
5G Deployment: Addressing Security Challenges Through Standardization

August 30, 2022

As mobile network operators (MNOs) around the world deploy 5G, communications networks will face new threats and security challenges. Standardization of 5G security is important and gives stakeholders an opportunity to create a common language for risk management communication that supports small and large operators as well as the market as a whole.

Solutions to Security Threats in 5G deployment

Security threats to 5G networks have increased significantly in recent years, as highlighted by both ENISA (European Union Agency for Cybersecurity) and GSMA’s analysis of 5G security. The threat descriptions in these reports provide a common classification, which includes a definition of the threat, how it manifests itself, its impact and how to mitigate it. 

According to ENISA’s annual report on telecom security incidents, in 2020, only 2% of lost user hours could be attributed to actions like physical sabotage of base stations and DDoS attacks—which hardly qualify as advanced threats or network compromises. On the other hand, about 26% of security incidents were the result of human errors. This is consistent with what happened in 2019 (also 26%). In addition, 61% of telecom incidents were system failures—a slight increase compared to 2019 (56%). In 2020, 29% of the incidents were also flagged as third-party failures.

Baseline security controls provide an opportunity to measure the maturity of the security ecosystem. Through these benchmarks, an operator can compare itself to the industry average and a regulator can scrutinize operators in the market. Benchmarks also provide a starting point for assessing internal security maturity against the desired maturity level, and the gaps identified are a useful assessment tool for reaching that level. On this basis, a standardized 5G network security strategy can be built on a common understanding of threats and effective measures, which gives operators and regulators, as well as customers, a degree of confidence that the work undertaken to protect 5G networks is effective and relevant.

Currently, many countries in Europe approach 5G security individually, and in the long run, managing security differently across countries and providers is not an effective solution. This will cause challenges for regulators and operators in different markets. Local operators and regulators have the necessary expertise to assess all security measures, and 5G security and digitization must be built on standardization efforts and industry best practices.

Security controls can be carried out individually or mandated by a regulator, and technical mitigation solutions exist for all identified threats. Furthermore, introducing as many vendors as possible to ensure diversity in an industry with a limited number of options is seen as a key measure to reduce risks. This is because downtime in European mobile networks is largely the result of natural events, software and hardware failures, configuration errors, and power loss. 

How the US Government Plans to Secure 5G Networks

In recent years, cybersecurity has emerged as a major issue for all US federal agencies and, more broadly, for most governments and businesses. The Cybersecurity and Infrastructure Security Agency (CISA) recently released its “5G Security Evaluation Process Investigation Study.”

This document is designed to be a security guide for federal agencies wishing to make use of 5G technologies, ranging from standalone (SA) to multi-access edge computing (MEC) to network slicing. When it comes to standard security, the authors of the paper suggest keeping tabs on the commercial 5G industry, including the 3GPP and the O-RAN Alliance: “Risk managers may be able to identify alternative assessment regimes, such as industry certifications, security assurance programs created by commercial or trade groups, or other best practice assessment frameworks”.

The report is important considering that there has always been a debate among US government officials about how to ensure security and which government agency is best placed to handle the task.

“The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies. As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology,” wrote Eric Goldstein, executive assistant director for cybersecurity, on CISA’s blog.

Conclusion

Changing technology trends have greatly increased the need for fast and reliable 5G networks. The deployment of a secure network requires expertise and special skill sets—thus making security standardization an important consideration for the entire industry.