Navigating 5G Security: A Practitioner's Take on the GSMA 5G Security Guide (July 2024)


The Evolving Threat Landscape

Welcome to the ever-evolving world of 5G security! The GSMA has once again graced us with an updated roadmap, the "5G Security Guide," Version 3.0, dated July 16, 2024. As someone who spends their days in the trenches, translating these comprehensive (and often dense) documents into tangible security measures, the goal of this article is to cut through the complexity and highlight what this latest iteration means for us on the ground.

5G isn't just an incremental upgrade; it's a foundational shift promising to power Enhanced Mobile Broadband (eMBB), massive Machine Type Communications (mMTC), and Ultra-Reliable Low-Latency Communications (URLLC). This expansion opens the door for a diverse range of industries to build upon and operate 5G services. However, this bright future comes with a significantly expanded and more intricate attack surface.

The way we build, secure, and manage networks is undergoing a revolution. We're grappling with virtualization, containerization, Network Function Virtualization (NFV), the pervasive use of Open-Source Software (OSS), the rise of Open RAN (O-RAN) interfaces, dynamic network slicing, multi-access edge computing (MEC), and the agile methodologies of DevOps. While these technologies offer unprecedented flexibility and agility, they also introduce a host of new attack vectors that bad actors are keen to exploit.

The good news is that considerable thought has gone into the security enhancements for 5G, with contributions from a wide array of industry stakeholders and government agencies. The GSMA guide underscores several principle-based concepts and methodologies that form the bedrock of 5G security:

  • Mutual Authentication: Ensuring both sender and receiver have an established, trusted, and secure relationship is paramount. For us, this means rigorous implementation and verification of authentication protocols across all relevant interfaces. 
  • Assume Zero Trust Design Principles: This is a big one. We can no longer automatically trust entities or traffic, whether they're inside or outside our network perimeters. Encrypted traffic isn't inherently valid. This philosophy needs to permeate our architecture and operational postures (more on this in Section 8.9.1 of the guide). 
  • Do Not Assume Transport Links Are Secure: Even if a link is "internal" or presumed "safe," encryption is key to ensuring that any compromised information is useless to an attacker. 

This document, as the GSMA states, aims to discuss various aspects of 5G security that require attention. It primarily refers to capabilities supported by 3GPP Release 17, with the understanding that future updates will reflect subsequent releases like Release 18. For us practitioners, this means continuous learning and adaptation as the standards mature. The shift in 5G towards technologies common in the broader IT world (like HTTP/2, TLS, JSON) brings both advantages and fresh challenges. While it allows leveraging existing knowledge and tools, it also means vulnerabilities discovered in the wider IT ecosystem can have a more immediate and potentially higher impact on telecom networks. The days of security through obscurity with proprietary telecom protocols are fading. This necessitates a more proactive and rapid approach to security patching, a topic the guide rightly emphasizes.

In the pages that follow, we'll delve into some of the specific features and innovations highlighted in the guide, always with an eye on what they mean for those of us responsible for securing these next-generation networks. Let's navigate this labyrinth together.

Key Security Features Demystified - Part 1

Having set the stage with the evolving landscape, let's now dissect some of the core security features and enhancements outlined in the GSMA's July 2024 guide. From a practitioner's standpoint, understanding the "why" and "how" of these features is crucial for effective implementation.

Unified Authentication Framework & Access-Agnostic Authentication

One of the significant strides in 5G is the move towards a unified authentication framework. The Authentication Server Function (AUSF) now enables a common approach for both 3GPP and non-3GPP access types. Release 15 laid the groundwork for 3GPP and untrusted non-3GPP access, and Release 16 extended this to all access types, crucially including trusted non-3GPP access. This is a welcome simplification, moving away from disparate authentication silos.

What this means for us:

  • A single authentication infrastructure, particularly with the Non-3GPP Inter-Working Function (N3IWF) from Release 16, simplifies management and policy enforcement. 
  • We need to be proficient in a range of authentication methods, as 5G AKA, Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA'), and other EAP methods like EAP-TLS can be used across both access types. EAP-TLS, for instance, might be particularly relevant for isolated deployments. 

Increased Home Control

A pivotal change is that the AUSF, residing in the home network, now terminates the authentication procedure. This is a departure from LTE, where this occurred in the visited network's Mobility Management Entity (MME). This shift gives the home network greater control and visibility. The home network receives confirmation of successful UE authentication and the Unified Data Management (UDM) is informed. Final device authentication in a visited network is only completed after the home network has verified the device's authentication status in that visited network.

Practically speaking:

  • This enhanced home control is a powerful tool against fraud. For instance, if a UE attempts to register via an AMF in a visited network where it isn't actually present, the UDM can detect this.
  • Binding the serving network ID to session keys ensures these keys are only used by the legitimate roaming network serving the UE, giving assurance to both the UE and the home network. 

Enhanced Subscriber Privacy (SUPI & SUCI)

Subscriber privacy sees a major boost with the introduction of the Subscription Concealed Identifier (SUCI). The SUCI is a privacy-preserving identifier that conceals the permanent Subscription Permanent Identifier (SUPI), which is the 5G equivalent of the IMSI. The SUCI is typically generated using Elliptic Curve Integrated Encryption Scheme (ECIES) based on the home operator's public key.

Key considerations for practitioners:

  • "Null-Scheme" vs. Non-"Null-Scheme": The guide strongly recommends that carriers enable a non-"null-scheme" for SUCI protection. A "null-scheme" offers no over-the-air privacy protection and should only be used if mandated by specific regulatory environments. Enabling robust encryption here is critical to thwarting "IMSI catchers". 
  • SIM Provisioning: SUPI concealing isn't just a network feature; it requires UE support and, crucially, that the physical SIM (pSIM) or embedded SIM (eSIM) is provisioned with the home network's public key. Reusing an older pSIM not configured for 5G-SA SUCI management means this feature won't work, regardless of carrier settings. This has implications for device rollout and customer communication. 
  • Paging & Temporary Identifiers: SUPI is decoupled from paging; UEs are paged using temporary identifiers. 5G mandates stricter refreshment of the 5G Globally Unique Temporary Identifier (5G-GUTI). This makes tracking users via paging messages significantly harder for false base stations. 
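To make the null-scheme check concrete, here is an added example (not code from the GSMA guide) that parses the NAI-style IMSI SUCI defined in TS 23.003 and flags registrations that use the null scheme, an unexpected home network public key identifier, or a scheme output whose length does not fit ECIES Profile A or B. The sample SUCIs are constructed, and the set of active key identifiers is an assumption.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Protection scheme identifiers for an IMSI-based SUCI (TS 23.003 NAI format, TS 33.501 Annex C)
NULL_SCHEME, PROFILE_A, PROFILE_B = 0, 1, 2
# Fixed-size parts of the ECIES scheme output, in bytes: ephemeral public key and MAC tag
EPH_KEY_LEN = {PROFILE_A: 32, PROFILE_B: 33}   # X25519 key / compressed secp256r1 point
MAC_TAG_LEN = 8
# MSIN is BCD-packed before encryption; assumption: 1..5 bytes (IMSI is at most 15 digits)
MSIN_BYTES = range(1, 6)

# suci-<supi type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<hn key id>-<scheme output>
SUCI_RE = re.compile(
    r"^suci-0-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<ri>\d{1,4})-"
    r"(?P<scheme>\d{1,2})-(?P<hnkey>\d{1,3})-(?P<out>[0-9A-Fa-f]+)$"
)


@dataclass
class Suci:
    mcc: str
    mnc: str
    routing_indicator: str
    scheme: int
    hn_key_id: int
    scheme_output: str


def parse_suci(text: str) -> Suci:
    m = SUCI_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IMSI-based SUCI: {text!r}")
    return Suci(m["mcc"], m["mnc"], m["ri"], int(m["scheme"]), int(m["hnkey"]), m["out"])


def check_suci_policy(s: Suci, active_key_ids: FrozenSet[int] = frozenset({1})) -> List[str]:
    """Return policy findings for one SUCI; an empty list means it is acceptable."""
    findings: List[str] = []
    if s.scheme == NULL_SCHEME:
        findings.append("null-scheme: MSIN sent in clear over the air (IMSI-catcher exposure)")
        if not s.scheme_output.isdigit():
            findings.append("null-scheme output must be the MSIN digits")
        return findings
    if s.scheme not in EPH_KEY_LEN:
        return [f"unknown protection scheme id {s.scheme}"]
    if s.hn_key_id not in active_key_ids:
        findings.append(f"home network public key id {s.hn_key_id} is not an active key")
    # Odd-length hex cannot be a byte string; treat it as an empty blob so it fails the length check
    blob = bytes.fromhex(s.scheme_output) if len(s.scheme_output) % 2 == 0 else b""
    cipher_len = len(blob) - EPH_KEY_LEN[s.scheme] - MAC_TAG_LEN
    if not blob or cipher_len not in MSIN_BYTES:
        findings.append(f"scheme output of {len(s.scheme_output) // 2} bytes "
                        f"does not fit profile {s.scheme}")
    return findings


def audit(suci_lines: List[str]) -> dict:
    """Summarise a batch of registration SUCIs: count per scheme and collect findings."""
    summary = {"null": 0, "protected": 0, "invalid": 0, "findings": []}
    for line in suci_lines:
        try:
            s = parse_suci(line)
        except ValueError as e:
            summary["invalid"] += 1
            summary["findings"].append(str(e))
            continue
        summary["null" if s.scheme == NULL_SCHEME else "protected"] += 1
        summary["findings"].extend(f"{line}: {f}" for f in check_suci_policy(s))
    return summary


# Constructed samples (the hex bodies are filler, not real ECIES output)
SUCI_NULL = "suci-0-234-15-0000-0-0-0123456789"
SUCI_PROFILE_A = "suci-0-234-15-0000-1-1-" + "ab" * 32 + "0123456789" + "cd" * 8
SUCI_TRUNCATED = "suci-0-234-15-0000-1-1-" + "ab" * 32 + "cd" * 8
```

Running `audit` over an export of registration SUCIs gives a quick count of how many UEs still register with the null scheme, which is the symptom of the SIM provisioning gap described above.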

RAN Security Highlights

The Radio Access Network (RAN) also receives notable security upgrades:

  • User Plane (UP) Integrity: Beyond confidentiality, UP integrity protection is now supported. This is a vital step in preventing data manipulation. 
  • Backhaul & Handover Security: Mandatory support for Datagram Transport Layer Security (DTLS), in addition to IPsec, is required for N2 (backhaul control) and Xn (handover) interfaces. 
  • Internal RAN Interfaces: Interfaces like F1 (gNB-CU to gNB-DU) and E1 (gNB-CU-CP to gNB-CU-UP) also get mandatory DTLS and IPsec ESP/IKEv2 certificate-based authentication, confidentiality, integrity, and replay protection. 
  • Integrated Access and Backhaul (IAB): IAB nodes (acting as IAB-UEs) support NAS signaling protection and mutual authentication with the 5G Core. The F1-C interface between the IAB-node (gNB-DU) and IAB-donor-CU requires confidentiality, integrity, and replay protection, with options for IPsec or DTLS. 

These are just some of the foundational enhancements. Implementing them correctly and consistently is where the real work lies for us practitioners, ensuring that the theoretical security benefits translate into a genuinely hardened 5G infrastructure.


Key Security Features Demystified - Part 2

Continuing our practitioner's journey through the GSMA 5G Security Guide, this page focuses on the security of the Service Based Architecture (SBA), the critical aspects of roaming, and interworking scenarios. These areas are undergoing significant transformation in 5G, introducing both powerful new security mechanisms and new complexities we need to manage.

Service Based Architecture (SBA) Security

The 5G core’s SBA is a paradigm shift, and its security is built on modern IT principles:

  • Interface Security: Network Functions (NFs) communicate using Hypertext Transfer Protocol version 2 (HTTP/2) over Transport Layer Security (TLS), mandating both server and client-side certificates. This ensures authenticated and encrypted links between NFs. 
  • Authorization: The OAuth 2.0 framework is used for authorizing NF service access. This allows for granular control, specifying which operations or data an NF consumer can access from an NF producer. 
  • Comprehensive Protection: The goal is to provide confidentiality, authentication, integrity protection, and authorization for all service-based interfaces within a Public Land Mobile Network (PLMN). 
  • Inter-PLMN Security: Crucially, interconnect security is also provided for all service-based signaling traffic between PLMNs. This directly addresses the IP Exchange (IPX) network security issues that were prevalent in LTE. 
  • Service Communication Proxy (SCP): When used in indirect communication mode, the SCP can offer additional layers of security, such as authorizing NF Service Consumer access to an NF Service Producer API, load balancing, and monitoring. 
  • Non-SBA Interfaces: Even interfaces internal to the 5G Core that are not strictly SBA, like N4 (SMF-UPF) and N9 (UPF-UPF), must be confidentiality, integrity, and replay protected. 
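As an added illustration of the OAuth 2.0 authorization step (not code from the guide or from any 5G core product), the following mints an NRF-style access token and shows the checks an NF producer applies before serving a request: issuer, expiry, audience, scope, and a binding between the token subject and the mTLS peer identity. It assumes the HMAC shared-secret (HS256) signing variant and uses constructed NF identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(nrf_key: bytes, nrf_id: str, consumer_id: str, audience: str,
                scope: str, ttl: int = 3600, now=None) -> str:
    """NRF side: mint a JWS access token with the claims used for NF service access
    (iss = NRF instance, sub = NF consumer instance, aud = producer type or instance,
    scope = service names). Assumption: HS256 with a shared secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": nrf_id, "sub": consumer_id, "aud": audience, "scope": scope, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(nrf_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize_request(token: str, nrf_key: bytes, nrf_id: str, producer_id: str,
                      producer_type: str, requested_service: str,
                      tls_peer_nf_id: str, now=None) -> List[str]:
    """NF producer side: return reasons for rejection; an empty list means allow."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:
        return ["malformed token"]
    # Pin the algorithm: never accept "none" or let the token choose a different scheme
    if header.get("alg") != "HS256":
        return [f"unexpected alg {header.get('alg')!r}"]
    expected = hmac.new(nrf_key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return ["bad signature"]
    if claims.get("iss") != nrf_id:
        problems.append("issuer is not our NRF")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if producer_id not in auds and producer_type not in auds:
        problems.append("audience does not name this producer")
    if requested_service not in claims.get("scope", "").split():
        problems.append(f"scope does not grant {requested_service}")
    # Defence in depth (assumption, not a requirement quoted from the guide): the consumer
    # named in the token must be the NF that authenticated on the TLS connection
    if claims.get("sub") != tls_peer_nf_id:
        problems.append("token subject differs from mTLS peer identity")
    return problems


# Constructed identifiers and secret for a stand-alone run
NRF_KEY = b"constructed-nrf-shared-secret"
TOKEN = issue_token(NRF_KEY, "nrf-1", "amf-7", "SMF", "nsmf-pdusession nsmf-event-exposure", now=1000)
```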

The guide presents an overview of the security architecture encompassing several domains: network access security, network domain security, user domain security, application domain security, SBA domain security, and visibility/configurability of security. For us, this means a holistic view is essential, ensuring each domain's specific security requirements are met and integrated.

Roaming Security: The SEPP Takes Center Stage

Roaming is a critical service, and 5G significantly bolsters its security, primarily through the Secure Edge Protection Proxy (SEPP).

  • SEPP Functionality: The SEPP is a non-transparent proxy that sits at the perimeter of the PLMN, protecting messages sent over the N32 interface between Service Consumers and Producers in different PLMNs. It implements Application Layer Security (ALS) for this inter-PLMN signaling, offering protection against eavesdropping and replay attacks. The SEPP is also responsible for message filtering, policing, and topology hiding. 
  • N32 Interface Protection: Roaming interfaces must be provisioned with confidentiality, integrity, and replay protection, and message origins authenticated. The N32-f interface (for actual data exchange) can use either Protocol for N32 Interconnect Security (PRINS) or TLS. 
  • Transport Layer Protection (SEPP to IPX): Additional transport protection, such as Network Domain Security / Internet Protocol (NDS/IP) or a TLS VPN with mutual authentication, must be applied between the SEPP and the IPX provider. The identities in end-entity certificates are used for authentication and policy checks, compliant with HTTP/2 profiles. 
  • A Major Leap from Legacy: The introduction of the SEPP is a huge improvement over 4G/3G/2G roaming, where SS7 and Diameter vulnerabilities were significant concerns. It gives operators direct control over which signaling messages are visible to roaming intermediaries like IPX providers. 

5GS-EPS Interworking Security

As we transition, interworking between 5G Systems (5GS) and the Evolved Packet System (EPS) is unavoidable. Key considerations include:

  • Ensuring security for seamless mobility between these systems. 
  • Careful handling of security contexts during state transitions. 
  • Restricting interworking functions on a "need-to-use" basis is vital; not every node should have access to all interworking features. 

Non-Public Networks (NPN) Security

NPNs, whether Standalone (SNPN) or Public Network Integrated (PNI-NPN), have specific security needs:

  • NPNs can support additional authentication methods beyond AKA, such as EAP-TLS. 
  • SUPI privacy is supported in NPNs. 
  • For SNPNs communicating with a Credentials Holder (e.g., for primary authentication), this communication occurs via SEPPs, applying the robust security requirements of inter-PLMN communication. 

Implementing these features—particularly the SEPP and its associated protocols—requires significant effort and careful configuration. The promise of truly secure roaming hinges on the correct deployment and diligent management of these new entities and interfaces. For practitioners, this means deep-diving into specifications like TS 33.501, FS.37 for N9 interface traffic, and understanding the nuanced roles of each new security function.

Innovations, Challenges, and Practical Implications

The GSMA's July 2024 5G Security Guide not only details enhanced features but also introduces new architectural elements and highlights innovations within the 5G core. For practitioners, these changes bring both opportunities for stronger security and significant new challenges, especially concerning the underlying technologies and the speed of potential threats.

New Elements and Functions in the 5G Security Architecture

Several new or significantly evolved functions play critical roles:

  • SEPP (Secure Edge Protection Proxy): As discussed, this is a cornerstone for inter-PLMN security, managing N32 interface protection and ALS. 
  • AMF (Access and Mobility Management function): Beyond mobility, the AMF is central to access authentication and authorization, assigning the 5G-GUTI, and supporting network slicing. 
  • SEAF (Security Anchor Function): Located in the serving network's AMF, the SEAF acts as the anchor for security, using the key provided by the home AUSF to derive subsequent keys. 
  • AUSF (Authentication Server Function): Residing in the home network, the AUSF generates authentication vectors and, importantly, can act as the EAP server in primary authentication or an authenticator with an external AAA server in SNPNs. 
  • UDM (Unified Data Management):
    • UDM/ARPF (Authentication Credential Repository and Processing Function): Chooses the authentication method based on SUPI and provides the 5G Home Environment Authentication Vector (HE AV) to the AUSF. 
    • UDM/SIDF (Subscription Identifier De-concealment Function): This function is responsible for de-concealing the SUCI to reveal the SUPI, a critical step for subscriber identification within the home network. The guide notes that the implementation (integrated or separate SIDF) is not defined by 3GPP, allowing flexibility. This disaggregation allows for scalable resource allocation. 
  • IPUPS (Inter PLMN User Plane Security): UPFs can deploy IPUPS functionality at the network border to protect against invalid inter-PLMN N9 traffic in home-routed roaming scenarios. It discards malformed GTP-U messages and only forwards packets for active PDU sessions. 
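An added example of the IPUPS behaviour just described, not code from the guide: a GTP-U header parser and a border filter that drops malformed messages and forwards G-PDUs only for TEIDs belonging to active PDU sessions. Treating Echo Request/Response as permitted path-management traffic, and End Marker like a G-PDU, are assumptions; all packets are constructed.

```python
import struct
from typing import Dict, Optional, Set, Tuple

# GTP-U message types (TS 29.281)
ECHO_REQ, ECHO_RSP, END_MARKER, G_PDU = 0x01, 0x02, 0xFE, 0xFF


def parse_gtpu(pkt: bytes) -> Dict:
    """Parse a GTP-U header; raise ValueError for anything malformed."""
    if len(pkt) < 8:
        raise ValueError("short header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("GTP version must be 1")
    if not flags & 0x10:
        raise ValueError("PT=0 (GTP') is not GTP-U")
    if length != len(pkt) - 8:
        raise ValueError("length field does not match packet")
    hdr_len, seq = 8, None
    if flags & 0x07:  # E, S or PN set: the 4-byte optional field group is present
        if len(pkt) < 12:
            raise ValueError("optional fields missing")
        hdr_len = 12
        seq = struct.unpack("!H", pkt[8:10])[0] if flags & 0x02 else None
        next_ext = pkt[11]
        while next_ext != 0:  # walk extension headers; length is in 4-octet units
            if len(pkt) <= hdr_len or pkt[hdr_len] == 0:
                raise ValueError("bad extension header")
            ext_len = pkt[hdr_len] * 4
            if len(pkt) < hdr_len + ext_len:
                raise ValueError("truncated extension header")
            next_ext = pkt[hdr_len + ext_len - 1]
            hdr_len += ext_len
    return {"type": msg_type, "teid": teid, "seq": seq, "payload": pkt[hdr_len:]}


def ipups_filter(pkt: bytes, active_teids: Set[int]) -> Tuple[str, str]:
    """Border UPF decision for one inbound N9 packet: ('forward'|'drop', reason)."""
    try:
        h = parse_gtpu(pkt)
    except ValueError as e:
        return "drop", f"malformed: {e}"
    if h["type"] in (ECHO_REQ, ECHO_RSP):
        return "forward", "path management"   # assumption: echo allowed between border UPFs
    if h["type"] in (G_PDU, END_MARKER):
        if h["teid"] in active_teids:
            return "forward", "active PDU session"
        return "drop", f"no active PDU session for TEID 0x{h['teid']:08x}"
    return "drop", f"message type {h['type']} not permitted across N9"


def build_gpdu(teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Constructed test traffic: a G-PDU, optionally carrying a sequence number."""
    if seq is None:
        return struct.pack("!BBHI", 0x30, G_PDU, len(payload), teid) + payload
    optional = struct.pack("!HBB", seq, 0, 0)   # seq, N-PDU number, next ext type = none
    return struct.pack("!BBHI", 0x32, G_PDU, len(payload) + 4, teid) + optional + payload


# Constructed session table: TEIDs the home UPF currently has PDU sessions for
ACTIVE_TEIDS = {0x00001234, 0x0000ABCD}
```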

Innovations in the 5G Core & The Protocol Shift

The 5G core embraces a suite of protocols widely used in the IT industry:

  • HTTP/2 as the application layer protocol. 
  • TLS for securing communication between all NFs within a PLMN. 
  • TCP as the transport layer for HTTP/2. 
  • JSON for data serialization. 
  • RESTful frameworks for API design. 

This shift is a double-edged sword. On one hand, it allows leveraging mature technologies and a broader talent pool. On the other, these common protocols have a larger and more actively probed attack surface. Vulnerabilities are often discovered and exploited more quickly than with the more obscure, proprietary protocols of older 2G/3G/4G core networks. This reality, as the guide points out, demands increased and rapid security patching. We can no longer afford lengthy patch cycles.

Intra-PLMN SBA Security: The Certificate Conundrum

Securing the dynamic, virtualized SBA within a PLMN presents unique certificate management challenges. With NFs potentially spinning up and down rapidly, dynamically creating and managing certificates (and their keys) for TLS is complex. The guide notes that some vendors propose wildcard certificates to simplify this, but this approach, while supporting transport encryption, undermines the ability to validate the specific identity of an endpoint. Given that a key threat in virtualized cores is an attacker creating false NFs, identity authentication is crucial. The GSMA's advice is pertinent: MNOs should consider reusing the robust key management procedures specified for inter-PLMN security (GSMA PRD FS.34) for their intra-PLMN SBA environments.
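As an added example of why wildcard certificates weaken NF identity checks (not code from the guide or any vendor): a SAN check that accepts a peer only when a dNSName matches the expected NF FQDN exactly, and reports a match that succeeds solely through a wildcard entry. The FQDNs follow the 3GPP naming convention but are constructed.

```python
from typing import Iterable, List, Tuple


def san_matches(san: str, host: str) -> bool:
    """Host-name match in the style of RFC 6125: '*' may stand for the left-most label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and "*" not in host and labels[1] == san[2:]
    return san == host


def nf_identity_check(peer_sans: Iterable[str], expected_fqdn: str,
                      allow_wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether the peer certificate identifies the specific NF we expect.

    Returns (accepted, reason). A wildcard-only match is refused by default because
    any NF (or rogue NF) under the same domain could present the same certificate."""
    sans: List[str] = list(peer_sans)
    exact = [s for s in sans if not s.startswith("*.") and san_matches(s, expected_fqdn)]
    if exact:
        return True, f"exact SAN match {exact[0]}"
    wild = [s for s in sans if s.startswith("*.") and san_matches(s, expected_fqdn)]
    if wild:
        if allow_wildcard:
            return True, f"accepted via wildcard {wild[0]}; endpoint identity not proven"
        return False, (f"only wildcard SAN {wild[0]} matches {expected_fqdn}; "
                       "transport is encrypted but the endpoint is not identified")
    return False, f"no SAN matches {expected_fqdn}"


# Constructed peers: a per-instance certificate and a shared wildcard certificate
SMF_FQDN = "smf-3.5gc.mnc015.mcc234.3gppnetwork.org"
PER_INSTANCE_SANS = [SMF_FQDN]
WILDCARD_SANS = ["*.5gc.mnc015.mcc234.3gppnetwork.org"]
```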

The Impact of Cloud on 5G Security

5G is inextricably linked with cloud technologies:

  • Key Trends: We're seeing 5G Core and RAN functions deployed as cloud-native containerized applications. Major public cloud providers are expanding their edge presence, and SDN overlay fabrics are becoming readily available. This momentum is pushing towards Containerized Network Functions (CNFs) over traditional VNFs. 
  • New Security Paradigms: Securing these cloud-native networks is vastly different. Traditional network-layer firewalls are less effective when dealing with short-lived containers that have dynamic IP addresses and can move across data centers. 
  • Patching Immutable Containers: A CNF is an immutable block; it can't be patched in place. Updates involve replacing the old container with a new version. While this can be much faster and automated, it requires robust CI/CD pipelines where security is embedded at every stage. 
  • Multi-Cloud Complexity: The 5G ecosystem often involves multiple cloud environments (private, public, edge) managed by different entities. This necessitates consistent policy synchronization, comprehensive visibility across domains, centralized monitoring, automation of security tasks, and robust access management.
  • Containerization Specifics: Host OS security is a major concern as containers share a kernel. We must protect against compromised container images, secure registries, and harden container management platforms such as Kubernetes. 
  • HSM for Credentials: Even in a virtualized world, critical secrets like UICC credentials (Ki) must be protected. The guide reinforces the need for Hardware Security Modules (HSMs), ensuring Ki is never exposed in memory of functions like the UDM. Unencrypted Ki should never exist outside an HSM, and 5G vector calculation should occur within it. 

These innovations and technological shifts demand a new mindset from security practitioners. We must be as agile and adaptable as the networks we're trying to secure, embracing automation and continuous security validation.

Network Slicing, O-RAN, Open Source, NESAS & Palindrome's Expertise

Our final section explores some of the more specialized yet increasingly critical areas of 5G security: network slicing, Open RAN (O-RAN), the use of open-source software, and the vital role of security assurance schemes like NESAS. These elements represent the cutting edge of 5G's capabilities and, consequently, new frontiers for security practitioners.

Network Slicing Security: Dedicated Networks on Shared Infrastructure

Network slicing allows multiple logical networks to run as virtually independent operations on a common physical infrastructure. This is a game-changer for offering tailored services but introduces complex security considerations.

  • Key Management Functions: The Network Slice Selection Function (NSSF) selects slice instances for the UE and determines allowed configurations. The Network Slice Specific Authentication and Authorization Function (NSSAAF) handles additional, slice-specific authentication with an AAA server. 
  • Standardized Security Features:
    • A UE needs authorization from the home/serving PLMN to access a slice, granted only after successful primary authentication.
    • Operators can define S-NSSAIs that require Network Slice-Specific Authentication and Authorization (NSSAA), using the EAP framework. This provides an additional layer of access control for sensitive slices. 
    • Operators can control if and when a UE includes its NSSAI (Network Slice Selection Assistance Information) in Access Stratum requests, offering privacy for slice selection. 
  • Isolation is Key: Achieving robust isolation (both logical and potentially physical) between slices sharing resources in the RAN, Transport Network (TN), and Core Network (CN) is paramount to prevent cross-slice attacks or interference. The guide also mentions that for data in transit, the Network Slice must always be re-affirmed to prevent slice hijacking. 
  • Lifecycle Management Security: The creation, modification, and termination of Network Slice Instances (NSIs) are management services that must be secured. This involves mutual authentication (e.g., using TLS with client/server certificates or pre-shared keys) between the management service consumer and producer, especially if the consumer is outside the operator's trust domain. Authorization of these management requests, for instance, via OAuth tokens or local policy, is also critical. 

O-RAN Security: Openness and Its Challenges

O-RAN represents a significant shift towards disaggregated, virtualized, and open-interface RAN architecture.

  • Increased Threat Surface: While fostering innovation and vendor diversity, disaggregation inherently increases the attack surface by exposing new interfaces and relying on underlying cloud infrastructures. Monitoring security in such multi-vendor, multi-domain setups is a new challenge. 
  • Latency vs. Security: The stringent latency demands of RAN functions must be balanced with security controls like encryption, especially on interfaces like the Open Fronthaul. 
  • Open Source Reliance: O-RAN often encourages open-source components, increasing dependence on secure development practices within those communities. 
  • Zero Trust Application: O-RAN aims to embrace Zero Trust principles, with stringent access controls, network segmentation based on least privilege, and secure, encrypted communication channels. Legitimacy of deployed protocols via added security elements on some O-RAN interfaces is also considered. 

Security of Open-Source Software (OSS)

OSS is ubiquitous in 5G, from vendor solutions to community-driven projects.

  • Responsibility: The entity (vendor or operator) deploying a solution containing OSS components is responsible for their maintenance, updates, and patching. The infamous Log4j vulnerability highlighted the critical need for this. 
  • Essential Guidelines:
    • Software Bill of Materials (SBOM): Crucial for visibility into all deployed OSS components. 
    • Software Identification: Using hashing and digital signatures to verify the authenticity and integrity of software packages. 
    • Asset Management & Code Inspection: Tracking OSS assets, performing code analysis, and adhering to secure coding standards are vital. 
    • Community/Supplier Support: Ensuring that all OSS components have active support for addressing vulnerabilities. 

Security Assurance for 5G: The Role of NESAS

With complex multi-vendor environments, security assurance becomes indispensable.

  • GSMA's NESAS (Network Equipment Security Assurance Scheme): This scheme provides a framework for assessing vendor development and product lifecycle processes, accrediting test laboratories, and conducting security evaluations of network equipment. It aims to provide a common baseline security level for the industry. 
  • 3GPP's SCAS (Security Assurance Specifications): 3GPP produces SCASs that define security requirements and test cases for various network product classes (e.g., AMF, UPF, SEPP). GSMA PRD FS.13 provides an overview of NESAS. 
  • Scope and Limitations: NESAS focuses on equipment assurance. It doesn't cover aspects like operational security, risk from legacy interworking, or specific cloud security deployments, which remain the operator's responsibility to tailor. 

From Standards to Strengths with Palindrome Technologies

The GSMA's July 2024 5G Security Guide is an invaluable resource for us practitioners. It maps out a complex terrain of new threats, enhanced defenses, and evolving architectures. However, the journey from understanding these standards to implementing robust, practical, and resilient security is where the real challenge—and the real expertise—lies. The sheer breadth of considerations, from the intricacies of SUCI generation and SEPP deployment to the nuances of cloud-native security and O-RAN's open frontiers, can be daunting.

This is precisely where specialized expertise becomes not just beneficial, but critical.

At Palindrome Technologies, we live and breathe these complexities. Our world-leading cybersecurity expertise is dedicated to helping organizations like yours navigate the intricate 5G security landscape with confidence. We understand that security is not just a checklist; it's a continuous process of assessment, adaptation, and assurance.

Whether it's providing in-depth consulting services to help you align your 5G deployments with GSMA guidelines, 3GPP specifications, and global best practices, or delivering rigorous product security testing services, including evaluations for NESAS compliance, Palindrome is your trusted partner. We help you dissect the standards, identify the risks relevant to your specific environment, and implement security measures that are both effective and pragmatic.

Our deep understanding of telecom protocols, cloud security, virtualization, and emerging threats allows us to ensure that your 5G journey is not just innovative, but also secure and resilient from the ground up. Let Palindrome Technologies help you turn the comprehensive standards outlined in the GSMA 5G Security Guide into your organization's tangible strengths, safeguarding your network, your customers, and your future in the 5G era.
