YOU ARE AT:FundamentalsThree cybersecurity considerations in the 5G era

Three cybersecurity considerations in the 5G era

Standards, compliance, and constant mindfulness play roles

Communication Service Providers (CSPs) operate essential communications infrastructure for billions around the world. As new cybersecurity threats emerge, the safe and secure operation of networks isn’t simply a customer service exercise: It is a matter of national security. The 5G telco cloud, the near and far edge, and Radio Access Network (RAN) disaggregation efforts such as Open RAN all present new risks for networks operators to mitigate.

These challenges were the topic of conversation at RCR Wireless News’ recent Telco Cloud Forum 2022. George Stefanopoulos, General Manager of the Greek Mobile Operators Association spoke about the challenges facing telcos with Vassiliki Gogou, cybersecurity expert with ENISA, the European Union Agency for Cybersecurity, Patricia Díez Muñoz, Head of Network, IT Platforms and Customer Devices Security for Telefónica, and Matt Beal, senior VP of software development for Oracle Communications. Their comments have been edited for clarity. 

Embrace transformation

“The 5G network itself actually has some really critical security enablement and protections built in, from the subscriber to the radio to the core. As an application across the cloud, the 5G network in its own right has [set] a pretty high bar,” said Beal.

Beal noted that the cloud-native 5G core requires telcos to adopt the cybersecurity disciplines and best practices intrinsic to industrial and enterprise cloud IT management. He provided a long list of examples that Oracle says are critical:

“The insistence on automating everything. Disposability: That ability to have something in one moment and completely erase it and re-instantiate it. Externalization of configuration: Putting that control into a very, very secure external area, so you’ve got additional layers of security.”

Beal said that best cybersecurity practices for carriers involve multiple tiers of security and management, drawn from both telco and cloud.

Díez Muñoz points out that 5G telco cloud is built on open principles. 

“Not just Open RAN, we have open broadband, open devices. We have open everything,” she said. 

“If it’s something that is well-defined, well-implemented, and you apply this into a security governance, it shouldn’t be any more insecure than any other technologies and implementations you will be deploying,” she added.

Support standardization and certification

“Standardization is the key element, the set of rules we can follow, and we decide how strict we can be,” said Gogou.

Gogou explained that cybersecurity certification, which is where ENISA is focusing its attention on 5G at present, provides steps to follow, a harmonized approach to protection.

“The certification is going to be the seal of trustworthiness for 5G,” she said.

“As 5G risks in general are addressed, certification is not a panacea. We know that. But it’s a decent way forward to the trustworthiness of citizens,” said Gogou.

Securing the app supply chain and managing that lifecycle presents challenges to CSPs as they introduce new network functions and updates. Carriers must be vigilant against exposing security risks through unpatched software or through dependencies with other apps and services.

“We have specific security requirements depending on the solution,” said Díez Muñoz. Depending on the solution, Telefónica will perform specific security testing on elements and end-to-end services to assess security vulnerabilities.

Take care with implementation

Security standardization is top of mind for Telefónica as they continue RAN disaggregation efforts. 

“The key is implementation, because at the end, any equipment or network function, or any solution, may be secure or insecure depending on how you implement it,” said Díez Muñoz.

This is particularly important against the backdrop of the telco cloud’s open architecture. Díez Muñoz explained that Telefónica’s global cybersecurity team maintains constant vigilance on patch and update issues, and continuously does critical vulnerability testing to detect issues.

In the end, Beal says carriers need to be thoughtful at every level about how cybersecurity is implemented, tested, and monitored. And their vigilance needs to be constant.

“Shockingly, its still something like phishing and basic consumer attacks that can undo the most secure network if you’re not careful,” he said. “So make sure you have your entire discipline lined up, coordinated, and automated where possible.”

ABOUT AUTHOR