5G PPP Phase 1 Security Landscape

Questions and Answers

What is a key difference in the 5G security approach compared to previous generations, particularly concerning trust?

  • 5G aims to make trust assumptions an explicit part of the architecture, unlike previous generations where it was largely implicit. (correct)
  • 5G relies entirely on implicit trust models, whereas previous generations used explicit models.
  • 5G eliminates the need for trust models due to advanced encryption techniques.
  • 5G centralizes the trust model, making it easier to manage compared to the distributed models of previous generations.

5G regulation conformity intends to apply data retention regulations in the case of slicing deployment.

True (A)

What security concern arises from the integration of non-virtualized equipment within the Radio Access Network (RAN) in 5G, specifically concerning flexible allocation?

The need to implement flexible allocation and dynamic relocation of functions between different implementation domains.

In the context of 5G security, inconsistencies between orchestrator abstraction, SDN control abstraction, and the physical and network resources, may lead to ______ by third parties.

traffic capture and rerouting

Match the example security risks with their appropriate categories.

  • 5G Identity thefts or cloning = Unauthorized access or usage of assets
  • Weak slice isolation and connectivity = Sensitive data exposure
  • Traffic embezzlement due to virtualization = Traffic Capture
  • VNF lifecycle is outside of Operator control = Trojan Proof

In the context of 5G network slicing, what is the relationship between network slicing and neutrality?

The slicing concept seems not to be fully compatible with Neutrality concepts. (D)

In a service-oriented 5G ecosystem, all services are expected to have the same security requirements.

False (B)

What specific aspect of device integrity in 5G networks is highlighted as crucial to prevent identity theft and cloning?

The incapacity of Software technology to prevent Identity theft and clone.

To ensure that the integrity of VNFs is maintained it is important that the VNFs are properly ______.

hardened

Match the 5G PPP project with its security focus.

  • 5G-ENSURE = Identifying and specifying risks.
  • COGNET = Attack analysis.
  • CHARISMA = Policy management.
  • VirtuWind = Inter-domain SDN architecture.

What approach is most suitable for addressing the challenges on network-related difficulties?

Deep Packet Inspection. (B)

To be as interoperable as possible regarding new systems, a multi-domain approach is recommended, to model trust.

True (A)

What data types for multiple, differentiated, and specialized security VNFs can be chained, and what do they provide?

traffic is attracted to a honeynet

An essential aspect in 5G architecture is to deliver vertical service, but in particular to regard the delivery of ______ services.

verticals

Match the correct description to its key term.

  • Open standards = Allow scrutinization and analysis by a wide range of experts such as academics and therefore promote transparency and trustworthiness.
  • Adherence to standards = Help to ensure safety and reliable environment.
  • Standards = The best guarantee of interoperability
  • Security = Involves all aspects of 5G networks

To get an efficient result and avoid mistakes, what procedure is recommended to maintain security in accordance with Endsley's model?

To make the understanding of environment via contextual analysis more comprehensive (B)

To enable a 5G system, all stakeholders should have the power to check what is happening as part of the design itself.

True (A)

According to the article, what are the 2 main sides to understand for security in virtualisation architecture?

increased surface attacks, easy containment

What aspects are essential to be able to guarantee multi-tenancy support following strict regulations over data planes? ______, and resource isolation have to be investigated and guaranteed to ensure zero correlation across the operations of different tenants.

control planes

Match the main 5G security principles.

  • Logical, rather than physical architecture emphasis = Slicing must isolate resources.
  • Support of 5G should be multidomain = Consistency for slices in security must be held.
  • A hierarchical recursive approach should be used = trade centrally vs distributed can give best defence
  • Flexibility, extensibility is desirable = Broken crypto needs to be replaced.

Why might certain verticals elect to have outsourcing within the network?

To remain in control of security while achieving savings. (A)

Access to the HNB may raise potential signalization issues.

True (A)

In previous generation mobile networks, trust was implicit. For 5G, what kind of changes are pursued?

