Tackling Security Challenges in 5G Networks

The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.

Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.

The report released today supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

How does it work?

Traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. Network Function Virtualisation is a new technology used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms.

Applying network function virtualisation will therefore reduce the number of operations and maintenance costs.

60 security challenges were identified in the report and classified under 7 categories:

- Virtualisation or containerisation;
- Orchestration and management;
- Administration and access control;
- New and legacy technologies;
- Adoption of open source or COTS;
- Supply chain;
- Lawful interception (LI).

How do we address the security challenges?

The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. The work includes a total of 55 best practices classified under Technical, Policy and Organisational categories.

Some of the key findings of the report include:

- Resource virtualisation:
The virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences.

- Resource sharing:
A single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.

- Use of open source:
There will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws.

- Multi-vendor environment:
In such an environment, it remains difficult to coordinate security policies and determine responsibility for security problems, and more effective network security monitoring capabilities are required.

NFV is an important technology in 5G and its security is critical for the overall security of the 5G networks, especially because 5G networks are underpinning critical infrastructures.

Asia-Pacific implements radiocommunication updates

Countries across Asia and the Pacific need fair, transparent, and predictable spectrum policies to accelerate equitable digital transformation across the region, according to radiocommunication experts convened by the International Telecommunication Union (ITU) over the last two weeks.

Regulators, industry experts and academics met to discuss future Asia-Pacific radio-frequency spectrum requirements following Radio Regulations updates.

"Radiocommunication services profoundly transform the way we work, travel, do business and access public services, including education and health," said ITU Secretary-General Houlin Zhao. “The Regional Radiocommunication Seminars provide an excellent opportunity for our members to learn the practical application of the ITU Radio Regulations, so that people everywhere can take advantage of the social and economic opportunities brought about by the rapid growth of digital platforms."

The regional seminar, convened entirely online, covered the regulatory framework for both terrestrial and space services and the procedures for filing and recording frequency assignments in the Master International Frequency Register (MIFR).

Masanori Kondo, Secretary-General of the Asia-Pacific Telecommunity, welcomed the discussions as “an opportunity for regulators to widen and deepen their knowledge and insight in the field of spectrum management.” He emphasized the need for Asia-Pacific countries to develop fair, predictable, and transparent spectrum management policies and regulations to keep their diverse and geographically extensive telecommunication sector functioning effectively.

ITU support and guidance
Participants discussed the current regulatory framework for international frequency management, ITU Radiocommunication (ITU-R) Recommendations, and best practices for spectrum use by both terrestrial and space services.

“Despite the challenges brought about by the COVID-19 pandemic, we continue to deliver high quality capacity building opportunities to our members, supporting them with all the information and tools they need to analyse and implement the Radio Regulations and promote efficient spectrum management,” said Mario Maniewicz, Director of the ITU Radiocommunication Bureau.

RRS-21 Asia-Pacific also included basic training to prepare for technical examinations and gain familiarity with ITU tools to produce frequency notices.

NSA and CISA provide cybersecurity guidance for 5G cloud infrastructures

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published cybersecurity guidance to securely build and configure cloud infrastructures in support of 5G. Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement is the first of a four-part series created by the Enduring Security Framework (ESF), a cross-sector, public-private working group which provides cybersecurity guidance that addresses high priority cyber-based threats to the nation’s critical infrastructure.

“This series provides key cybersecurity guidance to configure 5G cloud infrastructure,” said Natalie Pittore, Chief of ESF in NSA’s Cybersecurity Collaboration Center. “Our team examined priority risks so that we could provide useful guidance, disseminated in an actionable way to help implementers protect their infrastructure.”

The series builds on the ESF Potential Threat Vectors to 5G Infrastructure analysis paper released in May 2021, which focused specifically on threats, vulnerabilities, and mitigations that apply to the deployment of 5G infrastructures. Based on preliminary analysis and threat assessment, the top 5G cloud infrastructure security challenges were identified by ESF and a four-part series of instructional documents covering those challenges will be released over the next few weeks. Topics include securely isolating network resources; protecting data in transit, in use, and at rest; and ensuring integrity of the network infrastructure.

