NSA and CISA provide cybersecurity guidance for 5G cloud infrastructures

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published cybersecurity guidance to securely build and configure cloud infrastructures in support of 5G. Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement is the first of a four-part series created by the Enduring Security Framework (ESF), a cross-sector, public-private working group which provides cybersecurity guidance that addresses high priority cyber-based threats to the nation’s critical infrastructure.

“This series provides key cybersecurity guidance to configure 5G cloud infrastructure,” said Natalie Pittore, Chief of ESF in NSA’s Cybersecurity Collaboration Center. “Our team examined priority risks so that we could provide useful guidance, disseminated in an actionable way to help implementers protect their infrastructure.”

The series builds on the ESF Potential Threat Vectors to 5G Infrastructure analysis paper released in May 2021, which focused specifically on threats, vulnerabilities, and mitigations that apply to the deployment of 5G infrastructures. Based on preliminary analysis and threat assessment, the top 5G cloud infrastructure security challenges were identified by ESF and a four-part series of instructional documents covering those challenges will be released over the next few weeks. Topics include securely isolating network resources; protecting data in transit, in use, and at rest; and ensuring integrity of the network infrastructure.

Part I focuses on detecting malicious cyber actor activity in 5G clouds to prevent the malicious cyberattack of a single cloud resource from compromising the entire network. The guidance provides recommendations for mitigating lateral movement attempts by malicious cyber actors who have successfully exploited a vulnerability to gain initial access into a 5G cloud system.

“This series exemplifies the national security benefits resulting from the joint efforts of ESF experts from CISA, NSA, and industry,” said Rob Joyce, NSA Cybersecurity Director. “Service providers and system integrators that build and configure 5G cloud infrastructures who apply this guidance will do their part to improve cybersecurity for our nation.”

“Strong and vibrant partnerships are critical to the overall effort to reduce cyber risk. Along with our public and private partners in the ESF, CISA is proud to partner with NSA to present the Security Guidance series for 5G Infrastructure,” said Alaina Clark, Assistant Director for Stakeholder Engagement. “Protecting 5G cloud infrastructure is a shared responsibility and we encourage 5G providers, operators and customers to review the new guidance.”

5G cloud providers, integrators, and network operators share the responsibility to detect and mitigate lateral movement attempts within their 5G cloud infrastructure. This document provides best practices to secure the 5G cloud from specific cyber threats of lateral movement that could compromise a network.

Telcos strengthen India’s disaster preparedness

When Cyclone Tauktae struck India’s western coastal areas several months ago, it brought mass destruction of property and disrupted daily life in five Indian states.
Despite the storm’s ‘extremely severe’ designation, the damage and loss of lives were less than expected. This was thanks in large part to national disaster preparation plans, underpinned by information and communication technologies (ICTs) and timely preparation by telecom operators.
Technology plays a pivotal role at each stage of disaster management, from early warning and mitigation to response, and then to post-disaster recovery and rehabilitation.
Collaborative action on the ground
To prepare for the upcoming disaster, the Indian government had already implemented standard operating procedures (SOPs), whereby telecom operators initiated inter-operator roaming services that let mobile phone users switch easily between networks based on availability.
Priority call routing enabled rescue and relief crews to coordinate with government officials, including in the vital restoration work in Tauktae’s aftermath.
On-site diesel and battery back-up were ready to mitigate any power cuts, while coordination was stepped up with the National Disaster Management Authority, the National Disaster Relief Force, and central, state and local governments.
Challenges for operators during disasters
Telecom and ICT operators form the backbone of connectivity across the world. But ICT services can be hard to maintain – let alone expand – during earthquakes, tsunamis or a pandemic.
Natural hazards often damage towers, power generators, cables and wires. At the same time, network congestion arises as people call family and friends, frequently hampering rescue and relief operations.
Amid the COVID-19 pandemic, telecom and Internet usage have surged everywhere.
Meanwhile, with shops closed, pre-paid mobile consumers could not recharge their credit.
Still, telecom operators maintained the continuity of services and facilitated online recharges for pre-paid users.
By the time of the May 2021 cyclone, lessons from both before and during the pandemic had made India’s telecom networks more robust and resilient, with sufficient adaptability and scalability to handle demand spikes.
How operators can prepare
Access to robust and secure ICT infrastructure is critical. Putting resilient networks and disaster management tools in place well ahead of time helps to mitigate negative impacts.
Wherever feasible, telecom operators must upgrade to 4G or 5G, as well as educate staff and raise awareness among customers on how to withstand disaster situations, including recharging subscriptions online with mobile devices.
Inter-operator roaming agreements can ensure continuous service for all customers in a disaster-affected area, even if the infrastructure of one or two operators suffers damage. Along with temporary solutions like CoW, operators can turn to satellite-based plug-and-play networks to stand in for damaged terrestrial infrastructure.

