5G Non-Public Networks For Industrial Scenarios: White Paper
5G Non-Public Networks
for Industrial Scenarios
July 2019
5G Alliance for Connected Industries and Automation
Contact:
Email: [email protected]
www.5g-acia.org
Published by:
ZVEI – German Electrical and Electronic Manufacturers’ Association
5G Alliance for Connected Industries and Automation (5G-ACIA), a Working Party of ZVEI
Lyoner Strasse 9
60528 Frankfurt am Main, Germany
www.zvei.org
July 2019
Graphics: ZVEI
The work, including all of its parts, is protected by copyright. Any use outside the strict limits of copyright law without the consent of the publisher is prohibited. This applies in particular to reproduction, translation, microfilming and storage and processing in electronic systems.
Despite the utmost care, ZVEI accepts no liability for the content.
Contents
1 Introduction 4
2 3GPP 4
3 5G-ACIA 4
4 Non-public networks 5
7 Conclusions 14
9 References 16
1 Introduction
This paper describes four industrial (IIoT) deployment scenarios for 3GPP-defined 5G non-public networks. The paper also considers key aspects, in particular service attributes that can help to highlight the differences between these scenarios.
The primary target audience is any organisation considering 5G deployment for IIoT. At the very least, these include operational technology (OT) companies – in other words, those user organisations that will need to apply 5G technologies to their own real-world requirements – and ICT companies who are considering IIoT as part of their 5G offering.
Some of the terminology and notation employed by 3GPP has been modified to make it more easily understood.
2 3GPP
The 3rd Generation Partnership Project (3GPP) is a collaborative project that brings together standardisation organisations from around the world to create globally acceptable specifications for mobile networks.
As its name implies, it was first created to establish such specifications for the third generation (3G) of mobile systems. It has continued its work for subsequent generations, including the one considered here, the fifth generation (5G).
This paper refers to technical specifications (TSs) published by 3GPP, i.e. the 5G standards.
3 5G-ACIA
The 5G Alliance for Connected Industries and Automation (5G-ACIA) was established to serve as the central and global forum for addressing, discussing and evaluating relevant technical, regulatory and business aspects of 5G for the industrial domain. It reflects the entire ecosystem and all relevant stakeholder groups, ranging from operational technology (OT) players (industrial automation companies, engineering companies, production system manufacturers, end users, etc.) and the ICT industry (chip manufacturers, network infrastructure vendors, mobile network operators, etc.) to academia and other groups.
The paramount objective of 5G-ACIA is to ensure the best possible applicability of 5G technology and 5G networks for connected industries, particularly the manufacturing and process industries. 5G-ACIA’s mission is to ensure that the interests and needs of the industrial domain are adequately considered in 5G standardisation and regulation. 5G-ACIA will further ensure that ongoing 5G developments are understood by, and effectively transferred to, the industrial domain.
4 Non-public networks
In contrast to a network that offers mobile network services to the general public, a 5G non-public network (NPN, also sometimes called a private network) provides 5G network services to a clearly defined user organisation or group of organisations. The 5G non-public network is deployed on the organisation’s defined premises, such as a campus or a factory.
Two categories of NPN deployment are considered in this paper: a standalone NPN (section 5.2) and an NPN deployed in conjunction with public networks (section 5.3). The first category comprises a single configuration, while the second comprises three, each differing in terms of the degree of interaction and infrastructure sharing with the public network. For all scenarios, it is assumed that all networks provide all services and capabilities required by the NPN at the defined level, and that corresponding service level agreements are in place between the NPN operator and one or more public network operators.
There are many other factors to be considered when deploying NPNs. These include, for instance, what frequencies are to be used, who owns and operates each network, and what level of trust exists between the NPN operator and the public network operator. In addition, consideration needs to be given to the availability of solution components and economic feasibility, e.g. in terms of total cost of ownership. While these factors are very important, and some of them may be implicitly addressed in the scenarios given, they are beyond the scope of this paper. Spectrum aspects are discussed in the 5G-ACIA white paper “5G for Connected Industries and Automation” [1].
5.1 Notation
Table 1 below lists and describes the logical elements used to depict network configurations. These are mapped to the 3GPP-defined architecture in Annex 1.
Table 1 (icons not reproduced): notation used in the network configuration figures
• Firewall
• Solid line: path for payload data traffic, i.e. the user plane. Blue = non-public network, pink = public network
• Dashed line: path for the wireless network control signals, i.e. the control plane. Blue = non-public network, pink = public network
Source: 5G-ACIA
5.2 Standalone non-public network (isolated deployment)
In this scenario, the NPN is deployed as an independent, standalone network. As shown in Figure 1, all network functions are located inside the logical perimeter of the defined premises (e.g. factory) and the NPN is separate from the public network.