Part I focuses on detecting malicious cyber actor activity in 5G clouds to prevent the malicious cyberattack of a single cloud resource from compromising the entire network. The guidance provides recommendations for mitigating lateral movement attempts by malicious cyber actors who have successfully exploited a vulnerability to gain initial access into a 5G cloud system.
“This series exemplifies the national security benefits resulting from the joint efforts of ESF experts from CISA, NSA, and industry,” said Rob Joyce, NSA Cybersecurity Director. “Service providers and system integrators that build and configure 5G cloud infrastructures who apply this guidance will do their part to improve cybersecurity for our nation.”

“Strong and vibrant partnerships are critical to the overall effort to reduce cyber risk. Along with our public and private partners in the ESF, CISA is proud to partner with NSA to present the Security Guidance series for 5G Infrastructure,” said Alaina Clark, Assistant Director for Stakeholder Engagement. “Protecting 5G cloud infrastructure is a shared responsibility and we encourage 5G providers, operators and customers to review the new guidance.”

5G cloud providers, integrators, and network operators share the responsibility to detect and mitigate lateral movement attempts within their 5G cloud infrastructure. This document provides best practices to secure the 5G cloud from specific cyber threats of lateral movement that could compromise a network.

Broadband Commission calls for people-centred solutions to achieve universal connectivity

More than a year and a half into the COVID-19 pandemic, amid relentless global demand for broadband services, the Broadband Commission for Sustainable Development has reaffirmed its call for digital cooperation, innovation with information and communication technologies (ICTs), and collaborative approaches to secure universal connectivity and access to digital skills.

The Commission's State of Broadband Report 2021, released during the meeting, outlines the impact of pandemic policies and calls for a concerted, people-centred push to close the world's persistent divide. In the world's least developed countries (LDCs), no more than a quarter of the population is online.

"Digital cooperation needs to go beyond access to broadband," said H.E. President Paul Kagame of Rwanda, Co-Chair of the Commission. “We also need to close the gap in the adoption and use of affordable devices and services, in accessible content, and in digital literacy."

More than 50 Commissioners and special guests, representing government leaders, heads of international organizations and private sector companies, civil society and academia, affirmed that people-centred solutions must be at the heart of building a sustainable path towards universal broadband.

Commission co-Chair Carlos Slim, Founder of Carlos Slim Foundation and Grupo Carso, added: “To achieve our universal connectivity goal, we need to work together. We need to build a digital future that is inclusive, affordable, safe, sustainable, meaningful and people centred. We need to support infrastructure and to deal with affordability and relevant content to ensure usage. For that to happen, it requires concerted efforts."

Connectivity for sustainable development
The Annual Fall Meeting, held in a virtual format, underscored the need to accelerate digital connectivity to fulfil the United Nations Agenda for 2030, centred on 17 Sustainable Development Goals.

“The absence of digital skills remains the largest barrier to Internet use,” noted Audrey Azoulay, Director-General of the United Nations Educational, Scientific and Cultural Organization (UNESCO) and co-Vice Chair of the Commission. “Digital education must therefore be as much about gaining skills as about developing the ability to think critically in order to master the technical aspects and be able to distinguish between truth and falsehood.”

“UNESCO's Media and Information Literacy curriculum, launched in Belgrade, Serbia, in April, provided a key tool to boost skills,” she added.

A newly released Commission report on distance and hybrid learning cites the need to foster digital skills along with expanding broadband infrastructure.

[Source: ITU]

Digital is the future of urban energy

Cities already account for two-thirds of energy consumption and produce more than 70 per cent of carbon emissions globally every year.

With more than half of all people in the world living in cities, smart urban energy systems are needed to bring climate-damaging emissions down to net-zero in the next few decades.

