The fifth generation (5G) network is likely to be one of the most important technology and societal factors of the decade. It’s not just about getting faster, bigger or better; it’s about using 5G as an enabler of a series of services that we will all consume in every aspect of our lives. Whereas previous generation mobile technologies like 2G and 3G were designed to connect people through voice and text, and 4G was designed to connect people over the internet, 5G is all about connecting people with services, the internet, and things. Use cases such as self-driving cars, integrated smart cities, augmented and virtual reality, social networking and interconnected devices will be everywhere.
However, with the number of 5G deployments increasing around the world, it is time to examine the security considerations for 5G deployments. While 3GPP has standardized 5G as the most secure mobile technology, it differs from previous generations of mobile technologies in that it requires network restructuring for Software Defined Networks (SDN), Network Function Virtualization (NFV), and cloud-native architecture for scalability. The convergence of 5G and the Internet of Things adds to the existing threat surface, which requires careful consideration from a cyber risk perspective. It’s time to consider the security ramifications and cyber risks associated with 5G, be they business risks, financial risks or regulatory risks, and this applies not only to companies providing 5G services but also to companies consuming them.
3GPP security improvements for 5G in Releases 15 and 16
5G is the first mobile technology designed for the cloud, leveraging cloud security best practices to protect networks, applications and data while introducing new security risks to the cloud. In Releases 15 and 16, 3GPP standardized and improved security standards. The importance of data confidentiality and integrity, as well as authentication and authorization of both user devices and network infrastructure, is emphasized. Various security considerations for 5G network security fall on both the end user’s devices and the network infrastructure. Some important aspects to consider are:
- Network authentication and authorization of end user devices
- Encryption of user data during transmission and signaling
- Secure service-based architecture
- Authentication and authorization for the selected network segment
- Use case-specific security improvements for IoT and URLLC cellular services
Each generation of mobile technology is more secure than the last. However, our risk tolerance has decreased because a cyberattack on the 5G network has a greater impact as we increasingly rely on it for critical infrastructure and mission-critical applications.
Figure 1: 5G Security Considerations
Key considerations for 5G network security
Let’s look at the main drivers behind the re-engineering of the 5G security architecture.
- Cloud-native architecture: The 5G network takes advantage of the cloud-native architecture where the network functions are virtualized as VNF/CNF. These network elements communicate with each other to deliver services and applications. Cloud-native architecture allows for an automated and scalable environment where network, compute, storage, and contract services can be expanded as needed. Many communications and mobility functions can now be hosted as software services and instantiated dynamically in different network segments. However, cloud-native architecture introduces some vulnerabilities such as hack attacks, resource theft, and man-in-the-middle attacks. Virtualization technologies may present a denial of service (DoS) risk. Some exposed APIs may make it easier to exploit vulnerabilities and gain unauthorized access.
- Categorized Deployments and O-RAN: The initial deployment of 5G networks is often Non-Standalone (NSA) based, which does not significantly change the security risks from previous 4G deployments. However, with 5G Standalone (SA) the security landscape is fundamentally changing. In 5G SA, an attacker can launch a 4G fallback attack and then take advantage of 4G’s security weaknesses. Apart from the core networks, 5G New Radio (NR) is the global standard for open, interoperable, and classified networks. While O-RAN has advantages in terms of speed and efficiency, it introduces new security risks as more functions, interfaces, and open source code have been added.
- IoT and edge devices: 5G serves not only individual mobile users but also businesses, industries and the broader community. With the new services provided by the 5G network, operators will need a flexible security mechanism for each type of service. In edge deployments, many operators have default components. Peripherals may have to be physically secured along with the underlying software platform. The number of high-end devices is also significantly higher, and these devices may come from a variety of vendors. Not all of these devices may have undergone the required security tests and certifications.
- Open source software: Although open source software has many benefits in terms of shortening time to market and overall cost, it also has weaknesses that compromise application security. Since the code is readily available, attackers can easily detect flaws and introduce malicious code. The code may not always be adequately tested and patched for known vulnerabilities in the latest version.
- Manual operations: Traditionally, network administration had network engineers manually log in to the infrastructure for configuration or troubleshooting. Manual processes are no longer enough with 5G technology and the fact that the threat landscape continues to grow in scale and complexity. Security should be fully automated, including threat detection and mitigation.
5G network security recommendations
As we have seen, 5G networks are facing new security threats due to their unique architecture and services. Now let’s look at some mitigating measures that can be considered. This is by no means an exhaustive list, but here are some aspects to consider:
- Cloud Native Security: Ensure that security is built into the entire lifecycle management from development to production. Key security controls and operations required include secure CI/CD, implementation of DevOps best practices, orchestration and access control, and operating system and hardware security.
- Categorized Deployments and O-RAN: O-RAN security depends on the secure platform and the communication between network functions. The O-RAN Alliance has defined several security guidelines, including authentication and authorization of all access, integration with an external identity management system, role-based access, data encryption, and logging implementation.
- IoT and Edge data security: Ensure that the cached data is encrypted and protected. Boilerplate audits are performed for terminal sites.
- Open source software: 5G architecture uses a lot of open source software, but before using it, be sure to check for known vulnerabilities, perform a security scan using any standard tool and perform a thorough security review.
- Automation: Networks that exceed a certain size are impossible to maintain manually, so automation is important. Implement an intelligent, automated, real-time solution to detect and mitigate threats.
- API security: Ensure that APIs are built with strong security including identity and access management, authentication, error detection and logging.
- Zero Trust Security: Finally, implement the Zero Trust security model, which is based on the principle of not trusting user and network functionality. Zero trust shifts the focus away from network perimeter security, and instead restricts access by internal and external users and software components through the use of strong authentication and least-privilege authorization.
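The API security and Zero Trust items above, sketched as a default-deny authorization check that one network function runs on every incoming API call. This is an added example, not code from the original article or from any 5G product. The HMAC key (a stand-in for an issuer's signing key), the function names and the sample NF and service names are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, logging, time

log = logging.getLogger("nf-authz")
KEY = b"constructed-demo-key"  # assumption: shared HMAC key stands in for the issuer's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(sub: str, aud: str, scope: list, ttl: int = 300, now=None) -> str:
    """Hypothetical issuer: sign claims naming the caller, the target and the allowed services."""
    claims = {"sub": sub, "aud": aud, "scope": scope, "exp": (now or time.time()) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def authorize(token: str, my_nf_type: str, service: str, now=None) -> bool:
    """Default deny: every call must prove integrity, audience, freshness and scope."""
    reason = "ok"
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            reason = "bad signature"
        else:
            claims = json.loads(base64.urlsafe_b64decode(body))
            if claims["aud"] != my_nf_type:
                reason = "wrong audience"
            elif claims["exp"] <= (now or time.time()):
                reason = "expired"
            elif service not in claims["scope"]:
                reason = "service not in scope"  # least privilege: only listed services
    except (ValueError, KeyError, TypeError):
        reason = "malformed token"
    allowed = reason == "ok"
    # Log every decision so that denied calls feed threat detection.
    log.log(logging.INFO if allowed else logging.WARNING,
            "authz service=%s allowed=%s reason=%s", service, allowed, reason)
    return allowed
```

A caller inside the network perimeter gets no implicit trust here: a token valid for one service or one target function is rejected for any other, and each rejection is logged with its reason.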
5G represents a major advance in mobile communications. Its ability to support massive bandwidth and low latency allows for many new and exciting use cases. However, the new architecture of 5G also reveals additional security vulnerabilities. 5G security should be built in, not added as an afterthought. Hence, a careful approach is required for these new aspects of cloud-native services, open source software, APIs, automation, and the edge.