GSMA


Virtualisation

The 5GC network architecture will be service-based, meaning that core network operations may be performed through functions outside the operator network, e.g. in the cloud. This is a major shift from established core network security controls, but it offers the operator the opportunity to leverage virtualisation technologies.

With this opportunity come new threat vectors to contend with. Traditional virtualisation controls, including tenant and resource isolation, should be considered. Suitable isolation controls reduce the risk of data leakage and the impact of virtualisation-aware malware outbreaks. Microprocessor-level vulnerabilities such as Spectre and Meltdown have shown that tenant isolation within a virtual environment is not guaranteed; tenants should therefore be co-located according to their security requirements, e.g. do not house lower-security tenants together with high-security tenants.

Containerisation is an OS-level virtualisation technology that is gaining traction. The host OS constrains the container's access to physical resources, such as CPU, storage and memory, so a single container cannot consume all of a host's physical resources, which reduces the impact of availability attacks against the platform. Containers often run as root, however, which makes escaping the container and accessing the underlying host file system possible.
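The resource limits and non-root execution described above can be verified on a running host. The following added example (not GSMA's and not from this page) audits records in the shape of `docker inspect` output for the weak settings the paragraph names: a root user, missing CPU, memory or PID limits, privileged mode, added capabilities and a shared host PID namespace. The two records and the container names `nf-amf` and `nf-smf` are constructed sample data.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not captured
# from a real host): nf-amf runs as root with no limits, nf-smf is hardened.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nf-amf", "Config": {"User": ""},
     "HostConfig": {"Memory": 0, "NanoCpus": 0, "PidsLimit": None,
                    "Privileged": False, "CapAdd": ["SYS_ADMIN"], "PidMode": ""}},
    {"Name": "/nf-smf", "Config": {"User": "10001:10001"},
     "HostConfig": {"Memory": 536870912, "NanoCpus": 500000000, "PidsLimit": 256,
                    "Privileged": False, "CapAdd": None, "PidMode": ""}},
])


def audit_container(record):
    """Return a list of isolation findings for one docker-inspect record."""
    findings = []
    host = record.get("HostConfig", {})
    user = record.get("Config", {}).get("User") or ""
    # An empty User means the image default, which is root unless the image says otherwise.
    if user in ("", "root", "0") or user.startswith(("root:", "0:")):
        findings.append("runs as root: a container escape yields host root")
    if not host.get("Memory"):
        findings.append("no memory limit: one tenant can exhaust host RAM")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit: one tenant can starve the others")
    if not host.get("PidsLimit"):
        findings.append("no pids limit: a fork bomb can exhaust host PIDs")
    if host.get("Privileged"):
        findings.append("privileged: namespaces and cgroups no longer isolate it")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}: widens the escape surface")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in an inspect dump."""
    return {r["Name"].lstrip("/"): audit_container(r) for r in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

On a real host the same function can be fed the output of `docker inspect $(docker ps -q)`.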

Software-defined networking (SDN) gives operators the opportunity to virtualise their network flows, leading to a simplification of hardware.

All virtualisation technologies enable network segmentation and resource isolation, improving security and reducing the impact of successful attacks. The configuration of these services should be carried out with a secure-by-design ethos so that the protection offered is not nullified by poor management and orchestration (MANO) processes.

The central control system, often the hypervisor, acts as the brain of virtualised technologies, so the protection of this underlying technology should be high. Specific threat modelling for virtualisation-aware attacks and vulnerabilities should be completed.

Cloud Services

Building on virtualised services, the Cloud is a key 5G enabler: the 5G architecture has been designed to be cloud native because this brings elasticity and scalability. Using cloud technology can, however, complicate the supply chain and the liability chain.

According to Mobile World Live, 5G allows operators to expose rich services through the Cloud and RESTful APIs. Secure coding practices should be followed to ensure data is not leaked and the code cannot be used to exploit the cloud provider or the operator network.

Network Slicing

Network slicing allows the operator to customise the behaviour of the network, adapting (slicing) the network to service specific use cases using the same hardware. The GSMA has defined 35 attributes that characterise a network slice in Permanent Reference Document (PRD) NG.116.

The security model for each slice should be adapted to the use case. Different levels of isolation can be envisaged, spanning from a single node of the core network to fully dedicated radio access. Each isolation type must be integrated at the design phase. For example, a network slice for remote surgery must consider constant mutual identification and authorisation to stop MITM threats, whereas a slice for AR/VR content management will not require the same level of security.

Mobile IoT

Although the IoT is already prevalent in 2G/3G/4G networks, the number of IoT connections is expected to increase exponentially in 5G. Bigger does not mean the security controls must change significantly, but they must scale. The IoT needs to be securely coded, deployed and managed throughout its lifecycle. Most IoT services share a common architecture, so the attacks each service will be subjected to are likely to fit within three common attack scenarios:

1. Attacks on the devices (endpoints): via the applications running on the device, remotely from the internet, and via physical attack.
2. Attacks on the service platforms (i.e. the cloud).
3. Attacks on the communications links (e.g. cellular, WLAN, BLE air interface etc.).

On the outbound leg, IoT devices are increasingly being leveraged to launch DDoS attacks: each device creates some form of data, and combined with the sheer volume of devices this results in significant volume-based attacks.

eSIM

An eSIM eliminates the need for a removable SIM card in the mobile device. The data that would be on that card is instead prepared on a remote SIM provisioning platform (SM-DP+) and then downloaded, in the form of an eSIM Profile, via HTTPS into a secure element (eUICC) permanently embedded in the mobile device.

This eUICC, identified by a globally unique EID, is able to store many Profiles, and when a Profile is enabled, the data in that Profile is used to identify and authenticate the subscriber to the mobile network in the same way a removable SIM card would.

The system uses Public Key Infrastructure (PKI) certificates allowing the SM-DP+ and eUICC to mutually authenticate each other. All keys are generated with Perfect Forward Secrecy (PFS).

Management of eSIM Profiles on the eUICC is carried out by the End User in the consumer use case, or by a remote SIM provisioning platform in the M2M/IoT use case.

Artificial Intelligence (AI)

Although an umbrella term for many technologies, AI is expected to be widely employed in 5G networks and should benefit security. Operators should leverage Machine Learning (ML) and Deep Learning (DL) to automate threat and fraud detection.

Use of AI is particularly relevant when considering the volumes of data that 5G networks will generate. AI may be a more feasible way to mitigate previously unknown attacks in real time. AI may also be used to power self-healing networks, where the system is able to identify issues and take automated action to deliver the fix.

However, this technology is also available to the attacker and AI-driven attacks are anticipated.