Digital solutions can help cities reduce emissions and make the transition to clean energy systems, according to the latest report from the International Energy Agency (IEA).

By 2050, when almost 70 per cent of the world’s population will be city dwellers, energy will be in even higher demand.

To provide it sustainably, cities will need smart grids and innovative storage that integrate renewable power generation, electrified transport, and efficient heating and cooling, along with climate-safe bioenergy and waste-to-energy solutions.

Bringing all these together will depend on top-to-bottom digitalization of urban energy systems and related services. The IEA report, 'Empowering Cities for a Net Zero Future', based on consultations with over 125 experts, advises pioneering cities on how to ensure a sustainable energy future based on digital technologies.

Building smart grids

Flexible energy systems enable agile responses to real-time situations, balancing demand and supply throughout the day. Smart grids with real-time monitoring and predictive analytics can offer reduced peak loads, better integrate renewables at lower costs and minimize pressure on aging grid infrastructure.

Smart grids will be crucial to address global warming by reducing carbon-dioxide (CO2) emissions. Direct access to data, meanwhile, empowers consumers to manage their energy consumption and costs.

In the United Arab Emirates, the Dubai Electricity and Water Authority (DEWA) says it has installed a local smart grid that enables "automated decision-making and interoperability across the entire electricity and water network."

By 2050, digitalization and smart controls can reduce CO2 emissions from buildings by 350 million tonnes, the IEA estimates.

Heating, air conditioning, motion sensors, ventilation and other data can encourage more efficient energy use. For instance, appliances can be operated when solar and wind power are active.

Electric vehicles (EVs) can be charged overnight, when electricity demand is lower, or when solar photovoltaic (PV) production exceeds other demand. Crucially, plugged-in EVs can also add energy storage capacity to the whole system.

Connected mobility

Electrification of transport and widespread EV use will help to scale up renewable energy sources through smart charging and vehicle-to-grid (V2G) systems that adapt charging rates to power availability and sometimes even return power to the grid.

People who hesitate to adopt EVs could be reassured by real-time data on costs and the availability of charging points.

Smart mobility applications can help residents pick modes of transport, including public transit and shared schemes, with more awareness about lowering emissions.

In Lahti, Finland, a mobile app shows the different transport options available and their respective carbon emissions. Virtual credits awarded for a low footprint can then be used to purchase city services and products.

Standards for climate-safe cities

Harmonized international standards can enable the interoperability of smart energy solutions as well as ensure data privacy, grid stability and cybersecurity, the IEA report affirms.

The International Telecommunication Union (ITU), the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) already work together closely on standards development through their joint smart city task force.

Innovators aiming for system-level harmonization can look to smart city standards like ITU Y.4459, “Digital entity architecture framework for Internet of Things interoperability”, developed by ITU-T Study Group 20 (Internet of Things and smart cities and communities).

Key Performance Indicators for Smart Sustainable Cities – prepared by the United for Smart Sustainable Cities Initiative based on an ITU standard aligned with UN Sustainable Development Goals (ITU Y.4903/L.1603) – have set a benchmark for best practices and provide a practical framework to assess each city’s progress towards net-zero emissions and digital transformation.

A key standard developed by ITU-T Study Group 5 (Environment, climate change and circular economy) and released last year (ITU L.1470) details the emission-reduction trajectories needed to cut greenhouse gas emissions in the information and communication technology (ICT) sector by 45 per cent between 2020 and 2030.

This is the rate required to meet a key climate goal – limiting global warming to 1.5 degrees Celsius during this century, compared to pre-industrial levels, in line with the Paris Agreement and the United Nations Framework Convention on Climate Change (UNFCCC).

[Source: ITU]

How ITU provides emergency telecommunications in a pandemic

“We have to prepare everything in advance so that when a disaster strikes, the only thing that we have to do is pack the equipment and take it to where it is needed,” explained Jake Spinnler from ITU’s Emergency Telecommunications Division.

