5G Security 03-10-2021

New 5G Specification Report for EU Provides Guidance for Securing 5G

Brian Trzupek

New 5G specifications are far improved when compared to 4G and earlier generations; however, if the specifications are not fully understood, implemented and refined over time, 5G networks can still be vulnerable. Technical specifications for 5G networks mainly stem from 3GPP, the 3rd Generation Partnership Project, which dictates much higher security levels compared to 4G and earlier networks. However, government regulatory authorities and other standardization bodies are developing their own specifications.

The European Union Agency for Cybersecurity (ENISA) just released their Security in 5G Specifications — Controls in 3GPP report to help regulatory authorities better understand 3GPP and what operators must do to secure 5G networks. ENISA contributes to EU cyber policy and its mission is to define a high level of cybersecurity across Europe. Essentially, if MNOs wish to operate 5G networks in Europe, they should be familiar with ENISA’s guidelines.

The report gives an in-depth look at what other standards groups are doing, key security areas for 5G networks and key findings and best practices. Here are their top three findings and what they mean for securing 5G.

1. 3GPP specifications on security architecture and procedures for 5G need to be fully defined and correctly implemented.

3GPP TS 33.501 offers a detailed explanation of the security architecture and procedures for 5G. ENISA lists several best practices to accomplish this, including:

  • Encrypt UE by default
  • Apply a not-NULL ciphering for user and signaling data
  • Use a secure protocol on network for both user and control plane data on RAN interfaces
  • Use state-of-the-art mechanisms for transport protection and mutual authentication
  • Implement the required authentication specifications and consider secondary authentication
  • Ensure keys are properly protected and stored
  • Ensure use of current security protocols for TLS and appropriate key and certificate management practices
  • Use tamper-resistant hardware for storing/processing critical data

Following these specifications is critical to maintaining the security of 5G networks.
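One way an operator might check a network function's settings against several of the practices listed above. This is an added example, not code from ENISA, 3GPP or DigiCert. The configuration schema, the TLS 1.2 floor, the 30-day renewal window and the sample records are assumptions made for illustration.

```python
import ssl
from datetime import date

MIN_TLS = ssl.TLSVersion.TLSv1_2   # assumption: floor for "current" TLS
RENEW_DAYS = 30                    # assumption: certificate renewal window

def audit_nf(cfg, today):
    """Return findings for one network-function config (hypothetical schema)."""
    findings = []
    # Not-NULL ciphering for user and signalling data: NEA0 is the null
    # ciphering algorithm, so it must not be negotiable on either plane.
    for plane in ("signalling", "user"):
        prefs = cfg.get("ciphering", {}).get(plane, [])
        if not prefs:
            findings.append(f"{plane}: no ciphering algorithms configured")
        elif "NEA0" in prefs:
            findings.append(f"{plane}: NEA0 (null ciphering) is allowed")
    # Transport protection and mutual authentication.
    tls = cfg.get("tls", {})
    name = str(tls.get("min_version", "")).replace(".", "_")
    floor = ssl.TLSVersion.__members__.get(name)
    if floor is None or floor < MIN_TLS:
        findings.append(f"tls: minimum version {tls.get('min_version')!r} is too old")
    if not tls.get("require_client_cert", False):
        findings.append("tls: client certificate not required (no mutual auth)")
    # Key protection: private keys should live in tamper-resistant hardware.
    if cfg.get("key_storage") not in ("hsm", "tpm"):
        findings.append("keys: private key not held in tamper-resistant hardware")
    # Certificate management: flag certificates close to expiry.
    days_left = (date.fromisoformat(cfg["cert_not_after"]) - today).days
    if days_left < RENEW_DAYS:
        findings.append(f"cert: {days_left} days to expiry, renewal overdue")
    return findings

# Constructed sample records, not taken from any real network.
TODAY = date(2021, 3, 10)
WEAK = {"ciphering": {"signalling": ["NEA0", "128-NEA2"], "user": ["NEA0"]},
        "tls": {"min_version": "TLSv1.1", "require_client_cert": False},
        "key_storage": "file", "cert_not_after": "2021-03-20"}
HARDENED = {"ciphering": {"signalling": ["128-NEA2", "128-NEA1"],
                          "user": ["128-NEA2", "128-NEA1"]},
            "tls": {"min_version": "TLSv1.2", "require_client_cert": True},
            "key_storage": "hsm", "cert_not_after": "2021-12-31"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_nf(cfg, TODAY))
```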

2. Technical specifications and standards should be properly implemented in the products that suppliers provide and in 5G networks, and they should be tested and assessed regularly.

Best practices to accomplish this include regular security testing, security built into product development, proper network operation and management, as well as solid network design that includes security features like PKI (public key infrastructure). All 5G network components and equipment should undergo rigorous security testing with regular vulnerability assessments.

At DigiCert, we support these best practices and agree that an ounce of prevention is worth a pound of cure. Implementing good security measures from the start and regularly testing them is much more efficient than addressing security after a breach. When it comes to network design, ENISA also recommends establishing PKI infrastructure for secure admin access and protecting your network against external access, especially in a cloud environment.

Why PKI for 5G

PKI offers the authentication and encryption that Mobile Network Operators (MNOs) need to authenticate users and devices. PKI can authenticate and encrypt across a huge scale in the cloud. PKI has been used to secure websites, documents, code, email, devices and users for decades, and modern PKI solutions can also be applied to enable trust for 5G networks.

ENISA also warns that, at scale, PKI networks can be difficult to manage without automation. “With continuous deployment and fast-paced updates, it will not be feasible to perform certificate issuance manually and that high automation is needed” (section 4.1.4). For 5G networks, the ability to automate PKI management will save time and money and increase efficiency.

DigiCert’s modern PKI solutions

DigiCert is a leading provider of world-class PKI solutions and is innovating new, automated ways to manage PKI infrastructure simply. For securing networks of 5G connected devices, DigiCert IoT Device Manager offers scalability, flexibility, control and efficiency. Administrators can monitor the entire device lifecycle, roll out their PKI infrastructure quickly and efficiently, and automate updates and orchestration, making it easy to manage a large network of devices.

IoT Device Manager is built on DigiCert ONE™, a modern PKI management platform with a new architecture and software designed to serve as the PKI infrastructure service for today’s cloud migration challenges. Released in 2020, DigiCert ONE offers multiple management solutions and is designed for all PKI use cases. Visit https://www.digicert.com/ideas/digicert-one to learn more about DigiCert’s PKI solutions.

3. Ensure continued collaboration between stakeholders, standards bodies and private sector to identify gaps and understand needs.

Discussion between stakeholders and standards bodies needs to continue to facilitate understanding as 5G technology evolves. This includes EU-facilitated coordination between member states and exploring new ways to strengthen collaboration between parties. DigiCert is involved with several standards groups to further promote security best practices for 5G. DigiCert is also developing innovative solutions to help our customers and partners gain more control and security over 5G networks, in addition to our current DigiCert 5G Network Solutions.

DigiCert 5G Network Solution — built on DigiCert ONE

DigiCert 5G Network Solution is a modern container-based PKI solution with cloud-native architecture that enables MNOs to authenticate, encrypt and verify the integrity of their cloud infrastructure and communications, so that they can deliver high performance, scalability and reliability for 5G products and services. It is flexible enough to deploy on-prem or in a private or hybrid cloud, and to transition easily between them as your network grows.

DigiCert automation tools make it easier to manage even the most complex networks. DigiCert 5G Network Solution offers automation tools based on protocols such as SCEP, EST, CMPv2 and REST API, which enable the orchestration of secure services for dynamic scaling in 5G networks.

For more information about DigiCert 5G Network Solution, contact us at pki_info@digicert.com or visit www.digicert.com.