Agencies Should Strengthen Collaborative Mechanisms and Processes to Address Potential Interference

In the U.S., the FCC and the National Telecommunications and Information Administration (NTIA) regulate radio-frequency spectrum use to ensure enough is available for 5G networks, satellites, etc. When there could be interference, FCC and NTIA coordinate with other federal agencies via interagency agreements and groups.
To address potential interference among proposed uses of spectrum, these agencies employ various coordination mechanisms. For domestic matters, the agencies coordinate through an NTIA-led committee that provides input to FCC’s spectrum proceedings. For U.S. participation in the International Telecommunication Union’s (ITU) World Radiocommunication Conferences (WRC), agencies coordinate via a preparatory committee that provides input used to develop U.S. positions that the Department of State submits to a regional body or directly to the WRC.
These mechanisms reflect some key collaboration practices but do not fully reflect others. For example, while the documents that guide coordination between FCC and NTIA and the preparatory committee emphasize reaching consensus whenever possible, there are no clearly defined and agreed-upon processes for resolving matters when agencies cannot do so. Additionally, neither document has been updated in almost 20 years, though agency officials said conditions regarding spectrum management activities have changed in that time. GAO’s review of U.S. participation in ITU’s 2019 WRC shows that these issues affected collaboration. For example, disputes among the agencies and the inability to reach agreement on U.S. technical contributions challenged the U.S.’s ability to present an agreed-upon basis for decisions or a unified position.
NOAA and NASA conduct and FCC and NTIA review technical interference studies on a case-by-case basis. When originating from ITU activities, the agencies conduct or review technical interference studies through participation in international technical meetings and the preparatory committee process. However, the lack of consensus on study design and, within the U.S. process, specific procedures to guide the design of these types of studies, hampered U.S. efforts to prepare for the 2019 WRC. For example, the U.S. did not submit its studies on certain key issues to the final technical meeting, resulting in some stakeholders questioning whether the corresponding U.S. positions were technically rooted. Agreed-upon procedures could help guide U.S. efforts to design these studies and consider tradeoffs between what is desirable versus practical, to mitigate the possibility of protracted disagreements in the future.

CISA releases new 5G paper with NSAcyber and ODNIgov: Potential Threat Vectors to 5G Infrastructure

Securing Critical Infrastructure operations means ensuring cybersecurity practices are incorporated within 5G.
The deployment of 5G has begun, and with it, a wealth of benefits that has the potential to impact every aspect of our lives and work. With faster connectivity, ultra-low latency, and greater network capacity, 5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud. It will enable large-scale connections, capabilities, and services that can pave the way for smart cities, remote surgery, autonomous vehicles, and other emergent technologies. However, these capabilities also make 5G networks an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence and even global disruption.
To secure the full scope of 5G use cases, it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology. In March 2020, the White House developed the National Strategy to Secure 5G, which outlines how the Nation will safeguard 5G infrastructure domestically and abroad. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—initiated an assessment of the cybersecurity and vulnerabilities to 5G infrastructure. The ESF established the 5G Threat Model Working Panel which developed this paper, Potential Threat Vectors to 5G Infrastructure, to enhance understanding of the threats posed to 5G adoption.
The Working Panel reviewed existing bodies of public and private research and analysis to identify and generate an aggregated list of known and potential threats to the 5G environment. From that list, they identified three primary threat vector areas—Policy and Standards, Supply Chain, and 5G Systems Architecture—and within these threat vectors, 11 sub-threats were identified as additional points of vulnerability for threat actors to exploit (i.e., open standards, counterfeit parts, and multi-access edge computing). This paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the United States, and not the culmination of it.
With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that government and industry collaborate to ensure that cybersecurity is prioritized within the design and development of 5G technology.
https://www.cisa.gov/publication/5g-potential-threat-vectors

