YOU ARE AT:5G5G cybersecurity: 3GPP vs. NIST—understanding the standards

5G cybersecurity: 3GPP vs. NIST—understanding the standards

 

5G is very much an evolving technology and will be for some time as the 3GPP continues to refine the standard and vertical-specific use cases like autonomous manufacturing robotics and remote surgical procedures become a reality. As such, 5G cybersecurity needs to be equally dynamic–building on principles established in LTE and enhancing those protocols to better protect data transmissions through increasingly cloud-based, distributed networks. 

In describing the 5G cybersecurity mechanisms built into Release 15, the most current standard for 5G New Radio, three industry experts wrote in a blog: “The 5G system is an evolution of the 4G mobile communication systems. Accordingly, the 5G security architecture is designed to integrate 4G equivalent security. In addition, the reassessment of other security threats such as attacks on radio interfaces, signalling plane, user plane, masquerading, privacy, replay, bidding down, man-in-the-middle and inter-operator security issues have also been taken in to account for 5G and will lead to further security enhancements.”

Here we’ll examine the 5G cybersecurity work being conducted by the Third Generation Partnership Project (3GPP), an industry consortium that collaborates to develop cellular standards, and the U.S. National Institute of Standards and Technology, which has developed a cybersecurity framework that has seen wide, international adoption. 

3GPP

Like with LTE, 5G cybersecurity covers network access security, which protects transmissions between the device and the radio and base station, an eNodeB for LTE and a gNobeB for 5G. Then, network domain security protects communications between the base station and the core network, signaling data for example. 

Both LTE and 5G employ the EAP, extensible authentication protocol. Primary authentication occurs at initial attach and generations session keys. Secondary authentication, also based on EAP, kicks in when the user equipment makes a call or initiates a web browsing session.  

Right now most commercial 5G networks are non-standalone, meaning the network is built on an LTE core and RAN with the addition of a new 5G component carrier. While this will quickly give way to standalone 5G, non-standalone requires a unique security mechanism. 

Based on 3GPP guidelines, a UE initially connects to a “master” eNodeB that determines whether the device is 5G compatible. If so, the master eNodeB creates a key that is passed to the 5G base station, gNodeB, giving the device access to the 5G signal. 

5G also contemplates a service-based architecture, which comes with security protocols protecting transmissions between core components at the IP layer, as well as at higher layers including the transport and application layers. 

NIST

Huawei Australia’s Malcolm Shore, in a 2018 white paper, described the NIST Cybersecurity Framework as taking “an attack-centric view of security, providing a control framework to all stages of a cyber attack.” 

The framework considers a five-fold framework covering cybersecurity as it relates to identity and access management, preventative controls, detective controls, incident response, and recovery. 

Based on the 2014 Cybersecurity Enhancement Act, NIST was charged with developing guidelines following “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.”

At a high-level, the NIST framework addresses: 

  • A Framework Core described as “a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure” resulting in organization-specific profiles that help prioritize cybersecurity initiatives. NIST boil that down to Identify, Protect, Detect, Respond, Recover. 
  • Implementation Tiers “provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk…” 
  • And the Framework Profile provides a “roadmap” that applies principles established in the core and implementation tiers in a manner aligned with specific “business requirements, risk tolerance, and resources of the organization.” 

This is part of a series examining 5G cybersecurity. For more information, explore the following materials: 

Video: How can Huawei or any vendor guarantee cybersecurity absent uniform standards?

ABOUT AUTHOR