Tackling Security Challenges in 5G Networks

The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.

Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.

The report released today supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

How does it work?

Traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. Network Function Virtualisation is a new technology used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms.

Applying network function virtualisation will therefore reduce the number of operations and maintenance costs.

60 security challenges were identified in the report and classified under 7 categories:

- Virtualisation or containerisation;
- Orchestration and management;
- Administration and access control;
- New and legacy technologies;
- Adoption of open source or COTS;
- Supply chain;
- Lawful interception (LI).

How do we address the security challenges

The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. The work includes a total of 55 best practices classified under Technical, Policy and Organisational categories.

Some of the key findings the report include:

- Resource virtualisation:
The virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences.

- Resource sharing:
A single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.

- Use of open source:
There will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws.

- Multi-vendor environment:
In such environment, it remains difficult to coordinate security policies and determine responsibility for security problems and more effective network security monitoring capabilities are required.

NFV is an important technology in 5G and its security is critical for the overall security of the 5G networks, especially because 5G networks are underpinning critical infrastructures.

Fourth radio interface technology added to 5G standards

Members of the International Telecommunication Union (ITU) today approved a fourth technology as part of ongoing standards development for 5G mobile services.

Known as “DECT 5G-SRIT", the new technology supports a range of uses, from wireless telephony and audio streaming to industrial Internet of Things (IoT) applications, particularly in smart cities.

It was added in the first revision to ITU's key recommendation IMT-2020, which broadly encompasses fifth-generation, or 5G, networks, services, and devices.

This ITU Radiocommunication Sector (ITU-R) Recommendation – providing a set of global technical 5G standards – reflects continual consultation and discussion among governments, companies, regulators, and other stakeholders dealing with radiocommunication worldwide.

Along with fostering connectivity across borders, ITU promotes the global rollout of 5G as a key driver to achieve the UN's 17 Sustainable Development Goals.​

“New and emerging technologies like 5G will be essential to build an inclusive, sustainable future for all people, communities and countries," said ITU's Secretary-General, Houlin Zhao. “Under the ongoing International Mobile Telecommunications or IMT programme, our diverse global membership continues its long-standing contribution to advance broadband mobile communications, furthering our mission to leave no one behind in connecting the world."

A new radio interface technology

ITU – the United Nations agency entrusted with coordinating radio-frequency spectrum worldwide - published the specifications for the new technology as Recommendation ITU-R M.2150-1.

The technology is designed to provide a slim but strong technical foundation for wireless applications deployed in a range of use cases, from cordless telephony to audio streaming, and from professional audio applications to the industrial Internet of Things (IoT) applications, such as building automation and monitoring.

The European Telecommunications Standards Institute (ETSI) laid the essential groundwork jointly with the DECT Forum, a worldwide association of the digital enhanced cordless telecommunications (DECT) or wireless technology industry.

ESF Members, NSA and CISA publish the fourth installment of 5G cybersecurity guidance

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published the fourth installment on securing integrity of 5G cloud infrastructures, Ensure Integrity of Cloud Infrastructure. As 5G networks and devices continue to increase in popularity, the importance of platform security to harden your systems against malicious cyber activity and persistence is apparent.

This guidance has been created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group - a public-private working group led by NSA and CISA, that provides cybersecurity guidance addressing high priority threats to the nation’s critical infrastructure.

Ensure Integrity of Cloud Infrastructure provides guidance on platform integrity, build time security, launch time integrity, and micro services infrastructure integrity. An industry trend has been to deploy stand-alone 5G core using virtualized functions of micro services on an architecture that provides rapid enablement of services. It is imperative for device and system security that the underlying 5G cloud infrastructure platform on which micro services are deployed, or orchestrated, have been designed and built securely and continue operating as intended.

"A secure 5G core requires cybersecurity mitigations that are implemented at the foundation level and carried forward," said Jorge Laurel, NSA Project Director for ESF. "A secure underlying foundation ensures the services deployed on the network are done so on a secure infrastructure, which further strengthens the security of data across the network."

