March 26, 2021
Telecom security in the 5G era
Last year marked successful 5G deployments around the globe. In 2021 and on, the telecom industry will be fast at work, rolling out next-gen connectivity on a wider scale across cities and rural areas as well as verticals and enterprises.
Indeed, the successor of 4G presents a wellspring of opportunities for communications service providers. On the one hand, the higher speed, improved bandwidth and lower latency of 5G offers a user experience step-up and paves the way for higher-value consumer services beyond traditional internet connection, mobile telephony, and television. On the other hand, enterprises across industries harbor high expectations for the technology’s advanced connectivity and its fundamentally new architecture, as it will allow them to ramp up IoT in telecom and harness other disruptive technologies.
Since 5G is expected to become an enabler of digitization and modernization for the business world, the bar of service availability and security is high. To facilitate that, the Third Generation Partnership Project (3GPP), which is the main body developing technical specifications for 5G networks, has laid out major security mechanisms and good practices CSPs are advised to implement in their deployments. However, many features are defined as optional, so telecom providers pressed for time, money, or resources can potentially make security trade-offs, leaving their architectures vulnerable.
On top of it, due to the inherently different nature of 5G, the operators are expected to face risks and attacks they may not know how to recognize and handle, so a comprehensive and well-equipped security architecture proves particularly important for ensuring enterprise-grade cybersecurity.
To help CSPs render their 5G networks as well as new consumer services secure by design, we have outlined the most effective protection measures to adopt during network deployment and service development.
Virtualization is perhaps the most revolutionary step telcos can take when deploying 5G, yeta a necessary one. Software-defined network (SDN) and network functions virtualization (NFV) are the two technologies used to build virtual network overlays on top of physical networks. According to the BPI Network’s 5G Headway Report 2020, a whopping 95% of respondents include virtualization into their 5G strategies, and around three-quarters are already progressing with it.
A shift away from the monolithic and closed hardware-centric infrastructure to an environment based on and managed by telecommunication software empowers providers to customize and configure their network offering without any previous limitations. Yet, this agility comes at a dear price. Firstly, virtualization makes core network functions, previously susceptible only to physical tampering, hackable by nature. Other than that, in a vast software-defined network, functions take place at a virtual network edge, so a single trivial but well-targeted attack can be enough to compromise the entire ecosystem.
There are several possible attack vectors in a virtualized network. SDN controllers are the most obvious targets, as they are the strategic control points, or “brains,” of a network, so a successful attack on them can bring the network down or give hackers control over it. Data plane, carrying network traffic, is another element of SDN at risk of spoofing or sniffing. For telecom operators that wish to venture into vertical service provision, multi-tenant NVFs are major weak points since they are associated with a range of security challenges.
But the programmable nature of virtualized networks is the cure as much as the source of the problem. A software-defined environment allows for rapid detection of breaches or attacks at any network location and a speedy response to them. Thus, telecom providers are advised to make use of this feature by automating network traffic filtering and security monitoring, powered with AI for enhanced threat detection precision.
To render a virtualized environment impregnable to spoofing, tampering, and other traffic-targeting attacks, telecom providers should also focus on strengthening the communication security within their networks. This can be achieved by departing from the traditional IPsec protocol in favor of the TLS v.1.2 or higher cryptographic and mutual authentication protocols, which prove more flexible and therefore better suited to multi-tenant environments.
To benefit from 5G’s much-vaunted vertical connectivity offers and business use cases, telecom providers need to undertake network slicing, or divide their single network architecture into multiple independent logical networks with different characteristics. The virtualized infrastructure together with NFV and SDN makes the creation of scalable and flexible network slices possible and quite straightforward, but safeguarding them requires novel security layers and methods. This therefore poses unprecedented challenges to operators.
A major security requirement for a multi-slice architecture is that each slice needs to be fully isolated from others, both physically and virtually, so that a successful attack couldn’t spread out and take down the entire network.
To reliably separate network slices sharing the same physical infrastructure, telecom enterprises need to introduce equipment-specific management mechanisms and develop custom scheduling policies, so that slices won’t use the same resources. If possible, enterprises should avoid hosting slices with very different characteristics on the same hardware, as it opens the door to side-channel attacks.
