"5G+Industrial Internet" security capabilities and scenario-based solutions

Under the wave of the new generation of scientific and technological revolution and industrial transformation, the world's leading countries have all regarded the industrial Internet as a strategic direction to strengthen their future industrial competitiveness. The foundation of the industrial Internet lies in building a highly reliable, high-performance, and highly flexible network that can meet the needs of industrial production and operation. Based on the new wireless air interface capabilities, the 5G network uses new technologies such as network slicing and edge computing, and has the characteristics of large bandwidth, low latency, wide connection, and customization, which is consistent with the needs of the industrial Internet.

"5G+Industrial Internet" is to use the fifth generation of mobile communication technology (5G) to meet the network needs of industrial intelligent development. The integrated and innovative development of 5G and the Industrial Internet will promote the construction of a digital China and a smart society, accelerate China's new industrialization process, and inject new impetus into China's economic development. However, while the deep integration of 5G and the Industrial Internet accelerates the digital transformation of the industry, it also breaks the closed production environment of traditional industries and brings more severe security challenges. The security protection method of the Industrial Internet needs to shift from passive protection to active defense. In this process, operators should give full play to the advantages of 5G networks and empower the security of the Industrial Internet with 5G network security capabilities in a scenario-based manner.

Industrial Internet industry security requirements

Terminal management and security requirements

The integration of 5G and the Industrial Internet makes it possible for massive industrial terminals to access the Industrial Internet. A large number of industrial terminals have the characteristics of low power consumption and limited computing and storage resources, making it difficult to deploy complex security policies. The vulnerabilities and backdoors of terminal devices are exposed in the relatively open 5G network and can be easily exploited as a source of distributed denial of service (DDoS) attacks, forming a large-scale botnet to attack industrial applications and backend systems, bringing security risks such as network interruption and system paralysis. Industrial Internet companies are paying more and more attention to terminal management and control security, and need to independently and controllably authenticate and manage terminal access.

Data protection security requirements

Once the internal production management data, production operation data, working condition data, external collaborative data and other information of industrial Internet enterprises are leaked and abused or tampered by criminals, it may cause system equipment failures, lead to production safety accidents, affect production and operation safety, and even threaten public safety and national security. With the increasing importance of industrial Internet data security, industrial Internet data has become a key target of attack, and the security risks it faces are becoming increasingly severe. Industrial Internet data security is an important prerequisite for ensuring the normal production and operation of industrial Internet enterprises, the healthy development of the economy and society, and the effective protection of national security. Industrial Internet enterprises have an urgent need to improve the security protection level of industrial data.

Network isolation security requirements

As the digital transformation of industrial Internet companies accelerates, traditional private network technologies are unable to meet the ever-changing information technology business needs of industrial Internet companies. While meeting the digital transformation needs of industrial Internet companies, "5G+Industrial Internet" also extends the enterprise network from the factory intranet to the external 5G mobile communication network. The traditional industrial closed production environment has been broken, and industrial Internet companies urgently need external 5G networks to provide exclusive network channels to safely isolate from other public network services and industry application services to ensure the business security of the company. 5G network operators need to provide customized network services for industrial Internet industry users based on their business needs.

Edge computing security requirements

In order to meet the needs of low-latency services in the Industrial Internet, 5G edge computing technology is introduced to sink computing power and IT service environment to the edge of the mobile communication network to provide services to users nearby. When the 5G core network element UPF is deployed in the Industrial Internet Park, the network boundary is blurred and traditional physical boundary protection is difficult to apply. Edge computing nodes carry various application services in the Industrial Internet industry and become the preferred attack target of hackers. It is necessary to improve security capabilities, resist various types of high-intensity network attacks, and provide a safe deployment environment for MEC applications. Industrial Internet companies need to centrally manage and orchestrate security protection strategies according to changes in operations and attack behaviors, and provide security services for edge computing applications flexibly and dynamically on demand.

Network Operators' "5G+Industrial Internet" Security Capabilities

As shown in Figure 1, 5G networks, as an important infrastructure of the industrial Internet, can provide capabilities such as terminal access security, user data security, network isolation security, and edge computing security.


Figure 1 Typical networking and security capabilities of “5G+Industrial Internet”

Terminal access security includes terminal access authentication and access control. Multiple access authentication methods can be defined, from network-level authentication, slice authentication to data network authentication, and authentication strategies can be flexibly configured according to different businesses to meet the access authentication security requirements of different industries. Different access control strategies can also be set according to business and location information and the personalized needs of the industrial Internet industry.

User data security includes data transmission security and user identification security. According to the needs of industrial Internet enterprises, data encryption methods can be defined to provide user-side data protection and user identification privacy protection.

Network isolation security includes RAN isolation, bearer isolation and core network isolation. 5G networks can use private network technology and slicing technology to achieve end-to-end network security isolation, providing customizable security networks for industrial Internet companies.

Edge computing security capabilities include edge data security (user data does not leave the park), app security protection, and so on. Deploying edge computing security capabilities meets the need of industrial Internet companies to keep data within the park and prevents security issues such as malicious apps attacking the MEP (MEC platform) and illegal mutual access between apps.

"5G+Industrial Internet" security capability scenario-based solutions

Terminal access security

  • Slice authentication

5G networks can restrict specific terminals from accessing exclusive slices for industrial Internet companies through slice authentication. Network slicing is a collection of network functions with specific wireless and transmission configurations that can provide multiple end-to-end virtual networks on the same set of physical devices. These functions can be flexibly deployed at any node (access, edge, core) in the network. Industrial Internet companies use slicing technology to isolate data between different slices, and only authorized terminals can access data within the slice, thereby ensuring terminal access security.

By configuring the correspondence between IMSI (International Mobile Subscriber Identity) and campus slice S-NSSAI (Single Network Slice Selection Assistance Information), AMF (Access and Mobility Management Function) can initiate a slice access authentication process for 5G industrial Internet terminals, restricting access to enterprise-exclusive slices to only terminals in the IMSI list approved by industrial Internet enterprises, ensuring that the terminals accessing the slices are legal.

  • Secondary authentication

For industrial Internet companies that have multiple access control requirements for terminals, 5G networks can provide them with underlying authentication channels, allowing the companies to choose or customize specific authentication algorithms and protocols to achieve autonomous and controllable secondary authentication.

Before accessing the DN (Data Network) of the industrial Internet enterprise, the 5G industrial Internet terminal must first complete the primary authentication and authorization process with the 5G core network UDM (Unified Data Management) network element and the AUSF (Authentication Server Function) network element. After the primary authentication is passed, the SMF (Session Management Function) network element initiates a secondary identity authentication process based on the subscription information before establishing the user-plane data channel. The SMF network element sends an authentication start message to the AAA (Authentication, Authorization, Accounting) server and establishes an authentication channel between the 5G industrial Internet terminal and the AAA server, and the AAA server performs secondary authentication on the terminal. After the secondary authentication is passed, the 5G core network establishes the connection to the data network for the 5G industrial Internet terminal.

The AAA server can be deployed by industrial Internet enterprises themselves and connected to the SMF network element through the UPF (User Plane Function) network element. It can also be directly deployed in the communication room by 5G network operators and connected to the SMF network element. The 5G network operator provides cloud-based AAA services, and industrial Internet enterprise users implement secondary identity authentication for network access terminals in the form of tenants.

  • Business access control

5G network operators can open terminal identification information to industrial Internet enterprise users, and forward the terminal identification information to the enterprise business access control system through SMF. The enterprise can independently implement business control based on the terminal identification information. For industrial Internet enterprises that have business access control requirements but cannot deploy business access control systems themselves, 5G network operators can provide cloud business access control services, and enterprises can implement business access control of network terminals in the form of tenants.

  • Terminal access location control

5GC maintains two lists: the correspondence between IMSI and the industrial Internet park slice S-NSSAI, and the correspondence between TAI (Tracking Area Identity) and the park slice S-NSSAI. When the planned park TAI list is a subset of the 5G network operator's public (macro) network TAI list, the terminal can be allowed to use both park services and public network services after entering the park, and only public network services after leaving it. When the park TAI list is planned independently and does not overlap with the operator's public network TAI list, the terminal can be allowed to use park services only, and is allowed neither park services nor public network services after leaving the park. For industrial Internet companies with higher terminal location accuracy requirements, 5G network operators can also combine 5G cellular network positioning capabilities to provide terminal location services.
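The slice authentication and the location control described above both reduce to the same two lookups: which slices an IMSI is approved for, and which slices a tracking area serves. The following Go program is an added example, not code from the article or from any operator's AMF; it builds those two lists for both TAI planning options (park TAIs as a subset of the public list, or planned independently) and evaluates what a terminal may use at a given TAI. All IMSI, TAI and S-NSSAI values in it are constructed.

```go
package main

// Added example (not from the article): the two lists the text says 5GC keeps,
// IMSI -> park slice and TAI -> park slice, evaluated under both TAI planning
// options. Every IMSI, TAI and S-NSSAI below is a constructed sample value.

import (
	"fmt"
	"sort"
)

const (
	PublicSlice = "01-000000" // operator's public (macro network) slice, constructed
	ParkSlice   = "01-0A0B0C" // enterprise park slice, constructed
)

// TAIPlan mirrors the two options the text describes for the park TAI list.
type TAIPlan int

const (
	ParkTAIsSubsetOfPublic TAIPlan = iota // park TAIs are also in the public TAI list
	ParkTAIsDisjoint                      // park TAIs planned separately, no overlap
)

type stringSet map[string]bool

// SlicePolicy is the AMF-side view: the slices each listed IMSI may be
// authenticated into, and the slices each tracking area serves.
type SlicePolicy struct {
	IMSIToSlices map[string]stringSet
	TAIToSlices  map[string]stringSet
}

// NewSlicePolicy builds both lists and rejects TAI plans that contradict the
// chosen option (a park TAI missing from, or overlapping, the public list).
func NewSlicePolicy(plan TAIPlan, parkIMSIs, parkTAIs, publicTAIs []string) (SlicePolicy, error) {
	p := SlicePolicy{IMSIToSlices: map[string]stringSet{}, TAIToSlices: map[string]stringSet{}}
	for _, tai := range publicTAIs {
		p.TAIToSlices[tai] = stringSet{PublicSlice: true}
	}
	for _, tai := range parkTAIs {
		_, public := p.TAIToSlices[tai]
		if plan == ParkTAIsSubsetOfPublic && !public {
			return SlicePolicy{}, fmt.Errorf("park TAI %s is not in the public TAI list", tai)
		}
		if plan == ParkTAIsDisjoint && public {
			return SlicePolicy{}, fmt.Errorf("park TAI %s overlaps the public TAI list", tai)
		}
		if !public {
			p.TAIToSlices[tai] = stringSet{}
		}
		p.TAIToSlices[tai][ParkSlice] = true
	}
	for _, imsi := range parkIMSIs {
		allowed := stringSet{ParkSlice: true}
		if plan == ParkTAIsSubsetOfPublic {
			allowed[PublicSlice] = true // park terminals keep public service after leaving
		}
		p.IMSIToSlices[imsi] = allowed
	}
	return p, nil
}

// AllowedSlices returns the S-NSSAIs a terminal may use at its current TAI:
// the slices it is listed for that the TAI also serves. An IMSI not on the
// enterprise list is treated as an ordinary public subscriber.
func (p SlicePolicy) AllowedSlices(imsi, tai string) []string {
	subscribed, listed := p.IMSIToSlices[imsi]
	if !listed {
		subscribed = stringSet{PublicSlice: true}
	}
	out := []string{}
	for s := range subscribed {
		if p.TAIToSlices[tai][s] { // nil map for an unknown TAI yields false
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// Authorize is the slice-authentication decision for one registration request.
func (p SlicePolicy) Authorize(imsi, tai, requested string) bool {
	for _, s := range p.AllowedSlices(imsi, tai) {
		if s == requested {
			return true
		}
	}
	return false
}

func main() {
	imsi := "460001234567890" // constructed
	policy, err := NewSlicePolicy(ParkTAIsSubsetOfPublic, []string{imsi},
		[]string{"46000-0A01"}, []string{"46000-0A01", "46000-0B02"})
	if err != nil {
		panic(err)
	}
	fmt.Println("inside park:", policy.AllowedSlices(imsi, "46000-0A01"))
	fmt.Println("left park:  ", policy.AllowedSlices(imsi, "46000-0B02"))
	fmt.Println("visitor may use park slice:", policy.Authorize("460009999999999", "46000-0A01", ParkSlice))
}
```

The constructor is the place to catch a planning mistake: under the subset option a park TAI that the public list does not contain would silently lose public service for terminals inside the park, and under the independent option an overlapping TAI would leak park slice availability into the public network, so both are rejected before any lookup runs.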

User data security

  • Data transmission security

For sensitive business data of the Industrial Internet, the 5G network can ensure the security of user-plane air interface data transmission. According to the security policy sent by the 5G core network element SMF, the 5G base station gNodeB can activate the confidentiality protection, integrity protection and anti-replay protection of user-plane data between UE (User Equipment) and gNodeB to protect the security of air interface user-plane data transmission.

  • User ID Security

In order to solve the problem that the user ID is transmitted in plain text on the network, giving hackers the opportunity to steal the user ID over the air interface and threatening the user's privacy and security, 5G network operators can provide user ID privacy protection services. The industrial Internet terminal uses a 5G SIM card with a built-in 5G network public key to encrypt the SUPI (Subscription Permanent Identifier) into a SUCI (Subscription Concealed Identifier) for transmission. The encrypted SUCI can only be decrypted with the private key held in the 5G core network, which effectively prevents the user ID from being exposed during network transmission.
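The SUPI-to-SUCI concealment described above, as an added example that is not code from the article or from any SIM or core network vendor. It is modelled on ECIES Profile A of 3GPP TS 33.501 Annex C (X25519 key agreement, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 with an 8-byte tag); the key identifier, routing indicator and IMSI are constructed sample values, and the MSIN digits are encrypted as ASCII rather than TBCD to keep the example readable. Only the MSIN is concealed; MCC and MNC stay in clear because the serving network needs them to route the SUCI to the home network.

```go
package main

// Added example (not from the article): SUPI concealment into SUCI, modelled on
// ECIES Profile A of 3GPP TS 33.501 Annex C (X25519, ANSI X9.63 KDF with SHA-256,
// AES-128-CTR, HMAC-SHA-256 truncated to 8 bytes). Key IDs, the routing indicator
// and the IMSI are constructed; MSIN digits are encrypted as ASCII, not TBCD.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const macTagLen, ephPubLen = 8, 32 // Profile A tag length; X25519 public key length

// SUCI keeps MCC/MNC in clear so the serving network can route it to the home
// UDM; only the MSIN is inside SchemeOutput.
type SUCI struct {
	MCC, MNC, RoutingIndicator      string
	ProtectionScheme, HNPublicKeyID int    // 1 = ECIES Profile A, key id 1 (constructed)
	SchemeOutput                    []byte // ephemeral public key || ciphertext || MAC tag
}

// x963KDF derives 64 bytes (16 AES key, 16 initial counter block, 32 MAC key);
// the ephemeral public key is the SharedInfo, binding the keys to this SUCI.
func x963KDF(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	var out []byte
	for counter := uint32(1); len(out) < 64; counter++ {
		h := sha256.New()
		h.Write(shared)
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h.Write(c[:])
		h.Write(ephPub)
		out = h.Sum(out)
	}
	return out[:16], out[16:32], out[32:64]
}

func macTag(macKey, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)[:macTagLen]
}

// Conceal runs on the UE with the home network public key read from the SIM.
func Conceal(hnPub *ecdh.PublicKey, mcc, mnc, msin string) (SUCI, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per SUCI
	if err != nil {
		return SUCI{}, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return SUCI{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := x963KDF(shared, ephPub)
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(msin))
	cipher.NewCTR(block, icb).XORKeyStream(ct, []byte(msin))
	out := append(append(append([]byte{}, ephPub...), ct...), macTag(macKey, ct)...)
	return SUCI{MCC: mcc, MNC: mnc, RoutingIndicator: "0000",
		ProtectionScheme: 1, HNPublicKeyID: 1, SchemeOutput: out}, nil
}

// Deconceal runs in the home network, the only holder of the private key.
func Deconceal(hnPriv *ecdh.PrivateKey, s SUCI) (string, error) {
	n := len(s.SchemeOutput)
	if n < ephPubLen+macTagLen {
		return "", errors.New("scheme output too short")
	}
	ephPub, ct, tag := s.SchemeOutput[:ephPubLen], s.SchemeOutput[ephPubLen:n-macTagLen], s.SchemeOutput[n-macTagLen:]
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return "", err
	}
	shared, err := hnPriv.ECDH(pub)
	if err != nil {
		return "", err
	}
	encKey, icb, macKey := x963KDF(shared, ephPub)
	if !hmac.Equal(macTag(macKey, ct), tag) { // verify before decrypting
		return "", errors.New("MAC check failed: SUCI modified or wrong key")
	}
	block, _ := aes.NewCipher(encKey)
	msin := make([]byte, len(ct))
	cipher.NewCTR(block, icb).XORKeyStream(msin, ct)
	return string(msin), nil
}

func main() {
	hnPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)              // held by the core network only
	suci, _ := Conceal(hnPriv.PublicKey(), "460", "00", "1234567890") // constructed IMSI
	msin, err := Deconceal(hnPriv, suci)
	fmt.Printf("scheme output %x\nrecovered MSIN %s (err=%v)\n", suci.SchemeOutput, msin, err)
}
```

Because a fresh ephemeral key pair is generated for every concealment, the same SUPI yields a different SUCI each time, which is what stops an air-interface observer from tracking a terminal by its concealed identifier; the MAC tag is checked before decryption so that a modified SUCI is rejected rather than decrypted into garbage.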

Network security isolation

  • Wireless access network isolation

The isolation of the wireless access network is mainly aimed at wireless spectrum resources and base station processing resources, and is achieved using private network technology or slicing technology. The main implementation methods are independent base stations, exclusive spectrum, and exclusive PRB (Physical Resource Block).

For applications with the highest security level (such as industrial control) or applications that only serve a local area, such as mines and unmanned factories, RAN isolation can be achieved in the form of independent base stations. For industrial Internet applications with higher resource isolation and service quality assurance requirements, the exclusive spectrum method can be adopted: a part of the operator's spectrum resources is divided off and allocated separately to the industrial Internet application services. For industrial Internet applications with certain resource isolation and service quality assurance requirements, the exclusive PRB method can be adopted, configuring a certain proportion of PRBs for the industrial Internet application slices. The orthogonality of PRBs ensures the isolation of slices.

  • Bearer network isolation

The main implementation methods of bearer network isolation are FlexE isolation and VLAN isolation. FlexE isolation divides a physical Ethernet port into multiple Ethernet elastic pipes (logical ports) based on time slot scheduling, so that the bearer network has the characteristics of exclusive time slots and good isolation similar to time division multiplexing. VLAN isolation is achieved by mapping VLAN tags with network slice identifiers. Different VLAN tags are encapsulated for different slice data mappings according to the slice identifier, and slice bearer isolation is achieved through VLAN isolation.

  • Core network isolation

The 5G core network is built by virtualized network elements with many different network functions. It can adopt multiple isolation mechanisms to meet the different security needs of industrial Internet companies. There are four main implementation methods.

First, CPF and UPF are exclusive, mainly for scenarios with the highest security requirements such as power grids. In this way, all control plane network elements (including AMF, AUSF, UDM, UDR, PCF, SMF) and user plane network element UPF of the core network are exclusive to users in the industrial Internet industry.

The second is partially exclusive CPF with exclusive UPF, which is mainly for industrial Internet enterprises with high network security isolation requirements such as industrial control. In this way, the control plane network elements of the core network are partially exclusive, and the user plane network element UPF is exclusively used by industrial Internet industry users. The UPF can be built in the core computer room or the edge computer room according to capacity, latency and other requirements.

The third is that all CPFs are shared and UPFs are exclusive, which is mainly aimed at industrial Internet enterprises such as factories and parks that have certain data security isolation requirements and strict requirements on the deployment location of UPFs. In this way, all control plane network elements of the core network are shared, and the user plane network element UPF is newly built, which is exclusively used by industrial Internet industry users and can be deployed in industrial Internet enterprise parks.

Fourth, CPF and UPF are fully shared and slice virtual resources are isolated, which is mainly for industrial Internet industry users who have certain data security isolation requirements and no requirements for the UPF deployment location. In this way, the control plane network elements and the user plane network element UPF of the core network are all shared to serve industrial Internet industry users, and virtual resources are isolated through slicing.

Edge computing security capabilities

  • Data does not leave the park

Enterprise data is crucial to industrial Internet companies, and they have a strong demand for user-plane data not to leave the park. In this regard, operators can provide industrial Internet companies with a data-not-leaving-the-park service by designing a network architecture that keeps data inside the park and by identifying and blocking data that attempts to leave it. 5G network operators can deploy the 5G user-plane network element UPF in the industrial Internet park and enforce that user-plane data does not leave the park through subscription constraints on the industrial Internet terminals. Traffic probes deployed on the signaling and management plane of the UPF perform intelligent analysis and identification so that only signaling and OM-related data can flow out, ensuring that no business data leaves the industrial Internet park.
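The probe described above has a simple shape: anything destined inside the park is left alone, a short allowlist of signaling and OM destinations may leave, and every other flow crossing the park boundary is business data that should be blocked and reported. The Go program below is an added example, not code from the article or from any UPF vendor. It classifies constructed flow records against such an allowlist; the choice of PFCP (the N4 interface, UDP port 8805) toward the SMF and a management network for OM as the permitted egress is an assumption made for illustration, and all addresses and ports are constructed.

```go
package main

// Added example (not from the article): a traffic probe on the link between a
// park-deployed UPF and the operator core. It allows only signaling and OM
// flows out of the park and flags everything else as business data leaving
// the park. All addresses, ports and flow records are constructed sample data;
// which destinations count as signaling/OM is an assumption for illustration.

import (
	"fmt"
	"net/netip"
)

// Flow is one summarised connection as a probe would export it.
type Flow struct {
	Src, Dst netip.AddrPort
	Proto    string // "udp" or "tcp"
	Bytes    int
}

// EgressRule allowlists one kind of non-business traffic.
type EgressRule struct {
	Name    string
	Dst     netip.Prefix // signaling or management network
	Proto   string       // "" = any
	DstPort uint16       // 0 = any
}

// Probe knows which networks are inside the park and which egress is permitted.
type Probe struct {
	ParkNets []netip.Prefix // UE address pool and the park data network
	Rules    []EgressRule
}

func (p Probe) inPark(a netip.Addr) bool {
	for _, n := range p.ParkNets {
		if n.Contains(a) {
			return true
		}
	}
	return false
}

// Classify names the reason a flow is allowed, or returns "business-data-egress".
func (p Probe) Classify(f Flow) (reason string, allowed bool) {
	if p.inPark(f.Dst.Addr()) {
		return "intra-park", true // never leaves the park
	}
	for _, r := range p.Rules {
		if r.Dst.Contains(f.Dst.Addr()) &&
			(r.Proto == "" || r.Proto == f.Proto) &&
			(r.DstPort == 0 || r.DstPort == f.Dst.Port()) {
			return r.Name, true
		}
	}
	return "business-data-egress", false
}

// Audit returns the flows that should be blocked and reported.
func (p Probe) Audit(flows []Flow) []Flow {
	var bad []Flow
	for _, f := range flows {
		if _, ok := p.Classify(f); !ok {
			bad = append(bad, f)
		}
	}
	return bad
}

// SampleProbe and SampleFlows are constructed data for the demonstration.
func SampleProbe() Probe {
	return Probe{
		ParkNets: []netip.Prefix{netip.MustParsePrefix("10.10.0.0/16")},
		Rules: []EgressRule{
			{Name: "n4-pfcp-to-smf", Dst: netip.MustParsePrefix("10.200.0.0/24"), Proto: "udp", DstPort: 8805},
			{Name: "om-to-nms", Dst: netip.MustParsePrefix("10.201.0.0/24")},
		},
	}
}

func SampleFlows() []Flow {
	return []Flow{
		{netip.MustParseAddrPort("10.10.0.2:8805"), netip.MustParseAddrPort("10.200.0.5:8805"), "udp", 512},      // UPF N4 signaling
		{netip.MustParseAddrPort("10.10.0.2:51000"), netip.MustParseAddrPort("10.201.0.9:514"), "udp", 2048},     // syslog to NMS
		{netip.MustParseAddrPort("10.10.5.20:40000"), netip.MustParseAddrPort("10.10.100.7:502"), "tcp", 9000},   // UE to park PLC
		{netip.MustParseAddrPort("10.10.5.20:40001"), netip.MustParseAddrPort("203.0.113.10:443"), "tcp", 70000}, // UE to Internet
	}
}

func main() {
	for _, f := range SampleProbe().Audit(SampleFlows()) {
		fmt.Printf("ALERT business data leaving park: %s -> %s (%d bytes)\n", f.Src, f.Dst, f.Bytes)
	}
}
```

The allowlist is deliberately narrow and keyed on destination network, protocol and port rather than on packet contents, because an allowlist that only grows when a new signaling or OM destination is documented is easier to audit than a classifier that tries to recognise business traffic.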

  • APP security protection

Under the open architecture of the edge computing platform, industrial Internet companies are very concerned about the security protection of third-party apps. App security protection includes app network security isolation, app access control, and application list security management. For different apps that share a physical link, logical separation should be performed at the network layer to achieve security isolation between the MEP and apps, and between apps, and different vFWs (virtual firewalls) should be deployed for protection. Storage encryption, image encryption, and integrity verification can be used to prevent container-level attacks, resource-layer lateral movement attacks, application-layer attacks, and business traffic attacks caused by unprotected access between apps. MEC asset lists can be collected to conduct security analysis on tenants' files and apps, and to manage application blacklists and whitelists.

5G provides support for industrial Internet companies in terms of network connection and computing processing platform. Security is the prerequisite for ensuring the implementation of the industrial Internet in various production fields, and it is also an important foundation and guarantee for industrial security and national security. We must attach great importance to the security of the industrial Internet, based on the security capabilities of 5G itself, combined with the business characteristics and operation models of the industrial Internet, to provide targeted security protection solutions and enhance the security protection capabilities of the industrial Internet.