Spinnler is part of the ITU Emergency Telecommunications team and is currently coordinating ITU’s Emergency Telecommunications Roster (ETR), a voluntary group of ITU staff from across the organization on stand-by to deploy the services on short notice.

“In the last few months, we have been checking and testing the satellite phones and Broadband Global Area Network (BGAN) terminals to see if the equipment is complete, if it works correctly or we need to buy spare parts,” added Spinnler, who has been trained to use emergency telecommunications equipment, helping to ensure vital communication networks are maintained during relief efforts.

The year of disasters

Disasters don’t stop during a pandemic. In 2020, 389 disasters impacted 98.4 million people globally.

Additionally, according to the recently released Intergovernmental Panel on Climate Change (IPCC) report, Climate Change 2021: The Physical Science Basis, extreme weather events that we are facing today – from cyclones in India to devastating floods in China, widespread wildfires in North America and enduring droughts across Africa – are set to continue and worsen in the decades to come.

Telecommunication networks are critical to coordinating relief efforts, but are often destroyed when disaster strikes.

At the request of Member States, in the aftermath of a disaster, ITU deploys temporary information and communication technology (ICT) solutions to help restore telecommunication links needed for response efforts. The ITU ETR is a new addition to this service.

“I have visited nearly all countries in the world, taking this equipment to help them to use it for response coordination efforts and assist in recovery from disasters,” said Maritza Delgado, ITU’s Emergency Telecommunications Programme Officer.

“Sometimes these are the only phones that are available in the disaster zones, and the only channel for organizations to coordinate with different stakeholders in charge of overall disaster management.”

Direct impact on the ground

Although training was largely conducted online during the COVID pandemic – from using the equipment to personal safety training – some aspects still need to be done in person.

To ensure life-saving equipment is in full working order, the ETR team needs to test it regularly. This equipment includes BGAN terminals, Iridium satellite phones and other terminals.

“As a Radiocommunication Engineer, working with these satellite devices is a great opportunity for hands-on experience,” said Veronique Glaude, Senior Radiocommunication Engineer in ITU-R. “This equipment is vital to assist first responders for timely communication and enable them to respond to the humanitarian needs of the affected individuals and communities. It is a real honour for me to be part of that process.”

For many ITU staff, being part of the ETR has had a positive impact on their work at ITU.

“One of my roles in ITU is Acting Advisor to ITU-T Study Group 2, which plays a leading role in ITU standards development for disaster relief, early warning, network resilience and recovery. The ETR provides a direct connection between theory and practice,” said Rob Clark, Study Group Project Coordinator in ITU-T.

“Being part of the ETR has enlightened me on the role that ITU is playing alongside its partners in the field of emergency telecoms and disaster relief. It also reminds me of the direct impact of ITU’s work on the ground. This is a useful perspective to incorporate into my ‘day job’ supporting ITU members’ development of international telecommunication standards,” he said.

During the COVID-19 pandemic, with in-person deployments suspended due to travel restrictions, ITU strengthened partnerships with satellite providers to provide the necessary connectivity and equipment.

These partnerships ensured that ITU could continue to support countries in the aftermath of disasters.

[Source: ITU]

T-Mobile confirmed latest data breach affecting millions of customers

US telecom giant T-Mobile has confirmed its latest data breach, in which the data of nearly 8 million customers was accessed by a hacker, bringing the total to five breaches in the last four years.

Their preliminary analysis showed that almost 8 million current postpaid customers and 40 million records of former or prospective customers, who had at one point applied for credit with the company, were taken in a 'highly sophisticated cyberattack.'

The latest in the series of hacks on the company's customers' data comes on the heels of two attacks in 2020, one in 2019, and another in 2018. This most recent breach is by far the largest.

News broke that a hacker was trying to sell T-Mobile customer data online, data they claimed to have gotten via compromised T-Mobile servers. They claimed the data contained names, addresses, social security numbers (SSN), driver license information, phone numbers and unique IMEI numbers.