On the virtual layer, end-to-end slices isolation, achieved by chaining together appropriate network functions, should also be reinforced with additional protection layers. Leveraging cryptographic mechanisms, telecom security specialists can isolate vulnerable NVFI boundaries, NVF management and orchestration elements, and service instances, creating multi-layer isolation.
Needless to say that robust access policies should be adopted for each network slice to protect it from insider attacks, including misconfiguration or physical tampering.
Apart from impenetrable isolation, telecom operators need to embed cybersecurity controls into network slices themselves. At large, slicing security should draw on its purpose, specifications, and applications it supports, but the standard good practices include virtual firewalls, traffic types separation, traffic encryption, and endpoint authentication mechanisms. The situation when some devices need to access multiple network slices poses a particular threat, so these endpoints should first be authenticated by the 5G network and only then authorized to access a network slice.
5G is set to spur a wide-scale adoption of connected devices in the business and consumer spheres, driving the projected number of connections from 13.8 billion units in 2021 to 30.9 billion units in 2025, according to Statista. But apart from new revenue opportunities, the influx of IoT devices, designed with limited computational abilities and little to no in-built security, presents a security concern to network operators.
This complication, however, was anticipated during 5G development, and the network was supplied with the new authentication framework. Building on 4G’s cryptographic primitives and security characteristics, it allows for non-SIM-based credentials, such as token cards, certificates, and pre-shared keys, in addition to traditional physical SIM cards.
Moreover, 5G offers telecom operators to choose between three mutual authentication protocols—5G-AKA, EAP-AKA, and EAP-TLS, compatible with both mobile phones and SIMless devices.
But because of the unique specifications of each protocol, the choice needs to be thorough. The novel 5G authentication and key agreement (5G-AKA) protocol, built-for-purpose by 3GPP, is understandably making waves at the moment. This challenge-response authentication method uses asymmetric randomized encryption, making it immune to IMSI-catcher attacks, and stands out with improved roaming security features that prevent billing fraud. However, due to its novelty, 5G AKA is not fully studied, and some researchers have already recognized security shortcomings in the protocol, which render it vulnerable to linkability attacks.
EAP-AKA is an older AKA-based challenge-response authentication protocol that has the same level of security properties as 5G-AKA but differs from it in some technicalities, such as message flow and key derivation.
The addition of non-AKA-based authentication protocol EAP-TLS in 5G is a positive innovation, even if its use is limited to private networks or IoT environments. EAP-TLS uses a fundamentally different certificate-based mutual authentication model, which removes the need to store a large volume of long-term keys in the home network, as in the case with 5G-AKA and EAP-AKA. But on the other hand, EAP-TLS comes with a certificate management overhead and has security vulnerabilities that can be exploited when the infrastructure is misconfigured.
The pivot to 5G and environment virtualization not only creates new security challenges for telcos but also exacerbates some all-time threats. That’s why providers are encouraged to upgrade their existing safeguards.
First and foremost, the onset of 5G is bringing about the escalation of DDoS attacks in number, scale, and complexity, so telecom operators, who have been hackers’ primary targets over the years, need to enhance their protection even more in 2021.
Blackholing, or rerouting suspicious traffic into a “black hole” and thus dropping it from the network, is the most common DDoS mitigation measure in the telecom industry. The tactic would be efficient if not for one fatal flaw—it destroys both malicious and legitimate traffic, which in the highly connected nearest future can have disastrous consequences for a smart hospital, factory, or city.
So in preparation for 5G, operators can pivot to a more preserving tactic of DDoS mitigation involving scrubbing centers—dedicated facilities where DDoS-generated traffic is analyzed and legitimate traffic is separated and forwarded back to the original destination. To minimize the traffic downtime, which can reach up to 30 minutes, telecoms can adopt machine learning detection mechanisms to discern malicious traffic in a fraction of the time an infosec specialist needs.
Due to the pivot to vertical connectivity, the telecom industry also puts itself in the firing line of high-scale ransomware attacks targeting consumers. In the summer of 2020, Orange, the major French telecommunications provider, fell prey to Nefilim ransomware that exfiltrated sensitive data of twenty enterprise customers. Around the same time, Telecom Argentina found massive volumes of their data encrypted and held for a $7.5 million ransom.
