Securing Semtech’s (Formerly Sierra Wireless）Managed Connectivity Services and Mobile Virtual Network with Defense in Depth

As a leading provider of Managed Connectivity Services and a Mobile Virtual Network Operator (MVNO), Semtech (Formerly Sierra Wireless） oversees the secure operation of a complex critical infrastructure platform relied on by customers around the world. With customers relying on connectivity to maintain data communications with endpoints ranging from critical infrastructure, to mobile-connectivity for first responders, to border-crossing cargo shipments that require asset tracking our teams take this responsibility seriously. We are proud to share some insight into some of the key measures we take to keep our customers safe, secure, and connected, as well as how those measures fit into our broader strategy. First, some background. 

What is a Mobile Virtual Network Operator? 

A Mobile Virtual Network Operator, or MVNO, is a mobile communications provider that offers service to their customers using infrastructure owned and operated by a traditional Mobile Network Operator (MNO). Through this model, MVNOs can provide customers with additional value on top of mobile connectivity. As MVNOs can partner with multiple MNOs, they can offer customers one-stop connectivity that spans the operating areas of more than one MNO without the customer needing to manage each of the different carriers. This means that an MVNO can provide transparent service on a global scale, giving customers unmatched flexibility and efficiency. MVNOs can also offer customers a range of additional services for managing connectivity that go beyond what individual MNOs make available to customers.

What security threats do MVNOs face? 

Due to an MVNO’s reliance on their partner MNOs for the infrastructure used for underlying connectivity, they are not responsible directly for the security of that telecommunications infrastructure. That responsibility falls to the MNO. Nonetheless, MVNOs face a threat landscape. To deliver their services, MVNOs need significant access to their MNO partner’s infrastructure, and attackers see MVNOs as a path to attempt to compromise the underlying mobile telecommunications infrastructure. Further, an attacker who can disrupt the operations of an MVNO can have a significant impact across the MVNO’s customers that exceeds the impact of affecting a single MNO. Examples of threats faced by an MVNO include: 

• Tampering with data in transit, impacting the integrity of information 

• Theft or disclosure of sensitive information transiting the MVNO 

• Disruption and interruption of services, denying communications to critical customers 

• Theft of customer and subscriber information from the MVNO, or destruction of customer data 

How has Semtech responded to these threats? 

Semtech has implemented a robust cybersecurity and resilience program across our MVNO footprint with focused investment in tools, technologies, strong practices, and training. Combined with around-the-clock monitoring, layered resilience, and business continuity practices, this gives Semtech the depth of defense needed to combat today’s threats and tomorrow’s. 

Semtech’s Strategy for Protecting Our Customers and MVNO Infrastructure  

Defense in Depth

Semtech recognizes that there is no single measure or practice that is going to ensure that our MVNO operates with the level of security our customers need and expect. Reflecting the myriad types of threats previously described, we employ a Defense in Depth strategy built on a range of different technologies. Our cybersecurity partners, all industry leaders, provide us with the tooling and systems we need, and enable the following capabilities: 

• 24x7 Managed Endpoint Detection and Response (EDR) – monitoring and actively responding to threats within our infrastructure 

• Web Application Firewalls – Intelligently monitoring network traffic and actively preventing high risk or suspicious activity 

• Telecommunications-specific cybersecurity appliances designed to protect cellular-related network protocols 

• Vulnerability Scanners – Ongoing, regular scanning of internal and externally facing infrastructure for vulnerabilities and risks 

• Active Asset Detection & Management – Centralized aggregation of asset data with a wide range of data sources from across our footprint, supporting risk detection and asset management 

Secure Practices

Cybersecurity, particularly for complex entities like MVNOs, is not solely about the use of industry leading technologies. Secure practices must be leveraged during the design, implementation, and operation of the infrastructure to provide robust protection and to get the maximum security value from technical controls and capabilities. Some of the key operational and architectural practices used by Semtech’s MVNO include: 

• Workload isolation and segregation – Zero-trust VLAN design using leading-edge firewall protection to isolate workloads 

• Data Encryption – Use of Virtual Private Networks (VPN) to encrypt partner and carrier connectivity, as well as encryption of data at rest 

• System Hardening - Operating System and Shell Hardening following Center for Internet Security (CIS) Version 8 guidance 

• Lifecycle Management – Workflows and practices in place to ensure that systems and infrastructure remain current and supported 

• Vulnerability and Patch Management – regular operational practices to monitor for vulnerabilities and threats, and applying patches and mitigation measures in a timely manner 

Reducing Human-Vulnerability

Recognizing that well-trained employees are a key part of keeping infrastructure secure, Semtech requires all employees to participate in mandatory cybersecurity training annually. Further advanced cybersecurity training is available for employees in cybersecurity-specific or sensitive roles. All workstations used by employees to interface with sensitive systems, including customer-facing platforms, are also deployed with security measures including 24x7 Managed EDR monitoring and response, network layer web filtering and threat prevention, and advanced Multi-Factor Authentication (MFA). These measures help our employees do their jobs in the most secure way possible. 

Business Continuity and Resilience

• Physical data centers are all Tier 2 data center compliant. To achieve high availability, multiple geographically dispersed data centers run in an active-active configuration with multiple instances of underlying services similarly configured. This provides continuous services to our customers in a disaster or cyber event. 

• A robust backup strategy is a key part of the Semtech data protection policies. Backup and restoration centers around a combination of on- and off-premise data storage using data archiving techniques supporting immutability. Semtech policies further require regular testing of our backups to ensure the recoverability of data in the event of a disaster of any size. All backup solutions include rollback solutions.

 Audits and Penetration Testing 

Even after implementing all the technologies, operational practices, and policies referenced in this document, it is still critical to know if all your capabilities are operating as anticipated and with the expected operational impact. Semtech relies on regular security assessments and red team testing by recognized third parties to evaluate not just the presence of our controls but their effectiveness. Lessons learned from each successive testing engagement flow back into the workflows noted here, reinforcing strengths and ensuring any weaknesses are quickly addressed. 

• We engage a 3rd party security services provider at least once per year to perform an Internet facing vulnerability and penetration test.  

• MVNO-specific security audits are performed by a third party specializing in the unique and advanced infrastructure, protocols and architectures used by an MVNO to deliver services. 

• Semtech performs regular internal audits and security assessments as well, in addition to tracking our alignment with our selected industry security benchmarks. 

Conclusion 

Semtech is committed to delivering secure Managed Connectivity Services to our customers through the responsible operation of our MVNO infrastructure. Recognizing the numerous threats faced by MVNOs, Semtech employs a defense-in-depth security strategy built on industry-leading tools and recognized practices supported and verified by third-party assessments and audits. Together with security training and robust asset management, Semtech delivers efficient, reliable operation for our customers built on a secure foundation. As customer needs, telecommunications technologies, and threats continue to evolve, Semtech is resolved to continue maturing and evolving to keep pace and remain a trusted partner and provider for our customers.