5g and the future of security in ict -...
TRANSCRIPT
5G and the Future of Security in ICT
David Soldani Huawei Technologies
Australia [email protected]
Abstract—This work analyzes the most significant root cause
categories of Telecoms security incidents over the recent years,
prominent initiatives to mitigate the identified cyber security
threats and associated risks, and joint efforts on cyber security standards and certification frameworks, ongoing globally. The
benefits of 5G requirements, technologies, new threat landscape,
system assets and security control zone, and enhanced solutions
to product, deployment and operation, and application security
are then presented. Reduction of national dependency on any
one supplier – irrespective of its country of origin – and a more
competitive, sustainable and diverse Telecoms supply chain,
along with proper risk mitigation and transparency measures is the most effective solution to 5G, and beyond, cyber security.
Keywords—AI, 5G, ICT, Mobile, Security, Cyber Security
I. INTRODUCTION
As a variety of industries go digital, cyber security risks are increasing. The rising number of mobile connections is creating a much larger attack surface (security control zone) for every network. The increasing adoption of cloud platforms means that the geographical and legal boundaries are being expanded for cyber security. The Internet of Things (IoT), Industrial IoT (IIoT), Artificial Intelligence (AI) and big data help us create and deliver much more value than ever before, but the risk of data breaches is also rising [1]-[3].
In May 2019, the European Union Agency for Network and Information Security (ENISA) published the analysis of the incident reports that the organization had been collecting and aggregating since 2012, see [4] and Fig. 1:
• System failures are the most common root cause, roughly two thirds every year (68% of the total). For this root cause category, over the last 7 years, the most common causes were hardware failures (36%) and software bugs (29%).
• Human errors is the second most common root cause over the 7 years of reporting with nearly a fifth of total incidents (17%, 162 incidents in total).
• Natural phenomena come third at just under a tenth of total incidents (9%, 89 incidents in total).
• Malicious actions are only 4% of the categorized incidents actions. In 2012-2018, two thirds of the malicious actions consist of Denial of Service (DoS) attacks and the rest are mainly damage to physical infrastructure.
Also, as recently reported by the UK’s National Cyber Security Centre (NCSC), in the most significant cyber security incidents the UK NCSC has managed since it was set up, the “country of origin” of suppliers has not featured among the main causes for concern in how these attacks are carried out. The techniques were looking for weaknesses in how networks were architected and how they were run [5], and 90% of the significant security incidents are system failure [6].
Fig. 1. Root cause categories Telecom security incidents in the EU –
reported over 2012-2018 (included) [4].
From these findings, a few things become immediately clear. Firstly, it is clear that system failure and human error constitute the greatest risk, and that should be the focus of risk evaluation. Secondly, the potential risks inherent to any given product should be evaluated based on key factors that have a material effect on security, e.g.: product security architecture, security mechanisms, and security features, irrespective of the country of origin of the corresponding suppliers [2].
High risk threats may be from trusted insiders and/or external organizations that may seek to exploit weaknesses in Telecoms service equipment, and/or in how operators build and run their networks, in order to compromise security [7]. When dealing with cyber security threats, not only their technical nature but also specific to their political nature, economic or other behavior of malicious actors which seek to exploit our dependency on communication and information technologies (ICT) should be taken into account [8].
However, the “flag of origin” for Telecoms equipment is not the critical element in determining cyber security. See conclusions drawn in [9] and [10] for more information.
The EU coordinated action on 5G security risk assessment has drawn the following conclusions based on capabilities (resources) and intention/attempt (motivation) [11]:
• Integrity and availability of 5G is the major concern, on top of the existing confidentiality and privacy requirements.
• Core Network Functions (5G Core), Network Functions Virtualization (NFV), and Management and Orchestration (MANO) are the most critical 5G assets.
• In the Telecoms supply chain, the dependency on any one supplier – lack of diversity in equipment or solutions used both within individual networks and nationally – is the most important identified vulnerability, because it reduces the 5G system resiliency, disincentivizes investments, increases the likelihood of a) systemic failure, b) hostile exploitation and c) business continuity risks.
Telecoms supply chain includes the design, manufacture, delivery, deployment, support and decommissioning of equipment (hardware and software) or services utilized within
an organizations cyber ecosystem. Supply chain must consider the whole life of an ICT product or service in an organization.
Threat to the supply chain is not limited to extrajudicial influence. Foreign interference is not just related to a vendor’s country of origin. As the case studies demonstrate, it is usually much simpler to compromise another product or service in the supply chain without lawful interference, in order to achieve the required outcome [12].
