Wednesday, June 26, 2024

    How to update telecom security for the 5G era

    Although the wider adoption of 5G, together with faster connection speeds and improved bandwidth, opens up new prospects for telecom service providers, it also poses new risks in terms of network security.

    Here Roman Davydov, technical expert at Itransition explains how telcos can make their newly-established 5G networks as well as telecom software solutions more impenetrable and secure.

    Implement robust device authentication protocols

    5G is set to spur a wide-scale adoption of connected devices in the business and consumer spheres. But apart from new revenue opportunities, the influx of IoT devices, designed with limited computational abilities and little to no in-built security, presents a security concern to network operators.

    This complication, however, was anticipated during 5G development, and the network was supplied with the new authentication framework. Building on 4G’s cryptographic primitives and security characteristics, it allows for non-SIM-based credentials, such as token cards, certificates, and pre-shared keys, in addition to traditional physical SIM cards.

    Moreover, 5G offers telecom operators to choose between three mutual authentication protocols—5G-AKA, EAP-AKA, and EAP-TLS, compatible with both mobile phones and SIMless devices.

    But because of the unique specifications of each protocol, the choice needs to be thorough. The novel 5G authentication and key agreement (5G-AKA) protocol, built-for-purpose by 3GPP, is understandably making waves at the moment. This challenge-response authentication method uses asymmetric randomized encryption, making it immune to IMSI-catcher attacks, and stands out with improved roaming security features that prevent billing fraud. However, due to its novelty, 5G AKA is not fully studied, and some researchers have already recognized security shortcomings in the protocol, which render it vulnerable to linkability attacks.

    EAP-AKA is an older AKA-based challenge-response authentication protocol that has the same level of security properties as 5G-AKA but differs from it in some technicalities, such as message flow and key derivation.

    The addition of non-AKA-based authentication protocol EAP-TLS in 5G is a positive innovation, even if its use is limited to private networks or IoT environments. EAP-TLS uses a fundamentally different certificate-based mutual authentication model, which removes the need to store a large volume of long-term keys in the home network, as in the case with 5G-AKA and EAP-AKA. But on the other hand, EAP-TLS comes with a certificate management overhead and has security vulnerabilities that can be exploited when the infrastructure is misconfigured.

    Upgrade legacy security controls

    The pivot to 5G and environment virtualization not only creates new security challenges for telcos but also exacerbates some all-time threats. That’s why providers are encouraged to upgrade their existing safeguards.

    First and foremost, the onset of 5G is bringing about the escalation of DDoS attacks in number, scale, and complexity, so telecom operators, who have been hackers’ primary targets over the years, need to enhance their protection even more in 2022.

    Blackholing, or rerouting suspicious traffic into a “black hole” and thus dropping it from the network, is the most common DDoS mitigation measure in the telecom industry. The tactic would be efficient if not for one fatal flaw — it destroys both malicious and legitimate traffic, which in the highly connected nearest future can have disastrous consequences for a smart hospital, factory, or city.

    So in preparation for 5G, operators can pivot to a more preserving tactic of DDoS mitigation involving scrubbing centers — dedicated facilities where DDoS-generated traffic is analyzed and legitimate traffic is separated and forwarded back to the original destination. To minimize the traffic downtime, which can reach up to 30 minutes, telecoms can adopt machine learning detection mechanisms to discern malicious traffic in a fraction of the time an infosec specialist needs.

    Due to the pivot to vertical connectivity, the telecom industry also puts itself in the firing line of high-scale ransomware attacks targeting consumers. Against this backdrop, the importance of backing up customer and device data as well as making it inaccessible to third parties with encryption cannot be stressed enough. Other than that, providers are advised to implement automated malware monitoring and detection engines into each network slice, tailored to the type of devices it serves, instead of a single, one-size-fits-all solution.

    Manage security compliance       

    In addition to following the 3GPP standards while deploying their 5G networks, telecom companies looking to partner with enterprises across industries and geographies need to be mindful of other relevant cybersecurity regulations.

    Regional laws

    In the EU, the GDPR is the major regulation defining data protection and privacy. Since it applies to the IoT devices lifecycle, telecom operators with plans to venture into vertical connectivity must follow it. Such network providers also need to take into account the Cybersecurity Act, an EU-wide cybersecurity certification framework for ICT products, services, and processes.

    There is also the Toolbox on 5G Security issued by the European Commission for EU member states as a recommendation for telecom companies on strengthening their 5G deployment security. Although the regulation is voluntary, it is implemented on a national level, so service providers are expected to comply with it. Beyond this, the ePrivacy Regulation, focusing mostly on electronic communications, is currently under discussion. When passed, it is expected to strengthen communications security while also opening up new business opportunities for telcos.

    In the US, there was no single federal IoT legislation until the Internet of Things Cybersecurity Improvement Act was signed into law at the end of 2020. The Act requires the National Institute of Standards and Technology (NIST) to develop security standards for managing federal government smart devices, and despite its narrow focus, it is highly anticipated to have a wide-ranging impact on IoT device manufacturers, connectivity providers, and industrial IoT security overall. NIST hasn’t released the final version of their guidelines yet, but telcos developing service offers in the US are advised to keep them in mind.

    In contrast, despite being at the forefront of IoT development, the Asia-Pacific region does not have substantial public or private IoT cybersecurity initiatives. Still, considering the rising importance of smart devices in the services sector and manufacturing as well as an alarming growth in cyberattacks against IoT, countries are highly likely to start drafting and enacting relevant laws in the nearest future.

    Industrial guidelines

    While most industries usually conform to national data privacy and security laws, there are other sectors handling sensitive data that follow their own regulations.

    Healthcare is a sector with one of the most rigorous data security laws aimed at protecting patients’ health information—HIPAA in the US, PDA in some EU countries, and DISHA in India. For IoMT connectivity providers to comply, it’s necessary to build specific data transmission, storage, and integrity safeguards together with sophisticated access control mechanisms into their services.

    Another industry with established data security guidelines is banking and finance. PCI DSS, a universal standard mostly focusing on payment data security, also contains hardware and software security policies. They touch upon device communication encryption, specific protocols and standalone device security measures, and recommendations for IoT application development.

    Final thoughts

    Like any emerging technology, 5G is a disruptor, so telcos should implement it carefully, paying special attention to the security of their networks and telecommunications software solutions. In particular, organizations should adopt more advanced device authentication protocols, modernize outdated security controls, and manage relevant cybersecurity regulations.


    Roman Davydov is technical expert at Itransition

    Related Articles

    Subscribe to our newsletter

    To be updated with all the latest news, offers and special announcements.

    24 Seven 600x500
    SeriouslyFresh 600x500
    Evina 900x750