5G Security: Getting the Structure Right As we speak, nearly four hundred operators in 126 countries are investing in 5G, and 92 carriers in 38 countries have already launched one or more 5G services. In little more than six months, China will have more than doubled its number of 5G base stations and will have a staggering 600,000 5G operational nodes. There are already some 36 million 5G end-users in the Chinese market, just one year after 5G spectrum licenses were allocated. In Australia, Telstra has more than 1,500 5G sites on-air across selected areas of 53 Australian cities and towns; Optus has more than 860 5G sites live across Sydney, Melbourne, Perth, Adelaide, Brisbane, Canberra, as well as key areas outside this cities. Looking at 5G ecosystem, by end-July 2020, GSA had identified 364 announced devices, including 162 that are understood to be commercially available. Indeed, the second phase of 5G is currently being finalised in 3GPP, with the Rel-16 version of technical specifications. Also, the features to be included in Rel-17 have been already agreed and scheduled for completion by the end of 2021. The first 5G release (Rel-15) has addressed predominantly the immediate needs of enhancing the mobile broadband experience, but the Rel-16 and Rel-17 take 5G toward the full 5G vision, balancing the needs of mobile broadband operators with expansion into new markets including vertical players. 3GPP Release 16 is the foundation for the Industrial IoT (IIoT). 3GPP Release 17 targets a wider ecosystem expansion, supporting a “New Radio (NR)-light” for IIoT and Consumer IoT, particularly suitable for industrial cameras, high-end wearable, smart grid applications, high-end logistic trackers, and healthcare monitoring. 3GPP has standardized many security improvements with 5G, including: Improved signaling plane and user plane integrity protection; Privacy protection with Subscription Concealed Identifier (SUCI); Device and network mutual authentication with the home network; Use of TLS between 5G Core functions, with option to use DTLS to protect signaling between RAN and Core; Security Edge Protection Proxy (SEPP) for secure roaming Beyond this, 5G supports, among other features: A unified authentication for fixed and wireless access; Security for network slicing management; Authentication and key management for applications (AKMA) based on 3GPP credentials in the 5G System (5GS); Security aspects for Multi-Access Edge Computing (MEC); Security for cellular V2X; Requirements and test cases for security assurance of radio access network (5G RAN), core network (5GC), network data analytics function (NWDAF), interworking function (N3IWF) and service communication proxy (SECOP). Carriers focus on four key topics: MEC Security, network slice security, massive connectivity security, and security management in 5G. Since the 5G network becomes a part of the enterprise infrastructure, the 5G security deployment must extend into the enterprise network. Also, the mobile industry requires a globally trusted and mutually recognized security assurance scheme for 5G network equipment, beyond common criteria, whose scope is limited to information technology (IT), such as the GSMA network element security assurance scheme (NESAS). The NESAS, jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. It defines security requirements based on 3GPP technical specifications and an assessment framework for secure product development and product lifecycle processes; and security evaluation scheme for network equipment, using the 3GPP defined security specifications and test cases, i.e., 3GPP SCAS. The NESAS is widely supported by security authorities (such as ENISA in EU, ANSSI in France and BSI in Germany) and industry organizations, globally. Ericsson, Nokia and Huawei openly support NESAS as a unified cybersecurity certification framework for mobile network equipment, and more than ten operators have requested NESAS compliancy, before deploying 5G equipment in their countries. The NESAS specifications will be further improved by the end of this year to meet the security assurance level in compliance with the EU Cyber Security Act. This will encompass: Penetration Tests, Cryptographic Analysis and Software Engineering, in alignment with the best industry standards and practices. 5G security requires collaboration in terms of standards, devices, and deployment: all parties in the industry chain need to take their own security responsibilities. Stakeholders must develop strategies that, independently or co-responsibly, allow reduction of exposure to cyber threats. In short: Suppliers must prioritized cyber security sufficiently (e.g. respect laws, regulations, and standards, certify their products, and ensure quality in their supply chains). Telecoms operators are responsible for assessing risks and taking appropriate measures to ensure compliance, security and resilience of their networks. Service providers and customers are responsible for the implementation, deployment, support and activation of all appropriate security mechanisms of service applications. Regulators are responsible for guaranteeing operators take appropriate measures to safeguard the general security and resilience of their networks and services. Governments have the responsibility of taking the necessary measures to ensure the protection of the national security interests and the enforcement of conformance programs and independent product testing and certification. Standardization development organizations (SDO) ensure that there are proper specifications/standards for security assurance and best practices in place. All stakeholders should work together to promote security and resilience of critical infrastructures, systems, and devices. Communication networks and services should be designed with resilience and security in mind. They should be built and maintained using international, open and consensus-based standards, and risk-informed cybersecurity best practices. To this end, Huawei develops a 5G intelligent, in-depth, end-to-end security solution that supports standard security, best practices and a number of security enhancements, such as, but not limited to: RAN security, 5GC security, MEC security, Slicing security, massive connectivity security, and security of network and element management and orchestration. Hence, a defense in depth strategy should: Adopt the GSMA NESAS for testing and evaluating telecoms equipment; Enforce certification and accreditation processes against a predetermined set of security standards and policies for security authorization; Establish joint innovation projects aimed at attesting how 5G commercial products can leverage cybersecurity standards and recommended practices for relevant 5G use cases and scenarios, as well as showcase how 5G security features can be properly utilized and continuously improved. For David’s full Telco Global Forum presentation, please click here. Recorded session can be found here.