In Europe, including the UK, the above findings will lead to the definition of a “toolbox” of appropriate, effective and proportionate risk management measures to mitigate cyber security risks; the setting up of an European cyber security certification framework, which enables the creation of tailored and risk-based certification schemes, in collaboration with the industry; and to the development of industrial capacity for laboratory testing, conformity evaluation, etc. [13]-[15].
The German rules [16] came after the EU report on 5G networks by state-backed actors had been published. Network operators would be required to identify and apply enhanced security standards to critical network elements. More broadly, vendors should be certified as trustworthy, giving customers the possibility of legal recourse to exclude them and seek damages if proof was found that equipment had been used for spying or sabotage. Certification of critical equipment would have to be obtained from Germany’s cybersecurity authority, the Federal Office for Information Security (BSI) [17].
This is aligned with the conclusions drawn by the 5 Eyes in London, on July 29-30th 2019 [18], i.e.:
• Ensure supply chains are trusted and reliable to protect networks from unauthorized access or interference.
• Rigorous risk-based evaluation of a range of factors which may include, but not be limited to, control by foreign governments.
• Evidence-based risk assessment to support the implemen-tation of agreed-upon principles for setting international standards for securing cyber networks.
Governments are expected to collaborate with key private sectors players – for each critical infrastructure (CI) sector – recommend best practices for key providers and suppliers, particularly Telecoms operators and equipment vendors, for risk related to ICT, generally, 5G, IoT, IIoT and AI risk. First identify requirements, both those capable of being addressed now, and those that are priorities for R&D, and provide solutions to achieve different levels of security within a carrier network, which should be built to be resilient to any attack, such that no single action could disable the system. In [9]-[11], this can be best achieved by diversifying suppliers:
• Reducing over-dependence from a single vendor. The 5G network should not be dependent on just one vendor, as this would render it less resilient.
• Increasing the level of competition. Requiring operators to use equipment from more than one vendor increases competition between those vendors, which will force them to improve their security standards for each key node.
Governments, in collaboration with private parties, should play a fundamental role in raising the bar on cyber security standards, together with objective conformance programs and disclosure requirements of conformance [19]-[22].
II. EU CERTIFICATION FRAMEWORK
Following the entry into force of the EU Cybersecurity Act [15], the European Commission (EC) and the EU Agency for Cybersecurity (ENISA) will set up an EU-wide certification framework for ICT digital products, services and processes, in collaboration with the industry. The European cybersecurity certification framework enables the creation of tailored and risk-based EU certification schemes.
Certification plays a critical role in increasing trust and security in products and services that are crucial for the Digital Single Market. The certification framework will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. This will be based on agreement at EU level for the evaluation of the security properties of a specific ICT-based product or service e.g. smart cards. It will attest that ICT products and services which have been certified in accordance with such a scheme comply with specified requirements. In particular, each EU scheme will specify:
• The categories of products and services covered.
• The cybersecurity requirements, for example by reference to standards or technical specifications.
• The type of evaluation (e.g. self-assessment or third party evaluation).
• The intended level of assurance (e.g. basic, substantial and/or high).
To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are commensurate with the level of the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. The resulting certificate will be recognized in all EU Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.
At the time of writing the industry is actively contributing to integrate 3GPP SeCurity Assurance Specifications (SCAS) [23] and Network Equipment Security Assurance Scheme (NESAS) [24] certification and accreditation frameworks with the upcoming EU toolbox and new Certification Schemes. The 3GPP SCAS – GSMA NESAS assurance schemes are exemplified in Fig. 2.
Fig. 2. Network Equipment Security Assurance Scheme [23], [24].
NESAS: Network Equipment Security Assurance Scheme
Drive
NESAS/SCAS
to become
mature
international
standards
Gain
regulators'
recognition on
NESAS/SCAS
NESAS/SCAS are authoritative
security standards built by
3GPP/GSMA for the
communication industry
Engage more
industry
partners
including
labs/auditing
companies
3GPP / SCAS Product security testing
GSMA / NESAS Audits of product
development and
lifecycle processes
• NESAS officially released in August 2019
• 5G SCAS specifications completed in Q3 of 2019
Security Assurance Specs
Security Assurance Methodology
Security Assurance Standards Package
III. 5G STAKEHOLDERS
Stakeholders will play different roles in the 5G ecosystem. Among other things, these entities will be responsible for assuring the security of the network at different levels and in separate layers. In [25], their role is being characterized by the ownership, responsibility and relationships to the 5G assets described in Section IV. The following list present a short indicative note for each entity and its role:
• Internet Exchange Points (IXPs): Data network providers play an important role in 5G, as they support the end-to-end throughput of the data traffic.