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP

The European Union Agency for Cybersecurity (ENISA) provides authorities with technical guidance on the 5G Toolbox measure for security requirements in existing 5G standards.
The Agency has released its Security in 5G Specifications Report about key security controls in the Third Generation Partnership Project (3GPP), the main body developing technical specifications for the fifth generation of mobile telecommunications (5G) networks. As vendors, system integrators and operators build, deploy and manage 5G networks, the ENISA publication underlines the need for cybersecurity and for the national regulatory authorities in charge of cybersecurity policy development and implementation to have a good understanding of these controls.
This new ENISA report is directly driven by the objectives set in the EU toolbox for 5G security - mainly technical measure ‘TM02’. This technical measure calls on the relevant authorities in EU Member States to ensure and evaluate the implementation of security measures in existing 5G standards (3GPP specifically) by operators and their suppliers.
The aim of the report is to help national and regulatory authorities to better understand the standardisation environment pertaining to 5G security, 3GPP security specifications and key security controls that operators must implement to secure 5G networks.
More specifically, the report provides:
- A high-level overview of the specification and standardisation landscape for the security of 5G networks, and of the main activities by various standardisation organisations and industrial groups in the area of 5G;
- An explanation of the technical specifications developed by 3GPP for the security of 5G networks, with a focus on optional security features;
- A summary of key findings and good security practices.
The ENISA report also covers security considerations beyond standards and specifications, such as testing and assurance, product development, network design, configuration and deployment, and operation and management.

One ICT regulator’s journey to 5th-generation regulation

The global regulatory and technology landscape is complex and fast-moving.
Regulators find themselves grappling with an ever-growing array of challenges, chief among them achieving the Sustainable Development Goals (SDGs) by the 2030 deadline, now just a decade away.
The Kingdom of Saudi Arabia’s ICT regulator is no exception, as the country continues to prioritize the rapid growth of its ICT sector and pursue sustainable economic diversification as part of its Vision 2030.
But what is 5th-generation in the first place? And how is Saudi Arabia’s Communications and Information Technology Commission (CITC) planning to get there?
The evolving role of the ICT regulator
If we think in terms of regulatory “generations”, the first employed a “command and control approach”, which often took the form of public or national telecom monopolies. The second-generation regulatory landscape saw the opening of markets, facilitating partial liberalization and privatization of telecommunications. By generation three, we saw accelerated investment, innovation, and access opportunities emerge, with regulators placing a dual focus on stimulating competition while ensuring consumer protection.
Fourth generation features integrated regulation, led by economic and social policy goals. A 4th-generation regulator is one that ensures or is working towards universal access, consults stakeholders regularly, and promotes international and regional cooperation, equitable spectrum management, and stronger consumer protection.
Where do regulators stand globally?
According to ITU’s Global ICT Regulatory Outlook 2020, 8 per cent of countries now have holistic, forward-looking regulatory frameworks enabling digital transformation across the economy.
40 per cent of countries remain in regulatory generations 1 and 2, missing development opportunities and remaining disconnected from the digital transformation of their economies. While one third of countries have achieved G4, characterized by thriving markets for ICT services and the lowest proportion of unconnected populations, some have already set 5th-generation regulation in their sights. In a 5th-generation regulatory environment, collaboration among even more stakeholders is key to shaping decisions in a harmonized way not only within the telecommunications realm, but across a broad range of sectors now dependent on ICTs.
CITC’s regulatory transformation
With a guiding vision of a “connected nation for a thriving digital economy”, CITC is stepping up to meet the 5th-generation regulation challenge with an ambitious new digital transformation strategy. Their vision also emphasizes safeguarding the public, providing reliable service, ensuring fair competition, and balancing the diverse needs of multiple stakeholders.
Historically, the Commission’s mandate focused on regulating the telecommunication and information technology sectors. But the last two years have seen that mandate evolve to reflect a changing global regulatory and technology landscape.
The Saudi Arabian regulator has met the challenges of an increasingly complex regulatory environment with a series of initiatives, including, among others:
• Promoting investment and infrastructure development while ensuring access to high-quality services. CITC reported investing 15 billion USD in infrastructure, including meeting major deployment milestones on network infrastructure and quality. Mobile broadband download speed reached 77.55 Mbps in August 2020, and mobile coverage increased to 99 per cent of the population for 3G and 94 per cent for 4G, according to CITC estimates.
• Establishing a National Regulatory Committee that will bring together 8 core regulators to collaborate on ICT and digital cross-sectoral topics like blockchain, smart cities and digital platforms, and proactively anticipate emerging topics. Additional public and private entities will be involved as needed. This collaboration was set up to accelerate regulation-to-adoption and seeks to drive innovation, job creation, and investor confidence by promoting coherence and efficiency across Saudi Arabia’s ICT ecosystem.
• Acting collaboratively to deploy ICTs during the COVID-19 pandemic. As the pandemic reached Saudi Arabia, CITC collaborated quickly and effectively with telecom operators to meet the surge in demand for online access and data with increased speeds and data capacity, free services, expanded spectrum use, and enhanced network configurations and connectivity. This rapid response played a critical role in enabling remote work, business continuity, delivery apps, e-government services, and remote learning across Saudi Arabia.
[courtesy of ITU]

