Showing posts with label Network Automation. Show all posts
Showing posts with label Network Automation. Show all posts

Tuesday, 20 January 2026

Telecom Security Realities from 2025 and Lessons for 2026

Telecom security rarely stands still. Each year brings new technologies, new attack paths, and new operational realities. Yet 2025 was not defined by dramatic new exploits or spectacular network failures. Instead, it became a year that highlighted how persistent, patient and methodical modern telecom attackers have become.

The recent SecurityGen Year-End Telecom Security Webinar offered a detailed look back at what the industry experienced during 2025. The session pulled together research findings, real world incidents and practical lessons from across multiple domains, including legacy signalling, eSIM ecosystems, VoLTE vulnerabilities and the emerging world of satellite-based mobile connectivity.

For anyone working in mobile networks, the message was clear. The threats are evolving, but many of the core problems remain stubbornly familiar.

A Year of Stealth Rather Than Spectacle

One of the most important themes from the webinar was that 2025 did not bring a wave of highly visible disruptive telecom attacks. Instead, it was characterised by quiet, low profile intrusions that often went undetected for long periods.

Operators around the world reported that attackers increasingly favoured living-off-the-land techniques. Rather than deploying noisy malware, intruders looked for ways to gain legitimate access to core systems and remain hidden. Lawful interception platforms, subscriber databases such as HLR and HSS, and internal management platforms were all targeted.

The primary objective in many cases was intelligence collection. Attackers were interested in call data, subscriber information and network topology rather than immediate disruption. This shift in motivation makes detection far more difficult, as there are often few obvious signs of compromise.

At the same time, automation has become a defining feature on both sides of the security battle. Operators are investing heavily in AI and machine learning to identify abnormal behaviour. Attackers are doing exactly the same, using automation to scale phishing campaigns and to accelerate exploit development.

Despite all this technology, basic security discipline continues to be a major challenge. A significant proportion of incidents still originate from human error, poor operational practices or simple failure to apply patches. The industry continues to invest billions in cybersecurity, but much of that effort is consumed by reporting and compliance activities rather than direct threat mitigation.

eSIM Security Comes into Sharp Focus

The transition from physical SIM cards to eSIM and remote provisioning is one of the most significant structural changes in the mobile industry. It offers clear benefits in terms of flexibility and user experience. However, the webinar highlighted that it also introduces entirely new security concerns.

Traditional SIM security models relied heavily on physical control. Fraudsters needed access to large numbers of real SIM cards to operate at scale. With eSIM, many of those physical constraints disappear. Remote provisioning expands the number of parties involved in the connectivity chain, including resellers and intermediaries who may not always operate under strict regulatory oversight.

During 2025 several major SIM farm operations were dismantled by law enforcement. These infrastructures contained tens of thousands of active SIM cards and were used for large scale fraud, smishing campaigns and automated account creation. While such operations existed long before eSIM, the technology has the potential to make them even easier to deploy and manage.

Research discussed in the session pointed to additional concerns. Analysis of travel eSIM services revealed issues such as cross-border routing of management traffic, excessive levels of control granted to resellers, and lifecycle management weaknesses that could potentially be abused by attackers. In some cases, resellers were found to have capabilities similar to full mobile operators, but without equivalent governance or transparency.

The conclusion was not that eSIM is inherently insecure. The technology itself uses strong encryption and robust mechanisms. The problem lies in the wider ecosystem of trust boundaries, partners and processes that surround it. Securing eSIM therefore requires cooperation between operators, vendors, regulators and service providers.

SS7 Remains a Persistent Weak Point

Few topics in telecom security generate as much ongoing concern as SS7. Despite being a technology from a previous era, it remains deeply embedded in global mobile infrastructure. The webinar dedicated significant attention to why SS7 continues to be exploited in 2025 and why it is likely to remain a problem for many years to come.

Throughout the year, media reports and research papers continued to demonstrate practical abuses of SS7 signalling. Attackers probed networks, attempted to bypass signalling firewalls and looked for new ways to manipulate protocol behaviour. Techniques such as parameter manipulation and protocol parsing tricks were highlighted as methods that can sometimes evade existing protections.