“The document provides actionable advice for 5G operators, said Neal Ziring, NSA Cybersecurity Technical Director. “The fourth installment in the series covers an essential topic: integrity. Integrity is the most fundamental security property, and ensuring integrity from base hardware up through the software stack is critical for maintaining trustworthy 5G services.”

“The issues facing the cloud community, such as lateral movement to pod security and infrastructure integrity, are complex as are their solutions,” said Alaina Clark, Assistant Director of Stakeholder Engagement, CISA. “This series demonstrates the value of collaboration, spotlighting several cyber best practices that cloud providers, mobile network operators, and customers alike can implement for long-term security benefits. With our ESF government and industry associates, CISA will continue working with the Cloud and 5G communities to secure our Nation’s network infrastructure through partnership efforts like this.”

NSA and CISA provide cybersecurity guidance for 5G cloud infrastructures

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published cybersecurity guidance to securely build and configure cloud infrastructures in support of 5G. Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement is the first of a four-part series created by the Enduring Security Framework (ESF), a cross-sector, public-private working group which provides cybersecurity guidance that addresses high priority cyber-based threats to the nation’s critical infrastructure.

“This series provides key cybersecurity guidance to configure 5G cloud infrastructure,” said Natalie Pittore, Chief of ESF in NSA’s Cybersecurity Collaboration Center. “Our team examined priority risks so that we could provide useful guidance, disseminated in an actionable way to help implementers protect their infrastructure.”

The series builds on the ESF Potential Threat Vectors to 5G Infrastructure analysis paper released in May 2021, which focused specifically on threats, vulnerabilities, and mitigations that apply to the deployment of 5G infrastructures. Based on preliminary analysis and threat assessment, the top 5G cloud infrastructure security challenges were identified by ESF and a four-part series of instructional documents covering those challenges will be released over the next few weeks. Topics include securely isolating network resources; protecting data in transit, in use, and at rest; and ensuring integrity of the network infrastructure.

Part I focuses on detecting malicious cyber actor activity in 5G clouds to prevent the malicious cyberattack of a single cloud resource from compromising the entire network. The guidance provides recommendations for mitigating lateral movement attempts by malicious cyber actors who have successfully exploited a vulnerability to gain initial access into a 5G cloud system.
“This series exemplifies the national security benefits resulting from the joint efforts of ESF experts from CISA, NSA, and industry,” said Rob Joyce, NSA Cybersecurity Director. “Service providers and system integrators that build and configure 5G cloud infrastructures who apply this guidance will do their part to improve cybersecurity for our nation.”

“Strong and vibrant partnerships are critical to the overall effort to reduce cyber risk. Along with our public and private partners in the ESF, CISA is proud to partner with NSA to present the Security Guidance series for 5G Infrastructure,” said Alaina Clark, Assistant Director for Stakeholder Engagement. “Protecting 5G cloud infrastructure is a shared responsibility and we encourage 5G providers, operators and customers to review the new guidance.”

5G cloud providers, integrators, and network operators share the responsibility to detect and mitigate lateral movement attempts within their 5G cloud infrastructure. This document provides best practices to secure the 5G cloud from specific cyber threats of lateral movement that could compromise a network.

