5G Security Addressing Risk and Threats of Mobile Network

5G Security
Addressing Risk and Threats
of Mobile Network Technologies
Security
© 2021 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
2
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
CONTENTS
4
Introduction
16 / Security Features (Mitigating
5
5G Technology Explained
Controls) for Increased Attacks
5 / High-Level Comparison of 5G
16 / 5G Core Network Security
Technology With Previous Cellular
16 / 5G Core Network Risk
Technologies
16 / Security Features (Mitigating
5 / 2G Technology
Controls) for 5G Core Network
6 / 3G Technology
17
Conclusion
6 / 4G Technology
18
Acknowledgments
6 / 5G Technology
7 / 5G Technology Overview
7 / 5G Core Network
9 / 5G Radio Access Network (RAN or
AN)
9 / Network Slicing
10
5G Security Domains
12 / Six Domains
12
Review of 5G Security Architecture
13 / Authentication and Authorization
13 / Bidding Down Attack
13 / Security Features (Mitigating
Controls) for Bidding Down Attack
15 / Risk of Exploitation of User Plane
15 / Security Features (Mitigating
Controls) for Exploitation of User Plane
15 / Security Features Based on 5G Radio
Access Network (RAN)
15 / Data Compromise Risk
15 / Security Features (Mitigating
Controls) for Data Compromise Risk
15 / Risk of Increased Attacks
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
3
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
ABSTRACT
This white paper examines how 5G technology addresses the risk and threats facing
cellular technologies and compares 5G technology to 4G and previous generation
technologies. Generally, 5G security architecture inherits all the features of 4G security
architecture, improves on those features, and introduces new security features to better
mitigate the new and existing risk of cellular technology.
This paper reviews 5G system architecture and 5G security architecture at a high level,
identifying six security domains. These six security domains have security features that,
when implemented, mitigate the identified risk.
Because these 5G features are optional rather than mandatory, it is the responsibility of
the network providers to implement them in alignment with the 3rd Generation
Partnership Project’s (3GPP) 5G security standards.
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
4
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
Introduction
5G technology not only provides the foundation for an
entire Internet of Things (IoT) ecosystem—5G can also
unleash its full potential. IoT systems that make up this
ecosystem do the following:
•
Link together highly specialized devices designed for specific
The 4G and prior generation networks that form the
underlying fabric of the current IoT ecosystem are
inadequate to handle the data load from its everincreasing number of sensors and connected devices,
limiting what IoT can achieve.
purposes with a limited degree of programmability and
Based on the improvements stated above, 5G’s high data
customizability
speed, low latency, increased flexibility, low energy
•
Store and process data in a distributed manner
consumption, cost-effectiveness, and ability to support a
•
Gather data continuously in real time over defined periods of
greater number of devices make the 5G platform a perfect
time
enabler for IoT.1
1
This white paper provides a high-level comparison of 5G
Figure 1 shows the benefits of 5G technology.
technology with 4G and previous generation cellular
The IoT systems residing on 5G networks create
opportunities to positively transform existing business
technologies.
processes, provide value-added benefits, and save time
It includes a review of 5G system architecture and an
and cost for businesses. The 4G and prior generation
examination of 5G security architecture.
networks that form the underlying fabric of the current IoT
ecosystem are inadequate to handle the data load from
its ever-increasing number of sensors and connected
devices, limiting what IoT can achieve. 5G technology
provides vast improvements over the current capabilities
of the 4G and previous networks.
The paper also reviews 5G security features, identifying
the existing risk when implementing cellular technologies
and the new risk introduced when implementing 5G
technology. The paper further explains how 5G features
address the identified risk.
FIGURE 1: Benefits of 5G Technology
5G Capabilities
•
Description
Provides a faster network with
higher capacity
•
Supports many static and mobile
IoT devices
•
1
1
Decreases network energy usage
Higher capacity with faster processing can better serve the connectivity needs of the IoT
ecosystem. The increased speed and capacity can eliminate lags in transmitting data across the
network.
5G’s extremely fast speeds provide latency of a mere 1 millisecond. The faster 5G speed means
one could download an HD film in seconds compared to the longer time it currently takes to
download such a film via devices running on a 4G network.
5G technology’s flexibility provides a diverse range of:
•
Speeds
•
Bandwidth
•
Quality of service requirements
5G technology can reduce network energy usage by 90% and provide up to 10 years’ worth of
battery life for low-powered IoT devices.
Violino, B; “What 5G promises for IoT,” Network World, 12 October 2020, www.networkworld.com/article/3584385/what-5g-brings-to-iot-today-andtomorrow.html
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
5
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
5G Technology Explained
High-Level Comparison of 5G
Technology With Previous
Cellular Technologies
technology started with the first generation (1G) using
The term generation refers to a set of cellular network
based on the frequency division multiple access (FDMA)
standards applicable to a particular mobile system and
technique, which uses separate frequency bands to
the associated frequency of generated network waves.
transmit and receive communication wirelessly.