• National Regulators (NRAs): Regulators will be asked to regulate various areas of the 5G infrastructure (frequencies, identifiers, traffic laws, etc.).
• Information sharing and analysis centers (ISACs): ISACs will have to collect and share 5G related intelligence. This can be achieved either by means of existing ISACs and/or specific 5G ISACs.
• National cybersecurity coordinators, agencies, and centers (NCSCs): Existing cybersecurity centers need to engage in 5G infrastructure matters in order to evaluate and scrutinize major risks at national level, emanating from 5G infra-structure deployments.
• National 5G Test Centers (NTCs): The creation of national 5G test centers has been taken forward in some Member States in EU, in order to assess the quality and security of 5G solutions. It is expected that this trend will lead to the creation of such facilities in multiple countries, globally.
• National Certification Authorities (NCAs): Given the fact that certification is a major security control to be implemented for 5G components, it is expected that various players will be active in definition and implementation of national 5G certification and accreditation schemes.
• Government competent institutions and services: These entities will play a significant role in the coordination of national activities, standardization work, research projects and policy initiatives.
In different roles, the entities mentioned above may have different levels of concern regarding 5G assets, among other things carrying responsibility for the risk mitigation affecting those assets. The stakeholders must develop strategies that, independently or co-responsibly, allow reduction of exposure to cyber threats, as further explained in Section V.
IV. 5G NETWORKS
The following sections present the most important 5G use cases, related technical requirements, architecture, assets and threats, and 5G inherited and improved security features.
A. Use Cases and Requirements
The description of the network design and architecture is started by explaining the different Use Cases defined for 5G Networks. The three sets of Use Cases are as follows [26]:
• Enhanced Mobile Broadband (eMBB): It will be the first commercial 5G service, globally, enabling faster and more reliable downloads (minimum of 20Gbps for downlink and 10Gbps for uplink).
• Ultra-Reliable Low Latency Communication (URLLC). It is designed to support businesses on mission critical
communication scenarios, such as emergency situations, autonomous systems operations, among others.
• Massive Machine Type Communications (mMTC): It is for scalable and efficient connectivity for a massive number of devices sending very short packets (minimum requirement for connection density of 1,000,000 devices per km2).
Multiple deployment scenarios for eMBB, URLLC and mMTC can be envisioned in future implementations of this technology. Some of these future scenarios are illustrated in Fig. 3. The New Radio (NR) Light is a feature of 3GPP R17.
B. 5G Architecture Evolution
The initial 5G deployment option and network architecture evolution are depicted in Fig. 4 [26] and Fig. 5 [27]:
• 3GPP Option 3x (Non Standalone (NSA) LTE plus NR with EPC) is the initial configuration mostly adopted by carriers, due to minor investments in their initial 5G deployments.
• 3GPP Option 2 (SA NR with 5GC) is expected initially to be adopted by only a few of the network operators globally.
In the long run, 5G SA will support all scenarios (eMBB, URLLC, mMTC), plus other functionalities than Option 3x, such as Network Slicing and Voice over NR (VoNR). Finally, all networks will converge to a 3GPP SA Option 2 architecture configuration (SA NR with 5GC), and the a smooth transition from LTE to 5G, without the need for spectrum refarming, will be enabled by spectrum sharing principles embedded into the 5G NR standard [26].
Fig. 3. 5G requirements and 3GPP roadmap from Release 14 to 17 [26].
Fig. 4. 5G architecture evolution and usage scenarios [26].
Fig. 5. Huawei 5G physical infrastrucrture at minimal cost/bit/km [27].
