5G technology has rapidly emerged as the next big thing in the telecommunications industry, promising faster speeds, increased capacity, and improved network reliability.
However, as with any new technology, 5G networks also come with their own set of security standards, challenges, Privacy concerns.
In this article, we will try to explore into details about 5G security and enhancements that have been made over 4G to ensure a more secure network environment.
The 5G system has introduced several security improvements, including subscriber authentication terminated in HPLMN, non-SIM card-based authentication for IoT devices, enhanced subscriber privacy with mechanisms for encrypting long term subscriber identifiers and no longer using them for paging, support of TLS and OAuth 2.0 mandatory on all network functions for SBA security and interconnect.
The 5G system security improvements also includes further mandatory integrity protection of the user plane on UE and gNB, optional control of the operator, and IPsec support mandatory on gNB side for protection of RAN-CN interfaces (transport), with DTLS over SCTP support mandatory in addition to IPsec.
In the 3GPP network, security assurance methodology (SCAS) is defined by SA3. This methodology ensures that network equipment meets security requirements and follows secure development and product lifecycle processes.
As mobile systems form the backbone of the connected society and are classified as critical infrastructure in some jurisdictions, security assurance is of utmost importance.
To create a security assurance scheme suitable for the telecom equipment lifecycle, the NESAS (network equipment security assurance scheme) was initiated by 3GPP and GSMA.
The NESAS comprises two main components: security requirements defined by 3GPP (SCAS – SeCurity Assurance Specifications) and auditing infrastructure governed by GSMA.
The NESAS aims to meet the requirements of many national and international cybersecurity regulations, such as the EU cybersecurity certification framework. Work is ongoing to develop new SCASes for network functions of the 5G system.
5G Security Standards
Basic 5G Security Standards
5G Security Standards Includes:
- 3GPP (3rd Generation Partnership Project)
- Joint Technical Committee for IT
- NESAS (The Network Equipment Security Assurance Scheme)
- NIST, GSMA, and Others
Security Standards Applicable to 5G Cloud Computing
1. International Standard related to Information Security Management Systems
- ISO 27001:2013 – Information security management systems – Requirements (Annex A)
- ISO 27002:2013 – Code of practice for information security controls
- ISO 27003:2017 – Information security management systems – Guidance
- ISO 27017:2015 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- Guidelines on Security and Privacy in Public Cloud Computing (SP-800 144)
- Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53)
2. CSA (Cloud Security Alliance)
The Cloud Security Alliance (CSA) is an organization that aims to promote best practices for providing security assurance within cloud computing.
It is a member-driven organization that has released the Cloud Controls Matrix (CCM), which is a baseline set of security controls to help enterprises assess the risk associated with a cloud computing provider.
The CCM consists of 16 control frameworks that cover various security domains, such as compliance, data security, and application security.
The National Institute of Standards and Technology (NIST) has also published several guidelines related to security and privacy in cloud computing.
The Guidelines on Security and Privacy in Public Cloud Computing (SP-800 144) provide an overview of security and privacy issues in cloud computing and offer recommendations for organizations to address those issues.
The Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53) provides a catalog of security and privacy controls for federal information systems and organizations.
The Cybersecurity Framework is a common baseline that provides a risk-based approach to managing cybersecurity risk.
4. COBIT (Control Objectives for IT)
ISACA’s Control Objectives for IT (COBIT) is a standard that is developed and maintained by ISACA. COBIT 5 provides a framework for IT management and governance of business-driven, IT-based projects and operations.
ISACA has released several publications about applying COBIT to the cloud. These publications provide guidance on how to use COBIT to manage risks associated with cloud computing and ensure that cloud-based services align with the organization’s goals and objectives.
5G System Security Enhancements
The 5G Core network incorporates several security enhancements to protect against potential threats. While the 5G network reuses most of the security mechanisms from the 4G EPS network itself, some additional security features have been introduced in the Core network.