analog technologies to deliver mobile communication
services. The goal of 1G was to provide basic voice
services to customers. Analog mobile systems were
The goal of cellular communication is to provide highquality, reliable communication. Each evolving generation
2G Technology
represents a big improvement. Since its inception in the
In 1991, 2G technology arrived with the digital era; it
1980s, mobile technology has evolved through
aimed to provide highly secure voice and text messaging
generations of commercial cellular/mobile systems.2
and limited data services. 2G technology standards
2
Figure 2 describes how cellular technology has evolved
since 1G was introduced. It presents how mobile
include global system for mobile communications (GSM),
digital advanced mobile phone system (D-AMPS) and
Interim Standard 95 (IS-95).3
3
FIGURE 2: Cellular Technology Evolution
Technology
1G
2G
3G
4G
5G
Requirements
No official
No official
requirements,
requirements,
analog technology digital technology
ITU’s IMT-2000
required
144 Kbps mobile,
384 Kbps
pedestrian, 2
Mbps indoors
ITU’s IMT advanced
requirements include ability to
operate in up to 40 MHz radio
channels and very high speed
spectral efficiency
At least 1 GB/s or more data
rates to support ultra-high
definition video and virtual
reality applications; 10 GB/s
data rates to support mobile
cloud service
Data
bandwidth
1.9 Kbps
14.4 Kbps to 384
Kbps
2 Mbps
2 Mbps to 1 Gbps
1 Gbps and higher
Core network
PSTN
PSTN packet
network
Packet network
All IP network
Flatter IP network and 5G
network interfacing (5G-NI)
Service
Analog voice
Digital voice
Higher capacity,
packetized data
Integrated high
quality audio,
video and data
Dynamic information access,
wearable devices, HD
streaming; global roaming
Dynamic information access,
wearable devices, HD
streaming; any demand of
users; upcoming all
technologies; global roaming
smoothly
Standards
NMT, AMPS,
Hicap, CDPD,
TACS, ETACS
GSM, GPRS,
EDGE, etc.
WCDMA, CDMA
2000
All access convergence
including: OFMDA, MC-CDMA,
Network-LMPS
CDMA and BDMA
Multiple
access
FDMA
TDMA
CDMA
CDMA
CDMA
CDMA and BDMA
Source: Adapted from Kalra, B.; D.K. Chauhan; “A Comparative Study of Mobile Wireless Communication Network: 1G to 5G,” September 2014,
https://www.researchgate.net/figure/COMPARISON-OF-MOBILE-TECHNOLOGIES_tbl1_318673817
2
3
2
3
Ghayas, A.; “What do the terms 1G, 2G, 3G, 4G and 5G really mean?,” Commsbrief, 3 March 2020, https://commsbrief.com/what-do-the-terms-1g-2g-3g4g-and-5g-really-mean/
3GPP, “About 3GPP,” www.3gpp.org/about-3gpp
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
6
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
3G Technology
The types of 5G networks are:
In 1998, 3G technology4 introduced web browsing, email,
4
•
video downloading, picture sharing and other smart
technologies.5 The 3G standard includes the following
5
technologies:
•
•
5G NSA (non-standalone)—5G network supported by existing
4G infrastructure
•
5G SA (standalone)—5G network supported by 5G infrastructure
5G architecture also differs from 4G and previous
Universal mobile telecommunications system (UMTS)—Used
generations because it is defined as service-based. 5G is a
to migrate 2G GSM networks to 3G
support service that enables deployments and data
High speed packet data access (HSPA)—Provided data rate
connectivity through the use of technologies such
enhancements6 and introduced web browsing, email, video
6
downloading, picture sharing and other smart technologies
network function virtualization and software defined
networking and by implementing the following key
The goals of 3G technology were to facilitate greater voice
principles and concepts:
and data capacity, support a wider range of applications
•
and increase data transmission speed at a lower cost.
Separates user plane (UP) functions from control plane (CP)
functions, which allows for on-demand configuration of network
functions, independent scalability, evolution and flexible
deployments. The user plane, also called the data plane, carries
4G Technology
4G technology was introduced in 2009 with the goals of
the network user traffic. The control plane provides signaling via
providing high speed, quality and capacity to users;
exchange of information to enable end-to-end communications,
improving security; and lowering the cost of voice and
thereby supporting the functions in the mobile
data services, multimedia and Internet protocol telephony.
telecommunications system that establish and maintain the
4G was enabled by a new technology called long term
user plane.
evolution (LTE), which offered next-generation capabilities
•
Provides logically independent network slicing on a single
network infrastructure to meet diversified service requirements
that formed the basis of all new mobile systems.
for various applications
•
5G Technology
maintenance and termination for various services, which
In 2019, the implementation of 5G technology began with
the goals of providing significantly faster data rates,
higher connection density, much lower latency, device-to-
reduces the operating expenses of those services
•
Enables each network function and its network function
services to interact with other NFs and network function
device communication, better battery consumption and
improved overall wireless coverage.7
Provides automatic network slicing service generation
services directly or indirectly, via a service communication proxy
7
if required. (A network function is a defined processing function
5G technology evolved from 4G LTE technology, but it
differs from 4G and previous generations by improving on
that has defined functional behavior and defined interfaces.)
•
key areas of the inherited 4G technology.8 5G technology
Minimizes dependencies between the radio access network
(RAN) and the core network (CN)
8
introduced new radio (5G NR) technology and provided
•
Provides a unified authentication framework
an overall higher-level of security than that of 4G or
•
Decouples the computing resource from the storage resource in
9
9
previous generations.
4
5
6
7
8
9
10
10
situations where there are stateless network functions
Ibid.