Make trust assumptions an explicit part of the architecture

What kind of new component will new devices and users to be added to the chain, if they trust them?

certified VNF

Match the 3GPP stratum name with its functionality.

  • Access stratum = Mechanisms related to user authorization.
  • Transport stratum = Mechanisms related to user intercommunication.
  • Serving stratum = Mechanisms related to the management.
  • Application stratum = Visibility & Configurability (V)

When the end user is part of what is called the 5G Exchange, what should they consider about the operators?

To apply encryption when traffic leaves. (A)

As in security, not every aspect requires standardization between domains.

False (B)

According to the specifications, for the data to be safe, what is the state-of-the-art protocol?

Key Agreement protocol

Regarding security for different types of access: what does 4G use to make access homogeneous, which supports authentication thanks to ______?

Card

Match the potential challenges mentioned in the guide.

  • What if network integrity is compromised? = This may allow new access vectors
  • Side channel leakages may exist = seamless based fraud may arise
  • Side channel may arise = resources sharing exploit is possible
  • SBD may result in attacks = Side channel may arise

What is one way in which the 5G security architecture can help reduce harm to individuals?

Calculating reliabilities and ensuring certain guarantees (A)

VNF components do not impact the overall 5G architecture.

False (B)

What is the recommendation to address both security and performance for virtual security features and prevent a singular crash?

Distribute the operations amongst a VNFC

Regarding devices using 5G connectivity, the equipment must include ______.

certified hardware

Match each item to the description of what a trust-by-design model does.

  • Design by system = Identify where the risks of compromising may need to decide.
  • One of two responses = When to engage in the system
  • Risk management = The transfer of security can go a long way
  • Security controls = Security levels can be set and risks can be reduced

Which of the answers would make a reliable network?

Incorporate 100 % geographic coverage (B)

DPI causes difficulty for organizations as each country has different regulations.

True (A)

In the proposed design for 5G, what functionality is placed in the third domain?

Management

To create a better protection against fraud the system's ______ data should be used.

streamed

Match aspects covered for high analysis for 5G Networks to their definition.

  • Application isolation = Isolation through connection and control is a good step
  • Resource = More network will be allocated
  • management = Will be easy to understand
  • Threat recognition = Data will be well distributed, and fast.

Flashcards

5G Security Risk: Asset Access

Unauthorized access or misuse of assets, including identity theft and fraudulent usage.

5G Security Risk: Slice Isolation

Weak slice isolation can expose sensitive data between different slice services, potentially through side channel attacks.

5G Security Risk: Traffic Embezzlement

Traffic capture and rerouting is facilitated by the combination of SDN and NFV, potentially without detection by the operator.

5G Security Risk: Tech Readiness

New and non-mature technologies may be put into production. This may allow new attack vectors.

5G Security Risk: Vertical SLA

An orchestrator may allow direct access or command from third parties to operator's infrastructure or assets.

5G Security Risk: Slicing vs. Neutrality

Slicing may not fully align with network neutrality principles, potentially leading to regulatory issues and restrictions on delivered services.

5G Security Risk: Domain Lock-in

A slice owner being unable to easily and flexibly migrate all or parts of its virtual service infrastructure.

5G Security Requirement: Automation

Automation of security processes is vital to successful adaptation in 5G technologies.

5G Security Requirement: Monitoring

Capable of detecting advanced cyber security threats and support coordinated monitoring between different domains and systems.

5G Security Requirement: Management

Taking into account correlation and consistency between data exchanged/shared at security architecture inter-domain interfaces.

5G Security Requirement: Liability

To address breach of Trust/Security between parties.

5G Security Requirement: Inter-tenant isolation

Infrastructure sharing by multiple network operators will require strict isolation at multiple levels to ensure the expected security level.

5G Security Requirement: Regulation Conformity

To address existing and anticipated regulation.

Design principles for a 5G security architecture

The 5G security architecture cannot be built independently of the overall architecture.