These include support for EAP, home control, SUPI privacy, SBA security, enhanced key separation, edge protection, roaming security, service communication proxy, enhanced API gateway with security, and control of GTP-U Firewall (PFCP).
The SBI communication within the network is protected using mutual authentication OAuth 2.0 (Trust) and TLS Encryption of inter and intra-VNF interfaces (Integrity). Certificate management is also an important feature of the 5G Core network, which includes automated certificate enrollment and lifecycle management, and certificate/keys storage in secured enclaves.
5G Security Mandatory Requirements:
- Network Security and Integrity: Electronic Communication Code Applicable to Telco Providers
- Network and Information Security
- Privacy Code
- SOX and other Specification Laws
5G Security Best Practices:
- ISO 27000 Family
- ISO 27001/02 ISMS, ISO 27005 Inf. Risk Management, ISO 27017 Information Security Control for Cloud Services, ISO 27018 PII in Public Clouds
- ENISA Guidelines: Data Breach Risk, Impact Analysis & Network Security
- CIS (Center for Internet Security): Systems Hardening
- CSA (Cloud Security Alliance): CCM- Cloud Control Matrix
Beyond the Kubernetes security standards, additional security measures have been implemented, such as VPN traffic isolation on networking interfaces, Soft Guard Extensions (SGX) for total microservice isolation, secured enclave cache, and memory encryption engine. These measures help to ensure that the 5G Core network is secure and protected against potential security threats.
5G Core Security Enhancements Include:
- EAP Support
- Home control
- SUPI privacy
- SBA security
- Enhanced key separation
- Edge protection and roaming security
- Service communication proxy
- Enhanced API gateway with security
- Control of GTP-U Firewall (PFCP)
- Protection of SBI communication on internal and external communication with:
- Mutual authentication OAuth 2.0 (Trust)
- TLS Encryption of inter and intra-VNF interfaces (Integrity)
- Certificate management with:
- Automated certificate enrollment and Lifecycle management
- Certificate/Keys storage in secured enclaves
- Beyond Kubernetes security standards with:
- Additional VPN Traffic isolation on networking interfaces
- Soft Guard Extensions (SGX) for total microservice isolation
- Secured Enclave Cache
- Memory Encryption Engine
Below are the in-details 5G security enhancements points are discussed:
1. Subscriber Authentication Improvements
- Authentication terminated in HPLMN: This improvement ensures that subscriber authentication is terminated in the Home Public Land Mobile Network (HPLMN), reducing the risk of unauthorized access.
- Non-SIM card-based authentication for IoT devices: This feature provides non-SIM based authentication for IoT devices, allowing for secure access to the network.
2. Enhanced Subscriber Privacy
- Mechanisms for encrypting long-term subscriber identifiers: This improvement provides mechanisms for encrypting long-term subscriber identifiers, making them more secure.
- No longer using long-term subscriber identifiers for paging: This enhancement ensures that long-term subscriber identifiers are no longer used for paging, reducing the risk of unauthorized access.
3. Security for Service-Based Architecture (SBA) and Interconnect
- Support of TLS and OAuth 2.0 mandatory on all network functions: This feature ensures that Transport Layer Security (TLS) and OAuth 2.0 are supported on all network functions, providing a secure service-based architecture and interconnect.
- Application layer security enablers between operators: This enhancement provides application layer security enablers between operators, further improving security.
4. Integrity Protection of User Plane
- Integrity protection of user plane mandatory on UE and gNB: This feature ensures that integrity protection of user plane is mandatory on User Equipment (UE) and gNB (gNodeB), providing secure communication.
- Use of integrity protection of user plane is optional and under the control of the operator: This enhancement provides the option for the operator to control the use of integrity protection of user plane.
5. Protection of RAN-CN Interfaces (Transport)
- IPsec Support Mandatory on gNB Side: This feature ensures that Internet Protocol Security (IPsec) is supported on the gNB side, providing secure transport.
- DTLS over SCTP Support Mandatory in Addition to IPsec: This enhancement provides Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) support, in addition to IPsec, further improving security.