NCCoE 5G Cybersecurity: Connecting the Dots Between IT and Teleco Cybersecurity Capabilities in 5G Systems

5G will eventually impact every single industry—from healthcare to financial to even agriculture and transportation…and its impact is only increasing over time. Despite its benefits, it comes with privacy and security risks. An increasing number of interconnected devices increases the attack surface. In addition, there are also increased supply chain vulnerabilities and network visibility issues (companies may have issues identifying attacks since there may be a lot of new web traffic from mobile devices and/or more sophistication when it comes to attacks).

The goal of the NCCoE 5G Cybersecurity project is to provide cybersecurity guidance that will help consumers and operators of 5G networks to adopt, deploy and use this technology in a more securely and privacy-enhancing way. The NCCoE 5G Cybersecurity project is meeting this goal by building a 5G network comprised of the same commercial grade telecommunication components being used in 5G networks around the world. Our testbed implementation is bringing together both the latest telecommunication standards-based security features defined by 3GPP in combination with robust cybersecurity capabilities for the underlying IT systems needed to make the 5G system work.

5G’s shift to use cloud technologies and the cybersecurity impact.

For the first time in mobile network design, 3GPP introduces the notion of a Service Based Architecture (SBA) for 5G. The new design has fundamental impacts on the way new services are created and how the system operates.

The standards designed 5G to operate as a modern cloud or internet application (like Netflix, Gmail, Facebook), where the 5G components or ‘Network Functions’ (NFs), that handle everything from authentication to billing run as complex cloud native applications. The shift to cloud infrastructure enables functions that make up 5G core networks to be deployed on commodity servers instead of purpose-built telecommunication boxes. For example, now in 5G, NFs are software containers that can be dynamically provisioned and scaled based on the workload demands. Previously, in LTE (4G) NFs were virtual machines and before that in 3G, NFs were physical dedicated telecommunication appliances. In 5G, a single 3GPP defined NF can be deployed on a commercial network as 10s or even 100s of software containers running on many distributed servers. The operational aspects of NFs in a 5G network are now largely automated, relying on container orchestration platforms to manage network functions.

The 5G standards defined by 3GPP do not specify cybersecurity protections to deploy on the underlying IT components that support and operate the 5G system. This NCCoE 5G implementation is attempting to fill that gap by demonstrating how to leverage the introduction of IT components in mobile networks as an opportunity to implement and demonstrate enhanced cybersecurity protections. The protections the NCCoE 5G testbed has deployed to date include hardware roots of trust and remote attestation capabilities in the 5G Core. These features provide a strengthened foundation for 5G Core network functions to operate on.

 Who benefits from the NCCoE 5G Cybersecurity Project?

Commercial mobile network operators: The project outputs aim to provide a better understanding of cloud security capabilities that may already be available in the systems their vendors provide. These hardware-enabled security capabilities are beyond what 5G standards currently specify and can provide a trusted foundation for the commercial off the shelf hardware. This is increasingly important as operations move to commodity platforms and software, and as mobile network technology merges with IT.

Potential private 5G network operators. Private 5G networks are expected to become a reality, such as healthcare facilities, college campuses, industrial sites. Any organization considering deploying and operating its own 5G network will need to manage its security using a risk-based approach. We will explain a range of security capabilities and the risks each capability helps mitigate, which will inform the organizations’ risk management process.

Organizations using and managing 5G-enabled technology (Consumers): Before organizations adopt 5G enabled technologies, they should make cybersecurity risk management decisions regarding their use, management, and maintenance. The information and outputs this project produces can help to inform those decisions.

How we got here and where we are going:

Since the completion of the first release of the 5G standards, NIST has been working on this cybersecurity focused 5G network deployment. It’s important our applied cybersecurity work stays aligned with industry’s commercial 5G deployments. This alignment helps to ensure NIST can provide relevant 5G cybersecurity guidance. While the industry continues to evolve — commercial 5G standalone deployments continue to make progress and news reports indicate 5G standalone networks are starting to see more subscriber traffic—the full realization of 5G technology is not yet complete.

We are delighted to share that we have achieved our first milestone…the completion of our fully functional 5G network! We can make 5G calls on our network using commercially available 5G phones. Using this 5G network in our lab, we can turn our focus from network implementation to security testing and demonstrations of the optional cybersecurity features 5G technology can provide.

The security capabilities we will demonstrate are outlined in the table in section 3.5.2 of preliminary draft NIST SP 1800-33B. As we enable, test, and demonstrate these security capabilities, we plan to share the findings in the form of blogs, website content, special publications, and seek public comments. We will initially focus on the 5G feature of protecting the subscribers’ privacy leveraging an optional 3GPP defined capability—which is something new and unique compared to 4G. We will publish the supporting artifacts in an iterative manner as we enable test bed security features.

Future areas of interest for the NCCoE’s 5G cybersecurity testbed include:

• Increasing cloud infrastructure cybersecurity capabilities by extending the integrity measurement and remote attestation capabilities up the application stack
• Exploring enablement ORAN implementations to leverage the hardware-enabled security capabilities.
• Researching the impact of the 5G networks due the introduction of the quantum safe cryptography in the various protocols.
• Research the inclusion of zero trust principals in a 5G network.
• Reference architectures and lessons learned can influence security protections built into 6G standards and technologies.

*3GPP stands for ‘3rd Generation Partnership Project,’ which is the standards development organization that specifies the architectures and protocols that underpin 5G systems.

Article provided by NIST