Private 5G Network Security

A lot has been written about the new world 5G can provide: ubiquitous connectivity delivering a multitude of services over networks tailored into different «slices», each designed to maximize an application’s potential. The conversation then moves on to the three high-level primary solutions: enhanced Mobile Broadband (eMBB), Ultra Reliable Low Latency Communications (URLLC) and Massive Machine Type Communications (mMTC). In most circumstances a business case will fit into one of these and can use the 5G public mobile networks (PLMN) for maximum global coverage.

However, some businesses may require a combination of these elements merged together to support their individual multifaceted needs. Alternatively, they could require an even more bespoke configuration of the «slices», or possibly just greater isolation, to best utilize 5G. It is here that private 5G networks come to the fore.

Currently industry leads the way, and it is easy to see why a factory complex or similar could benefit from private 5G’s complete focus on its specific business goals, without any external constraints. Being able to monitor everything via sensors, from environmental conditions to machinery performance, supply chain and logistics, all the way to the product’s quality control, would give incredibly valuable insight. Feeding this huge volume of data into AI software or other machine learning algorithms, and then having a localized network with sufficiently low latency and high reliability to push commands to smart factory equipment or drones, could maximize efficiency and productivity like never before.

The potential benefits are clear, but private 5G networks, much like public 5G networks, are early in their development, and the technology components and use cases are evolving quickly.

Delivering private 5G requires the deployment of a 5G Radio Access Network (RAN) and core network resources, both delivered on virtual/cloud infrastructure and based on new architectural principles: O-RAN on the edge and the Service Based Architecture (SBA) in the core. It is also expected that many of the 5G applications will necessitate low latency and so would require compute resources as close to the equipment as possible, meaning Multi-Access Edge Computing (MEC) infrastructure would be required. Beyond these three major elements, management and orchestration, radio frequency (RF) planning, IT and public cloud integration, and a comprehensive suite of support and maintenance services will be required.

All of these elements must be addressed and secured, as well as the sensitive information and data gathered and stored by the network.

The first step is to secure the bandwidth you need to run the private network. Globally, only a few countries have reserved bandwidth: France, Germany, the Netherlands, Sweden and the UK in Europe, as well as Japan, Australia and the US. This list is continually growing, though, with South Korea announcing this month that it will be providing network bandwidth to non-telecommunications companies in the first half of 2021.

Immediately the service is faced with a design and delivery situation that requires niche skillsets (e.g. RF planning) and the need to understand and bring together new and diverse technologies just to deliver the edge connectivity. These present major security headaches for large mobile operators, and even factoring in the private 5G network being orders of magnitude smaller, handling them efficiently will be challenging.

The higher frequencies used in 5G mean the signals have less penetration through physical objects or barriers and necessitate the use of multiple smaller base stations (small cells, picocells, or microcells) to deliver coverage. This brings with it a new threat vector, as physically securing them is more onerous than securing large (macro) cell towers. In private 5G this should be easier than in public 5G networks, but it will still apply to any outside radio units, for instance at logistics terminals or other exposed locations.

The RAN in 5G is a virtualized environment. It could be delivered by one vendor, but to fully benefit from niche network customization and innovation, private 5G will more likely leverage the multivendor Open RAN environment. This consists of commercial off-the-shelf (COTS) equipment hosting multiple vendors’ software to deliver the various network functions over standardized open interfaces.

This promises to be hugely flexible and very cost effective in the long term, and so ideal for private networks. Nevertheless, it exposes a number of security considerations. Multiple vendors inevitably create an ever-increasing supply chain security threat, as does the integration between them. Even with standardization there is always the opportunity for different interpretations; this can lead to the behavior of one vendor inadvertently affecting another and creating a situation a malefactor can utilize. Management and orchestration of the underlying virtual environment can be diverse (SDN, NFV, Kubernetes, COTS APIs, etc.) and hugely complex, with any vulnerabilities having enormous impact.

The same virtualization considerations are mirrored, but amplified even further, in the private 5G core. 5G utilizes a Service Based Architecture (SBA) to deliver services more effectively than previous generations. This represents a move from point-to-point interactions between network function services to elements connected by a single network bus. Protecting this central point of connectivity and its protocols is imperative, as early research is pointing to massive implications should it be breached.

In today’s networks the use of public cloud resources is omnipresent, and private 5G will be no exception. This could extend all the way to hosting the 5G core but will almost certainly be utilized for MEC. Access to the compute and storage capacity of the hyperscale providers’ datacenters located locally to the private 5G network will give cost-effective support to low latency applications.

Again, the integration of environments and the management of multivendor environments are a security concern for MEC.

APIs are leveraged extensively in MEC, where they are needed to support the federated services and interactions with different vendors and content providers. APIs are soon to become the most attacked threat vector on the planet and are associated with DoS, man-in-the-middle, privacy leakages, and any number of other attacks. Additionally, any attacks launched from the cloud can use the incredibly powerful computing infrastructure to create brute force attacks and deliver substantial DDoS.

Beyond the network itself, private 5G also needs to consider the devices it is connecting. 5G IoT devices will benefit from eSIM/eUICC security, which is a massive advantage over WiFi or other connection mediums. Nonetheless, they have security considerations and should be provided by a trusted source, such as a member of the GSMA Security Accreditation Scheme, with all profile management and maintenance interfaces also systematically secured.

Universal connectivity inevitably means IoT devices will be built and configured by suppliers whose core competency is not network connectivity. Other equipment may even be retrofitted with connectivity, removing any continuity of design. In this case the network needs to protect itself not only from malicious actors utilizing any issues on these devices but also from inadvertent misconfiguration or simply misbehaving software.

Private 5G is an opportunity to build a network that precisely supports an enterprise’s unique requirements, but end-to-end deployment, supervision of the various vendors and ongoing management are complex. It is unlikely any company will have enough in-house expertise, so delivery will rely on the support of system integrators or managed service providers. Security must also be integral to the project from the outset to ensure its successful implementation and the long-term protection of mission-critical applications, intellectual property and other sensitive data.

Engaging the right independent multi-skilled cyber security advisor, who fully understands the idiosyncrasies of the telecoms industry, is absolutely key to securing the network and protecting your company’s brand.