Designing 6G security: key topics shaping the next generation
- 6G security will build on the strong foundation established in 5G, but a new G is also a rare opportunity to revisit mobile security from the ground up to adapt to new technologies, use cases and threats.
- 6G security standardization in 3GPP will cover generation-independent security as well as security for both baseline connectivity services and capabilities beyond connectivity. Topics include, for example, Zero Trust, post-quantum cryptography and AI security.
6G offers a once-in-a-decade opportunity to reassess security design. Emerging technologies, novel use cases and evolving threats are reshaping the fundamental assumptions of mobile network security. This evolution necessitates a thorough reassessment of the security frameworks established in 5G, ensuring they effectively address the complexities of the future.
Standardization is key to ensuring mobile networks remain interoperable and secure. 3GPP, the main standardization body for mobile networks, drives this work, and within it, the working group SA3 defines the security architecture and protocols that protect devices, networks and users.
With 6G standardization underway, SA3 has begun exploring how to evolve security for a future shaped by artificial intelligence (AI), integrated sensing and communication (ISAC), network exposure, post-quantum cryptography and new ways of connecting people and things. This blog takes a closer look at the topics likely to shape 6G security and the principles guiding its design.
Two perspectives on 6G security design
Security work for 6G in 3GPP can be thought of in two broad perspectives. The first focuses on the 6G system itself: its baseline architecture, and new features and capabilities.
The second covers generation-independent security topics. These are not tied to 6G specifically but are shaped by evolving threats, regulatory requirements and best practices, such as Zero Trust principles and post-quantum cryptography. It also includes security assurance, ensuring that security mechanisms are not only specified, but can also be verified to work as intended in real deployments.
These two perspectives are closely related. SA3 collaborates with other 3GPP working groups to ensure that functional security measures and assurance mechanisms are embedded in the design of the system from the first release onward.
A once-in-a-decade opportunity to redesign security
3GPP mobile standards evolve incrementally, often maintaining backward compatibility so devices and networks work with earlier 3GPP releases. This stability is critical, but it can also limit radical improvements. A new generation like 6G offers a rare chance to rethink core design principles. Unlike releases within the same generation, a new generation also allows improvements that might otherwise be difficult to introduce if they conflicted with backward-compatibility assumptions.
While 6G will build on the experience of 5G, it can also introduce architectural and security enhancements without being constrained by backward compatibility. The first release of 6G will set the foundation for years to come. That makes it essential to design security that is robust, forward-looking and resilient to emerging threats. Decisions made now will influence the ecosystem for the next decade, shaping how operators, regulators and users experience the network.
Applying a risk-based approach to 6G security
Security exists for one purpose: to manage risk. Authentication, encryption and other mechanisms are only effective when they address real threats. Designing 6G security starts with a systematic threat and risk analysis. This means identifying the assets that need protection (devices, network functions, and data), understanding potential threats and assessing the likelihood and potential impact of those threats.
Without this approach, security measures can either leave vulnerabilities unaddressed or they can become overengineered, adding cost and complexity without improving protection. A risk-based approach is therefore not about adding more security everywhere, but about applying the right protection in the right places for the threats that actually matter.
6G will inherit the evolving security foundation of 5G, but new use cases and technologies will expand the threat landscape. Even small changes to system principles can introduce unforeseen risks. Revisiting threat and risk assumptions at the start of each new generation is essential to ensure the security architecture remains robust.
Threat and risk analysis is not a one-time task. It must evolve alongside 6G as new capabilities are introduced across successive 3GPP releases. Doing this gives operators, regulators and users a clear understanding of the network’s security posture and the rationale behind security choices.
Threat modelling and security-by-design principles
Threat modelling is a key part of a security-by-design approach. It starts by identifying what needs protection and mapping out the trust boundaries within the system. Entities inside a trust boundary are assumed to be trustworthy while outside entities are not. Attackers are assumed to act at these boundaries and therefore security controls are applied there.
A Zero Trust approach assumes that breaches may already exist or could occur at any time. Trust boundaries are minimized and protections are applied as close as possible to the assets themselves.
Taken together, these controls form the overall security architecture of the system, with their placement and strength shaped by the assessed risk of each threat, balancing protection with cost and operational complexity.
For 6G, threat modelling should underpin all major design decisions, from baseline connectivity to advanced capabilities like AI and ISAC. By integrating risk assessment, Zero Trust principles and systematic modelling from the start, 6G can achieve a security posture that is both resilient and future-proof.
Key 6G security topics
As the 6G standard takes shape, the security work in 3GPP working group SA3 spans three overlapping areas: generation-independent topics, baseline connectivity and new capabilities beyond connectivity. Together, they define the blueprint for a secure 6G ecosystem.
Generation-independent topics
Some security topics, such as Zero Trust, are relevant to any mobile network generation. Rather than relying solely on perimeter defenses, Zero Trust emphasizes verifying every attempt to access assets and minimizing trust boundaries around critical assets. Many principles now associated with Zero Trust have already been present in 3GPP security design for years, but 6G offers an opportunity to apply them even more systematically from the outset. The American National Institute of Standards and Technology (NIST) has published NIST SP 800-207, one of the main references used in the mobile industry to achieve a Zero Trust Architecture.
Post-quantum cryptography (PQC) is another important generation-independent topic. Large-scale quantum computers threaten the traditional asymmetric algorithms used for encryption and authentication. To address this threat, 3GPP SA3 is planning a gradual transition to PQC algorithms, aligned with timelines set by NIST, ensuring 6G will be resilient to future quantum threats from day one. This work builds on SA3’s review of where asymmetric cryptography is used across the 3GPP system and will rely heavily on protocol developments in bodies such as the Internet Engineering Task Force (IETF) using algorithms selected through NIST’s PQC standardization process.
Upgraded radio interface algorithms are also in the works. Moving from 128-bit to 256-bit algorithms, along with authenticated encryption with additional data (AEAD), will improve performance, energy efficiency and security. Importantly, the move is not driven by an immediate weakness in existing 128-bit protection, but by the opportunity to improve efficiency and simplify cryptographic design for future systems.
All of these improvements are expected to be implemented in 6G from the first 3GPP release.
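As an added illustration of the 256-bit AEAD protection described above (not code from this post or from 3GPP), the Go example below encrypts a payload and authenticates it together with a cleartext header in a single operation. AES-256-GCM is used as a stand-in because the post names no algorithm; the `Header` layout, its field names and the all-zero key are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Header is a hypothetical cleartext packet header, not a 3GPP format.
type Header struct {
	Flags, Bearer, Direction uint8
	Count                    uint32
}

// aad is the header as sent: readable on the wire, but covered by the tag.
func (h Header) aad() []byte {
	c := h.Count
	return []byte{h.Flags, h.Bearer, h.Direction, byte(c >> 24), byte(c >> 16), byte(c >> 8), byte(c)}
}

// nonce is 96 bits from bearer, direction and count; it must never repeat under one key.
func (h Header) nonce() []byte {
	return append(make([]byte, 6), h.aad()[1:]...)
}

// NewAEAD returns AES-GCM; a 32-byte key selects AES-256.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Protect encrypts the payload and authenticates header and payload in one pass.
func Protect(a cipher.AEAD, h Header, payload []byte) []byte {
	return a.Seal(nil, h.nonce(), payload, h.aad())
}
// Unprotect fails if the ciphertext, the tag or the cleartext header was altered.
func Unprotect(a cipher.AEAD, h Header, ct []byte) ([]byte, error) {
	return a.Open(nil, h.nonce(), ct, h.aad())
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	ct := Protect(a, Header{Bearer: 3, Direction: 1, Count: 42}, []byte("constructed payload"))
	_, err := Unprotect(a, Header{Flags: 1, Bearer: 3, Direction: 1, Count: 42}, ct) // Flags bit flipped
	fmt.Println("tampered header rejected:", err != nil)
}
```

The `Flags` field is deliberately left out of the nonce, so its tampering is caught only because the header is passed as additional data.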
Securing baseline 6G connectivity
The 6G baseline system will build on 5G standards, maintaining proven security measures while integrating new improvements where justified by risk assessment. Mutual authentication between devices and networks remains fundamental, generating keys to protect signaling and user-plane data.
Internal network interfaces in the Radio Access Network (RAN) and Core Network (CN) are expected to continue to be secured using IP layer security (IPsec) and transport layer security (TLS/DTLS), following Zero Trust and defense-in-depth principles. As in 5G, this layered approach combines protection across network-security boundaries with end-to-end protection between network functions, reducing reliance on any single security control.
Automated certificate management further eases operational burdens for operators. This robust approach ensures that 6G’s foundation is both familiar and strengthened to handle emerging threats.
Non-terrestrial (satellite-based) and mission-critical networks rely on the same principles. Security mechanisms are adapted to each context, and overlay protections ensure that mission-critical operators can maintain independence and trust across shared infrastructure. In such deployments, mission-critical services can rely on their own credentials and overlay security mechanisms defined in 3GPP, allowing mission-critical operators to maintain trust even when connectivity is provided by shared mobile networks.
Securing new 6G capabilities beyond connectivity
6G will introduce several new capabilities that extend beyond traditional connectivity, each bringing its own unique security considerations. The most notable of these capabilities are in the areas of AI, ISAC, network exposure and data frameworks.
AI
6G networks will both use AI and support AI-driven applications. SA3 will define standards for the security of AI systems and for using AI to enhance security, ensuring both sides of the equation are covered. This work will need to align closely with parallel studies across 3GPP on AI-enabled network functions and AI support frameworks so that security and privacy considerations are built into these capabilities from the start.
ISAC
6G networks will be able to sense the environment, producing data that may include information about people and objects. Security and privacy measures must protect this data, control access and ensure that sensing results are only available to authorized clients. This is particularly important because sensing may reveal information about people or objects even when no device is present, making its privacy characteristics fundamentally different from traditional mobile-network services.
Network exposure
Network exposure is about application programming interfaces (APIs) allowing applications to access network functionality, consequently making the mobile networks programmable. With AI and ISAC generating more valuable data, securing API access is critical to prevent misuse or breaches.
Data frameworks
Large volumes of data from AI and network operations require secure collection, storage and access control. SA3 will define protections for this emerging “data plane,” complementing traditional control, user and management planes. The need for such protection is driven by the scale and sensitivity of data expected from AI and network operations, which together are pushing mobile systems toward more common ways of collecting, storing and exposing data securely.
Industry collaboration and standards coordination
While 3GPP is the main standards organization for mobile networks and their security, other bodies (for example, O-RAN Alliance, IETF, European Telecommunications Standards Institute (ETSI) and the GSM Association (GSMA)) and industry partners play critical roles. Coordination is key to avoid fragmentation and ensure a well-functioning, secure ecosystem.
Mobile network security depends on four interdependent processes: standardization, development, deployment and operations. Risk-based thinking and Zero Trust principles apply across all of them. Standardization acts as the foundation, enabling operators and regulators to implement and manage security effectively and ensuring interoperability. Industry collaboration, academic input and regulatory guidance all contribute to a robust, holistic approach to 6G security.
Conclusion
6G offers a rare opportunity to revisit mobile security from the ground up. While the system will build on the strong foundation established by 5G, improvements must be guided by rigorous risk assessment and Zero Trust principles. Proactive, forward-looking design will be particularly important in areas such as post-quantum cryptography and embedding Zero Trust architecture from the outset.
3GPP SA3 is laying the foundation for 6G security, but the success of the next generation of mobile networks will depend on broad industry collaboration. Operators, vendors, academia and regulators all have a role to play in ensuring that 6G networks are secure, resilient and ready for the challenges of the decade ahead.