There is a lot of discussion regarding 5G security in the industry recently, which is good. However, it comes with several misconceptions and concerns that 5G will lead to an increased risk. Therefore we think that that proper understanding of 5G security is necessary since most of the news or information in the industry is based on inadequate knowledge of 5G security.
5G is expected to provide a variety of services in all verticals while penetrating deep into society. At the same time technologies will be brought in use in 5G natively that were not used in earlier generations of mobile communications systems. From both a technology and market perspective, this opens up new opportunities, some of which cannot even be envisioned yet. At the same time, however, there is a fear that 5G will lead to more security issues.
As we move towards 5G, there is far more understanding and awareness of security today than when previous generations of mobile networks were introduced. Therefore better planning for securing the network can be done by mobile operators. In the following we will look at some of the key security enhancements in 5G specifications and technology in use. Secondly, there are security aspects to consider pertaining to the operations of 5G networks. We will consider the operations aspect as well.
- User-plane integrity protection: Previous generations of mobile communication systems were mainly focused on voice communications thus, for service quality considerations the user-plane, which carries the network user traffic, was not integrity protected. In 5G the user-plane has integrity protection from the very beginning.
- Service based architecture: The core network control plane architecture has adapted well established IT based technology. Security is provisioned in the form of authorization and authentication while using Transport Layer Security (TLS) for secure communication.
- Interconnect security:Security issues especially on roaming interconnect has become a major issue in mobile systems. With this understanding, 5G brings interconnect security in the form of SEcurity Protection Proxy (SEPP), ensuring secure traffic between different 5G networks.
- Initial NAS security: Non-Access Stratum (NAS) messages are used for control plane signaling between the mobile device and the core network. Unlike previous generations of mobile systems, 5G provides security from the very first NAS message.
- Unified authentication and home control:5G networks are envisioned to use other technologies such as WiFi thus the 5G specifications provide unified authentication solution for any access technology. At the same time, to reduce fraud, the home network controls whether authentication of a device to a given network should take place.
- Enhanced privacy protection:Privacy in earlier generations of mobile systems was provisioned by temporary subscriber identity. While temporary identity will be used in 5G, the 5G system also provides enhanced privacy with the use of public / private key pairs to conceal the subscriber identity.
Even though 5G brings security enhancements, there are several other aspects of importance to make 5G secure, such as secure network operations. The 5G specifications not only enhances security with the new security features mentioned above. Maybe even more importantly, 5G also provides more options to secure networks from an operations perspective.
- Vulnerability management: First and foremost it is important to do vulnerability management in the network, which can be done using various tools available in the market with support of security experts
- Virtualization and Cloud: Both virtualization and cloud form a key part of 5G and they come with their own set of security challenges. One of the issues of using virtualization for mobile systems is security context that is not appropriately stored or removed. The same issue is slightly bigger in cloud since virtual machine migration can take place. The solution is very logical: design the network based on appropriate understanding of mobile systems while providing monitoring and management of network with capability of correlating communication in different parts of the network.
- New services and API: New services and increased exposure of APIs will also lead to increased footprint and thus an increase in the attack surface. The Solution to this is as simple as following the basic logic of designing security from the beginning while keeping in mind to provision adequate security for APIs.
- Identity: Identities of very different types and purpose will be another major aspect in the secure operations of the network. Proper policies and procedures combined with identity binding and secure monitoring will be required to tackle the security issues.
- Integration: Mobile network requires interworking and integration with multiple networks such as enterprise Information Technology (IT) networks, mobile network IT systems (Operations Service Support, OSS, and Business Service Support, BSS), integration with other networks in the country including fixed or mobile networks and public services, roaming networks and Internet connectivity. In this case, too, a logical security design with consideration of given interfaces and access control will lead to a secure network.
5G will bring several enhancements that will benefit the society and thus will lead to increased penetration of mobile communication system. Therefore, a logical approach to security which considers security from the very beginning becomes ever important, if not inevitable. This approach also ensures having a secure 5G system instead of waiting for issues to happen. In other words, despite the massive increase in data and applications running on 5G, security of mobile communications will improve with the next generation of networks.
Anand R. Prasad
Dr. Anand R. Prasad is a global leader and expert in information and cyber security who has delivered security solutions for 5G, 4G, virtualization, SOC, Wi-Fi, mobile devices, enterprise and built GRC processes from scratch.
Anand is Founder and CEO of wenovator LLC, a global provider of cybersecurity services and consulting with top-tier clients right across the telecommunications industry. Dr. Prasad is also a Senior Security Advisor of NTT DOCOMO, providing advise on all aspects of cybersecurity for the company, Advisor to CTIF and Advisory to GuardRails. Prior to which he was Chief Information Security Officer of Rakuten Mobile, the world's leading MNO with the very first cloud-native 4G / 5G network implementation. As CISO of Rakuten Mobile Anand led all aspects of enterprise and mobile network security from design, deployment to operations.
With over 20 years of experience, Anand has also held key roles in NEC, Genista, Lucent Technologies and Uniden. He is an innovator with over 50 patents, a recognized keynote speaker (RSA, GWS, MWC, ICT etc.) and a prolific writer with 6 books and over 50 peer reviewed publications. Anand was the Chairman of 3GPP SA3 where he led the standardization of 5G security. He did his ir (MScEE) and PhD from Delft University of Technology, The Netherlands. He is a Fellow of IET, Fellow of IETE and CISSP. Anand is Editor-in-Chief of the Journal of ICT Standardization and Co-Founder & Co-Editor of Cybersecurity Magazine.