eMTC (IoT) NR-Light (IIoT)
Low Latency
Coverage
Battery
Life
Reliability
Peak Data
RateCost
2017 2018 2019 2020
NB-IoT
eMTC
eMBB
URLLC
NR-Light
URLLC (Robotic platforms)eMBB (Consumers)NB-IoT
S1-C S1-U
eNB gNBX2
EPC
5G NSA
5G UE
5G Wireless
base station
4G Core
Network
4G Wireless
base station
NGC
NG-C NG-U
5G SA
5G Core
Network
gNB
5G Wireless
base station
5G UE
• Basis for eMBB Service • Enhancement for URLLC services
Rel-15 Rel-16 Rel-17+
NSA: Non-standalone SA: Standalone eMBB: enhanced Mobile Broadband URLLC: Ultra-Reliable and Low-Latency Communications mMTC: massive Machine-Type Communications
5G future usage
Operator Third party
Specific area
Remote Driving Power Distribution Control Smart Factory
• Enhancement for mMTC services
Slicing as a Service + Agile Operation + Superior New Experiences
DCN
BackboneMetro Central DC
ODN
100G 200/400G
Gbps User Experience
Edge DC/MEC
10G PON OLTOTN200/400G/λ
IP
SR/EVPN
5G Microwave: 10-20 Gbps
Gbps 5G UE
GE-10GE LL
Giga to Home
4K IP Camera
100Mbps UL ……
10Gbps/Sector
EGW
10G PON ONT
Access Ring
WiFi 6: 1+ Gbps
50G Ring10Gbps to Site
5G Core
User Plane5G Core
CP/UP
10G Site/GW 50G Access Ring 100G UL Edge DC 200G/400G Metro/Backbone Ring 200/400G DCI
Segment Routing (SR/SRv6): Up to 80% network utilization
Access Backhaul Edge Metro/Backbone Central
C. 5G Assests and Threats
An asset is anything that has value to an individual or to an organization and therefore requires protection. In a typical 5G system, assets can be [25]:
• Hardware, software and communication components.
• Communication links between them.
• Data that control the function of the system, are produced and/or consumed by it, or flow within it.
• The physical and organizational infrastructure within which the 5G system is deployed.
• The human agents who interact with the system and may affect its operation (e.g., users, system administrators etc.).
Due to its value, a digital asset becomes a target for threat agents. Threat agents are human or software agents, which may wish to abuse, compromise and/or damage assets. Threat agents may perform attacks, which create threats that pose risks to assets.
Table I and Fig.6 give an overview of 5G assets (UE, air interface, gNB (base station, or BTS), transport, Multi-Access Edge Computing (MEC), 5G and O&M) and possible threats. In [25], ENISA published a preliminary assessment of their importance by taking into account the role of assets in maintaining the security-related properties of Confidentiality, Integrity and Availability (commonly known as CIA triad). The emphasis was given to asset groups responsible for maintaining the overall security and availability of the 5G infrastructure and that are known targets of cyber-attacks.
TABLE I. EXAMPLE OF 5G ASSETS AND THREATS
Assets Treats
UE
(eMBB, URLLC, mMTC)
Malware, cloning, bot hijacking, rough BTS, protocol downgrade, FW/HW/SW (supply chain) poisoning, IMSI catching
Air interface
(eMBB, URLLC, mMTC)
Eavesdropping, impersonation, data tampering, jamming, rough BTS, SON attack
gNB
(New Radio, CU/DU Split, eCPRI)
Tampered SW/HW, unauthorized access, data leakage, RAN DDoS (From UE)
Transport
(Optical, microwave, SDN)
Tampering, eavesdropping, protocol modification, protocol downgrade, SDN threats
MEC
(NFV, COTS, UPF)
Untrusted 3rd APP, DDoS UPF, malware, virtualization attacks, App layer attacks, API Attacks
5G Core
(User data, OS/software, O&M data)
NFV-based attacks, roaming (fraud, abuse), roaming protocol attacks, (SS7-like attacks), malicious AF/VNF, unauthorized access, data tempering, eavesdropping, DDOS, OSS/5GC attacks
O&M
Hardware, OSS & EMS software, O&M data
O&M Threats, unauthorized access, data leakage, malware, API attacks, OSS services integration
Fig. 6. 5G assets and related threats [27].
The relevance of the identified asset groups, with regard to the CIA triad, showed that the role of network functions virtualization (NFV), network management and orchestration (MANO), 5G core (5GC) and software defined networking (SDN) are the most crucial asset categories for maintaining the CIA security properties [25].
D. 5G Security Architecture
The 5G security architecture consists of various network functions, protocols and components that are responsible for securing end-to-end communications [23].
In particular, security functions are securing the access of users within the Radio Access Network (RAN), they cover security functions in the Core Network (5GC) and perimeter entities (Edge Computing) and they provide security functions in network functions virtualization. Also, a set of elements is covering security management functions, audit and analytics.
The detailed structure of the 5G security architecture is shown in Fig. 7. In particular, the most important 3GPP 5G security mechanisms are [23], [25]-[27]:
• UE access control: Bidirectional authentication performed between the UE and the network to prevent the existence of rogue base stations.