5G security architecture: Multi level

A distributed, hierarchical and recursive approach.

5G security architecture: AAA

AAA mechanisms for all actors involved in intra- and inter-domain deployments.

5G security architecture: SDN Plane

The SDN control plane itself must be fault tolerant.

Trust Model

Trust models can be used to gauge the security level of a telecommunication system

5G Trust Model Levels

5G is developed with two levels of trust models that are embedded into the 5G architecture.

Group-based AKA protocol family

Authenticate a group of devices reducing the signalling and communication latency with the home network.

Privacy: subscriber and device identifiers

Data Retention regulation

Infrastructure Provider Domains

The set of physical domains.

Tenant Domains

The logical/functional domains.

Tangible Measure

A measure of the effect of 5G security enablers on the trustworthiness (and where appropriate trust) in 5G networks.

Functions within a network slice

They can be chained in dynamic and rapidly adapting way within the logical instance of a network slice.

Security-management Framework

In which a comprehensive threat intelligence is built leveraging per tenant functions

innovations

5G relies on new innovative solutions for security monitoring and management

Lawful Interception

the application of Deep Packet Inspection (DPI).

isolation verticals

Used to highlight the requirement of ensuring secure multi-tenant support

GDPR compliance in 5G

5G technology should comply with the GDPR to avoid hefty fines.

Study Notes

5G PPP Phase 1 Security Landscape

  • First white paper from the 5G PPP Security Working Group
  • Launched in April 2016 and led by 5G-ENSURE
  • Encompasses Phase 1 projects active or interested in 5G security
  • Projects with largest contributions: 5G-ENSURE and CHARISMA
  • Most Phase 1 projects joined the working group and provided inputs

Purpose of the Paper

  • Describe the 5G PPP Security Landscape of Phase 1 projects
  • Covers the scope in Phase 1 projects with specific reference to 5G Security
  • Introduce the reader to 5G Security as addressed in Phase 1
  • Important for Phase 2 projects, which can leverage achievements from Phase 1

Document Structure

  • Organized into sections covering different facets of 5G security
  • Each section has authors, and inputs from others, following chair/editor guidance
  • Projects active in each topic are mentioned with their targeted results

Novel Business Requirements

  • The challenging traits of 5G networks, which are designed to support novel and diverse business requirements, render current network security approaches inadequate
  • Multi-tenancy requires strict isolation
  • Reliability covers ensuring connectivity, capacity, and coverage anytime, anywhere
  • Demands a security makeover of confidentiality, integrity, and availability maintenance
  • The introduction of SDN and NFV has scaled up the high complexity of securing a network

5G Security Risks and Requirements

  • Those foreseen by Phase 1 are preliminary and not exhaustive
  • Includes unauthorized access or usage of assets because of the heterogeneous nature of the 5G infrastructure

AAA Evolutions

  • Chapter 4 investigates potential AAA evolutions, which may induce potential heterogeneity of access control security levels to 5G
  • A new list of 5G security risks and requirements will be listed in this document
  • In a multi-tenant 5G infrastructure, the access controls performed at each sub-party might be heterogeneous and not easily interoperable

5G Security Risks Examples

  • 5G Identity thefts or cloning
  • Usages of shared resources, unauthorized access and/or modification of 5G connected devices critical data
  • Exposure of the security level of 5G network access technologies to new threats
  • Massive IoT 5G security protocols introduced with low security level

Weak Slices

  • In the context of 5G infrastructure slicing, a weak slice isolation and connection may compromise the entire 5G security
  • Sensitive data could be exposed to apps running in other slices, through side channel attacks
  • Complexity arises from managing such a chain of connections among each of the security domains

Traffic Embezzlement

  • Double virtualization allows traffic capture and rerouting
  • Inconsistency between Orchestrator abstraction, SDN control abstraction and the physical and network resources may allow third parties to capture/embezzle/alter the control plane and user plane

