Cyber Security Differential Analysis of 5G RAN and Core Networks – Part One
Executive summary
The goal of this research is to present an objective view on the criticality of 5G RAN and CORE networks from the security standpoint. The research identified the arguments used to justify differing perceptions of the criticality of 5G RAN and CORE.
Criticality is understood here in a broad sense and is not limited to the functions of the 5G network elements. Because the EU adopted a risk-based approach to assessing the criticality of 5G network elements, factors affecting the probability of exploitation, including security improvements and known vulnerabilities, have also been taken into consideration. These aspects naturally appear in the context of criticality and can be raised as arguments for or against it. However, the aim of the document is not to analyse security features or vulnerabilities in depth, but rather to summarize possible arguments.
The selected approach is desk research based on publicly available information from the market. The source documents include reports from cybersecurity organizations, government and regulatory bodies, researchers and analysts, and vendors of network equipment, as well as press articles. The intention of this document is not to perform its own risk analysis, but rather to present different opinions from the market and industry.
Introduction
Commercial implementations of 5G networks have now become a reality. After the first pilots started even before the first full 5G standard release in 2018 (Release 15) and the first commercial services offered soon after, the proliferation of 5G has recently accelerated with spectrum assignments. As of March 2021, commercial 5G services are offered in 24 EU member states (apart from Lithuania, Malta and Portugal) and in 26 other countries globally. There are also 258 trials covering multiple verticals still being conducted all over the world [1].
The 5G implementation process has also triggered a discussion about its security. Since the 5G standard was the first one designed to support specific use cases, it should meet the requirements defined by ITU-R for IMT-2020. Apart from enhanced mobile broadband (eMBB), the new use cases cover massive machine-type communications (mMTC) and ultra-reliable low-latency communications (URLLC) [2]. The latter two use cases are the ones expected to boost digital transformation across many verticals. Industrial IoT, VR/AR, Industry 4.0, V2X, public safety, remote healthcare and other applications will benefit from the capabilities offered by 5G. Because various mission-critical applications, business continuity and many public services, including critical infrastructure and essential services, will rely on 5G networks, the demand for security and reliability increases. The 5G network itself becomes a key component in end-to-end service delivery. The major concern is therefore that some inherent features of the 5G architecture, introduced to support the new use cases, also generate new security vulnerabilities and threats [3].
Compared to previous generations of cellular networks the key changes introduced in 5G include (but are not limited to) [3][4][5]:
Radio Access Network (RAN):
- New spectrum & increased density of base stations (gNB)
- Beamforming and massive Multiple Input Multiple Output (MIMO)
- Multi-RAT support
- More efficient multiplexing and modulation schemes
- Private network support
Core Network (CORE):
- Full virtualization of network functions (NFV)
- Use of Software Defined Networks (SDN)
- Network Slicing (NS) support
While 5G New Radio (NR) can be perceived as an evolution of 4G RAN, the concept of full virtualization, accompanied by an IP-based protocol stack and network slicing capability, is a major change. However, this shift towards software-based technologies widely used in the IT world may also have a significant impact on security [3][6][8].
Chart 1. 5G network architecture, source: http://5gblogs.com/5g-network-architecture/
Given the urgent need to deploy 5G networks, and considering the criticality of 5G use cases and the challenges arising from the new network architecture outlined above, decision makers, both at the national level and among MNOs, need to select solutions and vendors that assure a high level of security [7][8]. In particular, in the EU, the member states are obliged to follow the so-called 5G Toolbox [8] as a risk mitigating measure. The 5G Toolbox employs a risk-based approach and defines measures to ensure security in 5G deployments. The criticality of different network components was assessed during the EU-coordinated risk assessment [12], which was an important input to the 5G Toolbox. However, the implementation of the 5G Toolbox is up to the member states. From a vendor perspective this becomes a crucial decision.
The goal of this research is to present an objective view on the criticality of 5G RAN and CORE networks from the security standpoint. In particular it will focus on two issues. Is RAN equally critical as CORE? What arguments can be used to justify the perception of RAN’s criticality?
The desk research is based on publicly available information from the market. The source documents include reports from cybersecurity organizations, government and regulatory bodies, researchers and analysts, and suppliers of network equipment, as well as press articles. The meta-analysis covered over 400 sources related to the topic of 5G security. After a review, a subset of the identified sources was referenced and listed.
The following articles of this series present the views on RAN and CORE criticality held by various entities:
- government, regulatory and standardization bodies (EC, 3GPP/ETSI, GSMA, ITU, etc.),
- security agencies (ENISA, CISA),
- vendors,
- other entities, like: researchers, analysts, press
The Summary article presents an overview of the arguments used in the discussion about RAN and CORE criticality.
Risk analysis of 5G network: RAN and CORE criticality
Security Organizations
Organizations specializing in cybersecurity, operating in different countries, unanimously stress the need to be particularly careful when planning, implementing and maintaining 5G infrastructure, and to adhere to the developed security standards. Organizations of particular importance in the international context include the European Union Agency for Cybersecurity (ENISA) and the Cybersecurity and Infrastructure Security Agency (CISA), which are the key authorities responsible for security policy in Europe and the United States.
The new generation of 5G networks requires many additional devices and systems to be added to the current ICT infrastructure. The authors of the reports claim that their operation can significantly change threat profiles through the emergence of many new vulnerabilities, changes in exposure and in the number of critical resources, new tools and methods for exploiting vulnerabilities, new targets for threat actors, and new attack motives and targets. Additionally, they place noticeable emphasis on the criticality of the planned deployment of physical hardware and software. Alongside significant benefits (such as automatic configuration and updating), they emphasize the high level of threat resulting from the greater role of external suppliers of these assets. The authors indicate that external providers may be used by foreign countries for activities threatening the security of the ICT network in a given area.
