The Cybersecurity Framework and 5G RAN
Dr. Malcolm Shore
Huawei Technologies | Australia
June 2018
Cybersecurity Officer
Table of Contents
Executive Summary
1. 5G – A Coming Evolution
1.1 What is 5G?
1.2 Why is 5G important?
1.3 Multi-service Networks
1.4 5G Mode
1.5 Access-Core Separation
2. Cybersecurity
2.1 Introduction
2.2 LTE Security
2.3 Assurance
2.4 NIST Cybersecurity Framework
2.5 Cybersecurity and Networks
2.6 Advanced Assurance
2.7 Supply Chain and the 100 Requirements
3. Clarifying the 5G RAN Risks
3.1 X.805
3.2 SP800-187
3.3 Byzantine Attacks
3.4 5G RAN Threat Inventory
4. Aligning 5G RAN with the Cybersecurity Framework
4.1 Introduction
4.2 Threat Alignment
4.3 Summary Alignment
5. Conclusion
5.1 5G RAN Security
APPENDIX
NIST Cybersecurity Framework for 5G RAN
Executive Summary
The 3GPP LTE standard continues to evolve, with carriers expected to progress from Release 14 to Release 15 over the next year or so. This new release provides additional functionality, better security, and the use of new antennae to deliver more broadband capacity. The new release has been named 5G, and is a direct evolution of the existing 4G LTE. For carriers it offers a more cost effective solution due to virtualization and the ability to introduce new business models based on network slicing.
5G enhances the security provided in 4G, introducing an increased key length and better protection of sensitive data. It retains the access-core separation which enables carriers to operate a multi-vendor network, and governments to control the use of certain foreign vendor technologies. The ITU X.805 security architecture continues to be a valuable reference for design of security in these networks, and 5G is fully consistent. The US National Institute of Standards and Technology (NIST) has also released a special publication SP800-187: Guide to LTE Security which provides a technology specific view of LTE threats and mitigations across the spectrum of LTE releases.
Carrier networks are prime targets for cyber attack, from both allies and adversaries. These attacks include supply chain and remote internet-borne attacks, and both may seek to establish an internal beachhead from which to mount an attack deeper into the network. While older security standards such as ISO 27000 and SP800-53 provide good control guidance, they are not specifically cyber attack focused. The US National Institute of Standards and Technology, however, has released a framework to manage the evolving cyber threats called the Framework for Improving Critical Infrastructure Cybersecurity, or simply the Cybersecurity Framework.
In this white paper, we demonstrate how the 5G radio access network (5G RAN) protection detailed in X.805 and in the NIST SP800-187 can be aligned to become part of a wider carrier approach to adopting the protection detailed in the Cybersecurity Framework. We also extend this with our 100 requirements for end-to-end cybersecurity, which provide additional guidance on supply chain risk, and our deep evaluation testing approach, which provides assurance of the integrity of products.
In conclusion, an assured 5G RAN is not a risk to any carrier network. There are much more important risks to address in order to achieve a secure and resilient national infrastructure.
John Suffolk
Global Privacy and Cybersecurity Officer
1. 5G – A Coming Evolution
1.1 What is 5G?
There has been a lot of speculation about the next generation network – 5G – and what it means for carriers, for users, and for governments. 5G has been held up as the technology which will enable carriers to build the next generation of their business models; as the existential threat to critical infrastructures; as the ubiquitous last mile network; and as the solution to slow and unreliable mobile networks. While there are varying degrees of fact or truth in these expectations, the one clear thing is that 5G is a network technology which is emerging into the mainstream and one which will open up the next generation of opportunities for those nations which successfully adopt it.
Understanding 5G is quite simple. 5G is no more than a step along the development of the industry standard 4G LTE technology. Where LTE release 14 is what is currently known as 4G, release 15 is the start of what has been called 5G. 5G is not a revolution in network technology but the start of a series of incremental improvements to 4G to deliver an evolutionary path to the next generation of network capabilities. In its first release, it’s just a bigger and better 4G.
1.2 Why is 5G important?
Early mobile phone systems concentrated on providing voice and a short messaging service, and communications networks that could provide an analogue channel of around 64 kb/s were perfectly adequate to deliver the functionality required. From this beginning, the smartphone emerged with its ability to connect to the internet and to run application software. The demand for bandwidth increased, and the two network architectures of CDMA and GSM merged to deliver the first really effective smartphone network, 3G. The standards for this network are defined internationally, by an organization called the 3rd Generation Protocol Partnership, or simply 3GPP.
The bandwidth and base station capacity available on 3G networks was quickly swamped, and the demand for more data capacity drove improvements to 3G and the new release became known as 4G. This is now the standard for the higher quality networks and is in use by most carriers. 3G still exists, typically as a fall back option for 4G saturation or where 4G is unavailable. Still, 4G is not the complete answer.
The dramatic rise in utilization of the internet to provide connectivity for everything has driven a number of different demands. On the one hand, the rise of small sensors with internet connectivity means a base station needs to support many more devices per square kilometre and this either requires more base stations – a costly exercise – or more capacity per base station to support massive machine type communications (mMTC). The demand for a real time operational network drives the requirements of performance reliability and low network latency, the time a packet takes to travel across the network. These characteristics can be realized with a network approach known as ultra-reliable low latency communications (URLLC). Finally, the demand for bandwidth to support applications such as real time video streaming is driving massive bandwidth in what is known as enhanced mobile broadband (eMBB). These demands cannot be met with the current LTE design, and improvements are necessary. These three forms of network characteristics are often presented as the 5G capability triangle, shown in Figure 1.
Figure 1: 5G Capability Triangle
The roadmap for the next two releases of LTE, with the associated new radio technology, offers those improvements. In the first instance, it offers just more broadband capacity to deliver eMBB. With release 16, the additional use cases of eMBB and URLLC will be delivered. The evolution of LTE is shown in Figure 2.
Figure 2: LTE Evolution
The most visible difference between release 14 and release 15 is the use of a new waveform to support the higher carrier frequencies and bandwidth, and with release 16 come changes to the core and RAN to minimize latency to support the additional usage scenarios, as well as fixed wireless convergence, unlicensed spectrum, multi-connectivity, multicast-broadcast services, satellite access, etc.
From a carrier perspective, the ability to host many more connections with just an upgrade to existing infrastructure is very important – replacement of infrastructure is an unacceptable cost. Carriers are already starting to introduce virtualised infrastructure, and release 15 – LTE-Advanced Evolution with its new radio, together known as 5G – continues with more virtualization of the core network infrastructure, meaning that expensive proprietary components can be replaced with much more cost effective commodity systems. The RAN segment, however, is typically not virtualized because hardware-level performance continues to be a defining characteristic for 5G success.
1.3 Multi-service Networks
Traditional 3G and 4G carrier solutions have used a three layer infrastructure of management, control, and user plane which delivers network services and applications, as described in the ITU X.805 [1] standard. With the evolution to 5G, a new architecture is possible in which the key focus is on providing multiple virtual networks to deliver heterogeneous end-to-end services each with its own network characteristics and its own planes. This is exactly the architecture required to support the future demands of sensors, smart cities, smart transport, and so on with their differing network characteristics. While initial deployments of the 5G radio access network (5G RAN) will run on 4G core solutions, the full 5G RAN and core with its network service-defined characteristics will quickly become the target architecture for networks.
In order to deliver an integrated set of heterogeneous network services, the 5G protocol supports virtual network functionality (VNF) which can be orchestrated through software defined networking (SDN) to use the resources in the traditional transmission and core segments of the network infrastructure layer, as shown in Figure 3. These resources will form dedicated business driven logical networks within the core, otherwise known as network slices, which are able to multiplex throughout the core to provide the edge-to-edge service for the user. The three capabilities of mMTC, URLLC, and eMBB define the first three forms of network slice. The detailed specifications for slicing have been, and are continuing to be, developed by more than a dozen standards bodies, concurrently with the evolution of LTE by 3GPP. Huawei is a leading contributor to those standards.
VNF/SDN concepts shift how an operator designs, develops, manages and delivers products and services to achieve technological and operational efficiencies. These benefits are aimed at fundamentally redefining the cost structure and operational processes, enabling the rapid development of flexible, on-demand services and maintaining a competitive position.
Huawei has developed an ICT functional converged reference architecture for 5G which incorporates edge-to-edge network slicing and security, decoupling of the RAN and core, functional decomposition which separates the central and distributed units of the radio access network and separates the control and data plane in the core, and delivers agile and automated operation. This enables integration of not only cellular but also WiFi and Ethernet communications to deliver further efficiencies for operators.
1.4 5G Mode
There are two modes of deployment for a 5G RAN. The first is what is known as Non-Stand Alone (NSA) mode and works concurrently with a 4G network. In this mode, the 5G RAN handles the device traffic and forwards its data plane directly to an existing 4G evolved packet core (ePC). The control and management plane traffic, however, is handed off to a 4G RAN element which sends it on to the core.
Figure 3: 5G Architecture
[1] ITU Recommendation X.805 Security architecture for systems providing end-to-end communications
The second form of deployment is known as Stand Alone (SA) mode. In this mode, the network has a 5G core which enables the additional capability of slicing. The 5G RAN in this case delivers the full data, control, and management plane traffic to the network edge. There is no requirement for an existing 4G network.
While eMBB deployments can be usefully supported by NSA mode, the demands of mMTC and particularly URLLC will drive the evolution to a 5G core in order to get the benefits of slicing. The cost advantages of a cloud-based core may also drive a carrier to deploy the 5G core.
1.5 Access-Core Separation
The 3GPP standards provide full separation between the access network and the core. This is the case currently with 4G, where connection from a 4G RAN to the core is via a security gateway. In NSA mode, the 5G RAN site will send its data to the core via the security gateway, but will interface to an existing 4G radio site for control and management plane traffic. The NSA 5G RAN is fully separated from the core.
Figure 4: Deployment Scenarios
With the evolution to SA mode, the 5G RAN will then connect to the core through a security gateway, exactly as 4G does now. These scenarios are shown in Figure 4. Importantly, the 5G RAN does not become part of the network slice. Rather, the network slice terminates at the network far edge, and connects to the 5G RAN through a standard interface which translates the network slice identifier value (called the NSSAI) into a standard 4G quality of service (QoS) value. This means that the 5G RAN in either mode can operate in exactly the same way as the 4G RAN operates, i.e. with no requirement for any core interaction.
2. Cybersecurity
2.1 Introduction
The evolution of technology over the last two decades has been rapid, particularly in the telecommunications field. Simple internet services and bulletin boards have evolved into the World Wide Web, sophisticated cloud technologies and the internet of things. Increasingly, digital innovation and smart cities are the keys to prosperity and a nation’s success in the technological world. At the same time there has been a substantial increase in cyber attacks, with more sophisticated attack techniques being discovered and used every day. The early focus for amateur hackers on viruses and worms has evolved to more sophisticated system exploitation and use of backdoors by nation states.
The attack surface for most business and government systems through to the late 1990s was quite small, and cyber fraud was the most prevalent concern. Networks were often not connected to the internet, or did so only briefly for regular up- and downloads of mail. Browsing was typically done using a standalone workstation. However, the vast majority of networks are now connected all the time, and the adoption of web technologies means the attack surface has grown dramatically. The threat of cyber attack has also grown sufficiently high to become a key Board level concern.
2.2 LTE Security
The end-to-end security of 4G and 5G LTE networks is provided for in the 3GPP standards. 5G RAN security introduces some enhancements in the airlink segment to the current 4G security model, a key one being that the encryption key length is increased to 256 bits. The overall security model is shown in Figure 5.
Figure 5: LTE Security
The radio access domain connects through backhaul to the trusted core. Within the core the backbone network connects trusted components and incorporates firewalls and security gateways for perimeter defence. An anti-DDOS solution is used to protect the core from internet attacks coming in from enterprise domain connections. These are standard security solutions in 4G LTE which continue through to 5G, to ensure only authorized end point devices can communicate and voice, text and signalling are reliable and secure. Together with device level plausibility validation, this provides a robust and necessary baseline of communications security.
2.3 Assurance
Governments have from an early stage needed to address security concerns with their use of technology. There has been an evolution of information security standards with the original UK Department of Industry code of practice PD0003 becoming recognized as the British Standard BS7799, and then being adopted by the International Standards Organisation into what is now known as ISO27000: Code of Practice for Information Security Management System. In the US, NIST published a security controls standard for Government agencies called Special Publication (SP) 800-53: Security and Privacy Controls for Federal Systems and Organisations.
At the same time as auditors were developing assessment standards for information security, a number of governments were developing a more robust approach to technology trust. In the 1960s, the US Department of Defense introduced a set of trusted systems criteria in what was known as the Orange Book. Systems could be evaluated against the criteria to achieve trusted system levels from the entry-level C2 trust through to a rigorous A1 standard. The UK Government introduced an alternative scheme called the IT Security Evaluation Criteria which decoupled security functionality from its level of assurance. Eventually, in the late 1990s, the Orange Book and ITSec approaches merged into a single set of criteria recognised by the US, UK, Canada, Australia and New Zealand. This scheme, known as the Common Criteria, is now recognized by 28 countries as the means of approving equipment for use by governments in their national infrastructure. Figure 5 shows the development paths of the security standards and evaluation criteria.
Figure 5: Cybersecurity Standards and Evaluation Criteria
Concerns relating to emerging technology are not new. In the late 1990s, many countries agreed to limit the spread of one key technology – cryptography. Encryption was included as a category of strategic arms, with export controls being applied to the more powerful cryptographic products. These controls proved to be counter-productive, encouraging many countries to develop their own products in competition with products from, and outside the control of, the US. Moreover, with the posting and exchange of high grade cryptographic techniques over the internet, these controls were never particularly effective. Encryption is now a standard part of every IT system and mobile phone.
Government controls on outsourcing and cloud computing have been more effective at limiting the use of cloud technology. The original models of a pure global cloud with data stored anywhere and moving as necessary have given way under government pressure to more sophisticated models in which users can determine the location of their data. Some governments have promoted the use of government-approved clouds, which may not scale to the extent of global cloud services but are more predictable in their cybersecurity. Evaluation and accreditation which started with products has now extended to touch cloud services.
2.4 NIST Cybersecurity Framework
As connectivity has become ubiquitous, the risk of cyber attack has grown substantially and information security controls have failed to adequately protect governments and businesses. Consequently, the US National Institute for Standards and Technology (NIST) has developed and published the Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework). This Framework has been widely adopted. Other schemes such as the UK Cyber Essentials have been proposed, but have not achieved global recognition.
The NIST Cybersecurity Framework takes an attack-centric view of security, providing a control framework to all stages of a cyber attack. It is a control framework which addresses cybersecurity in the five categories of identity and access management, preventative controls, detective controls, incident response, and recovery. It does not define a new set of controls, but shows how existing controls from ISO 27000, SP800-53, and other sources can be applied to mitigate cybersecurity risks.
2.5 Cybersecurity and Networks
As the national infrastructure has become dependent upon internet connectivity and advanced network technologies, distrust of technology has become a significant issue. A number of government-directed strategies have emerged, in particular in modern cellular networks. Some countries have limited the deployment of certain foreign technologies in current 3G and 4G networks to the access layer. This enables governments to isolate what they rate as higher-risk technology to the access domain, to contain any malicious activity to non-critical items. This does, however, introduce an increased risk of network failure due to limiting the choice of core technologies. At the time of writing, after many years of operation, there has been no documented evidence of any malicious LTE technology.
In the national security realm, a nation will assume that any technology it deploys that has the potential to be hostile will be used by an adversary in a hostile manner. This is a threat that needs to be included in the national risk assessment, but it is just one threat. Similar threats are emerging every day – for example, the use of agile technologies brings in a much greater risk of internet based library contamination introducing backdoors at the application level than exists in technology supply. Cloud technology has been a concern with its original concept of global data storage. In fact, since government stopped using government developed (GOTS) technology and started using commercial off-the-shelf (COTS) technology there has been a significant risk of externally introduced vulnerabilities. These all need to be addressed and mitigated, and any single-minded focus to the exclusion of other threats is likely to be a failing strategy.
Concerns about technology sourcing need to be generalized, not focused on any single adversary. Many nation states have not only demonstrated the ability to mount cyber attacks but have established government programmes of cyber espionage which are not only directed at adversaries: such attacks have spilled over into nation state attacks on allies for direct or indirect sources of intelligence, as evidenced in the UK attack on Belgacom [2]. Any foreign technology poses a risk. Further, the current lack of cybersecurity that prevails across industry means there is very little need to resort to subversion of vendor technology to achieve access into an adversary. There are daily reports of cyber attacks that come from software bugs or bad security management.
[2] Gallagher R [2014], Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco, https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/
From a carrier perspective, and from a bigger picture critical infrastructure perspective, focusing on delivering a network which meets the level of security defined in the NIST Cybersecurity Framework is a much more effective approach than focusing on one rare form of threat.
2.6 Advanced Assurance
Internal vendor testing and independent Common Criteria testing together provide what was supposed to be the complete approach to delivering assurance, at a significant cost to industry. Despite significant investment by vendors, the Common Criteria scheme is now considered inadequate by the countries that originally set it up.
The US and Australia are promoting new standards known as Protection Profiles which move evaluations from vendor-specified security functionality to state-specified security functionality, but this scheme has yet to be adopted to any great extent, and in fact the vast majority of technology used in government has not been independently tested.
In the UK and Canada, Huawei has helped the government to introduce a more advanced approach to assurance testing and is currently working with the New Zealand Government to do the same. The approach involves establishing a security assurance laboratory in which Huawei product testing is carried out by security cleared testers, and in which both the tests and test results can be managed by the government at a classified level with no Huawei involvement. This testing is supported by access to full hardware schematics and source code. Having such a test facility enables testing to extend beyond the standard claims testing of Common Criteria into more focused vulnerability-based testing, in which a constantly growing knowledge base of vulnerabilities drives advanced test cases. This has proved to be effective in the UK using a model where testers are employed by the facility, and in Canada where third party testers are employed. The use of a classified test facility provides the very highest level of assurance possible that equipment as designed does not contain vulnerabilities which can be exploited and does not contain backdoors to enable unauthorized access.
Having assured trustworthy design through deep testing, continuous monitoring will provide through life operational assurance. By monitoring the flows inside the network, government and/or carriers can watch for any abnormalities which would indicate any unauthorised access or an attack of some form. By incorporating secure monitoring probes into the 5G RAN and having the results fed into a correlation and anomaly detection system, the carrier, and so government, can verify operational assurance of the RAN segment. Further, just having operational monitoring in the 5G RAN is a significant deterrent to attack. The stages of increasing assurance are shown in Figure 6.
Figure 6: Assurance Stages
Any product that passes through the three stages of design testing and the final stage of continuous monitoring is much more secure than the vast majority of technology running today.
2.7 Supply Chain and the 100 Requirements
The assurance of any single product in the 5G RAN segment will be of little benefit if the rest of the network is compromised by external attack or through other components in the supply chain. Applying the Cybersecurity Framework to the network as a whole will address the former issue, and applying Huawei’s White Paper 100 Requirements when considering end-to-end cybersecurity will go some way to addressing the latter.
The legal and industry requirements relating to cybersecurity are becoming key obligations for carriers and enterprise in many countries, and it is not uncommon to see governments and regulators passing accountability onto national critical infrastructure providers. A key part of that accountability is the control carriers have over their supply chain of products and services.
Huawei’s 100 requirements start with seeking from the vendor their formal strategy and approach to risk management, information security and cyber security. If there is no strategy then it’s unlikely that investment or resources will be allocated to mitigate the risks. With a strategy, the governance structure and the approach to managing security are important factors which ensure that the security posture is visible and that risk management is effective. It is important to know whether the vendor has suffered a cyber attack, and if so whether the learnings have been fed back into their cybersecurity programme.
The adoption of practices and standards is an important element at the process and technical level, ensuring that recognized security measures are adopted and that standards based testing is used.
The vendor should provide evidence that the laws and regulations for a specific country are proactively reviewed and understood, and taken into account in the business life cycle to ensure that its products and services are fit for purpose. Another requirement is that all components used in a product or service have been appropriately licensed.
One of the main vectors for attack is the insider, and vendors should demonstrate that they have an appropriately robust HR security programme in place to ensure they do not employ untrustworthy employees. It is also important that their culture is sufficiently positive that they do not have disgruntled employees.
Adopting a vendor in a network strategy is likely to be a long term commitment, and it’s important for the purchaser to know that the vendor has a strong R&D programme which will ensure consistently high quality delivery of safe products and services which keep up to date with evolving technologies.
Of particular importance to the effectiveness of supply chain cybersecurity is how well it has been integrated into the whole end-to-end lifecycle from R&D to product manufacturing, as well as through to delivery and installation on the customer premises. This is a complex area involving vendor control over their suppliers and open source components they use, and the vendor’s ability to manage product configuration in order to avoid tampering. The tools used by vendors in their development processes also need to be managed to avoid problems being introduced through their toolsets.
Verification plays a big part in gaining confidence in the development processes. A policy of assume nothing, believe no-one, and check everything will be an effective way of doing verification. This can be achieved using an independent test capability within the company, and the vendor should be able to provide not only test reports but evidence that R&D has taken the test reports into account, corrected issues, and used the test to drive continuous improvement. This should also extend to full independent testing through schemes such as Common Criteria and through to classified government testing facilities.
Just as the carrier should seek to satisfy themselves on the 100 requirements for considering end-to-end cybersecurity, so should their suppliers and partners. The carrier should establish requirements to gain confidence in their vendor’s supply chain management, including sighting ISO28000 certification.
There should be requirements on vendors to demonstrate that their manufacturing processes can avoid components becoming tainted or corrupted either before the part reaches the vendor’s manufacturing facility or after a product has been built and dispatched. This requires evidence of controls to verify the integrity of manufacturing input, secure the manufacturing process, and secure the warehousing where components are stored and products built but not shipped are held. Other issues such as protection of products returned for repair, and of sanitization of any data on those components, should be included in vendor requirements.
Ensuring good security in the deployment and servicing of products is just as important as including it in the manufacturing process. This is another area in which there are many opportunities for weak controls to allow products to be tainted or corrupted, and for an attack on the vendor to jump into the carrier network. A strong cybersecurity regime on service delivery is
Finally, it goes without saying that nothing is ever 100% secure and the vendor’s ability to respond effectively to any problems that might be identified is yet another important requirement.
3. Clarifying the 5G RAN Risks
3.1 X.805
The X.805 network security architecture defines five threats to networks: destruction of information and/or other resources; corruption or modification of information; theft, removal or loss of information and/or other resources; disclosure of information; interruption of services. The 5G RAN segment sits in the infrastructure layer in the X.805 model. It uses the data, control, and management planes. The interpretation of security for the 5G RAN in the infrastructure layer is shown in Table 1.
Table 1: X.805 Security Requirements for 5G RAN
Security Dimension | Description
Access Control | Ensure that only authorized personnel or devices are allowed to perform administrative or management activities. This applies to both direct management of the network element via the console, remote management of the element via the element management system (EMS), and administration of the EMS.
Authentication | Verify the identity of the person or device performing the administrative or management activity on the network element or EMS.
Non-Repudiation | Securely record the identity of the individual or device that performed each administrative or management activity and the action that was performed.
Data Confidentiality | Protect the network element or EMS from unauthorized access or viewing. This applies to configuration information resident in the network device or information being transmitted. Protect the access credentials from unauthorized access or viewing.
Communications Security | When remotely managing the network element, ensure that management information only flows between the EMS and the element and is not diverted or intercepted as it flows between these endpoints.
Data Integrity | Protect the configuration information including access credentials against unauthorized modification, deletion, creation, and replication.
Availability | Ensure that management access to the network element or EMS is not denied.
Privacy | Ensure that information that can be used to identify the network element or EMS is not available to unauthorized personnel or devices.
3.2 SP800-187
For an LTE based network, NIST has issued Special Publication 800-187: Guide to LTE Security which provides additional technology specific guidance. The specific areas raised in respect of the LTE RAN are: denial of service attacks on the base station infrastructure from end user devices; unauthorised access to the EMS; rogue base stations; air interface eavesdropping; radio jamming; and physical attacks. The key countermeasures identified include network element and EMS hardening, using encryption for data in transit both in the network and at the application level (i.e. over the top of the RAN) and physical protection. Note that one of the key threats to LTE is exposure of the secret value used to generate keys, K. This value is visible only in the SIM and in the core HSS, and so is not a threat that is relevant to the 5G RAN.
3.3 Byzantine Attacks
A more advanced form of attack is known by the term Byzantine, and is one where an element of the network which has been operating according to specification suddenly goes rogue and becomes the source of an attack. This type of attack has been used by national security advisors as the reason for blocking certain foreign technologies. Their argument is that a government may induce a manufacturer at some stage in the future to insert malicious code into a device, and then remotely trigger that code to turn the device into a Byzantine attacker. As evidenced by the Belgacom case, this issue could result from technology sourced from an ally or an adversary.
Further consideration of this issue shows that a Byzantine attack is no different to that which occurs when an external hacker gains access to the network and establishes a beachhead on a network element, other than happening through the supply chain. In both cases the next stage of the attack is mounted from an otherwise trusted node inside the network, a common hacker technique and one of the forms of attack for which the NIST Cybersecurity Framework has been designed.
3.4 5G RAN Threat Inventory
From the above threats, an initial threat inventory can be developed to cover the known risks for the 5G RAN.
Table 2: 5G RAN Threat Inventory
# | Threat | Description | Threat Actor | Control
T.01 | Physical Attack | An intruder into a site gains physical access to the network element to cause damage | Public, Activist | Fence, CCTV, Locks
T.02 | | An intruder into a site attempts to gain electronic access to the network element and hence into the network | Activist | Fence, CCTV, Locks, Access Control, Authentication, Hardening
T.03 | | An intruder into the exchange attempts to gain electronic access to the EMS | Activist |
T.04 | Interception | An attacker intercepts the airlink | Public, Media | Encryption
T.05 | | An attacker intercepts the fronthaul | Public | Encryption, Ducting
T.06 | | An attacker intercepts the backhaul | Public |
T.07 | Denial of Service | An attacker jams the airlink signal | Public, Activist | Out of scope
T.08 | Rogue Base Station | An attacker stands up a rogue base station | Public, Activist | Out of scope
T.09 | Electronic Attack | An attacker penetrates the 5G RAN through an end-user device | Public, Activist | Techniques not currently known
T.10 | | An attacker penetrates the supply chain | Nation State | Supply Chain Security
T.11 | | An attacker penetrates the EMS from the core | Nation State, Criminal, Public | Hardening, Evaluation, Intrusion Monitoring, Anomaly Monitoring
T.12 | | An attacker penetrates network element from the core | |
T.13 | | The EMS initiates Byzantine behaviour | Nation State | Supply Chain Security, Hardening, Evaluation, Intrusion Monitoring, Anomaly Monitoring
T.14 | | A network element initiates Byzantine behaviour | |
4. Aligning 5G RAN with the Cybersecurity Framework
4.1 Introduction
The threat inventory shown at Table 2 provides an insight into the way in which the 5G RAN needs to be protected. However, applying the NIST Cybersecurity Framework to protecting the complete carrier operations provides a more holistic solution. It is therefore useful to show alignment of 5G RAN security with the Cybersecurity Framework so that it can be part of this holistic solution.
4.2 Threat Alignment
Appendix I shows in detail how the Cybersecurity Framework can be applied to the 5G RAN, as well as indicating those Cybersecurity Framework controls which are not specifically related to any segment of the network. The alignment of Cybersecurity Framework controls to the identified threats to 5G RAN is shown below in Table 3.
Table 3: 5G RAN Threat Alignment with Cybersecurity Framework
Threat | Description | Controls
T.01 | An intruder into a site gains physical access to the network element to cause damage | PR-AC-2, DE-CM-2
T.02 | An intruder into a site attempts to gain electronic access to the network element and hence into the network | PR-AC-1, PR-AC-2, PR-AC-3, PR-AC-4, PR-AC-6, DE-CM-2
T.03 | An intruder into the exchange attempts to gain electronic access to the EMS | PR-AC-1, PR-AC-3, PR-AC-4, PR-AC-6
T.04 | An attacker intercepts the airlink | PR-DS-2
T.05 | An attacker intercepts the fronthaul | PR-DS-2
T.06 | An attacker intercepts the backhaul | PR-DS-2
T.07 | An attacker jams the airlink signal | Out of scope, threat to the user not the network
T.08 | An attacker stands up a rogue base station | Out of scope, threat to the user not the network
T.09 | An attacker penetrates the 5G RAN through an end-user device | PR-AC-1, PR-AC-3, PR-AC-4, PR-AC-6
T.10 | An attacker penetrates the supply chain | ID-SC
T.11 | An attacker penetrates the EMS from the core | DE-CM-1
T.12 | An attacker penetrates network element from the core | DE-CM-1
T.13 | The EMS initiates Byzantine behaviour | ID-SC-1, ID-SC-2, ID-SC-3, DE-CM-1
T.14 | A network element initiates Byzantine behaviour | ID-SC-1, ID-SC-2, ID-SC-3, DE-CM-1
Many of the remaining Cybersecurity Framework controls work in conjunction with the direct threat controls in the above table.
The use of product evaluation techniques is not covered specifically in the Cybersecurity Framework, nor is the evaluation of the integrity and quality of testing within the vendor organisation. These can, however, be considered in the ID-SC-4 control by applying the Huawei approach of 100 requirements for end-to-end cybersecurity.
4.3 Summary Alignment
There are many controls in the Cybersecurity Framework and all should be considered at the network and application level; however, there are some which deserve specific mention.
Detect - Anomalies and Events (DE-AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. This is a key control to apply to the IP backhaul service, looking for anomalies both inbound and outbound that might relate to hacking or malware that has penetrated the solution. Having an independent and trusted anomaly detection service, possibly connected using a one way data diode, is required to ensure the monitoring cannot be subverted. There are now some very sophisticated anomaly detection systems which integrate network learning. Such systems are well positioned to detect a Byzantine attack – or a hacker’s beachhead.
Detect - Continuous Monitoring (DE-CM): The 5G RAN assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. This is an important control to ensure that the cyber defences are effective and have not suffered degradation through system changes, or a partial penetration.
Detect - Processes (DE-DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. The effectiveness of the protection should be tested at regular intervals.
Protect - Protective Technology (PR-PT): Technical security solutions are managed to ensure the security and resilience of systems. In particular, the PR.PT-5 control provides for systems to operate in pre-defined functional states to achieve availability, and this is the basis of a survivable system. The overall system should have an ability when under attack to continue to operate in a way which ensures safety and to dynamically remove unnecessary services to reduce the attack surface. Designing networks to be survivable under cyber attack has yet to become a mainstream carrier approach.
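The DE-AE monitoring of the IP backhaul described above, as an added Python example that is not from the paper: it flags inbound and outbound flows whose peer lies outside the endpoints expected for each X.805 plane, and per-element volume spikes against a running baseline. The addressing plan, the per-plane allow-list, the flow-record layout and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed addressing plan (hypothetical, for illustration only).
RAN_NET = ip_network("10.20.0.0/24")            # BBUs and site routers
ALLOWED_PEERS = {                               # expected far end per X.805 plane
    "management": {ip_address("10.10.0.10")},   # EMS
    "control": {ip_address("10.30.0.1")},       # security gateway to the core
    "data": {ip_address("10.30.0.1")},
}

# Constructed flow records from a backhaul tap: (minute, src, dst, plane, bytes)
FLOWS = [
    (0, "10.20.0.5", "10.30.0.1", "data", 1000),
    (1, "10.20.0.5", "10.30.0.1", "data", 1100),
    (1, "10.10.0.10", "10.20.0.5", "management", 200),
    (2, "10.20.0.5", "10.30.0.1", "data", 950),
    (3, "10.20.0.5", "10.30.0.1", "data", 1050),
    (3, "10.30.0.99", "10.20.0.7", "management", 300),    # not the EMS
    (4, "10.20.0.5", "10.30.0.1", "data", 1000),
    (4, "10.20.0.7", "203.0.113.50", "management", 400),  # element calling out
    (5, "10.20.0.5", "10.30.0.1", "data", 9000),          # sudden volume jump
]


def peer_violations(flows):
    """Flag flows where a RAN element talks to, or is reached from, a peer
    that is not on the allow-list for that plane."""
    findings = []
    for minute, src, dst, plane, _nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        allowed = ALLOWED_PEERS.get(plane, set())
        if s in RAN_NET and d not in allowed:
            findings.append((minute, src, dst, "outbound-unexpected-peer"))
        elif d in RAN_NET and s not in allowed:
            findings.append((minute, src, dst, "inbound-unexpected-peer"))
    return findings


def volume_spikes(flows, threshold=3.0, min_history=4):
    """Flag minutes where an element's per-plane byte count exceeds the mean
    of its earlier minutes by more than `threshold` deviations."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, src, dst, plane, nbytes in flows:
        element = src if ip_address(src) in RAN_NET else dst
        series[(element, plane)][minute] += nbytes

    findings = []
    for (element, plane), per_minute in series.items():
        minutes = sorted(per_minute)
        for i, minute in enumerate(minutes):
            history = [per_minute[m] for m in minutes[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            mu, sigma = mean(history), pstdev(history)
            # Floor the deviation at 10% of the mean so a flat baseline
            # does not turn small jitter into an alert.
            limit = mu + threshold * max(sigma, 0.1 * mu)
            if per_minute[minute] > limit:
                findings.append((minute, element, plane, per_minute[minute]))
    return findings


if __name__ == "__main__":
    for finding in peer_violations(FLOWS) + volume_spikes(FLOWS):
        print(finding)
```

The same two checks apply whether the unexpected traffic comes from a supply-chain implant or from an external intruder's beachhead, which is the equivalence the paper draws in section 3.3.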
5. Conclusion
5.1 5G RAN Security
The 5G RAN is isolated from the core and can be fully protected in accordance with the NIST Cybersecurity Framework. Any concerns regarding source of technology are a supply chain issue, which is managed through ISO28000 supply chain management.
An attack from embedded malware in a product is no different to an internal network beachhead attack from an external hacker, and this is covered in the Cybersecurity Framework through the use of anomaly detection. With the sophistication of contemporary self-learning anomaly detection systems, the risk can be effectively mitigated. There has been no documented case of embedded malicious code in LTE equipment.
The risk from an assured 5G RAN element, no matter its source, is much less than that from most other hardware or software elements in the network.
APPENDIX
NIST Cybersecurity Framework for 5G RAN
Note the relevant NIST Cybersecurity Framework controls are marked in green, and those relevant to the network as a whole or the business overall are marked in amber.
ID-AM-1 | Physical devices and systems within the organisation are inventoried | An electronic inventory (asset register) is typically provided by the EMS, incorporating both manual enrolment and automated discovery. This can be augmented with externally input physical asset details. For the 5G RAN, this will cover the antennae, RRUs, fronthaul routers, BBUs, IP backhaul routers, and element manager.
ID-AM-2 | Software platforms and applications within the organisation are inventoried | The asset register should identify whether the device is passive (hardware only) or active (firmware or software driven) and include the operating system software and version for each active device in the register.
ID-AM-3 | Organisational communication and data flows are mapped | The communications and data flow map for the 5G RAN is the set of ITU X.805 planes: the control plane, the management plane, and the data plane. The planes may run along the path from the RRU through to the IP backhaul. For an NSA mode deployment, the control and management plane will map across to the 4G network while the data plane will map directly to the IP backhaul routing.
ID-AM-4 | External information systems are catalogued | The 5G SA mode RAN does not have any external information systems. The 5G NSA mode RAN will have the 4G RAN as a supporting external system.
ID-AM-5 | Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value | The 5G RAN is typically deployed in a homogeneous manner where each element has the same operational priority. However, for service level management purposes, different availability zones may be set to reflect different service level expectations.
ID-AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | A Responsibility, Accountability, Consultancy, and Inform (RACI) chart can be used to describe roles and responsibilities for 5G RAN O&M. This should cover Level 1 to 4 support tasks.
ID-BE-1 | The organisation’s role in the supply chain is identified and communicated | All parties (owner, operator, supplier, support service provider) should be shown in a supply chain map.
ID-BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | The 5G RAN may be used in a Tier-1 national carrier, a Tier-2+ national or regional carrier, or in an Enterprise. The specific deployment scenario should be identified in the context of national critical infrastructure, and the relevant regulatory instruments for that scenario identified.
ID-BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | As for ID-AM-5, the priority should be defined with public safety first, followed by network resilience and then business value.
ID-BE-4 | Dependencies and critical functions for delivery of critical services are established | In the business context, a SABSA conceptual analysis can be carried out to determine criticality and dependencies of the 5G RAN through a formal and disciplined process. In NSA mode, the 5G RAN will be dependent upon the existing 4G RAN for control and management. The 5G RAN will also be part of a larger RAN+Core network, and will be dependent upon the Core for end-to-end operation and performance.
ID-BE-5 | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | A SABSA conceptual analysis will describe the critical services, and will traceably show how the solution is designed with resilience and redundancy in mind. This will cover the end-to-end solution and will provide the evidence that there are no systemic single points of failure.
ID-GV-1 | Organisational information security policy is established | Reference the corporate Information security policy
ID-GV-2 | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | Roles and responsibilities should be included in the RACI at ID-AM-6, and external partner interfaces should be defined. In particular, the supply chain role in information security should be established and explicitly identified.
ID-GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | Legislative and regulatory requirements should be covered in Information Security policy. The 5G network introduces additional obligations regarding spectrum use, and its use in a national Tier-1 carrier may include critical infrastructure notification or reporting obligations.
ID-GV-4 | Governance and risk management processes address cybersecurity risks | A cybersecurity risk assessment of the 5G RAN deployment should be carried out and maintained, and risks registered and managed through the life of the access network solution. This will take into account the specific physical environmental threats in the deployment, as well as the threats from potential electronic attack.
ID-RA-1 | Asset vulnerabilities are identified and documented | Asset vulnerabilities should be identified and documented during the risk assessment at ID-GV-4.
ID-RA-2 | Cyber threat intelligence and vulnerability information is received from information sharing forums and sources | Threat intelligence should be sourced from public sources, equipment vendors, and/or a commercial threat intelligence service. In particular, vendor intelligence on any attacks being seen in other customers to its 5G RAN is a good early warning.
ID-RA-3 | Threats, both internal and external, are identified and documented | The risk assessment at ID-GV-4 should start with a matrix of threat categories, populated with threat models from X.805, the LTE Security Guidance, ENISA, and STRIDE. In addition, real time operational technical threats may be identified through any monitoring systems.
ID-RA-4 | Potential business impacts and likelihoods are identified | The risk assessment will address business impacts for various threats, and this should be further expanded as a result of the SABSA assessment. Where the network is deployed as part of a national Tier-1 carrier the business impacts should, to the extent required by regulatory or other public-private partnership obligations, include the impact to the nation.
ID-RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | The risk assessment should follow the ISO 31000 model which incorporates all these factors, and these will cover the full access network operation and associated management processes.
ID-RA-6 | Risk responses are identified and prioritized | The risk assessment is reported for mitigation purposes in risk prioritized order.
ID-RM-1 | Risk management processes are established, managed, and agreed to by organisational stakeholders | The risk management processes follow ISO 31000.
ID-RM-2 | Organisational risk tolerance is determined and clearly expressed | The risk assessment should be used to confirm risk tolerance either through accepting or mitigating the identified risks.
ID-RM-3 | The organisation’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | The role of the organization as defined at ID-BE-2 will be used as noted in ID-RA-4 to ensure the correct risk level is captured, and risk tolerance should then be established with input from external stakeholders. Government risk tolerance for national critical infrastructure should be defined in regulatory obligations.
ID-SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organisational stakeholders | The supply chain processes in line with ID-BE-1 should be fully described in a formally approved Supply Chain Security document. Ideally, the operator should seek evidence of ISO28000 certification from its suppliers.
ID-SC-2 | Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process | 3rd Party Security controls should be implemented, including annual self-assessments and 3rd Party audits.
ID-SC-3 | Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan. | Appropriate contractual obligations should be agreed with suppliers. In particular, the requirements outlined in Huawei’s 100 Requirements when Considering End-to-End Cybersecurity should be reflected in contractual obligations.
ID-SC-4 | Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted | This requirement can be met through ISO28000 evidence as well as 3rd Party Security Audits.
ID-SC-5 | Response and recovery planning and testing are conducted with critical suppliers/providers | An incident management process should be defined which includes annual crisis exercises including critical suppliers. The UK Crest Incident Management Framework provides a useful maturity assessment approach for establishing and continuously improving an incident management scheme. Testing of supply chain capability may be useful.
PR-AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes | For the data plane, identities are established by registration with the core using a removable or built-in SIM. The RAN is involved only as a transport mechanism for authentication. For the management plane, identity is typically validated at the EMS and not directly at the RAN elements. However, active RAN elements do have authentication capability to ensure that only authorized access is permitted either from the console or remotely.
PR-AC-2 | Physical access to assets is managed and protected | 5G RAN site equipment will include the RRU and site OSN, and may also include BBU and site router equipment. Physical access controls for buildings and network sites should be in place and managed as for any RAN site. Access to exchanges should be controlled, and site and exchange physical access logs should be reviewed.
PR-AC-3 | Remote access is managed | A remote access management process should be defined for all remote access including 3rd level vendor support. Remote access to the RAN elements should be via the EMS, and remote access to the EMS should be via a controlled jump host environment such as Citrix.
PR-AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | The 5G RAN is a purely transport domain for access to the end-to-end network service, and is not directly accessed by users. Access is required for O&M, and this is managed via the EMS. The operator would typically ensure EMS access is controlled as part of trouble ticket response. There will be a requirement for some direct console access during installation, and this should be controlled to ensure the integrity of full end-to-end supply chain security.
PR-AC-5 | Network integrity is protected, incorporating network segregation where appropriate | The 5G RAN is a separate network domain segregated from the core. It connects to the core through a security gateway under core control. Full inter-domain control should be in place for any northbound (i.e. access to core) transfers such as element manager logs.
PR-AC-6 | Identities are proofed and bound to credentials, and asserted in interactions when appropriate | As a purely transport domain within the end-to-end network service, there is no end-user identity visible to the 5G RAN. Within the management plane, username and password credentials should be requested by elements to enable access.
PR-AT-1 | All users are informed and trained | End-users do not require knowledge or training on the 5G RAN as it acts purely as the transport fabric for the end-to-end service. Operators will require full knowledge of the RAN equipment and be trained in its use to the level required by their support role.
PR-AT-2 | Privileged users understand roles & responsibilities | O&M users should formally acknowledge their responsibilities associated with both operator and privileged access to the element manager and elements.
PR-AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | Supplier obligations should be defined in contracts. Where Partners exist, for example as network service providers, obligations should be defined in MoUs. End-users of the network service are not direct stakeholders of the 5G RAN solution.
PR-AT-4 | Senior executives understand roles & responsibilities | Senior executive responsibilities regarding the 5G RAN are limited to responsible governance of cybersecurity and the business operations. The RACI at ID-AM-6 should include their responsibilities
PR-AT-5 | Physical and information security personnel understand roles & responsibilities | The RACI at ID-AM-5 should include physical security responsibilities regarding access to exchanges, sites, and network elements. It should also cover the responsibilities for managing element security for both the business and the information security team. This should include access management and operational monitoring.
PR-DS-1 | Data-at-rest is protected | The only data relevant to the 5G RAN is configuration data and operational logs. Network elements should have strong physical security and element logs should be collected and protected at rest in the element manager.
PR-DS-2 | Data-in-transit is protected | The 3GPP eLTE specification provides for airlink data protection, and IPSec should be used to provide encryption of data on the front- and back-haul links.
PR-DS-3 | Assets are formally managed throughout removal, transfers, and disposition | Data should be scrubbed from assets prior to disposal and when being returned for support using an erasure mechanism which meets NIST Standard SP800-88.
PR-DS-4 | Adequate capacity to ensure availability is maintained | The 5G RAN operational capacity should be monitored at the element manager as part of overall network capacity management.
PR-DS-5 | Protections against data leaks are implemented | Unless the end user data is end-to-end encrypted, the 5G RAN may see user data as it is transferred from the RRU to the BBU. Security evaluation of the RRU/BBU equipment should be carried out to ensure there are no vectors for data leakage. Network monitoring should be used to detect significant data leakage events
PR-DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | The boot up process in the active components should include checksum verification of the integrity of the operating software and firmware through a secure boot process. Checksums should be able to be manually verified as part of audit. Secure boot should also check the integrity of configuration data.
PR-DS-7 | The development and testing environment(s) are separate from the production environment | Typically, an operator will have a separate model environment for testing and development. The operational network should not be used for anything other than production.
PR-DS-8 | Integrity checking mechanisms are used to verify hardware integrity | Where possible, hardware integrity checks should be configured.
PR-IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality) | The 3GPP security options should be switched on for the 5G RAN airlink, and all network elements should be hardened prior to operational acceptance
PR-IP-2 | A System Development Life Cycle to manage systems is implemented | The operator should manage the overall network using a Systems Development Life Cycle, including cybersecurity at all stages of the life cycle.
PR-IP-3 | Configuration change control processes are in place | Change management should be enforced for the whole network, including the 5G RAN
PR-IP-4 | Backups of information are conducted, maintained, and tested periodically | The only information requiring backup for the 5G RAN is the configuration. Backups should be made prior to any changes. Logs will be collected at the element manager and may be backed up or sent to a centralised logging system for retention and backup.
PR-IP-5 | Policy and regulations regarding the physical operating environment for organisational assets are met | Policy on physical operating environments, particularly the 5G RAN sites, should be defined.
PR-IP-6 | Data is destroyed according to Policy | In this context, there is no data managed by the 5G RAN
PR-IP-7 | Protection processes are continuously improved | Regular security testing should be carried out to identify weaknesses and mitigations applied through the risk register and remediation programme.
PR-IP-8 | Effectiveness of protection technologies is shared with appropriate parties | Security reports may be included in information sharing exchanges.
PR-IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | Incident response process should be defined and plans developed for specific types of incident.
PR-IP-10 | Response and recovery plans are tested | Typically for any RAN, any failure means a truck roll to replace an element, and introducing a network outage to test this is unacceptable. However, response plans should be included in cyber crisis exercises.
PR-IP-11 | Cybersecurity is included in human resources practices (e.g. deprovisioning, personnel screening) | Network operations and support staff should be vetted prior to employment and sign cybersecurity obligation statem
ents
. Any
cre
dent
ials
and
acce
ss to
the
elem
ent m
anag
er sh
ould
be
rem
oved
on
term
inat
ion.
Thi
s req
uire
men
t sho
uld
flow
thro
ugh
to se
rvic
e pr
ovid
er p
roce
sses
.
PR-IP
-12
A vu
lner
abili
ty m
anag
emen
t pla
n is
deve
lope
d an
d im
plem
ente
d A
vuln
erab
ility
scan
ning
and
pat
chin
g m
anag
emen
t pla
n sh
ould
be
defin
ed, n
otin
g th
at ty
pica
lly a
ne
twor
k op
erat
or w
ill n
ot ta
ke d
own
netw
ork
elem
ents
for r
outin
e pa
tchi
ng. T
his n
eeds
to
bala
nce
oper
atio
nal a
vaila
bilit
y ag
ains
t sec
urity
risk
.
PR-M
A-1
Mai
nten
ance
and
repa
ir of
org
anisa
tiona
l ass
ets i
s pe
rfor
med
and
logg
ed in
a ti
mel
y m
anne
r, w
ith a
ppro
ved
and
cont
rolle
d to
ols
Mai
nten
ance
of t
he 5
G RA
N e
quip
men
t sho
uld
be m
anag
ed a
s par
t of o
vera
ll ne
twor
k m
aint
enan
ce, n
otin
g th
e ne
ed to
bal
ance
net
wor
k av
aila
bilit
y ag
ains
t any
sugg
este
d ro
utin
e m
aint
enan
ce ta
sks.
PR-M
A-2
Rem
ote
mai
nten
ance
of o
rgan
isatio
nal a
sset
s is a
ppro
ved,
lo
gged
, and
per
form
ed in
a m
anne
r tha
t pre
vent
s un
auth
orize
d ac
cess
Acce
ss fo
r rem
ote
mai
nten
ance
of a
sset
s sho
uld
be su
bjec
t to
an a
ctiv
e tr
oubl
e tic
ket,
and
all
acce
ss sh
ould
be
via
a ju
mp
host
whi
ch p
rovi
des s
essio
n re
cord
ing.
Out
side
of a
n ac
tive
trou
ble
ticke
t, cr
eden
tials
and
acce
ss g
atew
ays s
houl
d be
disa
bled
.
PR-P
T-1
Audi
t/lo
g re
cord
s are
det
erm
ined
, doc
umen
ted,
im
plem
ente
d, a
nd re
view
ed in
acc
orda
nce
with
pol
icy
A lo
g m
anag
emen
t pol
icy
is de
fined
for t
he c
onte
nt a
nd m
anag
emen
t of a
udit
logs
on
a do
mai
n ba
sis, a
nd th
is sh
ould
be
impl
emen
ted
for t
he 5
G RA
N.
PR-P
T-2
Rem
ovab
le m
edia
is p
rote
cted
and
its u
se re
stric
ted
acco
rdin
g to
pol
icy
Rem
ovab
le m
edia
shou
ld n
ot b
e en
able
d on
any
net
wor
k el
emen
t, no
r on
the
elem
ent m
anag
er.
24
PR-P
T-3
The
prin
cipl
e of
leas
t fun
ctio
nalit
y is
inco
rpor
ated
by
conf
igur
ing
syst
ems t
o pr
ovid
e on
ly e
ssen
tial c
apab
ilitie
s Al
l tec
hnol
ogy s
yste
ms,
inclu
ding
the
EMS a
nd n
etw
ork e
lem
ents
, will
be h
arde
ned
to re
mov
e un
nece
ssar
y fun
ctio
nalit
y.
PR-P
T-4
Com
mun
icat
ions
and
con
trol
net
wor
ks a
re p
rote
cted
Th
e ai
rlink
has
3GP
P LT
E st
anda
rds p
rote
ctio
n an
d IP
Sec i
s use
d to
pro
tect
the
front
- and
bac
khau
l
PR-P
T-5
Syst
ems o
pera
te in
pre
-def
ined
func
tiona
l sta
tes t
o ac
hiev
e av
aila
bilit
y (e
.g. u
nder
dur
ess,
und
er a
ttac
k, d
urin
g re
cove
ry, n
orm
al o
pera
tions
).
The
oper
atin
g st
ates
shou
ld b
e de
fined
and
spec
ific a
ttent
ion
will
be g
iven
to a
ny ch
ange
s req
uire
d fo
r op
erat
ing
unde
r atta
ck.
DE-A
E-1
A ba
selin
e of
net
wor
k op
erat
ions
and
exp
ecte
d da
ta fl
ows
for u
sers
and
sys
tem
s is e
stab
lishe
d an
d m
anag
ed
The
EMS s
houl
d co
llect
RAN
segm
ent l
ogs a
nd h
ave
a ba
selin
e kn
owle
dge
of n
orm
al b
ehav
ior.
DA-A
E-2
Dete
cted
eve
nts a
re a
naly
sed
to u
nder
stan
d at
tack
targ
ets
and
met
hods
Th
e EM
S sho
uld
mon
itor R
AN se
gmen
t per
form
ance
to id
entif
y per
form
ance
ano
mal
ies.
RAN
segm
ent
logs
can
be fo
rwar
ded
from
the
EMS t
o a
cent
raliz
ed lo
g m
anag
emen
t and
mon
itorin
g sy
stem
to
cont
ribut
e to
ove
rall n
etw
ork b
ehav
ior n
orm
s and
ale
rt on
ano
mal
ous a
ctivi
ty.
DA-A
E-3
Even
t dat
a ar
e ag
greg
ated
and
cor
rela
ted
from
mul
tiple
so
urce
s and
sens
ors
By fo
rwar
ding
RAN
segm
ent l
ogs t
o th
e ce
ntra
l cor
e m
onito
ring
syst
em, e
vent
s can
be
corr
elat
ed a
cros
s th
e ne
twor
k.
DE-A
E-4
Impa
ct o
f eve
nts i
s det
erm
ined
Th
e EM
S sho
uld
have
thre
shol
ds a
t whi
ch u
nacc
epta
ble
perfo
rman
ce le
adin
g to
impa
ct ca
n be
ale
rted.
De
term
inin
g th
e ov
eral
l impa
ct o
f eve
nts a
cros
s the
net
wor
k and
the
busin
ess w
ill be
the
resp
onsib
ility o
f th
e ce
ntra
lized
mon
itorin
g sy
stem
, sup
porte
d by
SABS
A bu
sines
s dep
ende
ncy a
nalys
is as
indi
cate
d at
ID-
BE-4
.
DE-A
E-5
Inci
dent
ale
rt th
resh
olds
are
est
ablis
hed
In th
e co
ntex
t of t
he R
AN se
gmen
t, in
ciden
t ale
rt th
resh
olds
rela
te to
RAN
per
form
ance
and
shou
ld b
e ra
ised
by th
e EM
S.
DE-C
M-1
Th
e ne
twor
k is
mon
itore
d to
det
ect p
oten
tial c
yber
secu
rity
even
ts
Mon
itorin
g at
the
IP n
etw
ork l
evel
shou
ld b
e ca
rrie
d ou
t on
the
back
haul
thro
ugh
an in
depe
nden
t sec
ure
dom
ain
mon
itorin
g se
rvice
. Thi
s wou
ld p
ick u
p tra
ces o
f RAM
segm
ent a
ttack
that
are
abl
e to
flow
th
roug
h to
the
back
haul
stag
e. M
onito
ring
at th
e se
cure
gat
eway
shou
ld a
lso b
e in
pla
ce to
det
ect a
ny
even
ts a
ttem
ptin
g to
tran
sit to
the
core
.
DE-C
M-2
Th
e ph
ysic
al e
nviro
nmen
t is m
onito
red
to d
etec
t pot
entia
l cy
bers
ecur
ity e
vent
s In
trude
r ala
rms a
nd C
CTV
shou
ld b
e in
pla
ce a
t all R
AN si
tes t
o de
tect
atte
mpt
s to
use
phys
ical a
cces
s to
gain
acc
ess t
o th
e ne
twor
k, o
r to
caus
e da
mag
e. In
trude
r ala
rms a
nd C
CTV
shou
ld b
e in
pla
ce a
t all R
AN
sites
to d
etec
t atte
mpt
s to
use
phys
ical a
cces
s to
gain
acc
ess t
o th
e ne
twor
k, o
r to
caus
e da
mag
e. S
ite
mon
itorin
g fe
eds s
houl
d be
pas
sed
back
thro
ugh
the
man
agem
ent p
lane
to a
cent
ralis
ed p
hysic
al se
curit
y op
erat
ions
cent
re.
DE-C
M-3
Pe
rson
nel a
ctiv
ity is
mon
itore
d to
det
ect p
oten
tial
cybe
rsec
urity
eve
nts
The
busin
ess H
R pr
oces
ses s
houl
d m
onito
r for
indi
cato
rs th
at p
erso
nnel
may
be
unde
r stre
ss, o
r are
be
havin
g ab
norm
ally.
Thi
s is n
ot sp
ecifi
c to
the
5G R
AN b
ut is
a w
hole
-of-b
usin
ess c
once
rn.
DE-C
M-4
M
alic
ious
cod
e is
dete
cted
An
y cod
e lo
aded
ont
o th
e ne
twor
k ele
men
ts th
roug
h se
rvice
man
agem
ent s
houl
d be
inte
grity
chec
k to
ensu
re it
has
not
bee
n ta
mpe
red
with
. The
pur
pose
of a
ny ch
ange
s sho
uld
be w
ell d
ocum
ente
d, a
nd
whe
re th
e 5G
RAN
is fo
r a T
ier-1
carri
er th
e co
de sh
ould
be
inde
pend
ently
ass
esse
d pr
ior t
o de
ploy
men
t.
25
Mal
iciou
s cod
e ca
nnot
reac
h th
e 5G
RAN
via
the
end-
user
dev
ice, b
ut it
coul
d re
ach
netw
ork e
lem
ents
fro
m th
e co
re n
etw
ork s
houl
d th
e or
gani
satio
n al
low
the
core
net
wor
k to
be co
mpr
omise
d. T
he se
curit
y ga
tew
ay sh
ould
ens
ure
no m
alici
ous c
ode
is ab
le to
vect
or in
to th
e RA
N se
gmen
t.
DE-C
M-5
U
naut
horiz
ed m
obile
cod
e is
dete
cted
M
alici
ous o
r una
utho
rized
mob
ile co
de ca
nnot
acc
ess o
r int
erfe
re w
ith th
e 5G
RAN
segm
ent.
DE-C
M-6
Ex
tern
al se
rvic
e pr
ovid
er a
ctiv
ity is
mon
itore
d to
det
ect
pote
ntia
l cyb
erse
curit
y ev
ents
Al
l ext
erna
l acc
ess t
o th
e sy
stem
(e.g
. rem
ote
mai
nten
ance
) sho
uld
be su
bjec
t to
troub
le ti
cket
aut
horit
y an
d se
ssio
ns sh
ould
be
reco
rded
.
DE-C
M-7
M
onito
ring
for u
naut
horiz
ed p
erso
nnel
, con
nect
ions
, de
vice
s, a
nd so
ftw
are
is pe
rfor
med
Co
nnec
tivity
requ
ires a
n ac
tivat
ed S
IM a
nd e
nrol
men
t at t
he O
SS. A
irlin
k mon
itorin
g fo
r rog
ue st
atio
ns is
ty
pica
lly n
ot d
eplo
yed
othe
r tha
n du
ring
audi
t. Ce
ntra
lised
net
wor
k mon
itorin
g sh
ould
be
conf
igur
ed to
lo
ok fo
r una
utho
rized
dev
ices a
nd a
ctivi
ty, a
nd re
gula
r sys
tem
aud
its sh
ould
be
carr
ied
out.
DE-C
M-8
Vu
lner
abili
ty sc
ans a
re p
erfo
rmed
W
hile
vuln
erab
ility s
cans
can
be ca
rrie
d ou
t on
the
EMS,
it is
not
typi
cally
don
e fo
r act
ive n
etw
ork
elem
ents
due
to th
e hi
gh ri
sk o
f net
wor
k out
age
and
subs
eque
nt u
nacc
epta
ble
busin
ess i
mpa
ct. S
elec
ted
elem
ents
shou
ld fr
om ti
me
to ti
me
be sw
appe
d ou
t of t
he n
etw
ork a
nd fu
lly te
sted
for v
ulne
rabi
litie
s tha
t ar
e pr
eval
ent a
cros
s the
flee
t.
DE-D
P-1
Role
s and
resp
onsib
ilitie
s for
det
ectio
n ar
e w
ell d
efin
ed to
en
sure
acc
ount
abili
ty
This
is no
t a 5
G RA
N sp
ecifi
c req
uire
men
t. Ro
les a
nd re
spon
sibilit
ies a
re in
clude
d at
ID-A
M-6
DE-D
P-2
Dete
ctio
n ac
tiviti
es c
ompl
y w
ith a
ll ap
plic
able
re
quire
men
ts
This
is no
t a 5
G RA
N sp
ecifi
c req
uire
men
t but
is n
etw
ork w
ide.
The
des
ign,
dep
loym
ent,
and
oper
atio
n of
de
tect
ion
syst
ems s
houl
d en
sure
that
mon
itorin
g an
d an
omal
y det
ectio
n do
es n
ot co
mpr
omise
priv
acy,
do
es n
ot b
reak
lega
l req
uire
men
ts re
latin
g to
inte
rcep
tion
activ
ities
, and
mee
ts a
ny sp
ecifi
cally
regu
late
d ob
ligat
ions
.
DE-D
P-3
Dete
ctio
n pr
oces
ses a
re te
sted
Te
stin
g of
the
RAN
segm
ent a
ctive
ele
men
ts is
not
gen
eral
ly do
ne d
ue to
the
pote
ntia
l for
net
wor
k ou
tage
and
una
ccep
tabl
e bu
sines
s im
pact
. Con
sequ
ently
, tes
ting
is co
nduc
ted
in th
e m
odel
en
viron
men
t. W
hole
-of-n
etw
ork c
yber
dril
ls an
d re
d te
am te
stin
g ca
n al
so u
sefu
lly ch
eck o
ut n
ot o
nly t
he
exist
ence
of v
ulne
rabi
litie
s, bu
t also
whe
ther
det
ectio
n sy
stem
s are
effe
ctive
. Pen
etra
tion
test
ing
in th
e m
odel
env
ironm
ent w
ill in
clude
valid
atio
n th
at kn
own
class
es o
f mal
war
e an
d un
auth
orise
d ac
tivity
can
be d
etec
ted
DE-D
P-4
Even
t det
ectio
n in
form
atio
n is
com
mun
icat
ed to
ap
prop
riate
par
ties
Even
t det
ectio
n in
form
atio
n (a
lerts
) fro
m th
e 5G
RAN
segm
ent s
houl
d be
forw
arde
d to
a ce
ntra
l m
onito
ring
serv
ice fo
rm h
andl
ing
and
onw
ards
com
mun
icatio
ns. S
houl
d an
eve
nt e
scal
ate
to b
ecom
e an
in
ciden
t, in
form
atio
n w
ill be
com
mun
icate
d as
det
aile
d in
the
Incid
ent M
anag
emen
t pol
icy.
DE-D
P-5
Dete
ctio
n pr
oces
ses a
re c
ontin
uous
ly im
prov
ed
This
is no
t a 5
G RA
N sp
ecifi
c req
uire
men
t but
is n
etw
ork w
ide.
Det
ectio
n pr
oces
ses a
cros
s the
who
le
netw
ork s
houl
d be
revie
wed
on
a co
ntin
uous
bas
is an
d im
prov
emen
ts a
pplie
d to
ens
ure
dete
ctio
n te
chni
ques
keep
up
with
ext
erna
l thr
eats
.
RS-R
P-1
Resp
onse
pla
n is
exec
uted
dur
ing
or a
fter
an
even
t Th
is is
not a
5G
RAN
spec
ific r
equi
rem
ent b
ut is
net
wor
k wid
e. In
ciden
t res
pons
e pl
ans s
houl
d be
ac
tivat
ed b
y the
cent
raliz
ed m
onito
ring
serv
ice u
pon
dete
ctio
n of
an
even
t whi
ch is
esc
alat
ed to
bec
ome
an in
ciden
t. T
his i
s a ce
ntra
l mon
itorin
g se
rvice
requ
irem
ent.
26
RS-C
O-1
Pe
rson
nel k
now
thei
r rol
es a
nd o
rder
of o
pera
tions
whe
n a
resp
onse
is n
eede
d Th
is is
not a
5G
RAN
spec
ific r
equi
rem
ent b
ut a
pplie
s acr
oss t
he n
etw
ork.
Sta
ff sh
ould
be
train
ed in
re
spon
se p
roce
dure
s for
any
net
wor
k eve
nt a
nd a
n an
nual
incid
ent r
espo
nse
exer
cise
shou
ld b
e co
nduc
ted
RS-C
O-2
Ev
ents
are
repo
rted
con
siste
nt w
ith e
stab
lishe
d cr
iteria
Ev
ents
will
be re
porte
d fro
m th
e 5G
RAN
segm
ent a
s def
ined
in th
e EM
S. O
nwar
ds re
porti
ng o
f eve
nts
will
be a
s def
ined
in th
e ru
les c
onfig
ured
for t
he ce
ntra
lized
mon
itorin
g SI
EM.
RS-C
O-3
In
form
atio
n is
shar
ed c
onsis
tent
with
resp
onse
pla
ns
This
is no
t a 5
G RA
N re
quire
men
t but
is n
etw
ork w
ide.
Info
rmat
ion
shou
ld b
e sh
ared
to e
nsur
e re
spon
se
plan
s can
be
exec
uted
effi
cient
ly an
d ef
fect
ively.
RS-C
O-4
Co
ordi
natio
n w
ith st
akeh
olde
rs o
ccur
s con
siste
nt w
ith
resp
onse
pla
ns
This
is no
t a 5
G RA
N re
quire
men
t but
is n
etw
ork w
ide.
Coo
rdin
atio
n an
d co
mm
unica
tion
with
st
akeh
olde
rs w
ill be
def
ined
in th
e ov
eral
l incid
ent r
espo
nse
polic
y and
in th
e re
spon
se p
lans
. Ann
ual
resp
onse
pla
n ex
ercis
es w
ill en
sure
coor
dina
tion
and
com
mun
icatio
n is
test
ed.
RS-C
O-5
Vo
lunt
ary
info
rmat
ion
shar
ing
occu
rs w
ith e
xter
nal
stak
ehol
ders
to a
chie
ve b
road
er c
yber
secu
rity
situa
tiona
l aw
aren
ess
This
is no
t a 5
G RA
N re
quire
men
t but
is n
etw
ork w
ide.
Cyb
erse
curit
y eve
nt In
form
atio
n m
ay b
e ap
prov
ed
for s
harin
g w
ithin
info
rmat
ion
exch
ange
foru
ms.
RS-A
N-1
N
otifi
catio
ns fr
om d
etec
tion
syst
ems a
re in
vest
igat
ed
This
is no
t a 5
G RA
N re
quire
men
t, bu
t is n
etw
ork w
ide.
Ale
rts fr
om th
e in
trusio
n an
d an
omal
y det
ectio
n sy
stem
s sho
uld
be co
rrel
ated
at t
he SI
EM, t
riage
d, a
nd th
en if
nec
essa
ry th
ey ca
n be
inve
stig
ated
.
RS-A
N-2
Th
e im
pact
of t
he in
cide
nt is
und
erst
ood
This
is no
t a 5
G RA
N re
quire
men
t, bu
t is n
etw
ork w
ide.
Iden
tifyin
g th
e bu
sines
s im
pact
of a
ny in
ciden
t sh
ould
be
part
of th
e SA
BSA
asse
ssm
ent o
f risk
and
this
shou
ld b
e tra
ceab
le fr
om th
e sp
ecifi
c inc
iden
t.
RS-A
N-3
Fo
rens
ics a
re p
erfo
rmed
W
here
app
ropr
iate
, inte
rnal
or e
xter
nal f
oren
sics s
ervic
es m
ay b
e us
ed.
How
ever
, for
the
5G R
AN, t
he
busin
ess i
mpa
ct o
f con
duct
ing
fore
nsics
on
a ru
nnin
g el
emen
t may
be
unac
cept
able
.
RS-A
N-4
In
cide
nts a
re c
ateg
orize
d co
nsist
ent w
ith re
spon
se p
lans
Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s net
wor
k wid
e. In
ciden
t cat
egor
izatio
n m
ay fo
llow
the
agre
ed
corp
orat
e IT
incid
ent m
anag
emen
t cat
egor
y sch
eme
or m
ay b
e sp
ecifi
c to
netw
ork o
pera
tions
. Spe
cific
incid
ent t
ypes
shou
ld b
e al
igne
d w
ith re
spon
se p
lans
whe
re su
ch p
lans
exis
t.
RS-M
I-1
Inci
dent
s are
con
tain
ed
This
is no
t a 5
G RA
N re
quire
men
t, bu
t is n
etw
ork w
ide.
The
incid
ent m
anag
emen
t pro
cess
will
seek
to
cont
ain
incid
ents
as q
uick
ly as
pos
sible
in o
rder
to lim
it th
e da
mag
e an
d m
inim
ize th
e re
cove
ry e
ffort.
RS-M
I-2
Inci
dent
s are
miti
gate
d Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s net
wor
k wid
e. In
ciden
ts re
spon
se w
ill re
quire
reco
very
of a
ny
impa
ired
serv
ices,
root
caus
e an
alys
is, a
nd m
itiga
tion
of th
e ro
ot ca
use.
RS-M
I-3
New
ly id
entif
ied
vuln
erab
ilitie
s are
miti
gate
d or
do
cum
ente
d as
acc
epte
d ris
ks
New
vuln
erab
ilitie
s will
be a
sses
sed
and
adde
d to
the
risk r
egist
er. T
reat
men
t prio
rity w
ill be
ass
esse
d.
Spec
ial c
onsid
erat
ion
need
s to
be g
iven
to m
anag
ing
vuln
erab
ilitie
s tha
t exis
t on
activ
e ne
twor
k ele
men
ts
due
to th
e bu
sines
s im
pact
s of n
etw
ork o
utag
e. T
akin
g an
out
age
to p
atch
whe
n th
ere
is ne
glig
ible
risk
of
the
vuln
erab
ility b
eing
exp
loite
d is
gene
rally
una
ccep
tabl
e.
RS-IM
-1
Resp
onse
pla
ns in
corp
orat
e le
sson
s lea
rned
Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s net
wor
k wid
e. T
he in
ciden
t man
agem
ent p
roce
ss sh
ould
inclu
de
feed
back
on
lear
ning
s
27
RS-IM
-2
Resp
onse
stra
tegi
es a
re u
pdat
ed
This
is no
t a 5
G RA
N re
quire
men
t, bu
t is n
etw
ork w
ide.
Res
pons
e st
rate
gies
shou
ld b
e re
view
ed a
nnua
lly
and
upda
ted
as a
ppro
pria
te. W
here
shor
tcom
ings
are
iden
tifie
d du
ring
an in
ciden
t, pl
ans w
ill be
upd
ated
as
par
t of l
earn
ings
feed
back
.
RC-R
P-1
Reco
very
pla
n is
exec
uted
dur
ing
or a
fter
an
even
t Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s net
wor
k wid
e. T
he re
cove
ry p
lan
will
be in
voke
d as
def
ined
in th
e in
ciden
t man
agem
ent p
roce
ss
RC-IM
-1
Reco
very
pla
ns in
corp
orat
e le
sson
s lea
rned
Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s net
wor
k wid
e. W
here
less
ons l
earn
ed id
entif
y im
prov
emen
ts to
re
cove
ry p
lans
, the
se w
ill be
par
t of i
ncid
ent f
eedb
ack a
nd b
e in
corp
orat
ed in
to th
e pl
ans
RC-IM
-2
Reco
very
stra
tegi
es a
re u
pdat
ed
This
is no
t a 5
G RA
N re
quire
men
t, bu
t is n
etw
ork w
ide.
Rec
over
y stra
tegi
es sh
ould
be
revie
wed
ann
ually
an
d up
date
d as
app
ropr
iate
. Whe
re sh
ortc
omin
gs a
re id
entif
ied
durin
g an
incid
ent,
plan
s will
be u
pdat
ed
as p
art o
f lea
rnin
gs fe
edba
ck
RC-C
O-1
Pu
blic
rela
tions
are
man
aged
Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s bus
ines
s wid
e. C
orpo
rate
PR
will
man
age
repu
tatio
n an
d pu
blic
rela
tions
RC-C
O-2
Re
puta
tion
afte
r an
even
t is r
epai
red
This
is no
t a 5
G RA
N re
quire
men
t, bu
t is b
usin
ess w
ide
and
typi
cally
han
dled
by t
he e
xecu
tive
and
PR
team
s.
RC-C
O-3
Re
cove
ry a
ctiv
ities
are
com
mun
icat
ed to
inte
rnal
st
akeh
olde
rs a
nd e
xecu
tive
and
man
agem
ent t
eam
s Th
is is
not a
5G
RAN
requ
irem
ent,
but i
s bus
ines
s wid
e. Sh
ould
an
incid
ent o
ccur
, the
Incid
ent M
anag
er
will
mai
ntai
n re
gula
r com
mun
icatio
ns w
ith in
tern
al st
akeh
olde
rs a
nd m
anag
emen
t tea
ms.
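
The ticket-gated remote maintenance rule stated at PR-MA-2 and DE-CM-6 can be audited by correlating jump-host session records against trouble-ticket windows. The following is an added example, not part of the original paper; the record layout, field names and sample data are constructed assumptions rather than the output of any particular EMS or jump-host product.

```python
from datetime import datetime

# Constructed sample data (assumed layout): ticket windows and jump-host sessions.
TICKETS = [
    {"id": "TT-1001", "element": "gnb-site-014",
     "opened": "2018-06-04T09:00", "closed": "2018-06-04T13:00"},
    {"id": "TT-1002", "element": "ems-01",
     "opened": "2018-06-05T22:00", "closed": None},  # ticket still open
]
SESSIONS = [
    {"user": "vendor-a", "element": "gnb-site-014",
     "start": "2018-06-04T09:30", "end": "2018-06-04T10:15", "recorded": True},
    {"user": "vendor-a", "element": "gnb-site-014",   # overruns ticket closure
     "start": "2018-06-04T12:50", "end": "2018-06-04T13:40", "recorded": True},
    {"user": "vendor-b", "element": "gnb-site-022",   # no ticket for this element
     "start": "2018-06-05T01:00", "end": "2018-06-05T01:20", "recorded": True},
    {"user": "vendor-c", "element": "ems-01",         # ticket open, no recording
     "start": "2018-06-05T23:10", "end": "2018-06-05T23:45", "recorded": False},
]

def _ts(value):
    """Parse a timestamp, passing None through for still-open tickets."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None

def covering_ticket(session, tickets):
    """Return the id of a ticket on the same element whose window
    covers the whole session, or None if there is no such ticket."""
    start, end = _ts(session["start"]), _ts(session["end"])
    for ticket in tickets:
        if ticket["element"] != session["element"]:
            continue
        opened, closed = _ts(ticket["opened"]), _ts(ticket["closed"])
        if opened <= start and (closed is None or end <= closed):
            return ticket["id"]
    return None

def audit_sessions(sessions, tickets):
    """Flag sessions that break either rule: access outside an active
    trouble ticket, or access without a session recording."""
    findings = []
    for s in sessions:
        reasons = []
        if covering_ticket(s, tickets) is None:
            reasons.append("no active trouble ticket covers the session")
        if not s["recorded"]:
            reasons.append("session recording missing")
        if reasons:
            findings.append((s["user"], s["element"], s["start"], reasons))
    return findings

if __name__ == "__main__":
    for user, element, start, reasons in audit_sessions(SESSIONS, TICKETS):
        print(f"{start} {user} -> {element}: " + "; ".join(reasons))
```

A session that starts inside a ticket window but continues after the ticket is closed is reported, which matches the requirement that access be disabled outside an active ticket.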