5G Security: Addressing Risk and Threats of Mobile Network Technologies

© 2021 ISACA. All Rights Reserved. Personal Copy of aderonke oyemade (ISACA ID: 219474)

CONTENTS

Introduction
5G Technology Explained
/ High-Level Comparison of 5G Technology With Previous Cellular Technologies
/ 2G Technology
/ 3G Technology
/ 4G Technology
/ 5G Technology
/ 5G Technology Overview
/ 5G Core Network
/ 5G Radio Access Network (RAN or AN)
/ Network Slicing
5G Security Domains
/ Six Domains
Review of 5G Security Architecture
/ Authentication and Authorization
/ Bidding Down Attack
/ Security Features (Mitigating Controls) for Bidding Down Attack
/ Risk of Exploitation of User Plane
/ Security Features (Mitigating Controls) for Exploitation of User Plane
/ Security Features Based on 5G Radio Access Network (RAN)
/ Data Compromise Risk
/ Security Features (Mitigating Controls) for Data Compromise Risk
/ Risk of Increased Attacks
/ Security Features (Mitigating Controls) for Increased Attacks
/ 5G Core Network Security
/ 5G Core Network Risk
/ Security Features (Mitigating Controls) for 5G Core Network
Conclusion
Acknowledgments

ABSTRACT

This white paper examines how 5G technology addresses the risk and threats facing cellular technologies and compares 5G technology to 4G and previous generation technologies. Generally, 5G security architecture inherits all the features of 4G security architecture, improves on those features, and introduces new security features to better mitigate the new and existing risk of cellular technology. This paper reviews 5G system architecture and 5G security architecture at a high level, identifying six security domains.
These six security domains have security features that, when implemented, mitigate the identified risk. Because these 5G features are optional rather than mandatory, it is the responsibility of the network providers to implement them in alignment with the 3rd Generation Partnership Project's (3GPP) 5G security standards.

Introduction

5G technology not only provides the foundation for an entire Internet of Things (IoT) ecosystem—5G can also unleash its full potential. IoT systems that make up this ecosystem do the following:
• Link together highly specialized devices designed for specific purposes with a limited degree of programmability and customizability
• Store and process data in a distributed manner
• Gather data continuously in real time over defined periods of time

The IoT systems residing on 5G networks create opportunities to positively transform existing business processes, provide value-added benefits, and save time and cost for businesses. The 4G and prior generation networks that form the underlying fabric of the current IoT ecosystem are inadequate to handle the data load from its ever-increasing number of sensors and connected devices, limiting what IoT can achieve. 5G technology provides vast improvements over the current capabilities of the 4G and previous networks.

Based on the improvements stated above, 5G's high data speed, low latency, increased flexibility, low energy consumption, cost-effectiveness, and ability to support a greater number of devices make the 5G platform a perfect enabler for IoT.1 Figure 1 shows the benefits of 5G technology.

This white paper provides a high-level comparison of 5G technology with 4G and previous generation cellular technologies. It includes a review of 5G system architecture and an examination of 5G security architecture. The paper also reviews 5G security features, identifying the existing risk when implementing cellular technologies and the new risk introduced when implementing 5G technology. The paper further explains how 5G features address the identified risk.

FIGURE 1: Benefits of 5G Technology

5G Capability: Provides a faster network with higher capacity
Description: Higher capacity with faster processing can better serve the connectivity needs of the IoT ecosystem. The increased speed and capacity can eliminate lags in transmitting data across the network. 5G's extremely fast speeds provide latency of a mere 1 millisecond. The faster 5G speed means one could download an HD film in seconds compared to the longer time it currently takes to download such a film via devices running on a 4G network.

5G Capability: Supports many static and mobile IoT devices
Description: 5G technology's flexibility provides a diverse range of:
• Speeds
• Bandwidth
• Quality of service requirements

5G Capability: Decreases network energy usage
Description: 5G technology can reduce network energy usage by 90% and provide up to 10 years' worth of battery life for low-powered IoT devices.

1 Violino, B.; "What 5G promises for IoT," Network World, 12 October 2020, www.networkworld.com/article/3584385/what-5g-brings-to-iot-today-and-tomorrow.html
5G Technology Explained

High-Level Comparison of 5G Technology With Previous Cellular Technologies

The term generation refers to a set of cellular network standards applicable to a particular mobile system and the associated frequency of generated network waves. The goal of cellular communication is to provide high-quality, reliable communication. Each evolving generation represents a big improvement. Since its inception in the 1980s, mobile technology has evolved through generations of commercial cellular/mobile systems.2

Figure 2 describes how cellular technology has evolved since 1G was introduced. It presents how mobile technology started with the first generation (1G) using analog technologies to deliver mobile communication services. The goal of 1G was to provide basic voice services to customers. Analog mobile systems were based on the frequency division multiple access (FDMA) technique, which uses separate frequency bands to transmit and receive communication wirelessly.

2G Technology

In 1991, 2G technology arrived with the digital era; it aimed to provide highly secure voice and text messaging and limited data services. 2G technology standards include global system for mobile communications (GSM), digital advanced mobile phone system (D-AMPS) and Interim Standard 95 (IS-95).3

FIGURE 2: Cellular Technology Evolution

Technology: 1G | 2G | 3G | 4G | 5G
Requirements: No official requirements, analog technology | No official requirements, digital technology | ITU's IMT-2000 required 144 Kbps mobile, 384 Kbps pedestrian, 2 Mbps indoors | ITU's IMT-Advanced requirements include ability to operate in up to 40 MHz radio channels and very high speed spectral efficiency | At least 1 GB/s or more data rates to support ultra-high definition video and virtual reality applications; 10 GB/s data rates to support mobile cloud service
Data bandwidth: 1.9 Kbps | 14.4 Kbps to 384 Kbps | 2 Mbps | 2 Mbps to 1 Gbps | 1 Gbps and higher
Core network: PSTN | PSTN, packet network | Packet network | All IP network | Flatter IP network and 5G network interfacing (5G-NI)
Service: Analog voice | Digital voice | Higher capacity, packetized data | Integrated high quality audio, video and data | Dynamic information access, wearable devices, HD streaming; global roaming | Dynamic information access, wearable devices, HD streaming; any demand of users; upcoming all technologies; global roaming smoothly
Standards: NMT, AMPS, Hicap, CDPD, TACS, ETACS | GSM, GPRS, EDGE, etc. | WCDMA, CDMA 2000 | All access convergence including: OFDMA, MC-CDMA, Network-LMPS | CDMA and BDMA
Multiple access: FDMA | TDMA | CDMA | CDMA | CDMA and BDMA

Source: Adapted from Kalra, B.; D.K. Chauhan; "A Comparative Study of Mobile Wireless Communication Network: 1G to 5G," September 2014, https://www.researchgate.net/figure/COMPARISON-OF-MOBILE-TECHNOLOGIES_tbl1_318673817

2 Ghayas, A.; "What do the terms 1G, 2G, 3G, 4G and 5G really mean?," Commsbrief, 3 March 2020, https://commsbrief.com/what-do-the-terms-1g-2g-3g-4g-and-5g-really-mean/
3 3GPP, "About 3GPP," www.3gpp.org/about-3gpp
3G Technology

In 1998, 3G technology4 introduced web browsing, email, video downloading, picture sharing and other smart technologies.5 The 3G standard includes the following technologies:
• Universal mobile telecommunications system (UMTS)—Used to migrate 2G GSM networks to 3G
• High speed packet data access (HSPA)—Provided data rate enhancements6 and introduced web browsing, email, video downloading, picture sharing and other smart technologies

The goals of 3G technology were to facilitate greater voice and data capacity, support a wider range of applications and increase data transmission speed at a lower cost.

4G Technology

4G technology was introduced in 2009 with the goals of providing high speed, quality and capacity to users; improving security; and lowering the cost of voice and data services, multimedia and Internet protocol telephony. 4G was enabled by a new technology called long term evolution (LTE), which offered next-generation capabilities that formed the basis of all new mobile systems.

5G Technology

In 2019, the implementation of 5G technology began with the goals of providing significantly faster data rates, higher connection density, much lower latency, device-to-device communication, better battery consumption and improved overall wireless coverage.7 5G technology evolved from 4G LTE technology, but it differs from 4G and previous generations by improving on key areas of the inherited 4G technology.8 5G technology introduced new radio (5G NR) technology and provided an overall higher level of security than that of 4G or previous generations.9

The types of 5G networks are:10
• 5G NSA (non-standalone)—5G network supported by existing 4G infrastructure
• 5G SA (standalone)—5G network supported by 5G infrastructure

5G architecture also differs from 4G and previous generations because it is defined as service-based. 5G is a service that enables deployments and data connectivity through the use of technologies such as network function virtualization and software defined networking and by implementing the following key principles and concepts:
• Separates user plane (UP) functions from control plane (CP) functions, which allows for on-demand configuration of network functions, independent scalability, evolution and flexible deployments. The user plane, also called the data plane, carries the network user traffic. The control plane provides signaling via exchange of information to enable end-to-end communications, thereby supporting the functions in the mobile telecommunications system that establish and maintain the user plane.
• Provides logically independent network slicing on a single network infrastructure to meet diversified service requirements for various applications
• Provides automatic network slicing service generation, maintenance and termination for various services, which reduces the operating expenses of those services
• Enables each network function and its network function services to interact with other NFs and network function services directly or indirectly, via a service communication proxy if required. (A network function is a defined processing function that has defined functional behavior and defined interfaces.)
• Minimizes dependencies between the radio access network (RAN) and the core network (CN)
• Provides a unified authentication framework
• Decouples the computing resource from the storage resource in situations where there are stateless network functions
• Supports service capability exposure that includes monitoring capability, provisioning capability, policy/charging capability and analytics reporting capability
• Supports the following: (i) concurrent access to local and centralized services; (ii) low latency services and access to local data networks, and deployment of user plane functions close to the access network
• Supports roaming with both home-routed traffic and local breakout traffic in the visited public land mobile network (PLMN). PLMN is any wireless communications system intended for mobile use.11

4 Ibid.
5 Op cit Ghayas
6 Op cit 3GPP, "About 3GPP"
7 Ibid.
8 Verizon, "The Security of Verizon's 5G Network, Network Security Planning Version 1.0," August 2020, www.verizon.com/about/sites/default/files/2020-09/200574_Schulz_07242020.pdf
9 Op cit 3GPP, "About 3GPP"
10 Op cit Verizon

5G Technology Overview

As shown in figure 3, 5G architecture is comprised of two components:
• 5G core network
• 5G radio access network (RAN)

FIGURE 3: 5G Service Access Model
[Diagram: user equipment (UE) reaches the service through the access network (AN) and the core network (CN), which connects to the data network (DN)]
Source: Adapted from Guttman, E.; I. Ali; "Path to 5G: A Control Plane Perspective," 3 May 2018, https://pdfs.semanticscholar.org/4d05/9e50521a2520a69e7c7ee9b0b7953a2d88c5.pdf?_ga=2.237964544.1066911265.1605115645-921535984.1605115645

5G Core Network

The 5G core network can be depicted as the brain of the 5G network.12 The 5G core network uses cloud-aligned, service-based architecture (SBA) that spans all 5G functions and interactions, including authentication, security, session management and aggregation of traffic from end devices.13

The core network is subdivided into three network domains:
• Serving network
• Home network
• Transit network

The serving network is the component of the core network to which the radio access network that provides the user's access is connected; it represents the core network functions that are local to the user's access point. Function locations change when the user moves. The serving network is responsible for routing calls and transporting user data from source to destination. It can interact with the home network to manage user-specific data/services, and it can interact with the transit network for non-user-specific data or services.

The home network represents the core network functions that are conducted at a permanent location. The home network retains permanent user-specific data and manages subscription information.

The transit network represents the core network section located on the communication path between the serving network and remote parties.14

Users connect to the 5G network using procedures and mechanisms via user equipment (UE). UE represents a subscriber's mobile devices, such as cellphones and tablets.

11 3GPP TS 23.501 V16.3.0 (2019-12) Technical Specification, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System architecture for the 5G System (5GS); Stage 2 (Release 16)," 3GPP, 22 December 2019, www.3gpp.org/ftp//Specs/archive/23_series/23.501/
12 Purdy, A.; "Why 5G can be more secure than 4G," Forbes, 23 September 2019, www.forbes.com/sites/forbestechcouncil/2019/09/23/why-5g-can-be-more-secure-than-4g/#30194b6157b2
13 VIAVI, "5G Architecture," www.viavisolutions.com/en-us/5g-architecture
14 3GPP TS 23.101 V8.0.0 (2008-12) Technical Specification, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Universal Mobile Telecommunications System (UMTS) architecture (Release 8)," 16 December 2008, https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=782

Figure 4 shows a diagram of 5G network architecture.

FIGURE 4: Network Architecture
[Diagram: control plane network functions AUSF (Nausf), UDM (Nudm), UDSF, UDR, AMF (Namf), NSSF (Nnssf), NRF (Nnrf), NEF (Nnef), SMF (Nsmf), PCF (Npcf), SEPP and AF (Naf), with network exposure APIs toward third parties; the UE connects to the AMF over N1 and the NG RAN to the AMF over N2; on the user plane the UPF connects to the RAN over N3 and to the data network over N6; a network slice is shown within the 5G CN]
Source: Adapted from European Union Agency for Cybersecurity, "ENISA threat landscape for 5G Networks," 21 November 2019, www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks
Key for figure 4: 5G system architecture includes the following network functions (NFs):15
• Access and mobility management function (AMF)
• Authentication server function (AUSF)
• Session management function (SMF)
• Unified data management (UDM)
• Unified data repository (UDR)
• User plane function (UPF)
• Application function (AF)
• User equipment (UE)
• (Radio) access network ((R)AN)
• 5G-equipment identity register (5G-EIR)
• Network data analytics function (NWDAF)
• Charging function (CHF)
• Data network (DN), e.g., operator services, Internet access or third-party services
• Unstructured data storage function (UDSF)
• Network exposure function (NEF)
• Intermediate NEF (I-NEF)
• Network repository function (NRF)
• Network slice selection function (NSSF)
• Policy control function (PCF)
• Security edge protection proxy (SEPP)
• UE radio capability management function (UCMF)

(Details on the network functions listed above are beyond the scope of this publication.)

With reference to figure 4, interaction between the network functions in the 5G service-based architecture is represented in two ways:
• Service-based architecture (SBA)—Network functions within the control plane enable other authorized network functions to access their services.
• Reference point architecture—Interactions between network function services are in the form of point-to-point references between any two network functions.
The SBA includes the reference point representation where necessary.

15 Op cit 3GPP TS 23.501

5G Radio Access Network (RAN or AN)

5G radio access network (RAN or AN) is also known as next-generation radio access network (NG-RAN). NG-RAN can be depicted as the arms and legs of the 5G network. It takes signals from cellphones and other devices and transmits them back to the core, using cellphones, towers or base stations. Elements of RAN include (figure 5):
• User equipment (UE)
• Radio unit (RU), which is an element that connects user equipment with the network
• gNB, gNB distributed unit (gNB-DU), and gNB central unit (gNB-CU), which are radio network nodes for communication between network components
• Access and mobility management function (AMF), which is a network function that performs several functionalities such as access authentication and authorization, registration management, and connection management.16

RAN connects many routers, hubs and switches that exist in the global network infrastructure and allows objects and devices to gain quicker access to the Internet than ever before.

FIGURE 5: 5G Radio Access Network (RAN) Architecture
[Diagram: UEs attach over AS protocols to radio units (RUs) served by gNB distributed units (gNB-DUs), which connect over F1 to the gNB central unit (gNB-CU); gNBs interconnect over Xn; the NG-RAN connects over NG to the AMF in the 5G core (5GC), with NAS protocols running between the UE and the AMF]
Source: European Union Agency for Cybersecurity, "ENISA threat landscape for 5G Networks," 21 November 2019, www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks

Cellphones and other devices communicate by converting users' data and service requests into digital signals to send as radio waves. These waves are sent to and received by the RAN via base stations (i.e., transceivers) and then sent to the core network for processing.17 5G maintains clear separation between RAN and the core network.18

Network Slicing

One of the most innovative aspects of 5G network architecture is network slicing, which allows a virtual network to exist on top of a shared physical infrastructure, as shown in figure 6. Network slicing allows the segmentation of a single physical network into multiple virtual networks, so the network functions necessary to support specific customers and market segments19 can be dynamically allocated and deployed to meet technical and service requirements with respect to throughput, latency, reliability and availability.20

A virtual network (i.e., logical network) appears to the subscriber (i.e., user) as an entirely separate and self-contained network, even though it could be either a portion of a larger physical network or a combination of multiple separate physical networks that appears as a single network.21

16 European Union Agency for Cybersecurity, "ENISA Threat Landscape for 5G Networks: Threat assessment for the fifth generation of mobile telecommunication networks," November 2019, www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks
17 Verizon, "What are Radio Access Networks and 5G RAN?," 2 February 2020, www.verizon.com/about/our-company/5g/5g-radio-access-networks
18 Op cit Purdy
19 Op cit European Union Agency for Cybersecurity
Network slicing entails the concept of running multiple virtual networks as independent business operations on a common physical infrastructure in an efficient and economical way. A network slice is an independent end-to-end virtual network that runs on a shared physical infrastructure capable of providing negotiated quality services customized to a subscriber's specific requirements. A network slice can span multiple parts of the network, can be deployed across multiple operators and is isolated from other network slices. It also can incorporate dedicated and/or shared resources such as processing power, storage and bandwidth, and customized network capabilities such as data speed, quality, latency, reliability, security and services.

Due to varying needs, business and individual subscribers to 5G services may have different sets of requirements for these services. With network slicing, 5G networks allow business customers with different and sometimes conflicting needs to enjoy connectivity and data processing tailored to specific business requirements that adhere to a service level agreement (SLA) entered with the 5G network provider.22

FIGURE 6: 5G Network Slicing
[Diagram: a slice management layer above several network slices, each built from the generic 5G architecture components UE, 5G RAN and 5G core]
Source: European Union Agency for Cybersecurity, "ENISA threat landscape for 5G Networks," 21 November 2019, www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks

5G Security Domains

The 3rd Generation Partnership Project (3GPP), in collaboration with telecommunications standard development organizations, defined the 5G security architecture. This architecture was based on the trust model: Network functions in the inner circles of the user's device (i.e., user equipment) are more trusted than the network functions in the outer circle, as shown in figure 7. Based on the trust model, 5G security is designed so that sensitive data and encryption keys from higher-trust network functions are not available to lower-trust network functions.23

5G inherits the 4G security environment and then builds on it, providing enhancements to previous generations (3G and 4G)24 by implementing new security protocols that address previously unresolved threats.
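The trust model described above is enforced in practice by a one-way key hierarchy: each network function receives only the key derived for its layer, so keys held by a higher-trust function (such as the AUSF in the home network) can never be reconstructed by a lower-trust one (such as a gNB at the network edge). The following Python block is an added example written for this page, not code from the paper or from 3GPP. It uses the KDF shape of 3GPP TS 33.501 Annex A (HMAC-SHA-256 over a function code and length-prefixed parameters), but the function codes, algorithm type distinguishers, the all-zero K_AUSF, the serving network name and the SUPI are values chosen for the example, not normative ones.

```python
"""Added example (not from the ISACA paper): a 5G-style key hierarchy
that realizes the trust model of figure 7. Keys are derived one way,
from the home network (AUSF) down to the serving network (SEAF, AMF)
and the RAN (gNB), so a node holds only the keys of its own layer and
below. The KDF shape follows 3GPP TS 33.501 Annex A (HMAC-SHA-256 over
FC || P0 || L0 || ...); the FC codes, type distinguishers, identifiers
and the toy K_AUSF are chosen for the example, not normative values."""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each parameter carries its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


# One function code per derivation step keeps sibling keys separate even
# when the input parameters happen to coincide (example values, not 3GPP's).
FC_SEAF, FC_AMF, FC_GNB, FC_ALG = 0x01, 0x02, 0x03, 0x04
NAS_ENC, NAS_INT, RRC_INT, UP_ENC = 1, 2, 4, 5          # algorithm type distinguishers


def alg_key(parent: bytes, alg_type: int, alg_id: int = 2) -> bytes:
    """128-bit algorithm key (alg_id 2 stands for NEA2/NIA2) from a parent key."""
    return kdf(parent, FC_ALG, bytes([alg_type]), bytes([alg_id]))[16:]


def ran_keys(k_gnb: bytes) -> dict:
    """Everything the gNB can derive on its own from K_gNB."""
    return {"K_RRCint": alg_key(k_gnb, RRC_INT), "K_UPenc": alg_key(k_gnb, UP_ENC)}


def derive_hierarchy(k_ausf: bytes, serving_network_name: str, supi: str,
                     uplink_nas_count: int) -> dict:
    """Per-layer keys; the UE and the network run this independently and
    must arrive at identical values."""
    # K_SEAF is bound to the serving network name, so a key agreed with one
    # visited network is useless to another.
    k_seaf = kdf(k_ausf, FC_SEAF, serving_network_name.encode())
    # K_AMF is bound to the subscriber (ABBA parameter fixed to 0x0000 here).
    k_amf = kdf(k_seaf, FC_AMF, supi.encode(), b"\x00\x00")
    # K_gNB is refreshed from the uplink NAS COUNT, so each AS security
    # context (e.g. after a handover) gets a fresh RAN key.
    k_gnb = kdf(k_amf, FC_GNB, uplink_nas_count.to_bytes(4, "big"))
    return {
        "SEAF": {"K_SEAF": k_seaf},
        "AMF": {"K_AMF": k_amf,
                "K_NASenc": alg_key(k_amf, NAS_ENC),
                "K_NASint": alg_key(k_amf, NAS_INT)},
        "gNB": {"K_gNB": k_gnb, **ran_keys(k_gnb)},
    }


def held_by(hierarchy: dict, node: str) -> set:
    """Key names a compromise of `node` exposes: its own layer and what it
    can derive downward; higher layers are unreachable (one-way KDF)."""
    order = ["SEAF", "AMF", "gNB"]
    return {name for n in order[order.index(node):] for name in hierarchy[n]}


if __name__ == "__main__":
    # Constructed inputs: an all-zero K_AUSF, a serving network name in the
    # 3GPP "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org" form, and a toy SUPI.
    K_AUSF = bytes(32)
    SNN, SUPI = "5G:mnc001.mcc001.3gppnetwork.org", "imsi-001010123456789"
    h = derive_hierarchy(K_AUSF, SNN, SUPI, 0)
    for node, keys in h.items():
        print(node, {k: v.hex()[:16] + "..." for k, v in keys.items()})
    print("gNB compromise exposes:", sorted(held_by(h, "gNB")))
```

Two properties are worth checking when reviewing an implementation of this kind: the UE and the network must derive byte-identical keys from the same inputs, and changing the serving network name must change K_SEAF and everything below it while leaving K_AUSF untouched in the home network.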
Figure 8 displays the 5G security architecture main strata.

The application stratum consists of protocols and functions used in routing and transmitting user- or network-generated data/information from source to destination, with the source being within the same or different networks.

The home stratum contains protocols and functions related to the handling and storage of subscription data and home network-specific services. This stratum includes functions that allow domains other than the home network domain to act on behalf of the home network. It also includes functions that are related to subscription data management, customer care, billing and charging, mobility management and authentication.

FIGURE 7: 5G Trust Model
[Diagram of nested trust circles; entities shown: UDM, USIM, ME, DU, CU, AMF, SEAF, AUSF, ARPF]
Source: 3GPP, www.3gpp.org/news-events/1975-sec_5g

FIGURE 8: 5G Security Architecture
[Diagram of the 5G security architecture strata and security domains]
Source: 3GPP/3GPP TS 33.401 V16.3.0, ©2020. 3GPP™ deliverables and material are the property of ARIB, ATIS, CCSA, ETSI, TSDSI, TTA and TCC, which jointly own the copyright in them. They are subject to further modifications and are therefore provided as-is for information purposes only. Further use is strictly prohibited.

20 Innovation Committee, "Network of the future," Chief Information Officers Council, www.cio.gov/assets/resources/Networks-of-the-Future-FINAL.pdf
21 Techopedia, "What does Logical Network mean?," www.techopedia.com/definition/14760/logical-network
22 GSMA, "An introduction to Network Slicing," 2017, www.gsma.com/futurenetworks/wp-content/uploads/2017/11/GSMA-An-Introduction-to-Network-Slicing.pdf
23 Op cit Verizon
24 Huawei, "What We Don't Know About 5G and Telecom Networks Can Hurt Us," www.huawei.com/us/facts/news-opinions/2019/what-we-dont-know-about-5g-and-telecom-network-can-hurt-us
The serving stratum consists of protocols and functions that route and transmit user- or network-generated data/information from source to destination, with the source and destination being within either the same or different networks. This stratum's functions are related to telecommunication services.

The transport stratum supports the transport of user data and network control signaling from other strata. This stratum includes mechanisms for the following:
• Formatting of physical transmissions
• Error correction and recovery
• Encryption of data over the radio interface and in the infrastructure
• Adaptation of data to use the supported physical format
• Transcoding of data to make efficient use of the radio interface
• Resource allocation and routing local to the different interfaces25

Six Domains

Figure 8 provides an overview of 5G security architecture, which is made up of six security domains:
1. Network access security (I)—A group of security features that enable users' devices to securely authenticate and access services through the network and to specifically protect against attacks on the radio access link
2. Network domain security (II)—A group of security features that enable nodes to securely exchange signaling data and user data and protect against attacks on the wireline network
3. User domain security (III)—A group of security features that secure access to mobile stations and equipment
4. Application domain security (IV)—A group of security features that enable applications in the user domain and in the provider domain to securely exchange messages
5. SBA domain security (V)—The newly introduced 5G security domain, comprised of a group of security features that enable network functions—such as network function registration, discovery and authorization security aspects—to securely communicate within the serving network domain and with other network domains
6. Visibility and configurability of security (VI)—A group of features that enable the user to learn whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature (visibility and configurability of security are not shown in figure 8)

The security features provided by each security domain that enable the interactions shown in figure 8 are optional.26 It is the responsibility of the network provider to ensure that these features are implemented in alignment with the 3GPP's 5G security standards.

Review of 5G Security Architecture

This section addresses the threats to cellular technologies identified previously. Figure 9 describes 5G's security features alongside each risk that the feature mitigates.

FIGURE 9: 5G Threats and Mitigating Security Controls

I. Authentication
Threats:
• Bidding down attacks
• Exploitation of user plane integrity
• Malicious network connection
• Connection to network by rogue user equipment
• Pretense of user equipment roaming on networks
5G Security Features (Mitigating Controls):
• Subscription authentication
• Enhanced subscriber privacy
• Network authorizations
• User plane integrity protection
• Stronger roaming authentication via 5G Authentication and key agreement (5G-AKA)

25 Op cit 3GPP TS 23.101
26 Op cit 3GPP TS 23.501
FIGURE 9: 5G Threats and Mitigating Security Controls (cont.)

II. 5G Radio Access Network (RAN)
Threats:
• Sensitive data vulnerability because of physical attacks due to unencrypted or poorly encrypted communications
• Higher risk of attackers due to the introduction of new interfaces for core/user plane and 5G core network, resulting in:
  • More attackers
  • Network disruptions
  • Fake access network node threat
  • Flooding attack threat via interface flooding
5G Security Features (Mitigating Controls):
• Restriction of sensitive data via encryption of user equipment radio units (RUs)/distributed units (DUs)
• RAN interface protection

III. 5G Core Network
Threats:
• Abuse of remote access threat and authentication traffic spike due to malicious acts
• Abuse of third party-hosted network function threat
• Application programming interface (API) exploitation threat
5G Security Features (Mitigating Controls):
• Security-enhancing network functions (NFs)
• Interoperator security

Authentication and Authorization

Bidding Down Attack

Bidding down attacks are a form of man-in-the-middle attack; essentially, they degrade service by making user devices (and the network entities these devices connect to) believe that the other side does not support a security feature—even when both sides do.27 By doing this, the attacker forces the use of a weaker authentication/authorization mechanism in place of the stronger mechanism.28

With 4G technology, telecommunication operators authenticate users with SIM cards placed inside smartphones and other devices and by connecting to the base station. Authentication and authorization via 4G and previous generation technologies does not encrypt the user's authentication information (i.e., user's identity and location), leaving it vulnerable to attacks, even though calls/text are encrypted.29

27 Seals, T.; "Black Hat 2019: 5G Security Flaw Allows MiTM, Targeted Attacks," Threatpost, 7 August 2019, https://threatpost.com/5g-security-flaw-mitm-targeted-attacks/147073/
28 3GPP TS 33.501 V16.1.0 Technical Specification, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 16)," 3GPP, 33501-g10.zip, 31 December 2019, www.3gpp.org/ftp//Specs/archive/33_series/33.501/
29 Op cit Purdy
30 Ibid.
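A bidding down attempt of the kind just described is only possible while the capability negotiation is unprotected, and the 3GPP defense is to have the network repeat, under integrity protection, exactly what it received. The following Python block is an added example written for this page, not code from the paper or from any 3GPP implementation; it models the NAS security mode control procedure of 3GPP TS 33.501 (clause 6.7.2), which the paper does not itself describe: the UE lists its supported ciphering (NEA) and integrity (NIA) algorithms in an unprotected Registration Request, the AMF echoes that list inside the NAS-MAC-protected Security Mode Command, and the UE rejects the command if the echo differs from what it sent. The NAS integrity key, the algorithm lists, the message layout and the 32-bit truncation of an HMAC in place of the NIA algorithm are all constructed for the demonstration.

```python
"""Added example (not from the ISACA paper): detecting a bidding-down
attempt the way 3GPP NAS security mode control does (TS 33.501 clause
6.7.2; this mechanism is not described in the paper). The UE sends its
security capabilities unprotected in the Registration Request; the AMF
echoes them inside an integrity-protected Security Mode Command; the UE
rejects the command if the echo differs from what it sent. The NAS
integrity key, algorithm lists and message layout are constructed."""
import hashlib
import hmac
import json

# Constructed NAS integrity key. In 5G it is derived after authentication
# (K_NASint from K_AMF), so an on-path party does not hold it.
K_NASINT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Preference-ordered algorithm lists; NEA0/NIA0 are the null algorithms.
UE_CAPABILITIES = {"ciphering": ["NEA2", "NEA1", "NEA0"], "integrity": ["NIA2", "NIA1"]}
AMF_PREFERENCE = {"ciphering": ["NEA2", "NEA1", "NEA0"], "integrity": ["NIA2", "NIA1"]}


def nas_mac(key: bytes, message: dict) -> str:
    """32-bit NAS-MAC over the canonical encoding of a message (HMAC-SHA-256
    stands in for the NIA integrity algorithm)."""
    data = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:8]


def ue_registration_request(caps: dict) -> dict:
    """Sent before any NAS security context exists: neither integrity
    protected nor ciphered, so anyone on the path can rewrite it."""
    return {"type": "RegistrationRequest", "ue_caps": caps}


def amf_security_mode_command(reg_req: dict, key: bytes) -> dict:
    """AMF selects the first algorithm of its preference that the UE claims
    to support and echoes the received capabilities under the NAS-MAC."""
    caps = reg_req["ue_caps"]
    selected = {kind: next((a for a in AMF_PREFERENCE[kind] if a in caps[kind]), None)
                for kind in ("ciphering", "integrity")}
    body = {"type": "SecurityModeCommand", "selected": selected,
            "replayed_ue_caps": caps}
    return {**body, "nas_mac": nas_mac(key, body)}


def ue_check_security_mode_command(smc: dict, sent_caps: dict, key: bytes) -> str:
    """UE verdict on the command: 'ACCEPT' or 'REJECT: <reason>'."""
    body = {k: v for k, v in smc.items() if k != "nas_mac"}
    if not hmac.compare_digest(nas_mac(key, body), smc["nas_mac"]):
        return "REJECT: NAS-MAC failure"            # forged or modified command
    if smc["replayed_ue_caps"] != sent_caps:
        return "REJECT: UE security capabilities modified in transit"
    for kind, alg in smc["selected"].items():
        if alg not in sent_caps[kind]:
            return f"REJECT: unsupported {kind} algorithm {alg}"
    return "ACCEPT"


def run_registration(received_caps: dict = None) -> str:
    """Whole exchange. `received_caps`, when given, is what the AMF actually
    receives after an on-path party has rewritten the unprotected request."""
    sent = ue_registration_request(UE_CAPABILITIES)
    at_amf = sent if received_caps is None else ue_registration_request(received_caps)
    smc = amf_security_mode_command(at_amf, K_NASINT)
    return ue_check_security_mode_command(smc, UE_CAPABILITIES, K_NASINT)


if __name__ == "__main__":
    print("untouched request:", run_registration())
    print("rewritten request:", run_registration({"ciphering": ["NEA0"], "integrity": ["NIA1"]}))
```

The order of the checks in `ue_check_security_mode_command` matters: the NAS-MAC is verified first, so that a modified Security Mode Command is rejected before its contents are trusted at all; only then is the echoed capability list compared with the one the UE actually sent. From the operator's side, a run of security mode rejects from one cell is the signal worth alerting on.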
• Enhanced subscriber privacy—One of the new security features added by 5G is the subscription concealed identifier (SUCI), which is allocated to each subscriber for use within the network. The SUCI is a globally unique privacy-preserving identifier that contains the concealed SUPI. This mechanism requires users' devices to identify themselves during the network connection process using the SUCI identifier, as shown in figure 10. The SUCI and SUPI identifiers are not transferred in clear text, but rather use 256-bit encryption to prevent attackers from observing the connection procedure, capturing the subscriber's identifying information and then tracking the subscriber's location. Neither passive attackers, such as eavesdroppers, nor active attackers, such as spoofed base stations, are able to follow a user equipment's SUCI over multiple connections or obtain details in the SUPI that identify the subscriber but not the service provider. 5G use of 256-bit encryption is a substantial improvement over the 128-bit standard used by 4G.32
• Network authorizations—The following network authorizations are implemented via 5G:
  • Serving network authorization by the home network—The UE's home network authorizes a serving network before the serving network provides services to the UE, as shown in figure 8.
  • Radio access network authorization—The serving network authorizes the UE's radio access network before providing services to the UE.33

FIGURE 10: Initiating Authentication
Participants: Subscriber (user equipment, UE), Serving Network (SN), Home Network (HN)
1. UE: encrypts SUPI in SUCI
2. UE to SN: Registration Request (SUCI)
3. SN to HN: Authentication Request (SUCI)
4. HN: gets SUPI from SUCI to perform authentication

31 Ibid.
32 Op cit Verizon
33 Op cit 3GPP TS 33.501
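The concealment step of figure 10, worked through as an added example (this code is not from the white paper, from 3GPP or from any vendor): the UE encrypts only the subscriber-specific part of the SUPI under the home network's public key, the routing part stays readable so the serving network can forward the request to the right home network, and the SIDF in the home network recovers the SUPI. Because a fresh ephemeral key is used per registration, two SUCIs for the same subscriber are unlinkable to an observer. The SUPI layout "MCC-MNC-MSIN", the toy Diffie-Hellman group and the SHA-256 key derivation are assumptions chosen so the script runs with the Python standard library; the 3GPP profiles use ECIES over elliptic curves instead.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, demonstration only (assumption): TS 33.501's
# ECIES profiles use elliptic curves; a MODP group keeps this stdlib-only.
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1
G = 5


def keygen():
    """Return (private, public) for the toy group."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared: int, length: int) -> bytes:
    """Toy KDF: SHA-256 in counter mode over the shared secret."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def conceal(supi: str, hn_pub: int) -> dict:
    """UE side: build a SUCI from a SUPI of the constructed form 'MCC-MNC-MSIN'."""
    mcc, mnc, msin = supi.split("-")
    eph_priv, eph_pub = keygen()                       # fresh per registration
    ks = kdf(pow(hn_pub, eph_priv, P), len(msin) + 32)
    enc_key, mac_key = ks[:len(msin)], ks[len(msin):]
    ct = bytes(a ^ b for a, b in zip(msin.encode(), enc_key))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    # The routing part (MCC/MNC) stays in clear so the SN can reach the HN.
    return {"mcc": mcc, "mnc": mnc, "eph_pub": eph_pub, "ct": ct, "tag": tag}


def deconceal(suci: dict, hn_priv: int) -> str:
    """SIDF side: recover the SUPI; raises ValueError on a tampered SUCI."""
    ks = kdf(pow(suci["eph_pub"], hn_priv, P), len(suci["ct"]) + 32)
    enc_key, mac_key = ks[:len(suci["ct"])], ks[len(suci["ct"]):]
    expected = hmac.new(mac_key, suci["ct"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    msin = bytes(a ^ b for a, b in zip(suci["ct"], enc_key)).decode()
    return f"{suci['mcc']}-{suci['mnc']}-{msin}"


def serving_network_view(suci: dict) -> dict:
    """What the SN (and any passive observer) can read: routing info only."""
    return {"home_plmn": suci["mcc"] + suci["mnc"], "msin_visible": False}


def registration(supi: str, hn_priv: int, hn_pub: int) -> dict:
    """Figure 10: UE -> SN (Registration Request) -> HN (Authentication Request)."""
    suci = conceal(supi, hn_pub)                       # step 1, UE
    routed = serving_network_view(suci)                # steps 2-3, SN forwards
    recovered = deconceal(suci, hn_priv)               # step 4, HN / SIDF
    return {"sn_sees": routed, "hn_recovers": recovered, "suci": suci}


def unlinkable(supi: str, hn_pub: int) -> bool:
    """Two registrations of the same SUPI yield different SUCIs."""
    a, b = conceal(supi, hn_pub), conceal(supi, hn_pub)
    return a["eph_pub"] != b["eph_pub"] and a["ct"] != b["ct"]


def rejects_tampered(suci: dict, hn_priv: int) -> bool:
    """The SIDF refuses a SUCI whose ciphertext was modified in transit."""
    bad = dict(suci)
    bad["ct"] = bytes([suci["ct"][0] ^ 0x01]) + suci["ct"][1:]
    try:
        deconceal(bad, hn_priv)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    hn_priv, hn_pub = keygen()                         # provisioned in the HN/UDM
    result = registration("001-01-0000000001", hn_priv, hn_pub)   # constructed SUPI
    print("SN sees:", result["sn_sees"])
    print("HN recovers:", result["hn_recovers"])
    print("unlinkable across registrations:", unlinkable("001-01-0000000001", hn_pub))
```

The integrity tag matters as much as the encryption: without it, a modified SUCI would deconceal to a different subscriber rather than being rejected, which is the kind of silent failure an operator's SIDF logs should never show.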
Risk of Exploitation of User Plane
Attackers can exploit the lack of user plane integrity to maliciously redirect traffic, even though both 4G and 5G have the capability to protect users' privacy by encrypting the user plane, which transmits data in the form of photos, web traffic and text messages. With 4G and previous generations, the UE capability to connect and roam onto partner networks other than a device's subscribed network creates risk, including the following:
• UEs can be tricked by attackers into connecting to malicious networks.
• Partner networks can pretend UEs are currently roaming on their networks when the devices are not.
• A rogue UE can trick a partner network into allowing it to connect.

Security Features (Mitigating Controls) for Exploitation of User Plane
To mitigate the exploitation of user plane integrity risk, 5G adds a new security feature that gives user equipment the option to provide integrity protection for the user plane in addition to encrypting it.

5G's new authentication procedure, called 5G authentication and key agreement (5G-AKA), mitigates this risk. The new authentication procedure does the following:
• Ensures that the subscriber's home network authenticates both the subscriber's UE and the roaming network the UE is joining. Previously, in 4G architecture, only the roaming network performed authentication. Because the subscriber's home network authenticates both the subscriber's UE and the roaming network the UE is joining, UEs are prevented from being tricked into joining unauthorized partner networks.
• Ensures that a UE is connected to the roaming network and therefore mitigates the risk of fraudulent billing by the home network operator, which can occur with 4G technology.
• Ensures that UE and subscriber information needed to establish a network connection is shared only with authorized partner networks.

Security Features Based on 5G Radio Access Network (RAN)
The 5G RAN provides secure communications on all RAN interfaces and includes extra protections at places that are vulnerable to physical attacks.

Data Compromise Risk
As shown in figure 5, the 5G RAN, which is referred to as a gNodeB (gNB) or base station, is composed of radio units (RUs), distributed units (DUs) and central units (CUs) that are collocated or distributed in various configurations and deployed as virtual network functions (VNFs). Both the RUs and DUs sit at the edge of the network. Therefore, network operators can deploy them in unmanned locations or sites with minimal physical security. This produces the risk of leaving sensitive data vulnerable to physical attacks, if the data are sent through the RUs/DUs unencrypted or if the RUs/DUs possess the keys used to decrypt them.

Security Features (Mitigating Controls) for Data Compromise Risk
To mitigate the risk, the 5G network can encrypt the communication to activate confidentiality protection for the UE communications. The network operators can distribute encryption keys so that protected data cannot be viewed via the RU and DU.
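A toy model of the 5G-AKA decision flow described above, added here as an illustration and not taken from the white paper, from 3GPP or from any vendor code. It shows the three properties the bullets claim: the home network issues a challenge whose expected response is bound to the serving network name, so a response only verifies if the UE really attached to that network; the SEAF in the serving network receives only a hash of the expected response, so it can reject a bad response but cannot manufacture an accepted one; and the home network makes the final decision. The HMAC-SHA256 stand-ins for the authentication functions, the simplified AUTN (sequence number plus MAC) and the serving network names are assumptions.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SIM's authentication functions (assumption: HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class HomeNetwork:
    """UDM/ARPF (long-term key and SQN per subscriber) plus AUSF (final decision)."""

    def __init__(self):
        self.subs = {}       # SUPI -> {"k": long-term key, "sqn": counter}
        self.pending = {}    # SUPI -> expected response (XRES*) for the open challenge

    def enrol(self, supi: str, k: bytes):
        self.subs[supi] = {"k": k, "sqn": 0}

    def challenge(self, supi: str, sn_name: str) -> dict:
        sub = self.subs[supi]
        sub["sqn"] += 1
        rand = os.urandom(16)
        sqn = sub["sqn"].to_bytes(6, "big")
        mac = prf(sub["k"], b"mac", sqn, rand)                 # lets the UE authenticate the HN
        xres = prf(sub["k"], b"res", rand, sn_name.encode())   # bound to the serving network name
        self.pending[supi] = xres
        # The SEAF gets only a hash of XRES*, so it can never fabricate a success.
        return {"rand": rand, "autn": (sqn, mac), "hxres": hashlib.sha256(rand + xres).digest()}

    def confirm(self, supi: str, res: bytes) -> bool:
        xres = self.pending.pop(supi, None)
        return xres is not None and hmac.compare_digest(res, xres)


class UE:
    def __init__(self, supi: str, k: bytes):
        self.supi, self.k, self.sqn = supi, k, 0

    def respond(self, rand: bytes, autn, sn_name: str) -> bytes:
        sqn, mac = autn
        if not hmac.compare_digest(mac, prf(self.k, b"mac", sqn, rand)):
            raise ValueError("challenge not from the home network")
        if int.from_bytes(sqn, "big") <= self.sqn:
            raise ValueError("replayed challenge")
        self.sqn = int.from_bytes(sqn, "big")
        # The UE binds the name of the network it is actually attached to.
        return prf(self.k, b"res", rand, sn_name.encode())


def seaf_check(rand: bytes, hxres: bytes, res: bytes) -> bool:
    """Serving network's local check: hash of the UE response against HXRES*."""
    return hmac.compare_digest(hashlib.sha256(rand + res).digest(), hxres)


def run_5g_aka(hn: HomeNetwork, ue: UE, sn_name: str, ue_sees=None, forged_res=None) -> str:
    """Return who decided. sn_name is what the SN tells the HN; ue_sees is the
    network the UE is really attached to; forged_res models a colluding SN that
    submits a response without any UE and skips its own check."""
    av = hn.challenge(ue.supi, sn_name)                        # HN -> SEAF
    if forged_res is not None:
        res = forged_res
    else:
        res = ue.respond(av["rand"], av["autn"], ue_sees or sn_name)   # UE -> SEAF
        if not seaf_check(av["rand"], av["hxres"], res):
            hn.pending.pop(ue.supi, None)
            return "rejected by SEAF"
    return "accepted by HN" if hn.confirm(ue.supi, res) else "rejected by HN"


def replay_is_rejected(hn: HomeNetwork, ue: UE, sn_name: str) -> bool:
    """A previously used challenge is refused by the UE's sequence-number check."""
    av = hn.challenge(ue.supi, sn_name)
    ue.respond(av["rand"], av["autn"], sn_name)               # first use is fine
    hn.pending.pop(ue.supi, None)
    try:
        ue.respond(av["rand"], av["autn"], sn_name)           # same challenge again
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    K = bytes(range(32))                                      # constructed subscriber key
    hn, ue = HomeNetwork(), UE("001-01-0000000001", K)
    hn.enrol("001-01-0000000001", K)
    print(run_5g_aka(hn, ue, "sn-partner.example"))                             # accepted by HN
    print(run_5g_aka(hn, ue, "sn-partner.example", ue_sees="sn-other.example"))  # rejected by SEAF
    print(run_5g_aka(hn, ue, "sn-partner.example", forged_res=bytes(32)))       # rejected by HN
```

The second call is the fraudulent-billing case: a serving network that claims the UE is roaming on it while the UE is attached elsewhere cannot produce a response that matches the name the home network expects. The third call is why HXRES* is a hash: a serving network that skips its own check still cannot get the home network to accept.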
Risk of Increased Attacks
Both 4G LTE and 5G networks can implement a RAN that is disaggregated into RU, CU and DU components that are a native part of the 5G architecture. The native disaggregation associated with 5G results in the introduction of new interfaces for both the control plane and user plane, as well as the 5G core network. These new interfaces carry sensitive traffic and in the 5G architecture pose a higher risk of attackers modifying or reading confidential information, which can cause significant network disruptions compared to 4G or previous generations.34

In addition, the following threats exist:
• Fake access network node threats, whereby a compromised base station masquerading as legitimate can send different types of attacks to the network
• Flooding attack threat, which transmits data requests that can exhaust components of the RAN, leading to a reduction or complete shutdown of the radio frequency provided by the component, and blocking subscriber access to core network and related services35

Security Features (Mitigating Controls) for Increased Attacks
To mitigate this risk, the 3GPP's 5G standards make it mandatory in some situations and optional in others for the network operators to implement confidentiality, integrity and replay protection for all affected interfaces.36
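What integrity and replay protection on an interface buys a defender, as an added example that is not the paper's or 3GPP's own code: a receiver that authenticates every message with an HMAC before it even looks at the sequence number, then rejects replayed and out-of-window sequence numbers, and counts what it dropped so the events can be fed to monitoring. Checking integrity first matters, because an unauthenticated sequence number must never be allowed to move the replay window. The key, window size, message layout and the constructed traffic are assumptions; confidentiality protection is left out to keep the example short.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 tag


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 4-byte sequence number || payload || tag over both."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ProtectedReceiver:
    """Receiver side of an integrity- and replay-protected interface
    (toy stand-in for the protection the text describes; assumption, not the spec)."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest = -1      # highest sequence number accepted so far
        self.seen = set()      # accepted sequence numbers still inside the window
        self.stats = {"accepted": 0, "tampered": 0, "replayed": 0, "stale": 0}

    def receive(self, msg: bytes):
        """Return the payload if the message is authentic and fresh, else None."""
        if len(msg) < 4 + TAG_LEN:
            self.stats["tampered"] += 1
            return None
        header, body, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        # Integrity first: only authenticated messages may touch the window state.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.stats["tampered"] += 1
            return None
        seq = struct.unpack(">I", header)[0]
        if seq in self.seen:
            self.stats["replayed"] += 1
            return None
        if seq <= self.highest - self.window:
            self.stats["stale"] += 1      # too old to track, treated like a replay
            return None
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        self.stats["accepted"] += 1
        return body


def demo() -> dict:
    """Constructed traffic: three genuine messages, one replay, one modified copy."""
    key = bytes(range(32))                       # constructed interface key
    rx = ProtectedReceiver(key)
    msgs = [protect(key, i, b"control-plane msg %d" % i) for i in range(3)]
    for m in msgs:
        rx.receive(m)
    rx.receive(msgs[1])                           # replayed message
    tampered = bytearray(msgs[2])
    tampered[6] ^= 0x01                           # one bit of the payload flipped
    rx.receive(bytes(tampered))
    return rx.stats


if __name__ == "__main__":
    print(demo())   # counts of accepted, tampered, replayed and stale messages
```

The `stats` counters are the detection hook: a rising "tampered" or "replayed" count on a RAN or core interface is the signal an operator would alert on, and it costs nothing beyond the checks the protection already requires.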
5G Core Network Security

5G Core Network Risk
5G introduces the following threats to the 5G core network:
• Abuse of remote access—Whereby a malicious actor with remote access to the network can take control of its virtual components to engage in activities such as configuration tampering, malware distribution, data modification in transit and injection of illegitimate data into the network
• Authentication traffic spike—Whereby a malicious actor sends a massive number of authentication requests that leads to denial of service due to the network experiencing more signaling and authentication requests than it is capable of handling
• Abuse of third party-hosted network function—Whereby an untrustworthy cloud service provider can access, interrupt and modify the user/control plane traffic, leading to network availability issues and disclosure of sensitive data37
• 5G allows a subscriber to roam onto another operator's network, which provides value-added services to the subscriber via interfaces to external networks, opening a likely avenue for attackers38
• Application programming interface (API) exploitation—Due to the openness and programmability offered by the new 5G network architecture's reliance on the expanded use of APIs39

Security Features (Mitigating Controls) for 5G Core Network
5G security technology mitigates core network threats with the following security features:
• Security-enhancing network functions (NFs)—The 5G core network enhances security by introducing specialized network functions for security within an operator's network and with roaming partners, and by introducing a service-based architecture (SBA) for NF-to-NF communications. The following are security-enhancing network functions:
  • The authentication server function (AUSF) is within the home network and performs authentication with the UE. The AUSF is responsible for making decisions on UE authentication, but it relies on a backend service for computing the authentication data and keying materials when either 5G-AKA or EAP-AKA is used.
  • The authentication credential repository and processing function (ARPF) is a functional element of UDM (unified data management) that keeps the authentication credentials. It is mirrored by the universal subscriber identity module (USIM), which is the entity that stores subscriber-related information and implements the security functions pertaining to authentication and ciphering on the user side.
  • The subscription identifier deconcealing function (SIDF) is a functional element of UDM, responsible for decrypting a subscription concealed identifier (SUCI) to reveal the subscriber's subscription permanent identifier (SUPI).
  • The security anchor function (SEAF) in a serving network acts as a middleman. During the authentication process between a UE and its home network, the SEAF has the capability to reject an authentication from the UE, relying on the UE's home network to accept the authentication.40
• Inter-operator security—The 5G core network introduces an entity called the security edge protection proxy (SEPP), which sits at the perimeter of the mobile network, as shown in figure 4. The SEPP is a nontransparent proxy and supports the following functionalities:
  • Protects application layer control plane messages between two network functions belonging to different PLMNs that use interfaces to communicate with each other
  • Performs topology hiding by limiting the internal topology information visible to external parties
  • Performs mutual authentication with the SEPP in the roaming network41

34 Op cit Verizon
35 Op cit European Union Agency for Cybersecurity
36 Op cit Verizon
37 Op cit European Union Agency for Cybersecurity
38 Op cit Verizon
39 Op cit European Union Agency for Cybersecurity
40 CableLabs, "A Comparative Introduction to 4G and 5G Authentication," 2019, www.cablelabs.com/insights/a-comparative-introduction-to-4g-and-5g-authentication
41 Op cit 3GPP TS 33.501

Conclusion
The 5G security architecture design based on the trust model has improved security features and functions compared to those of previous-generation cellular technologies, and therefore it better mitigates the existing risk facing previous cellular technologies. However, this technology also introduces new threats and may increase the presence of existing risk.

Despite this, the 5G technology brings about great opportunities to positively transform and improve the lives of individuals and improve business processes, making businesses more productive and able to put limited resources to better use. Through network slicing, a 5G network provides subscribers with virtual networks that are effectively designed to meet their business requirements. 5G also provides improved subscription authentication through an enhanced authentication process and encryption.

To take advantage of 5G opportunities, network providers should take the following steps before implementing the stated 5G security features in alignment with the 3GPP's 5G security standards:
• Identify the existing and new risk
• Address and appropriately respond to the identified risk

Acknowledgments
ISACA would like to acknowledge:
Lead Developer
Ronke Oyemade, CISA, CRISC, CISM, CDPSE, PMP, USA

Expert Reviewers
Urmila Borkar, CISA, CRISC, Singapore
Shamik Kacker, CRISC, CISM, CCSP, CISSP, Dell Corporation, USA
Rohit Khullar, CISM, CISSP, Airtel-Vodefone, United Kingdom
Kevin R. Wegryn, CDPSE, Security+, PMP, USA
Marcus Yin, CISA, CRISC, CISM, CGEIT, Cybersecurity Agency of Singapore, Singapore

Board of Directors
Tracey Dedrick, Chair, Former Chief Risk Officer, Hudson City Bancorp, USA
Rolf von Roessing, Vice-Chair, CISA, CISM, CGEIT, CDPSE, CISSP, FBCI, Partner, FORFA Consulting AG, Switzerland
Gabriela Hernandez-Cardoso, Independent Board Member, Mexico
Pam Nigro, CISA, CRISC, CGEIT, CRMA, Vice President–Information Technology, Security Officer, Home Access Health, USA
Maureen O'Connell, Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA
Brennan P. Baybeck, CISA, CRISC, CISM, CISSP, ISACA Board Chair, 2019-2020, Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA
Rob Clyde, CISM, ISACA Board Chair, 2018-2019, Independent Director, Titus, and Executive Chair, White Cloud Security, USA
Chris K. Dimitriadis, Ph.D., CISA, CRISC, CISM, ISACA Board Chair, 2015-2017, Group Chief Executive Officer, INTRALOT, Greece
David Samuelson, Chief Executive Officer, ISACA, USA
Gerrard Schmid, President and Chief Executive Officer, Diebold Nixdorf, USA
Gregory Touhill, CISM, CISSP, President, AppGate Federal Group, USA
Asaf Weisberg, CISA, CRISC, CISM, CGEIT, Chief Executive Officer, introSight Ltd., Israel
Anna Yip, Chief Executive Officer, SmarTone Telecommunications Limited, Hong Kong

About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology.
ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide Feedback: www.isaca.org/securing-5G
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created 5G Security: Addressing Risk and Threats of Mobile Network Technologies (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS
© 2021 ISACA. All rights reserved.