Telcos strengthen India’s disaster preparedness

When Cyclone Tauktae struck India’s western coastal areas several months ago, it brought mass destruction of property and disrupted daily life in five Indian states.
Despite the storm’s ‘extremely severe’ designation, the damage and loss of lives were less than expected. This was thanks in large part to national disaster preparation plans, underpinned by information and communication technologies (ICTs) and timely preparation by telecom operators.
Technology plays a pivotal role at each stage of disaster management, from early warning and mitigation to response, and then to post-disaster recovery and rehabilitation.
Collaborative action on the ground
To prepare for the upcoming disaster, the Indian government had already implemented standard operating procedures (SOPs), whereby telecom operators initiated inter-operator roaming services that let mobile phone users switch easily between networks based on availability.
Priority call routing enabled rescue and relief crews to coordinate with government officials, including in the vital restoration work in Tauktae’s aftermath.
On-site diesel and battery back-up were ready to mitigate any power cuts, while coordination was stepped up with the National Disaster Management Authority, the National Disaster Relief Force, and central, state and local governments.
Challenges for operators during disasters
Telecom and ICT operators form the backbone of connectivity across the world. But ICT services can be hard to maintain – let alone expand – during earthquakes, tsunamis or a pandemic.
Natural hazards often damage towers, power generators, cables and wires. At the same time, network congestion arises as people call family and friends, frequently hampering rescue and relief operations.
Amid the COVID-19 pandemic, telecom and Internet usage have surged everywhere.
Meanwhile, with shops closed, pre-paid mobile consumers could not recharge their credit.
Still, telecom operators maintained the continuity of services and facilitated online recharges for pre-paid users.
By the time of the May 2021 cyclone, lessons from both before and during the pandemic, had made India’s telecom networks more robust and resilient, with sufficient adaptability and scalability to handle demand spikes.
How operators can prepare
Access to robust and secure ICT infrastructure is critical. Putting resilient networks and disaster management tools in place well ahead of time helps to mitigate negative impacts.
Wherever feasible, telecom operators must upgrade to 4G or 5G, as well as educate staff and raise awareness among customers on how to withstand disaster situations, including recharging subscriptions online with mobile devices.
Inter-operator roaming agreements can ensure continuous service for all customers in a disaster-affected area, even if the infrastructure of one or two operators suffers damage. Along with temporary solutions like CoW, operators can turn to satellite-based plug-and-play networks to stand in for damaged terrestrial infrastructure.

Agencies Should Strengthen Collaborative Mechanisms and Processes to Address Potential Interference

In the U.S., the FCC and the National Telecommunications and Information Administration regulate radio-frequency spectrum use to ensure enough is available for 5G networks, satellites, etc. when there could be interference, FCC and NTIA coordinate with other federal agencies via interagency agreements and groups.
To address potential interference among proposed uses of spectrum, these agencies employ various coordination mechanisms. For domestic matters, the agencies coordinate through an NTIA-led committee that provides input to FCC’s spectrum proceedings. For U.S. participation in the International Telecommunication Union’s (ITU) World Radiocommunication Conferences (WRC), agencies coordinate via a preparatory committee that provides input used to develop U.S. positions that the Department of State submits to a regional body or directly to the WRC.
These mechanisms reflect some key collaboration practices but do not fully reflect others. For example, while the documents that guide coordination between FCC and NTIA and the preparatory committee emphasize reaching consensus whenever possible, there are no clearly defined and agreed-upon processes for resolving matters when agencies cannot do so. Additionally, neither document has been updated in almost 20 years, though agency officials said conditions regarding spectrum management activities have changed in that time. GAO’s review of U.S. participation in ITU’s 2019 WRC shows that these issues affected collaboration. For example, disputes among the agencies and the inability to reach agreement on U.S. technical contributions challenged the U.S.’s ability to present an agreed-upon basis for decisions or a unified position.
NOAA and NASA conduct and FCC and NTIA review technical interference studies on a case-by-case basis. When originating from ITU activities, the agencies conduct or review technical interference studies through participation in international technical meetings and the preparatory committee process. However, the lack of consensus on study design and, within the U.S. process, specific procedures to guide the design of these types of studies, hampered U.S. efforts to prepare for the 2019 WRC. For example, the U.S. did not submit its studies on certain key issues to the final technical meeting, resulting in some stakeholders questioning whether the corresponding U.S. positions were technically rooted. Agreed-upon procedures could help guide U.S. efforts to design these studies and consider tradeoffs between what is desirable versus practical, to mitigate the possibility of protracted disagreements in the future.

