EXPETO IMPLEMENTATION: Security Considerations Prepared by the Expeto Security Team

Page created by Ian Keller
 
                                       WWW.EXPETO.IO
OVERVIEW
As organizations approach digital transformation and attempt to manage different kinds
of “things” or devices, and to provide access to different kinds of mobile workers over cellular
networks, they must ask themselves several key questions:
      • Does your organization care about its digital data?
      • Is your organization’s data truly secure? Do you control the entire data path from the
         device to your corporate network?
      • Is your organization a multinational entity subject to data regulations?

For example, unsecured SCADA devices can result in dangerous holes in corporate security.
Being unable to track where data travels and is collected can leave your business exposed
to powerful new privacy regulations such as GDPR. Simply trying to manage these risks
with the tools provided by existing cellular networks can result in significant operational and
capital costs.

This white paper explains the security controls inherent with the worldwide standard commonly
referred to as “LTE” (Long-Term Evolution) developed by the 3rd Generation Partnership
Project (3GPP). This document then describes additional security controls that Expeto adds
to deliver a secure, wireless, worldwide private networking solution “over” LTE (private radio
networks or MNO/carrier RF networks).

Based on the Evolved Packet Core (EPC), the Expeto Wireless solution makes cellular
communication seamless, allowing businesses to manage, control and secure private data
on any cellular network.


        PURPOSE
        Enterprise architects will be able to explain to their internal stakeholders:

              • Why secure 4G LTE is foundational enabling technology that is critical
                  to business transformation.
              • How Expeto’s Private LTE Networking solution makes LTE adoption
                  Flexible, Agile, Secure and Transparent (FAST).

        WHO SHOULD READ THIS DOCUMENT
        Specifically, security architects who must provide informed counsel to
        CISO, CIO, CTO, CFO and whoever champions innovation and business
        transformation within an Enterprise should review this document.

TABLE OF CONTENTS

Overview                                                 i

Introduction: LTE, Expeto and Business Transformation    1

Overview of LTE Architecture                            3

Expeto Deployment and Security Implementation            7

Security Recommendations                                9

Expeto Security Threat Mitigation                       11

Real-World Applications of the Expeto Solution          13

Appendix:
     Appendix I: Threat Risk Assessments                18

     Appendix II: 2G, GSM and 3G Security               21

     Appendix III: Glossary                             23

Bibliography                                            26
INTRODUCTION: LTE, EXPETO AND BUSINESS TRANSFORMATION

                              This paper is an overview of Expeto’s solution from a security perspective, explaining:

                                    • Security controls inherent with the 3GPP’s worldwide LTE standard
                                    • Additional security controls provided by the Expeto solution that deliver a
                                        secure, wireless, worldwide private networking solution over LTE
                                    • Expeto implementation
                                    • Security considerations
                                    • Basic practical applications of the Expeto solution

                              First, we’d like to review why the LTE (Long-Term Evolution) wireless standard
                              is important for businesses, and the security implications of deploying the
                              Expeto solution.

                              ENTERPRISES, THE INTERNET OF THINGS AND
                              BUSINESS TRANSFORMATION
Global enterprises aspire to be part of the Internet of Things (IoT). By deploying
everything from tablets and machinery with built-in sensors to Augmented
Reality (AR) devices that allow equipment to be fixed with enhanced real-time
information, Enterprises can seize business opportunities while cutting downtime
and reducing costs.

Businesses rely on LTE (data delivery provided by cellular providers, or over their own
private radio networks) to make this transformation happen.

                              With the evolution of 3rd Generation Partnership Project (3GPP) standards from
                              2G/3G to 4G LTE (and soon 5G), we now have a truly worldwide secure wireless
                              protocol (and Enterprise-friendly TCP/IP).


                                         SECURE ALL BUSINESS COMMUNICATIONS WITH
                                         A SINGLE WORLDWIDE SOLUTION
With traditional private LTE networking solutions offered by wireless providers,
Enterprises must accept a one-size-fits-all solution with little flexibility or control.
In contrast, Expeto takes advantage of the 3GPP standard to provide a disruptive
solution that turns the tables and puts the security and control back in the hands of
the Enterprise.

Expeto supports security efforts by producing logs that can be consumed by enterprise
SIEM applications. Moreover, Expeto provides secure technologies to typically
insecure IoT and edge computing devices.

                                         Essentially, the Expeto solution offers private networking leveraging cellular security.

                                         Using the Expeto solution results in the convergence of Information Technology
                                         (IT), Operational Technology (OT), and the Internet of Things over LTE which
                                         allows you to secure all communications with a single worldwide solution that
                                         provides the enterprise Flexibility, Agility, Security and Transparency (FAST).
                                               • You control the device, via the Expeto/Customer SIM.
                                               • You control the LTE network EPC switch.
                                               • You have complete control and visibility of the device, the network path and
                                                   the data.
                                               • You can easily and securely deploy IoT devices and Connected Workers.

                                         The Expeto solution enables the “enablers” and “innovators” within the Enterprise
                                         to unlock untapped opportunities in the rapid pace of Digital Transformation of
                                         corporations using Data, Automation, Machine Learning and Artificial Intelligence.

                                         Most importantly, Expeto mitigates risks while allowing Enterprises to scale
                                         their business.

OVERVIEW OF LTE ARCHITECTURE

Expeto’s solution provides businesses with secure, scalable, private networking so that data can be
managed and controlled over any LTE cellular network. A basic understanding of how LTE works
will help the reader explore security questions around cyber security attack vectors.

WHY LTE AND NOT WI-FI?
Currently, many Enterprises rely on industrial Wi-Fi to connect different kinds of “things”
and devices, and to provide access to different kinds of mobile workers over public cellular
networks. However, Wi-Fi causes many challenges and security risks for businesses
embarking on business transformation.

As a replacement or adjunct for Wi-Fi, emerging wireless standards are still not mature compared
to what 3GPP can offer; many of these standards are unlicensed, which introduces more security
threat vectors as well as overall performance and power considerations.

In contrast, LTE traffic is carried over a dedicated encrypted connection channel from the device to
the radio, and from the device to the EPC software. Wi-Fi is over a shared network where
others can sniff and view packets in the clear. For example, users sitting at a Starbucks in the food
court are broadcasting their traffic to everyone; even with home Wi-Fi networks, the ISP is
routing that traffic over the internet where hackers can attack.

The technical equipment needed to sniff and hack into an LTE network is far more complex
than what is required for Wi-Fi networks. Hackers typically will opt for the path of least
resistance, and so they focus their efforts on Wi-Fi vulnerabilities, rather than hardened
LTE networks.

While traffic over Wi-Fi can be made secure, the challenge is more complex and requires layers of
security software and controls such as VPNs, RSA tokens, Multi Factor Authentication (MFA)
and other techniques.

With Expeto’s Private LTE Networking, the complexity and associated costs (hardware,
software, IT staff to maintain and operate) of securing Wi-Fi are eliminated.


LTE COMPATIBILITY WITH EVOLVING 3GPP STANDARDS
LTE is a standard for high-speed wireless communication for mobile devices and data
terminals, based on the GSM/EDGE and UMTS/HSPA technologies. As a wireless interface, LTE
operates on a separate radio spectrum from its predecessor 2G and 3G networks. Compared to
2G and 3G, LTE offers faster upload and download speeds, and IP-based communication.

With the recent rise of IoT/IIoT devices, the entire industry has evolved yet again with
CAT-M1, NB-IoT and 5G, which are all based on the LTE technology protocols. Being based on
LTE means all of these protocol standards are fully compatible with the Expeto EPC
software solution.

Expeto builds upon the inherent functionality and security of LTE as defined by 3GPP.


                     SECURITY, CONNECTIONS AND TRAFFIC WITHIN THE
                     LTE STANDARD
                     As mobile networks standards have evolved over time, security controls have also been greatly
                     improved with 4G and will be even stronger with 5G.

                     Basic Architecture of the LTE Protocol Standard
User data sent from the User Equipment (UE) to the corporate network is ‘tunneled’ using
the GPRS Tunneling Protocol (GTP) and is supported by the SCTP (Stream Control Transmission
Protocol) protocol, which provides increased reliability. The data is protected, signed and verified
to guarantee message integrity.

High-level Cellular Network (figure): UE — E-UTRAN — EPC — Corporate Network

                     Connections and Traffic
                     From a cybersecurity perspective, it is imperative to know the data path through the radio network
                     E-UTRAN from end device to the corporate IP network. This is because an unknown data path could
                     impact regulatory obligations, routing costs and unintended 3rd-party access to data packets.

LTE Network Architecture (figure): UE — E-UTRAN (eNodeBs) — EPC (MME, HSS, SGW, PGW, PCRF) — Corporate Network

                     The data path from the UE to the Corporate IP network is ‘tunneled’ over the network, acting much
                     like a VPN. The data packets exit the EPC at the Packet Gateway (PGW) component, entering the
                     corporate network.


CONTROL SIGNALING AND USER DATA IN LTE ARCHITECTURE
The traffic spans from the UE (mobile device) to the EPC across two types of TCP/IP traffic that
traverse the network: Control signaling and User data.

Both planes traverse the same RF connection but go to different endpoint components within the
Expeto EPC.

Control Plane Overview
      • Control Plane signaling occurs using the eNodeB, MME and HSS EPC components and is
         responsible for the establishment of a connection between the UE and the core network.
      • Traffic on the Control Plane is encrypted between the UE and the eNodeB and MME
         components and is separate from the User Plane traffic.
      • The SIM card on the device holds the crypto/encryption keys for the Control Plane traffic.
      • When a device attempts to connect to the network, it establishes a handshake with an
         eNodeB, and sends its IMSI in the Control Plane signaling.
      • The component controls the security and authentication of the device onto the network.
      • The eNodeB queries the MME to see if this device is allowed on the network.
      • The MME reaches back to its HSS (Home Subscriber Server), which stores the security
         information associated with this device/IMSI.
      • If it is allowed onto the network, then a connection between the eNodeB and SGW
         (Serving Gateway) is allowed along the User/Data plane.

User Plane Overview
      • User/Data Plane signaling occurs using the eNodeB, SGW and PGW EPC components.
      • Traffic on the User Plane is encrypted between the UE and the SGW component and is
         separate from the Control Plane traffic.
      • The SIM card on the device holds the crypto/encryption keys for the User Plane traffic.
      • The SGW is the router between the eNodeB networks and the PGW. It carries the User
         Plane traffic.
      • The PGW allocates IP addresses to the UEs (like a NAT server) and routes traffic between
         the eNodeB networks and the IP network (Corporate).

FOR MORE READING...
In order to fully appreciate all the security controls built into the 4G LTE architecture, a
detailed understanding is required. This section only provides a high-level overview and the
reader is encouraged to review more detailed information as provided by NIST in their “NIST
Guide to LTE Security” found at this link:
https://csrc.nist.gov/publications/detail/sp/800-187/final
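The attach sequence in the two lists above (UE sends its IMSI to the eNodeB, the eNodeB asks the MME, the MME reaches back to the HSS, and only then is a user-plane bearer opened through the SGW) is easier to reason about as a small model. The following Python is an added example written for this edition of the paper; it is not Expeto code and not a 3GPP implementation. It stands in HMAC-SHA256 for the Milenage functions a real USIM/HSS pair uses, and the key labels, class names and test identifiers are all constructed for illustration. What it shows is the security property the text relies on: the SIM never discloses its key, the MME accepts only a correct challenge response derived from the key the HSS holds for that IMSI, and an unknown IMSI or a wrong key never reaches the user plane.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical derivation labels: a real USIM/HSS pair uses the 3GPP Milenage
# functions, not HMAC-SHA256. This stand-in keeps the structure, not the crypto.
RES_LABEL = b"RES"
KASME_LABEL = b"KASME"


def _derive(k: bytes, label: bytes, rand: bytes, length: int) -> bytes:
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:length]


@dataclass
class Sim:
    """The SIM/USIM in the UE: holds the IMSI and the shared secret K."""
    imsi: str
    k: bytes

    def compute_res(self, rand: bytes) -> bytes:
        # The SIM only answers the network's challenge; K never leaves it.
        return _derive(self.k, RES_LABEL, rand, 8)


class Hss:
    """Home Subscriber Server: the register of IMSIs and their secrets."""
    def __init__(self, rand_source: Callable[[int], bytes] = secrets.token_bytes):
        self._subscribers: Dict[str, bytes] = {}
        self._rand_source = rand_source  # injectable so the flow can be tested deterministically

    def provision(self, imsi: str, k: bytes) -> None:
        self._subscribers[imsi] = k

    def authentication_vector(self, imsi: str) -> Optional[Tuple[bytes, bytes, bytes]]:
        """Return (RAND, XRES, KASME) for a provisioned IMSI, else None."""
        k = self._subscribers.get(imsi)
        if k is None:
            return None
        rand = self._rand_source(16)
        return rand, _derive(k, RES_LABEL, rand, 8), _derive(k, KASME_LABEL, rand, 32)


class Sgw:
    """Serving Gateway: opens a user-plane bearer only when the MME instructs it."""
    def __init__(self) -> None:
        self.bearers: List[str] = []

    def create_bearer(self, imsi: str) -> str:
        bearer_id = f"bearer-{len(self.bearers) + 1}-{imsi[-4:]}"
        self.bearers.append(bearer_id)
        return bearer_id


@dataclass
class AttachResult:
    attached: bool
    reason: str
    bearer: Optional[str] = None
    kasme: Optional[bytes] = None  # session key root handed to the eNodeB/MME on success


class Mme:
    """Mobility Management Entity: decides whether a device may attach."""
    def __init__(self, hss: Hss, sgw: Sgw) -> None:
        self.hss, self.sgw = hss, sgw
        self.log: List[str] = []  # lines of the kind a SIEM would ingest

    def attach(self, imsi: str, answer_challenge: Callable[[bytes], bytes]) -> AttachResult:
        vector = self.hss.authentication_vector(imsi)
        if vector is None:
            self.log.append(f"ATTACH REJECT imsi={imsi} reason=unknown-subscriber")
            return AttachResult(False, "unknown IMSI")
        rand, xres, kasme = vector
        res = answer_challenge(rand)  # challenge and response travel on the control plane
        if not hmac.compare_digest(res, xres):
            self.log.append(f"ATTACH REJECT imsi={imsi} reason=auth-failure")
            return AttachResult(False, "authentication failed")
        bearer = self.sgw.create_bearer(imsi)  # user plane is opened only after success
        self.log.append(f"ATTACH ACCEPT imsi={imsi} bearer={bearer}")
        return AttachResult(True, "attached", bearer, kasme)


class Enodeb:
    """Radio node: relays the attach request to the MME and makes no decision itself."""
    def __init__(self, mme: Mme) -> None:
        self.mme = mme

    def attach_request(self, sim: Sim) -> AttachResult:
        return self.mme.attach(sim.imsi, sim.compute_res)  # IMSI sent in control-plane signaling


def demo_attach(rand_source: Callable[[int], bytes] = secrets.token_bytes):
    """Three attach attempts: the provisioned SIM, a clone with the wrong K, an unknown IMSI.
    IMSIs and keys below are constructed test values (test PLMN 001-01), not real subscribers."""
    hss = Hss(rand_source)
    hss.provision("001010123456789", b"\x11" * 16)
    enb = Enodeb(Mme(hss, Sgw()))
    good = enb.attach_request(Sim("001010123456789", b"\x11" * 16))
    wrong_key = enb.attach_request(Sim("001010123456789", b"\x22" * 16))
    unknown = enb.attach_request(Sim("001019999999999", b"\x11" * 16))
    return good, wrong_key, unknown


if __name__ == "__main__":
    for result in demo_attach():
        print(result.attached, result.reason, result.bearer)
```

The point to take from the model is where the decision sits: the eNodeB forwards, the MME decides, and the SGW acts only on the MME's instruction, so a device that fails authentication never obtains a bearer and never touches the corporate IP path behind the PGW.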

EXPETO DEPLOYMENT & SECURITY IMPLEMENTATION

                              Enterprise customers have cybersecurity policies and standards that solutions
                              must adhere to in order to protect company digital assets. Expeto’s Private LTE
                              Networking solution introduces a new external network entering the Enterprise
                              that must be analyzed to understand the security controls and any required threat
                              mitigation strategies.

                              Inherent to 4G LTE standards (as defined by 3GPP), the data is already protected,
                              signed, verified, encrypted and authenticated end-to-end, from UE device to
                              Expeto EPC:
                                    • Control Plane traffic from UE SIM to the radio network (eNodeB) and
                                       Serving Gateway/Mobility Management Entity (SGW/MME) is encrypted.
                                    • Data Plane traffic from UE SIM to Expeto Serving Gateway/Data Network
                                       Gateway (SGW/PGW) is two-way authenticated and encrypted.

                              In both cases, the egress into the Corporate Business Network would typically
                              enter via a protected “Trusted Business Partner”-type DMZ network with all the
                              expected perimeter and cyber security controls that any other external network
                              would go through.

                              The result is that all the Enterprise data is fully protected in a private cellular
                              network from the device right to the PGW component which is the egress into the
                              Corporate TCP/IP network.

                              The security implications of the Expeto deployment include
                                    • No software or hardware VPN is required
                                    • No complicated routing and configuration
                                    • No RSA tokens

Since the customer controls the device SIM and network elements (EPC), only
Expeto/Customer devices (SIMs) are allowed to attach to the network. This can
be enforced using a polling/monitoring solution that confirms the SIM in each IoT
device is unchanged; if it has changed, the enterprise security team can be alerted.


                               EXPETO DEPLOYMENT
                               With Expeto’s Private LTE Networking solution, customers for the first time have full end-
                               to-end control of their data path from the device to their corporate network. The following
                               diagram outlines a typical deployment with the Expeto EPC deployed within the Customer
                               data center/network:

Expeto Deployment Architecture (figure). Labels: Corporate Network Remote (IT and OT devices;
Private RAN; Expeto EPC: SGW, MME, HSS, PGW, PCRF); Public MNO Network (IT and OT devices;
MNO EPC: SGW, MME); IPX Network; Corporate Network HQ (Expeto EPC: HSS Proxy; Expeto EPC:
PCRF, PGW; IT Subnet; OT Subnet; Internet).

                               The diagram illustrates both a truly private RAN which may be deployed at an industrial
                               location such as mining or oil and gas facilities, as well as connected workers on a national
                               MNO/Carrier network.

                               EXPETO EMPOWERS THE ENTERPRISE
                               Private LTE Networking allows the enterprise to gain visibility and real time network controls
                               without time consuming interaction or reliance on third party expertise. The private cellular
                               service is composed of several system instances. Each system contains independent functions
                               expected within the EPC core including: HSS, MME, SGW, PCRF, PGW.

                               The previous diagram highlights PGW breakout for simplicity. Separation of concerns among
                               functional and business unit boundaries is essential for operational security.

                               Taking into consideration the explanations in this paper, one can see that although the Expeto
                               EPC resides behind and inside the corporate network, the inherent security controls of the
                               3GPP/LTE protocol provide a simplified and higher level of security compared to Wi-Fi.

Standardizing on a global Private LTE Networking solution reduces loaded cost and
complexity. Most solutions offer only MNO roaming or a localized network in a box.

                               Expeto is among the few subscription-based Private LTE Networking platforms to
                               offer connectivity to both MNO and private RAN globally with a single solution under
                               Enterprise control.

SECURITY RECOMMENDATIONS

With Expeto’s solution, the customer is responsible for their own defense-in-depth strategy
and must determine if they still wish to utilize VPNs or other Multi-Factor Authentication
mechanisms. This choice really depends on the classification and nature of the data being
transported.

RECOMMENDED STANDARD IT SECURITY PRACTICES
As well, some EPC elements can be run on customer supplied infrastructure that is out of
direct control of Expeto. Expeto recommends and expects customers to implement standard IT
security practices for the prevention and detection of threats, such as:
      • Network Perimeter Intrusion Detection Systems
      • Security Information Event Monitoring
      • O/S hardening

Implement Default Behavior
Expeto controls the EPC and as such can implement some default behavior in order to
improve the security posture of the entire network and system:
      • Force LTE connections only and don’t fall back to unsecure 2G/3G networks
      • Force/enable Control Plane traffic encryption
      • Force/enable User Plane traffic encryption

Implement Additional Defense-in-Depth
In addition to the default security profile, additional ‘defense in depth’ measures can also
be implemented:
      • Use of SIM PIN code (common practice with IIoT devices)
      • Mapping of IMEI (hardware device) to SIM (token) in the HLR/HSS register
      • Use 3rd party ‘over the top’ encryption (may be overkill)
      • Encrypt eNodeB to EPC (S1) interface for private RAN deployments (see
         Backhaul protection)
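The three default behaviors above (LTE only, control-plane encryption, user-plane encryption) are the kind of thing that silently regresses when a profile lists a 2G/3G radio access type "for compatibility" or keeps the 3GPP null algorithms EEA0/EIA0 in an allowed list. The following Python is an added example, not Expeto's configuration format or tooling: the profile dictionary layout and key names are assumptions made for illustration, while the radio access type names (E-UTRAN for LTE, UTRAN for 3G, GERAN for 2G) and the algorithm identifiers (EEA0/EIA0 null, EEA1-3/EIA1-3 real) are the standard 3GPP ones. It audits a weak profile against the three defaults and produces the hardened form beside it.

```python
from typing import Dict, List

LTE_ONLY = {"E-UTRAN"}          # the only radio access type the defaults allow
NULL_CIPHER = "EEA0"            # 3GPP null ciphering: traffic passes in the clear
NULL_INTEGRITY = "EIA0"         # 3GPP null integrity: no tamper detection
SAFE_CIPHER = "EEA2"            # AES-based ciphering, used when a list would otherwise be empty
SAFE_INTEGRITY = "EIA2"
CIPHER_KEYS = ("nas_ciphering", "as_ciphering")      # NAS: UE-MME signaling; AS: radio bearers
INTEGRITY_KEYS = ("nas_integrity", "as_integrity")

# Constructed weak profile (layout is an assumption for this example):
# fallback to 3G/2G is allowed and null algorithms are permitted on both planes.
WEAK_PROFILE: Dict[str, List[str]] = {
    "allowed_rats": ["E-UTRAN", "UTRAN", "GERAN"],
    "nas_ciphering": ["EEA0", "EEA2"],
    "nas_integrity": ["EIA2", "EIA0"],
    "as_ciphering": ["EEA0"],
    "as_integrity": ["EIA2"],
}


def audit_profile(profile: Dict[str, List[str]]) -> List[str]:
    """Return one finding per violated default; an empty list means the profile passes."""
    findings: List[str] = []
    fallback = set(profile.get("allowed_rats", [])) - LTE_ONLY
    if fallback:
        findings.append(
            f"allowed_rats permits fallback to {sorted(fallback)}; restrict to E-UTRAN only")
    for key in CIPHER_KEYS:
        algs = profile.get(key, [])
        if not algs or NULL_CIPHER in algs:
            findings.append(f"{key} allows null ciphering ({NULL_CIPHER}); traffic may be sent in the clear")
    for key in INTEGRITY_KEYS:
        algs = profile.get(key, [])
        if not algs or NULL_INTEGRITY in algs:
            findings.append(f"{key} allows null integrity ({NULL_INTEGRITY}); signaling could be tampered with")
    return findings


def harden(profile: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy of the profile with the three defaults enforced; the input is left untouched."""
    fixed = {k: list(v) for k, v in profile.items()}
    fixed["allowed_rats"] = sorted(LTE_ONLY)
    for key in CIPHER_KEYS:
        kept = [a for a in profile.get(key, []) if a != NULL_CIPHER]
        fixed[key] = kept or [SAFE_CIPHER]
    for key in INTEGRITY_KEYS:
        kept = [a for a in profile.get(key, []) if a != NULL_INTEGRITY]
        fixed[key] = kept or [SAFE_INTEGRITY]
    return fixed


if __name__ == "__main__":
    for finding in audit_profile(WEAK_PROFILE):
        print("FINDING:", finding)
    print("hardened:", harden(WEAK_PROFILE))
```

Running the audit on the weak profile reports four findings (fallback RATs, null ciphering on both NAS and AS, null integrity on NAS); running it on `harden(WEAK_PROFILE)` reports none. The check deliberately treats an empty algorithm list as a failure too, since a profile that names no algorithm is not evidence that encryption is enforced.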

BACKHAUL (S1) PROTECTION
The backhaul network is the network connection between the eNodeB radio
network and the EPC elements (SGW/PGW) and runs over what is called the ‘S1’
interface. IP traffic is managed using the GTP and SCTP tunneling protocols.

                                       This traffic should be protected and encrypted. This can be established using a
                                       variety of methods from software encryption/tunneling to hardware encryption
                                       devices. The endpoint within the customer network (typically in a business/partner
                                       DMZ zone) is referred to as the Security Gateway (SEG).
                                             • For public/macro networks connecting to the Expeto Partition Aware Proxy
                                                (EPAP) component (located in the Amazon AWS cloud for example), it
                                                is essential that a secure connection be established using the preferred
                                                method from the customer (IPsec or physical cross connect for example).
                                             • For a private RAN (P-RAN) deployment, the customer can decide if the
                                                underlying network infrastructure is sufficient, or if additional network
                                                security (AES/IPsec) is required.

MULTI-FACTOR AUTHENTICATION (MFA)
From an MFA perspective, confirming that the connecting device is authenticated
and is an Enterprise asset can be accomplished by mapping the IMEI and IMSI
numbers to the device, in conjunction with any local device user authentication that
the Enterprise security policy enforces.

The basic elements of MFA include:

Knowledge (something the user and only the user knows)
      • The user’s local login to the device, or login to the corporate ‘network’ via an SSO
        solution such as Microsoft ADFS or Okta. This can also be strengthened by
        enforcing a PIN on the SIM so that no ‘SIM swapping’ can occur. This is
        common practice with Industrial IoT devices that have no user interface to log in to.

Possession (something the user and only the user has)
      • The Expeto/Customer SIM

Inherence (something the user and only the user is)
      • Depending on the level of security and the device capabilities, this could be
        a fingerprint scan or retinal recognition.

EXPETO SECURITY THREAT MITIGATION
Expeto’s solution has complete control of the SIM (UICC) in the User Equipment (UE)
device as well as the core network software elements (EPC – Evolved Packet Core)
components (SGW, MME, HSS, PGW).

This allows Expeto to manage security policy in both the Control Plane and the User Plane,
and to dynamically route traffic to separate EPC instances or corporate networks for
separation of duties/networks.

Therefore, Expeto mitigates risk in the following ways:

SECURITY THREAT/RISK: 2G and 3G networks have considerable security vulnerabilities.
EXPETO MITIGATION: Expeto forces ‘true’ 4G LTE connections only. No ‘fallback’ or
‘downgrade’ to 2G/3G is allowed.

SECURITY THREAT/RISK: Any LTE device will attach to the radio network and automatically
be ‘on’ the corporate network.
EXPETO MITIGATION: Only authenticated Expeto/Customer SIMs and devices are allowed on
the network.

SECURITY THREAT/RISK: Users will swap SIMs between devices and get ‘on’ the corporate
network.
EXPETO MITIGATION: This is prevented via control of the SIM and its mapping to a specific
hardware device via the IMEI. The HSS component houses this information.

SECURITY THREAT/RISK: Devices will be lost or stolen, so ‘any’ user can get onto the
corporate network.
EXPETO MITIGATION: The person who ‘found’ the device would first have to be able to
authenticate locally on the device. Most corporate devices (phones, tablets, laptops)
should enforce local MFA security policies to prevent unauthorized local access to the
device. If a device is lost, once notified, IT security can disable/block the SIM
immediately, either through a Service Request or directly via the REST API or the GUI.
The bigger concern may be the lost device itself rather than access to the network,
which has its own layer of security controls in front of corporate apps/resources.

SECURITY THREAT/RISK: EPC runs on commodity hardware infrastructure.
EXPETO MITIGATION: Expeto relies on the customer’s security practices to harden their
server and network infrastructure.

SECURITY THREAT/RISK: Egress into the corporate network is from an ‘untrusted’ network
source.
EXPETO MITIGATION: Customers have many network interfaces with business partners and other
‘untrusted’ network sources, which should go through a wide range of ‘defense in depth’
security controls such as IDS (Intrusion Detection Systems), network sniffers, DoS
prevention and network taps/audits, along with other perimeter security controls. Expeto
assumes the entry into the customer network will be into a semi-trusted or Business
Partner DMZ type network zone with appropriate security controls in place, as is done for
all other types of connections.

SECURITY THREAT/RISK: Man in the Middle attacks, including IMSI catching and ‘Stingray
devices’, also known as cell site simulators (they trick cell phones into downgrading to
the weaker 2G/3G standard to easily intercept communications and track the locations of
anyone nearby).
EXPETO MITIGATION: Expeto forces ‘true’ 4G LTE connections only. No ‘fallback’ or
‘downgrade’ to 2G/3G is allowed.

SECURITY THREAT/RISK: SIM swapping.
EXPETO MITIGATION: SIM swapping isn’t new, and to mitigate against it you can simply
enforce that the SIM PIN code be set. If you don’t set the SIM PIN code, we can also
detect whether the SIM matches the device (IMEI).

SECURITY THREAT/RISK: IMSI spoofing.
EXPETO MITIGATION: The IMSI number on the SIM is only sent during the first attachment
request. Subsequent requests use a Temporary Mobile Subscriber Identity (TMSI), which
rotates on a timed schedule. Since you control the core, you can define how often you want
to ‘rotate’ the TMSI, so even if someone did happen to catch the original attachment
request and grab the IMSI, it will be rotated on the next schedule.

SECURITY THREAT/RISK: IMEI spoofing.
EXPETO MITIGATION: Since Expeto controls the core, we can detect whether the IMEI matches
the SIM (IMSI). If not, we reject the connection or send out a notification.
               |   Security Considerations                                                                                          12
REAL-WORLD APPLICATIONS OF THE EXPETO SOLUTION
Emerging private LTE technologies provide broadband data capabilities with
mobility and roaming, SIM-based security and other features to support
connectivity for Internet of Things devices and human end users.

Expeto’s solution allows Enterprises to view all their “things” on a single “pane of
glass”, no matter where in the world these assets are located or which regional or
private cellular network provides connectivity.

In each case, businesses enjoy complete security over their devices and data,
over any public cellular network in the world.

FLEET MANAGEMENT
For enterprises that rely on transportation as part of their business, fleet
management helps them reduce and mitigate risks associated with vehicle
investment, improving efficiency and productivity while reducing overall
vehicle, transportation and staff costs.

                                  For example, smart cities are using asset tracking for waste management purposes
                                  by giving garbage collectors the most efficient routes to collect the buildup of
                                  waste in urban environments. Shipping services also use real time traffic feeds
                                  and efficiency algorithms to deliver more packages more efficiently, with less wear
                                  and tear on drivers and on vehicles.

                                  Asset tracking
                                  According to a study by Infosys and the Institute for Industrial Management at
                                  Aachen University, 85% of manufacturing companies globally are aware of asset
                                  efficiency practices, but only 15% of those surveyed have implemented such
                                  measures with a technological systemic approach.

                                  Asset tracking allows the Enterprise to easily locate and monitor key assets,
                                  including along the supply chain (e.g. real time analysis of raw materials, final
                                  products and containers) to optimize logistics, manage inventory levels and
                                  prevent quality issues and detect theft.

                                  For example, in maritime shipping, sensors help track the location of a ship at sea
                                  and can provide the status and temperature of individual cargo containers. When
                                  temperatures differ from the optimal mark, crew can be notified and conduct repairs.

                                         OIL & GAS
                                         The ongoing “digitization” of the oil and gas industry is leading to adoption of
                                         machine learning, artificial intelligence and automation. Worker safety is improved,
                                         operational expenses are reduced, and new business opportunities are unlocked.

                                         Expeto makes IoT deployment scalable and secure, at very low cost.

Pipeline and Refinery Monitoring
A single pump failure can cost as much as $300,000 a day in lost production. Using
devices and sensors connected over LTE to monitor more key points and pipeline
equipment more accurately, at less cost, just makes sense. Data analytics can identify
new areas of performance improvement, survey potential drilling sites, and pinpoint
exactly when pump and filter replacement will begin to affect performance. And by
providing greater insight about the flow, the refinery can be run at higher capacity.

                                         Operational Optimization
                                         Internal data generated by large integrated oil and gas companies is estimated to
                                         exceed 1.5 terabytes a day. Being able to harness and use that data increases the
                                         efficiency of workflow, supply chain and people management. Sensors relay data
                                         to the cloud, where it can be stored and sent to analysts who can assess current
                                         operations. Added visibility and insight allow oil and gas companies to seamlessly
                                         connect massive operations.

                                         Exploration
                                         The typical survey of a potential drilling site involves monitoring more than one
                                         million readings of seismic waves. These readings help oil producers find new
                                         hydrocarbon deposits, determine new spots for drilling and even find ways to optimize
                                         already-operational rigs. Using robots and sensors to quickly analyze surface and
                                         subterranean environments of potential drilling sites could save millions of dollars.

                                         Equipment Maintenance
                                         Not only does IoT offer the opportunity to automate thousands of wells spread
                                         across regions, it can monitor multiple pieces of equipment per well. Fuel leaks and
                                         theft cost the industry millions in losses each year. Monitoring equipment with
                                         sensors and video cameras results in data that can precisely pinpoint anomalies in
                                         the drilling process. Efficient maintenance can help avoid unscheduled shutdowns,
                                         which cost producers and refiners billions per year in operating costs.

                                         MINING
                                         Mining operations face a number of challenges when it comes to connectivity,
                                         because they often operate in remote areas with little to no cellular
                                         coverage and have complicated network needs — such as being able to extend
                                         communications underground.

                                         According to a Qualcomm white paper on private LTE, mining conglomerate Rio
                                         Tinto of Australia was one of the first large enterprises to use a private LTE network
                                         for commercial operations at scale. Rio Tinto used private LTE to cover 15 mines
                                         and related facilities including transportation hubs and railways. That solution made
                                         use of 1800 MHz spectrum under a special arrangement from local regulators.

                                         Expeto partners with the hardware firms to provide the required private radio
                                         hardware and our EPC allows the enterprise to provision SIMs on demand to their
                                         site’s IIoT systems.

                                         HOSPITALS
                                         Reducing Emergency Room Wait Times
                                         Thanks to some recent ingenuity and the IoT, at least one hospital — Mt. Sinai Medical
                                         Center in New York City — effectively slashed wait times for 50% of their emergency
                                         room patients who need inpatient care.

                                         It’s their partnership with GE Healthcare and new, IoT-driven software, known as
                                         AutoBed, that tracks occupancy among 1,200 units and factors in 15 different
                                         metrics to assess the needs of individual patients. It’s a highly effective system that
                                         highlights some of the more innovative and exciting uses of the IoT.

                                         Ensuring the Availability and Accessibility of Critical Hardware
                                         Modern hospitals require next-gen software and hardware to function — some are
                                         even used to save or sustain human life. Like all electronic devices, this equipment is
                                         prone to numerous risks — from power outages to system failures — that could be a
                                         matter of life or death. A new IoT-driven solution from Philips, called e-Alert, aims
                                         to solve that problem. Instead of waiting for a device to fail, Philips’ new system
                                         takes a proactive approach by virtually monitoring medical hardware and alerting
                                         hospital staff members if there’s a problem. Philips recently unveiled the product
                                         through a collaborative effort with OpenMarket.

SUMMARY
With traditional Private LTE Networking solutions offered by wireless providers,
Enterprises have little to no control over security or IT deployment. In contrast,
Expeto takes advantage of the 3GPP standard to provide a disruptive solution that
turns the tables and puts the security and control back in the hands of the
Enterprises — businesses enjoy complete security over their devices and data,
over any public cellular network in the world.

                                         While Enterprises are still responsible for ensuring defense-in-depth over their
                                         corporate network, LTE and the Expeto solution provide powerful, cost-effective
                                         tools for guaranteeing security.

                                         CONTACT US
                                         If you have any questions about Expeto deployment and
                                         security implementation, please do not hesitate to contact us
                                         at security@expeto.io

                                         www.expeto.io

APPENDIX I: THREAT RISK ASSESSMENTS
Expeto has prepared the following table (based on industry
standard security requirements) to help customers perform any
Threat Risk Assessment when implementing Expeto:

THREAT / CONTROL: Devices attached to a zone are authorized.
EXPETO RESPONSE: Authorization onto the network is controlled via the Expeto/Customer SIM
and hardware device IMEI mapping. If the SIM is not valid and active, or if the SIM does
not match the device, then no access is granted.

THREAT / CONTROL: Interfaces with other zones are authorized.
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies
on the customer IT networking and security practices and systems such as IDS, IPS and
firewalls. Once on the customer enterprise network, this type of control falls under the
regular firewall and routing rules and policies, as for any other corporate VLAN(s).

THREAT / CONTROL: Entry points are defined.
EXPETO RESPONSE: Entry into the corporate network is via the Expeto EPC ‘PGW’ component,
which runs on the Expeto EPC server (which the customer has control of). Expeto recommends
that the egress into the customer network be into a “Trusted Partner Zone”, which supports
directly connected services with highly trusted partners. This Zone can be viewed as a
logical extension of internal Zones to trusted organizations external to the customer’s
internal network zones.

THREAT / CONTROL: Boundary devices are hardened against attack.
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies
on the customer to implement appropriate hardware device security hardening. Enforcing a
PIN on the SIM is one way to add another layer of ‘defense in depth’ and is another MFA
factor.

THREAT / CONTROL: Network traffic is filtered at entry points.
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies
on the customer networking and security practices and systems such as IDS. Once on the
customer enterprise network, this type of control falls under the regular firewall and
routing rules and policies, as for any other corporate VLAN(s).

THREAT / CONTROL: Network traffic is monitored at entry points.
EXPETO RESPONSE: Out of Expeto’s control; Expeto provides Layer 2 transport. Expeto relies
on the customer networking and security practices and systems such as IDS. Once on the
customer enterprise network, this type of control falls under the regular firewall and
routing rules and policies, as for any other corporate VLAN(s).

THREAT / CONTROL: Encrypted network traffic is inspected for malware, phishing attacks, and
other security considerations at entry points.
EXPETO RESPONSE: Out of Expeto’s control; Expeto is only Layer 2 transport. Expeto relies
on the customer networking and security practices and systems such as IDS. Once on the
customer enterprise network, this type of control falls under the regular firewall and
routing rules and policies, as for any other corporate VLAN(s).

THREAT / CONTROL: Authorized user-authentication techniques are employed.
EXPETO RESPONSE: MFA is already incorporated into LTE. From a Multi-factor authentication
(MFA) perspective, ensuring the connecting device is authenticated and is an Enterprise
asset can be confirmed by mapping the IMEI and IMSI numbers to a device, in conjunction
with any local device user authentication that the Enterprise security policy enforces.
In summary:
      • IMSI to IMEI mapping can be enforced
      • SIM PINs can be enforced
      • Knowledge (something the user and only the user knows): the user’s local login to
        the device, or login to the corporate ‘network’ via an SSO solution such as
        Microsoft ADFS or Okta.
      • Possession (something the user and only the user has): the Expeto/Customer SIM.
      • Inherence (something the user and only the user is): depending on the level of
        security and the device capabilities, this could be a fingerprint scan or retinal
        recognition.

THREAT / CONTROL: Privileged access is managed and monitored.
EXPETO RESPONSE: Expeto EPC command, control and administration is controlled with a
role-based access security model. User information is stored locally, with credentials
encrypted. Future integration with LDAP/Active Directory and SAML 2.0 is on the product
roadmap.

THREAT / CONTROL: Authorized change control processes are aligned with change management
standards.
EXPETO RESPONSE: Expeto will follow the customer’s recommended change management process,
but assumes a formal service and support engagement model will be established.

APPENDIX II: 2G, GSM AND 3G SECURITY

In comparison to LTE, GSM is an older, more vulnerable protocol; hence we
advocate LTE.

MAIN SECURITY ISSUES FOR 2G
      • It is possible to avoid eavesdropping and cloning due to the use of
        encryption and authentication.
      • Weaknesses in crypto algorithms (A3 algorithm for authentication, A5
        algorithm for encryption, A8 algorithm for key generation) that were not
        submitted to peer review due to nondisclosure.
      • GSM only authenticates the user to the network and not vice versa. The
        security model, therefore, offers confidentiality and authentication, but
        limited authorization capabilities, and no non-repudiation. GSM uses
        several cryptographic algorithms for security. The A5/1 and A5/2 stream
        ciphers are used for ensuring over-the-air voice privacy. Both algorithms
        have been exploited:
      • A5/2 is exploitable with a real-time ciphertext-only attack.
      • A5/1 with a rainbow table attack.

                                         MAIN SECURITY ISSUES FOR GSM
                                             • Communications and signaling traffic in the fixed network are not
                                                protected.
                                             • Does not address active attacks in which network elements (e.g. the
                                                BTS, Base Transceiver Station) are impersonated, since the phone
                                                never authenticates the network.
                                             • Only as secure as the fixed networks to which they connect.
                                             • Lawful interception was only considered as an afterthought.
                                             • Terminal identity (the IMEI) cannot be trusted.

                                        MAIN SECURITY ISSUES FOR 3G
                                            • Eavesdropping: An intruder intercepts messages without detection.
                                             • Masquerading: An intruder deceives an authorized user into believing that
                                                they are the legitimate system, to obtain confidential information from the
                                                user; or an intruder deceives a legitimate system into believing that they
                                                are an authorized user, to obtain system service or confidential information.
                                            • Traffic analysis: An intruder observes the time, rate, length, source, and
                                               destination of messages to determine a user’s location or to learn whether
                                               an important business transaction is taking place.
                                            • Browsing: An intruder searches data storage for sensitive information.
                                            • Leakage: An intruder obtains sensitive information by exploiting processes
                                               with legitimate access to the data.
                                            • Inference: An intruder observes a reaction from a system by sending a
                                               query or signal to the system. For example, an intruder may actively initiate
                                               communications sessions and then obtain access to information through
                                               observation of the time, rate, length, sources or destinations of associated
                                               messages on the radio interface.
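The one-way authentication weakness in the 2G/GSM list above and the masquerading threat listed for 3G can be made concrete with a small model of the two exchanges. This is an added example, not code from the white paper or from Expeto. It assumes HMAC-SHA256 with a label as a stand-in for the SIM algorithms (A3 for GSM; f1, f2 and f5 for UMTS/LTE AKA); the real algorithms differ, and the key, sequence numbers and message layouts here are constructed for illustration.

```python
"""Added example (not from the white paper): one-way GSM authentication
versus mutual UMTS/LTE AKA, modelled as a toy exchange.

Assumption: HMAC-SHA256 with a label stands in for the SIM algorithms
(GSM A3; UMTS/LTE f1, f2, f5). The real algorithms (COMP128, Milenage)
differ, but the message flow and what each side can verify are the
point. Keys and sequence numbers are constructed values.
"""
import hashlib
import hmac
import os


def kdf(key, label, *parts):
    """Stand-in for the SIM/USIM key functions (assumption, see above)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


# ---- 2G/GSM: the network challenges the SIM; the SIM checks nothing ----
class GsmSim:
    def __init__(self, ki):
        self.ki = ki

    def sres(self, rand):
        return kdf(self.ki, b"A3", rand)[:4]  # 32-bit signed response


def gsm_exchange(sim, network_ki, cipher_cmd):
    """Run the GSM challenge/response from the network's side.

    network_ki is None for a rogue BTS that does not know Ki: it can still
    send RAND, ignore SRES and then issue a Ciphering Mode Command,
    including A5/0 (no encryption), because the phone never authenticates
    the network.
    """
    rand = os.urandom(16)
    sres = sim.sres(rand)
    network_accepted_ue = network_ki is not None and hmac.compare_digest(
        sres, kdf(network_ki, b"A3", rand)[:4])
    return {"network_accepted_ue": network_accepted_ue,
            "ue_verified_network": False,   # no such step exists in GSM
            "cipher": cipher_cmd}           # UE obeys whatever was commanded


# ---- 3G/LTE AKA: the USIM checks AUTN before it answers ----
class MacFailure(Exception):
    pass


class SyncFailure(Exception):
    pass


class Usim:
    def __init__(self, k, sqn=0):
        self.k = k
        self.sqn = sqn  # highest sequence number accepted so far

    def respond(self, rand, autn):
        # AUTN = (SQN xor AK)(6 bytes) || AMF(2) || MAC(8)
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = kdf(self.k, b"f5", rand)[:6]
        sqn_bytes = bytes(a ^ b for a, b in zip(sqn_xor_ak, ak))
        xmac = kdf(self.k, b"f1", sqn_bytes, rand, amf)[:8]
        if not hmac.compare_digest(xmac, mac):
            raise MacFailure("AUTN was not produced with our K")
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:   # real USIMs use a window plus re-sync (AUTS); simplified
            raise SyncFailure("replayed or stale challenge")
        self.sqn = sqn
        return kdf(self.k, b"f2", rand)[:8]  # RES


def aka_exchange(usim, network_k, sqn):
    """Network side of AKA: build (RAND, AUTN), send, check RES.

    A rogue network with the wrong K cannot produce a valid MAC, so the
    USIM refuses before it reveals anything.
    """
    rand = os.urandom(16)
    sqn_bytes = sqn.to_bytes(6, "big")
    amf = b"\x80\x00"
    ak = kdf(network_k, b"f5", rand)[:6]
    mac = kdf(network_k, b"f1", sqn_bytes, rand, amf)[:8]
    autn = bytes(a ^ b for a, b in zip(sqn_bytes, ak)) + amf + mac
    try:
        res = usim.respond(rand, autn)
    except (MacFailure, SyncFailure) as exc:
        return {"ue_accepted_network": False, "reason": type(exc).__name__}
    xres = kdf(network_k, b"f2", rand)[:8]
    return {"ue_accepted_network": True,
            "network_accepted_ue": hmac.compare_digest(res, xres)}


if __name__ == "__main__":
    K = bytes(range(16))          # constructed subscriber key
    ROGUE = bytes(16)             # rogue network's guess at K
    print("GSM, rogue BTS:", gsm_exchange(GsmSim(K), None, "A5/0"))
    usim = Usim(K)
    print("AKA, genuine:", aka_exchange(usim, K, 1))
    print("AKA, rogue:", aka_exchange(usim, ROGUE, 2))
```

In the GSM model the rogue base station never proves anything to the phone, so the phone answers the challenge and then obeys a Ciphering Mode Command for A5/0, leaving the session in cleartext. In the AKA model the USIM recomputes the MAC in AUTN with its own key and refuses with a MAC failure when a network without K tries the same thing; the sequence-number check also rejects a replayed challenge. Real USIMs keep a window of acceptable sequence numbers and a re-synchronisation procedure, which the toy omits.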

APPENDIX III:

GLOSSARY

                                3GPP (3rd Generation Partnership Project)
                                The 3rd Generation Partnership Project is a collaboration between groups of
                                telecommunications standards associations, originally formed to develop globally
                                acceptable specifications for third generation (3G) mobile systems and now also
                                responsible for LTE and 5G. Its specifications underlie the large majority of the
                                mobile telecommunications networks in the world.

                                LTE (Long Term Evolution)
                                Long-Term Evolution (LTE) is the 3GPP standard for high-speed wireless
                                communication for mobile devices and data terminals, evolved from the GSM/EDGE
                                and UMTS/HSPA technologies. 4G is the fourth generation of mobile data technology,
                                as defined by the radio sector of the International Telecommunication Union
                                (ITU-R); LTE is the 3GPP radio technology marketed as 4G.

                                The historical progression of mobile standards is as follows:

                                2G (GSM) -> 2.5G (EDGE) -> 3G (UMTS) -> 3.5G (HSPA) -> 4G (LTE) -> 5G

                                eNodeB/eNB (Evolved Node-B)
                                The radio component of the LTE network. Also referred to as the cellular network
                                ‘base station’; analogous to a Wi-Fi AP (Access Point).

                                EPAP (Expeto Partition Aware Proxy)
                                The network ‘slicing’ software component that sits in front of the EPC and ensures
                                that inbound connection requests are routed, based on the IMSI of the device, to a
                                specific customer network and/or the EPC.

                                EPC (Evolved Packet Core)
                                The Evolved Packet Core comprises the network software elements that are the
                                ‘brains’ of the network, controlling connections, security and the data-plane packets.


                                           E-UTRAN (Evolved Universal Terrestrial Radio Access Network)
                                           The network of eNodeBs. Neighbouring eNodeBs communicate with each other over
                                           the ‘X2’ interface to facilitate handover of mobile devices, including the
                                           transfer of the security context that a handover requires.

                                          GSM (Global System for Mobile communications)
                                          A globally-deployed standardized digital mobile communication system. The
                                          specifications are maintained and developed by 3GPP. See www.3gpp.org for
                                          more information.

                                           GTP (GPRS Tunneling Protocol)
                                           GTP is a group of IP-based protocols used to tunnel subscriber traffic and the
                                           related signaling within GSM/GPRS, UMTS and LTE networks (GTP-U for the user
                                           plane, GTP-C for the control plane). In 3GPP architectures, GTP and Proxy Mobile
                                           IPv6 based interfaces are specified on various interface points.

                                           IMEI (International Mobile Equipment Identity)
                                           IMEI is a 15-digit code (a 16-digit variant, the IMEISV, adds a software version)
                                           that uniquely identifies a mobile handset or modem. The IMEI code can enable a
                                           GSM (Global System for Mobile communication) or UMTS (Universal Mobile
                                           Telecommunications Service) network to prevent a misplaced or stolen phone from
                                           initiating calls.

                                           IMSI (International Mobile Subscriber Identity)
                                           A unique number, usually fifteen digits, that identifies a subscriber on GSM,
                                           UMTS and LTE networks. It is stored on the SIM and is made up of a three-digit
                                           Mobile Country Code (MCC), a two- or three-digit Mobile Network Code (MNC) and
                                           the subscriber number (MSIN).
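The IMSI structure described above, and the EPAP glossary entry's point that inbound requests are steered to a customer network on the basis of the IMSI, can be illustrated with a small parser and routing table. This is an added example and not Expeto's EPAP code; the partition table, partition names and the 310 150 PLMN block with its ten-digit customer sub-range are constructed (001/01 is the 3GPP test PLMN).

```python
"""Added example (not Expeto's EPAP code): splitting an IMSI into its
MCC/MNC/MSIN fields and steering an attach request to a customer
partition by longest IMSI-prefix match.

The partition table, PLMN ids and partition names are constructed for
the example. 001/01 is the 3GPP test PLMN; the 310 150 block and the
ten-digit customer sub-range inside it are made up.
"""
import re
from dataclasses import dataclass

IMSI_RE = re.compile(r"[0-9]{6,15}")   # MCC (3) + MNC (2-3) + MSIN, max 15 digits


@dataclass(frozen=True)
class Imsi:
    mcc: str
    mnc: str
    msin: str


def parse_imsi(imsi, mnc_len):
    """Split an IMSI into MCC/MNC/MSIN.

    The MNC is 2 or 3 digits depending on the home PLMN and cannot be
    derived from the digits alone, so the caller supplies the length.
    That ambiguity is also why the routing below matches raw prefixes
    instead of parsed fields.
    """
    if not IMSI_RE.fullmatch(imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return Imsi(imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:])


# Constructed partition table: IMSI prefix -> customer partition.
# A longer prefix wins, so a customer block carved out of an operator's
# range takes precedence over that operator's default partition.
PARTITIONS = {
    "00101": "lab-core",           # 3GPP test PLMN 001/01
    "310150": "mno-default",       # constructed PLMN-wide default
    "3101500000": "mine-site-a",   # constructed 10-digit customer block inside 310150
}
REJECT = "reject"


def route_partition(imsi):
    """Return the partition for an inbound attach, or REJECT if the IMSI
    is malformed or matches no configured prefix (default-deny)."""
    if not IMSI_RE.fullmatch(imsi):
        return REJECT
    for n in range(len(imsi), 0, -1):        # longest prefix first
        partition = PARTITIONS.get(imsi[:n])
        if partition is not None:
            return partition
    return REJECT


if __name__ == "__main__":
    for imsi in ("001010000000001", "310150000012345", "310150999999999",
                 "222010000000001", "31015O000012345"):
        print(imsi, "->", route_partition(imsi))
```

The default-deny branch matters in practice: an attach from an IMSI that matches no configured prefix, or that is not even well-formed, should land in a reject partition rather than fall through to the operator's core.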

                                           MME (Mobility Management Entity)
                                           The main control-plane signaling node of the Evolved Packet Core (EPC) in the
                                           System Architecture Evolution (SAE) architecture. The MME handles UE attach,
                                           authenticates the subscriber against the HSS (Home Subscriber Server), sets up
                                           bearers and manages mobility (tracking-area updates and handovers); it does not
                                           carry user data itself.

                                          MNO (Mobile Network Operator)
                                          Cellular or mobile phone carriers such as Rogers, T-Mobile or Vodafone.


                                          RAN/P-RAN (Radio Access Network/Private Radio Access Network)
                                          These can be ‘public/macro’ networks provided by cellular carriers, or private
                                          networks (P-RAN) that an Enterprise customer might create at an industrial field
                                          of operations (gas plant, mining site, and so on).

                                           SCTP (Stream Control Transmission Protocol)
                                           SCTP is a transport protocol for carrying multiple independent streams of data at
                                           the same time between two end points that have established an association. It
                                           was designed for carrying telephony signaling over IP networks; in LTE it carries
                                           the S1 control-plane signaling between the eNodeB and the MME.

                                           SGW (Serving Gateway)
                                           SGW is a critical network function for the 4G mobile core network, known as the
                                           evolved packet core (EPC). The SGW resides in the user plane, where it forwards
                                           and routes packets between the eNodeB and the packet data network gateway (PGW).

                                           PGW (Packet Data Network Gateway)
                                           PGW is a critical network function for the 4G mobile core network, known as
                                           the evolved packet core (EPC). The PGW acts as the interface between the LTE
                                           network and other packet data networks, such as the Internet or a customer’s
                                           private network.

                                           SIM (Subscriber Identification Module)
                                           The Subscriber Identification Module, or SIM: the removable smart card (UICC)
                                           that holds the subscriber’s IMSI and secret key and performs the subscriber’s
                                           side of network authentication. On UMTS and LTE networks the application on the
                                           card is called the USIM.

                                           Telco, Telecom
                                           An MNO, or a cellular or mobile phone carrier such as Rogers, T-Mobile or Vodafone.

                                           UE (User Equipment)
                                           Refers to the end device with an LTE radio/modem in it, such as a phone, laptop,
                                           tablet, IoT sensor, OBD-II dongle, people tracker and so on.

Expeto creates a global
intranet wherever there is
a cellular connection.

            sales@expeto.io   855.273.5782   WWW.EXPETO.IO