As organizations grow in scale, network complexity grows exponentially, attack methods become more varied and more covert, and cybersecurity risks increase day by day. To help organizations improve their cybersecurity, risk management and system resilience capabilities, the National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) in 2014, which draws on a series of standards, guidelines and practices such as ISO 27001, COBIT and NIST SP 800. Today, as the CSF has matured, it is widely used as the basis of country-level cybersecurity standards in the US, Italy, Israel, and other countries or regions. The framework is also recognized by more and more governments and industries and is used as a recommended cybersecurity standard by a growing number of organizations.
CSF consists of five fields: asset identification (IDENTIFY), security protection (PROTECT), security detection (DETECT), security response (RESPOND) and security recovery (RECOVER) (see Figure 1). This framework covers the entire cybersecurity assurance process and provides a comprehensive roadmap that helps organizations identify risks, prevent and detect threats, and handle security incidents and service recovery.
In order to provide our customers with more secure and reliable products and services, ZTE Global Services officially introduced CSF in 2019 and continuously builds capabilities in the corresponding fields. After two successive years of practice, ZTE’s delivery security capabilities have been highly recognized by customers worldwide.
Identify – managing asset risks in a comprehensive and scientific manner
The prerequisite of security protection is to identify the objects (assets) to be protected and their associated risks. During the engineering service process, assets take varying forms, including software and hardware devices deployed in live networks, customer data, documents, tools, and mobile media.
To provide comprehensive guidance for engineering service personnel on identifying and controlling asset risks (including vulnerabilities), the cybersecurity team of ZTE Global Services developed a scientific risk assessment procedure in 2020 by referring to the industry-recognized NIST SP 800 series and the GB/T 20984 standard. Currently, the risk assessment procedure has been applied to many of ZTE’s projects around the world. Under the guidance of the procedure, engineering service personnel comprehensively analyze asset value in terms of confidentiality, integrity and availability, together with threats and vulnerabilities in physical environments, personnel, security awareness, management flows, software and hardware, services, and emergency response, and then carry out sound management and control measures in accordance with the resulting risks and the organization’s risk strategy. This significantly reduces the cyber risks faced by network operators.
Protect – setting multi-layered defense lines for core assets
During engineering services, the protection of important assets such as customers’ network devices is primarily reflected in multi-layered defense lines that follow the “defense in depth” philosophy.
The first line of defense is physical security. When entering network-security-sensitive areas such as core equipment rooms, engineering service personnel shall strictly abide by the physical security rules of ZTE and its customers to avoid information disclosure caused by improper behavior or unintended contact with unrelated personnel.
The second line of defense is access control. In the delivery field, the primary concern is the secure use of login accounts and passwords. ZTE has formulated comprehensive process specifications, such as “One Account Only for One Person”, “Permission-and-Domain-Based Access”, “Password Complexity”, “Automatic Lock After Multiple Wrong Password Attempts”, “Regular Password Changes”, “Prohibiting the Use of the Same Password Across Devices”, and “Account Disabling and Cancellation Upon Changes of Project Team Members”. In addition, ZTE carries out random checks to ensure that these rules are reliably implemented.
The third line of defense is the secure transmission, storage, and use of important data. Under these rules, ZTE engineering service personnel download product software only from the specified support website and then carry out virus scanning and an integrity check before the upgrade, to prevent possible viruses or content tampering. If customers’ network data needs to be temporarily stored on local personal laptops, ZTE engineering service personnel obtain customer authorization first and then classify and store the data securely as the rules require (for example, by encrypting it). Where data transmission is necessary, after obtaining customer authorization, ZTE engineering service personnel transmit network data in encrypted form, following local laws and regulations and the “Least-to-Know” principle.
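The integrity check before an upgrade, shown as an added example that is not ZTE’s own tooling: the package downloaded from the support site is hashed in chunks and compared against the digest published in a manifest, and the upgrade is refused on a mismatch or a missing manifest entry. The package bytes, file name and manifest are constructed sample values.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: a "software package" and the manifest entry that the
# support site would publish alongside it (hypothetical values, not ZTE's).
PACKAGE_BYTES = b"example firmware image v1.2.3 (constructed sample)\n"
MANIFEST = {"pkg-1.2.3.bin": hashlib.sha256(PACKAGE_BYTES).hexdigest()}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(path, manifest):
    """Return (ok, reason). The upgrade may proceed only when ok is True."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        # An unlisted file is treated as untrusted, not as "nothing to check".
        return False, "no manifest entry for %s; refuse to upgrade" % name
    actual = sha256_file(path)
    # compare_digest avoids leaking how many leading hex digits matched.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch for %s (possible tampering)" % name
    return True, "integrity check passed"

def demo():
    """Verify an intact copy, a tampered copy and an unlisted file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "pkg-1.2.3.bin")
        with open(pkg, "wb") as f:
            f.write(PACKAGE_BYTES)
        results["intact"] = verify_package(pkg, MANIFEST)[0]
        # Simulate content tampering: overwrite one byte, keep the file name.
        with open(pkg, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        results["tampered"] = verify_package(pkg, MANIFEST)[0]
        results["unlisted"] = verify_package(os.path.join(d, "other.bin"), MANIFEST)[0]
    return results
```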
Detect – responding to cybersecurity threats that constantly change
As internal and external threats grow more complex and keep changing, protection measures that remain unchanged will gradually lose effectiveness, leaving network devices less able to defend themselves and inevitably resulting in security incidents. Therefore, both equipment vendors and network operators shall stay persistently concerned with regular detection and the continuous enhancement of protection measures.
Before delivery, the products provided by ZTE shall undergo baseline and related security hardening configuration as requested and are put into commercial use only after passing security testing by customers or customer-authorized third parties. During the network operation and maintenance period, in addition to customer-originated regular vulnerability scanning and the use of mainstream security devices such as IDS/IPS/SIEM, ZTE also carries out routine security checks, including attack detection on network devices, in line with contract requirements, and provides special security assurance during important network safeguard activities.
In addition, from the product perspective, some ZTE-manufactured products have a built-in program whitelist function. When an intruder successfully starts a malicious application (for example, a Trojan or virus) on such a product and the activity is detected, an alert is issued automatically and in real time.
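How a program whitelist check of the kind described above can turn process-start events into alerts, as an added example rather than ZTE’s product code: each event carries the executable path and the hash of the binary that started; a path missing from the whitelist, or a whitelisted path whose binary hash no longer matches, produces an alert. The whitelist, the event format and all digests are constructed sample values.

```python
import hashlib
import re

# Constructed whitelist: executable path -> SHA-256 of the approved binary.
# Digests are derived from placeholder strings so the sample runs offline.
def fake_digest(label):
    return hashlib.sha256(label.encode()).hexdigest()

ALLOWLIST = {
    "/usr/sbin/sshd": fake_digest("approved sshd build"),
    "/opt/vendor/bin/omc_agent": fake_digest("approved omc_agent build"),
}

# Constructed process-start events in a simple key=value format (hypothetical;
# a real device would emit them from its own audit or whitelist module).
EVENTS = [
    "ts=2024-05-01T10:00:01Z host=bsc01 user=root exe=/usr/sbin/sshd sha256=" + ALLOWLIST["/usr/sbin/sshd"],
    "ts=2024-05-01T10:00:07Z host=bsc01 user=omc exe=/opt/vendor/bin/omc_agent sha256=" + ALLOWLIST["/opt/vendor/bin/omc_agent"],
    # Approved path, different binary: the file on disk has been replaced.
    "ts=2024-05-01T10:02:13Z host=bsc01 user=omc exe=/opt/vendor/bin/omc_agent sha256=" + fake_digest("modified omc_agent"),
    # Executable that is not on the whitelist at all.
    "ts=2024-05-01T10:03:45Z host=bsc01 user=root exe=/tmp/unknown_tool sha256=" + fake_digest("unknown binary"),
]
EVENT_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    return dict(EVENT_RE.findall(line))

def check_event(event, allowlist):
    """Return an alert dict when the started program is not whitelisted, else None."""
    exe, digest = event.get("exe"), event.get("sha256")
    approved = allowlist.get(exe)
    if approved is None:
        reason = "executable not on whitelist"
    elif digest != approved:
        reason = "whitelisted path but binary hash differs (possible replacement)"
    else:
        return None
    return {"ts": event.get("ts"), "host": event.get("host"),
            "user": event.get("user"), "exe": exe, "reason": reason}

def detect(lines, allowlist=ALLOWLIST):
    """Run the whitelist check over a batch of event lines; alerts keep event order."""
    alerts = []
    for line in lines:
        alert = check_event(parse_event(line), allowlist)
        if alert:
            alerts.append(alert)
    return alerts
```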
Respond – 24/7 service to reduce the negative effect of security incidents
As with faults, how security incidents are responded to is of great importance. Presently, ZTE has deployed the Customer Support Center (CSC) system, which is accessible to engineering service personnel worldwide. The CSC system allows engineering service personnel to rapidly report identified security incidents at any time (24/7) and flag them as security incidents. In accordance with the reported severity level and the preset Service Level Agreement (SLA), the CSC system automatically forwards these incidents to the security experts for the corresponding products, who then provide containment, mitigation and eradication solutions to on-site personnel.
Recover – professional troubleshooting to recover affected services to the greatest extent
When a security incident does occur, recovering quickly and effectively requires full communication and collaboration with the relevant parties to reduce possible negative impact and damage. At the same time, because of the particular nature of security incidents, meeting the SLA must be balanced against preserving the attack scene, retaining complete evidence, and tracing the source of the attack chain.
Presently, all ZTE products have comprehensive emergency plans for sudden incidents, including network attacks, with responsible persons and handling measures explicitly listed. In addition, ZTE carries out emergency drills regularly to ensure that customer expectations are met. Upon the occurrence of an attack, besides immediately instructing on-site personnel to isolate the network, security experts also begin investigating the root cause straight away, so that relevant attack information is retained while services are being recovered.
Cybersecurity should be treated as systematic engineering that requires continuous investment, evolution and improvement. In addition to fully improving the security and reliability of its delivery capabilities based on the CSF, ZTE proactively listens to customers’ voices and embeds cybersecurity requirements across products, services, the supply chain and other fields, aiming to build an integrated cybersecurity ecosystem and a customer-oriented architecture that fully guarantees cybersecurity.