
February 11, 2026

Protecting legacy telco kit

Telecoms operators have never had a more complex and threatening cybersecurity landscape.

 

  • Nation-state adversaries (e.g. China’s Salt Typhoon) are increasingly focusing on them, looking to exfiltrate data and destabilize national critical infrastructure.

  • Regulation is becoming more stringent – for example, in the UK the Telecoms Security Act has added extra requirements for telcos to harden remote access use cases.

  • And, as we are seeing in South Korea, telecoms executives are being held personally liable for poor cybersecurity practices.

Given these pressures, how are operators looking to improve their security posture?

 

In this blog we outline just some of the methods telcos can use to secure legacy devices in their networks.

As in many industries that were not born of recent startups, telco has a lot of 20+ year old legacy kit with minimal or zero security controls built in (e.g. broadband connectivity out to the last mile). This legacy kit was built in a bygone era of trust, when the cybersecurity landscape was more benign and operating system hardening was the most you could expect on the security side.

So, how can operators expect to secure such equipment now?

The direct method is to replace or upgrade the equipment to equivalent technology that is secure. However, this may not be cost-effective, and may not even be possible for particularly arcane pieces of kit utilising old protocols, or from vendors that went out of business years ago. Consider the large number of Nortel DSLAMs that are still deployed in last mile cabinets. Or 2G / 3G mobile switching equipment that is still required for IoT devices with emergency fallback, like burglar alarms and elevator emergency phones.

 

What can telcos do to secure these legacy telephony assets and networks without rearchitecting the entire stack?

 

To avoid reinventing the wheel, it’s a good idea to learn from others and avoid making any mistakes they have made. In this regard, telcos can look at what other industry sectors have done. Telecoms isn’t the only industry with legacy kit lacking security controls. This problem is pervasive in OT (Operational Technology) across many different sectors, especially as companies want to move from an OT world to a more connected Industrial IoT based architecture.

Consider the PLCs (Programmable Logic Controllers) in assembly lines or chemical processes. Or the RTUs (Remote Terminal Units) in oil and gas pipelines. Due to their long lifecycles, these devices were deployed in a less connected, less competitive and less combative threat landscape, with minimal security controls to match. Much like their equivalent devices in telco networks.

So what lessons can telcos learn from OT environments?

 

Risk avoidance is always better than risk mitigation or acceptance, but where the legacy devices themselves cannot be replaced or upgraded, the next most cost-effective and fastest risk reduction is to physically isolate them in their own network segments.

The best emerging capability to do this is via Zero Trust firewalls, such that all traffic (no matter whether it is a modern IP protocol or an older multicast OT protocol like MODBUS) to/from the legacy devices must physically go through the firewall.

Note that Zero Trust firewalls differ from legacy firewalls in a few key ways:

  • They assume all traffic can be malicious, not just traffic entering the network from external sources.

  • Policies can be based on identity, time windows, and context, delivering finer control and least privilege beyond what purely network-based firewalls offer.

  • Agents are not needed so legacy devices are supported from the get-go.

 

Crucially, these functions tie together to protect the network from insider threat and lateral movement scenarios. A legacy telco device can be easy to compromise and can become a beachhead for the attacker into the rest of the network. However, the device will stop behaving normally and start exhibiting signs of compromise. The Zero Trust firewall can detect such changes immediately and revoke even the minimal privileges that are normally granted to that device, thus insulating the rest of the network.

It is naturally important for OT industries and telcos to choose a Zero Trust firewall that is tailored specifically to their use cases, not a generic one designed for enterprise IT networks. So, when selecting a Zero Trust firewall you should look for the following capabilities:

  1. You can handle Layer 2 protocol flows required to control OT devices.

  2. You can provide a modern identity stack for these devices, integrating them into your wider identity management system, including Privileged Access Management systems.

  3. Authorization is only extended to provide temporary just-in-time, just-enough-trust access into operational devices when the policy allows and, crucially, the user and device context is correct.

  4. Actions are recorded and restricted to minimize the risk of insider threats.

Taken together these capabilities can provide excellent support for critical use cases like providing Remote Access for your supplier/vendor engineers (e.g. from Ericsson / Nokia / SIEMENS / Cisco). Not the typical function we see provided by firewalls designed for IT environments!
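The decision logic behind capabilities 2 to 4 and the revoke-on-anomaly behaviour described above can be sketched as a default-deny policy check. This is an added example, not code from ZT Solutions or any product; the `Gateway` and `Grant` classes, the engineer and device names, and the addresses are hypothetical, and Layer 2 handling is out of scope.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Grant:  # just-in-time grant: one user, one device, named operations, short window
    user: str
    device: str
    operations: frozenset
    start: datetime
    end: datetime

@dataclass
class Gateway:
    baseline: dict  # device -> destinations it normally talks to
    grants: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def authorize(self, user, context_ok, device, operation, now):
        # Default deny: the first failed check is the reason; every decision is logged.
        live = [g for g in self.grants
                if g.user == user and g.device == device and g.start <= now < g.end]
        checks = [(device in self.quarantined, "device quarantined"),
                  (not context_ok, "user/device context check failed"),
                  (not live, "no active just-in-time grant"),
                  (not any(operation in g.operations for g in live), "operation out of scope")]
        reason = next((why for failed, why in checks if failed), "allowed")
        self.audit.append((now, user, device, operation, reason))
        return reason == "allowed"

    def observe_flow(self, device, dst, now):
        # A flow outside the device's baseline quarantines it and revokes its grants.
        if dst in self.baseline.get(device, set()):
            return False
        self.quarantined.add(device)
        self.grants = [g for g in self.grants if g.device != device]
        self.audit.append((now, device, device, f"flow to {dst}", "quarantined"))
        return True

def demo():
    # Constructed sample data: hypothetical engineer, DSLAM and RFC 5737 addresses.
    t0, dev, eng = datetime(2026, 2, 11, 9, 0), "dslam-cab-17", "vendor-eng-01"
    gw = Gateway(baseline={dev: {"192.0.2.10"}})
    gw.grants.append(Grant(eng, dev, frozenset({"show-config"}), t0, t0 + timedelta(hours=1)))
    at = lambda m: t0 + timedelta(minutes=m)
    before = [gw.authorize(eng, True, dev, "show-config", at(5)),      # in scope, in window
              gw.authorize(eng, True, dev, "firmware-write", at(6)),   # outside granted scope
              gw.authorize(eng, False, dev, "show-config", at(7))]     # context check failed
    tripped = gw.observe_flow(dev, "198.51.100.7", at(10))             # not in baseline
    after = gw.authorize(eng, True, dev, "show-config", at(12))        # quarantined now
    return before, tripped, after, [entry[-1] for entry in gw.audit]
```

The audit trail returned by `demo()` records the reason for every decision, including the quarantine event that revoked the vendor engineer's grant.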

 

*Diagram ("Users access Services"): placement of a Zero Trust firewall to isolate legacy telco in the access network, and therefore improve network security

Conclusion


In conclusion, if you need to protect legacy telecom equipment - or simply strengthen your existing telecom control network against AI‑driven threats and stricter compliance requirements - you can achieve substantial risk reduction by adopting Zero Trust firewalls that have already been proven in other OT industries.

Want more information on how ZT Solutions can help consult, design and implement zero trust security controls and architectures for your legacy estate? 

 

 
