5G Security Briefing

5G Security Briefing
3G4G.CO.UK Webinar
Dr. Anand R. Prasad & Hans Christian Rudolph
wenovator LLC
March 6, 2021 2021 © wenovator LLC 1

Contents
1. About wenovator
2. 5G Security
• New Challenges
• Standards Enhancements
• Security Assurance
3. Related Topics
• Non-Public Networks
• Open vRAN
4. Key Takeaways

About the Company
• Private company, founded in 2019
• Built around the concept of holistic security
• Specialization: Mobile Networks & related emerging technologies
• Areas of practice
• Security Strategy & Design
• Solution Assessment & Enhancements
• Advisory on Strategic Partnerships

Global Engagement & Contribution
3GPP
• Chairman 3GPP
SA3
• Vice-Chairman
3GPP SA3
• Rapporteurs of
several WIDs &
SIDs
• Key contributors of
4G & 5G security
ETSI
• Contributor &
participant of ETSI
NFV, ETSI TC Cyber
• ETSI Security week
committee member
• Speaker at ETSI
events
IEEE
• Senior Member
• Keynote IEEE 5G
Forum
• IEEE 802.11 and
802.15 contributor
GSMA
• Speaker at GSMA
events including
MWC Barcelona
• Contributors to
GSMA FASG
TSDSI/GISFI
• Member of GISFI
Governing Body
• Member of TSDSI
Governing Council
• Founder &
Chairman of
Security and Green
ICT working
groups, GISFI

What is 5G Security?
That Depends on who you ask
As per public perception:
• Cloud & Edge computing, NFV,
SDN
• Intelligent, AI-enabled security
controls
• Network Slicing
As per 3GPP:
• TS 33.501
• TS 33.310
• TS 33.210
• Security Assurance
Specifications (SCAS)
As usual, the truth lies somewhere in between, but also includes aspects, such as
Secure System Development and Integration, Security Monitoring, Incident Response, etc.

5G – Increased Security Risk
5G mobile networks are subject to increased security risk compared to 4G,
as attack impact, risk exposure, and the ease of exploitation all increase.
Moreover, increased network complexity makes detection more difficult.
Therefore, network operators' security strategy needs to be redesigned.
March 6, 2021 2021 © wenovator LLC
Increased
Attack
Impact
Increased
Network
Exposure
Ease of
Exploitation
Increased
Security
Risk
6

Added complexity and security risk due to high-degree of virtualization and cloud usage
Diverse technology ecosystem renders compliance to industry standards and best practices more important than ever
Customer's expectations require 5G to be more open and interconnected than any previous mobile generation
Diversified service offerings complicates assurance of continuous level of security
Greater functional disaggregation throughout the Radio Access and Core Network
New and untested protocols (e.g. Protocol for Interconnect Security / PRINS)
Heavy use of common web protocols lowers barrier for unexperienced vendors as well as attackers and fraudsters
5G – Security Challenges

3GPP 5G Security Framework
Improvements Across The Board
User Plane
Integrity
Protection
Primary
Authentication
Secondary
Authentication
Increased Home
Control
Enhanced
Subscriber
Privacy
Visibility and
Configurability
Service Based
Architecture
Initial NAS
Message
Protection
5GS – EPS
Interworking
Security
Unified Access-
agnostic
Authentication
PLMN
Interconnect
Security - SEPP
RAN Security –
DU-CU Split
Architcture Enablers
Advancing the Security Concept
to allow both innovation and
backwards compatibility.
Feature Enhancements
5G improves several foundational
security controls to maintain
state-of-the-art protection.
New Security Features
Substancial improvements in terms of
privacy protection and extensibility
make 5G suitable for critical use cases.