Op cit Ghayas
6
Op cit 3GPP, “About 3GPP”
7
Ibid.
8
Verizon, “The Security of Verizon’s 5G Network, Network Security Planning Version 1.0,” August 2020, www.verizon.com/about/sites/default/files/202009/200574_Schulz_07242020.pdf
9
Op cit 3GPP, “About 3GPP”
10
Op cit Verizon
4
5
10
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
7
•
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
Supports service capability exposure that includes monitoring
(PLMN). PLMN is any wireless communications system
capability, provisioning capability, policy/charging capability and
intended for mobile use.11
11
analytics reporting capability
•
Supports the following: (i) concurrent access to local and
centralized services; (ii) low latency services and access to local
data networks, and deployment of user plane functions close to
the access network
•
5G Technology Overview
As shown in figure 3, 5G architecture is comprised of two
components:
Supports roaming with both home-routed traffic and local
•
5G core network
breakout traffic in the visited public land mobile network
•
5G radio access network (RAN)
FIGURE 3: 5G Service Access Model
User
equipment
(UE)
Service
Access network
(AN)
Core network
(CN)
Data network
(DN)
Source: Adapted from Guttman E.; I. Ali; “Patch to 5G: A Control Plane Perspective,” 3 May 2018,
https://pdfs.semanticscholar.org/4d05/9e50521a2520a69e7c7ee9b0b7953a2d88c5.pdf?_ga=2.237964544.1066911265.1605115645-921535984.1605115645
5G Core Network
locations change when the user moves. The serving
The 5G core network can be depicted as the brain of the
network is responsible for routing calls and transporting
5G network.12 The 5G core network uses cloud-aligned,
user data from source to destination. It can interact with
service-based architecture (SBA) that spans all 5G
the home network to manage user-specific data/services,
functions and interactions, including authentication,
and it can interact with the transit network for non-user-
security, session management and aggregation of traffic
specific data or services.
12
from end devices.13
13
The home network represents the core network functions
The core network is subdivided into three network
that are conducted at a permanent location. The home
domains:
network retains permanent user-specific data and
•
Serving network
manages subscription information.
•
Home network
The transit network represents the core network section
•
Transit network
located on the communication path between the serving
The serving network is a component of the core network.
network and remote parties.14 Users connect to the 5G
The radio access network that provides the user’s access
network using procedures and mechanisms via user
is connected to and represents the core network functions
equipment (UE). UE represents a subscriber’s mobile
that are local to the user’s access point. Function
devices, such as cellphones and tablets.
11
12
13
14
14
3GPP TS 23.501 V16.3.0 Dec 2019 (2019-12) Technical Specification, “3rd Generation Partnership Project; Technical Specification Group Services and
System Aspects; System architecture for the 5G System (5GS); Stage 2 (Release 16),” 3GPP, 22 December, 2019,
www.3gpp.org/ftp//Specs/archive/23_series/23.501/
12
Purdy, A.; “Why 5G can be more secure than 4G,” Forbes, 23 September 2019, www.forbes.com/sites/forbestechcouncil/2019/09/23/why-5g-can-bemore-secure-than-4g/#30194b6157b2
13
VIAVI, “5G Architecture,” www.viavisolutions.com/en-us/5g-architecture
14
3GPP TS 23.101 version V8.0.0 (2008-12) Technical Specification, “3rd Generation Partnership Project; Technical Specification Group Services and
System Aspects; Universal Mobile Telecommunications System (UMTS) architecture (Release 8), 16 December 2008,
https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=782
11
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
8
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
Figure 4 shows a diagram of 5G network architecture.
FIGURE 4: Network Architecture
User Plane
AUSF
Nausf
UDM
Nudm
UDSF
Namf
UDR
Nnssf
AMF
NSSF
NRF
NEF
Nnrf
Nnef
Nsmf
Npcf
PCF
SMF
SEPP
Naf
N1
Network Exposure APIs
Control Plane
Third
parties
Data
network
N2
UE
AP
UPF
N3
N6
NG RAN
Network slice
5G CN
Source: Adapted from European Union Agency for Cybersecurity, “ENISA threat landscape for 5G Networks,” 21 November 2019, www.enisa.europa.eu/publications/enisa-threatlandscape-for-5g-networks
Key for figure 4:
function services are in the form of point-to-point references
between any two network functions.
•
Access and mobility management function (AMF)
•
Data network (DN), e.g., operator services, Internet access or
The SBA includes the reference point representation
third-party services
where necessary. 5G system architecture includes the
•
Unstructured data storage function (UDSF)
following network functions (NFs):
•
Network exposure function (NEF)
•
Authentication server function (AUSF)
•
Intermediate NEF (I-NEF)
•
Session management function (SMF)
•
Network repository function (NRF)
•
Unified data management (UDM)
•
Network slice selection function (NSSF)
•
Unified data repository (UDR)
•
Policy control function (PCF)
•
User plane function (UPF)
•
Security edge protection proxy (SEPP)
•
UE radio capability management function (UCMF)
With reference to figure 4, interaction between the
•
Application function (AF)
network functions in the 5G service-based architecture is
•
User equipment (UE)
represented in two ways:
•
(Radio) access network ((R)AN)
•
5G-equipment identity register (5G-EIR)
•
Network data analytics function (NWDAF)
access their services.
