5G transport security: What service providers need to evolve? (part 2 of 2)
In my previous blog*, I talked about the security implications of 5G, particularly the performance and operations impact. In this blog, I will share the new attack surfaces and threats that service providers need to consider and plan for.
As we have discussed before, edge computing will be essential to deliver the low latency and bandwidth efficiency required by many 5G applications, such as driverless cars, remote healthcare, virtual reality, industrial automation, and frictionless logistics.
However, there are risks. A likely deployment model is to run edge computing applications on the same physical platforms as some virtual network functions. These edge computing applications may be third-party applications, not controlled by the mobile service provider, which raises the concern that these applications may exhaust resources needed by the network functions.
There are also risks that poorly designed applications could offer hackers an attack vector to infiltrate the distributed data center and impact the network functions running on the platform. Similarly, attackers could insert malicious applications to achieve the same end. If sensitive security assets are compromised at virtualized functions at the edge, an attacker could maliciously reuse them to gain connectivity or carry out spoofing, eavesdropping or data manipulation attacks.
Control and user plane separation
CUPS stands for Control and User Plane Separation of EPC (Evolved Packet Core) nodes. It gives operators the flexibility to locate and scale the control plane and user plane resources of the EPC nodes independently. CUPS works well for high-bandwidth applications like video: because the core user plane is located closer to the end user, operators do not have to backhaul traffic all the way to the central data center, which reduces both latency and backhaul costs.
However, some of the interfaces (e.g. between the centralized control plane and the distributed user plane) are new, and without proper protection in place they become new attack surfaces.
Network slicing
5G opens up the possibility of a multitude of new use cases and services, each with its own requirements in terms of performance and functionality. With network slicing, mobile operators can partition their physical network into multiple virtual networks to offer optimal support for different types of services for different customer segments.
For example, it is possible to create a slice specifically for the healthcare vertical, a slice for connected vehicles, and another slice for smart meters, each with different latency, throughput, reliability and security characteristics.
For instance, the service in one slice may require extremely long device battery life, which constrains the security protocol (e.g., how often re-authentication is performed). In another example, the service in one slice may be very privacy-sensitive, requiring unusually intensive security procedures (e.g., very frequent reallocation of temporary identities).
Therefore, service providers need to ensure different virtual network slices are adequately isolated from one another, so that access to "high security" applications cannot be gained from a "lower security" slice.
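One way to monitor that isolation in practice is to check flow records exported from the user plane or edge platform against a slice-to-slice policy and flag anything that crosses slice boundaries without an explicit allow rule, in particular traffic entering a higher-security slice from a lower-security one. The following is an added example, not code from the original post or from any vendor; the log format, the slice names, their security levels and the allow list are all constructed assumptions for illustration.

```python
"""Cross-slice access detection over constructed flow records.

Each line mimics a key=value flow record as a user-plane function or edge
platform might export it. The policy is default-deny for cross-slice traffic:
a flow is acceptable only if it stays within one slice or matches an explicit
(src_slice, dst_slice, dst_service) exception.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (not real data). Slice names stand in for S-NSSAIs.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z ue=ue-001 src_slice=smart-meter dst_slice=smart-meter dst=meter-collector
ts=2024-01-01T10:00:01Z ue=ue-002 src_slice=smart-meter dst_slice=healthcare dst=patient-records
ts=2024-01-01T10:00:02Z ue=ue-003 src_slice=healthcare dst_slice=healthcare dst=patient-records
ts=2024-01-01T10:00:03Z ue=ue-004 src_slice=vehicle dst_slice=smart-meter dst=meter-collector
ts=2024-01-01T10:00:04Z ue=ue-005 src_slice=vehicle dst_slice=healthcare dst=telemetry-ingest
ts=2024-01-01T10:00:05Z ue=ue-006 src_slice=unknown dst_slice=healthcare dst=patient-records
"""

# Hypothetical security level per slice (higher = more sensitive).
SLICE_LEVEL = {"healthcare": 3, "vehicle": 2, "smart-meter": 1}

# Hypothetical explicit exceptions to the default-deny rule.
ALLOWED_CROSS_SLICE = {("vehicle", "healthcare", "telemetry-ingest")}

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    ts: str
    ue: str
    src_slice: str   # slice of the session the traffic arrived on
    dst_slice: str   # slice hosting the destination service
    dst_service: str


def parse_flow(line: str) -> Flow:
    """Parse one key=value record into a Flow (raises KeyError on a malformed line)."""
    fields = dict(KV.findall(line))
    return Flow(fields["ts"], fields["ue"], fields["src_slice"],
                fields["dst_slice"], fields["dst"])


def classify(flow: Flow) -> Optional[str]:
    """Return None if the flow is permitted, otherwise a short reason string."""
    if flow.src_slice == flow.dst_slice:
        return None  # intra-slice traffic is always fine
    if (flow.src_slice, flow.dst_slice, flow.dst_service) in ALLOWED_CROSS_SLICE:
        return None  # explicitly sanctioned cross-slice service
    src_level = SLICE_LEVEL.get(flow.src_slice)
    dst_level = SLICE_LEVEL.get(flow.dst_slice)
    if src_level is None or dst_level is None:
        return "unknown slice identifier"
    if dst_level > src_level:
        return "lower-security slice reaching higher-security slice"
    return "cross-slice flow without explicit allow rule"


def find_violations(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Scan a log and return (ue, src_slice, dst_slice, reason) for each violation."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason is not None:
            violations.append((flow.ue, flow.src_slice, flow.dst_slice, reason))
    return violations


if __name__ == "__main__":
    for ue, src, dst, reason in find_violations(SAMPLE_LOG):
        print(f"{ue}: {src} -> {dst}: {reason}")
```

On the sample data this flags three flows: the smart-meter session reaching the healthcare slice, the vehicle session reaching the smart-meter slice (cross-slice with no allow rule, even though it goes "downward"), and the session with an unrecognised slice identifier. The vehicle-to-healthcare telemetry flow passes because it is on the allow list. The default-deny shape matters: treating only "upward" crossings as violations would leave lateral and downward cross-slice paths unmonitored.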
Edge computing, CUPS/distributed core, and network slicing are all critical technology enablers for meeting 5G's ambitious requirements. However, new technologies and architectural change come with new attack surfaces and risks. Service providers must carefully evaluate the potential threats, adapt their security strategies and implement proper security measures to protect the infrastructure, assets and end users.
To learn more:
- Download the full whitepaper
- Listen to the on-demand webinar