ENISA 5G Threat Landscape Report Updated to Enhance 5G Security

The European Union Agency for Cybersecurity (ENISA) published an updated version of its 5G threat assessment report to address advancements in the areas of fifth generation of mobile telecommunications networks (5G) and to contribute to the implementation of the EU 5G toolbox cybersecurity risk mitigating measures.
The new ENISA Threat Landscape for 5G Networks report is a major update of the previous edition as it captures recent developments in 5G standardisation. The publication includes a vulnerability analysis, which examines the exposure of 5G components. The analysis explores how cyber threats can exploit vulnerabilities and how technical security controls can help mitigate risks.
European Union Agency for Cybersecurity Executive Director Juhan Lepassaar explained: “By providing regular threat assessments, the EU Agency for Cybersecurity materialises its support to the EU cybersecurity ecosystem. This work is part of our continuous contribution to securing 5G, a key infrastructure for the years to come.”
The New Threat Landscape includes:
- An updated system architecture of 5G, indicating introduced novelties and assessed security considerations;
- A detailed vulnerability analysis of all relevant 5G assets, including their exposure to threats;
- A mapping of related security controls aiming at the reduction of threat surface;
- An update of the relevant threats in accordance with their exploitation potential of the assessed vulnerabilities;
- The consideration of implementation options – migration paths from 4G to 5G infrastructures;
- The development of a process map showing the contribution of operational, life cycle and security assurance processes to the overall security of 5G infrastructures;
- A new inventory of critical components.
The information produced for this report is based on publicly available content published by 5G market players (operators, vendors, and national and international organisations), standardisation groups and bodies (for example: 3rd Generation Partnership Project (3GPP); International Telecommunications Union (ITU); European Telecommunications Standardisation Institute (ETSI); International Organisation for Standardisation (ISO); the Global System for Mobile Communications (GSMA)).

