Network transformation and modernization are revealing a proliferation of concerns regarding security, fraud, and privacy – which if left unchecked will lead to significant problems, legal and financial penalties for progressive communication service providers.

As a counter-action, the industry is turning to network vendors, regulatory and standardization bodies to come together and collaborate to keep our communications, data, and privacy secure. Independently these interested parties along with service providers have their contextual concerns and challenges.

In a recent webinar from Light Reading, NetNumber’s Senior Manager for Product Development (Security and Routing), Pieter Veenstra was in discussion with Jim Hodges of Heavy Reading regarding some essential research and a report on Securing 5G Networks. This blog adds depth, insight, and conclusions to the survey responses and findings.

In 2016 Pieter started his editor role in the GSMA Fraud and Security Group (FASG) for the definition of Signaling Firewall requirements for SS7 and Diameter, to enhance the protection of international roaming traffic between mobile networks worldwide. Based on his extensive background in KPN, Pieter is also actively involved in new use case definitions and core network simplification programs with customers, together with establishing new partnerships based on the NetNumber TITAN Centralized Signaling, Routing and Control (CSRC) paradigm.


Confidence in the industry’s ability to secure the 5G Control Plane

As a first discussion point from the report, concerning control plane considerations, there were open questions about the ability and relative confidence levels associated with securing the range of standard 5G security use-case cases that were utilized in the study.

While about half were “confident”, when you break down the numbers it translates into about 40% either only “somewhat confident” or “not confident” which is not a strong endorsement.

The increasing complexity of the control plane makes operators concerned about the impending paradigm shift and evolving trust model, with multiple actors, network slicing, distributed service execution and the use of internet protocols, etc. In conversations with our customers, NetNumber hears similar concerns as these, which come with different challenges. For example:-

  • The potential for attacks such as signaling storms, malware, etc. on the expected billions of IoT devices and sensors.
  • The multiplication of computer power that Mobile Edge Computing (MEC) brings, also introduces security risks when malware infiltrates with direct access to core elements
  • API exposure security, with a new trust model around distributed control over network resources.


Reasons for the industry’s low confidence in future 5G security

If we look deeper into why there are low relative levels of security confidence and based on the level of ‘agree’ responses, it’s clear that a majority of respondents see more fraud, more signaling storms in the core and RAN, multi-protocol attacks and even greater threats of CLI spoofing and robocalling.

The security of mobile roaming in a pure 5G eco-system is expected to be solved with the “security by design” Security Edge Protection Proxy (SEPP) and with signaling encryption over the N32 interface. However, fundamental issues arise with the co-existence of the existing SS7 and Diameter world that is less secure. The main risk is introduced when access to the IPX signaling network is via SS7 or Diameter and the receiving MNO assumes the same trust as if the traffic was secured via SEPPs and N32 methods.

Today operators are faced with a steep increase in fraud cases. 5G brings elementary enhancements in native 5G core networks with concealed (encrypted) identity, such as IMSI over the RAN and the 2-way verification of roaming network identity. But to begin with, there will be no native 5G core, so as the magnitude of devices connected to the network increases, so does the potential impact of security breaches.


Implementing 5G security – the expectations

To address control plane security challenges service providers are starting with the basics. This translates into supporting the Network Repository Function (NRF) to secure network discovery and Network Exposure Function (NEF) to secure applications at commercial launch. However, it’s notable that even here Machine Learning and automation had relatively high commercial scores.  While the SEPP scored in third place, it did seem to drive a significant amount of discussion at the GSMA Mobile World Congress this year (2019), suggesting it will be deployed not long after commercial launch even before 5G roaming traffic starts to ramp up.

The SEPP will undoubtedly bring many security improvements for mobile roaming compared to the existing practices with SS7 and Diameter. However, there are still many issues not covered in 3GPP Release 15 that are fundamental for running an operational service like load distribution, error handling or failover mechanism, etc. These functions will first be available with 3GPP Release 16.

Consequently, we expect that 3GPP Release 15 is ready for deployment as 5G core within the domain of an operator (as 5G network islands). We need to wait for 3GPP Release 16 before 3GPP core networks will be interconnected and 5G roaming traffic starts to increase. We’ve seen a similar situation with IMS in the past.

In parallel, a secured version of Diameter for mobile roaming is close to finalization in the GSMA DESS group, which may bridge the time until 3GPP Release 16 implementations are ready to be deployed between operator networks. This may take some time because the 3GPP standardization groups are still very occupied with the completion and error patching of the 3GPP Release 15 standards for 5G phase 1.


Existing firewall support for 5G capabilities

One other important topic the survey addressed was how does this 5G control plane security complexity impact the evolution path of existing 3G/4G control plane signaling firewalls? Based on “extremely important” response levels, HTTP/2 interworking with protocols such as Diameter is critical, while interworking with SIP and even SS7 is still very important.

Fraud via SIP is already starting to become a major concern to operators in 3G and 4G with vulnerability to CLI spoofing, robocalling and other forms of nuisance calls. Also, we see operators starting to ask for protection for the combination of SIP with mobile roaming services via SS7 and Diameter.

When 5G interconnection begins to roll-out, the thirty-year-old SS7 network will still be there – even bigger and carrying more roaming traffic than today. The steep uptake of mobile roaming will likely be due to developments such as ‘EU roaming as at home’ and roaming support for M2M and IoT services. This will include static devices because many operators deploy M2M services with roaming arrangements in foreign networks.

The other issue is how interworking between HTTP/2 and SS7 will be implemented. There is a certain preference to interwork SS7 via Diameter to HTTP/2 and in reverse, but this is a ‘poor-mans-solution’ as it may only partially cover the SS7 attack interface (enabling attackers with an entry point to the HTTP/2 core networks via imperfections of the two-stage interworking from SS7 via Diameter to HTTP/2).


In summary

Given the critical role of 5G in digital transformation and the more stringent legislation for data protection with e.g. GDPR, security in 5G is an absolute critical success factor for this new technology. However, the Light Reading report on Securing 5G Networks shows low confidence levels among the respondents that likely evolve as operators gain experience with the implementation of 5G core networks. 5G security will significantly improve but the interworking with legacy networks will ask for special attention.

The accompanying complimentary whitepaper for this blog can be downloaded here. This blog is also featured as part of the GSMA Mobile360 Series on Security.


Leave a Reply

Your email address will not be published.