Security and Trust in 5G and Beyond

An Overview

Anastasius Gavras
Eurescom

While network security has always been important as a means to protect the physical infrastructure and the data and content flowing through the network, it is gaining increased attention with 5G and beyond 5G networks, because networks are becoming deeply rooted in our society across the business, governmental and private spaces.

There is increasing concern about the availability and integrity of networks. All of us have experienced the anxiety induced by an outage of network services, whether a loss of Internet connectivity at the office or at home, or a mobile network that is unreachable due to a failure. Some of the recent cases of mobile network outage could be traced back to malicious or unintentional interventions in the network configuration. Confidentiality and privacy concerns surface in the news when security breaches have a significant impact on customer data. Such cases shatter, at the very least, trust in the technology or in the mobile network operators.

Taking a look at some of the fundamental innovations leveraged by 5G, we can derive risks that did not exist with current networks, at least not to such a high extent. Virtualisation and softwarisation are technologies that induce a very high degree of flexibility and agility in the deployment of new services, but at the same time induce complexity. Despite the benefits for every vertical sector and our daily life, complex networks bring along risks that need to be identified and mitigated. The impact of local events, like faults or security breaches, can cause cascading effects, eventually leading to large-scale disruptions.

Generally speaking, end users and consumers accept that software is not perfect. We are used to regular updates pushed by the vendors of our smartphones or desktop PC operating systems. However, according to network administrators, an unprecedented number of software updates has to be deployed in the network infrastructure just to ensure service continuity and security.

Last but not least, the role of network component and infrastructure suppliers has found its way into the news headlines as a potential source of 5G network security concerns, even if supply chain considerations are not new for network operators. While this risk is identified by the European Union Agency for Cybersecurity (ENISA), which published a number of recommendations to mitigate 5G network risks, the U.S. took extreme measures when U.S. president Donald Trump signed an executive order laying the groundwork to block Chinese telecommunications companies from selling equipment in the U.S.

Risk scenarios

The EU toolbox of risk-mitigating measures for cybersecurity of 5G networks classifies 5G network risks into 5 areas:

  • Insufficient security measures – This area is not new, and best practices have existed since the dawn of computer networks. It is a matter of education, awareness and enforcement of measures to minimise misconfiguration of networks and enforce access control.
  • 5G components supply chain – This area is less straightforward, because it involves some form of supply chain evidence and certification that all 5G components used for building a 5G network are sourced from trusted sources and perform the functions as advertised. Questions could be raised with respect to the organisational and technical applicability of such measures. For example, the update of a certified component that belongs to a fully certified service chain implies a re-certification not only of the component in question, but of the complete service chain.
  • Main threat actors (state interference or organised crime) – This area calls for a strong role of national and European authorities in assessing the risks associated with suppliers and possibly applying restrictions on suppliers of key 5G network assets. Some of the risks in this area can be mitigated by the measures applicable to the first and second areas, i.e., enforcing high standards for secure management, operation and monitoring of networks, as well as ensuring high software and system quality and integrity.
  • Interdependencies of 5G networks with critical infrastructures – Similarly, this area calls for a strong role of authorities in assessing the risks of cascading effects that a 5G network outage may have on critical infrastructures such as energy production and distribution, transportation systems, etc. Beyond the enforcement of high security standards, this area depends on measures that must be in place for reinforcing resilience and continuity of operations of affected critical infrastructures. The identification of potential cascading effects, including mitigation scenarios, belongs in this area.
  • End user devices – This area is potentially very vulnerable and represents in itself a large attack vector. While smartphones are generally maintained by the respective vendors, albeit with decreasing maintenance durations due to the shorter life expectancy of devices, it is the large number of IoT devices (e.g., simple surveillance cameras, low-end home routers, smart TVs, etc.) that are installed and “forgotten”. These devices contain software that “ages”, in the sense that vulnerabilities are discovered but not fixed by their respective vendors. Often vendors disappear from the market for various reasons, leaving behind an armada of devices that can be exploited for attacking networks.

Digital sovereignty

The identification of the above risk areas triggered a public debate about the fact that only a limited number of the components needed to deploy a 5G network could be sourced from trustworthy suppliers in Europe and, even worse, that we could not build a 5G network in Europe without components supplied by other regions of the world.

Digital sovereignty refers to control over our own digital assets – hardware, software and, last but not least, our data – and is not limited in scope to 5G networks. Digital sovereignty has become a concern for many policy-makers, who have voiced worries about too much control by too few actors among the large tech companies. From a European perspective this includes the fact that none of these large tech companies are located in Europe.

In the cybersecurity area, Cybercrime Magazine publishes a list of the “Hot 150”, the most innovative companies in the cybersecurity market [1]. It should be highly worrying for policy-makers that the list includes only 5 companies located in the EU, mostly smaller companies that grew out of the anti-virus business.

Liability

Further challenges, in particular with respect to trustworthiness, are induced by the multi-party, multi-layer nature of the 5G ecosystem, which makes it difficult to establish liability relations in case something goes wrong.

Traditionally, product liability – as judged in most court cases to date – is limited to “products” in the form of tangible personal property. However, the correct functioning of a future network service – in the simplest case the correct functioning of a networked sensor device – includes the functioning network and service. Therefore, the product or service may become defective upon (i) network or service failure (even temporary) and (ii) discovered security vulnerabilities. Smart networked devices have a far-reaching impact on device and network vendors, service companies, insurers and consumers.

The open questions in this respect are: How should the legal framework on liability evolve in order to cater for such liability chains? Beyond this, how would liability delegation work?

Conclusion

Following the publication of comprehensive and detailed reports on 5G cybersecurity threats by ENISA [2], the main stakeholders in the landscape, including mobile network operators, vertical industry customers, as well as member state and EU officials, have sufficient insight to engage and enact a long-term plan to protect European 5G and beyond 5G networks. Such a plan includes specified security measures, 5G good practices for operation and security assurance and, last but not least, a strong involvement of European citizens to raise awareness towards adoption of a basic cybersecurity-conscious mindset and related behaviour during the use of sophisticated 5G network services.

References

[1] Cybercrime Magazine Hot 150 list – https://cybersecurityventures.com/cybersecurity-500/

[2] ENISA reports on 5G cybersecurity threats – https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks