The past few years have seen successful 5G deployments around the globe. From 2022 onward, the telecom industry will be hard at work rolling out next-gen connectivity on a wider scale across cities and rural areas as well as across verticals and enterprises.
To help communication service providers (CSPs) render their 5G networks, telecommunications software, as well as new consumer services secure by design, we have outlined the most effective protection measures to adopt during network deployment and service development.
Why 5G poses new challenges for telecom security
Indeed, the successor of 4G presents a wellspring of opportunities for communications service providers. On the one hand, the higher speed, improved bandwidth and lower latency of 5G offer a step up in user experience and pave the way for higher-value consumer services beyond traditional internet connectivity, mobile telephony, and television. On the other hand, enterprises across industries harbor high expectations for the technology’s advanced connectivity and its fundamentally new architecture, as it will allow them to ramp up IoT in telecom and harness other disruptive technologies.
Because 5G is expected to become an enabler of digitization and modernization for the business world, the bar of service availability and security is high. To facilitate that, the Third Generation Partnership Project (3GPP), which is the main body developing technical specifications for 5G networks, has laid out major security mechanisms and good practices CSPs are advised to implement in their deployments. However, many features are defined as optional, so telecom providers pressed for time, money, or resources can potentially make security trade-offs, leaving their architectures vulnerable.
On top of that, because 5G is inherently different in nature, operators are expected to face risks and attacks they may not know how to recognize and handle, so a comprehensive and well-equipped security architecture is particularly important for ensuring enterprise-grade cybersecurity.
How to adjust telecom security to 5G
Enable network virtualization
Virtualization is perhaps the most revolutionary, yet necessary, step telcos can take when deploying 5G. Software-defined networking (SDN) and network functions virtualization (NFV) are the two technologies used to build virtual network overlays on top of physical networks. According to the BPI Network’s 5G Headway Report, a whopping 95% of respondents include virtualization in their 5G strategies, and around three-quarters are already progressing with it.
A shift away from monolithic, closed, hardware-centric infrastructure to an environment based on and managed by telecommunication software lets providers customize and configure their network offerings free of the previous limitations. Yet this agility comes at a price. First, virtualization exposes core network functions, previously susceptible only to physical tampering, to software-based attacks. Second, in a vast software-defined network, functions run at the virtual network edge, so a single trivial but well-targeted attack can be enough to compromise the entire ecosystem.
There are several possible attack vectors in a virtualized network. SDN controllers are the most obvious targets: as the strategic control points, or “brains,” of a network, a successful attack on them can bring the network down or hand control of it to the attacker. The data plane, which carries network traffic, is another element of SDN at risk of spoofing or sniffing. For telecom operators that wish to venture into vertical service provision, multi-tenant virtualized network functions (VNFs) are major weak points, since they come with a range of security challenges of their own.
But the programmable nature of virtualized networks is the cure as much as the source of the problem. A software-defined environment allows for rapid detection of breaches or attacks at any network location and a speedy response to them. Thus, telecom providers are advised to make use of this feature by automating network traffic filtering and security monitoring, powered with AI for enhanced threat detection precision.
To make a virtualized environment resistant to spoofing, tampering, and other traffic-targeting attacks, telecom providers should also focus on strengthening communication security within their networks. This can be achieved by departing from the traditional IPsec protocol in favor of TLS 1.2 or higher with mutual authentication, which proves more flexible and therefore better suited to multi-tenant environments.
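As an added illustration of the TLS 1.2-or-higher, mutually authenticated link between two network functions described above (example code written for this page, not taken from the article or from any vendor or 3GPP implementation), the snippet below builds the server-side and client-side TLS policy and audits an arbitrary context against it. The certificate, key and CA paths are assumptions left as parameters; with none supplied, the contexts are built without key material so the policy can be inspected offline.

```python
"""Mutually authenticated TLS 1.2+ between network functions (NFs).

Constructed example for this page. Certificate/key/CA paths are assumptions:
pass the NF's own files to actually establish connections; with None the
contexts are created but no key material is loaded.
"""
import ssl
from typing import List, Optional

# Floor shared by both directions of an NF-to-NF link; TLS 1.3 stays negotiable.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def _apply_common_policy(ctx: ssl.SSLContext) -> None:
    # Refuse anything older than TLS 1.2.
    ctx.minimum_version = MIN_TLS_VERSION
    # The peer must present a certificate that chains to a trusted CA;
    # this is what turns one-way TLS into mutual authentication.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # TLS-level compression is a known information leak; keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION


def server_context(cert_file: Optional[str] = None,
                   key_file: Optional[str] = None,
                   ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for the NF that accepts connections; demands a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    _apply_common_policy(ctx)
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)   # this NF's own identity
    if ca_file:
        ctx.load_verify_locations(ca_file)         # CA that signs peer NF certificates
    return ctx


def client_context(cert_file: Optional[str] = None,
                   key_file: Optional[str] = None,
                   ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for the NF that initiates connections; presents its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    _apply_common_policy(ctx)
    # Bind the server certificate to the NF's FQDN, not just to "some trusted CA".
    ctx.check_hostname = True
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of the policy (empty list = compliant)."""
    findings: List[str] = []
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (no mutual authentication)")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("server hostname not verified")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The common anti-pattern the audit is meant to catch: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened server:", audit_context(server_context()) or "compliant")
    print("hardened client:", audit_context(client_context()) or "compliant")
    print("weak client:    ", audit_context(weak_client_context()))
```

The audit is the piece worth keeping around: run it against every context your NF code creates (for example in a unit test) so that a convenience change such as `verify_mode = CERT_NONE` made during debugging cannot quietly reach production.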
Ensure end-to-end network slicing
To benefit from 5G’s much-vaunted vertical connectivity offers and business use cases, telecom providers need to undertake network slicing, that is, divide their single network architecture into multiple independent logical networks with different characteristics. The virtualized infrastructure, together with NFV and SDN, makes the creation of scalable and flexible network slices possible and quite straightforward, but safeguarding them requires novel security layers and methods, which poses unprecedented challenges to operators.
A major security requirement for a multi-slice architecture is that each slice must be fully isolated from the others, both physically and virtually, so that a successful attack cannot spread and take down the entire network.
To reliably separate network slices sharing the same physical infrastructure, telecom enterprises need to introduce equipment-specific management mechanisms and develop custom scheduling policies, so that slices do not contend for the same resources. Where possible, enterprises should avoid hosting slices with very different characteristics on the same hardware, as doing so opens the door to side-channel attacks.
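The scheduling policy just described can be made concrete. The following is an added example (not code from the article or from any orchestrator) of a placement routine that admits a slice onto a shared host only if the host has spare capacity and every slice already on it shares the newcomer's traffic profile; a slice flagged as dedicated gets a host to itself. Host names, slice names, profiles and capacity units are all constructed for the illustration.

```python
"""Placing network slices on shared hardware without co-locating slices of
different characteristics. Constructed example for this page; hosts, slices
and the "cpu" capacity unit are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Slice:
    name: str
    profile: str            # traffic characteristics, e.g. "eMBB", "URLLC", "mMTC"
    cpu: int                # resource units the slice's functions need
    dedicated: bool = False  # True: must never share a host with another slice


@dataclass
class Host:
    name: str
    cpu_capacity: int
    placed: List[Slice] = field(default_factory=list)

    def cpu_used(self) -> int:
        return sum(s.cpu for s in self.placed)

    def accepts(self, s: Slice) -> bool:
        """Capacity check plus the isolation rule from the text."""
        if self.cpu_used() + s.cpu > self.cpu_capacity:
            return False
        if s.dedicated and self.placed:
            return False
        for other in self.placed:
            # A dedicated tenant blocks newcomers; slices with different
            # characteristics must not share hardware (side-channel exposure).
            if other.dedicated or other.profile != s.profile:
                return False
        return True


def place_slices(hosts: List[Host], slices: List[Slice]) -> Dict[str, Optional[str]]:
    """Greedy placement: each slice goes to the first host that accepts it.

    Returns slice name -> host name, or None when no compliant host is free.
    Dedicated and larger slices are placed first so they are not squeezed out.
    """
    order = sorted(slices, key=lambda s: (not s.dedicated, -s.cpu))
    result: Dict[str, Optional[str]] = {}
    for s in order:
        target = next((h for h in hosts if h.accepts(s)), None)
        if target is not None:
            target.placed.append(s)
        result[s.name] = target.name if target else None
    return result


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: three hosts, four slices with three distinct profiles."""
    hosts = [Host("host-a", 8), Host("host-b", 8), Host("host-c", 4)]
    slices = [
        Slice("video-embb-1", "eMBB", 4),
        Slice("video-embb-2", "eMBB", 3),
        Slice("factory-urllc", "URLLC", 2),
        Slice("meters-mmtc", "mMTC", 2, dedicated=True),
    ]
    return place_slices(hosts, slices)


if __name__ == "__main__":
    for slice_name, host_name in demo().items():
        print(f"{slice_name:15s} -> {host_name}")
```

A `None` in the result is the important output: it means the isolation policy could not be honored with the hardware available, and the right response is to add capacity or relax the policy deliberately, not to let the orchestrator pack the slice wherever it fits.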
On the virtual layer, end-to-end slice isolation, achieved by chaining together the appropriate network functions, should also be reinforced with additional protection layers. Using cryptographic mechanisms, telecom security specialists can isolate vulnerable NFVI boundaries, NFV management and orchestration elements, and service instances, creating multi-layer isolation.
Needless to say, robust access policies should be adopted for each network slice to protect it from insider threats, including misconfiguration and physical tampering.
Beyond strong isolation, telecom operators need to embed cybersecurity controls into the network slices themselves. In general, slice security should be driven by the slice’s purpose, specifications, and the applications it supports, but standard good practices include virtual firewalls, separation of traffic types, traffic encryption, and endpoint authentication mechanisms. Devices that need access to multiple network slices pose a particular risk, so these endpoints should first be authenticated by the 5G network and only then authorized to access a given network slice.
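The ordering in the last sentence, network authentication first and per-slice authorization second, is easy to get wrong in an access gateway. The code below is an added example written for this page (not the article's or any vendor's implementation) of a gate that enforces that order: a device obtains a session token only after a successful authentication step, and every slice request is checked against that token and against the device's slice subscriptions. Device identifiers, slice labels, the subscription table and the token scheme are constructed stand-ins for the network's real registration and subscription data.

```python
"""Authenticate the device with the network first, then authorize it per slice.

Constructed example for this page. Device IDs, slice labels, subscriptions and
the HMAC-based session token are invented stand-ins for the network's real
registration procedure and subscriber database.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed subscription data: which slices each device is entitled to use.
SLICE_SUBSCRIPTIONS: Dict[str, Set[str]] = {
    "dev-001": {"slice-embb"},
    "dev-002": {"slice-embb", "slice-iot"},   # a legitimately multi-slice device
    "dev-003": set(),                          # registered, but entitled to nothing
}


@dataclass
class Decision:
    allowed: bool
    reason: str


class SliceAccessGate:
    """Two ordered steps: network authentication, then per-slice authorization."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions: Dict[str, bytes] = {}   # device id -> live session token

    def authenticate(self, device: str, credential_ok: bool) -> Optional[bytes]:
        """Stand-in for the network's authentication of the device.

        `credential_ok` abstracts the real credential check; on success the
        device receives a token bound to its identity and this session.
        """
        if not credential_ok:
            self._sessions.pop(device, None)
            return None
        nonce = secrets.token_bytes(16)
        token = hmac.new(self._key, device.encode() + nonce, hashlib.sha256).digest()
        self._sessions[device] = token
        return token

    def authorize(self, device: str, token: Optional[bytes], slice_id: str) -> Decision:
        # Step 1: refuse anything not already authenticated by the network.
        # The token is checked against the one issued to *this* device, so a
        # token issued to another device cannot be replayed.
        expected = self._sessions.get(device)
        if token is None or expected is None or not hmac.compare_digest(token, expected):
            return Decision(False, "device not authenticated by the network")
        # Step 2: authorization is per slice; a device may hold several.
        if slice_id not in SLICE_SUBSCRIPTIONS.get(device, set()):
            return Decision(False, f"{device} is not authorized for {slice_id}")
        return Decision(True, f"{device} authorized for {slice_id}")


if __name__ == "__main__":
    gate = SliceAccessGate(b"constructed-demo-key")
    tok = gate.authenticate("dev-002", credential_ok=True)
    for s in ("slice-embb", "slice-iot", "slice-enterprise"):
        print(gate.authorize("dev-002", tok, s))
    print(gate.authorize("dev-001", None, "slice-embb"))
```

Because authorization is evaluated per slice rather than once per device, a multi-slice endpoint that is compromised on one slice still has no standing on a slice it was never subscribed to, and the reason strings give the monitoring side something to alert on when a device starts probing slices outside its subscription.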
Final thoughts
5G network deployment is a complex, multi-layered transformation, and security should be at the top of the agenda. Building effective safeguards and protection mechanisms into the network as it is developed is the best way for a telecom provider to secure its own infrastructure as well as the security of its consumers and B2B partners.
Although the requirements related to 5G security are stringent, by meeting them telcos can tap into new addressable markets and refine their existing service offers, which makes all these efforts worthwhile.