•
Charging function (CHF)15
Reference point architecture—Interactions between network
(Details on the network functions listed above are beyond
•
Service-based architecture (SBA)—Network functions within
the control plane enable other authorized network functions to
•
15
the scope of this publication.)
15
15
Op cit 3GPP TS 23.501
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
9
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
5G Radio Access Network (RAN or AN)
•
gNB, gNB distributed unit (gNB DU), and gNB central unit (gNB-
5G radio access network (RAN or AN) is also known as
CU), which are radio network nodes for communication
next-generation radio access network (NG-RAN). NG-RAN
between network components
can be depicted as the arms and legs of the 5G network. It
•
Access and mobility management function (AMF), which is a
takes signals from cellphones and other devices and
network function that performs several functionalities such as
transmits them back to the core, using cellphones, towers
access authentication and authorization, registration
or base stations. Elements of RAN include (figure 5):
management, and connection management.16
16
•
User equipment (UE)
RAN connects many routers, hubs and switches that exist
•
Radio unit (RU), which is an element that connects user
in the global network infrastructure and allows objects
equipment with the network
and devices to gain quicker access to the Internet than
ever before.
FIGURE 5: 5G Radio Access Network (RAN) Architecture
gNB
gNB-CU
F1
F1
gNBDU
gNBDU
RU
RU
UE
UE
NG
AMF
AS protocols
Xn
NAS protocols
5GC
gNB
NAS protocols
AS protocols
NG-RAN
Source: European Union Agency for Cybersecurity “ENISA threat landscape for 5G Networks,” 21 November 2019, www.enisa.europa.eu/publications/enisa-threat-landscape-for5g-networks
Cellphones and other devices communicate by converting
Network Slicing
users’ data and service requests into digital signals to
One of the most innovative aspects of 5G network
send as radio waves. These waves are sent to and
architecture is network slicing, which allows a virtual
received by the RAN via base stations (i.e., transceivers)
network to exist on top of a shared physical infrastructure
and then sent to the core network for processing.
as shown in figure 6. Network slicing allows the
17
17
Cellphones and other devices communicate by converting
users’ data and service requests into digital signals to
send as radio waves.
5G maintains clear separation between RAN and the core
network.
16
17
18
19
segmentation of a single physical network into multiple
virtual networks, so the network functions necessary to
support specific customers and market segments,19 can
19
be dynamically allocated and deployed to meet technical
18
18
European Union Agency For Cybersecurity, “ENISA THREAT LANDSCAPE FOR 5G NETWORKS: Threat assessment for the fifth generation of mobile
telecommunication networks,” November 2019, www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks
Verizon, “What are Radio Access Networks and 5G RAN?,” 2 February 2020, www.verizon.com/about/our-company/5g/5g-radio-access-networks
18
Op cit Purdy
19
Op cit European Union Agency for Cybersecurity
16
17
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
10
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
and service requirements with respect to throughput,
customized network capabilities such as data speed,
latency, reliability and availability.
quality, latency, reliability, security and services.
20
20
A virtual network (i.e., logical network) appears to the
With network slicing, 5G networks allow business customers
subscriber (i.e., user) as an entirely separate and self-
with different and sometimes conflicting needs to enjoy
contained network, even though it could be either a
connectivity and data processing tailored to specific
portion of a larger physical network or a combination of
business requirements that adhere to a service level
multiple separate physical networks that appears as a
agreement (SLA) entered with the 5G network provider.22
single network.
FIGURE 6: 5G Network Slicing
21
21
Due to varying needs, business and
22
individual subscribers to 5G services may have different
sets of requirements for these services.
Network slicing entails the concept of running multiple
Slice
management
virtual networks as independent business operations on a
common physical infrastructure in an efficient and
economical way. A network slice is an independent endto-end virtual network that runs on a shared physical
Network slice
infrastructure capable of providing negotiated quality
services customized to a subscriber’s specific
Generic 5G architecture components
requirements. A network slice can span multiple parts of
the network, can be deployed across multiple operators
UE
5G RAN
5G core
and is isolated from other network slices. It also can
incorporate dedicated and/or shared resources such as
processing power, storage and bandwidth, and
Source: European Union Agency for Cybersecurity “ENISA threat landscape for 5G
Networks,” 21 November 2019, www.enisa.europa.eu/publications/enisa-threatlandscape-for-5g-networks
5G Security Domains
The 3rd Generation Partnership Project (3GPP), in
network functions are not available to lower-trust network
collaboration with telecommunications standard
functions.23
development organizations, defined the 5G security
architecture. This architecture was based on the trust
model: Network functions in the inner circles of the user’s
23
5G inherits the 4G security environment and then builds
on it, providing enhancements to previous generations (3G
and 4G)24 by implementing new security protocols that
24
device (i.e., user equipment) are more trusted than the
network functions in the outer circle, as shown in figure 7.
Based on the trust model, 5G security is designed so that
sensitive data and encryption keys from higher-trust
20
21
22
23
24
address previously unresolved threats.
