Delivering a secure and resilient 5G Radio Access Network
New Challenges, Evolving Threats
Mobile networks are by many nations classified as critical infrastructure which people, companies and organizations rely on for essential services and processes. This increased dependency means that any network outage could result in detrimental impact on the availability of those essential services, leading to severe economic and social consequences or, in the worst-case scenario, to losing lives. It is also what makes them more attractive to security breaches, since data becomes such a valuable asset.
At the same time, it has become increasingly challenging to keep networks permanently available, providing data integrity and confidentiality. Key reasons for this include:
- Stricter network reliability and compliance requirements, as governments increase regulations toward networks for better privacy and security.
- A growing number of new and unsecure devices with varying levels of built-in security, which become potential points for breaches.
- Increased complexity with new deployment scenarios such as 5G standalone and non-standalone, split architecture – centralized, distributed and hybrid nodes –, as well as use cases for both consumer and enterprise segments.
- Virtualization of network functions in 5G increases Network exposure and security challenges.
- Evolving security attacks, as threat actors use more advanced and sophisticated ways to target their victims.
While cyber-attacks can happen in many parts of the network, RAN infrastructure is more physically accessible due to the location and distribution of the sites – often in public spaces. That is why we will be focusing on 5G RAN Security in this blog.
Ericsson’s Holistic Approach to Secure Networks
Different aspects of security are considered in every product we commercialize. We start with our security culture – in addition to our fully dedicated security teams, we embrace security education and awareness across the entire organization. Based on that, Ericsson works with three main perspectives to ensure secure networks across the portfolio’s lifecycle: from development, to deployment, to how products are operated in the network. The overall RAN security solution is supported by each of these perspectives:
Security posture for development
Provides the framework, guidelines, documentation and security competence in all areas of the organization. Within this, security by design is key.
At Ericsson, we systematically incorporate security and privacy considerations into all relevant phases of our product development and supply chain. Much like when building a house, rather than reinforcing the structure or doing quick fixes after it has been built, we want to make sure everything is built with a secure foundation from the ground up (starting from the plan, materials that are used, etc.). We do this primarily through our internal governance framework for product security and privacy, the Security Reliability Model (SRM).
The SRM defines strict activities that cover the product value flow from the sourcing of components throughout the development activities, to deployment and operation in customer networks. It covers both internally and externally developed software (SW). One of these activities is the vulnerability analysis – that is, checking if the SW has elements that could be exploited. This is applied to all software delivered for integration and testing. We also introduced the ONE SW track several years ago, which facilities the control and maintenance of internal and outsourced software. These are only a few examples of what we do to create products that are as secure as possible. A company that does not incorporate these controls and monitoring during development can put service providers into a high risk of intrusion or security breach.
All these security activities aim to find and mitigate vulnerabilities before the product/SW reaches our customers. In addition, we have created a development environment with built-in procedures and controls that reduce the risk of external malicious interventions for both Ericsson and our customers.
Technology foundation for deployment
Security starts at the software development and this is also the case with hardware development. Each Radio Node is designed with an embedded silicon chip that holds secure information, in much the same way the SIM card we have in our phones holds secure information like subscriber keys.
Security is considered when we design the silicon and the architecture of the HW, making sure that cryptographic keys, sensitive data, and the SW are protected. Ericsson Silicon provides an unbroken chain of trust from the HW root up to the firmware, operating system (OS), middleware and the application.
Once the node is installed in the field, the integrity of the HW, OS, and application is confirmed by the node itself before it boots (turns on). Hence the name secure boot. However, to reach strong node security, additional security controls are needed. Access control, traffic protection, data protection, security event logging and traffic filtering are examples of controls that can be provided by the SW. The combined security controls of the HW and SW then establish strong node security that protects the confidentiality, integrity, and availability of the node.
In virtualized deployments such as Cloud RAN, the HW and SW are disaggregated and can be supplied by different vendors. We foresee that it is possible to achieve a similar level of security in cloud-based RAN nodes. The major difference is that the responsibility for the security controls of the 5G node (gNB) is then shared between the involved vendors and need to be interoperable and integrated. Standardization will be crucial to overcome this split of responsibilities brought about by cloud deployments. Although Ericsson’s RAN SW will also have built-in integrity when running on cloud infrastructure, the SW trust anchor needs to be pre-loaded in the infrastructure HW by the operator in order to establish the chain of trust.
To address the increased network exposure in cloud-based environments, another important aspect is the infrastructure capability to provide isolation between different SW instances running on the same platform. Here, mechanisms such as secure enclaves in the infrastructure will be needed to fully protect all data processed in the gNB’s Trusted Execution Environment (TEE). Ericsson Cloud RAN SW will be prepared to utilize these technologies as they mature.
Secure end-to-end network operations
The embedded security inside network products is critical but not sufficient. Operators need to consider actively operating a security management system for their end-to-end network.
Ericsson offers both the Ericsson Network Manager (ENM) and Ericsson Security Manager (ESM). These offerings provide centralized operation and maintenance (O&M) user management for secure access control, limiting both internal and external threats from accessing network management tools. Additionally, it is important to quickly detect if something suspicious is happening in the network. To avoid or limit the potential damage from an attack, the time to mitigate is crucial. ESM provides ongoing threat and vulnerability detection to shorten the time to resolve potential incidents. We are also developing RAN functions that will further help service providers to detect and mitigate potential security threats, when combined with ESM’s centralized mechanisms.
Ericsson, The Trusted Telecom Security Partner
Ericsson’s radio access networks build on a platform with state-of-the art security functions, offering built-in security controls on all levels. We are 100% compliant with the industry-wide, GSMA-defined security framework – the Network Equipment Security Assurance Scheme (NESAS), which creates a security assurance scheme addressing the telecom equipment lifecycle.
However, our approach to security goes beyond what is stipulated in the 3GPP standards – which defines many of the security aspects of a mobile system. We use a holistic approach for assuring security in our RAN products, independent of physical or virtual implementation.
Ericsson’s forward-looking RAN Security solution meets growing challenges by providing security in product design, deployment and operations, based on a security culture and in continuously improving network security. Together with ENM and ESM, we are establishing an active defense solution which provides security policy enforcement and monitoring, implementing building blocks for protection, orchestration, detection and response.
Network security has been critical to Ericsson’s technology leadership throughout the company’s history. We understand that the battle against security threats is a constant and evolving one, but we are committed to our responsibility to provide secure and reliable products and solutions. Our product design principles and network security solutions make us well-positioned to support our customers with secure networks, enabling them to protect, detect and act quickly in case of intrusion. We are ready for this today and are equipped to evolve as the threat landscape changes.
Watch the 'Delivering a secure and resilient 5G Radio Access Network' video
Like what you’re reading? Please sign up for email updates on your favorite topics.Subscribe now
At the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.