CISA releases new 5G paper with NSAcyber and ODNIgov: Potential Threat Vectors to 5G Infrastructure

Securing Critical Infrastructure operations means ensuring cybersecurity practices are incorporated within 5G.
The deployment of 5G has begun, and with it, a wealth of benefits that has the potential to impact every aspect of our lives and work. With faster connectivity, ultra-low latency, greater network capacity, 5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud. It will enable large-scale connections, capabilities, and services that can pave the way for smart cities, remote surgery, autonomous vehicles, and other emergent technologies. However, these capabilities also make 5G networks an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence and even global disruption.
To secure the full scope of 5G use cases, it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology. In March 2020, the White House developed the National Strategy to Secure 5G, which outlines how the Nation will safeguard 5G infrastructure domestically and abroad. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—initiated an assessment of the cybersecurity and vulnerabilities to 5G infrastructure. The ESF established the 5G Threat Model Working Panel which developed this paper, Potential Threat Vectors to 5G Infrastructure, to enhance understanding of the threats posed to 5G adoption.
The Working Panel reviewed existing bodies of public and private research and analysis to identify and generate an aggregated list of known and potential threats to the 5G environment. From that list, they identified three primary threat vectors areas—Policy and Standards, Supply Chain, and 5G Systems Architecture—and within these threat vectors, 11 sub-threats were identified as additional points of vulnerability for threat actors to exploit (i.e., open standards, counterfeit parts, and multi-access edge computing). This paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the Unites States, and not the culmination of it.
With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that government and industry collaborate to ensure that cybersecurity is prioritized within the design and development of 5G technology.
https://www.cisa.gov/publication/5g-potential-threat-vectors

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP
The European Union Agency for Cybersecurity (ENISA) provides authorities with technical guidance on the 5G Toolbox measure for security requirements in existing 5G standards.
The Agency has released its Security in 5G Specifications Report about key security controls in the Third Generation Partnership Project (3GPP), the main body developing technical specifications for fifth generation of mobile telecommunications (5G) networks. As vendors, system integrators and operators build, deploy and manage 5G networks, the ENISA publication underlines the need for cybersecurity and for the national regulatory authorities in charge of cybersecurity policy development and implementation to have a good understanding of these controls.
This new ENISA report is directly driven by the objectives set in the EU toolbox for 5G security - mainly technical measure ‘TM02’. This technical measure calls on the relevant authorities in EU Member States to ensure and evaluate the implementation of security measures in existing 5G standards (3GPP specifically) by operators and their suppliers.
The aim of the report is to help national and regulatory authorities to better understand the standardisation environment pertaining to 5G security, 3GPP security specifications and key security controls that operators must implement to secure 5G networks.
More specifically, the report provides:
- A high-level overview of the specification and standardisation landscape for the security of 5G networks, and of the main activities by various standardisation organisations and industrial groups in the area of 5G;
- An explanation of the technical specifications developed by 3GPP for the security of 5G networks, with a focus on optional security features;
- Summary of key findings and good security practices.
The ENISA report also covers security considerations beyond standards and specifications, such as testing and assurance, product development, network design, configuration and deployment, and operation and management.

