Mobile Security – Worth 10X the Investment

From time to time, I hear comments from operators or analysts about the “high costs” of securing the LTE RAN-core border (i.e., encrypting with IPsec). Costs in the “tens of millions” have been cited, yet there is very little thoughtful, detailed discussion found. When surveyed by Arbor Networks, an estimated 18% of operators deploy a security gateway between the RAN-core. Research by Heavy Reading has also estimated that about 15% of cell sites encrypt traffic over LTE backhaul. So while these numbers are growing as more and more unexpected types of breaches or service disruptions are encountered, there seems to be nagging skepticism that the risk incurred is not worth the cost.

As mobile operators invest billions in LTE networks, the rise of security breaches and service disruptions have exposed the new vulnerabilities of this all-IP network and risk the high service standards and reputation so carefully constructed. One can never have enough security and it costs far less for a hacker to attack a mobile network than for an operator to protect against every foreseeable threat.   Operator must balance business risk against infrastructure investment and rightfully demand fact-based analysis of the options.

In early LTE deployments operators debated whether or not to secure the RAN-Core with a security gateway, if the backhaul was considered “trusted”.   Today, however, operators planning or launching LTE are intuitively convinced of the necessity for the IPsec encryption that a security gateway enables, but still require a more rigorous, quantified rationale.

How can an operator realistically weigh the business value of deploying a new security element in such a rapidly changing and uncertain environment?

An infographic from Stoke provides a methodology with illustrative examples for quantifying the risk vs. the cost of securing the S1. The brief combines groundbreaking research from Ponemon Institute, with data from well publicized LTE incidents and applies them to a representative operator scenario to estimate the financial impact of a security breach and network outage.

The result?

A single, moderate security breach can cost operators 3-4 times the capex for encrypting the RAN-Core backhaul. That single breach combined with one denial-of-of service attach (causing wide spread service disruption) would cost the operator 10 times the capex of secure backhaul.

This analysis is consistent with comments made by Gartner Inc. analyst Avivah Litan who stated that the cost of a breach is usually far higher than the cost of security – estimating that for every $5.62 businesses spend after a breach, companies could spend $1 beforehand on encryption and network protection to prevent intrusions and minimize damage.[1]

For mobile operators, the risk of increased churn could be considered an even higher concern than the analysis just discussed. According to a recent Information Age survey, security is now among the top three elements consumers use to choose a mobile operator – 52% of consumer would switch providers after a major data breach.

So far, the mobile industry has deservedly earned a strong reputation in the area of security. There have been few publicly disclosed breaches and widely known LTE service disruptions have been caused by non-malicious sources, such as application-induced signaling storms or network failures during software upgrades.

Security vulnerabilities on the S1 are well documented by industry groups such as 3GPP and NGMN, but encryption of the backhaul is not mandated by standards and its applicability left to the operator interpretation. Even for carriers with trusted backhaul, the reputational risks may not be worth even the slightest deviation from industry recommendations. With regulators increasingly requiring public disclosure of security breaches, the wildfire spread through social media, and increasing competition, operators are taking incalculable higher risks to their strong reputation by not taking every reasonable precaution.

Finally, security is fast becoming a differentiator amongst carriers, especially with their high value enterprise customers. At a Light Reading Security conference in London in May of 2014, operators acknowledged that it was time to change security from a checklist item to a service differentiator. Heavy Reading further summarized the significance in a 2013 white paper:

“Lack of bulletproof or near-bulletproof security will be a show stopper when operators look to drive the next generation of revenue opportunities.”

[1] http://blogs.gartner.com/john_pescatore/2009/07/24/financial-friday-the-cost-of-a-security-incident-is-usually-much-greater-than-preventing-it/