• Confidentiality and integrity of the air interface: Encryption algorithm that uses a 256-bit key; Subscription Concealed Identifier (SUCI) as home network identifier and encrypted Mobile Subscriber Identity Number (MSIN) to protect user privacy; and integrity protection is added to the user plane.
• Security between 3GPP Network Elements (NEs): IPsec is used between 3GPP NEs to ensure information security; Security Edge Protection Proxy (SEPP) is located between HPLMN and VPLMN; and HTTPS is used between isolated 5GC service functions.
Fig. 7. 5G network security architecture: (I) Network access security, (II)
network domain security, (III) user domain security, (IV) application
domain security, (V) service domain security [23].
RAN
Core
network
MECInternet
Operator's
network
EMS
External network
SeGW
SeGW
VPN
Firewall Bastion host
Firewall
1
Lawful
interception GW
UE
1
2
2
3
4
4
5
5
Radio interface
Internet
Network roaming
Extranet access
Lawful interception
Between NEs
Intra-NE module
O&M
6 87
106 7
8
9 11
1312 14
Intr
a-d
om
ain
thre
at
Inte
r-dom
ain
thre
at
910
10
12 13 14
Other CT
Networks
3
Firewall
Firewall
(I) Network access security, (II) network domain security, (III) user domain
security, (IV) application domain security, (V) service domain security
User Application Provider Application
SN
HE
3GPP AN
Non-3GPP AN
(I) (I)
(I)
(II)
(IV)
(V)
ApplicationStratum
Home Stratum/Serving Stratum
Transport Stratum
(II)
(I)
(III)
(I)
ME USIM
(I)
UE RAN Core network
5GC DN
UDMAMF
UPF
SMF
AUSF
E. 5G Security Deployment
An example of 5G deployment scenarios using NSA and NSA/SA architecture configurations is depicted in Fig. 5 and Fig. 6. All network domains, except specific RAN functions, may run on cloud infrastructures. The hardware at the far edge hosts the central and distributed (CU&DU BBU) functions. This is the area where active/passive antenna systems, radio remote (RRU) and baseband (BBU) units may be deployed.
The edge and regional cloud, hosting the CN, application server and MEC functions, are separated from the far edge zone, i.e. the RAN, by the standardized NSA RAN (S1) or SA RAN (NG, i.e. N2 and N3) interface, which guarantees a clear logical and physical isolation of radio access equipment from core network elements.
Inter-domain interfaces (radio, Internet, network roaming, extranet access network and lawful interception) and intra-domain interfaces (between NEs, intra-NE modules and O&M) and equipment are protected using a security gateways (SeGW), e.g. IPSec tunnels (IPSec encryption and verification ensure the confidentiality and integrity of data transmission; IPSec authentication safeguards data source authenticity), and firewalls for access control. The application layer ensures the security of services [27].
The Element Management System (EMS) is connected to RAN elements and to handle Performance Management (PM), Fault Management (FM), Configuration Management (CM), Inventory Management (IM) and Software Management (SM) data of its subordinate equipment.
Network operators have full control of the access to the 5G RAN EMS (e.g. firewall and security control systems such as Citrix Systems, as currently used with 4G, which may provide port filtering and monitoring).
The 5G RAN EMS manages RAN elements through its proprietary South-Bound Interface (SBI), which is currently not standardized by the 3GPP. Similarly, a third-party EMS cannot be used for handling supplier specific RAN hardware and software solution. The 5G RAN EMS can be installed and functions only on dedicated vendor-provided hardware [27].
It’s the carriers’ responsibility to ensure network security. For example: management plane, control plane and user plane must be isolated; in all nodes, security features of different interfaces must be enabled for encrypting data transmission between peer entities; unused ports must be shut down; and EMS rights strictly controlled and restricted. Furthermore, as depicted in Fig. 6, carriers may deploy a third-party Bastion host between the Operation and Maintenance (O&M) desktop and EMS, to access the EMS. The Bastion host supports, but is not limited to: identity management and authentication; authorization based on users; target hosts and time segments; transparent real-time monitoring; complete operation of the entire process; complete session audit and playback [27].
A comprehensive security portfolio for 5G to cope with the presented threats in alignment with the IPDRR NIST best practice – Identify, Protect, Detect, Respond, and Recover for network resiliency – is depicted in Fig. 8. More information thereof may be found in [28].
Fig. 8. Example of comprehensive security portfolio for 5G [27].
