US federal agencies leading on cybersecurity discuss incidents in terms of ‘left of boom’ and ‘right of boom’. ‘Boom’ is the incident in the form of an attack or breach. ’Boom’ can vary widely from known attacks to zero-day or novel attacks. ‘Left of boom’ is the preparation to defend against an incident and ensure processes are in place to respond and recover. This phase inherently focuses on known attacks and vulnerabilities. ‘Right of boom’ is the response to the incident.
Solarwinds was a novel attack uncovered in December 2020 that combined multiple zero-day attacks enabling a malicious actor to exploit the software supply chain, gain access to resources, perform reconnaissance on the network, and move laterally through the network to expand the reconnaissance mission. A significant outcome of Solarwinds was a full court press from US federal agencies driven by the directives in the President’s Executive Order (EO) 14028, Improving the Nation’s Cybersecurity [1].
Solarwinds shifted the focus to Zero Trust
Solarwinds was an inflection point for cybersecurity, particularly as services migrate to the cloud. Perimeter-based defenses provide value to secure assets, but alone are insufficient. Security controls must be implemented with the assumption that the adversary is already inside the network to detect and prevent lateral movement, reconnaissance, and data theft. This is important to consider for 5G cloud-based deployments, as 5G will be a general digital platform for enterprise and society that supports critical infrastructure, mission critical applications, public safety, smart manufacturing, connected car, and other realtime, low latency use cases. 5G is the first cellular technology designed for the cloud where the expanded attack surface could create opportunity for a cyberattack that has greater impact, while at the same time there is reduced risk tolerance.
The increased risk from cyberattacks has advanced interest in zero trust architecture (ZTA) for 5G cloud-based deployments. The principles of a zero-trust architecture (ZTA) for 5G cloud deployments are based on perimeter-less security in which each asset implements security controls. In October of 2021, the United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released its “Security Guidance for 5G Cloud Infrastructures” [2] based on the work of the Enduring Security Framework’s (ESF) 5G Cloud Working Panel. This is the first publication from a government agency around the globe that provides guidance for a security posture that specifically connects 5G, Cloud, and ZTA.
Elements of a ZTA for 5G cloud deployments
Secure 5G cloud deployments should implement the security features that are part of a zero-trust architecture, including:
- Continuous monitoring and logging
- Threat Detection and Response (TDR)
- Data encryption and integrity checking for data-at-rest, data-in-motion, and data-in-use
- Micro-segmentation and isolation, including tenant isolation and container isolation
- Strong authentication using TLS 1.2 or 1.3 with PKI X.509 certificates on network interfaces and multi-factor authentication for users. [It is worth noting that CISA added single-factor password-based authentication to its List of Bad Practices in August 2021.]
- Supply chain security in which vendors and upstream suppliers implement a secure software development lifecycle, DevSecOps, and Continuous Integration/Continuous Deployment (CI/CD)
- A chain of trust based upon a hardware root of trust using HSM
- Plus, perimeter security, which has successfully protected networks and should continue as a component of a ZTA
Figure 1. Security Features for a 5G Cloud Zero-Trust Architecture (ZTA)
The CISA work builds upon the US National Institute for Standards and Technology (NIST) Special Publication (SP) 800-207 Zero Trust Architecture [3], which defines a ZTA to have no implicit trust granted to an asset based upon ownership, physical location, or network location. This is significant for securing 5G, particularly the Radio Access Network (RAN), where historically the thinking from mobile network operators has been, the RAN is owned by me, running in my network, and residing on my property. As RAN functions become virtualized and migrate to the cloud, like Ericsson’s Cloud RAN [4] for example, each function must be an independently secured asset that does not rely upon perimeter protection. 5G cloud deployments may reside in a third-party’s facility, such as with Multi-access Edge Compute (MEC), a 3rd-party may be managing infrastructure, and the software platform has components from other 3rd-parties with potential vulnerabilities. This requires a zero-trust mindset for 5G cloud deployments. Fortunately, 3GPP specified 5G to include many security features that align with NIST’s 7 tenets for a ZTA.
New resource and recommendations from 5G Americas
5G Americas recently published its paper “Security for 5G” [5], providing recommendations for the security of 5G cloud deployments, including an analysis of the alignment of 3GPP security requirements to the NIST ZTA, which is summarized in the graphic below. Ericsson played a key role as the co-lead author for the 5G Americas paper, written in collaboration with 5G security experts representing other members of 5G Americas, including US mobile network operators.
Figure 2. Alignment of 3GPP security features for 5G to the NIST 7 Tenets for a ZTA
The 5G Americas paper, the third in its series of security papers, makes the following four primary recommendations for securing 5G networks:
- Build 5G networks with a ZTA that is complemented with perimeter security to provide protection from internal and external threats.
- Implement a 3GPP Release 16 5G standalone network to benefit from security enhancements that support a zero-trust architecture and follow CSRIC VII recommendations.
- Follow industry best practices for secure cloud deployments, including secure CNFs, orchestration, automation, APIs, and infrastructure. These best practices are applicable to private, public, and hybrid deployment models.
- Consider supply chain security as a component of 5G security. Use trusted suppliers that follow industry best practices for secure development processes.
A 5G security posture must continuously evolve to match evolving threats and new security controls tools and techniques. Security considerations must be made as 5G migrates to cloud-based deployments, due to the cloud’s expanded attack surface. 5G Americas has provided key recommendations for secure 5G cloud deployments that align well with CISA’s guidance for 5G cloud deployments based upon the principles of a ZTA. A secure 5G cloud deployment builds-in ZTA with a secure supply chain, secure software development processes, strong authentication, strong data protection, continuous monitoring and logging, and industry best practices for cloud security. A foundation of strong security based on ZTA will help to ensure 5G meets its promises for society.
References
[1] Executive Order on Improving the Nation’s Cybersecurity, EO 14028, The White House, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[2] “Security Guidance for 5G Cloud Infrastructures”, United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), https://www.cisa.gov/news/2021/10/28/nsa-and-cisa-provide-cybersecurity-guidance-5g-cloud-infrastructures
[3] Zero Trust Architecture, Special Publication (SP) 800-207, US National Institute for Standards and Technology (NIST), https://csrc.nist.gov/publications/detail/sp/800-207/final
[4] Ericsson Cloud RAN, https://www.ericsson.com/en/ran/cloud
[5] “Security for 5G”, 5G Americas, https://www.5gamericas.org/security-for-5g/