Cyber Security of 5G Networks

CYBERSECURITY OF 5G NETWORKS

Global mobile Suppliers Association


Pentti Lehtinen - November 27th, 2019

© 2019 Global mobile Suppliers Association
INTRODUCTION
About GSA – Global mobile Suppliers Association
• GSA (the Global mobile Suppliers Association) is a not-for-profit industry organization representing the leading companies across the worldwide mobile ecosystem that are engaged in the supply of infrastructure, semiconductors, devices, services, testing and validation, and applications development, as well as support services.
• We co-operate with other key organizations of the industry, such as ITU, ETSI, 3GPP, GSMA, COAI, EATA and NGMN. The GSA Spectrum Group works globally and regionally to actively promote the technology roadmap of industry standards and the harmonization of spectrum for mobile services.

Existing security capabilities of 5G networks

EXISTING SECURITY CAPABILITIES OF 5G NETWORKS
Security architecture specified by 3GPP
• 3GPP and other Standards Developing Organizations provide multiple security measures, such as
  • authentication and authorization mechanisms between network and devices and between network elements of a single or different networks;
  • cryptographic protection of traffic on the various network interfaces;
  • temporary identities and concealed identities to hide the subscribers’ permanent identities in the communication over the radio interface;
  • secure environment inside the (physically exposed) base stations to ensure a secure boot and protect sensitive data.
• Most of the new security functions are ‘mandatory to support, optional to use’, i.e. vendors are required to implement the features but they are not necessarily taken into use by network operators or enterprises using 5G products.

EXISTING SECURITY CAPABILITIES OF 5G NETWORKS
Security capabilities not specified by 3GPP
• Security is comprehensively baked into the 5G product life-cycle of suppliers with various proactive and reactive measures, such as
  • security threat and risk analysis within planning of new features and products
  • secure coding, hardening and privacy implementation within development
  • security testing within integration and verification
  • security vulnerability monitoring and patching within support and maintenance
• Many security capabilities are part of the deployment and operation of actual 5G networks, such as
  • the degree of RAN and Core separation in a specific network deployment situation, which is not specifically determined by 3GPP
  • building end-to-end networks with secure architecture, such as network perimeter protection, network zoning, traffic separation, certificate management, secure network topologies, secure operations and maintenance, etc.
  • preventing and detecting compromised credentials and advanced attacks with single-sign-on, privileged identity management, user behavior analytics and compliance logging capabilities
  • security orchestration and management of virtualization
  • continuous auditing and monitoring of security configurations to manage a frequently changing, evolving and growing 5G environment
Recommendations for 5G risk mitigation toolbox

RECOMMENDATIONS FOR 5G RISK MITIGATION TOOLBOX
1. Encourage the use of 3GPP
• Encourage the use and appropriate configuration of security functions specified by 3GPP
• To get the full benefits, this would require an active role from operators and enterprises using 5G, as it is not something 5G vendors can do alone
• Regulators could demand that operators conduct a risk assessment if some 3GPP security measures are not taken into use

RECOMMENDATIONS FOR 5G RISK MITIGATION TOOLBOX
2. Encourage implementation of additional security solutions
• Holistic security orchestration and management combined with automated, intelligent security controls to cope with the complexity of large networks
• Multi-vendor identity and access management system that provides single-sign-on with privileged identity management, user-behavior analytics and compliance-logging capabilities to manage the risk of compromised credentials
• Vulnerability management that covers identifying and fixing the vulnerabilities of 5G products and also ensures that the remediation actions get implemented in operators’ networks within a reasonable timeframe
• Monitoring the performance and events of security functions
• Continuous security audit and monitoring of the security configurations
• Incident detection and response processes, technologies and organizations to identify and take necessary actions in case of cybersecurity events

RECOMMENDATIONS FOR 5G RISK MITIGATION TOOLBOX
3. Security life-cycle certification
• Consider a security life-cycle evaluation to establish a cybersecurity baseline for all players, including processes of design, building, deploying and maintaining products
• Ensures that security is central to all stages of product design and development up to delivery
• From a security point of view, this approach facilitates faster remediation of security faults
• Possible certification could be conducted by licensed third-party auditors
• Recommendation is to use the GSMA Network Element Security Assurance Scheme (NESAS) instead of a new scheme or product-based certification
  • Product-based certification can be lengthy, costly and effort-intensive.
  • Products that have to undergo individual certification can be ‘obsolete’ by the time they are certified.
  • A vulnerability that is found the day after certification effectively nullifies any claim by a certificate that the product is ‘secure’.
  • Regions with less strict certifications may gain market advantage due to faster and more agile deployments.
  • Potentially a market barrier to start-ups, smaller players and even large vendors. Budgets that could otherwise be available to implement new security innovation and improvements can be expended on certification costs.
• If necessary, an advanced product-based evaluation is recommended only for critical elements which have a greater threat exposure and severe impact when successfully attacked.
RECOMMENDATIONS FOR 5G RISK MITIGATION TOOLBOX
4. Assessment of non-technical factors

• Non-technical factors should be in the scope of the toolbox to address insider and geopolitical threats
• The assessment of non-technical factors of the 5G stakeholders should:
  • be based on a set of objective criteria,
  • be conducted in an impartial way,
  • be conducted by a competent authority with adequate capabilities and access to necessary information,
  • coordination, including information sharing with EC and between Member States, should be ensured, and
  • harmonization across the EU is necessary to ensure proper functioning of the digital single market.

Global mobile Suppliers Association

The Industry Voice of the Global Mobile Ecosystem

https://gsacom.com