Authentication Framework
• Access agnostic
• 3GPP RAN
• Non-3GPP networks (e.g., Wi-Fi)
• Wireline networks
• Algorithm flexibility
• 5G AKA, EAP-AKA'
• Other key generating algorithms of
the EAP framework (e.g., EAP-TLS)
• Improved key hierarchy
• Unified 3GPP/non-3GPP hierarchy
• Decoupled mobility and security
anchors in the serving network
Home
Network
Serving
Network

Subscriber Privacy
• Concealment of Subscription
Permanent Identifiers (SUPI)
• SUPI ciphering into a
Subscription Concealed Identifer
(SUCI) may be performed in
either ME or USIM
• SUCI deciphering on network side
performed by the Subscriber
Identity De-concealing Function
(SIDF), part of the UDM
• 5G further prohibits subscriber
paging by SUPI
SUCI
SUPI Type
Home Network Identifier
Routing Indicator
Protection Scheme
Home Network Public Key ID
Protection Scheme Output

Interconnect Security
Control Plane
• Interconnect signaling has long
been a source for security and
fraud risks for network operators
• 5G introduces Security Edge
Protection Proxy (SEPP) for:
• signaling peer authentication
• message validation (plausibility
checks, configured policies, etc.)
• filtering and rate limiting
• Builds on PRINS or TLS security
User Plane
• Less well-known are GTP attacks,
which too are known to have been
abused in real-world deployments
• For this purpose, 5G includes
Inter PLMN UP Security (IPUPS)
as part of UPF, responsible for:
• filtering malformed messages
• correlating messages to active PDU
sessions based on Tunnel Endpoint
Identifier (TEID)

User Plane Integrity Protection
• Lack of UP IP is one of the few
serious 4G/LTE security flaws
• Practical attacks have been
demonstrated (see alter-
attack.net)
• 5G introduces PDCP protection
policies enabling UP IP
• Optional feature, under control of
the Serving Network operator
• May not be supported by all 5G UE
U
P
I
P

Service-Based Interface Security
• Service Communiction Proxy (SCP)
supports key 5G Core functions:
• Discovery, routing, load-balancing, etc.
• Building Security on the assumption
of Zero Trust is no longer optional
• Enforcing network security best
practices remains essential
• Same goes for protecting REST APIs:
• Restrict data exposure to a minimum
• Explicitly define access token scope
→ see OWASP API Security Top 10

Secure Session Establishment
NAS/RRC Protection
Non-Access Stratum
• Integrity protection for messages
setting up a NAS security context
• Preventing exposure of unsecured
information over the air
Access Stratum
• Ensuring UE security capabilities
are not tampered with over the air
Bid Down Protection
• Anti Bid-Down Between
Architectures (ABBA) parameter
prevents potential for bid down as
new features are introduced

Security Assurance Specifications
• Combined effort of GSMA & 3GPP:
• GSMA specifies Network Equipment
Security Assurance Scheme (NESAS)
• 3GPP compiles technical security
assurance specifications (SCAS)
• Given the geopolitical climate,
increased interest in NESAS/SCAS
• Already covers key 4G/5G NF,
incl:
• General security requirements
• gNB, AMF, UPF, UDM, SMF, AUSF,
NRF, NEF, SEPP

Private Mobile Network
Security

Standards Perspective
Non-Public Networks (NPN) in 3GPP
Public Network Integrated
• Provisioned by a public mobile
network (PLMN) to some degree
• Primary authentication always
performed between UE and PLMN
• Only AKA-based authentication
algorithms may be used
• PLMN Operator controls mobile
identities, RAN and core network
security controls
Standalone
• Completely isolated from PLMNs
• Primary authentication may use
alternative EAP-based algorithms
• Full control of security controls

5G NPNs For Industry 4.0
Distinct
Priorities
Stricter
Thresholds
Higher
Impact
Availability > Integrity > Confidentiality
• More than anything else, industrial settings
demand reliability and timeliness
• Safety = Availability + Integrity + Latency
Deterministic Communication
• 5G is the first wireless standard supporting
Time Sensitive Networking (TSN), enabling
real-time operation & maintenance
Security Flaws turn into Safety Incidents
• For deployment in which machines work
alongside humans or handle hazardous
materials, holistic security is not an option