V. 5G SECURITY STRATEGIES
In different roles, the entities introduced in Section III should have different levels of concern regarding 5G assets, among other things carrying responsibility for risk mitigation affecting those assets.
Stakeholders must develop strategies that, independently or co-responsibly, allow reduction of exposure to cyber threats [25]. In short, as illustrated in Fig. 9 [29]:
• Suppliers must prioritized cyber security sufficiently (e.g. respect laws, regulations, standards, certify their products, and ensure quality in their supply chains).
• Telecoms operators are responsible for assessing risks and taking appropriate measures to ensure compliance, security and resilience of their networks.
• Service providers and customers are responsible for the implementation, deployment, support and activation of all appropriate security mechanisms of service applications.
• Regulators are responsible for guaranteeing operators take appropriate measures to safeguard the general security and resilience of their networks and services.
• Governments have the responsibility of taking the necessary measures to ensure the protection of the national security interests and the enforcement of conformance programs and independent product testing and certification.
• Standardization development organizations (SDO) ensure that there are proper specifications/standards for security assurance and best practices in place. An example of list of industry frameworks and standards for public transportation networks is shown in Fig. 10.
All stakeholders should work together to promote security and resilience of critical infrastructures, systems, and devices. Sharing experience and best practices following investigation, mitigation, response, and recovery from network attacks, compromises or disruptions should be promoted as well [29].
Communication networks and services should be designed with resilience and security in mind. They should be built and maintained using international, open and consensus-based standards, and risk-informed cybersecurity best practices [8].
Cloud Infra. Threats
• Compute
• Storage
• Network
• CloudOS
3GPP definition Enhanced by Huawei
RAN Threats
• User Data Leakage
• DDoS Attack
Common Threats
• Illegal Access
• Malicious Software
• Data Tamper/Leakage
• DDoS Attack
• O&M Security Threat
5GC Threats
• SBA
• Roaming
• Network Slice
• MEC
3-plane Isolation
Built-in firewall
Authentication
Transport Security Malicious Signaling Detect
DDoS Detect (Overload)
Slice resource isolation KPIs monitoring
Slice authentication
Access Authentication Service security auditService access
authorization
Slice key
Topology hiding
Signaling audit
Application layer security
Air Interface Encryption & Integrity Protection
Digital Signature, Secure Boot and DIM
Hardware RoT and HSM Anonymization
IPsec TLS//SSH
Slice resource reserve
Communication
encryption
Target
encryption
Software
security
E2E Data lifecycle
Security Protection
VNF/Application
hardening
Automatic security policy
Vulnerabilities Management
Intrusion detection
big data security and correlation analysis
Multi-layer Isolation
MechanismsSystem hardening
ACL blocking
VM migration
VM rebuilding
Periodic VM restoration
Blacklist and whitelist
Access control
Flow control
Network isolation
Remote attestation
Configuration correction
Account disabling
Patch/upgrade
Port disable
Configuration rollback
Data recovery
Identify Protect DetectRespond/
Recover
Resiliency Detect and Respond
Fig. 9. 5G security: a shared responsibility between stakeholders [29].
Fig. 10. Example of list of industry frameworks and standards.
Laws and policies governing networks and connectivity services should be guided by the principles of transparency and equitability, taking into account the global economy and interoperable rules, with sufficient oversight and respect for the rule of law. Also, we need open and transparent assurance against backdoors and ability of any country to force any company to turn over sensitive data, as bad guys can hack through anyone [8].
Government and regulator, in consultation with industry, should establish a comprehensive set of security and resilience requirements for 5G systems and full fiber networks. These requirements should be crystal clear, targeted and actionable, providing clarity to industry on what is expected from them. The adoption of the requirements by operators (and through them, suppliers) will mitigate network security and resilience risks, and ensure protection of national security interests [7].
By raising the security bar, new Telecoms sector security reforms should make sure there are recognized standards with conformance programs to guarantee that there is compliance. Suppliers that cannot meet these requirements should be excluded from tenders. That will increase the market demand for those vendors who place a high value on security.
Once specified what vendors should do, the government should make that a requirement and have a program in place to make sure they keep it up or they are hurt or cut out. Given the global nature of Telecoms, there is also an opportunity for regulatory alignment with Europe and UK to sharpen the security incentives in these markets [7].
