As the wave of 5G security approaches, how can we play the 5G security card well?

From 2G to 4G, mobile networks have become an indispensable symbol of daily life, and the arrival of 5G will penetrate into all areas of future society. It provides faster speeds and more reliable connections, successfully promoting the era of the Internet of Everything. At the same time, 5G mobile communication technology will also face security challenges and opportunities brought by new services, new architectures, and new technologies, as well as higher user privacy protection requirements.

In terms of quality alone, 5G is ahead of 4G, but its risks are far greater than those of 4G

From a user's perspective, 5G is fundamentally different from any previous mobile generation. In the long run, machine-type communications enabled by 5G will become a strategic differentiator and unique selling point for 5G. 5G networks will become key infrastructure to facilitate digitalization, automation, and connectivity such as M2M and transportation solutions. Therefore, 5G network security also faces significant risks.

Why 5G networks pose greater security risks

According to a 2019 Brookings University report, 5G networks are more vulnerable to attacks than 4G:

  • 5G networks shift from traditional hardware-based centralized switching to distributed, software-defined digital routing, making them more vulnerable to attacks.
  • Advanced network functions that were previously performed by physical devices are now virtualized through software, increasing network vulnerabilities.
  • Even if software vulnerabilities in the network are locked down, 5G networks are still managed by software, which means that an attacker who gains control of the network management software can also control the network.
  • The dramatic expansion of 5G bandwidth creates more attack vectors.
  • In the future, the connection of a large number of smart devices to the Internet of Things will also lead to a surge in network vulnerabilities.

Security division of three major 5G scenarios

5G has three typical business scenarios: enhanced mobile broadband (eMBB), ultra-reliable low-latency communications (uRLLC), and massive machine-type communications (mMTC). Each has different security requirements:

  • eMBB provides higher user-experienced data rates and greater bandwidth to serve applications with extremely high bandwidth requirements, such as virtual reality (VR) and big video. This in turn requires higher security processing performance, support for secondary authentication by external networks, and the ability to patch known vulnerabilities.
  • uRLLC provides low-latency, highly reliable information exchange, with end-to-end latency at the millisecond level, and is mainly used in applications such as the Internet of Vehicles and telemedicine. Network security usually conflicts with network performance and efficiency: enhancing security protection mechanisms will inevitably sacrifice network performance and reduce network efficiency. uRLLC therefore requires low-latency security algorithms and protocols, an edge computing security architecture, and protection of privacy and key data.
  • mMTC provides optimized signaling control at higher connection densities, supporting efficient access and management of large-scale, low-cost, low-energy IoT devices. It requires lightweight security, group authentication, and the ability to resist DDoS attacks.


Different security challenges of 5G

5G provides significantly different access methods and network service methods for different scenarios and supports different business delivery methods, so the differences in security requirements are very obvious. In particular, IoT application scenarios bring security requirements such as authentication for massive numbers of connections, high availability, low latency, and low energy consumption, while the new technologies introduced by 5G, such as SDN/NFV, virtualization, mobile edge computing, and heterogeneous wireless network integration, bring changes and security risks of their own. Together these pose new challenges for access security, slicing security, data protection, and user privacy protection in 5G mobile communication systems.

Access security

In the 5G era, networks are not only used for communication between people, but also for communication between people and things, and things and things. To this end, 5G networks need to support diverse access terminals, multiple access types, and multiple access technologies.

  • From the perspective of terminal type, there are card terminals and cardless terminals. Card terminals use SIM/USIM cards as the carrier of the user identity and keys and have certain computing and storage capabilities; cardless terminals have no built-in dedicated carrier for identity and key information, usually use IP or MAC addresses as their identities, and rely on digital certificates for security;
  • From the perspective of access type, 5G networks need to support 3GPP access, non-3GPP access, trusted access, and untrusted access;
  • From the perspective of access technology, in addition to supporting 5G new wireless access technology, 5G networks must also be compatible with 3G access, LTE access, WLAN and fixed access technologies.

The 5G network is a heterogeneous network that integrates multiple types of terminals, access types, and access technologies. Different terminals, different access types, and access technologies have different security requirements and use different authentication protocols and key negotiation mechanisms. The 5G network needs to study and build a unified authentication framework to integrate different access authentication mechanisms to meet the security access requirements of terminals with different security capabilities.

Slice security

A 5G network slice is a logical network tailored to particular business characteristics, built on the wireless access network, bearer network and core network infrastructure using network virtualization technology. Operators can build isolated 5G network slices for different industry applications on a shared network infrastructure through technologies such as capability exposure, intelligent scheduling, and security isolation, and provide differentiated network services.

Network slicing also places higher demands on security, for example: slice authorization and access control; resource conflicts between slices; security isolation between slices; and privacy protection of slice users. The benefit of slicing is that it can isolate faulty network elements and isolate network services from one another. On the other hand, slicing depends on network resources, service types and traffic, all of which must be accurately understood; otherwise the slices corresponding to each service cannot be organized. Network slicing needs to provide an isolation mechanism between different slice instances to prevent resources within a slice from being illegally accessed by network nodes in other types of network slices.