The application stratum consists of protocols and
functions used in routing and transmitting user- or
network-generated data/information from source to
Innovation Committee, “Network of the future,” Chief Information Officers Council, www.cio.gov/assets/resources/Networks-of-the-Future-FINAL.pdf
Techopedia, “What does Logical Network mean?” www.techopedia.com/definition/14760/logical-network
22
GSMA, “An introduction to Network Slicing,” 2017, www.gsma.com/futurenetworks/wp-content/uploads/2017/11/GSMA-An-Introduction-to-NetworkSlicing.pdf
23
Op cit Verizon
24
Huawei, “What We Don’t Know About 5G and Telecom Networks Can Hurt Us,” www.huawei.com/us/facts/news-opinions/2019/what-we-dont-knowabout-5g-and-telecom-network-can-hurt-us
20
21
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
11
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
destination, with the source being within the same or
Figure 8 displays the 5G security architecture main strata.
different networks.
FIGURE 7: 5G Trust Model
The home stratum contains protocols and functions
related to the handling and storage of subscription data
and home network-specific services. This stratum
includes functions that allow domains other than the
UDM
USIM
ME
DU
CU
AMF
SEAF
AUSF
ARPF
home network domain to act on behalf of the home
network. It also includes functions that are related to
subscription data management, customer care, billing and
charging, mobility management and authentication.
Source: 3GPP, www.3gpp.org/news-events/1975-sec_5g
FIGURE 8: 5G Security Architecture
Source: 3GPP/3GPP TS 33.401 V16.3.0, ©2020. 3GPP™ deliverables and material are the property of ARIB, ATIS, CCSA, ETSI, TSDSI, TTA and TCC, which jointly own the copyright
in them. They are subject to further modifications and are therefore provided as-is for information purposes only. Further use is strictly prohibited.
The serving stratum consists of protocols and functions
The transport stratum supports the transport of user data
that route and transmit user- or network-generated
and network control signaling from other strata. This
data/information from source to destination, with the
stratum includes mechanisms for the following:
source and destination being within either the same or
•
Formatting of physical transmissions
different networks. This stratum’s functions are related to
•
Error correction and recovery
telecommunication services.
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
12
•
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
Encryption of data over the radio interface and in the
4.
Application domain security (IV)—A group of security features
infrastructure
that enable applications in the user domain and in the provider
•
Adaptation of data to use the supported physical format
domain to securely exchange messages
•
Transcoding of data to make efficient use of the radio interface
•
Resource allocation and routing local to the different
interfaces
5.
SBA domain security (V)—The newly introduced 5G security
domain, comprised of a group of security features that enable
25
network functions—such as network function registration,
25
discovery and authorization security aspects—to securely
Six Domains
communicate within the serving network domain and with other
network domains
Figure 8 provides an overview of 5G security architecture,
6.
which is made up of six security domains:
1.
features that enable the user to learn whether a security feature
Network access security (I)—A group of security features that
is in operation or not and whether the use and provision of
enable users’ devices to securely authenticate and access
services should depend on the security feature (visibility and
services through the network and to specifically protect against
configurability of security are not shown in figure 8)
attacks on the radio access link
2.
Visibility and configurability of security (VI)—A group of
The security features provided by each security domain
Network domain security (II)—A group of security features that
that enable the interactions shown in figure 8 are
enable nodes to securely exchange signaling data and user data
optional.26 It is the responsibility of the network provider
26
and protect against attacks on the wireline network
3.
to ensure that these features are implemented in
User domain security (III)—A group of security features that
alignment with the 3GPP’s 5G security standards.
secure access to mobile stations and equipment
Review of 5G Security Architecture
This section addresses cellular technologies previously
Figure 9 provides descriptions of 5G’s security features
identified as threats.
for each risk which the feature mitigates.
FIGURE 9: 5G Threats and Mitigating Security Controls
I. Authentication
Threats
•
25
26
Bidding down attacks
5G Security Features (Mitigating Controls)
•
Subscription authentication
•
Enhanced subscriber privacy
•
Network authorizations
•
Exploitation of user plane integrity
•
User plane integrity protection
•
Malicious network connection
•
Stronger roaming authentication via 5G Authentication and key
•
Connection to network by rogue user equipment
•
Pretense of user equipment roaming on networks
25
26
agreement (5G-AKA)
Op cit 3GPP TS 23.101
Op cit 3GPP TS 23.501
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
13
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
FIGURE 9: 5G Threats and Mitigating Security Controls (cont.)
II. 5G Radio Access Network (RAN)
Threats
•
5G Security Features (Mitigating Controls)
Sensitive data vulnerability because of physical attacks due to
•
Restriction of sensitive data via encryption of user equipment
unencrypted or poorly encrypted radio units (RUs)/distributed
units (DUs)Higher risk of attackers due to the introduction of
communications
•
RAN interface protection
new interfaces for core/user plane and 5G core network
resulting in:
•
More attackers
•
Network disruptions
•
Fake access network node threat
•
Flooding attack threat via interface flooding
III. 5G Core Network
Threats
•
5G Security Features (Mitigating Controls)
Abuse of remote access threat and authentication traffic spike
•
Security-enhancing network functions (NFs)
due to malicious acts
•
Interoperator security
•
Abuse of third party-hosted network function threat
•
Application programming interface (API) exploitation threat
Authentication and
Authorization
Security Features (Mitigating Controls) for
Bidding Down Attack
5G security technology mitigates the bidding down threat
by adopting the following authentication and authorization
Bidding Down Attack
Bidding down attacks are a form of man-in-the-middle
attack; essentially, they degrade service by making user
features:
•
Subscription authentication—With 5G technology, authentication
devices (and the network entities these devices connect
is done by assigning a unique identity to each user and device,
to) believe that the other side does not support a security
eliminating the need for SIM cards and thereby shifting
feature—even when both sides do.