Measures to equalize cyber security standards across vendors should make it harder for a vendor to enjoy competitive advantage at the expense of security. Moreover, operators should be required to demonstrate to the regulator and government that they have in place a comprehensive risk management and monitoring program consistent with agreed-
upon standards and other requirements, and that they have put in place appropriate architectural controls and other measures to address identified risks in their supply chain, irrespective of the country of origin (label) of the deployed equipment [7].
Another critical way of applying the new security reforms should be through effective assurance testing and ongoing management of vendor equipment. Operators should work closely with vendors – supported by national cybersecurity coordinators, agencies, and/or centers – to ensure:
i) A robust security development lifecycle process.
ii) Effective security assurance in the context of that specific operator’s deployment of designated equipment, systems and software.
iii) Ongoing verification arrangements to make sure that security requirements are met.
It is clear that operators should prioritize greater security assurance and whole-of-life costing in their vendor base and the new security reforms will help to drive that. When taken together, these measures will create a robust and risk-based security regime for telecoms that will improve how the market works, without banning a carrier from accessing the best 5G technology. This new framework will allow the government to respond to threats, risks and technology changes, including strengthening the controls if needed in the future [29].
Furthermore, the government should establish equivalent cyber security evaluation centers for all 5G vendors in their country, especially the ones supplying core networks [9], [10].
The UK has taken the lead in network assurance with the creation of the Huawei Cyber Security Evaluation Centre (HCSEC) in Banbury, Gloucestershire. This evaluation center has established itself as a world-class source code evaluation facility, which inspects the network products used in the UK infrastructure and ensures there is no malicious code. No malicious code or backdoors have been found on any product at this center, providing substantial evidence that there is no latent threat of state-sponsored attack from using non-UK equipment. The center has been instrumental in providing guidance to Huawei on continuous improvement in its products, and also in its technical development strategy. However, this is a point-in-time evaluation and does not cover the full lifecycle of the technologies.
Other centers – mirroring the Huawei Independent Cyber Security Lab (ICSL) in China, where all products are verified before commercialization independently from the tests run by the corresponding product lines – have been opened in UAE, Belgium, Canada, and Germany, see Fig. 11. E.g. the center in Brussels is for communication, innovation and verification.
Currently, there is a strong need for a unified approach to providing security evaluation and assurance of Telecoms infrastructure and systems throughout the offering lifecycle. Independent passive monitoring of Telecoms infrastructure and systems is required to assure that the infrastructure and systems are configured, installed, maintained and operating as expected [27].
The deep inspection of information that is collected utilizing a passive system, which does not adversely affect nor have the potential to alter the operation of network operator infrastructure or systems, provides a new approach to assuring that telecommunications infrastructure and systems are secure and operating as expected [27].
Product Security
Vendor
Delivery
Deployment & Operation Security
Operators
8K
Service Provider & Customers
Standard OrganizationsDefine requirement & standard
scheme
GovernmentDevelop legislation and
regulations
Implement E2E security
supervision
Application Security
Eco
Sec
Eco
Sec
E2E Supply Chain Risk Management
E2E Su
pp
ly Ch
ain R
isk Man
agemen
t
Fig. 11. Examples of Huawei cybersecurity test centres.
This capability to reduce the risk of inadvertent, foreign or criminal interference with critical Telecoms infrastructure and systems is required, as there is an increasing dependence on telecommunications by government, business and industry.
VI. CONCLUSIONS
To improve the security of business and communities and, at the same time, ensure the future prosperity of a country, the government should:
1. Reduce the risk of national over-dependency on any one supplier, irrespective of its country of origin, to improve 5G and fiber networks resilience.
2. Ensure a much more competitive, sustainable and diverse Telecoms supply chain, in order to drive higher quality, innovation, and, especially, incentivize more investments in cyber security.
3. Define network security and resilience requirements on 5G and fiber networks; contribute to unified standards; identify toolbox of appropriate, effective risk mitigation measures; and impose tailored and risk based certification schemes.
4. Ensure that there are conformance programs in place and independent product testing for equipment, systems and software, and support specific evaluation arrangements. (The assessment and evaluation of products and solutions from different vendors shall be the same, as their supply chain has the same level of risk.)
5. Develop national industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc., looking at end-to-end cyber security system assurance; new architecture and business models; tools for risk mitigation and transparency, and greater interoperability and more open interfaces; and share results, in closed loop (3.)
New developments in all cloud, AI, IoT, and software-defined everything are posing unprecedented challenges to the cyber security of ICT infrastructure. The lack of consensus on cyber security, technical standards, verification systems, and legislative support further exacerbates these challenges.
