How 3GPP is setting the security standards for a 5G future
For decades, 3GPP has ensured the proper security mechanisms through standards which have enabled billions of global users to access mobile communications. But what is 3GPP, and what impact is it making within 5G? We meet the chairman of one of 3GPP’s working groups, SA3, who explains the work being done for lasting security at scale for global innovations, applications and devices.
Over the years, 3GPP has dealt with setting the standards for all relevant security functions needed to handle the use cases of the respective communications generations. To combat fraud and protect user privacy, for example, the Global System for Mobile Communications (GSM) made the standard for SIM-cards and Air Interface encryption. Furthermore, 3G standards were defined for protection against malicious activity from the internet and mutual authentication to combat false base stations.
These are just some examples of what 3GPP and its predecessors like ETSI SMG have accomplished. They’re all very important security functionalities for the relevant use cases of telephony and mobile internet. These achievements have lasted for decades and scaled to billions of users, which is completely unique.
Security assurance through the SECAM/NESAS standards was a groundbreaking step. No best practice and validation requirements for anything as complex as a telecom system had previously been made. The techniques available were optimized for very static and confined IT components, and were not working for a complex system or in a dynamic scenario where upgrades are extensive and frequent. It was a personal privilege for me to drive this work item to be approved by the parent committee System Architecture (SA) at its meeting in Ljubljana, Slovenia in 2012.
Similarly, for 5G, with all the new use cases and cloud realizations, security requires a solid mechanism that offers lasting security at scale for continuing innovations, applications and devices. Today in 3GPP, the responsibility for this crucial task is on a working group named SA3, where Ericsson provides the leadership of the processes to set these standards through Noamen Ben Henda, who was elected chairperson of SA3 in Q1, 2019.
I am very pleased to share a discussion I had with Noamen, where we covered some of the important aspects of the work that Noamen leads as the chairman of the SA3 group in 3GPP.
Firstly, what is 3GPP and SA3?
3GPP is a collaborative activity between well-established regional standard organizations. The goal is to develop and maintain global technical specifications. This is to make sure that network equipment and handset manufacturers can develop products that are interoperable all over the world. In contrast to the old days, where if you buy a mobile phone in one country or region, and it might not work in another one, nowadays, when you buy a mobile phone you don't even think of that, thanks to 3GPP!
3GPP is made up of different groups that meet at least once every quarter. There are different types of groups, but the technical work is done in so called working groups. During working group meetings, companies' representatives or delegates meet to discuss proposals for changes or additions to the technical specifications. These are called contributions. Each working group is responsible for a specific aspect of a mobile communication system. The working group called SA3 is responsible for the security aspect. Basically, SA3 has the task of studying any feature or enhancement developed within 3GPP and, whenever needed, specifying the requirements and mechanisms to secure it.
What is the role of the SA3 chairman?
The SA3 chairman, like any other working group chairman, is responsible for the overall management of the technical work within the working group. The chairman is not alone. Together with a support team which consists of one or more vice chairs and a secretary, the chairman plans the working group meetings, provides the agenda and the schedule, conducts the meeting, coordinates the technical discussions, and so on. As a 3GPP official, a chairman is often expected to report and present the status in the working group within, but also outside, 3GPP. It is quite common that chairmen are invited to give talks and presentations related to working group activities or even to interviews like this one.
How does 3GPP/SA3 work with other Standards Development Organizations (SDOs)?
3GPP communicates with other SDOs via Liaison Statements or LSes for short. LSes – which are also contributions incoming or outgoing from group meetings – are the official means to request feedback, actions or just to inform other entities or bodies about topics that are subject to collaboration. This practice is not specific to 3GPP, and is well establish in the standardization industry in general. LSes are also used internally within 3GPP to facilitate collaboration between the different groups.
What has been the outcome of your work on 5G security?
The work on 5G security started back in 2016 and by the summer of 2018, SA3 delivered the first version of a new technical specification for 5G security. This is specification number 33.501. 5G is an entirely new system, and this was a very important milestone. The specification includes all there is you need to know about the overall security architecture and mechanisms for 5G systems. For example, how the devices are authenticated by the network, how communication is protected between the device and the network, and also within a 5G network between the different entities, also called network functions.
What are the most important topics that SA3 is working on now, and in the future?
Let me first give some background. The work on 5G in 3GPP was split over two releases, or cycles, referred to as 5G phase 1 and 5G phase 2. The work on 5G phase 1 was completed few years back. Right now, 3GPP is finalizing the work on 5G phase 2. Maybe you heard of Cellular IoT, connected vehicles, non-public networks, and ultra-reliable low-latency communication. The work on 5G phase 2 is targeting these kinds of use cases. The goal is to deliver enhancements and features to support and enable these use cases in a 5G system. In all of this, SA3 is busy doing its part, which is to specify the security requirements and mechanisms for all these new enhancements.
Is there a specific SA3 topic you want to mention?
Yes. Back in the LTE days, and jointly with GSMA, 3GPP developed a security assurance framework called NESAS. In short, NESAS defines an assessment framework for the secure development and lifecycle management of products, as well as security test cases for the evaluation of network equipment. The 3GPP part in this is to develop such security test cases which, for each network function in the system are collected in separate technical specifications called SCASes. Recently, SA3 completed the work on a batch of such SCASes, one for almost every network function in the 5G System. This was a big effort and a very important deliverable for the whole industry.
Learn more about our work across network standardization.