Telcos strengthen India’s disaster preparedness

When Cyclone Tauktae struck India’s western coastal areas several months ago, it brought mass destruction of property and disrupted daily life in five Indian states.
Despite the storm’s ‘extremely severe’ designation, the damage and loss of lives were less than expected. This was thanks in large part to national disaster preparation plans, underpinned by information and communication technologies (ICTs) and timely preparation by telecom operators.
Technology plays a pivotal role at each stage of disaster management, from early warning and mitigation to response, and then to post-disaster recovery and rehabilitation.
Collaborative action on the ground
To prepare for the upcoming disaster, the Indian government had already implemented standard operating procedures (SOPs), whereby telecom operators initiated inter-operator roaming services that let mobile phone users switch easily between networks based on availability.
Priority call routing enabled rescue and relief crews to coordinate with government officials, including in the vital restoration work in Tauktae’s aftermath.
On-site diesel and battery back-up were ready to mitigate any power cuts, while coordination was stepped up with the National Disaster Management Authority, the National Disaster Relief Force, and central, state and local governments.
Challenges for operators during disasters
Telecom and ICT operators form the backbone of connectivity across the world. But ICT services can be hard to maintain – let alone expand – during earthquakes, tsunamis or a pandemic.
Natural hazards often damage towers, power generators, cables and wires. At the same time, network congestion arises as people call family and friends, frequently hampering rescue and relief operations.
Amid the COVID-19 pandemic, telecom and Internet usage have surged everywhere.
Meanwhile, with shops closed, pre-paid mobile consumers could not recharge their credit.
Still, telecom operators maintained the continuity of services and facilitated online recharges for pre-paid users.
By the time of the May 2021 cyclone, lessons from both before and during the pandemic had made India’s telecom networks more robust and resilient, with sufficient adaptability and scalability to handle demand spikes.
How operators can prepare
Access to robust and secure ICT infrastructure is critical. Putting resilient networks and disaster management tools in place well ahead of time helps to mitigate negative impacts.
Wherever feasible, telecom operators must upgrade to 4G or 5G, as well as educate staff and raise awareness among customers on how to withstand disaster situations, including recharging subscriptions online with mobile devices.
Inter-operator roaming agreements can ensure continuous service for all customers in a disaster-affected area, even if the infrastructure of one or two operators suffers damage. Along with temporary solutions like cells on wheels (CoW), operators can turn to satellite-based plug-and-play networks to stand in for damaged terrestrial infrastructure.

When & How to Report Security Incidents – ENISA releases new guidelines

The European Union Agency for Cybersecurity (ENISA) releases new guidelines to facilitate the reporting of security incidents by national telecom security authorities.
The guidelines published help national telecom security authorities in the reporting of significant incidents to ENISA and the European Commission under the European Electronic Communications Code (EECC).
These new guidelines replace the previous ones issued by ENISA on incident reporting under Article 13a of the EU Telecoms Framework Directive. This revised version takes into account the scope and the provisions of the EECC and provides non-binding technical guidance to national authorities supervising security in the electronic communications sector.
The following three types of incident reporting are provided for under article 40 of the EECC:
1. National incident reporting from providers to national security authorities;
2. Ad-hoc incident reporting between national security authorities and ENISA;
3. Annual summary reporting from national security authorities to the European Commission and ENISA.
The new guidelines focus firstly on the ad-hoc incident reporting between the security authorities and ENISA and secondly on the annual summary reporting. More specifically, the document includes information on how and when security authorities can report security incidents to ENISA, to the European Commission and to other security authorities.
The information provided considers the services and incidents within the scope of the EECC: incidents affecting confidentiality, availability, integrity and authenticity of networks and services. The thresholds needed for the annual reporting are also defined. These thresholds are both of a quantitative and of a qualitative nature.
The quantitative elements considered include the number of users affected and the duration of the incident. Qualitative information was also used, such as the geographical coverage of the incident and the impact on the economy, on society and on users.
The new guidelines also include an incident report template and draw the distinction between national and annual reporting.
This report was drafted by ENISA in close cooperation with the ECASEC expert group of national telecom security authorities.