Safeguarding cyber security is considered to be a responsibility held by all industry players and society as a whole. Growing security risks are significant threats to future digital society.
To address these challenges, for example, Huawei has opened a Cyber Security Transparency Centre (HCSTC) in
Brussels, aiming to offer government agencies, technical experts, industry associations, and standards organizations a platform, where they can communicate and collaborate to balance out security and development in the digital era [30].
Huawei is willing to collaborate with governments, security agencies, cyber security centers and other relevant public and private organizations to embed trust in all business processes, Telecoms supply chain, and enhance cybersecurity through research and innovation at global scale.
Trustworthy equipment (all supply chain), resilient system and verification shall be all based on standards. This must be a collaborative effort between private (Industry, SME, and Research) and public (Policy Makers, Regulators) parties, as no single vendor, operator or government can do it alone.
ACKNOWLEDGMENT
The author would like to acknowledge the support and contributions of the Huawei Global Cybersecurity and Privacy Protection Organization (GSPO), Huawei Australia and New Zealand Representative Offices.
REFERENCES
[1] https://www.auscert.org.au/resources/security-bulletins/
[2] Huawei, “Position Paper on Cyber Security,” white paper, Sept. 2019.
[3] Huawei, “AI security,” white paper, Oct. 2018.
[4] EU Cybersecurity Agency (ENISA), “Annual report telecom security
incidents 2018,” May 2019.
[5] https://www.ncsc.gov.uk/speech/ciaran-martins-cybersec-speech-brussels
[6] Ofcom, “Connected Nations 2018,” report, Dec. 2018.
[7] UK Department for Digital, Culture, Media & Sport, “UK Telecoms supply chain review report,” July 2019.
[8] The Prague Proposals, “The chairman statement on cyber security of communication networks in a globally digitalized world,” Prague 5G
Security Conference, May 2019.
[9] The Intelligence and Security Committee of Parliament, “Statement on 5G suppliers,” July 2019.
[10] The Science and Technology Select Committee, “Letter to the Secretary of State for Digital, Culture, Media and Sport about Huawei’s
involvement in the UK’s 5G network,” July 2019.
[11] European Commission (EC), “EU coordinated risk assessment 5G cybersecurity,” October 09th 2019.
[12] Australian Signals Directorate (ASD), “Cyber supply chain risk management – practitioners guide,” Australian Cyber Security Centre
(ACSC) guide, July 2019.
[13] European Commission (EC), “Commission recommendation – Cyber security of 5G networks,” Mar. 2019.
[14] European Commission (EC), “ENISA and cybersecurity certification framework,” EU Cybersecurity Act, June 2019.
[15] https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act
[16] https://www.reuters.com/article/us-germany-telecoms-5g/new-german-rules-leave-5g-telecoms-door-open-to-huawei-
idUSKBN1WT110
[17] https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html
[18] http://telecoms.com/498852/five-eyes-align-security-objectives-but-
where-does-this-leave-huawei/
[19] https://www.fastcompany.com/90344450/dont-ban-huawei-do-this-instead
[20] http://www.circleid.com/posts/20191016_lets_have_an_honest_conversation_about_huawei/
[21] https://www.brookings.edu/research/why-5g-requires-new-
approaches-to-cybersecurity/
[22] https://www.innovationaus.com/2019/07/5g-a-decision-that-demands-
scrutiny
[23] https://www.3gpp.org/DynaReport/33-series.htm
Banbury, UK
Brussels, Belgium
Bonn, Germany
Dubai, UAE
Shenzhen,China
Toronto, Canada
Global Hub
Regional Hub
HCSTC Brussels:Communication, Innovation and Verification
[24] https://www.gsma.com/security/network-equipment-security-
assurance-scheme/
[25] ENISA, “Threat landscape for 5G networks - Assessment for the fifth
generation of mobile telecommunications networks (5G),” Nov. 2019.
[26] https://www.3gpp.org/technologies/presentations-white-papers
[27] D. Soldani, M. Shore, J. Mitchell, M. Gregory, “The 4G to 5G network
architecture evolution in Australia,” Australian Journal of Telecoms and Digital Economy, Vol. 6, N. 4, Dec. 2018.
[28] https://nvd.nist.gov/800-53
[29] Huawei, “Submission to the Department of Home Affairs Discussion Paper Australia’s 2020 Cyber Security Strategy,” Nov. 2019.
[30] https://www.huawei.com/en/press-events/news/2019/3/huawei-cyber-
security-transparency-centre-brussels
.