Security in 5G Networks

March 24th, 2023
Cybersecurity Private Networks
By José Antônio Mechaileh

5G internet has arrived in Brazil, in capitals and large cities, bringing greater bandwidth and lower latency to enable a range of new business applications. This latest generation of cellular technology was designed to be more robust than its 3G and 4G predecessors. However, the security of 5G mobile networks also brings a new challenge for companies and new users.

5G can potentially represent security threats, partly because there are more vectors through which adversaries can attack. The technology is configured to allow a large number of connected devices, known as IoT. IoT devices act as threat agents because they can be controlled to form what is known as a botnet (a network of infected machines that can be controlled remotely) to carry out distributed denial-of-service, or DDoS, attacks to paralyze networks. The challenge is amplified by 5G use cases, such as connected cars and healthcare, which bring specific industry-critical security requirements.

The good news is that there is protection too! 5G is based on the 3GPP SBA architecture, being built on VNFs and CNFs, operating in virtualized networks that are typically governed by robust protocols. The figure below shows a high-level overview of the SBA architecture, composed of several layers:

In a multi-layered environment, some attack vectors can hit a layer left without sufficient protection, giving the attacker a vantage point in the environment and opening the doors for lateral movement to compromise other layers. Thus, protection and security assurance must span all network layers, from the Core to the gNodeBs.

The security of 5G networks creates an urgent need for the ecosystem — mobile operators, infrastructure providers, vertical sectors, and regulators — to work together.

Fundamentally, 5G security is important now because it is becoming essential for many other parts of our lives, not just for traditional internet connectivity and voice calls, but for entire industrial and commercial operations.

Native 5G Protections

Before entering into the new security challenges that 5G brings, it is important to establish that 5G networks are much more secure than 3G and 4G. Security issues — from the RAN to the network Core, passing through the various aggregation stages — were addressed and mitigated during the standardization process by the 3GPP (3rd Generation Partnership Project) teams.

Within 3GPP, the area that handles 5G network security is the 3GPP TSG SA WG3/SA3 (Security Assurance Specification). SA3 is responsible for defining the security requirements for 5G networks and developing the corresponding security standards. The SA3 team works closely with other 3GPP teams to ensure that security aspects are considered in all phases of the 5G network lifecycle, from conception to deployment and maintenance.

Several organizations join their efforts to offer standards regarding security in mobile networks.

Therefore, 5G security started from a much more advanced baseline than existing mobile systems. However, security threats are a constantly evolving arms race. New technologies and new ways of using them will create additional vulnerabilities.

Some of the security improvements introduced by 3GPP in the 5G network architecture include:

  • Stronger authentication: The 5G architecture uses stronger authentication than 4G networks. Furthermore, authentication is done in several steps, making it harder for attackers to spoof the identity of a device or user.
  • Enhanced encryption: 5G uses enhanced encryption to protect information transmitted over the network. Additionally, the 5G architecture allows for end-to-end encryption, meaning that information is encrypted from the source device to the destination device.
  • Network compartmentalization: The 5G architecture uses a compartmentalization approach, meaning that different types of traffic are separated into separate virtual networks (Control and User Planes). This makes it harder for attackers to access sensitive information, as it is kept separate from non-sensitive traffic.
  • Stricter access control: The 5G architecture uses stricter access control than 4G networks. This means that only authorized devices and users can access the network.
  • Protection against network attacks: The 5G architecture includes several protection measures against network attacks, such as traffic anomaly detection and protection against distributed denial-of-service (DDoS) attacks.

Security Threats to 5G Networks

First, 5G security challenges need to be recognized and addressed. The threats below stand out as the main dangers:

  • New terminal categories: The initial stages of 5G evolution concentrated on providing greater bandwidth, latency improvements, and a functional redesign of mobile networks to allow for more agility, efficiency, and openness (5G phase 1 – eMBB). Release 17, with the newly defined RedCap (Reduced Capability Devices), promises the true revolution in IoT, as predicted 10 years ago. These RedCap devices, also known as NR-Light, are a new category of devices that fill the capacity and complexity gap between old LPWA and new 5G URLLC, with an optimized design for intermediate use cases. While these improvements generate revenue opportunities for the entire ecosystem, the predicted explosion in the number of low-cost/low-power IoT devices also represents greater security risks for operators and users due to the larger attack surface.
  • Switching between networks increases risk: Another security risk is represented by the protocol designed to allow 4G or 3G connections when the 5G signal is not available. At the moment a 5G device performs a RAT handover to 3G or 4G, it is exposed to vulnerabilities that were not addressed in the previous generations’ protocol. When moving a UE from 5G to 3G or 4G, the mobile operator’s architecture must ensure there are no risks.
  • Network slicing and virtual networks: No discussion about 5G is complete without mentioning network slicing (NW slicing). What is slicing? 5G networks make intensive use of software to run most of the necessary functions, following the 3GPP SBA architecture. In the past, this would have been done in dedicated hardware. With 5G, everything is in software, so configurations can be changed and customized instantly. This allows operators to create customized virtual networks according to customer requirements. Someone using a slice can also combine their own software, systems, and network elements with it. All this flexibility and complexity in the architecture creates even more attack surfaces for 5G networks.
  • Attack Surface: 5G will have many more base stations (estimated up to 100x more, with mmWave fully deployed). There will also be many more devices connected to the network, from smartphones to CPEs, IoT devices, FWA, and all types of “modems.” The downside is what security jargon calls an “increased attack surface.” Careful thought will be required to protect all these new IoT devices, which historically have lower security standards and features, from NB-IoT, Cat-M, and other non-3GPP networks (such as Wi-Fi).
  • Physical Access Security: It’s not just the devices that need attention. Many more small cells mean that physical security at facilities will need more careful consideration. Leaving a door unprotected at a small base station could allow someone to plug in a laptop and take control of the cell, and this is a surprisingly easy problem to occur. In the past, when cell sites were large secure sites, this didn’t matter. Now it becomes another risk factor.
  • Heterogeneous Networks: 5G allows separate networks, operated by different entities, to function together seamlessly. This includes Private Networks and NTNs (non-terrestrial networks) using satellite systems or HAPS. The security risks here relate to the fact that “the whole is only as strong as the weakest link.” In practice, how do you ensure that all networks run by different organizations are configured correctly and that consistent security levels are maintained?
  • High-impact applications: An important part of the 5G security debate concerns the consequences of security breaches. Currently, if a mobile network stops working, it causes problems — but ultimately, the impact is low (sending messages, watching videos, making calls, or using apps). Security breaches can also lead to fraud or data theft. However, if 5G meets expert expectations, the compromise of a network due to security failures could be fundamentally different. Scenarios include exposing personal health data, interrupting production in a factory, crashing or colliding autonomous vehicles, or interrupting a remotely directed medical operation, to name just a few examples.
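On the monitoring side, the inter-RAT fallback risk in the list above can be tracked by measuring how often each cell moves 5G devices down to an older radio technology. The following is an added example, not part of the original article; the event record format, field names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real network data. Assumed record format:
# (timestamp, ue_id, serving_cell, source_rat, target_rat)
SAMPLE_EVENTS = [
    ("2023-03-24T10:00:01", "ue-01", "cell-A", "NR", "NR"),
    ("2023-03-24T10:00:05", "ue-02", "cell-A", "NR", "NR"),
    ("2023-03-24T10:00:09", "ue-03", "cell-A", "NR", "EUTRAN"),
    ("2023-03-24T10:00:12", "ue-01", "cell-A", "NR", "NR"),
    ("2023-03-24T10:00:20", "ue-04", "cell-A", "NR", "NR"),
    ("2023-03-24T10:01:02", "ue-05", "cell-B", "NR", "EUTRAN"),
    ("2023-03-24T10:01:04", "ue-06", "cell-B", "NR", "UTRAN"),
    ("2023-03-24T10:01:07", "ue-07", "cell-B", "NR", "UTRAN"),
    ("2023-03-24T10:01:11", "ue-10", "cell-B", "NR", "NR"),
    ("2023-03-24T10:01:15", "ue-08", "cell-B", "NR", "EUTRAN"),
    ("2023-03-24T10:02:00", "ue-09", "cell-C", "NR", "EUTRAN"),
    ("2023-03-24T10:02:30", "ue-09", "cell-C", "EUTRAN", "NR"),
]

# Radio access technology -> mobile generation.
RAT_GENERATION = {"GERAN": 2, "UTRAN": 3, "EUTRAN": 4, "NR": 5}


def is_fallback(source_rat, target_rat):
    """True when the handover lands on an older generation than it left."""
    return RAT_GENERATION[target_rat] < RAT_GENERATION[source_rat]


def fallback_stats(events):
    """Per cell: mobility events leaving NR, how many were fallbacks, which UEs."""
    stats = defaultdict(lambda: {"total": 0, "fallbacks": 0, "ues": set()})
    for _ts, ue, cell, src, dst in events:
        if src != "NR":
            continue  # only handovers that start on 5G are of interest here
        entry = stats[cell]
        entry["total"] += 1
        if is_fallback(src, dst):
            entry["fallbacks"] += 1
            entry["ues"].add(ue)
    return stats


def flag_cells(events, min_events=4, max_ratio=0.5):
    """Cells with enough samples whose fallback ratio exceeds the threshold."""
    flagged = {}
    for cell, s in fallback_stats(events).items():
        ratio = s["fallbacks"] / s["total"]
        if s["total"] >= min_events and ratio > max_ratio:
            flagged[cell] = {"ratio": round(ratio, 2), "ues": sorted(s["ues"])}
    return flagged


def dropped_below_4g(events):
    """(ue, cell) pairs that left NR for a 3G or 2G technology."""
    return sorted({(ue, cell) for _ts, ue, cell, src, dst in events
                   if src == "NR" and RAT_GENERATION[dst] < 4})


if __name__ == "__main__":
    print(flag_cells(SAMPLE_EVENTS))
    print(dropped_below_4g(SAMPLE_EVENTS))
```

The `min_events` floor keeps a cell with one or two samples, such as `cell-C` here, from being flagged on a ratio that means nothing statistically.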

What about Private 5G Networks?

The Enterprise sector is moving rapidly toward Digital Transformation, despite successive economic crises, the pandemic, and geopolitical problems that have plagued the world. Large companies with significant presence in their field are undergoing unprecedented changes, driven by the adoption of cloud services, IIoT, Data Analytics, AI, AR/VR, Edge, and Blockchain. Although the degree of implementation of these technologies varies in each vertical, there is a common factor: the need for connectivity in a fast, secure, and manageable network.

A Private 5G Network is a corporate network that provides communication connections for users belonging to a private organization, with specific application services tailored to each business’s needs. For industrial applications, the ability to deploy mobile networks to meet the reliability, latency, and security requirements of critical applications is fundamental for the new wave of cyber-physical systems known as Industry 4.0.

These networks can be implemented in various modes, much more flexible than the previous 3G and 4G generations. One can either use equipment totally separate from public networks or implement Private Networks with varying degrees of sharing with operators.

For RAN sharing, the two most used solutions are known as MOCN (Multi Operator Core Network) and MORAN (Multi Operator RAN):

  • In the MORAN architecture, everything in the RAN (antenna, tower, site, power), except for the radio spectrum, is shared between the private network and the operator. The network Cores are kept separate.
  • In the MOCN architecture, the networks share the same RAN, meaning that the bands are also shared. The network Cores are kept separate. MOCN is the more resource-efficient solution, as it offers mobile operators the opportunity to pool their respective spectrum allocations, resulting in greater trunking efficiency.

In addition to the existing solutions above, Private Networks can be implemented by sharing part of the public operators’ Core, in various formats, as shown in the figure below:

Currently, equipment for independent 4G/5G Private Networks is supplied in a small rack, with a server running the Core — implemented entirely in SW (VNF/CNF) — and with macro and/or small cells at the locations (on premises). If necessary, local processing capacity can be implemented via Edge Computing.

And how does security work in these Private Networks?

  • User enablement: Only UEs with SIM cards compatible with the Private Network will be able to access the services. These SIM cards will have parameters recorded with MCC, MNC, user authentication key, SPN/APN, network permissions, roaming information, and others specific to the corporate network. Beyond this “physical” protection, all enabled UEs will be in the local HSS database.
  • For obtaining local 5G services of the URLLC type (extremely low latency), many of the core components need to be within or as close as possible to the company. From a security standpoint, companies want their data kept on-site. Many Private Network tests exposed real-world needs that were incorporated into 3GPP Release 17 requirements. These needs range from changes in the RAN Scheduler to how to grant temporary access to guest users, similar to how corporate Wi-Fi user management works today.
  • The security of a private 5G network is very similar to a core or edge deployment. RAN and NAS encryption and integrity protection must be activated with equipment stored in a physical environment with controlled access. The administrator can create and distribute the NID root public key to the UEs (IoT, smartphones, CPs in general).
  • Private Networks using the slicing method (Core slicing): Care must be taken to protect the identification of UEs of a specific company, at the risk of allowing unauthorized access.
  • 5G MOCN and MORAN RAN sharing: Corporate Cores are on premises, while operator Cores are usually at the edge or distant, in a regional datacenter. RAN components are recommended to communicate with operator Cores using IPsec. Generally, control and user planes must be heavily protected.
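The user-enablement and Core-slicing points above combine into one admission decision: the SIM must carry the private network's MCC/MNC, the subscriber must exist in the local database, and the requested slice must belong to that subscriber's company. The following is an added example, not part of the original article and not an implementation of the 3GPP procedures; the data model, function names, and all subscriber data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed private-network identity. MCC 999 is the ITU-T E.212 code reserved
# for private networks; the MNC and every subscriber below are constructed.
NETWORK_PLMN = ("999", "70")


@dataclass(frozen=True)
class Subscriber:
    imsi: str
    enterprise: str
    allowed_slices: frozenset  # slice identifiers written as "SST-SD"


# Stand-in for the local subscriber database (constructed records).
SUBSCRIBERS = {
    "999700000000001": Subscriber("999700000000001", "factory-a",
                                  frozenset({"2-000001"})),
    "999700000000002": Subscriber("999700000000002", "logistics-b",
                                  frozenset({"1-000002"})),
}


def split_imsi(imsi, mnc_len):
    """Split an IMSI into (MCC, MNC, MSIN).

    The MNC length (2 or 3 digits) cannot be derived from the IMSI itself,
    so it is taken from the network's own configuration.
    """
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def admit(imsi, requested_slice, plmn=NETWORK_PLMN, subscribers=SUBSCRIBERS):
    """Return (allowed, reason). Every check fails closed."""
    try:
        mcc, mnc, _msin = split_imsi(imsi, len(plmn[1]))
    except ValueError:
        return False, "malformed IMSI"
    if (mcc, mnc) != plmn:
        return False, "foreign PLMN"
    sub = subscribers.get(imsi)
    if sub is None:
        return False, "not provisioned"
    # Slice isolation: a valid SIM from one company must not reach another's slice.
    if requested_slice not in sub.allowed_slices:
        return False, "slice not permitted"
    return True, "ok"


if __name__ == "__main__":
    for imsi, slice_id in [("999700000000001", "2-000001"),
                           ("999700000000002", "2-000001"),
                           ("001010000000001", "1-000002")]:
        print(imsi, slice_id, admit(imsi, slice_id))
```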

Strategy for 5G Operators

Today’s cyberattacks can already bypass mobile network security, and 5G, with billions of attack points, only makes things worse. Old protection approaches do not scale or will not be able to adequately prevent successful attacks on 5G networks. We must always remember that 5G radio network deployments include tens of thousands of small cells, device-to-device communications, and devices connected to several cells at the same time.

This evolution expands the threat landscape by increasing the number of intrusion points. With billions of connected devices and critical industrial applications depending on 5G networks, operators will have to deal with more frequent attacks and security incidents than in 4G. Given this scenario, it is important to adopt a comprehensive end-to-end security strategy that includes:

  • Complete visibility, inspection, and controls applied at all network layers, including applications, signaling, and data planes;
  • Cloud-based threat analysis combined with advanced big data;
  • Machine learning algorithms that can be utilized at different mobile network locations to provide rapid responses to known and unknown threats in real-time;
  • Security functions integrated with open APIs, to offer consistent security across software and hardware to support distributed 5G architectures;
  • Contextual security results, using data-driven threat prevention to locate and isolate infected devices before chain attacks can occur.

With these security features deployed, operators will be able to protect their network elements and subscribers, while providing differentiated network security services so that companies can transform their businesses, with confidence in the new 5G applications.

Is 5G Security a Shared Responsibility?

In many ways, 5G is a “shared responsibility model,” much like cloud services:

  • Standardization bodies determine how to implement a secure 5G network architecture, and operators are responsible for network security;
  • Companies are responsible for the data transported over the networks. These need to be aware of 5G security problems and risks so that they can be effectively protected;
  • Mobile network operators must adopt a continuous risk-based approach to monitor their network and services, evolving their security controls around emerging threats.

It is important that these groups are aligned and collaborating to ensure end-to-end security.