One particularly interesting demonstration showed how SS7 messages could be used as a covert channel for data exfiltration. By embedding information inside otherwise legitimate signalling transactions, attackers can potentially move data across networks without triggering traditional security alarms.

Perhaps the most striking point raised was how little progress has been made in eliminating SS7 dependencies. Analysis of global network deployments showed that only a handful of countries operate mobile networks entirely without SS7. Everywhere else, the protocol remains a foundational element of roaming and interconnect.

As a result, even operators that have invested heavily in 4G and 5G security can still be undermined by weaknesses in this legacy layer. The uncomfortable reality is that SS7 vulnerabilities will continue to be exploited well into 2026 and beyond.

VoLTE and Modern Core Network Risks

While legacy protocols remain a problem, modern technologies are not immune. VoLTE infrastructure in particular was identified as an increasingly attractive target.

VoLTE relies on complex interactions between signalling systems, IP multimedia subsystems and subscriber databases. Weaknesses in configuration or interconnection can open the door to call interception, fraud or denial of service. Several real world incidents during 2025 demonstrated that attackers are actively exploring these paths.

The move toward fully virtualised and cloud-native mobile cores also introduces new operational challenges. Telecom networks now resemble large IT environments, complete with the same risks around misconfiguration, insecure APIs and exposed management interfaces.

The Emerging Security Challenge of 5G Satellites

One of the most forward-looking parts of the webinar focused on non-terrestrial networks and direct-to-device satellite connectivity. What was once a concept for the distant future is rapidly becoming a commercial reality.

Satellite integration promises to extend 5G coverage to remote areas, oceans and disaster zones. However, it also changes the security model in fundamental ways. Satellites can act either as simple relay systems or as active components of the mobile radio access network. In both cases, new threat vectors emerge.

Potential issues discussed included the risk of denial of service against shared satellite resources, difficulties in applying traditional radio security controls in space-based equipment, and the possibility of more precise user tracking due to the way satellite systems handle location information.

Experts from the space cybersecurity community explained how vulnerabilities in mission control software and ground segment infrastructure could be exploited. Much of this software was originally designed for isolated environments and is only now being connected to wider networks and the internet.

As telecom networks expand beyond the boundaries of the Earth, security responsibilities extend with them. Operators will need to think not only about terrestrial threats but also about risks originating from space-based components.

The Human Factor and the Skills Gap

Technology was only part of the story. Another recurring theme was the global shortage of skilled telecom cybersecurity professionals.

Studies referenced in the session suggested that millions of additional specialists are needed worldwide, yet only a fraction of that demand can currently be filled. Many security teams are overwhelmed by the sheer volume of alerts and data they must process.

This shortage has real consequences. When teams are stretched thin, patching is delayed, anomalies are missed and complex investigations become difficult to sustain. The panel emphasised that throwing more tools at the problem is not enough. Organisations must focus on training, automation and smarter operational processes.

Automation and AI-driven analysis were presented as essential enablers. Given the scale of modern mobile networks, it is simply not feasible for human analysts to monitor every signalling protocol, every core interface and every emerging technology manually.

Preparing for 2026

Looking ahead, the experts agreed on several broad trends. Attacks on legacy systems such as SS7 will continue. Fraudsters will increasingly target eSIM provisioning processes. VoLTE and 5G core components will face growing scrutiny. Satellite-based connectivity will introduce new and unfamiliar security questions.

Perhaps most importantly, the line between traditional telecom security and general cybersecurity will continue to blur. Mobile networks are now large, distributed IT platforms, and they inherit all the complexities that come with that transformation.

Operators, regulators and vendors must therefore adopt a holistic view. Investment must go beyond compliance reporting and focus on practical defences, real time monitoring and collaborative intelligence sharing.

Final Reflections

The SecurityGen webinar provided a valuable snapshot of an industry at a crossroads. Telecom networks are becoming more advanced and more capable, but also more complex and interconnected than ever before.