Against this backdrop, the importance of backing up customer and device data as well as making it inaccessible to third parties with encryption cannot be stressed enough. Other than that, providers are advised to implement automated malware monitoring and detection engines into each network slice, tailored to the type of devices it serves, instead of a single, one-size-fits-all solution.
Last but not least is the security risk resting with the legacy 3G and 4G networks that telcos still run and support. Exploiting their well-known vulnerabilities and flaws, hackers can potentially gain backdoor access to a 5G infrastructure. This alarming opportunity signifies the importance of solid end-to-end 5G network slices isolation and the need to keep previous-generation networks’ protection mechanisms
In addition to following the 3GPP standards while deploying their 5G networks, telecom companies looking to partner with enterprises across industries and geographies need to be mindful of other relevant cybersecurity regulations.
In the EU, the GDPR is the major regulation defining data protection and privacy. Since it applies to the IoT devices lifecycle, telecom operators with plans to venture into vertical connectivity must follow it. Such network providers also need to take into account the Cybersecurity Act, an EU-wide cybersecurity certification framework for ICT products, services, and processes.
There is also the Toolbox on 5G Security issued by the European Commission for EU member states as a recommendation for telecom companies on strengthening their 5G deployment security. Although the regulation is voluntary, it is implemented on a national level, so service providers are expected to comply with it. Beyond this, the ePrivacy Regulation, focusing mostly on electronic communications, is currently under discussion. When passed, it is expected to strengthen communications security while also opening up new business opportunities for telcos.
In the US, there was no single federal IoT legislation until the Internet of Things Cybersecurity Improvement Act was signed into law at the end of 2020. The Act requires the National Institute of Standards and Technology (NIST) to develop security standards for managing federal government smart devices, and despite its narrow focus, it is highly anticipated to have a wide-ranging impact on IoT device manufacturers and connectivity providers. NIST hasn’t released the final version of their guidelines yet, but telcos developing service offers in the US are advised to keep them in mind.
In contrast, despite being at the forefront of IoT development, the Asia-Pacific region does not have substantial public or private IoT cybersecurity initiatives. Still, considering the rising importance of smart devices in the services sector and manufacturing as well as an alarming growth in cyberattacks against IoT, countries are highly likely to start drafting and enacting relevant laws in the nearest future.
While most industries usually conform with national data privacy and security laws, there are other sectors handling sensitive data that follow their own regulations.
Healthcare is a sector with one of the most rigorous data security laws aimed at protecting patients’ health information—HIPAA in the US, PDA in some EU countries, and DISHA in India. For IoMT connectivity providers to comply, it’s necessary to build specific data transmission, storage, and integrity safeguards together with sophisticated access control mechanisms into their services.
Another industry with established data security guidelines is banking and finance. PCI DSS, a universal standard mostly focusing on payment data security, also contains hardware and software security policies. They touch upon device communication encryption, specific protocols and standalone device security measures, and recommendations for IoT application development.
5G network deployment is a complex and multi-layered transformation, and security should be at the top of the agenda. Baking in effective safeguards and protection mechanisms when developing a network is the best way for a telecom provider to ensure their own impregnability as well as the security of their consumers and B2B partners.
Although the requirements related to 5G security are stringent, by meeting them telcos can tap into new addressable markets and refine their existing service offers, which makes all these efforts worthwhile.
Learn how telecom operators are emerging as industry-specific IoT connectivity providers and explore four real-life telco-facilitated IoT use cases.
Learn what security threats plague industrial IoT today and what countermeasures to adopt against them.
Itransition helped life:) automate its mobile network resource management with a high scalability web-based solution.
We look into the companies across industries that invested in IoT among the first and their IoT success stories.
Learn how Itransition delivered an integration environment that utilize multiple communication protocols in a distributed infrastructure.
Itransition took over a mobile carrier’s software development project to grow their subscriber base and strengthen its market positions.
End-to-end automation of assembly, testing and delivery resulted in a productivity increase of 800% with the whole cycle taking up 30-60 minutes.