Quick Answer
LTE450 private networks provide strong inherent security through 3GPP Authentication and Key Agreement (AKA) at the radio layer, EPS encryption for all air interface traffic, IPsec for backhaul, and private APN isolation of OT traffic. For critical national infrastructure operators, compliance with the NIS Regulations and NCSC guidance on CNI connectivity security is also required.
3GPP Security Architecture
The 3GPP LTE security architecture, defined in 3GPP TS 33.401, provides a multi-layer security framework that is substantially stronger than most alternative industrial wireless technologies. At the foundation is the Authentication and Key Agreement (AKA) protocol, which uses a symmetric key (Ki) stored in the SIM and in the Home Subscriber Server (HSS). When a device attempts to attach to the network, a mutual authentication challenge-response sequence occurs: the network verifies the device’s SIM is genuine, and the device verifies the network is its authorised operator. This mutual authentication prevents both rogue devices from accessing the network and rogue base stations from tricking legitimate devices into connecting.
Following successful authentication, encryption keys are derived for the radio interface. The Air Interface Encryption algorithm (typically AES-128 using EEA2 or SNOW 3G using EEA1) encrypts all user data and control plane signalling between the device and the eNodeB. This prevents interception of traffic from the air interface. Integrity protection is applied to control plane messages, preventing tampering with network signalling.
Private APN Isolation
In a private LTE450 utility network, the Packet Data Network Gateway (P-GW) provides the boundary between the LTE network and the utility’s operational technology (OT) network and corporate IT systems. Traffic from utility devices is routed via a private APN to the utility’s own network, completely isolated from the public internet. This means that even if a device’s application layer were compromised, the attacker could only reach other devices on the utility’s own network – there is no direct path to or from the public internet without passing through the utility’s own security controls (firewalls, intrusion detection systems, network segmentation).
IPsec for Backhaul Security
The S1 interface connecting eNodeBs to the EPC MME and S-GW is protected by IPsec tunnels. This ensures that even if the physical backhaul medium (fibre, microwave, co-located public network circuits) were compromised, the signalling and user data traffic would remain encrypted and authenticated. For utility networks where the backhaul may traverse shared infrastructure, IPsec on the S1 interface is essential. The IPsec Security Gateway (SecGW) function may be co-located with the EPC or deployed as a separate network element.
NIS Regulations and CNI Security Requirements
UK critical infrastructure operators in the electricity, gas, water, transport and digital infrastructure sectors are subject to the Network and Information Systems (NIS) Regulations 2018 (implementing the EU NIS Directive). The NIS Regulations require operators of essential services to implement appropriate and proportionate technical and organisational security measures, with reporting obligations for significant incidents. The NCSC has published sector-specific guidance for CNI operators on telecommunications security, including guidance relevant to private cellular network deployments.
For utility operators considering LTE450 deployment, the security architecture of the network should be documented as part of the NIS compliance evidence pack. Key elements include: the authentication mechanism, encryption standards, network segmentation, monitoring and incident detection capability, and the security of the supply chain (eNodeB vendors, EPC software, SIM manufacturer).
Frequently Asked Questions
Yes, significantly. An MVNO arrangement routes utility device traffic through a shared public mobile network where QoS, routing and security policies are under the MNO’s control, not the utility’s. The utility’s traffic shares infrastructure with millions of consumers and businesses. A private LTE450 network gives the utility operator full control: their own spectrum, their own HSS (only authorised SIMs attach), their own EPC (routing and firewall policies), and their own private APN (traffic never touches the public internet). The 3GPP AKA security is the same in both cases, but the operational security posture is fundamentally different.
LTE450 can carry Push-to-Talk (PTT) voice and data communications using applications such as MCPTT (Mission Critical Push-to-Talk) defined in 3GPP Release 13+. However, TETRA (Terrestrial Trunked Radio) has specific features – direct mode operation (device-to-device without infrastructure), very fast call setup, and proven operational procedures for public safety – that LTE has not fully replicated in all deployment scenarios. For utility operations and maintenance communications (as opposed to blue-light emergency services), LTE450 with MCPTT is generally considered a suitable and cost-effective solution.
LTE450 uses AES-128 (Advanced Encryption Standard, 128-bit key) with the EEA2 encryption algorithm for the air interface, or SNOW 3G with EEA1. The algorithm selection is negotiated during connection establishment. AES-128 is considered unbreakable with current computing technology and is used by governments and military globally for classified communications up to SECRET classification in some nations.