The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) recognizes the challenges that organizations face in transitioning from 4G to 5G. The need to safeguard new 5G technologies is a concern while 5G development, deployment, and usage are evolving. Some aspects of securing and using 5G components lack standards and guidance, making it challenging for 5G network operators and users to know what must be done and how to accomplish it.
To help organizations effectively manage 5G security risks, the NCCoE developed the 5G Cybersecurity project to provide sample approaches for securing 5G networks through a combination of 5G security features defined in the 5G standards and third-party security controls.
At the dawn of 5G, the National Cyber Security Centre (NCSC) of the United Kingdom (UK) published a landmark paper in January 2020 that summarizes the findings of its analysis of the UK telecommunication sector. According to the report, "The potential economic and social benefits of 5G and full-fibre digital connectivity can only be realized if we have confidence in the security and resilience of the underpinning infrastructure."
The NCSC recommends the establishment of a robust security framework based on a new set of Telecommunication Security Requirements (TSRs) that are intended for Communications Service Providers (CSPs) to operate secure networks. In the UK, this security framework is underpinned by legislation. The NCSC's summary of these security requirements addresses some of the security concerns raised by the 5G PPP Security Working Group in a 2017 paper that identified 5G security risks.
The challenges that 5G networks face in supporting new business requirements "have rendered current network security approaches inadequate," the 5G PPP Security Working Group wrote, calling for "a security makeover of how confidentiality, integrity, and availability is maintained and managed in 5G networks."
The use of network functions virtualization and the transition from 4G networks to 5G, coupled with the necessity to protect user information, only increase the complexity of the security landscape. The use of public clouds magnifies these trends.
At the same time, network virtualization expands the application and management of security measures.
A 5G deployment might result in fragmented and difficult-to-manage security measures. The combinatorial nature of 5G, in which CSPs can mix elements of 4G and 5G networks, means that the application of network security measures might be uneven—the security measures are likely to evolve and shift with a network as it combines various 4G and 5G elements. New 5G network elements and the use of public clouds might intensify the importance of centralized management and monitoring. Flexible, intrinsic, and automated approaches to imposing and enforcing security measures are becoming important.
To identify the key security risks and requirements in the changing telecommunication landscape, this guide relies on the following standard-setting papers:
Security Analysis for the UK Telecom Sector: Summary of Findings, published by the National Cyber Security Centre of the United Kingdom in January 2020.
5G PPP Phase 1 Security Landscape, published by the 5G PPP Security Working Group in June 2017.
Cybersecurity of 5G Networks EU Toolbox of Risk Mitigating Measures, published by the European Commission in January 2020.