Your guide to end-to-end security when introducing 5G core
It’s becoming clear that 5G will enable many new use cases, including ones that will make the critical role of mobile networks even more apparent. Service providers are increasingly asked to provide evidence of how security and privacy are managed in their networks to gain acceptance and trust.
The 5G networks will serve as a foundation for these new use cases and services, and as these different use cases may share resources in the mobile network, a cyberattack against one could affect many others. The more society depends on digitalized services, the more likely it is that cyber threats against these services will increase – making security a critical factor for 5G business success.
Four layers of 5G security
To understand how security is structured, we divide it into four layers. From the bottom up, these are:
- Security standards for interfaces and security architecture
- Product development security
- Security deployment of the end-to-end (E2E) architecture
- Security management and operations
A lot of new standardization serves as a foundation for 5G security, from bodies like 3GPP, the Internet Engineering Task Force (IETF), the European Telecommunications Standards Institute (ETSI ISG NFV), and the National Institute of Standards and Technology, US (NIST). They have defined the interfaces and security architecture for the mobile networks. Due to all the different technology domains that make up 5G, there is no single standard for security in 5G.
Apart from standards, there are also new regulations related to 5G security. In general, these regulatory requirements aim to raise the baseline security of products and services, and to protect the networks from attacks. An example is the EU toolbox.
A 5G system will be built on a largely virtualized cloud platform with many different network functions and 3PP applications, and there will be many different vendors involved. When developing these products, vendors don’t just need to consider the 3GPP and other standardized interfaces, but also need to build security into products during the development process.
Ericsson has systematically developed a state-of-the-art model, called The Security Reliability Model (SRM), to incorporate security and privacy considerations into all phases of product development.
Mobile networks and 5G serve as a backbone for modern society. Therefore, security assurance is a means to ensure that network equipment meets security requirements and is implemented following secure development and product lifecycle processes.
Security in 5G Core
As an example of new security products in 5G, Ericsson has recently launched an integrated Packet Core Firewall as a single CNF (cloud native network function) as part of the user plane in the Ericsson Packet Core Gateway. Today, this is solved with different multi-vendor hardware nodes, an approach that increases latency, has hardware dependencies and is more complex to orchestrate. A single CNF solution means it scales in and out simultaneously with the user plane (UP), meeting specific 5G use case requirements, including edge, deep edge and small-scale deployments.
Secure deployment and operations
As indicated above, security in a 5G system implies much more than specific products inserted at different places. It requires the ability to oversee and manage security across the entire network architecture, especially considering the vast number of multi-vendor solutions. As 5G networks will also be highly dynamic, threat detection and mitigation must also be done very quickly.
There are no telecom-specific security frameworks, and as a result many communication service providers are turning to generic cyber security frameworks – for example, the NIST Cybersecurity Framework and Center for Internet Security (CIS) Controls – when designing approaches and processes around security operations. However, ETSI has defined the NFV Security Lifecycle Management, which outlines the three main stages for the VNF security life cycle: security planning, security enforcement, and security monitoring.
The journey to intelligent security management
Communication service providers today have varying levels of maturity in their security operations, and many have static manual processes in their telecoms network security operations.
Ericsson has defined a three-step approach to reach a high level of intelligent security management.
- Dynamic: Introduce automated security policy configuration and compliance monitoring
- Cognitive: Automated threat and vulnerability detection assisted with ML/AI
- Intelligent: Repeatable, adaptive and holistic security management with threat intelligence. This provides end-to-end visibility for business-related security risks, and actions can be directed via automated workflows to mitigate risks faster.
Solutions for security management
Ericsson has been working for many years to develop a management solution for the entire telecom network across all layers and network domains including multi-vendor products.
The Ericsson Security Manager is an evolutionary security management automation solution implementing building blocks for all the necessary functions: risk orchestration, protection, detection and response. It adheres to NIST Cybersecurity Framework principles. It turns data collected from the managed context into powerful security insights, identifying relevant threats and vulnerabilities. Active response also helps shorten incident containment through a high degree of automation, using closed-loop and expert-assisted response mechanisms.
Security as a source of revenue for service providers
The rise in new business contexts built on top of the 5G network platform will rely upon the increasingly dynamic and distributed nature of 5G network architecture. This makes managing the security of the network and services a growing challenge as the network threat surface is increased and new threat vectors are introduced. Communication service providers need to manage the security and privacy of their networks and services in a more complex business environment. This also opens up new business opportunities, since communication service providers can manage security for many enterprises’ specific needs going forward.
For further details, please read our recent document "Mastering complete 5G network security - A guide to protecting your network when introducing cloud native 5G core".