Security standards and their role in 5G
Standardization forms the base for mobile network security, ensuring interoperability and openness. Building on this base, many other aspects come into play: it is when all the pieces come together in an orchestrated manner that we get adequate security throughout the mobile network.
Drivers for security standardization
The mobile networks are serving close to 8 billion subscriptions worldwide, and in many countries these networks are considered part of the national critical infrastructure. Scale and the critical role of the networks drive the demand for enhanced security, along with an increased focus on transparency, both in terms of design and implementation of security solutions, and compliance with regulatory and operator-specific demands.
Mobile networks are traditionally based on open and globally agreed standards. While the main motivation for standardization in the mobile industry has been and continues to be interoperability (among vendors, operators, and device manufacturers) to enable a global market for mobile networks and devices, another important aspect is security, with the possibility to verify properties such as interface definitions, security protocols, key lengths, and the strength of cryptographic algorithms. The basic idea of standardizing security is to use commonly agreed, tested, verified, and updated solutions according to best common practice. Open standards, in turn, mean that the specifications are available for anybody to review, which adds transparency and gives more confidence that the security features as specified in the standards are sound.
There is no one single security standard
The main standardization organization for mobile networks is 3GPP, and the security for 3G through 5G has been defined in the security group SA3. The security architecture, as defined by 3GPP SA3, in turn comprises security solutions from several different standardization organizations. The IETF defines security protocols such as IPsec, EAP, and TLS which are incorporated in the 5G security architecture. A 5G network is built using cloud and virtualization technologies, and ETSI ISG NFV defines security for network functions virtualization (NFV). Crypto solutions such as AES are standardized by NIST, and the recently approved NESAS framework for security assurance is a joint effort between 3GPP SA3 and GSMA. All these different components together form the security standard for 5G.
Setting security standards
Defining security standards is a process that often continues over a long period of time. In some cases, discussions on potential improvements start already in collaborative research efforts such as EU-ENSURE, where relevant topics were researched several years before they could be incorporated into the 5G security standard. Examples of this are privacy enhancements such as concealment of the long-term identifier and strict refreshing of the temporary identifier, and wider adoption of EAP, which enables use cases that do not require SIM cards.
Standardization is a collaborative effort, where contributions from different participants are examined, analyzed, discussed, and adjusted to accommodate not only the needs and requirements from participating actors, but also from different sub-groups within a standardization organization as well as other standardization organizations. In the end, the standard is formally approved and published.
Standards come in different flavors. The consensus-driven standardization process strives to accommodate the needs and wishes of many to produce the best possible solution, and not all features are needed everywhere. Certain parts of the standard are mandatory to implement and to use, forming a common base for security in the mobile networks. One example is mutual authentication, defined already for 3G, where the network authenticates the device and the device authenticates the network. Another example is integrity protection of signaling.
Other parts of the standard are mandatory or optional to implement and optional to use, thereby allowing the vendor and the operator to decide on the level of security and the choice of mechanisms to reach that level. An example of security that is mandatory to implement but optional to use is network domain security (IPsec, for example) between the nodes of the mobile network. The motivation for making its use optional is to allow flexible deployment options. For example, an operator typically owns and controls the transport network, and the operator's security policy and network architecture may allow the same protection to be achieved by other means than IPsec. This means that the standard supports a certain security solution, but the operator can decide on another and still achieve a secure result.
Security posture of a deployed network cannot be realized through standardization alone
So, when the standard is set, do we have the security in place for the mobile network? Not really. The standard defines what is commonly agreed in order to ensure a multi-vendor, multi-operator environment where the end user can roam around and still maintain the same service experience.
One example of this is the authentication mechanisms, where the end user, through a SIM in the device, requests and is granted access to connect to the network anywhere in the world. But what is defined in standards needs to be implemented, deployed and operated, and with this come many other security aspects that are simply not in scope for the standards.
As discussed in the guide for 5G security, standardization is only one part of the overall security of the mobile network. It gives the foundation which other parts can build on. When the standard has been set, it is the vendor’s responsibility to decide how to implement the standard. This is done through choices of hardware, development of software, incorporation of third-party components, proprietary solutions and open source, and typically follows a process or model, like the Ericsson security reliability model. At the deployment of the network, it is the responsibility of the operator to turn the needed security features on and take care of configuring and operating the network in a secure way.
Virtualization – security in standards, products, and deployed networks
Virtualization is a key technology that enables mobile networks to support the many 5G use cases in a flexible way. Standardization of virtualization in mobile networks, and of the associated security aspects, is needed because of the multivendor environment, but also because of the dynamic nature of mobile network management needed to support, for example, network slicing. This is carried out in ETSI ISG NFV, which has been working on standardizing network function virtualization and its security aspects from a more general network management and orchestration point of view. In turn, 3GPP security experts look at virtualization security aspects from a mobile network architecture point of view.
Together these standardization efforts aim to cover all relevant mobile network related virtualization security topics. It should also be noted that some virtualization aspects can be standardized, and some will be a question of implementation, deployment, configuration and operation. It is important to find the right balance between standardized and non-standardized aspects to allow freedom for innovation and differentiation. This also illustrates how standardization extends into the deployment and operational phases and brings more transparency to the security of mobile networks.
Security assurance – standards-based assessments of 5G security
Apart from standards, there are different requirements that come into play. Regulatory demands on security assurance for 5G have led to standardized specifications for security assurance, while the auditing process is handled outside of standardization through GSMA. This framework for security assurance, which was developed as a joint effort between 3GPP and GSMA, is generally referred to as NESAS. The specifications developed by 3GPP define what properties need to be checked in product implementations of different network nodes. In the auditing process, auditors accredited by GSMA audit the vendor's development process, and security test laboratories accredited according to ISO/IEC 17025 evaluate the respective products from different vendors against the requirements in the specifications. Once the required properties have been verified, the product is declared compliant with the specification. This means that an appointed third-party actor has verified the security properties of a specific product against a certain specification.
Regulatory security requirements not supported by a standard
Standards are set to form an agreed base for security throughout the mobile networks. In addition, there are other initiatives to define requirements for the mobile networks to meet specific security demands in different contexts. The EU toolbox, for example, was produced to ensure an adequate level of security of the 5G networks across the EU.
The ongoing work by the Indian government on the Indian telecom security assurance requirements (ITSAR), and the UK telecom security requirements (TSR) from NCSC, are examples of security requirements on 5G. In general, these requirements aim to raise the baseline security of products and services and to protect the networks from attacks. This ambition for enhanced and assured security stems to a large extent from the critical role of the mobile networks in society, and the suggested enhancements also form input to global standardization and assurance schemes such as NESAS.
Guiding principles to understand security standardization for 5G and beyond
- Standardization forms the backbone for mobile network security – standards are open and globally agreed and ensure interoperability and transparency
- There is not one security standard that includes all – 5G includes many different standards from many different standardization organizations
- Security doesn’t come from standardization alone: security in implementation, deployment, configuration, and operation of the network are all essential
- Security assurance meets requirements on enhanced security through defined auditing processes where products are checked towards standardized specifications
- Additional security requirements are being discussed in many countries, due to the critical role of 5G
By driving prioritized topics in relevant standardization organizations, in conjunction with internal processes, implementation aspects, deployment and operation of the mobile networks, Ericsson provides value and security in 5G and beyond.
Read our blog post about security standardization in 3GPP.
Learn more about our research on Future network security.
Read more on how we’re involved in 5G standardization.