Security standards and their role in 5G and 6G
Standardization forms the base for mobile network security, ensuring interoperability and openness. Building on this base, many other aspects come into play: it’s when all the pieces come together in an orchestrated manner that we get adequate security throughout the mobile network.
Drivers for security standardization
Mobile networks serve more than eight billion subscriptions worldwide, and in many countries these networks are considered part of the national critical infrastructure. Scale and the critical role of the networks drive the demand for enhanced security, along with an increased focus on transparency, both in the design and implementation of security solutions and in compliance with regulatory and service provider-specific demands.
Mobile networks are traditionally based on open and globally agreed standards. The main motivation for standardization in the mobile industry has been and continues to be interoperability (among vendors, service providers, and device manufacturers) to enable a global market for mobile networks and devices. Another important aspect is security, with the possibility to verify properties such as interface definitions, security protocols, key lengths, and the strength of cryptographic algorithms. The basic idea of standardizing security is to use commonly agreed, tested, verified, and updated solutions according to best common practice. Open standards, in turn, are available for anybody to review and therefore, add transparency and give more confidence that the security features as specified in the standards are sound.
There is no one single security standard
The main standardization organization for mobile networks is 3GPP, and the security for 3G through 5G has been defined in the security group SA3. The security architecture, as defined by 3GPP SA3, in turn, comprises security solutions from several different standardization organizations. See the figure below.
The IETF defines security protocols such as IP layer security (IPsec), Extensible Authentication Protocol (EAP), and Transport Layer Security (TLS), which are incorporated in the 5G security architecture. A 5G network is built using cloud and virtualization technologies, and ETSI ISG NFV defines security for network functions virtualization. Crypto solutions such as the Advanced Encryption Standard (AES) are standardized by the US National Institute of Standards and Technology (NIST).
The NESAS framework for security assurance is a joint effort between 3GPP SA3 and GSMA. The GSMA also addresses interconnect security and operational security aspects of deployed mobile networks. Cloudification of open Radio Access Networks (RAN) and its security challenges are topics addressed by the O-RAN Alliance. All these different components together form the security standard for 5G.
Setting security standards
Defining security standards is a process that often continues over a long period of time. In some cases, discussions on potential improvements start in collaborative research efforts such as EU-ENSURE, where relevant topics were researched several years before they were recognized in the 5G security standard. Examples of this are privacy enhancements like concealment of the long-term subscriber identifier, strict refreshment of the temporary subscriber identifier, and greater adoption of EAP, which enables use cases without requiring SIM cards. Research efforts targeting security beyond 5G towards 6G are carried out in projects like Hexa-X, Hexa-X II, and EU-CONCORDIA.
Standardization is a collaborative effort, where contributions from different participants are examined, analyzed, discussed, and adjusted to accommodate not only the needs and requirements of participating actors but also of different subgroups within a standardization organization as well as other standardization organizations. In the end, the standard is formally approved and published.
Standards come in different flavors. The consensus-driven standardization process strives to accommodate the needs and wishes of many stakeholders to produce the best possible solution, and not all features are needed everywhere. Certain parts of the standard are mandatory to implement and mandatory to use, forming a common base for security in mobile networks. One example of this is mutual authentication, which was already defined for 3G, making the network authenticate the device and the device authenticate the network. Another example is integrity protection of signaling.
Other parts of the standard are mandatory or optional to implement and optional to use, thus allowing the vendor and the service provider to decide on the level of security, and the choice of mechanisms to reach that level. Examples of security mechanisms that are mandatory to implement but optional to use include IPsec between security domains of mobile networks, DTLS between the RAN and core network entities, and TLS between the core network entities.
The motivation for making use optional in the standard is to allow flexible deployment options. For example, a service provider typically has ownership and control of the transport network, and the service provider’s security policy and network architecture may enable security to be achieved by other means than the above-mentioned mechanisms. This means that the standard supports a certain security solution, but the service provider can decide on another and still achieve a secure result.
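The distinction between "mandatory to use" and "mandatory to implement, optional to use" is what a deployment review has to check interface by interface: a disabled mandatory-to-use feature is a failure, while a disabled optional-to-use feature is acceptable only if the operator has documented a compensating control such as an owned and controlled transport network. The following is an added example written for this page, not tooling from Ericsson, 3GPP or any operator; the feature labels, interface names and the sample inventory are constructed assumptions.

```python
"""Audit a deployment inventory against the two kinds of security features
the text distinguishes: mechanisms the standard makes mandatory to use, and
mechanisms that are mandatory to implement but optional to use.

Constructed example for illustration; the feature labels, interface names and
the sample inventory are assumptions, not data from any standard or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MANDATORY_USE = "mandatory-to-use"
OPTIONAL_USE = "optional-to-use"

# Feature -> how the standard treats its use (labels are assumptions).
FEATURES: Dict[str, str] = {
    "mutual-authentication": MANDATORY_USE,  # device and network authenticate each other
    "signaling-integrity": MANDATORY_USE,    # integrity protection of signaling
    "ipsec-inter-domain": OPTIONAL_USE,      # IPsec between security domains
    "dtls-ran-core": OPTIONAL_USE,           # DTLS between RAN and core entities
    "tls-core-core": OPTIONAL_USE,           # TLS between core network entities
}


@dataclass
class Interface:
    """One protected interface in the deployment and its current state."""
    name: str
    feature: str
    enabled: bool
    # How the operator protects the interface if the feature is turned off,
    # e.g. a transport network it owns and controls; None if undocumented.
    compensating_control: Optional[str] = None


@dataclass
class Finding:
    interface: str
    severity: str  # "fail", "warn", "info" or "error"
    message: str


def check_deployment(interfaces: List[Interface]) -> List[Finding]:
    """Return one finding per interface that is not protected by the
    standardized mechanism, graded by what the standard allows."""
    findings: List[Finding] = []
    for itf in interfaces:
        kind = FEATURES.get(itf.feature)
        if kind is None:
            findings.append(Finding(itf.name, "error", f"unknown feature '{itf.feature}'"))
        elif itf.enabled:
            continue  # standardized mechanism in use: nothing to report
        elif kind == MANDATORY_USE:
            findings.append(Finding(itf.name, "fail",
                                    f"{itf.feature} is mandatory to use but is disabled"))
        elif itf.compensating_control:
            findings.append(Finding(itf.name, "info",
                                    f"{itf.feature} disabled; protected by: {itf.compensating_control}"))
        else:
            findings.append(Finding(itf.name, "warn",
                                    f"{itf.feature} disabled and no compensating control is documented"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (not from any real network).
SAMPLE_INVENTORY: List[Interface] = [
    Interface("UE attach", "mutual-authentication", enabled=True),
    Interface("N1 NAS", "signaling-integrity", enabled=False),  # never acceptable
    Interface("N2 gNB-AMF", "dtls-ran-core", enabled=False,
              compensating_control="operator-owned transport with physical access control"),
    Interface("AMF-SMF", "tls-core-core", enabled=False),
    Interface("Roaming edge", "ipsec-inter-domain", enabled=True),
]

if __name__ == "__main__":
    results = check_deployment(SAMPLE_INVENTORY)
    for finding in results:
        print(f"[{finding.severity.upper():5}] {finding.interface}: {finding.message}")
    print(summarize(results))
```

On the sample inventory the check reports the disabled signaling integrity as a failure, the DTLS-less N2 link as informational because a compensating control is recorded, and the unprotected core-to-core link as a warning that needs either TLS turned on or a documented alternative. The point of grading rather than simply flagging every disabled feature is that it mirrors the standard's own structure: only the optional-to-use items are the operator's decision, and that decision should be visible in the inventory.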
Security posture of a deployed network cannot be realized through standardization alone
So, when the standards are set, do we have the security in place for the mobile network? Not really. The standards define what is commonly agreed upon to ensure a multivendor, multioperator environment where the subscriber can roam around and still maintain the same service experience.
One example of this is the authentication mechanism, where the subscriber, through a SIM in the device, requests and is granted access to connect to the network, anywhere in the world. But what is defined in standards needs to be implemented, deployed, and operated, and with this comes many other security aspects that are simply not in scope of the standards.
As discussed in the guide for 5G security, standardization is only one part of the overall security of the mobile network. It provides the foundation which other parts can build on. When the standards have been set, it is the vendor’s responsibility to decide how to implement them. This is done through choices of hardware, development of software, incorporation of third-party components, proprietary solutions, and open source, and typically follows a process or model, like the Ericsson security reliability model. At the deployment of the network, it is the responsibility of the service provider to turn on the needed security features and take care of configuring and operating the network securely.
Virtualization – security in standards, products, and deployed networks
Virtualization and cloud-native are key technologies that enable mobile networks to support the many 5G use cases in a flexible way. Standardization of virtualization and cloud-native technologies in mobile networks, and their associated security aspects, is needed because of the multivendor environment, but also because of the dynamic nature of mobile network management needed to support, for example, network slicing. This is carried out in ETSI ISG NFV, which has been working on standardizing Network Function Virtualization (NFV) and its security aspects from a more general network management and orchestration point of view. In turn, 3GPP security experts are looking at virtualization security aspects from a mobile network architecture point of view. The O-RAN Alliance is analyzing risks and recommending mitigations for cloud-native deployments of Open RAN.
Together these standardization efforts aim to cover all relevant mobile network-related virtualization and cloudification security topics. It can also be noted that some virtualization aspects can be standardized, and some will be a question of implementation, deployment, configuration, and operation. It is important to find the right balance between standardized and non-standardized aspects to allow for freedom for innovation and differentiation. In some cases, standardization comes into deployment and operational phases and brings more transparency to the security of mobile networks. An example of this is the effort in 3GPP SA3 to start standardizing certificate management for the service-based core network.
Security assurance – standards-based assessment of 5G security
Apart from standards, there are different requirements that come into play. Regulatory demands on security assurance for 5G have led to standardized specifications for security assurance, while the auditing process is handled outside of standardization through GSMA.
This framework for security assurance, which was developed as a joint effort between 3GPP and GSMA, is referred to as NESAS. The specifications developed by 3GPP define what properties need to be checked in product implementations of different network nodes. In the auditing process, auditors accredited by GSMA perform an audit of the vendor’s development process, and security test laboratories accredited according to ISO 17025 evaluate the respective products from different vendors against the requirements in the specifications. Once the required properties have been verified, the product is declared compliant with the specification. This means that an appointed third-party actor has verified the security properties of a specific product against a certain specification.
Regulatory security requirements not supported by a standard
Standards are set to form an agreed base for security throughout the mobile networks. In addition, there are other initiatives to define requirements for mobile networks to meet specific security demands in different contexts. The EU toolbox, for example, was produced to ensure an adequate level of security for the 5G networks across the EU.
Furthermore, the EU Agency for Cybersecurity (ENISA) is working on a cybersecurity certification framework, which includes three certification schemes, one for ICT products, one for cloud services, and one for 5G networks. Zero trust initiatives such as the Zero Trust Architecture (ZTA) driven by NIST are aiming to further enhance security in mobile networks and communication networks in general.
The Indian government’s Indian Telecom Security Assurance Requirements (ITSAR) and the UK Telecom Security Requirements (TSR) from the National Cyber Security Centre (NCSC) are further examples of security requirements for 5G. In general, these requirements aim to raise the baseline security of products and services and to protect the networks from attacks. This ambition for enhanced and assured security stems to a large extent from the critical role of mobile networks in society, and suggested enhancements also form input to global standardization and assurance schemes such as NESAS.
Looking beyond 5G
As of now, 5G is mature in standardization, the networks are being deployed, and the total number of 5G subscriptions reached 1.1 billion in early 2023. While standardization is still addressing topics such as roaming security, certificate management for SBA, and 256-bit algorithms, research work is also zooming in on 6G. Much of this research considers use cases based on extended reality, digital-physical merge, joint communication and sensing, and extensive use of AI.
From a security perspective, there is research on, for example, quantum-resistant algorithms, hardware security and side-channel attacks, secure enclaves, cybersecurity for AI and data, privacy-preserving measures in new use cases as well as threat intelligence and security compliance verification. Future standardization work for mobile network security will, among other topics, include some or all of these in its scope.
Guiding principles to understand security standardization for 5G and beyond
- Standardization forms the backbone for mobile network security – standards are open and globally agreed upon and ensure interoperability and transparency.
- There is not one security standard that includes all – 5G includes many different standards from many different standardization organizations.
- Security doesn’t come from standardization alone: security in the implementation, deployment, configuration, and operation of the network is just as essential.
- Security assurance meets requirements for enhanced security through defined auditing processes where products are checked towards standardized specifications.
- Additional security requirements are being discussed in many countries, due to the critical role of 5G.
- Research for 6G security is ongoing and some of those topics will eventually also be on the agendas of security standardization organizations.
By driving prioritized topics in relevant standardization organizations, in conjunction with internal processes, implementation aspects, deployment, and operation of the mobile networks, Ericsson provides value and security in 5G and beyond.