A guide to 5G network security 2.0

Conceptualizing security in mobile communication networks – how does 5G fit in?

This report uncovers the telecom security aspects of the 5G era. Telecom networks are evolving rapidly across a broad technological environment which includes virtualization, disaggregation, cloud, AI, IoT and Industry 4.0. This is met by an equally broad and increasingly challenging cybersecurity environment.

5G marks the beginning of a new era of network security

Enhancements in mobile telecommunication networks are galvanizing a wave of digital transformation which is disrupting industries of all types and forcing us to rethink our traditional ways of working. Value chains are becoming value networks, where one-to-one relations between suppliers, vendors, operators, and end users are being reinvented as ecosystems of partners and co-creators.

From a user perspective, 5G is inherently different from any of the previous mobile generations. Machine-type communication, enabled by 5G, is widely anticipated to become the strategic difference and unique selling point of 5G in the long run. 5G networks will serve as critical infrastructures to facilitate the digitization, automation, and connectivity of machines, robots, transport solutions and so on. Thus, there is significant value at stake and, so too, a significantly different tolerance for risk. 5G marks the beginning of a new era of network security.

Key topics

Conceptualizing security in telecom networks

The mobile network assets

What is a telecom network and how does it work?

The mobile network assets

The telecom network transfers voice and data across the globe with high quality and consistency. User devices such as mobile phones can stay connected regardless of time and place, which is all possible thanks to standardized signaling systems and interfaces.

Mobile telecommunication networks consist of four main logical network parts: radio access network, core network, transport network, and interconnect network.

Each network part comprises three so-called planes, each of which is responsible for carrying a different type of traffic, namely: the control plane, which carries the signaling traffic; the user plane, which carries the payload (actual user) traffic; and the management plane, which carries the management traffic.

In terms of network security, all three planes can each be exposed to unique types of threats. There are also uniform threats which can affect all three planes simultaneously.

Core network functions and management systems are critical assets in a mobile network. Affecting the core network or management systems may compromise the confidentiality, availability, and integrity of the entire mobile network services.

The radio access network is also a sensitive asset, as it handles user data and may be placed in exposed locations. With the introduction of edge computing, certain core network functions are expected to be deployed closer to the access sites, which makes the access network critical as well.

Data is one of the most important assets in mobile networks, subscriber data being the most critical one in this category. Subscriber data comprises communication data (voice, text, and data sessions) as well as subscriber-related information, such as identities, location, subscription profile, and connection metadata (e.g. Call Data Records or signaling traces). To protect subscriber privacy, this data needs to be protected both in storage and in transport.

Apart from subscriber data, network management related information assets are required for proper operation of the mobile network. The management data comprises infrastructure and service configuration data, network configuration data, security-related data, and monitoring data such as performance metrics, logs, and traces.

All data deemed critical must be protected over its entire lifecycle, including secure deletion. To ensure sustained protection, it is essential to enforce secure handling of encryption keys and the use of cryptographic algorithms and protocols of appropriate strength.

For data at rest, the protection should include file system protection, encryption, integrity protection and strict access control. Additional controls are necessary for data in transit: traffic analysis to detect data being sent to unexpected communication endpoints, transport layer encryption, and monitoring of changes to router and firewall configurations.

Data-in-use protection may require selective actions on specific data items, e.g. for privacy protection. Additional access controls can be applied, and some data elements may need to be removed, obfuscated, or anonymized.

Figure 2
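As an added illustration of the removal, obfuscation and anonymization step described above (example code, not from the report), the snippet below minimizes constructed Call Data Records for analytics use: the IMSI is replaced by a keyed pseudonym, the MSISDN is dropped, and the cell identifier is coarsened to area level. The CDR field names, the cell-id format and the key are assumptions.

```python
import hmac
import hashlib
from typing import Any, Dict, List

# Constructed sample Call Data Records (CDRs); field names and values are assumptions.
SAMPLE_CDRS: List[Dict[str, Any]] = [
    {"imsi": "240991234567890", "msisdn": "+46700000001",
     "cell_id": "240-99-1234-56789", "start": "2024-01-01T10:00:00Z",
     "duration_s": 125, "bytes_up": 2048, "bytes_down": 8192},
    {"imsi": "240991234567891", "msisdn": "+46700000002",
     "cell_id": "240-99-1234-56790", "start": "2024-01-01T10:02:10Z",
     "duration_s": 30, "bytes_up": 512, "bytes_down": 1024},
]

# Placeholder key: in a real deployment it lives in an HSM/key vault and is
# rotated per purpose, so tokens from one analysis cannot be joined with another.
PSEUDONYM_KEY = b"placeholder-rotate-me"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: the same subscriber maps to the same
    token, but the token cannot be reversed or recomputed without the key
    (a plain hash of a 15-digit IMSI would be trivially brute-forced)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_cell(cell_id: str) -> str:
    """Drop the cell identifier and keep MCC-MNC-TAC (area-level location),
    assuming the constructed 'MCC-MNC-TAC-CELL' format."""
    mcc, mnc, tac, _cell = cell_id.split("-")
    return f"{mcc}-{mnc}-{tac}"


def minimize_cdr(cdr: Dict[str, Any], key: bytes = PSEUDONYM_KEY) -> Dict[str, Any]:
    """Analytics view of one CDR: identities pseudonymized, location coarsened,
    MSISDN removed entirely, usage metrics kept as they are."""
    out = {k: v for k, v in cdr.items() if k not in ("imsi", "msisdn", "cell_id")}
    out["subscriber_token"] = pseudonymize(cdr["imsi"], key)
    out["area"] = coarsen_cell(cdr["cell_id"])
    return out


def minimize_all(cdrs: List[Dict[str, Any]], key: bytes = PSEUDONYM_KEY) -> List[Dict[str, Any]]:
    return [minimize_cdr(c, key) for c in cdrs]


if __name__ == "__main__":
    for row in minimize_all(SAMPLE_CDRS):
        print(row)
```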

Key security considerations

Telecommunication network security is defined by the following layers that determine the network security experience of end users.

Figure 3

  • Network operation: the operational processes which allow networks to function and deliver targeted levels of security are highly dependent on the deployment and operations of the network itself.
  • Network deployment: at the deployment phase, networks are configured for a targeted security level, which is key to setting security parameters and further strengthening the security and resilience of the network.
  • Vendor product development: network vendors design, develop and implement the agreed standards for functional network elements and systems, which play a crucial part in making the end network product both functional and secure.
  • Telecommunication standardization: a process whereby operators, vendors and other stakeholders set standards for how networks around the globe will work together. This also includes how best to protect networks and users against malicious actors.

What kind of general threats do telecom networks face?

The number of cyber security threats across society and different industries has increased in recent years. The telecommunication industry is no different, and an increasing number of attacks and attack attempts have affected the integrity, availability, and confidentiality of the infrastructure. Commonly these attacks are enabled by trivial security errors such as improper hardening, misconfiguration, and the use of deprecated, vulnerable software versions. In contrast, telecom networks also include bespoke, specialized equipment that can only be targeted by malware which is anything but trivial. By and large, the technological barrier to successfully executing a cyber-attack no longer exists. Different types of malware and attack toolkits are sold as-a-service, complemented with options like trial periods, 24/7 user support, dedicated discussion forums and multi-language documentation. This development has contributed to a dramatic increase in the frequency of cybersecurity attacks, which are low-risk and high-pay-off for the attacker. Due to the high degree of digitization of industries and public services, the increased value of attack targets has been compounded by the increased severity of impact that a cybersecurity attack can have.

Critical infrastructure – increased value at stake in 5G

5G use cases

5G will expand traditional relationships between consumers, business users and mobile network operators. The expansion will include new relationships in the form of digitized and automated business processes of enterprises, control, and operations of machinery of industry companies. Furthermore, cyber-physical interdependency between telecom networks and smart connectivity of other infrastructure providers (cities, power, utility, transport etc.) will be enabled by new ways to access the mobile network.

  • The 5G use cases for enhanced mobile broadband, fixed wireless access and cellular IoT are embodiments of new types of payloads carried over mobile networks.
  • The massive machine-type communication will support tens of billions of power-constrained devices which typically transmit low volumes of delay-insensitive data at irregular intervals. Applications which rely on 5G critical machine-type communication will enjoy the benefit of ultra-reliable, low-latency connectivity, where data volumes can be high and business critical.
  • While IoT is a phenomenon that has already arrived and can be leveraged using both 4G and other non-3GPP access technologies, the machine-type communication cases in 5G networks will empower IoT with network capabilities, such as ultra-low latency, that have not been available before.

Figure 4

IoT device security aspects

While IoT device security is a critical component of an IoT security posture, it alone cannot ensure a secure IoT solution. Device classifications and security profiles are necessary to categorize each device type according to its use case, intended function, and the classification of the data it processes and stores. IoT also introduces new security risks due to the number of devices, the impact of an attack and the lack of appropriate security controls. IoT solutions have unique security considerations because the devices are data-centric rather than human-centric. The IoT attack surface spans the entire IoT system, including the individual device profile, scale of devices, network interfaces, IoT application, IoT platform and shared resources in the cloud. A strong IoT security posture takes zero trust and defense-in-depth approaches by placing security controls across the IoT system at multiple layers, protecting the end-to-end system and data to minimize risk. From the 5G network point of view, trust in IoT is based on the trustworthiness of the device’s hardware, software, configuration, etc. Hence, trustworthiness is cumulative and will be defined by how well network operators and those who manage IoT devices govern the following:

  • Identities and data
  • Security and privacy
  • Actor compliance with agreed security policies end-to-end

Evolution toward 5G and key technology trends

The 5G system may appear to be only a faster and more versatile radio technology, but it is much more than that. 5G is the first generation that was designed with virtualization and cloud-based technology in mind. The 5G system is not tied to any specific access type or radio technology. For example, new services provided by the 5G core network are also available via 4G radio, Wi-Fi or fixed access, depending on the network configuration. Evolution towards the 5G system started in the mid-2000s, when the focus in telecom networks shifted from circuit-switched telephony services to packet-switched networks and mobile broadband (figure 6). With cloud-based technologies, software execution can now be decoupled from specific physical hardware, removing the need for boxed, hardware-dependent functions. This is made possible by Software Defined Networking (SDN) and Network Function Virtualization (NFV). SDN offers flexibility in how the routing paths between dynamically configured virtualized network functions are set up.

The introduction of AI and increasingly powerful computers, together with cloud technologies, will become a key driver of automation technologies. Consequently, the dominant tendency in these technology trends is already resulting in telecom networks becoming more and more software driven.

Distributed cloud computing makes it possible to create partitioning for better resilience and latency.

Network slicing is about separating different types of user traffic and creating dedicated core networks ad hoc to facilitate a whole range of different 5G use cases. Network slicing enables the creation of device-type-, industry-sector- or even customer-specific subnetworks. The network slice control mechanism needs to provide appropriate slice management, configuration of access control, and secure isolation while still allowing authorized use of the shared resources. Each slice may have its own security policy that defines the security controls applicable to its specific threat landscape. Network slices designed for critical services may also use the shared resources but require careful isolation.

3GPP standardization of the 5G system

What is a 3GPP standardized 5G system?

The main service which the 5G system provides to today’s users is mobile (wireless) connectivity of a device to a network, often for Internet connectivity. This is also why the first 5G system use cases, e.g. enhanced mobile broadband and fixed wireless access, are being deployed to offer users a better experience of the Internet. 3GPP does not typically standardize application services (such as Internet applications) since they are considered to be out of scope of 3GPP’s connectivity focus. There are however a few exceptions: telecom networks have traditionally provided the possibility for two devices to connect to each other with the support of the network (e.g., to set up voice calls).

Security functions provided by the 3GPP standard

3GPP’s 5G system standards provide security mechanisms, which are based on well-proven 4G security mechanisms, but also include new enhancements for e.g. encryption, authentication, and user privacy.

Security assurance in 3GPP SCAS and GSMA: NESAS

Mobile networks form the backbone of the connected society and are even classified as critical infrastructure in some jurisdictions, making security assurance especially important. Early on, the telecom industry realized the need to ensure secure implementations in addition to the secure standardized system and protocols. Therefore, 3GPP and GSMA took the initiative to create a security assurance scheme called the Network Equipment Security Assurance Scheme (NESAS), which is suitable to the telecom equipment lifecycle. Ericsson strongly and actively supports the initiative in both 3GPP and GSMA by feeding the strongest parts of our own Security Reliability Model (SRM) into the scheme, ensuring the other parts are covered by the scheme, and aligning the two.

Security architecture in 5G

The 3GPP standardization section focused on security mechanisms in scope for 3GPP, that is, the functional elements and interfaces. Additional security considerations relate to the deployment scenarios of the 5G system:

System-wide security (horizontal security)

  • Network level
  • Slicing
  • Application level security
  • Confidentiality and integrity protection
  • Interconnect (SBA)

5G function element deployments (vertical security)

  • NFVi (virtualized or cloud native)
  • Appliance based functions
  • Distributed clouds and edge computing

Figure 5

Ericsson’s 5G product security

Ericsson’s 5G network products build further on proven 4G platforms which today offer state-of-the-art security functions and advanced product security mechanisms. Advanced product security mechanisms, together with access management, logging, a single software track and analytic tools, constitute a solid foundation for implementing security policies and operating the network securely. The Ericsson Security Reliability Model (SRM) framework specifically addresses operational needs by mandating hardening guidelines and security user guides for all Ericsson products. The SRM enables a managed, risk-based approach to security and privacy implementation where requirements are tailored to the target environment and demands. This approach helps us meet stakeholders’ expectations and cater for the rapid evolution of technology and the continuous changes in legislation globally.

Figure 6

Explore more

Cyber network security

In the era of 5G, it is important to conceptualize security on a system-wide level where telecom networks are an important component, while adopting a strong understanding of the increased value at stake and decreased risk tolerance, cyber-physical dependencies, security standards, proactive cybersecurity measures, vulnerability management and securing the supply chain.

Telecom security

Ericsson’s evolved network security is the pioneer of a simpler yet more robust era of telecom security. Our market-leading solutions equip service providers with autonomous, end-to-end telecom security – built into each layer of the network and securing all connected things everywhere, all the time.