Edge computing security

As one of the new network architectures of 5G networks, multi-access edge computing (MEC) adopts a distributed network architecture to push service capabilities and applications to the edge of the network, thereby building a telecom-grade service environment with high performance, low latency and high bandwidth. The advantage of edge computing is that it processes data locally, reducing the risk of sensitive data leakage. The disadvantage is that since edge computing is not centralized cloud computing, it has weak protection capabilities and is vulnerable to attacks. In terms of management, the original centralized management of content supervision has been decentralized to each edge node, which adds additional difficulty to management.

A typical MEC carries some core network functions, value-added services of operators, and vertical industry services, and is interconnected with multiple external networks such as wireless access networks, core networks, enterprise networks, and the Internet. In general, MEC is an extension of central computing, inheriting the advantages of central computing and facing similar threats as central computing; specifically, due to changes in physical location, network boundaries, customer entities, business types, etc., MEC has significant differences in networking architecture and operation mode from traditional telecommunications networks, and therefore faces new challenges in terms of security.

Privacy Protection

5G networks need to provide differentiated security services for different business scenarios and be able to adapt to a variety of network access methods and new network architectures. These new scenarios, new architectures, and new technologies all put higher privacy protection requirements on 5G networks. In addition, 5G networks will generate a large amount of sensitive information for vertical industry users, and there is an urgent need to take measures to ensure the privacy and security of industry users on the 5G open network environment. 5G networks will enable a variety of new applications, and a large amount of sensitive data will be transmitted through 5G networks. Privacy protection in different usage scenarios may vary depending on security requirements (such as location privacy, identity privacy). For example, the Internet of Vehicles can monitor our activity routes, and smart city applications can collect information about our lifestyles. In the 5G scenario, how to achieve the classification of privacy data and improve the ability to protect privacy against big data attacks will become an urgent problem to be solved.

5G Security Standardization Organizations

Currently, the main international standardization organizations researching 5G security standards include 3GPP SA3, ETSI NFV, ITU-T SG17, and NGMN, among others.

3GPP

In December 2017, 3GPP approved the 5G NR non-standalone (NSA) specification, and then passed the standalone (SA) specification in June 2018, completing the radio part of the first phase of 5G (3GPP Release 15). Within 3GPP, the Security Working Group (SA3) is responsible for the design of the 5G network security architecture.

At the 82nd meeting held in February 2016, 3GPP SA3 started research work on the 5G security project (next generation system security). This research project undertakes SA2's 5G research, collects, analyzes and studies potential security threats and requirements in the next generation network, and cooperates with SA2, RAN2 and RAN3 to carry out research on the security architecture and access network security of the next generation network.

At the 86th meeting held in March 2017, 3GPP SA3 started the standard work of 5G System and Security Architecture-Phase 1, which mainly focused on the security framework, access security, confidentiality and integrity protection of user data, mobility and session management security, privacy protection of user identity, and interoperability with EPS (Evolved Packet System). Subsequently, in the second phase, 3GPP carried out related standard work on slice security, capability exposure security, and 256-bit cryptographic algorithms.

In September 2018, at the 92nd meeting of the 3GPP SA3 Security Research Group, the 5G virtualized network element security research project led by China Mobile was successfully established. This project fills the gap in the industry in the field of virtualized network element security assurance and evaluation standards, and has been signed and supported by 10 companies including operators, equipment manufacturers, and research institutions.

ETSI

ETSI has mainly conducted research on NFV security, and has set up a security subgroup under NFV to conduct in-depth research on NFV security, focusing on the research and standardization of NFV security architecture, privacy protection, lawful interception, MANO security, certificate management, security management, and security deployment. ONF and ITU-T have also carried out relevant standardization work on SDN security.

NGMN

In 2014, the NGMN Council, composed of more than 20 CTOs of leading international operators, decided to focus NGMN's activities on defining the end-to-end requirements of 5G. In March 2015, NGMN released a 5G white paper, expressing its views on 5G vision, requirements, technology and architecture, spectrum, IPR ecology, and roadmap, aiming to guide the development of future technology platforms and related standards to meet future end-user needs. In 2017, NGMN established a formal SCT security working group to carry out comprehensive security technology work in 5G end-to-end architecture, 5G capability opening, and Internet of Vehicles. In the white paper "5G End-to-End Architecture Framework", NGMN elaborated on the technical requirements of 5G security from the network layer, service enablement layer, service application layer, management and orchestration, and terminal equipment. NGMN also analyzed the security threats and security defects that 5G may face after adopting network slicing technology.

Summary

In the 4G era, we have witnessed many network security incidents. In the upcoming 5G era, new business scenarios are constantly emerging, and the security challenges brought by the development of new technologies cannot be ignored. At present, the standardization of 5G network security is in full swing, and the development of 5G in the future will continue to improve with the implementation of practical applications.