2025 demonstrated that attackers do not always need new vulnerabilities. Often they succeed simply by exploiting old weaknesses in smarter ways. The challenge for 2026 is to close those gaps while also preparing for the technologies that are only just beginning to emerge.

For those involved in telecom security, the full discussion is well worth watching. The complete webinar recording can be viewed below:

Related Posts:

Posted by Zahid Ghadialy at 07:35 Leave a comment...0 comments so far
Labels: , , , , , , , , , , , , , , ,

Wednesday, 10 August 2022

AI/ML Enhancements in 5G-Advanced for Intelligent Network Automation

Artificial Intelligence (AI) and Machine Learning (ML) has been touted to automate the network and simplify the identification and debug of issues that will arise with increasing network complexity. For this reason 3GPP has many different features that are already present in Release-17 but are expected to evolve further in Release-18. 

I have already covered some of this topics in earlier posts. Ericsson's recent whitepaper '5G Advanced: Evolution towards 6G' also has a good summary on this topic. Here is an extract from that:

Intelligent network automation

With increasing complexity in network design, for example, many different deployment and usage options, conventional approaches will not be able to provide swift solutions in many cases. It is well understood that manually reconfiguring cellular communications systems could be inefficient and costly.

Artificial intelligence (AI) and machine learning (ML) have the capability to solve complex and unstructured network problems by using a large amount of data collected from wireless networks. Thus, there has been a lot of attention lately on utilizing AI/ML-based solutions to improve network performance and hence providing avenues for inserting intelligence in network operations.

AI model design, optimization, and life-cycle management rely heavily on data. A wireless network can collect a large amount of data as part of its normal operations. This provides a good base for designing intelligent network solutions. 5G Advanced addresses how to optimize the standardized interfaces for data collection while leaving the automation functionality, for example, training and inference up to the proprietary implementation to support full flexibility in the automation of the network.

AI/ML for RAN enhancements

Three use cases have been identified in the Release 17 study item related to RAN performance enhancement by using AI/ML techniques. Selected use cases from the Release 17 technical report will be taken into the normative phase in the next releases. The selected use cases are: 1) network energy saving; 2) load balancing; and 3) mobility optimization.

The selected use cases can be supported by enhancements to current NR interfaces, targeting performance improvements using AI/ML functionality in the RAN while maintaining the 5G NR architecture. One of the goals is to ensure vendor incentives in terms of innovation and competitiveness by keeping the AI model implementation specific. As shown in Fig.2 (on the top) an intent-based management approach can be adopted for use cases involving RAN-OAM interactions. The intent will be received by the RAN. The RAN will need to understand the intent and trigger certain functionalities as a result.

AI/ML for physical layer enhancements

It is generally expected that AI/ML functionality can be used to improve the radio performance and/or reduced the complexity/overhead of the radio interface. 3GPP TSG RAN has selected three use cases to study the potential air interface performance improvements through AI/ML techniques, such as beam management, channel state information feedback enhancement, and positioning accuracy enhancements for different scenarios. The AI/ML-based methods may provide benefits compared to traditional methods in the radio interface. The challenge will be to define a unified AI/ML framework for the air interface by adequate AI/ML model characterization using various levels of collaboration between gNB and UE.

AI/ML in 5G core

5G Advanced will provide further enhancements of the architecture for analytics and on ML model life-cycle management, for example, to improve correctness of the models. The advancements in the architecture for analytics and data collection serve as a good foundation for AI/ML-based use cases within the different network functions (NFs). Additional use cases will be studied where NFs make use of analytics with the target to support in their decision making, for example, network data analytics functions (NWDAF)- assisted generation of UE policy for network slicing.

If you are interested in studying this topic further, check out 3GPP TR 37.817: Study on enhancement for data collection for NR and ENDC. Download the latest version from here.

