Addressing the 5G threat landscape with standardization and equality
Nuno Teodoro, Cyber Security Officer, Huawei
While 5G brings a whole new set of capabilities, opportunities and business cases for enhancing the way society communicates and operates, it is also commonly accepted that it brings additional sources of new potential threats that have the capability to disrupt an entire ecosystem, industry or Nation.
Moreover, as a future digital enabler, 5G will have a massive impact and an active role in industries such as medicine, agriculture, energy grids and connected devices (to name a few), thus affecting almost every citizen in the world. This, along with the 5G architecture relying on greater decentralization and more software-based components, adds several new attack entry points and threat vectors, resulting in an obvious need for added effort and collaboration from cybersecurity entities such as ENISA, and industry associations such as GSMA and 3GPP, in standardizing enhanced frameworks for securing 5G networks.
Additionally, since operators will be mostly responsible for the secure rollout of 5G, each country will embrace its individual responsibility for national security, while benefiting from a strategic, coordinated effort from the European Union (EU) to achieve a unified and standardized approach to the cybersecurity measures around this ecosystem.
With the release of ENISA’s report on the threat landscape for 5G networks, the need is clear for additional requirements and cybersecurity controls on all the key stakeholders that compose the 5G ecosystem: Service Customers, Service Providers and Mobile Network Operators (MNOs) (to name a few), along with new and additional responsibilities and competences, assigned to Network Infrastructure Providers, National Regulators, National Cybersecurity Centers and National Certification Authorities, for ensuring a trustworthy and safe 5G ecosystem.
It is only by combining these new cybersecurity controls, responsibilities and competences, using coordinated actions and following standardized frameworks and guidelines, that the overall objective of safeguarding 5G networks will be achieved, measured and managed.
As a result, to tackle those requirements, the 5G Toolbox was created, aiming to steer a cohesive and pragmatic framework for cybersecurity that ensures an adequate level of protection for 5G networks across the EU.
These coordinated efforts among Member States are to be implemented across three main groups of measures: “Strategic measures”, “Technical measures” and “Supporting actions”. The adequacy of each of them is a direct result of an in-depth risk management process, in which key assets defined as critical and sensitive (e.g. core network functions and access network functions), together with supplier risk management, are two of the main impacted areas, and where a complex balance must be struck between an appropriate multi-vendor strategy and the technical security of equipment and products from those vendors.
This subject, although neither simple nor consensual, aims to develop a standardized approach based on audits and risk management, where equality among suppliers should be the baseline, while effectively implementing the toolbox measures for suppliers and equipment and, if necessary, applying restrictions or exclusions (to either) if they are deemed neither secure nor trustworthy when assessed against a recognized and accepted cybersecurity standard.
As a result, in order to properly implement the technical measure of using EU certification for 5G network components, customer equipment and/or suppliers’ processes, one of the critical steps will be moving towards 5G security assessments becoming standardized across the industry, with NESAS as a cornerstone.
The Network Equipment Security Assurance Scheme (NESAS) is jointly defined by GSMA and 3GPP for security evaluation of mobile network equipment. Developed according to security standard guidelines pertaining to vendors' product development and lifecycle processes, the scheme provides a security baseline to evidence that network equipment satisfies a series of security requirements.
With this in mind, NESAS brings the following benefits to equipment vendors:
• Provides accreditation from the world's leading mobile industry representative body
• Delivers a world-class security review of security related processes
• Offers a uniform approach to security audits
• Avoids fragmentation and potentially conflicting security assurance requirements in different markets
Additionally, NESAS also brings the following benefits to mobile operators:
• Sets a rigorous security standard requiring a high level of vendor commitment
• Offers peace of mind that vendors have implemented appropriate security measures and practices
• Avoids the financial cost and time waste of conducting individual vendor audits
We are entering an era where 5G cyber-attack vectors will shape the security of nation states and may have a high impact on the social, political and economic vectors, thus making this the perfect time to empower governments and regulators to audit telecom operators on their unbiased and transparent selection of suppliers, while suppliers will also have to up their game and provide assurance of their due diligence with regard to cybersecurity and equipment security.
It is only by using a standardized model, demonstrating and providing the tools and mechanisms to test, in a transparent and independent way, the end-to-end cybersecurity controls, ranging from source code verification, penetration testing and vulnerability management to compliance with local cybersecurity and privacy laws and regulations, that we will have the ability to truly step into the 5G world with security and take advantage of all its capabilities.