Insufficient Technology

  • In the first steps of 5G deployments (2020), new and non-mature technologies may be put into production, allowing new violations to surface
  • Security by Operation (RUN) will manage delivered security levels to 5G customers and Vertical services providers
  • TRL stands for Technology Readiness Level; high TRL is what the Phase 3 projects will implement

Difficulties

  • Vertical SLA and regulation compliance are difficult due to multiple factors, including no clear responsibility scheme

Slicing vs Neutrality

  • Slicing seems not to be fully compatible with Neutrality concepts
  • Both concepts are regulated by EU regulation
  • BEREC in its guidelines mentions that "Network-slicing in 5G networks may be used to deliver specialized services," on the assumption that slicing delivers services needing optimization

Trust Management

  • Trust concepts, as understood now, are insufficient to manage complex 5G infrastructures
  • Trust may also include liability, i.e., a new concept of liabilities between parties should emerge
  • Particularly regarding the delivery of vertical services, which may oblige delegation of some regulation constraints to third parties

Service changes

  • Network slices are expected to span multiple administrative domains
  • Tenants may be unable to migrate virtual infrastructure due to lack of security standards

Securing 5G

  • 5G must provide higher or equal security and privacy than 4G.
  • Must maintain SLA to verticals
  • Mutually authenticate and authorize, unaffected by legacy systems

Security Automation

  • 5G infrastructures' heterogeneity and complexity require security automation
  • 5G security will be composed and dynamically adapted upon context

Security Monitoring

  • Systems must detect advanced cyber threats
  • Support coordinated monitoring between different domains
  • New approaches may be beneficial, like analytics for enhanced security operations

Security Management

  • End to End security management and orchestration should be in place
  • Data should be correlated/coherent between Security Architecture Inter-domain interfaces
  • Big Data may allow consistency evaluation (Between RAT to Verticals)

Security Awareness

  • Customers, slice owners and vertical services should be aware of their technical 5G contextualization

Security for Regulations

  • Should have new responsibility schemes in line with existing regulation
  • Regarding distribution/allocation of responsibilities/obligations in multi-tenant softwarized telecom infrastructure
  • Regulation obligation to non-regulated third parties

Slice Isolation

  • Infrastructure sharing requires strict isolation to ensure required level
  • Aspects of control-plane, data-plane and resource isolation must minimize correlations
  • Guarantees a reliable/warranted service assurance, data and communication integrity and confidentiality

Liability in 5G

  • Chain of Trust and liability of multi-tenants should be managed and auditable
  • For each service, component supplier, operator and customer

Encryption

  • Value-added security services in the context of encrypted traffic must comply with privacy regulations and user data protection
  • End-to-end encryption (expected) may hamper the use of security services such as attack detection, QoS monitoring

Regulation Conformance

  • Technology should be in compliance with current and anticipated legislation
  • Include anticipated LI and Data Retention Regulations
  • Difficult in the case of Slicing implementation

Introducing Architecture

  • Why is a new security architecture for 5G needed?
  • What are the design principles for a 5G security architecture?

Current 3G/4G

  • Security architectures are currently defined
  • A new architecture is needed in 5G because current architectures do not have the power to manage the new security concerns
  • Trust Model: there is no explicit and complete trust model documented for 3G and 4G networks. This produces concerns of impersonation on signalling interchange networks.
  • Virtualization: Virtualization and management are left outside the scope of current architectures

New threats

  • Completely new threat and risk situation occurs for mission critical services such as health, transport and industrial automation

Design Principles 1

  • A Logical Rather Than Physical Security Architecture for 5G that follows the design principles and must isolate resources even on shared infrastructure
  • The RAN security architecture should support flexible allocation and dynamic relocation of functions including edge cloud implementations

Design Principles 2

  • A distributed hierarchy will coordinate security architecture
  • Probes extracting security threats/events from a tenant's data plane should be distributed across administrative domains
  • Hierarchy gives trade offs between centralized and distributed functions, allows for defense in depth [Selfnet]

