Why 5G will lead to improved security for mobile communications

There has been a lot of discussion about 5G security in the industry recently, which is good. However, it comes with several misconceptions and concerns that 5G will lead to increased risk. We therefore think that a proper understanding of 5G security is necessary, since most of the news or information in the industry is based on inadequate knowledge of 5G security.

5G is expected to provide a variety of services in all verticals while penetrating deep into society. At the same time, 5G will natively use technologies that were not used in earlier generations of mobile communications systems. From both a technology and market perspective, this opens up new opportunities, some of which cannot even be envisioned yet. At the same time, however, there is a fear that 5G will lead to more security issues.

As we move towards 5G, there is far more understanding and awareness of security today than when previous generations of mobile networks were introduced. Mobile operators can therefore plan better for securing the network. In the following we will first look at some of the key security enhancements in the 5G specifications and the technology in use. Secondly, there are security aspects to consider pertaining to the operations of 5G networks, and we will consider the operations aspect as well.

The 5G specifications bring several security enhancements. In the following we focus on a few of the highlights; further details can be found here and in the original specification here.

  • User-plane integrity protection: Previous generations of mobile communication systems were mainly focused on voice communications; thus, for service quality reasons, the user plane, which carries the network user traffic, was not integrity protected. In 5G the user plane has integrity protection from the very beginning.
  • Service based architecture: The core network control plane architecture has adapted well-established IT-based technology. Security is provisioned in the form of authorization and authentication, with Transport Layer Security (TLS) used for secure communication.
  • Interconnect security: Security issues, especially on the roaming interconnect, have become a major issue in mobile systems. With this understanding, 5G brings interconnect security in the form of the SEcurity Protection Proxy (SEPP), ensuring secure traffic between different 5G networks.
  • Initial NAS security: Non-Access Stratum (NAS) messages are used for control plane signaling between the mobile device and the core network. Unlike previous generations of mobile systems, 5G provides security from the very first NAS message.
  • Unified authentication and home control: 5G networks are envisioned to use other technologies such as Wi-Fi; thus the 5G specifications provide a unified authentication solution for any access technology. At the same time, to reduce fraud, the home network controls whether authentication of a device to a given network should take place.
  • Enhanced privacy protection: Privacy in earlier generations of mobile systems was provisioned by a temporary subscriber identity. While a temporary identity will still be used in 5G, the 5G system also provides enhanced privacy by using public/private key pairs to conceal the subscriber identity.

Even though 5G brings security enhancements, there are several other aspects of importance to make 5G secure, such as secure network operations. The 5G specifications not only enhance security with the new security features mentioned above; maybe even more importantly, 5G also provides more options to secure networks from an operations perspective.

  • Vulnerability management: First and foremost, it is important to do vulnerability management in the network, which can be done using various tools available in the market with the support of security experts.
  • Virtualization and Cloud: Both virtualization and cloud form a key part of 5G, and they come with their own set of security challenges. One of the issues of using virtualization for mobile systems is security context that is not appropriately stored or removed. The same issue is slightly bigger in the cloud, since virtual machine migration can take place. The solution is very logical: design the network based on an appropriate understanding of mobile systems, while providing monitoring and management of the network with the capability of correlating communication in different parts of the network.
  • New services and API: New services and increased exposure of APIs will also lead to an increased footprint and thus an increase in the attack surface. The solution to this is as simple as following the basic logic of designing security in from the beginning, while keeping in mind to provision adequate security for APIs.
  • Identity: Identities of very different types and purposes will be another major aspect in the secure operations of the network. Proper policies and procedures combined with identity binding and secure monitoring will be required to tackle the security issues.
  • Integration: A mobile network requires interworking and integration with multiple networks, such as enterprise Information Technology (IT) networks, mobile network IT systems (Operations Service Support, OSS, and Business Service Support, BSS), other networks in the country including fixed or mobile networks and public services, roaming networks and Internet connectivity. In this case, too, a logical security design with consideration of the given interfaces and access control will lead to a secure network.

5G will bring several enhancements that will benefit society and thus will lead to increased penetration of mobile communication systems. Therefore, a logical approach to security, one which considers security from the very beginning, becomes ever more important, if not inevitable. This approach also ensures having a secure 5G system instead of waiting for issues to happen. In other words, despite the massive increase in data and applications running on 5G, security of mobile communications will improve with the next generation of networks.

Anand R. Prasad
Chief Information Security Officer at Rakuten Mobile Network

Anand is Chief Information Security Officer of Rakuten Mobile Network, responsible for 4G, 5G and network security. Prior to joining Rakuten, Anand had over 20 years of experience in the mobile and wireless networking industry with key roles in NEC Corporation, NTT DOCOMO, Genista Corporation, Lucent Technologies and Uniden Corporation. Anand is an innovator with over 50 patents, a recognized keynote speaker (RSA, Global Wireless Summit (GWS), MWC, ICT etc.) and a prolific writer with 6 books & over 50 peer-reviewed publications.

Anand is the Chairman of 3GPP SA3 (the mobile communications security and privacy group), was governing council member of TSDSI, governing body member of GISFI, Fellow of IET, Fellow of IETE and Certified Information Systems Security Professional (CISSP).