In November 2019, the European Union Agency for Cybersecurity, with the support of the EU Member States, the European Commission and experts, published the first 5G Threat Landscape, assessing the threats related to 5G.
Based on the analysis of the report “ENISA Threat Landscape For 5G Networks” [3], 89 possible vulnerabilities can be identified in the area of the core network (Tab. 2). Additionally, the report includes tables related to Network Slicing (Tab. 3), Network Function Virtualization – MANO (Tab. 3), Software Defined Networks (Tab. 4) and Physical Core Infrastructure vulnerabilities (Tab. 4), from which 12, 38, 13 and 1 core network related vulnerabilities, respectively, can be identified. Generic vulnerabilities were not included in this summary.
In the CISA report “Potential Threat Vectors To 5G Infrastructure” [16], the authors emphasize the criticality of core functions shifted to the edge of the network. They note that “the presence of system components, such as hypervisors, operating systems, and applications in the MEC, may provide malicious actors with additional attack vectors to intercept, manipulate, and destroy critical data. Untrusted components or malware inserted within the MEC may impact user privacy by providing malicious actors the capability to clone devices and impersonate end-users to make calls, send texts, and use data. Malicious actors can use untrusted components or malware to gain access to the MEC and end-user components, leveraging them to gain access to the wider radio access network (RAN)”.
Additionally, the report gives an example of an attack on a fifth-generation network carried out via LTE networks. The purpose of this example is to highlight the first phases of the development of next-generation (“Non-Standalone”) networks, in which older generations will still be present. The authors of the report point out that by using old, unnoticed vulnerabilities of the 4G network, it is possible to lower the 5G security level, affecting the modification of the device. As a result, the attackers could use the vulnerabilities in the SS7 system and the Diameter protocol, and then penetrate the network, acquiring sensitive data.
Radio Access Network
In the case of Radio Access Networks, the ENISA report [3] shows fewer vulnerabilities than for the core network. The authors of the report identified 73 examples (Table 7) related to the RAN. However, the ENISA reports do not make a clear comparison of the criticality levels of the core network and the radio access network.
There are also a number of vulnerabilities identified for the MEC function, which can be assigned either to RAN or to CORE depending on the selected approach or deployment scenario.
Regarding the criticality of the radio network, its lower criticality level in relation to the backbone network was also recognized by ENISA in the 5G Supplement [17], which was released in December 2020. This document contains a 5G technology profile which supplements the technology-neutral Guideline on Security Measures under the EECC. In the document, ENISA refers to the NIS Cooperation Group table (Tab. 1), in which the Radio Access Network threat level is “High”, compared to core network functions defined as “Critical”.
In the document Security in 5G Specifications [18], published in February 2021, ENISA emphasizes the importance of protecting keys held in the gNB (i.e., RAN base stations), such as session keyring material, which also contains long term keys used for authentication and security association setup. These requirements specify that any part of a gNB deployment that stores or processes keys in clear text has to be protected from physical attacks. No specifics are given, however, with regard to the type and required level of such protection. Nevertheless, this issue can be considered serious because of the possibility (according to ENISA) of intercepting the keys from the base station, which can be interpreted as a high level of criticality.
A 2020 CISA report, “Edge Vs. Core – An Increasingly Less Pronounced Distinction In 5G Networks” [18], pays particular attention to the increased sensitivity of the new generation of networks as a result of the implementation of Edge Computing. While edge computing will support core functionality at the RAN, it is not part of the core, and any issues that affect the edge may not reach the core network. The integration of some core functions into the RAN and the blurring of traditional network boundaries may increase the risk that compromises of previously non-sensitive equipment (e.g., base stations, small cells) will lead to greater impacts to the confidentiality, integrity, and availability of the overall network.
In CISA 5G Strategy [19], CISA proposed a strategy for government bodies. Each of the strategic initiatives addresses critical risks to secure 5G deployment, such as physical security concerns, attempts by threat actors to influence the design and architecture of the network, vulnerabilities within the 5G supply chain, and an increased attack surface for malicious actors to exploit weaknesses. CISA will focus on Use Cases.
To be continued…
References
[1] https://5gobservatory.eu/, Date of website access 17.06.21
[2] Recommendation ITU-R M.2083-0 (09/2015), ITU 2015
[3] ENISA ‘Threat landscape for 5G networks (Updated)’, December 2020
[4] 3GPP TR 21.915 V2.0.0, 3GPP Specification
[5] 3GPP TR 21.916 V2.0.0, 3GPP Specification
[6] ‘5G Security Issues’, Positive Technologies, 2019
[7] EC ‘Cybersecurity of 5G networks’, Commission Recommendation, March 2019
[8] NIS CG ‘Cybersecurity of 5G networks EU Toolbox of risk mitigating measures’, January 2020
[9] https://ec.europa.eu/growth/tools-databases/tris/index.cfm/en/search/?trisaction=search.detail&year=2021&num=137&dLang=EN
[10] https://ec.europa.eu/growth/tools-databases/tris/en/search/?trisaction=search.detail&year=2021&num=137
[11] Reference: C(2019)2335, Commission Recommendation Cybersecurity of 5G networks, European Commission, March 2019
[12] EU coordinated risk assessment of the cybersecurity of 5G networks. Report, p. 17
[13] EU Toolbox For 5G Security, European Commission, January 2020
[14] EU coordinated risk assessment of the cybersecurity of 5G networks, NIS Cooperation Group, October 2019
[16] Potential Threat Vectors To 5G Infrastructure, CISA, 2021
[17] 5G Supplement – to the Guideline on Security Measures under the EECC, ENISA, December 2020
[18] Security in 5G Specifications – Controls in 3GPP, ENISA, February 2021
[19] EDGE VS. CORE – AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKS, CISA, 2020