Private Mobile Networks
Our Perspective & Recommendations
• Industrial verticals first need to
determine requirements on their
connectivity & security
• Based on chosen deployment
model, utilized standard contols
and advance from there
• Operators need to design security
frameworks capable of different
integration models & tech stacks
wenovator.com/private-5g-security
19

Open vRAN

Standards Perspective
Open RAN Enablers in 3GPP
• Functional disaggregation in 5G NR:
• Centralized Unit (CU)
• Distributed Unit (DU)
• Clear separation of User Plane and
Control Plane
• Standard security controls on
distributed RAN interfaces:
• IPsec and/or DTLS on F1-C connecting
DU and CU, E1 connecting CU-CP and
CU-UP, and Xn-C between distinct
gNBs
• IPsec on F1-U between CU and DU and
Xn-U between distinct gNBs
CU-UP CU-CP
DU
RU
gNB
F 1-C
F 1-U
Xn-C
Xn-U
E 1

Shift to an Open Technology Stack
Opportunity for Security Improvements
Mix &
Match Best-
in-Class
Security
More
Attention to
OAM Traffic
Greater
Control for
MNOs
Increased
Network
Visibility
Greater
Automation
Potential

Open vRAN Security
Our Perspective & Recommendations
• Operators should prepare to take
on increased responsibility for
security design & implementation
• Advocate for clear separation of
duties to ensure interoperability
• Vendors need to rethink design
and packaging of their solutions,
allowing them to be integrated
into more diverse ecosystems
wenovator.com/open-vran-security
23

Key Takeaways

Technology Focus Areas
Open vRAN
Technology Liberation
for the Radio Access
Connectivity
(5G,4G,Wi-Fi)
The Next Generation
of Mobile & Fixed
Communication
Internet
Of Things
Creating Intelligent
Distributed Systems
Cloud & Edge
Computing
Distributed Compute
and Storage at the
Network Edge
Private Mobile
Networks
Reliable Wireless
Networking in most
demanding Scenarios
S e c u r i t y S e r v i c e s S p e c t r u m
25

Vicious Cycle of Patchwork Security
Pointwise Fix Leading to Continued Spend
Security
Gap
Technology
Solution
Resource
Shortage
• Companies are faced with
increased technology complexity
• Security market full with products
addressing a specific issues
• Lack of comprehensive security
strategy, quickly renders operating
& maintaining solutions infeasible

How To Do Better
Holistic Approach to Technology Changes
• Business needs, security
requirements, and risk appetite
must be well understood
• Implementing a successful security
concept requires five key activities
• The wenovator proposition is to
help its clients execute technology
transitions correctly from the start
1. Understand
2. Assess
3. Architect
4. Act
5. Protect
27

Takeaways
• With 5G comes increased
footprint, complexity & exposure
• Holistic security considerations
are a must for provisioning
adequate security
• Consistently applying security
best practices is indispensable
• Optimization & automation
becomes quint-essential

Blogs
Books
Specifications
Magazine
Journals
References
wenovator blog posts
wenovator.com/en/blog
Journal of ICT Standardization, River Publishers
journals.riverpublishers.com/index.php/JICTS/index
• 5G non-standard aspects, vol 5 issue 3
• 3GPP 5G specifications, vol 6 issue 1
• 3GPP 5G Phase 2 security, vol 8 issue 1
RSA 2019 Talk: 4G to 5G Evolution: In-Depth Security Perspective
https://youtu.be/DeTASrRYalE
Cybersecurity Magazine
cybersecurity-magazine.com
• Several articles on 5G security and related aspects
3GPP SA3 specifications
3gpp.org/DynaReport/33-series.htm

Contact
107-0062 Tokyo, Minatoku
Minamiaoyama 2-2-15
Win Aoyama 942
wenovator.com
linkedin.com/company/wenovator
twitter.com/wenovator

5G Security Briefing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 5G Security Briefing

Similar to 5G Security Briefing (20)

More from 3G4G

More from 3G4G (20)

Recently uploaded

Recently uploaded (20)

5G Security Briefing