responsibility for authentication from the telecommunications
27
27
By doing this, the
attacker forces the use of an authentication/authorization
operator to the individual service provider.3030
mechanism for the stronger mechanism in place.28
A telecommunications operator provides services such as
28
With 4G technology, telecommunication operators
telephony and data communications access. Individual 5G
authenticate users with SIM cards placed inside
providers deliver hardware and software services, Including
smartphones and other devices and by connecting to the
Internet access services.
base station. Authentication and authorization via 4G and
previous generation technologies does not encrypt the
In addition, the bidding down attack threat is also mitigated
user’s authentication information (i.e., user’s identity and
by encrypting a user’s identity and location, making it
location), leaving it vulnerable to attacks, even though
impossible to identify or locate the user from the moment
calls/text are encrypted.29
the user accesses the network. The 5G security architecture
27
28
29
30
29
Seals, T.; “Black Hat 2019: 5G Security Flaw Allows MiTM, Targeted Attacks,” Threatpost, 7 August 2019, https://threatpost.com/5g-security-flaw-mitmtargeted-attacks/147073/
3GPP TS 33.501 V16.1.0) Technical Specification, “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects;
Security architecture and procedures for 5G system (Release 16),” 3GPP, 33501-g10.zip, 31 December 2019,
www.3gpp.org/ftp//Specs/archive/33_series/33.501/
29
Op cit Purdy
30
Ibid.
27
28
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
14
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
allows network operators to restrict network access to only
The SUCI and SUPI identifiers are not transferred in clear text,
authorized devices and subscribers by ensuring that each piece
but rather use 256-bit encryption to prevent attackers from
of connecting user equipment and each subscriber is identified
observing the connection procedure, capturing the subscriber’s
when connecting to the cellular network. 5G assigns a globally
identifying information and then tracking the subscriber’s
unique identifier, called the subscription permanent identifier
location. Neither passive attackers, such as eavesdroppers, nor
(SUPI), to each subscriber and requires that the user equipment
active attackers, such as spoofed base stations, are able to
send the SUPI to the network during the connection process.
follow a user equipment’s SUCI over multiple connections or
obtain details in the SUPI that identify the subscriber but not the
This 5G authentication approach shifts responsibility for
service provider.
authentication from the telecommunications operator to the
5G use of 256-bit encryption is a substantial improvement over
individual service provider.3131
•
the 128-bit standard used by 4G.32
Enhanced subscriber privacy—One of the new security features
added by 5G is the subscription concealed identifier (SUCI),
•
which is allocated to each subscriber for use within the
network. The SUCI is a globally unique privacy-preserving
Network authorizations—The following network authorizations
are implemented via 5G:
•
Serving network authorization by the home network—The
UE’s home network authorizes a serving network before
identifier that contains the concealed SUPI. This mechanism
the serving network provides services to the UE, as shown
requires users’ devices to identify themselves during the
in figure 8.
network connection process using the SUCI identifier, as shown
•
in figure 10.
32
Radio access network authorization—The serving
network authorizes the UE’s radio access network before
providing services to the UE.33
33
FIGURE 10: Initiating Authentication
Subscriber
Serving Network (SN)
Home Network (HN)
User equipment (UE)
encrypts SUPI
in SUCI
Registration
Request (SUCI)
Authentication
Request (SUCI)
Get SUPI from SUCI
to perform
authentication
31
32
33
31
32
33
Ibid.
Op cit Verizon
Op cit 3GPP TS 33.501
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
15
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
maliciously redirect traffic, even though both 4G and 5G
Security Features Based on 5G
Radio Access Network (RAN)
have the capability to protect users’ privacy by encrypting
The 5G RAN provides secure communications on all RAN
the user plane, which transmits data in the form of
interfaces and includes extra protections at places that
photos, web traffic and text messages. With 4G and
are vulnerable to physical attacks.
Risk of Exploitation of User Plane
Attackers can exploit the lack of user plane integrity to
previous generations, the UE capability to connect and
roam onto partner networks other than a device’s
Data Compromise Risk
subscribed network creates risk, including the following:
As shown in figure 5, the 5G RAN, which is referred to as a
•
UEs can be tricked by attackers to connect to malicious
gNodeB (gNB) or base station, is composed of radio units
networks.
(RUs), distributed units (DUs) and central units (CUs) that
Partner networks can pretend UEs are currently roaming on
are collocated or distributed in various configurations and
their networks when the devices are not.
deployed as virtual network functions (VNFs). Both the
A rogue UE can trick a partner network into allowing it to
RUs and DUs sit at the edge of the network. Therefore,
connect.
network operators can deploy them in unmanned
•
•
locations or sites with minimal physical security. This
Security Features (Mitigating Controls) for
Exploitation of User Plane
produces the risk of leaving sensitive data vulnerable to
To mitigate the exploitation of user plane integrity risk, 5G
unencrypted or if the RUs/DUs possess keys used to
adds a new security feature that gives user equipment the
decrypt them.
physical attacks, if they are sent through the RUs/DUs
option to provide integrity protection for the user plane in
addition to encrypting it.
