LTE, but ciphering is negotiable; the null algorithm EEA0 should not be offered)
• Force/enable User Plane traffic encryption (again, EEA0 should not be permitted in the eNodeB’s allowed-algorithm list)

Implement Additional Defense-in-Depth
In addition to the default security profile, additional ‘defense in depth’ measures can also be implemented:
• Use of a SIM PIN code (common practice with IIoT devices); this stops a SIM that is removed from a device from being used elsewhere
• Mapping of IMEI (hardware device) to SIM (token) in the HLR/HSS register; note that the IMEI is reported by the device, so this catches accidental or casual swaps rather than a determined attacker
• Use of third-party ‘over the top’ encryption (often unnecessary, but appropriate where data needs end-to-end integrity or protection beyond the PGW, since LTE ciphers the air interface only)
• Encrypt the eNodeB to EPC (S1) interface for private RAN deployments (see Backhaul (S1) Protection)
BACKHAUL (S1) PROTECTION
The backhaul network is the network connection between the eNodeB radio network and the EPC elements (MME, SGW) and runs over what is called the ‘S1’ interface. It carries S1-AP control signaling over SCTP (S1-MME) and GTP-U user traffic over UDP (S1-U); neither is encrypted by the LTE air-interface security, because that ciphering terminates at the eNodeB. This traffic should therefore be protected and encrypted. This can be established using a variety of methods, from software encryption/tunneling to hardware encryption devices. The endpoint within the customer network (typically in a business/partner DMZ zone) is referred to as the Security Gateway (SEG).
• For public/macro networks connecting to the Expeto Partition Aware Proxy (EPAP) component (located in the Amazon AWS cloud, for example), it is essential that a secure connection be established using the customer’s preferred method (IPsec or a physical cross-connect, for example).
• For a private RAN (P-RAN) deployment, the customer can decide whether the underlying network infrastructure is sufficient, or whether additional network security (IPsec with AES) is required.

MULTI-FACTOR AUTHENTICATION (MFA)
From an MFA perspective, confirming that the connecting device is authenticated and is an Enterprise asset can be accomplished by mapping the IMEI and IMSI numbers to the device, in conjunction with any local device user authentication that the Enterprise security policy enforces. The basic elements of MFA include:
Knowledge (something the user and only the user knows)
• The user’s local login to the device, or login to the corporate ‘network’ via an SSO solution such as Microsoft ADFS or Okta. This can also be enhanced by enforcing a PIN on the SIM so that no ‘SIM swapping’ can occur. This is common practice with Industrial IoT devices that have no user interface to log in to.
Possession (something the user and only the user has)
• The Expeto/Customer SIM
Inherence (something the user and only the user is)
• Depending on the level of security and the device capabilities, this could be a fingerprint scan or retinal recognition.
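A check for the Backhaul (S1) Protection recommendation above: given flow records taken on the backhaul side of the Security Gateway, report any eNodeB whose S1 signaling (S1-AP, SCTP port 36412) or user traffic (GTP-U, UDP port 2152) is travelling in the clear instead of inside ESP to the SEG. This is an added example, not Expeto code; the flow records, addresses and eNodeB names are constructed for the example, and a real run would read NetFlow/IPFIX or a pcap summary in the same five-field form.

```python
"""Detect cleartext S1 backhaul traffic that should be inside IPsec (added example)."""
from collections import defaultdict

S1AP_SCTP_PORT = 36412       # S1-MME: S1-AP over SCTP (eNodeB <-> MME)
GTPU_UDP_PORT = 2152         # S1-U: GTP-U over UDP (eNodeB <-> SGW)
IKE_UDP_PORTS = {500, 4500}  # IKEv2 and NAT-T, expected toward the SEG only

ENODEBS = {"10.10.1.20": "enb-01", "10.10.1.21": "enb-02"}   # constructed
SEG = "203.0.113.10"                                          # constructed

# Constructed flow records ("src dst proto dport bytes"): enb-01 is tunnelled,
# enb-02 has negotiated IKE but is still sending S1 in the clear to the core.
FLOWS = """\
10.10.1.20 203.0.113.10 esp 0 884210
10.10.1.20 203.0.113.10 udp 4500 2048
10.10.1.21 10.20.0.5 sctp 36412 1312
10.10.1.21 10.20.0.7 udp 2152 552300
10.10.1.21 203.0.113.10 udp 500 1024
10.10.1.20 10.10.1.1 udp 123 76
"""


def classify(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'protected', 'cleartext-s1' or 'other' for one eNodeB flow."""
    if proto == "esp" and dst == SEG:
        return "protected"
    if proto == "udp" and dport in IKE_UDP_PORTS and dst == SEG:
        return "protected"            # key exchange, carries no S1 payload
    if proto == "sctp" and dport == S1AP_SCTP_PORT:
        return "cleartext-s1"
    if proto == "udp" and dport == GTPU_UDP_PORT:
        return "cleartext-s1"
    return "other"                    # NTP, management, etc.


def audit_s1(flows: str = FLOWS) -> dict:
    """Per eNodeB: bytes inside ESP/IKE, bytes of S1 in the clear, and offenders."""
    report = defaultdict(lambda: {"protected": 0, "cleartext-s1": 0, "violations": []})
    for line in flows.splitlines():
        src, dst, proto, dport, nbytes = line.split()
        if src not in ENODEBS:
            continue                  # only eNodeB-originated flows are in scope
        kind = classify(src, dst, proto, int(dport))
        entry = report[ENODEBS[src]]
        if kind == "protected":
            entry["protected"] += int(nbytes)
        elif kind == "cleartext-s1":
            entry["cleartext-s1"] += int(nbytes)
            entry["violations"].append(f"{proto}/{dport} to {dst}")
    return dict(report)


def unprotected_enodebs(flows: str = FLOWS) -> list:
    """Names of eNodeBs with any S1 traffic outside the IPsec tunnel."""
    return sorted(name for name, r in audit_s1(flows).items() if r["cleartext-s1"] > 0)


if __name__ == "__main__":
    for name, r in audit_s1().items():
        status = "OK" if not r["violations"] else "CLEARTEXT S1: " + ", ".join(r["violations"])
        print(f"{name}: {status}")
```

Run it periodically against the SEG’s outside-interface flow export: an eNodeB that appears in the output has either lost its tunnel and fallen back to plain routing, or was never configured to use the SEG, and in both cases its subscribers’ traffic is exposed on the backhaul.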
EXPETO SECURITY THREAT MITIGATION
Expeto’s solution has complete control of the SIM (UICC) in the User Equipment (UE) as well as the core network software elements (EPC, the Evolved Packet Core: SGW, MME, HSS, PGW). This allows Expeto to manage security policy in both the Control Plane and the User Plane, and to dynamically route traffic to separate EPC instances or corporate networks for separation of duties/networks. Expeto therefore mitigates risk in the following ways:

Security threat/risk: 2G and 3G networks have considerable security vulnerabilities.
Expeto mitigation: Expeto forces ‘true’ 4G LTE connections only. No ‘fallback’ or ‘downgrade’ to 2G/3G is allowed.

Security threat/risk: Any LTE device will attach to the radio network and automatically be ‘on’ the corporate network.
Expeto mitigation: Only authenticated Expeto/Customer SIMs and devices are allowed on the network.

Security threat/risk: Users will swap SIMs between devices and get ‘on’ the corporate network.
Expeto mitigation: This is addressed via control of the SIM and its mapping to specific hardware devices via the IMEI. The HSS component houses this information.

Security threat/risk: Devices will be lost or stolen, so ‘any’ user can get onto the corporate network.
Expeto mitigation: The person who ‘found’ the device would first have to be able to authenticate locally on the device. Most corporate devices (phones, tablets, laptops) should enforce local MFA security policies to prevent local unauthorized access to a device. If a device is lost, once notified the SIM can be disabled/blocked immediately by IT security or via a service request, using the REST API or the GUI. The organisation may have bigger problems with the lost device itself than with access to the network, which has its own level of security controls in front of corporate apps/resources.

Security threat/risk: The EPC runs on commodity hardware infrastructure.
Expeto mitigation: Expeto relies on the customer’s security practices to harden their server and network infrastructure.
Security threat/risk: Egress into the corporate business network is from an ‘untrusted’ network source.
Expeto mitigation: Customers have many network interfaces with business partners and other ‘untrusted’ network sources which should go through a wide range of ‘defense in depth’ security controls such as IDS (Intrusion Detection Systems), network sniffers, DoS prevention and network taps/audits, along with other perimeter security controls. Expeto assumes the entry into the customer network will be into a semi-trusted or Business Partner DMZ-type network zone with appropriate security controls in place, as is done for all other types of connections.

Security threat/risk: Man-in-the-middle attacks, including IMSI catching and ‘Stingray’ devices, also known as cell-site simulators (they trick cell phones into downgrading to the weaker 2G/3G standard to easily intercept communications and track the locations of anyone nearby).
Expeto mitigation: Expeto forces ‘true’ 4G LTE connections only. No ‘fallback’ or ‘downgrade’ to 2G/3G is allowed. This removes the downgrade path these devices rely on for interception. Note that a simulator advertising an LTE cell can still ask an unauthenticated UE for its IMSI, because the LTE identity request precedes authentication; this is why frequent reallocation of the temporary identity (next item) matters. It cannot, however, complete authentication or read ciphered traffic without the subscriber key held on the SIM.

Security threat/risk: SIM swapping.
Expeto mitigation: SIM swapping isn’t new, and to mitigate it you can simply enforce that a SIM PIN code is set. If you don’t set the SIM PIN code, we can also detect whether the SIM matches the device (IMEI).

Security threat/risk: IMSI spoofing.
Expeto mitigation: The IMSI on the SIM is only sent in the first attach request. Subsequent requests use a temporary identity, the GUTI (which contains the TMSI), allocated by the MME and reallocated on a schedule. Since you control the core, you can define how often the GUTI is reallocated, so even if someone did happen to catch the original attach request and grab the IMSI, the device will be using a new identity after the next reallocation. An attacker who presents a captured IMSI cannot complete authentication without the subscriber key K, which never leaves the SIM.

Security threat/risk: IMEI spoofing.
Expeto mitigation: Since Expeto controls the core, we can detect whether the IMEI matches the SIM (IMSI). If not, we reject the connection or send out a notification. Because the IMEI is reported by the device itself, this is a consistency check rather than a cryptographic one; the SIM authentication remains the strong control.
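The monitoring described under Expeto Deployment & Security Implementation (confirm the SIM in each device is unchanged and alert), the default behaviours under Security Recommendations (LTE only, no null ciphering) and the SIM-swap and IMEI rows of the threat tables above, expressed as one policy check run over attach events. This is an added example, not Expeto code: the event format, field names, IMSI/IMEI values and the binding table are constructed for the example, and in a real deployment the events would come from the EPC’s attach records and the binding from the HSS subscriber profile.

```python
"""Attach-event policy: LTE only, no null algorithms, SIM bound to IMEI (added example)."""
import re
from dataclasses import dataclass

# Constructed attach events: one clean attach, one negotiated null cipher, one
# SIM seen in a different device, one unknown SIM, one 3G (UTRAN) attach.
ATTACH_LOG = """\
2024-03-01T08:00:01Z attach imsi=001010000000001 imei=352091050000011 rat=E-UTRAN eea=EEA2 eia=EIA2 cell=enb-01
2024-03-01T08:00:07Z attach imsi=001010000000002 imei=352091050000029 rat=E-UTRAN eea=EEA0 eia=EIA2 cell=enb-01
2024-03-01T08:00:15Z attach imsi=001010000000003 imei=352091050000995 rat=E-UTRAN eea=EEA2 eia=EIA2 cell=enb-02
2024-03-01T08:00:22Z attach imsi=001010000000042 imei=352091050000425 rat=E-UTRAN eea=EEA2 eia=EIA2 cell=enb-02
2024-03-01T08:00:30Z attach imsi=001010000000001 imei=352091050000011 rat=UTRAN eea=UEA1 eia=UIA1 cell=nb-07
"""

# IMSI -> IMEI, as the HSS binding would store it (constructed values)
SIM_DEVICE_BINDING = {
    "001010000000001": "352091050000011",
    "001010000000002": "352091050000029",
    "001010000000003": "352091050000037",
}
NULL_ALGORITHMS = {"EEA0", "EIA0"}   # LTE null ciphering / null integrity
ALLOWED_RAT = "E-UTRAN"              # LTE only; no GERAN (2G) or UTRAN (3G)

_LINE = re.compile(r"^(?P<ts>\S+) attach (?P<fields>.+)$")


@dataclass
class Verdict:
    ts: str
    imsi: str
    action: str   # "accept", "reject" or "notify"
    reason: str


def parse_event(line: str):
    """Return (timestamp, {field: value}) or None for a non-attach line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    return m["ts"], fields


def evaluate(ts: str, f: dict, reject_on_mismatch: bool = True) -> Verdict:
    """Apply the rules in order of severity; the first failing rule decides."""
    imsi, imei = f.get("imsi", ""), f.get("imei", "")
    if imsi not in SIM_DEVICE_BINDING:
        return Verdict(ts, imsi, "reject", "SIM not provisioned in HSS")
    if f.get("rat") != ALLOWED_RAT:
        return Verdict(ts, imsi, "reject", f"non-LTE access ({f.get('rat')})")
    if f.get("eea") in NULL_ALGORITHMS or f.get("eia") in NULL_ALGORITHMS:
        return Verdict(ts, imsi, "reject", "null cipher or integrity algorithm negotiated")
    if SIM_DEVICE_BINDING[imsi] != imei:
        # Policy choice from the threat table: reject outright, or notify the SOC.
        action = "reject" if reject_on_mismatch else "notify"
        return Verdict(ts, imsi, action, f"SIM seen in unexpected device IMEI {imei}")
    return Verdict(ts, imsi, "accept", "LTE, ciphered, SIM/IMEI binding ok")


def audit(log: str = ATTACH_LOG, reject_on_mismatch: bool = True) -> list:
    """Evaluate every attach event in the log and return the verdicts in order."""
    verdicts = []
    for line in log.splitlines():
        parsed = parse_event(line)
        if parsed:
            verdicts.append(evaluate(*parsed, reject_on_mismatch=reject_on_mismatch))
    return verdicts


if __name__ == "__main__":
    for v in audit():
        print(f"{v.ts} {v.imsi} {v.action:7} {v.reason}")
```

In production the first three rules belong in the core itself (the HSS subscriber profile and the MME/eNodeB algorithm priority lists), and this audit is the independent check that those settings are actually in effect; the binding rule is the one that naturally feeds a SIEM alert, since the IMEI is device-reported and a mismatch is evidence, not proof, of tampering.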
REAL-WORLD APPLICATIONS OF THE EXPETO SOLUTION
Emerging private LTE technologies provide broadband data capabilities with mobility and roaming, SIM-based security and other features to support connectivity for Internet of Things devices and human end users. Expeto’s solution allows Enterprises to view all their “things” on a single “pane of glass”, no matter where in the world these assets are located, or which regional or private cellular network provides connectivity. In each case, businesses retain control of the security of their devices and data, over any public cellular network in the world.

FLEET MANAGEMENT
For enterprises that rely on transportation as part of their business, fleet management helps them reduce and mitigate risks associated with vehicle investment, improving efficiency and productivity while reducing overall vehicle, transportation and staff costs. For example, smart cities are using asset tracking for waste management purposes by giving garbage collectors the most efficient routes to collect the buildup of waste in urban environments. Shipping services also use real-time traffic feeds and efficiency algorithms to deliver more packages more efficiently, with less wear and tear on drivers and on vehicles.

Asset tracking
According to a study by Infosys and the Institute for Industrial Management at Aachen University, 85% of manufacturing companies globally are aware of asset efficiency practices, but only 15% of those surveyed have implemented such measures with a technological, systemic approach. Asset tracking allows the Enterprise to easily locate and monitor key assets, including along the supply chain (e.g. real-time analysis of raw materials, final products and containers) to optimize logistics, manage inventory levels, prevent quality issues and detect theft. For example, in maritime shipping, sensors help track the location of a ship at sea and can provide the status and temperature of individual cargo containers. When temperatures differ from the optimal mark, crew can be notified and conduct repairs.
OIL & GAS
The ongoing “digitization” of the oil and gas industry is leading to adoption of machine learning, artificial intelligence and automation. Worker safety is improved, operational expenses are reduced, and new business opportunities are unlocked. Expeto makes IoT deployment scalable and secure, at very low cost.

Pipeline and Refinery Monitoring
A single pump failure can cost as much as $300,000 a day in lost production. Using devices and sensors connected over LTE to monitor more key points and pipeline equipment more accurately, at less cost, just makes sense. Data analytics can identify new areas of performance improvement, survey potential drilling sites, and pinpoint exactly when pump and filter replacement will begin to affect performance. And by providing greater insight about the flow, the refinery can be run at higher capacity.

Operational Optimization
Internal data generated by large integrated oil and gas companies is estimated to exceed 1.5 terabytes a day. Being able to harness and use that data increases the efficiency of workflow, supply chain and people management. Sensors relay data to the cloud, where it can be stored and sent to analysts who can assess current operations. Added visibility and insight allow oil and gas companies to seamlessly connect massive operations.

Exploration
The typical survey of a potential drilling site involves monitoring more than one million readings of seismic waves. These readings help oil producers find new hydrocarbon deposits, determine new spots for drilling and even find ways to optimize already-operational rigs. Using robots and sensors to quickly analyze surface and subterranean environments of potential drilling sites could save millions of dollars.

Equipment Maintenance
Not only does IoT offer the opportunity to automate thousands of wells spread across regions, it can monitor multiple pieces of equipment per well. Fuel leaks and theft cost the industry millions in losses each year. Monitoring equipment with sensors and video cameras produces data that can precisely pinpoint anomalies in the drilling process. Efficient maintenance can help avoid unscheduled shutdowns, which cost producers and refiners billions per year in operating costs.
MINING
Mining operations face a number of challenges when it comes to connectivity, because they often operate in remote areas with little to no cellular coverage and have complicated network needs, such as being able to extend communications underground. According to a Qualcomm white paper on private LTE, mining conglomerate Rio Tinto of Australia was one of the first large enterprises to use a private LTE network for commercial operations at scale. Rio Tinto used private LTE to cover 15 mines and related facilities including transportation hubs and railways. That solution made use of 1800 MHz spectrum under a special arrangement with local regulators. Expeto partners with hardware firms to provide the required private radio hardware, and our EPC allows the enterprise to provision SIMs on demand for their site’s IIoT systems.

HOSPITALS
Reducing Emergency Room Wait Times
Thanks to some recent ingenuity and the IoT, at least one hospital, Mt. Sinai Medical Center in New York City, effectively slashed wait times for 50% of their emergency room patients who need inpatient care. It is their partnership with GE Healthcare and new, IoT-driven software, known as AutoBed, that tracks occupancy among 1,200 units and factors in 15 different metrics to assess the needs of individual patients. It is a highly effective system that highlights some of the more innovative and exciting uses of the IoT.

Ensuring the Availability and Accessibility of Critical Hardware
Modern hospitals require next-generation software and hardware to function; some of it is used to save or sustain human life. Like all electronic devices, this equipment is prone to numerous risks, from power outages to system failures, that could be a matter of life or death. An IoT-driven solution from Philips, called e-Alert, aims to solve that problem. Instead of waiting for a device to fail, Philips’ system takes a proactive approach by remotely monitoring medical hardware and alerting hospital staff members if there is a problem. Philips unveiled the product through a collaborative effort with OpenMarket.
SUMMARY
With traditional Private LTE Networking solutions offered by wireless providers, Enterprises have little to no control over security or IT deployment. In contrast, Expeto takes advantage of the 3GPP standard to provide a disruptive solution that turns the tables and puts security and control back in the hands of the Enterprise; businesses retain control of the security of their devices and data over any public cellular network in the world. While Enterprises are still responsible for ensuring defense-in-depth over their corporate network, LTE and the Expeto solution provide powerful, cost-effective tools for strengthening security.

CONTACT US
If you have any questions about Expeto deployment and security implementation, please do not hesitate to contact us at security@expeto.io
www.expeto.io
APPENDIX
APPENDIX I: THREAT RISK ASSESSMENTS
Expeto has prepared the following table (based on industry-standard security requirements) to help customers perform a Threat Risk Assessment when implementing Expeto:

Threat / control: Devices attached to a zone are authorized.
Expeto response: Authorization onto the network is controlled via the Expeto/Customer SIM and hardware device IMEI mapping. If the SIM is not valid and active, or if the SIM does not match the device, then no access is granted.

Threat / control: Interfaces with other zones are authorized.
Expeto response: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies on the customer’s IT networking and security practices and systems such as IDS, IPS and firewalls. Once on the customer enterprise network, this type of control falls under the regular firewall and routing rules and policies, as for any other corporate VLAN(s).

Threat / control: Entry points are defined.
Expeto response: Entry into the corporate network is via the Expeto EPC ‘PGW’ component, which runs on the Expeto EPC server (which the customer controls). Expeto recommends that the egress into the customer network be into a “Trusted Partner Zone”, which supports directly connected services with highly trusted partners. This zone can be viewed as a logical extension of internal zones to trusted organizations external to the customer’s internal network zones.
THREAT / CONTROL: Boundary devices are hardened against attack
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies on the customer to implement appropriate hardware device security hardening. Enforcing a PIN on the SIM is one way to add another layer of ‘defense in depth’ and is an additional MFA factor.

THREAT / CONTROL: Network traffic is filtered at entry points
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies on the customer’s networking and security practices and systems such as IDS. Once on the customer enterprise network, this type of control falls under the regular firewall and routing rules and policies for any other corporate VLAN(s).

THREAT / CONTROL: Network traffic is monitored at entry points
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies on the customer’s networking and security practices and systems such as IDS. Once on the customer enterprise network, this type of control falls under the regular firewall and routing rules and policies for any other corporate VLAN(s).

THREAT / CONTROL: Encrypted network traffic is inspected for malware, phishing attacks, and other security considerations at entry points
EXPETO RESPONSE: Out of Expeto’s control; Expeto is only Layer 2 transport. Expeto relies on the customer’s networking and security practices and systems such as IDS. Once on the customer enterprise network, this type of control falls under the regular firewall and routing rules and policies for any other corporate VLAN(s).
THREAT / CONTROL: Authorized user-authentication techniques are employed
EXPETO RESPONSE: MFA is already incorporated into LTE. From a multi-factor authentication (MFA) perspective, that the connecting device is authenticated and is an Enterprise asset can be confirmed by mapping the IMEI and IMSI number to a device, in conjunction with any local device user authentication that the Enterprise security policy enforces. In summary:
• IMSI to IMEI mapping can be enforced.
• SIM PINs can be enforced.
• Knowledge (something the user and only the user knows): the user’s local login to the device, or login to the corporate ‘network’ via an SSO solution such as Microsoft ADFS or Okta.
• Possession (something the user and only the user has): the Expeto/Customer SIM.
• Inherence (something the user and only the user is): depending on the level of security and the device capabilities, this could be a fingerprint scan or retinal recognition.

THREAT / CONTROL: Privileged access is managed and controlled
EXPETO RESPONSE: Expeto EPC command, control and administration is monitored with a role-based access security model. User information is stored locally with credentials encrypted. Future integration with LDAP/Active Directory and SAML 2.0 is in the product roadmap.

THREAT / CONTROL: Authorized change control processes are aligned with change management standards
EXPETO RESPONSE: Expeto will follow the customer’s recommended change management process, but assumes a formal service and support engagement model will be established.
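As an added illustration (not Expeto’s code), the following Python models the attach decision described in the rows “Devices attached to a zone are authorized” and “Authorized user-authentication techniques are employed”: the SIM must be known and active, and the device’s IMEI must match the one bound to that SIM, with every deny path returning a distinct reason that can be logged. The data model, function names and sample records are assumptions; the Luhn check digit on a 15-digit IMEI is a standard property of the IMEI format and is not something this document describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscriber:
    """One provisioning record: a SIM (IMSI) bound to one hardware device (IMEI).
    Hypothetical data model, not Expeto's."""
    imsi: str
    active: bool
    bound_imei: str


def imei_check_digit_ok(imei: str) -> bool:
    """Standard 15-digit IMEI: the last digit is a Luhn check digit over the
    first 14, so a mistyped or fabricated IMEI is usually rejected up front."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei[:14]):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting left from the check digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return (total + int(imei[14])) % 10 == 0


def authorize_attach(imsi: str, imei: str, subscribers: dict) -> tuple:
    """Return (granted, reason). Mirrors the TRA rows: no valid and active SIM,
    or a SIM that does not match the device, means no access. Each deny path
    carries its own reason so it can be logged and alerted on."""
    sub = subscribers.get(imsi)
    if sub is None:
        return False, "unknown SIM: IMSI not provisioned"
    if not sub.active:
        return False, "SIM not active"
    if not imei_check_digit_ok(imei):
        return False, "malformed IMEI"
    if sub.bound_imei != imei:
        return False, "SIM/device mismatch: IMEI not bound to this SIM"
    return True, "granted"


# Constructed sample provisioning records (not real subscribers or devices).
SUBSCRIBERS = {
    "001010123456789": Subscriber("001010123456789", True, "352099001761481"),
    "001010123456790": Subscriber("001010123456790", False, "352099001761499"),
}

if __name__ == "__main__":
    for imsi, imei in [("001010123456789", "352099001761481"),   # bound device
                       ("001010123456789", "352099001761499"),   # SIM moved to another device
                       ("001010123456790", "352099001761499"),   # deactivated SIM
                       ("001010999999999", "352099001761481")]:  # never provisioned
        granted, reason = authorize_attach(imsi, imei, SUBSCRIBERS)
        print(f"{imsi} / {imei}: {'ALLOW' if granted else 'DENY'} ({reason})")
```

Only the first pair is granted; the other three are the deny cases the table names, and the reason string is what a SIEM rule would key on.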
APPENDIX II: 2G, GSM AND 3G SECURITY

In comparison to LTE, GSM is an older, more vulnerable protocol; hence we advocate LTE.

MAIN SECURITY ISSUES FOR 2G

• It is possible to avoid eavesdropping and cloning due to the use of encryption and authentication.
• Weaknesses in crypto algorithms (A3 algorithm for authentication, A5 algorithm for encryption, A8 algorithm for key generation) that were not submitted to peer review due to nondisclosure.
• GSM only authenticates the user to the network and not vice versa. The security model, therefore, offers confidentiality and authentication, but limited authorization capabilities, and no non-repudiation.

GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. Both algorithms have been broken:
• A5/2 is exploitable with a real-time ciphertext-only attack.
• A5/1 is exploitable with a rainbow table attack.
MAIN SECURITY ISSUES FOR GSM

• Communications and signaling traffic in the fixed network are not protected.
• Does not address active attacks involving network elements such as the BTS (Base Station).
• Only as secure as the fixed networks to which they connect.
• Lawful interception only considered as an afterthought.
• Terminal identity cannot be trusted.

MAIN SECURITY ISSUES FOR 3G

• Eavesdropping: An intruder intercepts messages without detection.
• Masquerading: An intruder hoaxes an authorized user into believing that they are the legitimate system to obtain confidential information from the user; or an intruder hoaxes a legitimate system into believing that they are an authorized user to obtain system service or confidential information.
• Traffic analysis: An intruder observes the time, rate, length, source, and destination of messages to determine a user’s location or to learn whether an important business transaction is taking place.
• Browsing: An intruder searches data storage for sensitive information.
• Leakage: An intruder obtains sensitive information by exploiting processes with legitimate access to the data.
• Inference: An intruder observes a reaction from a system by sending a query or signal to the system. For example, an intruder may actively initiate communications sessions and then obtain access to information through observation of the time, rate, length, sources or destinations of associated messages on the radio interface.
APPENDIX III: GLOSSARY

3GPP (3rd Generation Partnership Project)
The 3rd Generation Partnership Project is a collaboration between groups of telecommunications standards associations aimed at developing globally acceptable specifications for third generation (3G) mobile systems. The 3GPP caters to a large majority of the telecommunications networks in the world.

LTE (Long Term Evolution)
Long-Term Evolution (LTE) is a standard for high-speed wireless communication for mobile devices and data terminals, based on the GSM/EDGE and UMTS/HSPA technologies. 4G is the fourth generation of mobile data technology, as defined by the radio sector of the International Telecommunication Union (ITU-R). LTE stands for “Long-term Evolution” and applies more generally to the idea of improving wireless broadband speeds to meet increasing demand. The historical progression of mobile standards is as follows: 2G (GSM) -> 2.5G (EDGE) -> 3G (UMTS) -> 3.5G (HSPA) -> 4G -> 5G

eNodeB/eNB (Evolved Node-B)
The radio component of the LTE network. Also referred to as the cellular network ‘base stations’; analogous to a Wi-Fi AP (Access Point).

EPAP (Expeto Partition Aware Proxy)
The network ‘slicing’ software component that sits in front of the EPC and ensures inbound connection requests are routed, based on their IMSI number, to a specific customer network and/or the EPC.

EPC (Evolved Packet Core)
The Evolved Packet Core comprises the network software elements that are the ‘brains’ of the network and control the connections, security and data plane packets.
E-UTRAN (Evolved Universal Terrestrial Radio Access Network)
A mesh network of eNodeBs that communicate with each other using the ‘X2’ interface to facilitate security and hand-off for mobile devices.

GSM (Global System for Mobile communications)
A globally deployed, standardized digital mobile communication system. The specifications are maintained and developed by 3GPP. See www.3gpp.org for more information.

GTP (GPRS Tunneling Protocol)
GTP is a group of IP-based communications protocols used to carry general packet radio service (GPRS) within GSM, UMTS and LTE networks. In 3GPP architectures, GTP and Proxy Mobile IPv6 based interfaces are specified on various interface points.

IMEI (International Mobile Equipment Identity)
IMEI is a 15- or 17-digit code that uniquely identifies mobile phone sets. The IMEI code can enable a GSM (Global System for Mobile communication) or UMTS (Universal Mobile Telecommunications Service) network to prevent a misplaced or stolen phone from initiating calls.

IMSI (International Mobile Subscriber Identity)
An IMSI is a unique number, usually fifteen digits, associated with Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) network mobile phone users. The IMSI uniquely identifies a GSM subscriber.

MME (Mobility Management Entity)
The main component of the SAE architecture is the Evolved Packet Core (EPC). The Mobility Management Entity (MME) plays an important role in the LTE EPC architecture; in fact, the MME is the main signaling node in the EPC.

MNO (Mobile Network Operator)
Cellular or mobile phone carriers such as Rogers, T-Mobile or Vodafone.
RAN/P-RAN (Radio Access Network/Private Radio Access Network)
These can be ‘public/macro’ networks provided by cellular carriers, or private networks (P-RAN) that an Enterprise customer might create at an industrial field of operations (gas plant, mining site, and so on).

SCTP (Stream Control Transmission Protocol)
SCTP is a protocol for transmitting multiple streams of data at the same time between two end points that have established a connection in a network. SCTP is designed to make it easier to support a telephone connection over the Internet.

SGW (Serving Gateway)
The SGW is a critical network function for the 4G mobile core network, known as the evolved packet core (EPC). The SGW resides in the user plane, where it forwards and routes packets to and from the eNodeB and the packet data network gateway (PGW).

PGW (Packet Data Network Gateway)
The PGW is a critical network function for the 4G mobile core network, known as the evolved packet core (EPC). The PGW acts as the interface between the LTE network and other packet data networks, such as the Internet.

SIM (Subscriber Identification Module)
The Subscriber Identification Module, or SIM.

Telco, Telecom
An MNO, i.e. a cellular or mobile phone carrier such as Rogers, T-Mobile or Vodafone.

UE (User Equipment)
Refers to the end device with an LTE radio/modem in it, such as a phone, laptop, tablet, IoT sensor, OBD-II dongle, people tracker and so on.
Expeto creates a global intranet wherever there is a cellular connection.

sales@expeto.io
855.273.5782
WWW.EXPETO.IO