Principles of embedding security throughout the product lifecycle

Photo: Zhong Hong

Zhong Hong, chief security officer at ZTE, explains the importance of getting on top of risk management as the growing uptake of technologies like 5G and IoT widens cyberthreats.

The take-up of advanced mobile communications is set to continue its major upsurge in the coming years. The number of global 5G connections is due to triple from around 1.5 billion now to 5.3 billion by the end of the decade, according to the GSMA. At the same time, the number of licensed cellular IoT connections will double to 5.3 billion from the 2022 figure.

Such a huge rise in the array of advanced devices and things online creates massive opportunities for the industry. However, it is also widening the scope for cybersecurity attacks, particularly when combined with the trend towards virtualisation of networks. Indeed, the first half of 2023 showed a significant uptick in cyberattacks, while such events are also increasing in complexity.

In this environment, it’s crucial that players throughout the communications value chain take wide-reaching measures to counteract these threats, says Zhong Hong, chief security officer at ZTE. Equipment vendors, in particular, have a key duty here.

“As mobile networks have become more and more important, and have entered all walks of life, cybersecurity has become an increasing issue for all of us,” says Zhong. “It’s the responsibility of equipment suppliers to guarantee the security of networks for our customers.”

For that reason, he says, ZTE regards security as a top priority for product development. Reflecting its dedication to stamping out threats, the company has outlined its comprehensive approach in a new white paper, Governance, Conformance, Openness, and Transparency – Practices of ZTE Cybersecurity Assurance.

Security by design

In its paper, ZTE explains how it implements the principles of security by design and security by default throughout its processes. This means carrying out threat analysis and risk assessment right from the start, while ensuring that products can be used ‘out of the box’ with almost no further configurations once they come to market.

Zhong explains how this is in line with the “shift left” needed in the industry, referring to implementing security at an earlier point. “We take cybersecurity into consideration at the earliest stage of the R&D process,” he says. “When we then deliver already security-configured products, it reduces the concern, the work needed and the risks not only for our customers, but also for their end users.”

Ensuring proper security includes taking into account and managing threats posed by the increasing use of external components, which can introduce new vulnerabilities. As part of this, ZTE signs agreements with suppliers of commercial third-party components to ensure they are committed to security requirements, only incorporating components that satisfy the selection criteria and pass tests to meet the appropriate standards. With regard to open-source components, meanwhile, the vendor’s strategy is to select those that are secure, compliant, widely used in the community and highly reliable.

“There are huge numbers of third-party components that have been incorporated into software and hardware in telecommunications products,” says Zhong. “For suppliers, it’s important to manage these components throughout the product lifecycle, and maintain mechanisms that are effective for the notification of vulnerabilities and for carrying out repairs.”

Working together

Ensuring security therefore also requires collaboration with other players in the value chain and with standards organisations – all of which depends on openness, transparency and alignment with industry best practices. “We adopt industry standards and best practices into our whole lifecycle management,” says Zhong. “Openness and transparency are important, and communication is key for this.”

Zhong points to frameworks such as the GSMA’s Network Equipment Security Assurance Scheme, which sets out security requirements throughout the product lifecycle and for which ZTE’s 5G products passed the audit in June 2022. The vendor also holds a range of ISO certificates – including those relating to information and supply-chain security, business continuity and privacy protection – and actively participates in the international development of standards and in organisations such as the GSMA, ITU and ETSI.

In summary, effective security rests on robust governance, both internal and external, which in turn supports conformance in areas including the supply chain, R&D, delivery and incident response.

As a key part of this system, ZTE adopts a ‘three lines’ approach to governance, referring to having three distinct lines of defence to improve response to security issues. These comprise a first line of defence maintained by business units, whereby each unit implements security measures; a second line maintained by the Product Security Department, which harnesses an independent assessment mechanism to evaluate practices; and a third line that audits the work of the other two lines.

The overriding principle is for security requirements and countermeasures to be incorporated into every process at every level of product design and development, says Zhong. That involves keeping up to date with rapidly changing threats and requirements as the industry evolves.

“We have to keep an eye on standards and stay in line with all the updated requirements so we can keep pace with the status of cybersecurity in the industry,” says Zhong. “It’s important as a common goal for the whole industry to join together to promote cybersecurity for the benefit of all.”