5G Security

Towards trustworthy products for resilient networks

By David Soldani, CTSO, Huawei Technologies


5G technologies will be applied to many vertical industries and support various usage scenarios, such as applications to internet of things (IoT), self-driving vehicles and health care, to mention a few.

In general, most of the threats and challenges faced by 5G security are the same as those faced by 4G security, and the new security risks that come with new services, architectures and technologies are well mitigated.

Although the separation between access and core network is as clear as that in 4G, the architecture of 5G is constantly evolving and will continue to evolve over the next decade until 6G is developed.

Whereas the first 5G release (3GPP Release 15) predominantly addressed the immediate needs of enhancing the mobile broadband experience, 3GPP Release 16 (just finalized) and 3GPP Release 17 take 5G toward the full 5G vision, balancing the needs of mobile broadband operators with expanding into new markets, including vertical players. 3GPP Release 18 and beyond will focus on the definition of new use cases, study items (SI) and work items (WI) towards 6G, which is expected to be specified by 2030.

3GPP Release 15 defines the 5G security infrastructure and further enhances 4G security by supporting: user plane integrity protection for better air interface security; user privacy preservation by encrypting the permanent identity; subscriber-level security policies for flexible security management; unified authentication for a seamless experience across wireline and wireless access to 5G services; and enhanced roaming security by encrypting traffic between home and visited mobile networks. It also supports security assurance and test methods for 5G core network functions and base stations (gNodeB).

3GPP Release 16 fortifies the security architecture for wireless-wireline convergence, and supports security for vertical functions, as well as authentication and key management for vertical applications, such as network slicing, industrial IoT (IIoT), cellular IoT (CIoT), multi-access edge computing (MEC), and terrestrial and aerial manned and unmanned vehicles. It also supports security assurance requirements and test cases for data analytics, inter-working and service communication proxy functions.

3GPP Release 17 will further evolve user plane integrity; authentication functions; and security controls against rogue base stations, and for slice enhancement, private networks, drones and broadcast channels. It will also support security assurance requirements and test cases for additional network equipment and related functions.

The GSM Association (GSMA) Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and the GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry.

The NESAS defines security requirements based on 3GPP technical specifications; an assessment framework for secure product development and product lifecycle processes; and a security evaluation scheme for network equipment, using the 3GPP-defined security specifications and test cases, i.e., the 3GPP Security Assurance Specifications (SCAS).


The NESAS focuses on the vendor aspects of the supply chain, and thus provides a security assurance framework to improve security levels across the whole mobile industry; it has been developed following established practices and schemes that provide trustworthy security assurance.

The NESAS is widely supported by security authorities (such as ENISA in EU, ANSSI in France and BSI in Germany) and industry organizations, globally.

The NESAS 1.0 release was finalized in October 2019. Ericsson, Nokia and Huawei openly support NESAS as a unified cyber security certification framework for mobile network equipment, and more than ten operators have requested NESAS compliance before deploying 5G equipment in their countries.

On 24 August 2020, the GSMA announced that the world's leading mobile network equipment vendors, Ericsson, Huawei, Nokia and ZTE, had successfully completed an assessment of their product development and life cycle management processes using the GSMA's NESAS. In particular, Huawei has passed the auditing process for its LTE eNodeB, 5G gNodeB and 5G Core product lines. Also, last month, the Huawei 5G gNodeB and LTE eNodeB passed testing against the 3GPP security assurance specifications.

The NESAS 1.0 framework was approved in October 2019 and comprises a number of technical specifications that meet the basic requirements of the EU Cyber Security Act. The NESAS specifications will be further improved by the end of this year to meet higher security assurance levels in compliance with the EU Cyber Security Act. This will take into account the best industry standards and security practices.

Trustworthy products and resilient networks cannot be achieved without the full participation of all the elements in the trust chain of a network. We need a layered defense, where controls of various types and kinds overlap each other in coverage; that is how a defense-in-depth 5G security strategy should be implemented.

An example of a defense-in-depth approach to 5G security deployment requires support for:

  • All 3GPP SCAS requirements, and fundamental security control enhancements, such as: user plane (UP) integrity protection, UP security policy, roaming security, user privacy preservation (encryption of the international mobile subscriber identity), unified authentication and enhanced encryption algorithms.
  • Equipment security, for example: 3-plane isolation, data security, host intrusion detection and Trusted Execution Environment (TEE).
  • Sub-solutions for Radio Access Network (RAN) security (e.g. rogue base station detection, secure transmission), MEC security (MEC platform hardening, MEC security operations, end-to-end encrypted local network), Core Network security (multi-layer isolation and hardening, disaster and elastic recovery), Network Slicing security (slice isolation, encryption and protection, differentiated slice security) and Massive Connectivity security (signaling domain anti-DDoS and data domain anti-DDoS).
  • Security management, which includes an Element Management System (EMS) layer, for situational awareness, anomaly detection, trusted integrity measurements, certificate management, log auditing, and Network Element (NE) vulnerability management; and an end-to-end Security Operation Centre (SOC), for security situational awareness, AI-based threat analysis and detection, security orchestration and Network Element (NE) vulnerability management.

5G security requires collaboration in terms of standards, devices, and deployment. All parties in the industry chain need to take their own security responsibilities. In order to mitigate the related cyber security risks:

  • Suppliers must prioritize cyber security sufficiently (e.g. respect laws, regulations, standards, certify their products, and ensure quality in their supply chains);
  • Telecoms operators are responsible for assessing risks and taking appropriate measures to ensure compliance, security and resilience of their networks;
  • Service providers and customers are responsible for the implementation, deployment, support and activation of all appropriate security mechanisms of service applications and information (data);
  • Regulators are responsible for guaranteeing that telecoms providers take appropriate measures to safeguard the general security and resilience of their networks and services;
  • Governments have the responsibility of taking the necessary measures to ensure the protection of the national security interests and the enforcement of conformance programs and independent product testing and certification; and
  • Standardization development organizations must ensure that there are proper specifications and standards for security assurance and best practices in place, such as the GSMA NESAS.

The mobile industry needs a globally trusted and mutually recognized security assurance scheme. All stakeholders are invited to adopt and contribute to the GSMA NESAS, which is a security assurance scheme with shared and tailored specifications. Industry players, governments, security agencies and regulators are recommended to adopt the GSMA NESAS for testing and evaluating telecoms equipment.

The NESAS is a customized, authoritative, unified, efficient and constantly evolving security assurance scheme for the mobile industry, and could be a part of certification and accreditation processes against a predetermined set of security standards and policies for security authorization in any country.


About the Author

David Soldani is the CTSO of Huawei Technologies (Australia). He received a Master of Science (M.Sc.) degree in Engineering with full marks and magna cum laude approbatur from the University of Florence, Italy, in 1994; and a Doctor of Science (D.Sc.) degree in Technology with distinction from Helsinki University of Technology, Finland, in 2006. In 2014, 2016 and 2018 he was appointed Visiting Professor, Industry Professor, and Adjunct Professor at the University of Surrey, UK, the University of Technology Sydney (UTS), Australia, and the University of New South Wales (UNSW), respectively. D. Soldani is currently at Huawei Technologies, serving as Chief Technology and Cyber Security Officer (CTSO) in Australia, Huawei ICT Security Expert within the Asia Pacific Region, and Chairman of the IMDA 5G task force in Singapore. Prior to that he was Head of 5G Technology, e2e, global, at Nokia; and Head of the Central Research Institute (CRI) and VP Strategic Research and Innovation in Europe, at the Huawei European Research Centre (ERC). David can be reached online at https://www.linkedin.com/in/dr-david-soldani/

February 6, 2021