One ICT regulator’s journey to 5th-generation regulation

The global regulatory and technology landscape is complex and fast-moving.
Regulators find themselves grappling with an ever-growing array of challenges, chief among them achieving the Sustainable Development Goals (SDGs) by the 2030 deadline, now just a decade away.
The Kingdom of Saudi Arabia’s ICT regulator is no exception, as the country continues to prioritize the rapid growth of its ICT sector and pursue sustainable economic diversification as part of its Vision 2030.
But what is 5th-generation in the first place? And how is Saudi Arabia’s Communications and Information Technology Commission (CITC) planning to get there?
The evolving role of the ICT regulator
If we think in terms of regulatory “generations”, the first employed a “command and control approach”, which often took the form of public or national telecom monopolies. The second-generation regulatory landscape saw the opening of markets, facilitating partial liberalization and privatization of telecommunications. By generation three, we saw accelerated investment, innovation, and access opportunities emerge, with regulators placing a dual focus on stimulating competition while ensuring consumer protection.
Fourth generation features integrated regulation, led by economic and social policy goals. A 4th-generation regulator is one that ensures or is working towards universal access, consults stakeholders regularly, and promotes international and regional cooperation, equitable spectrum management, and stronger consumer protection.
Where do regulators stand globally?
According to ITU’s Global ICT Regulatory Outlook 2020, 8 per cent of countries now have holistic, forward-looking regulatory frameworks enabling digital transformation across the economy.
40 per cent of countries remain in regulatory generations 1 and 2, missing development opportunities and remaining disconnected from the digital transformation of their economies. While one third of countries have achieved G4, characterized by thriving markets for ICT services and the lowest proportion of unconnected populations, some have already set 5th-generation regulation in their sights. In a 5th-generation regulatory environment, collaboration among even more stakeholders is key to shaping decisions in a harmonized way not only within the telecommunications realm, but across a broad range of sectors now dependent on ICTs.
CITC’s regulatory transformation
With a guiding vision of a “connected nation for a thriving digital economy”, CITC is stepping up to meet the 5th-generation regulation challenge with an ambitious new digital transformation strategy. Their vision also emphasizes safeguarding the public, providing reliable service, ensuring fair competition, and balancing the diverse needs of multiple stakeholders.
Historically, the Commission’s mandate focused on regulating the telecommunication and information technology sectors. But the last two years have seen that mandate evolve to reflect a changing global regulatory and technology landscape.
The Saudi Arabian regulator has met the challenges of an increasingly complex regulatory environment with a series of initiatives, including, among others:
• Promoting investment and infrastructure development while ensuring access to high-quality services. CITC reported investing 15 billion USD in infrastructure, including meeting major deployment milestones on network infrastructure and quality. Mobile broadband download speed reached 77.55 Mbps in August 2020, and mobile coverage increased to 99 per cent of the population for 3G and 94 per cent for 4G, according to CITC estimates.
• Establishing a National Regulatory Committee that will bring together 8 core regulators to collaborate on ICT and digital cross-sectoral topics like blockchain, smart cities and digital platforms, and proactively anticipate emerging topics. Additional public and private entities will be involved as needed. This collaboration was set up to accelerate regulation-to-adoption and seeks to drive innovation, job creation, and investor confidence by promoting coherence and efficiency across Saudi Arabia’s ICT ecosystem.
• Acting collaboratively to deploy ICTs during the COVID-19 pandemic. As the pandemic reached Saudi Arabia, CITC collaborated quickly and effectively with telecom operators to meet the surge in demand for online access and data with increased speeds and data capacity, free services, expanded spectrum use, and enhanced network configurations and connectivity. This rapid response played a critical role in enabling remote work, business continuity, delivery apps, e-government services, and remote learning across Saudi Arabia.
[courtesy of ITU]