One ICT regulator’s journey to 5th-generation regulation

The global regulatory and technology landscape is complex and fast-moving.
Regulators find themselves grappling with an ever-growing array of challenges, chief among them achieving the Sustainable Development Goals (SDGs) by the 2030 deadline, now just a decade away.
The Kingdom of Saudi Arabia’s ICT regulator is no exception, as the country continues to prioritize the rapid growth of its ICT sector and pursue sustainable economic diversification as part of its Vision 2030.
But what is 5th-generation in the first place? And how is Saudi Arabia’s Communications and Information Technology Commission (CITC) planning to get there?
The evolving role of the ICT regulator
If we think in terms of regulatory “generations”, the first employed a “command and control approach”, which often took the form of public or national telecom monopolies. The second-generation regulatory landscape saw the opening of markets, facilitating partial liberalization and privatization of telecommunications. By generation three, we saw accelerated investment, innovation, and access opportunities emerge, with regulators placing a dual focus on stimulating competition while ensuring consumer protection.
Fourth generation features integrated regulation, led by economic and social policy goals. A 4th-generation regulator is one that ensures or is working towards universal access, consults stakeholders regularly, and promotes international and regional cooperation, equitable spectrum management, and stronger consumer protection.
Where do regulators stand globally?
According to ITU’s Global ICT Regulatory Outlook 2020, 8 per cent of countries now has holistic, forward-looking regulatory frameworks enabling digital transformation across the economy.
40 per cent of countries remain in regulatory generations 1 and 2, missing development opportunities and remaining disconnected from the digital transformation of their economies. While one third of countries have achieved G4, characterized by thriving markets for ICT services and the lowest proportion of unconnected populations, some have already set 5th-generation regulation in their sights. In a 5th-generation regulatory environment, collaboration among even more stakeholders is key to shaping decisions in a harmonized way not only within the telecommunications realm, but across a broad range of sectors now dependent on ICTs.
CITC’s regulatory transformation
With a guiding vision of a “connected nation for a thriving digital economy”, CITC is stepping up to meet the 5th-generation regulation challenge with an ambitious new digital transformation strategy. Their vision also emphasizes safeguarding the public, providing reliable service, ensuring fair competition, and balancing the diverse needs of multiple stakeholders.
Historically, the Commission’s mandate focused on regulating the telecommunication and information technology sectors. But the last two years have seen that mandate evolve to reflect a changing global regulatory and technology landscape.
The Saudi Arabian regulator has met the challenges of an increasingly complex regulatory environment with a series of initiatives, including, among others:
• Promoting investment and infrastructure development while ensuring access to high-quality services. CITC reported investing 15 billion USD in infrastructure, including meeting major deployment milestones on network infrastructure and quality. Mobile broadband download speed reached 77.55 Mbps in August 2020, and mobile coverage increased to 99 per cent of the population for 3G and 94 per cent for 4G, according to CITC estimates.
• Establishing a National Regulatory Committee that will bring together 8 core regulators to collaborate on ICT and digital cross-sectoral topics like blockchain, smart cities and digital platforms, and proactively anticipate emerging topics. Additional public and private entities will be involved as needed. This collaboration was set up to accelerate regulation-to-adoption and seeks to drive innovation, job creation, and investor confidence by promoting coherence and efficiency across Saudi Arabia’s ICT ecosystem.
• Acting collaboratively to deploy ICTs during the COVID-19 pandemic. As the pandemic reached Saudi Arabia, CITC collaborated quickly and effectively with telecom operators to meet the surge in demand for online access and data with increased speeds and data capacity, free services, expanded spectrum use, and enhanced network configurations and connectivity. This rapid response played a critical role in enabling remote work, business continuity, delivery apps, e-government services, and remote learning across Saudi Arabia.
[courtesy of ITU]

ENISA 5G Threat Landscape Report Updated to Enhance 5G Security

The European Union Agency for Cybersecurity (ENISA) published an updated version of its 5G threat assessment report to address advancements in the areas of fifth generation of mobile telecommunications networks (5G) and to contribute to the implementation of the EU 5G toolbox cybersecurity risk mitigating measures.
The new ENISA Threat Landscape for 5G Networks report is a major update of the previous edition as it captures recent developments in 5G standardisation. The publication includes a vulnerability analysis, which examines the exposure of 5G components. The analysis explores how cyber threats can exploit vulnerabilities and how technical security controls can help mitigate risks.
European Union Agency for Cybersecurity Executive Director Juhan Lepassaar explained: “By providing regular threat assessments, the EU Agency for Cybersecurity materialises its support to the EU cybersecurity ecosystem.  This work is part of our continuous contribution to securing 5G, a key infrastructure for the years to come.”
The New Threat Landscape includes:
- An updated system architecture of 5G, indicating introduced novelties and assessed security considerations;
- A detailed vulnerability analysis of all relevant 5G assets, including their exposure to threats;
- A mapping of related security controls aiming at the reduction of threat surface;
- An update of the relevant threats in accordance with their exploitation potential of the assessed vulnerabilities;
- The consideration of implementation options – migration paths from 4G to 5G infrastructures;
- The development of a process map showing the contribution of operational, life cycle and security assurance processes to the overall security of 5G infrastructures;
- A new inventory of critical components.
The information produced for this report is based on publicly available content published by 5G market players (operators, vendors, and national and international organisations), standardisation groups and bodies (for example: 3rd Generation Partnership Project (3GPP); International Telecommunications Union (ITU); European Telecommunications Standardisation Institute (ETSI); International Organisation for Standardisation (ISO); the Global System for Mobile Communications (GSMA)).
1 2