Design Principles 3

  • The vision is to provide a secure SDN/NFV industrial network architecture, supporting coordination and orchestration
  • Must mitigate cross-operator/domain damages, and slices that extend across several domains must maintain a consistent security view

Design Principles 4

  • Security as a Service is presumed to lie in the ability of verticals to improve cost/efficiency by using shared infrastructure

Industry design musts

  • Architecture should provide AAA mechanisms for all actors involved in intra- and inter-domain deployments.
  • Appropriate interfaces should be included to provide means for the designation of access control policies
  • Automation of security monitoring, analysis, and incident response. These features can exploit the flexibility of SDN/NFV deployment via Service Function Chaining

SDN Control Plane

  • Must be fault tolerant; additionally, architectures such as controller clustering provide reliable and consistent network control
  • This holds even if some controllers fail or are compromised

Key Parts

  • Securing the management (e.g. securing orchestration)
  • Managing the security (e.g. preventing unwanted traffic).
  • Security Management: Needs to provide a holistic system view, by monitoring/analytics, and ensure SLA security levels

Support

  • DevOps
  • Service platforms need to validate the services submitted to that platform; a manifest describing the functional scope permits proper authorization and liability of the supplier

Wanted Traffic

  • Traffic detection in the tenant's data plane could in 5G be enhanced by SDN/NFV

Flexible design

  • Design must allow for flexibility to support different user groups and diversity
  • Extensibility: extension of authentication methods must be supported
  • Broken cryptographic algorithms must be replaceable
  • Backward compatibility must not result in a downgrade attack

Metrics

  • MTC: divided into two primary dimensions, the scale of the MTC service and the criticality.
  • Have differing implications depending on MTC.

Additional needs

  • Access to actuators secured, flexible choice of crypto-algo
  • Regulatory compliance such as Lawful Intercept and user privacy
  • Level of security must be demonstrated

High level security architecture draft

  • Its design principles include multi-domain support and management, with visible aspects, and others still need to be reviewed

Principles

A sound principle is to not re-invent the wheel. While the current 3GPP security architecture fails to meet all the 5G needs:

  • It has created a huge, trusted ecosystem and provides a proven basis to build on
  • 3GPP already defines and in turn builds architecture
  • 5 defined strata

Domains Require Changes

  • Domains need to be adapted to a 5G context: TS23.101 defines a domain to be a “physical grouping”, which we need to generalize, in general defining it akin to ETSI

Extension summary

  • Domains require more changes to be adapted to a 5G context
  • Slicing is another dimension of adding special slice domains into network

Three Important Domains

  • Slice Domains: Model slices that extend across access/core domains, across-domains
  • Management Domains: Management functionality that would allow even third party management
  • UE Domain has additional Identity module
  • Final extension captures added (Additional) UE Domain: addition captures mode and UE domains

Providing control

  • 4G Mobile Network access control is homogenous
  • Secure thanks to the USIM hardware card

Providing authentication

  • The concept of the embedded (soldered) eUICC allows and certifies remote provisioning of credentials by the operator

AAA-Central is key

  • The Authentication and Key Agreement (AKA, USIM card and Core Network HSS) plays a central role, providing security parameters and context

Challenges

  • 5G signalling data is growing faster than 5G data traffic; this should be investigated to fully support IoT

More challenges to face

Two approaches are currently being investigated:

  • First: lightweight authentication for mass communication, in SPEED-5G
  • Second: authentication of devices as a group, allowing a reduction in signalling, with group-based AKA, in 5G-ENSURE

Propagation

  • It seems crucial to propagate evidence of user equipment or stakeholders that allows AAA
  • Seven 5G PPP projects have anticipated multi-tenant and trusted-party infrastructure to allow identity for access

Heterogeneity AAA to consider

AAA potential for security AAA could composes types

  • Access may not easily interoperate with the RAN and with the verticals

Need to see

  • In 2.25 delegation of the above from end to end in sector will have to see