ITU Forum addresses opportunities and challenges of 5G implementation in Europe

“Just as 4G deployment was carried out across Europe with a strong focus on leaving no one behind, it is now our duty to ensure that an enabling regulatory environment sustains the deployment of 5G in a way that connectivity is leveraged by all and for all,” said Doreen Bogdan-Martin, Director of the Telecommunication Development Bureau at the ITU, as she welcomed participants of the ITU Regional Forum for Europe on 5G strategies, policies, and implementation.
The event was one of several milestones of the ITU Regional Initiative for Europe on broadband infrastructure, broadcasting and spectrum management.
Organized with the support of the Chancellery of The Prime Minister (KPRM) of the Republic of Poland, the Forum was opened by H.E. Mr. Marek Zagórski, Poland’s Secretary of State Government Plenipotentiary for Cybersecurity, who called for “connecting the unconnected” and “bridge the digital divide” as priorities in the context of Sustainable Development Goal (SDG) 10 on reducing inequality. Mr. Zagórski went on to highlight Poland’s achievements in the provision of high-quality connectivity towards an Internet Society by 2025, and called for the urgent need to address misinformation around 5G in Europe and beyond.
5G strategies and implementation dynamics
More than 50 speakers provided participants with a comprehensive overview of the status of 5G rollout, focusing on regional and national strategies and policies as well as other ongoing implementation challenges relevant to stakeholders in the Europe region.
The first day of proceedings saw context-setting interventions from the ITU Telecommunication Standardization Bureau (TSB) and the ITU Radiocommunication Bureau (BR), both of whom recognized excellent ITU cross-sectoral collaboration. Regional organizations and industry associations followed by discussing key priorities for the region, including the importance of international cooperation, industry collaboration, and regulation creating the necessary incentives for 5G deployment to deliver social and economic impact as well as the challenge of radiofrequency electromagnetic fields (RF-EMF).
Sessions 2 and 3 offered a detailed picture of the status of 5G implementation both in EU and non-EU countries. Administrations and National Regulatory Authorities recognized the importance of the transition to 5G converging towards the notion of “connecting everyone and everything” and reiterated how international cooperation must ensure a consistent deployment of 5G across the region, especially in the context of the post-COVID economic recovery.
In his second day keynote, 2020 BEREC Vice-chair Jeremy Godfrey highlighted the importance of sustainability and resilience in the post-COVID-19 world.
From the 5G commercialization and market development perspective, industry representatives from satellite, mobile and equipment providers noted in Session 4 that efforts and expectations should be placed in the business-to-business (B2B) rather than in the business-to-customer (B2C) segment, and should focus on innovation-driven public-private partnerships as well as on the industrial IoT environment enabling emergence of 5G applications and ecosystems.
During the Forum’s final session on the challenge of increasing public concern about RF-EMF, it was widely agreed that the focus should shift from the scientific evidence, which is already there, to elaborating new strategies for 5G and EMF risk communication, as some countries have already undertaken.
New publications, upcoming priorities and next steps
In the context of the Forum, and to prioritize topics for future consideration at the regional level, the ITU Office for Europe announced the publication of two background papers.
One includes a series of country profiles on 5G implementation dynamics in 18 non-EU countries in the Region, featuring the implementation of 5G strategies, frequency allocation, EMF regulation as well as private sector trials and commercialization at the country level. The country profiles are designed to act as a reference for decision-makers and as a platform to monitor progress in reducing intra-regional gaps.
The other background paper on 5G and electromagnetic fields (EMFs) responds to concerns of administrations observed across Europe by referencing scientific evidence and recommendations as well as outlining key challenges and open questions, including misinformation and the social and economic cost for societies resulting from holding back 5G. The paper aims to support administrations in their efforts to elaborate communications on 5G at the national level.
The virtual meeting also hosted representatives of international and regional organizations such as the World Health Organization (WHO), International Commission on Non-Ionizing Radiation Protection (ICNIRP), the European Broadcasting Union (EBU), the Nordic Council of Ministers, Eastern Partnership Electronic Communications Regulators Network (EaPeReg), the Body of European Regulators for Electronic Communications (BEREC) and a number of National Regulatory Authorities and ICT Ministries from both EU and non-EU countries as well as important industry associations such as the European Telecommunication Network Operators’ Association (ETNO), the EMEA Satellite Operators Association (ESOA), the European Competitive Telecommunications Association (ECTA), DIGITALEUROPE, and GSMA.