Security Features (Mitigating Controls) for
Data Compromise Risk
5G’s new authentication procedure, called 5G
authentication and key agreement (5G-AKA), mitigates
this risk. The new authentication procedure does the
following:
•
To mitigate the risk, the 5G network can encrypt the
communication to activate confidentiality protection for
the UE communications. The network operators can
distribute encryption keys so that protected data cannot
Ensures that the subscriber’s home network authenticates both
be viewed via the RU and DU.
the subscriber’s UE and the roaming network the UE is joining,
Previously, only the roaming network performed authentication
in 4G architecture. Because the subscriber’s home network
authenticates both the subscriber’s UE and the roaming
network the UE is joining, UEs are prevented from being tricked
into joining unauthorized partner networks.
•
Risk of Increased Attacks
Both 4G LTE and 5G networks can implement a RAN that
is disaggregated into RU, CU and DU components that are
a native part of the 5G architecture. The native
disaggregation associated with 5G results in the
Ensures that a UE is connected to the roaming network and
therefore mitigates the risk of fraudulent billing by the home
introduction of new interfaces for the both the control
plane and user plane, as well as the 5G core network.
network operator, which can occur with 4G technology.
•
Ensures that UE and subscriber information needed to establish
These new interfaces carry sensitive traffic and in the 5G
a network connection is shared only with authorized partner
architecture pose a higher risk of attackers modifying or
networks.
reading confidential information, which can cause
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
16
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
significant network disruptions compared to 4G or
previous generations.34
•
Whereby 5G allows a subscriber to roam onto another
34
operator’s network, which provides value-added services to the
In addition, the following threats exist:
•
Application programming interface (API) exploitation—
subscriber via interfaces to external networks, opening a likely
Fake access network node threats, whereby a compromised
avenue for attackers38 due to the openness and
38
base station masquerading as legitimate can send different
programmability offered by the new 5G network architecture’s
types of attacks to the network
•
reliance on the expanded use of APIs39
Flooding attack threat, which transmits data requests that can
exhaust components of the RAN, leading to a reduction or
Security Features (Mitigating Controls) for
5G Core Network
complete shutdown of the radio frequency provided by the
component, and blocking subscriber access to core network
and related services35
39
5G security technology mitigates core network threats
with the following security features:
35
Security Features (Mitigating Controls) for
Increased Attacks
To mitigate this risk, the 3GPP’s 5G standards make it
Security-enhancing network functions (NFs)—The 5G core
network enhances security by introducing specialized network
functions for security within an operator’s network and with
roaming partners, and by introducing a service-based
mandatory in some situations and optional in others for
architecture (SBA) for NF-to-NF communications. The following
the network operators to implement confidentiality,
integrity and replay protection for all affected interfaces.36
•
are security-enhancing network functions:
36
•
The authentication server function (AUSF) is within the
home network and performs authentication with UE. AUSF
5G Core Network Security
is responsible for making decisions on UE authentication,
but it relies on backend service for computing the
5G Core Network Risk
authentication data and keying materials when either 5G-
5G introduces the following threats to the 5G core
AKA or EAP-AKA is used.
network:
•
•
•
function (ARPF) is a functional element of UDM (unified
remote access to the network can take control of its virtual
data management) that keeps the authentication
components to engage in activities such as configuration
credentials. It is mirrored by the universal subscriber
tampering, malware distribution, data modification in transit and
identity module (USIM), which is the entity that stores
injection of illegitimate data into the network
subscriber-related information and implements the
Authentication traffic spike—Whereby a malicious actor sends
security functions pertaining to authentication and
a massive number of authentication requests that leads to the
ciphering on the user side.
denial of service due to the network experiencing more
•
34
35
36
37
38
39
The authentication credential repository and processing
Abuse of remote access—Whereby a malicious actor with
•
The subscription identifier deconcealing function (SIDF)
signaling and authentication requests than it is capable of
decrypts a subscription concealed identifier (SUCI) to
handling
produce the subscription permanent identifier (SUPI).
Abuse of third party-hosted network function—Whereby an
•
The SIDF is a functional element of UDM (unified data
untrustworthy cloud service provider can access, interrupt and
management), responsible for decrypting a SUCI
modify the user/control pane traffic, leading to network
(subscription concealed identifier) to reveal the
availability issues and disclosure of sensitive data37
subscriber’s SUPI (subscription permanent identifier).
37
Op cit Verizon
Op cit European Union Agency for Cybersecurity
36
Op cit Verizon
37
Op cit European Union Agency for Cybersecurity
38
Op cit Verizon
39
Op cit European Union Agency for Cybersecurity
34
35
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
17
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
•
The security anchor function (SEAF) in a serving network
•
acts as a middleman. During the authentication process
between two network functions belonging to different
between a UE and its home network, the SEAF has the
PLMNs that use interfaces to communicate with each
capability to reject an authentication from the UE, relying
on the UE’s home network to accept the authentication.40
•
Protects application layer control plane messages
other
•
40
Performs topology hiding by limiting the internal topology
information visible to external parties
Inter-operator security—5G core network introduces an entity
•
called the security edge protection proxy (SEPP), which sits at
Performs mutual authentication with the SEPP in the
roaming network41
the perimeter of the mobile network, as shown in figure 4. SEPP
41
is a nontransparent proxy and supports the following
functionalities:
Conclusion
The 5G security architecture design based on the trust
Through network slicing, a 5G network provides
model has improved security features and functions
subscribers with virtual networks that are effectively
compared to those of previous-generation cellular
designed to meet their business requirements. 5G also
technologies, and therefore it better mitigates existing
provides improved subscription authentication through an
risk-facing previous cellular technologies. However, this
enhanced authentication process and encryption.
technology also introduces new threats and may increase
the presence of existing risk.
