Cyber Security Factsheet

Vodafone Group Plc Cyber Security Factsheet 2023

Risk management continued

New technologies, industry practice and regulations

We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Security by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls. We anticipate threats will continue from existing sources, but also evolve in areas such as 5G, IoT, vendor software integrity, quantum computing and the use of artificial intelligence (‘AI’) and machine learning.

Mobile networks

Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features in our core networks. We also test security in our radio networks using independent testing companies.

Open RAN is a new way of building and managing Radio Access Network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecoms equipment. We mitigate security risks by following our Security by Design process, identifying and mitigating threats with secure design and configuration.

Regulatory landscape

We expect a significant increase in security regulation over the next few years as governments respond to the heightened cyber threat landscape, recognising that telecommunications operators provide critical national infrastructure. We engage directly with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches to reinforce standardisation and regulatory frameworks that apply equally to all market participants.

In the UK, we are implementing the provisions of the Telecoms Security Act, which sets enhanced security requirements for UK network operators and their suppliers. In Europe, individual member states have their own current or pending legislation; however, these incorporate EU-wide standards such as the 5G Security toolbox and the ‘Network and Information Security 2’ Directive. We continue to monitor the forthcoming EU Cyber Resilience Act, which aims to ensure that all digital products and services fulfil the same mandatory security requirements. We are also monitoring the enhanced SEC cybersecurity disclosure provisions, which are expected to be published later in 2023.

Quantum computing

As part of our efforts to track and monitor potential future threats to our networks, systems and customers, we are monitoring developments in quantum computing and its effect on encryption. Whilst such a risk is not specific to Vodafone, we have started work to address the potential negative effects and maintain a robust level of encryption that is quantum safe within our network and systems.

We are also contributing to initiatives which support other industries. During the year, we formed a taskforce with IBM, the GSMA and other industry partners to work together on post-quantum cryptography. The taskforce has now published a whitepaper which summarises government initiatives and provides recommendations that can be applied to any industry.

Industry collaboration

More broadly, we actively engage with stakeholders, including industry and government, in order to protect Vodafone, respond to cyber threats and work together to share best practice. Given our expertise and extensive experience, we also engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing and analysis, risk assessment, and governance.

For example, we have engaged in cross-industry collaboration through the European Round Table, where Vodafone chairs the CISO committee and via the National Cyber Advisory Board in the UK. We also participate and engage in security standards working groups such as ENISA 5G Cyber Security Certification, O-RAN Alliance Security Focus group and GSMA Fraud and Security Group.

[Figure: network diagram. Labels: Spectrum; Our networks; RAN equipment; Open RAN equipment; Technology centres; Mobile core and fixed networks; Radio base stations; Fixed and transport infrastructure; Wireless devices; Homes; Offices and data centres; Powered by]