Preparation for 5G TCs Security - MTSFB


Transcript of Preparation for 5G TCs Security - MTSFB

Page 1: Preparation for 5G TCs Security - MTSFB

5G Security Requirements

10 June 2020, Wednesday

10:00am – 12:30pm

Preparation for 5G TCs Security

Mohd Fairuz Ismail

Security, Trust and Privacy Sub-Working Group

Page 2: Preparation for 5G TCs Security - MTSFB

Let’s collaborate @ MTSFB!

5G Security Requirements Technical Code

OBJECTIVE

▪ To establish 5G security guidelines and infrastructure requirements

▪ To provide all recommended technical performance & requirements

▪ To evaluate and measure the effectiveness of security controls and the E2E framework

▪ To benchmark or rate the overall security posture of the organisation

SCOPE

This Technical Code applies to Telecommunication Operators, Telecommunication Regulatory Bodies, Mobile Technology Developers and/or Vertical Industries using 5G for their vertical services.

▪ 5G Security Architecture

▪ 5G Security Standards and Recommendation

▪ 5G End-to-End (E2E) Framework & Control Classes

▪ 5G Security Infrastructure Guidelines

▪ 5G Performance and Technical Requirements

Page 3: Preparation for 5G TCs Security - MTSFB

Outlines

1 5G Security Overview

2 5G Security Guidelines and Infrastructure Requirements

3 5G Technical Performance and Requirements

4 5G Security Architecture (Security Domains)

5 5G Security Control Classes and E2E Framework

6 5G Security Elements and Recommendations

7 5G Technical Feedback

8 Annex

Page 4: Preparation for 5G TCs Security - MTSFB

1 5G Security Overview

Page 5: Preparation for 5G TCs Security - MTSFB

5G Security Overview

In 5G, the security systems shall be able to provide the following abilities:

▪ Flexible enough to cater for the expected diversity of connected devices and systems

▪ Provide the ability to monitor their real-time status and traffic

▪ Provide protection against the main attack vectors.

5G network assets to be secured are as follows:

▪ User Information Security

▪ Network Elements (NEs) Security

▪ Transport / Interface Security.

Page 6: Preparation for 5G TCs Security - MTSFB

2 5G Security Guidelines and Infrastructure Requirements

Page 7: Preparation for 5G TCs Security - MTSFB

5G Security Guidelines

Public Key Infrastructure

This standard affects any vendor that is developing products, profiling applications or deploying security solutions that are based on Public-Key Infrastructure (PKI) or Privilege Management Infrastructure (PMI). The standard is particularly applicable for services such as authentication, encryption and confidentiality, digital signatures, non-repudiation, and authorization.

Cybersecurity Overview

Anyone developing products, profiling application security, or deploying security solutions across the enterprise, or public and private organizations, should read Recommendation ITU-T X.1205.

Security Architecture for Systems Providing End-to-End Communications

This recommendation is essential for any entity that is performing comprehensive network security assessment and planning. Recommendation ITU-T X.805 addresses the inherent complex security problems in 5G networks, with their division into layers, planes and elements, and the need to have at hand a holistic security methodology to systematically engineer security for such systems.

Security Assertion Markup Language

SAML (Security Assertion Markup Language) is a standard that allows different organizations (with different security domains) to securely exchange authentication and authorization information.

Entity Authentication Assurance Framework

This work affects organizations that are developing products, profiling application security, or deploying security solutions that require authentication.

Page 8: Preparation for 5G TCs Security - MTSFB

5G Security Guidelines

Common Alerting Protocol

Many Integrated Public Alert and Warning Systems (IPAWS) are based on this protocol. This protocol touches millions of people on a daily basis since it is the foundation for passing warning messages.

Access Control Markup Language (XACML)

This standard plays an important role within an organization by providing real-time, role-based access control to protect access to all types of resources within the organization.

Information Security Management Guidelines for Telecommunications Organizations Based on ISO/IEC 27002

For the most part, ITU-T security-related Recommendations focus on the technical aspects of systems and networks. Additionally, some aspects of personnel security are identified in Recommendation ITU-T X.1051.

Interactive Gateway System for Countering Spam (Recommendation ITU-T X.1243)

Technology collaboration has been recognized as a key component in countering spam. Recommendation ITU-T X.1243 illustrates such a system and specifies a technical means for countering inter-domain spam.

Abstract Syntax Notation One (ASN.1)

Though initially used for specifying the email protocol within the Open Systems Interconnection environment, ASN.1 has since been adopted for a wide range of other applications, such as network management, secure email, cellular telephony, air traffic control, and voice and video over the Internet.

Cybersecurity Information Exchange Framework

The CYBEX Recommendations facilitate the exchange of information across all stakeholders of cybersecurity.

Page 9: Preparation for 5G TCs Security - MTSFB

5G Security Infrastructure Requirements

RAN Security
Security for the Next Generation (NG) radio interface and radio access network (RAN).

Security Architecture
Architectural aspects of the security for the 5G system.

Security Context and Key Management
Security aspects related to the management of security context and security keys.

Security Within 5G-UE
Security of sensitive data handled within the 5G-UE.

Authorization
Authorization of the UE to access the network and authorization of the network to serve the UE.

Authentication
Authentication framework, identifiers and credentials, and authentication methods.

Subscription Privacy
Security aspects related to the protection of subscribers’ personal information, e.g. identifiers, location, data, etc.

Network Slicing Security
Security aspects related to the network slicing concept, such as service access, network function sharing and isolation.

Relay Security
Security of 5G connectivity over relays.

Network Domain Security
Security of the signalling protocols in the network domain, such as authentication, integrity, and availability.

Security Visibility and Configurability
Presentation of security information to a user of a UE, and management of security configuration by a user or a UE.

Credential Provisioning
Security aspects of provisioning 3GPP credential(s) on equipment that will access the 5G system.

Interworking and Migration
Security aspects related to the interworking and migration scenarios between radio technologies and possible core network concepts.

Small Data
Procedures for handling a huge number of IoT UEs that send small amounts of data sporadically while moving from one location to another.

Broadcast/Multicast Security
Security for broadcast services that will be used in verticals, for example MCPTT, Critical Communication, V2X, and massive MTC.

Management Security
Security aspects related to the management plane and deployment scenarios.

Cryptographic Algorithms
Cryptographic algorithms to be used for security mechanisms and protocols within the 5G system.

Physical Security
Security aspects related to the physical security of the network elements, such as ease of physical access.

Page 10: Preparation for 5G TCs Security - MTSFB

3 5G Technical Performance and Requirements

Page 11: Preparation for 5G TCs Security - MTSFB

5G Minimum Technical Performance

Energy Efficiency

• The capability of a RIT/SRIT to minimize the radio access network energy consumption in relation to the traffic capacity provided.

• Energy efficiency of the network and the device can relate to the support for the following two aspects: a) efficient data transmission in a loaded case; b) low energy consumption when there is no data.

• This requirement is defined for the purpose of evaluation in the eMBB usage scenario.

User Plane Latency

• 4 ms for eMBB

• 1 ms for URLLC.

Mobility Interruption Time

• The shortest time duration supported by the system during which a user terminal cannot exchange user plane packets with any base station during transitions.

• This requirement is defined for the purpose of evaluation in the eMBB and URLLC usage scenarios.

• Mobility interruption time is 0 ms.

Mobility

• Stationary: 0 km/h

• Pedestrian: 0 km/h to 10 km/h

• Vehicular: 10 km/h to 120 km/h

• High speed vehicular: 120 km/h to 500 km/h.

Bandwidth

• The maximum aggregated system bandwidth. The bandwidth may be supported by single or multiple radio frequency (RF) carriers:

Connection Density

• The total number of devices fulfilling a specific quality of service (QoS) per unit area (per km²).

• Used in evaluation for the mMTC usage scenario.

• Connection density is 1 000 000 devices per km².

Reliability

• It relates to the capability of transmitting a given amount of traffic within a predetermined time duration with high success probability.

• This requirement is defined for the purpose of evaluation in the URLLC usage scenario.

Control Plane Latency

• 20 ms (encouraged to consider 10 ms for this parameter)

Page 12: Preparation for 5G TCs Security - MTSFB

5G Minimum Technical Performance Specifications

Use case category / parameter                 Downlink             Uplink
Peak data rate                                20 Gbps              10 Gbps
Peak spectral efficiency                      30 bit/s/Hz          15 bit/s/Hz
User experienced data rate                    100 Mbps             50 Mbps
5th percentile user spectral efficiency
  Indoor Hotspot – eMBB                       0.3 bit/s/Hz         0.21 bit/s/Hz
  Dense Urban – eMBB                          0.225 bit/s/Hz       0.15 bit/s/Hz
  Rural – eMBB                                0.12 bit/s/Hz        0.045 bit/s/Hz
Average spectral efficiency
  Indoor Hotspot – eMBB                       9 bit/s/Hz/TRxP      6.75 bit/s/Hz/TRxP
  Dense Urban – eMBB                          7.8 bit/s/Hz/TRxP    5.4 bit/s/Hz/TRxP
  Rural – eMBB                                3.3 bit/s/Hz/TRxP    1.6 bit/s/Hz/TRxP

Mobility Classes

Test environment for eMBB        Mobility classes supported
Indoor Hotspot – eMBB            Stationary, pedestrian
Dense Urban – eMBB               Stationary, pedestrian, vehicular (up to 30 km/h)
Rural – eMBB                     Pedestrian, vehicular, high speed vehicular

Page 13: Preparation for 5G TCs Security - MTSFB


5G Use Case Category Minimum Performance Specifications

5G use case category minimum performance specifications.

Page 14: Preparation for 5G TCs Security - MTSFB

4 5G Security Architecture (Security Domains)

Page 15: Preparation for 5G TCs Security - MTSFB

5G 3GPP Security Architecture

Figure: 5G 3GPP security architecture, showing the user application and provider application (application stratum); the ME, USIM, 3GPP AN, non-3GPP AN, SN and HE (home stratum/serving stratum); and the transport stratum, with the security domains marked on the interfaces between them:

I – Network access security

II – Network domain security

III – User domain security

IV – Application domain security

V – Service based architecture (SBA) domain security

VI – Visibility and configurability of security

Page 16: Preparation for 5G TCs Security - MTSFB

5G 3GPP Security Architecture

Source: 3GPP TS 33.501 v16.1.0 – Security architecture and procedures for 5G system

Security Domains Description

Network Access Security
- Allows a UE to authenticate and access services in 3GPP and non-3GPP networks securely
- Protects the network against attacks on the radio interfaces
- Provides security context delivery from the serving network (SN) to the access network (AN) for access security.

Network Domain Security
- Allows network nodes to safely and securely exchange signaling data and user plane data.

User Domain Security
- Ensures secure user access to mobile equipment.

Application Domain Security
- Allows applications in the user domain and in the provider domain to securely exchange messages with each other.

Service Based Architecture (SBA) Security
- Allows network functions of the SBA architecture to securely communicate within the serving network domain and with other network domains.

Visibility and Configurability of Security
- Allows the user to be informed whether a security feature is in operation or not.

Page 17: Preparation for 5G TCs Security - MTSFB

5G Security Architecture Planes

Figure: 5G security architecture planes spanning the ME, AN, SN and HN, the vertical service provider and the application server. The figure shows the security plane for user data, the security plane for control signaling and the security plane for management system; the fundamental security functions (network access security, authentication and key agreement, secondary authentication, network domain security, SBA security, remote ID management); the service-oriented security functions (security function management, ID management, security slicing control, E2E security slicing management, security isolation between slices, security event control and security intelligence sharing, security capability exposure); and application security with E2E slicing.

Page 18: Preparation for 5G TCs Security - MTSFB

5G Security Architecture Planes

The security architecture design implements three security planes:

Security Plane For Management System

This plane carries out service-oriented security function orchestration, such as the modification and deployment of security functions and security protection mechanisms, along with the orchestration of network security functions within slices. It also performs identity management.

Security Plane For User Data

This plane enforces service-oriented, differentiated security protection, where the security protection mechanism of the user plane is tailored according to the security policies required by the various services.

Security Plane For Control Signalling

This plane allows flexible deployment of network security functions based on the service-based architecture and virtualisation technology, and supports scalable authentication mechanisms and remote identity management, such as tiered identity management mechanisms.

The security architecture design also implements two security mechanisms:

Slicing Management Security Mechanism

- Slicing security as a Service (SsaaS), which enables operators to provide customised security packages for vertical industries.

- Slicing lifecycle security, which ensures security in the slice design, configuration, activation, operation and termination phases.

- Intelligent slicing security Operations and Maintenance (O&M).

Security Events Control and Security Intelligence Sharing Mechanism

The security events control and security intelligence sharing center schedules and coordinates security components in order to implement intelligence sharing and security policy control between carriers’ networks and vertical industries based on security events.

Page 19: Preparation for 5G TCs Security - MTSFB

5 5G Security Control Classes and E2E Framework

Page 20: Preparation for 5G TCs Security - MTSFB


5G E2E Security Framework

The 5G E2E security framework, when defined using the 5G 3GPP security architecture layout

Page 21: Preparation for 5G TCs Security - MTSFB


5G E2E Security Framework

The 5G E2E security framework, when defined using the 5G security architecture planes layout

Page 22: Preparation for 5G TCs Security - MTSFB


5G E2E Security Framework

5G E2E security framework, when defined using the security control layer and classes

Page 23: Preparation for 5G TCs Security - MTSFB

5G Security Planes & Layers

5G Security Planes

End User Security Plane
Protection of end user data flow, along with the usage of and access to the service provider’s network by customers.

Control Security Plane
Protection of activities that ensure the efficient delivery of control and signaling information, services and applications across the 5G network.

Management Security Plane
Protection of the operation, administration, maintenance and provisioning of network elements, transmission facilities, back-office systems and data centers.

5G Security Layers

Application Security Layer
Protection of network-based applications, such as email, file transport and web browsing applications, that are accessed by the service providers’ customers.

Service Security Layer
Protection of services, such as basic transport and connectivity for Internet access and value added services such as QoS, VPN and location services, that are provided by service providers to their customers.

Infrastructure Security Layer
Protection of the network transmission facilities and individual network elements.

Source: ITU-T Recommendation X.805 – Security architecture for systems providing end-to-end communications

Page 24: Preparation for 5G TCs Security - MTSFB

5G Security Control Classes

Access Control
Ensures only authorized users or devices are allowed to perform administrative and/or management activities.

Authentication
Ensures that the user or device performing administrative and/or management activities is a verified identity.

Non-Repudiation
Provides a record identifying the user or device performing an administrative and/or management activity, as evidence.

Data Confidentiality
Protects the network device, device link and sensitive data from unauthorized viewing.

Data Integrity
Protection of configuration and administrative data against unauthorized modification, deletion, creation and replication.

Availability
Ensures that the management of network devices and communication links is not denied.

Privacy
Ensures that information that can be used to identify users/devices is not visible to unauthorized users/devices.

Communication Security
Ensures that management information only flows between the necessary devices and communication links without being intercepted.

Page 25: Preparation for 5G TCs Security - MTSFB

5G Security Control Layers & Classes

Figure: matrix of the 5G security control layers and classes. The security layers (Application Security Layer, Service Security Layer, Infrastructure Security Layer) are crossed with the security planes (End user plane, Control plane, Management plane); the vulnerabilities and the attacks & threats in each cell are mapped against the eight security control classes: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability and Privacy.

Page 26: Preparation for 5G TCs Security - MTSFB

5G E2E Security Framework

Category: End Users

Physical
- Elements: Secured hardware
- Security control: Security accreditation scheme (SAS) of UICC/eSIM
- Security threats: Device tampering

Technical
- Elements: Subscriber device identifiers and credentials; Authentication/authorization key agreement (AKA); Security negotiation, key hierarchy
- Security control: Trust model between telco network, vertical service network and user; Hybrid authentication management with either/both network provider and service provider; EAP-AKA’ and 5G-AKA authentication for attach procedure
- Security threats: Malware; TFTP MitM attacks; Bots DDoS; Firmware hacks; User identity theft

Administration
- Elements: Enhanced subscriber privacy
- Security control: Concealment of subscriber identity via SUCI
- Security threats: Privacy breach

Category: NR RAN

Physical
- Elements: Secured hardware
- Security control: Implementation of physical security measures at RAN sites (security fence, CCTV, physical locks etc.)
- Security threats: Device tampering; Damage to RAN network elements

Technical
- Elements: Cryptographic algorithms; Air interface jamming protection; Fronthaul and backhaul security
- Security control: Detection mechanism for DDoS attacks (e.g. threshold based detection of RRC requests); Quantum key distribution for signaling encryption; Anti-jamming mobile offloading mechanisms; IPSec tunnel security for transport links
- Security threats: MitM attack; Jamming; IMSI catching; Flooding attacks; Rogue nodes; Signaling fraud; Signaling storm

Administration
- Elements: Secured user access
- Security control: User access control
- Security threats: Unauthorized access; Data/information exfiltration
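The NR RAN row lists "threshold based detection of RRC requests" as a DDoS detection control. The following is an added example (not code from the Technical Code or any vendor) of what such a detector looks like on the defender's side: a sliding-window counter per cell over RRC setup request log lines. The log format, cell and UE identifiers, window and threshold are all constructed assumptions for illustration.

```python
"""Threshold-based detection of RRC setup request floods per cell (added example).

Assumed (constructed) log format, one request per line:
    <ISO timestamp> cell=<cell id> ue=<temporary UE id> RRCSetupRequest
Lines are assumed to be in time order, as a gNB log export normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+)\s+cell=(\S+)\s+ue=(\S+)\s+RRCSetupRequest$")

# Constructed sample: cell C1 receives a burst of six requests within two seconds
# (a signaling storm / flooding pattern), cell C2 only a normal trickle.
SAMPLE_LOG = """\
2020-06-10T10:00:00 cell=C1 ue=u1 RRCSetupRequest
2020-06-10T10:00:00 cell=C2 ue=u9 RRCSetupRequest
2020-06-10T10:00:00 cell=C1 ue=u2 RRCSetupRequest
2020-06-10T10:00:01 cell=C1 ue=u3 RRCSetupRequest
2020-06-10T10:00:01 cell=C1 ue=u4 RRCSetupRequest
2020-06-10T10:00:02 cell=C1 ue=u5 RRCSetupRequest
2020-06-10T10:00:02 cell=C1 ue=u6 RRCSetupRequest
2020-06-10T10:00:15 cell=C2 ue=u9 RRCSetupRequest
2020-06-10T10:00:30 cell=C1 ue=u7 RRCSetupRequest
"""


def parse_line(line):
    """Return (timestamp, cell, ue) for an RRCSetupRequest line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_rrc_flood(log_text, window_seconds=5, threshold=5):
    """Sliding-window threshold detector.

    For each cell, keep the requests seen in the trailing window. When the count
    reaches `threshold`, raise one alert for that cell and disarm it; the cell is
    re-armed once its count falls back below the threshold, so a sustained storm
    yields one alert per episode rather than one per request.

    Each alert records how many distinct UE ids were in the window: many distinct
    ids points at a flood, a single id at one misbehaving device.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # cell -> deque of (timestamp, ue)
    armed = defaultdict(lambda: True)    # cell -> alert on the next crossing?
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:               # skip non-RRC or malformed lines
            continue
        ts, cell, ue = parsed
        dq = recent[cell]
        dq.append((ts, ue))
        while dq and ts - dq[0][0] > window:   # evict entries older than the window
            dq.popleft()
        if len(dq) < threshold:
            armed[cell] = True
            continue
        if armed[cell]:
            armed[cell] = False
            alerts.append({
                "time": ts.isoformat(),
                "cell": cell,
                "count": len(dq),
                "distinct_ues": len({u for _, u in dq}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rrc_flood(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector raises a single alert for cell C1 at 10:00:02 (five requests from five distinct UEs inside the 5-second window); the later request at 10:00:30 falls outside the window and re-arms the cell.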

Page 27: Preparation for 5G TCs Security - MTSFB

5G E2E Security Framework

Category: Edge Network

Physical
- Elements: Secured hardware
- Security control: Implementation of physical security measures for MEC elements (anti-theft, anti-damage, access control etc.)
- Security threats: Device tampering; Damage to MEC elements

Technical
- Elements: NFV/SDN security; Network slicing security; MEC security; Cloud security; Fronthaul and backhaul security
- Security control: Resource isolation and multi-layer isolation (zoning isolation); Security isolation mechanism and policy; Software defined segmentation; Encryption of sensitive security assets; IPSec tunnel security for transport links
- Security threats: DDoS & DoS attacks; CP/UP sniffing; MEC backhaul sniffing; MEC server vulnerability; Slice/resource theft; Rogue MEC gateway; API vulnerability exploit; Side channel attack; Roaming partner vulnerabilities; Signaling fraud

Administration
- Elements: Secured user access
- Security control: User access control
- Security threats: Improper access control; Data/information exfiltration

Page 28: Preparation for 5G TCs Security - MTSFB

5G E2E Security Framework

Category: Core Network

Physical
- Elements: Secured hardware
- Security control: Implementation of physical security measures for core elements (anti-theft, anti-damage, access control etc.)
- Security threats: Device tampering; Damage to core elements

Technical
- Elements: NFV/SDN security; Network slicing security; Cloud security; SBA security; Fronthaul and backhaul security; Inter-networking security; Network capability exposure security
- Security control: Resource isolation and multi-layer isolation (zoning isolation); Security isolation mechanism and policy; Software defined segmentation; Authentication framework for SBA using OAuth 2.0; Authentication and transport protection between functions using TLS; Usage of security edge protection proxy (SEPP) for interconnection security; Securing east-west traffic
- Security threats: DDoS & DoS attacks; CP/UP sniffing; Slice/resource theft; API vulnerability exploit; Side channel attack; Roaming partner vulnerabilities; Signaling fraud

Administration
- Elements: Secured user access
- Security control: User access control
- Security threats: Improper access control; Data/information exfiltration

Page 29: Preparation for 5G TCs Security - MTSFB

5G E2E Security Framework

Category: Application/Services

Physical
- Elements: Secured hardware
- Security control: Implementation of physical security measures for network elements (anti-theft, anti-damage, access control etc.); Physically secured IoT endpoints
- Security threats: Device tampering; Damage to network elements

Technical
- Elements: Vertical industries applications; NB-IoT; STIR/SHAKEN
- Security control: Securing 3rd party application interfaces; Enforcing cloud security policies; Enforcing API security; Root of trust for IoT endpoints
- Security threats: API vulnerabilities; Application server vulnerabilities; Application vulnerability exploits; DDoS & DoS attacks; Hacking of IoT endpoints; Spam calls

Administration
- Elements: Secured user access
- Security control: User access control
- Security threats: Improper access control; Data/information exfiltration

Page 30: Preparation for 5G TCs Security - MTSFB

5G E2E Security Framework

Category: Operations

Physical
- Elements: Secured hardware
- Security control: Implementation of physical security measures for network elements (anti-theft, anti-damage, access control etc.)
- Security threats: Device tampering; Damage to network elements

Technical
- Elements: NIST’s IPDRR (identify, protect, detect, respond and recover) framework
- Security control: System security monitoring, auditing and traceability; System integrity protection via secure boot
- Security threats: DDoS & DoS attacks; MitM; Hacking

Administration
- Elements: Change management; Business continuity; Incident management; Operation resiliency; Secured user access
- Security control: Privacy procedures for handling user data during network O&M routines; Enforcement of security rules for O&M tasks; Enforce in-house/3rd party audit; User access control
- Security threats: Privacy breach; Improper access control; Vulnerable network and systems; Data/information exfiltration

Page 31: Preparation for 5G TCs Security - MTSFB

6 5G Security Elements and Recommendations

Page 32: Preparation for 5G TCs Security - MTSFB

5G Security Elements Severity

Category of network function/elements: Core network functions
- Example of key elements: User equipment authentication, roaming and session management functions; User equipment data transport functions; Access policy management; Registration and authorization of network services; Storage of end-user and network data; Link with third-party mobile networks; Exposure of core network functions to external applications; Attribution of end-user devices to network slices
- Description: Threats affecting the core network will affect the entire network’s confidentiality, integrity and availability, in addition to potential sensitive data leakage, as sensitive data is transmitted through the core network components.
- Severity: Critical

Category of network function/elements: NFV management and network orchestration (MANO)
- Description: Many highly important functions, such as core access and control functions, lawful interception, and security and cryptographic functions, are located in this area. Attacks in this area will affect functions necessary to operate the 5G network.
- Severity: Critical

Category of network function/elements: Management systems and supporting services (other than MANO)
- Example of key elements: Security management systems; Billing and other support systems, such as network performance
- Description: Despite not carrying network traffic, any threat or attack in this area can put the entire network at risk of sabotage and malicious attacks disrupting the entire 5G network function.
- Severity: High

Criteria for evaluating 5G security elements severity:
1) Type of impact – compromised confidentiality, integrity and/or availability of the network
2) Scale of impact – number of affected users, service downtime, number of nodes affected, etc.

Page 33: Preparation for 5G TCs Security - MTSFB

5G Security Elements Severity

Category of network function/elements: Radio access network (RAN)
- Example of key elements: Base stations
- Description: Some network functions which are considered less sensitive in the traditional network will become more sensitive in the 5G network due to handling user data or performing smart and sensitive functions. With the introduction of MEC, more sensitive network functions are physically moved from the core network to be closer to the edge network.
- Severity: Medium

Category of network function/elements: Transport and transmission functions
- Example of key elements: Low-level network equipment (routers, switches, etc.); Filtering equipment (e.g. firewalls, IPS)
- Description: The assessment of the sensitivity of the transport and transmission functions depends on various factors, such as their role in the transmission network.
- Severity: High

Category of network function/elements: Internetwork exchanges
- Example of key elements: IP networks external to MNO premises; Network services provided by third parties
- Description: The assessment of the sensitivity of the internetwork exchanges depends on various factors, such as their interconnection role between various network operators.
- Severity: High

Source: NIS Cooperation Group – EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks

Page 34: Preparation for 5G TCs Security - MTSFB

5G Security NIST Recommendation

Identify

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks allows an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Protect

Outline the appropriate safeguards to ensure delivery of critical infrastructure services, and support the ability to limit or contain the impact of a potential cybersecurity event.

Detect

Define the appropriate activities to identify the occurrence of a cybersecurity event, allowing timely discovery of cybersecurity events.

Respond

Outline the activities to take action regarding a detected cybersecurity incident, and support the ability to contain the impact of a potential cybersecurity incident.

Recover

Identify the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident, and support timely recovery to normal operations to reduce the impact of a cybersecurity incident.

Page 35: Preparation for 5G TCs Security - MTSFB

7 5G Technical Feedback

Page 36: Preparation for 5G TCs Security - MTSFB

5G Security Requirement Feedback

Feedback received from Celcom and CSM

Comments/Suggestions on Technical Code

Proposed Scope

- Versioning and control are required for the 5G Security Technical Code documentation.

- Apply relevant and verified security technical requirements from global key standardization bodies and industry forums involved in 5G, for various criteria (e.g. business case, network design, architecture etc.).

- Classification and categorization of various 5G security areas of concern.

- Identification and investigation of levels of 5G network exposure scenarios.

- Identification of security requirement sources to be considered in developing the technical security requirements (risks, legal requirements and business requirements).

- Security threats need to be added into the documentation. The threats are mapped to the security controls proposed, so that all the threats can be mitigated by the proposed controls.

- For network encryption defined in the documentation, it is recommended to refer to the “AKSA MySEAL” guidelines proposed by MySEAL.

Clause 5: Security Architecture or Security Controls

- The 5G Security Technical Code documentation is expected to have various versions to cover additional 5G security requirements and updates.

- To protect key assets, 18 security areas having threats and risks that require attention and countermeasures are proposed.

- Security control is to be included in the documentation as it is more suitable to be discussed in the Malaysian environment.

Sub-Clause 5: Domains or Classes

- Security domain is to be included as it is more suitable to be implemented at the telco sites, and security classes can be listed under the sub-security domain.

Page 37: Preparation for 5G TCs Security - MTSFB

Let’s collaborate @ MTSFB!

5G Security Requirement FeedbacksFeedback Topic Maxis NACSA TM

Comments/ Suggestion on Technical Code

Proposed Scope

- Security handling details, such as detailed list of threats and vulnerabilities, along with incident handling/ threat mitigation.

- Technical code documentation is required to cover the following security areas:

a) Network domain security - service based architecture (SBA) or network slicing

b) Data protection algorithm

c) Network element security

d) Device security

e) Identity management

- Requirements for establishing, implementing, maintaining and enhancing of information and network security management system that is applicable to all types of organization has to be covered in the documentation.

- Technical code documentation must cover the following areas as well:

a) System infrastructure requirements

b) Minimum installation guidelines and standards

c) Minimum technical and performance specifications for the service.

- Include measurement of the overhead of security controls, for example additional latency due to security inspection, processing, handshaking and cryptographic workload.

Clause 5: Security Architecture or Security Controls

- Security controls are to be included in the documentation, as they give operators a detailed baseline of the relevant security risks, along with standard countermeasures based on the specified controls, to minimise data loss or leakage and service interruption.

- Security controls are to be included in the documentation, as they allow the implementation of a comprehensive organisational risk management process.

- The security control category is to be further classified into physical, technical and administrative elements.

- Security architecture per domain is to be included, as content security has to be end-to-end for visualisation, and it must cover the security requirements for both the NSA and SA architectures of the 5G network.

Sub-Clause 5: Domains or Classes

- Security domains are to be included, as they will help operators identify the security features needed in each listed domain. This would help in defining the rules for users, processes, systems and services that apply to activity within the domains.

- Security classes are to be included in order to address all the basic criteria for an efficient data security plan as a baseline.

- Security domains are to be included, as they iterate all the security control requirements for each domain.

Page 38: Preparation for 5G TCs Security - MTSFB


Acknowledgements


Members of the Application Security Sub Working Group

Mr Azlan Mohamed Ghazali (Chairman), KPMG Management & Risk Consulting Sdn Bhd

Mr Mohd Fairuz Ismail (Vice Chairman), KPMG Management & Risk Consulting Sdn Bhd

Ms Norkhadhra Nawawi / Mr Ahmad Syazilie Shamsuddin (Secretariat), Malaysian Technical Standards Forum Bhd

Mr Sazali Musa / Mr Zef Zalmi Mohamed, Celcom Axiata Berhad

Mr Ahmad Dahari Jarno / Mr Farhan Arif Mohamad / Mr Muhammad Ashraff Ruzaidi / Ms Norahana Salimin / Mr Shahrin Baharom, CyberSecurity Malaysia

Mr Mohd Edymainoe Mohd Noh / Mr Syahril Hafiz Abu Hassan / Mr Wong Chup Woh, Maxis Bhd

Mr Ahmad Fairuz Mohamed Noor / Ms Azleyna Ariffin / Ms Siti Hajar Roslan, National Cyber Security Agency

Mr Muhamad Hasyimi Shaharuddin / Mr Shahril Azwar Abas, Telekom Malaysia Berhad

Page 39: Preparation for 5G TCs Security - MTSFB


8 Annex 1: Robocall Security Issues and STIR/ SHAKEN Framework Recommendation


Page 40: Preparation for 5G TCs Security - MTSFB


Robocall Statistics in 2019

Analysing this year’s data, we can see that Malaysia is the market that receives the biggest percentage of scam calls in the world. Today, 63% of the top spam calls in Malaysia are of a fraudulent nature. Fake insurance and debt collecting calls are the usual scam calls. ‘Astro’ and ‘Macau’ scams have been flooding the market in the recent year.

Lately, there have been scammers pretending to call from local post delivery services, claiming that a package is stuck somewhere and that you need to pay before they can release it. Over the past 12 months Malaysia has seen a 24% increase in spam calls, going from 6.7 spam calls per month to 8.3. The study was conducted from 1 January to 31 October.

Page 41: Preparation for 5G TCs Security - MTSFB


STIR/ SHAKEN Framework

STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) are standards designed to enable service providers to cryptographically sign calls in the SIP (Session Initiation Protocol) header, to help validate incoming calls and to indicate whether a fraud is occurring.

With the STIR/ SHAKEN standards, the SIP header carries a level-of-confidence indicator from the originating service provider, signalling whether the party originating the call has the right to use the calling number. This is conveyed in the attestation field, which is based on the PASSporT (Personal Assertion Token) attestation claim:

• Full Attestation - The service provider has authenticated the calling party, and the calling party is authorized to use the calling number

• Partial Attestation - The service provider has authenticated the call’s origination (e.g., a known customer) but cannot verify whether the call’s source is authorized to use the calling number.

• Gateway Attestation - The service provider has authenticated the source from which it received the call but cannot authenticate the call source.

STIR/ SHAKEN Call Flow

Actors: Originating Service Provider (with its Authentication Service), Certificate Repository, Terminating Service Provider (with its Verification Service).

1. The caller’s SIP INVITE reaches the Originating Service Provider.

2. The Originating Service Provider passes the SIP INVITE to its Authentication Service.

3. The Authentication Service returns the SIP INVITE with a SIP Identity Header added.

4. The SIP INVITE + SIP Identity Header is sent to the Terminating Service Provider.

5. The Terminating Service Provider passes the SIP INVITE + SIP Identity Header to its Verification Service.

6. The Verification Service:

• obtains the digital certificate with the public key from the Certificate Repository;

• decodes the SIP Identity Header;

• verifies the originating call.

7. The verification results from (6) are returned to the Terminating Service Provider.

8. SIP INVITE (call completion) to the called party.

SIP Identity Header contents:

• PASSporT header

• PASSporT payload

• PASSporT signature

• Encryption algorithm

• Location of the certificate repository
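The signing and verification legs of this call flow, as an added Go example that is not part of the slides or of any STIR/SHAKEN implementation: the originating side builds a SHAKEN PASSporT and signs it with ES256 (steps 2 and 3), and the terminating side checks the algorithm, the signature, the freshness of the token and the calling number before it trusts the attestation claim (A, B or C, matching the Full, Partial and Gateway attestation levels above; steps 5 to 7). The function names are my own, the telephone numbers, origid and certificate URL are constructed samples, and the verifier is handed the public key directly instead of fetching the certificate from the repository via the info URL and validating its chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SHAKEN PASSporT claims (RFC 8225 payload plus the SHAKEN "attest"/"origid" claims).
// Field order is the lexicographic claim order the PASSporT compact form requires.
// Every number, ID and URL used in this file is a constructed sample value.
type tnList struct{ TN []string `json:"tn"` }
type tnOne struct{ TN string `json:"tn"` }
type passport struct {
	Attest string `json:"attest"` // "A" full, "B" partial, "C" gateway attestation
	Dest   tnList `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   tnOne  `json:"orig"`
	Origid string `json:"origid"`
}

// jwsHeader is the protected PASSporT header; x5u is the signing certificate's
// location in the certificate repository (carried again as the Identity "info" parameter).
type jwsHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
// signIdentity plays the originating provider's authentication service (steps 2 and 3):
// build the PASSporT, sign it with ES256 and return the SIP Identity header value.
func signIdentity(priv *ecdsa.PrivateKey, orig, dest, attest, origid, x5u string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(jwsHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	body, _ := json.Marshal(passport{Attest: attest, Dest: tnList{[]string{dest}}, Iat: iat.Unix(), Orig: tnOne{orig}, Origid: origid})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// A JWS ES256 signature is the raw 32-byte R and S concatenated (RFC 7518), not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return fmt.Sprintf("%s.%s;info=<%s>;alg=ES256;ppt=shaken", signingInput, b64.EncodeToString(sig), x5u), nil
}

// verifyIdentity plays the terminating provider's verification service (steps 5 to 7) and
// returns the attestation level on success. The public key is passed in directly; in the
// real flow it comes from the certificate fetched via the info URL after validating its chain.
func verifyIdentity(identity string, pub *ecdsa.PublicKey, fromTN string, now time.Time) (string, error) {
	parts := strings.Split(strings.SplitN(identity, ";", 2)[0], ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	rawHdr, err1 := b64.DecodeString(parts[0])
	rawBody, err2 := b64.DecodeString(parts[1])
	rawSig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(rawSig) != 64 {
		return "", errors.New("bad base64url or signature length")
	}
	var hdr jwsHeader // never let the token pick a weaker algorithm than the profile mandates
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("unexpected alg or ppt")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(rawSig[:32]), new(big.Int).SetBytes(rawSig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature verification failed")
	}
	var pt passport
	if json.Unmarshal(rawBody, &pt) != nil {
		return "", errors.New("bad payload")
	}
	// Replay window: RFC 8224 treats an iat more than about a minute away from now as stale.
	if d := now.Unix() - pt.Iat; d > 60 || d < -60 {
		return "", errors.New("stale PASSporT")
	}
	if pt.Orig.TN != fromTN { // the signed number must match the INVITE's From / P-Asserted-Identity
		return "", errors.New("orig tn does not match the INVITE")
	}
	return pt.Attest, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	id, _ := signIdentity(priv, "60312345678", "60398765432", "A", "sample-origid", "https://cert.example.test/sp.pem", time.Now())
	fmt.Println(id)
	fmt.Println(verifyIdentity(id, &priv.PublicKey, "60312345678", time.Now()))
}
```

The order of the checks in verifyIdentity is deliberate: the algorithm and ppt are pinned before the signature is checked, the signature is checked before any claim is read, and only then are freshness and the calling number compared, so a forged, replayed or re-targeted Identity header fails before its attestation level is ever consulted.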

Page 42: Preparation for 5G TCs Security - MTSFB


Case Study: TRACED Act (USA)

In order to combat the rampant robocall problem in the USA, on 30 December 2019 the President of the United States of America signed the Pallone-Thune TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act, which in summary enforces the following policies and actions:

1. Extends FCC’s statute of limitations on robocall offenses and increases potential fines

2. Requires an FCC rulemaking helping protect consumers from spam calls and texts (this is already underway)

3. Requires annual FCC report on robocall enforcement and allows for it to formally recommend legislation

4. Requires adoption on a reasonable timeline of the STIR/SHAKEN framework for preventing call spoofing

5. Prevents carriers from charging for the above service, and shields them from liability for reasonable mistakes

6. Requires the attorney general to convene an interagency task force to look at prosecution of offenders

7. Opens the door to Justice Department prosecution of offenders

8. Establishes a handful of specific cutouts and studies to make sure the rules work and interested parties are giving feedback

Page 43: Preparation for 5G TCs Security - MTSFB


8 Annex 2: ITU Standards - Security Key Area


Page 44: Preparation for 5G TCs Security - MTSFB


ITU Standards - Security Key Area

No | Security key area | ITU standards | Descriptions

1 | Public Key Infrastructure (PKI) | ITU-T X.509, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks

a) Provides a security framework for both PKI and Privilege Management Infrastructure (PMI).

b) Used for services such as authentication, encryption and confidentiality, digital signatures, non-repudiation, and authorisation.

c) Applicable to any vendors providing security solutions, profiling and products that are based on PKI and PMI.

d) Defines the framework for both PKI and PMI, which includes infrastructure models, certificate and Certificate Revocation List (CRL) syntax definitions, directory schema object definitions and certificate path processing procedures.

2 | Cybersecurity overview | ITU-T X.1205, Overview of cybersecurity

a) Applicable to any party involved in providing security solutions, profiling and products for various organisations.

b) Provides insight on various cybersecurity threats from an organisational point of view across various network layers, along with threat countermeasures, network protection principles and risk management strategies and techniques.

3 | Security architecture for systems providing E2E communications | ITU-T X.805

NOTE: For further details, please refer to Clause 7.

a) Required for any party that is performing comprehensive network security assessment and planning.

b) Addresses complex security problems in Next Generation Networks, with their division into layers, planes and elements, and the need to have at hand a holistic security methodology to systematically engineer security for such systems.

c) Provides a comprehensive, multi-layered, E2E network security framework across 8 security dimensions in order to combat network security threats and to achieve E2E security.

Page 45: Preparation for 5G TCs Security - MTSFB


4 | Security Assertion Markup Language (SAML) | ITU-T X.1141, Security Assertion Markup Language (SAML 2.0)

a) Extensible Markup Language (XML) based framework used to facilitate the exchange of security information among different organisations with different security domains.

b) Ensures a secured exchange of authentication and authorisation information.

c) Enables Single Sign-On (SSO) capabilities, where organisations can share information about user identities and access privileges in a safe, secure and standardised manner.

5 | Entity authentication assurance framework | ITU-T X.1254, Entity authentication assurance framework

a) Affects organisations that provide security-based products, profiling applications and security solutions that require authentication.

b) 4 levels of entity authentication assurance are defined, along with the criteria and threats for each of the four levels.

c) Provides guidance concerning control technologies to be used to mitigate the threats.

d) Provides guidance for mapping the 4 levels of assurance to other authentication assurance schemas and for exchanging the results of authentication based on the four levels of assurance.

6 | Common Alerting Protocol (CAP) | ITU-T X.1303, Common alerting protocol (CAP 1.1)

a) Affects Integrated Public Alert and Warning Systems (IPAWS), as they are based on CAP.

b) Exchanges all-hazard emergency alerts and public warnings over all kinds of networks.

c) Allows a consistent warning message to be disseminated simultaneously over many different warning systems.

d) Increases warning effectiveness while simplifying the alerting task.


Page 46: Preparation for 5G TCs Security - MTSFB


7 | eXtensible Access Control Markup Language (XACML) | ITU-T X.1142, eXtensible Access Control Markup Language (XACML 2.0); ITU-T X.1144, eXtensible Access Control Markup Language (XACML) 3.0

a) Covers the eXtensible Access Control Markup Language (XACML).

b) XACML defines an attribute-based access control policy language, architecture and a processing model.

c) Describes how access requests are evaluated according to rules defined in an enterprise policy.

d) Plays an important role within an organisation in providing real-time Role-Based Access Control (RBAC) to protect access to all types of resources within any organisation.


Page 47: Preparation for 5G TCs Security - MTSFB


8 | Information security management guidelines for telecommunications organisations based on ISO/IEC 27002 | ITU-T X.1051, Information technology - Security techniques - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations

a) General principles for initiating, implementing, maintaining and improving information security management in telecommunications organisations.

b) Provides an implementation baseline for information security management to help ensure the confidentiality, integrity and availability of telecommunications facilities and services.

c) Covers several areas in the telecommunication sector such as:

i) information security policies;

ii) organisation of information security;

iii) asset management;

iv) access control;

v) cryptography;

vi) physical and environmental security;

vii) operations security;

viii) communications security;

ix) systems acquisition, development and maintenance;

x) supplier relationships;

xi) information security incident management;

xii) information security aspects of business continuity management; and

xiii) compliance.

d) Addresses several security concerns, such as protection of information from unauthorised disclosure, controlled installation and use of telecommunication facilities, and provision of authorised access to telecommunication facilities when necessary.


Page 48: Preparation for 5G TCs Security - MTSFB


9 | Interactive gateway system for countering spam | ITU-T X.1243, Interactive gateway system for countering spam

a) Enables spam notification among different domains and prevents spam traffic from passing from one domain to another.

b) Specifies the architecture for the gateway system and describes the basic entities, protocols and functions of the system.

c) Specifies mechanisms for spam detection, information sharing and specific actions for countering spam.

10 | Abstract Syntax Notation One (ASN.1) | Abstract Syntax Notation One (ASN.1) specific recommendations: ITU-T X.680 - X.683 and ISO/IEC 8824, Information technology - Abstract Syntax Notation One (ASN.1)

a) Used for a wide range of other applications, such as network management, secure email, cellular telephony, air traffic control, and voice and video over the Internet.

b) Covers various aspects such as the definition of data types and values, Basic Encoding Rules (BER) and Packed Encoding Rules (PER).

c) Applies to various data types under the ASN.1 notation and rules for encoding ASN.1 data values using XML.


Page 49: Preparation for 5G TCs Security - MTSFB


11 | Cybersecurity Information Exchange (CYBEX) framework | ITU-T X.1500, Overview of cybersecurity information exchange

a) Consists of a basic exchange framework with the following extensible functions:

i) structuring cybersecurity information for exchange purposes;

ii) identifying and discovering cybersecurity information and entities;

iii) requesting and responding with cybersecurity information;

iv) exchanging cybersecurity information; and

v) enabling assured cybersecurity information exchange.

b) Creates a common global means for cybersecurity entities to exchange cybersecurity information.

c) Allows cybersecurity information to be exchanged between various organisations for enhanced cybersecurity and infrastructure protection, as well as accomplishing the principal functions performed by cybersecurity teams.

ITU-T X.1520, Common vulnerabilities and exposures

ITU-T X.1521, Common vulnerability scoring system

ITU-T X.1524, Common weakness enumeration

ITU-T X.1525, Common weakness scoring system

ITU-T X.1526, Language for the open definition of vulnerabilities and for the assessment of a system state

ITU-T X.1528, Common platform enumeration

ITU-T X.1546, Malware attribute enumeration and characterization


Page 50: Preparation for 5G TCs Security - MTSFB