Related Posts

Posted by Zahid Ghadialy at 07:35 Leave a comment...2 comments so far
Labels: , , , , , , , , , , , , ,

Tuesday, 2 February 2021

NWDAF in 3GPP Release-16 and Release-17

We looked at Network Data Analytics Function, NWDAF, in detail here. While the 3GPP Release-16 work just starting back then, we have now completed Rel-16 and looking at Release 17. 

The 5G Core (5GC) supports the application of analytics to provide Intelligent Automation of the network, In Rel-16 the set of use cases that are proposed for the NWDAF has been widely expanded. 

In an earlier post, we looked at the ATIS webinar discussing Release-16 & forthcoming features in Rel-17. Puneet Jain, Director of Technical Standards at Intel and 3GPP SA2 Chairman talked briefly about NWDAF. The following is from his talk:

Release-16 provides support for Network Automation and Data Analytics.  Network Data Analytics Function (NWDAF) was defined to provide analytics to 5G Core Network Functions (NFs) and to O&M. It consists of several services that were defined in 3GPP Rel-16 and work is now going in Release 17 to further extend them. 

In release 16 Slice load level related network data analytics and observed service experience related network data analytics were defined. NF load analytics as well Network Performance analytics was also specified. NWDAF provides either statistics or prediction on the load communication and mobility performance in the area of interest. 

Other thing was about the UE related analytics which includes UE mobility analytics, UE communication analytics, Expected UE behavior parameter, Related network data analytics and abnormal behavior related network data analytics.

The NWDAF can also provide user data congestion related analytics. This can be done by one time reporting or continuous reporting in the form of statistics or prediction or both to any other network function. 

QoS sustainability analytics, this is where the consumer of QoS sustainability analytics may request NWDAF analytics information regarding the QoS change statistic for a specific period in the past in a certain area or the likelihood of QoS change for a specific period in future, in certain areas. 

In Release 17, studies are ongoing for network automation phase 2. This includes some leftover from Release 16 such as UE driven analytics, how to ensure that slice SLA is guaranteed and then also new functionality is being discussed that includes things like support for multiple NWDAF instance in one PLMN including hierarchies, how to enable real-time or near-real-time NWDAF communications, how to enable NWDAF assisted user pane optimization and last which is very interesting is about interaction between NWDAF and AI model and training service owned by the operator.

This article on TM Forum talks about NWDAF deployment challenges and recommendations:

To deploy NWDAF, CSPs may encounter these challenges:

  • Some network function vendors may not be standards compliant or have interfaces to provide data or receive analytics services.
  • Integrating NWDAF with existing analytics applications until a 4G network is deployed is crucial as aggregated network data is needed to make decisions for centralized analytics use cases.
  • Many CSPs have different analytics nodes deployed for various use cases like revenue assurance, subscriber/marketing analytics and subscriber experience/network management. Making these all integrated into one analytics node also serving NWDAF use cases is key to deriving better insights and value out of network data.
  • Ensuring the analytics function deployed is integrated to derive value (e.g., with orchestrator for network automation, BI tools/any UI/email/notification apps for reporting).

Here are some ways you can overcome these challenges and deploy efficient next-generation analytics with NWDAF:

  • Mandate a distributed architecture for analytics too, this reduces network bandwidth overhead due to analytics and helps real-time use cases by design.
  • Ensure RFPs and your chosen vendors for network functions have, or plan to have, NWDAF support for collecting and receiving analytics services.
  • Look for carrier-grade analytics solutions with five nines SLAs.
  • Choose modular analytics systems that can accommodate multiple use cases including NWDAF as apps and support quick development.
  • Resource-efficient solutions are critical for on-premise or cloud as they can decrease expenses considerably.
  • Storage comes with a cost, store more processed smart data and not more raw big data unless mandated by law.
  • In designing an analytics use case, get opinions from both telco and analytics experts, or ideally an expert in both, as they are viewed from different worlds and are evolving a lot.

This is such an important topic that you will hear more about it on this blog and elsewhere.

Related Posts:

Posted by Zahid Ghadialy at 07:35 Leave a comment...3 comments so far
Labels: , , , , , , ,
Subscribe to: Comments (Atom)