To take advantage of 5G opportunities, network providers
should take the following steps before implementing the
Despite this, the 5G technology brings about great
stated 5G security features in alignment with the 3GPP’s
opportunities to positively transform and improve lives of
5G security standards:
individuals and improve business processes, making
•
Identify the existing and new risk
businesses more productive and able to put limited
•
Address and appropriately respond to the identified risk
resources to better use.
40
41
40
41
CableLabs, “A Comparative Introduction to 4G and 5G Authentication,” 2019,
www.cablelabs.com/insights/a-comparative-introduction-to-4g-and-5g-authentication
Op cit 3GPP TS 33.501
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
18
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
Acknowledgments
ISACA would like to acknowledge:
Lead Developer
Board of Directors
Ronke Oyemade
Tracey Dedrick, Chair
Brennan P. Baybeck
CISA, CRISC, CISM, CDPSE, PMP
Former Chief Risk Officer, Hudson City
Bancorp, USA
CISA, CRISC, CISM, CISSP
Rolf von Roessing, Vice-Chair
Vice President and Chief Information
Security Officer for Customer Services,
Oracle Corporation, USA
USA
Expert Reviewers
CISA, CISM, CGEIT, CDPSE, CISSP, FBCI
Urmila Borkar
CISA, CRISC
Partner, FORFA Consulting AG,
Switzerland
Singapore
Gabriela Hernandez-Cardoso
Shamik Kacker
Independent Board Member, Mexico
CRISC, CISM, CCSP, CISSP
Pam Nigro
Dell Corporation, USA
CISA, CRISC, CGEIT, CRMA
Rohit Khullar
Vice President–Information Technology,
CISM, CISSP
Security Officer, Home Access Health, USA
Airtel-Vodefone, United Kingdom
Maureen O’Connell
Kevin R. Wegryn
Board Chair, Acacia Research (NASDAQ),
Former Chief Financial Officer and Chief
Administration Officer, Scholastic, Inc.,
USA
CDPSE, Security+, PMP
USA
Marcus Yin
ISACA Board Chair, 2019-2020
Rob Clyde
CISM
ISACA Board Chair, 2018-2019
Independent Director, Titus, and Executive
Chair, White Cloud Security, USA
Chris K. Dimitriadis, Ph.D.
CISA, CRISC, CISM
ISACA Board Chair, 2015-2017
Group Chief Executive Officer, INTRALOT,
Greece
David Samuelson
CISA, CRISC, CISM, CGEIT
Cybersecurity Agency of Singapore,
Singapore
Chief Executive Officer, ISACA, USA
Gerrard Schmid
President and Chief Executive Officer,
Diebold Nixdorf, USA
Gregory Touhill
CISM, CISSP
President, AppGate Federal Group, USA
Asaf Weisberg
CISA, CRISC, CISM, CGEIT
Chief Executive Officer, introSight Ltd.,
Israel
Anna Yip
Chief Executive Officer, SmarTone
Telecommunications Limited, Hong Kong
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)
19
5G SECURITY: ADDRESSING RISK AND THREATS OF MOBILE NETWORK TECHNOLOGIES
About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best
talent, expertise and learning in technology. ISACA equips individuals with
knowledge, credentials, education and community to progress their careers
and transform their organizations, and enables enterprises to train and build
quality teams that effectively drive IT audit, risk management and security
priorities forward. ISACA is a global professional association and learning
organization that leverages the expertise of more than 150,000 members who
work in information security, governance, assurance, risk and privacy to drive
innovation through technology. It has a presence in 188 countries, including
1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a
philanthropic foundation that supports IT education and career pathways for
under-resourced, under-represented populations.
Provide Feedback:
DISCLAIMER
www.isaca.org/securing-5G
ISACA has designed and created 5G Security: Addressing Risk and Threats of
Mobile Network Technologies (the “Work”) primarily as an educational
Participate in the ISACA Online
resource for professionals. ISACA makes no claim that use of any of the Work
Forums:
https://engage.isaca.org/onlineforums
will assure a successful outcome. The Work should not be considered
inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining
the same results. In determining the propriety of any specific information,
procedure or test, professionals should apply their own professional judgment
to the specific circumstances presented by the particular systems or
information technology environment.
Twitter:
www.twitter.com/ISACANews
LinkedIn:
www.linkedin.com/company/isaca
Facebook:
www.facebook.com/ISACAGlobal
Instagram:
www.instagram.com/isacanews/
RESERVATION OF RIGHTS
© 2021 ISACA. All rights reserved.
5G Security: Addressing Risk and Threats of Mobile Network Technologies
© 2020 ISACA. All Rights Reserved.
Personal Copy of aderonke oyemade (ISACA ID: 219474)