The only communication path between the NPN and the public network is via a firewall. The firewall is a clearly defined and identifiable demarcation point. The OT company has sole and exclusive responsibility for operating the NPN and for all service attributes up to this point.
Figure 1 (not reproduced): standalone non-public network (isolated deployment). Elements shown: non-public network services, local path, public network, public network services, and an optional connection between the NPN and the public network. Source: 5G-ACIA
The NPN is based on 3GPP-defined technologies and is entirely independent, with its own dedicated NPN ID. An optional connection to the public network services via the firewall, as shown in Figure 1, can be employed to enable access to public network services, such as voice, while within NPN coverage.
Alternatively, NPN devices can subscribe directly to the public network to access its services (dual subscription). If desired, the optional connection can be leveraged to access NPN services via the public network.
Furthermore, the NPN operator can conclude roaming agreements with one or more public network operators, and the optional connection can also be used for this purpose. Roaming agreements with public networks may entail technical constraints, depending on the specific case.
5.3 Non-public network in conjunction with public networks
These deployments are a combination of public and non-public networks. These scenarios assume that certain use cases on the defined premises can be supported entirely by the public network, whereas others require a dedicated NPN.
There are therefore two network parts, one public and one non-public, with traffic assigned to the appropriate part.
5.3.1 Shared radio access network
For the sake of simplicity, Figure 2 only shows a single shared base station for the RAN on the defined premises. It is possible to configure additional base stations that are only accessible to NPN users.
Figure 2 (not reproduced): non-public network with shared radio access network. Elements shown: shared base station, non-public network services, local path, public network, public network services. Source: 5G-ACIA
The NPN is based on 3GPP-defined technologies and has its own dedicated NPN ID. However, there is a RAN sharing agreement with a public network operator.
As discussed in section 5.2, it is possible to have an optional connection between the NPN and the public network via a firewall (not shown in Figure 2), and the same considerations as described in section 5.2 apply.
5.3.2 Shared radio access network and control plane
In this scenario, the NPN and the public network share the radio access network for the defined premises, and network control tasks are always performed in the public network. Nevertheless, all NPN traffic flows remain within the logical perimeter of the defined premises, while the public network traffic portion is transferred to the public network.
This can be implemented by means of network slicing, i.e. the creation of logically independent networks within a single, shared physical infrastructure. Segregation of the public and the private networks is achieved by employing different network slice identifiers.
This scenario can also be implemented by means of a 3GPP-defined feature called access point name (APN). The APN denotes the final target network (where to route traffic), allowing differentiation between traffic portions.
Figure 3 shows a single shared base station for the factory RAN, but it is also possible to configure additional base stations accessible only to NPN users.
Figure 3 (not reproduced): non-public network with shared radio access network and control plane. Elements shown: shared base station, non-public network services, local path, public network, public network services. Source: 5G-ACIA
In this scenario, the NPN is hosted by the public network, and NPN devices are public network subscribers. This makes the contractual relationship between the NPN and the public network operator more straightforward. It allows NPN devices to connect directly to the public network and its services, including roaming.
There may also be an optional connection from the private network services to public network services, as shown in Figure 1 in section 5.2. It is possible to harness this optional connection to connect NPN devices to private network services via the public network when the device is outside NPN coverage but within public network coverage. If public network services are accessed directly via the public network, the optional connection is not needed for this purpose.
5.3.3 NPN hosted by the public network
This scenario can be implemented by means of network slicing or APN (access point name) functionality.
Figure 4 (not reproduced): non-public network hosted by the public network. Elements shown: non-public network services, public network, public network services. Source: 5G-ACIA
In this scenario, NPN subscribers are, by definition, also public network subscribers. Since all data is routed via the public network, access to public network services and the ability to roam can be implemented easily in accordance with the agreement between the NPN and the public network operator. The optional connection depicted in Figure 1 in section 5.2 is not needed in this scenario.
6 Selected 3GPP-defined service attributes
This paper focuses on selected service attributes of 3GPP-defined 5G non-public networks, i.e. those attributes of greatest significance to industrial (IIoT) use cases. The degree of compliance with these attributes should be considered when evaluating the suitability of an NPN deployment scenario for a planned IIoT use case.
A public network can provide connectivity when a device leaves NPN coverage, i.e. it extends the NPN to other geographical locations. The public network can also be used to access public network services while remaining connected to the NPN.
In many deployment scenarios, the NPN and the public network will use the same infrastructure and resources. Due to this sharing, traffic in one network may impact the traffic in the other network unless proper traffic isolation is provided through isolation of network resources. It is therefore necessary to consider the following two possible forms of isolation to achieve the above-mentioned QoS requirements:
1. Logical network resource isolation means that the NPN and the public network functions, although sharing a common physical network infrastructure, cannot communicate with each other. This can be achieved by means of efficient resource allocation mechanisms (e.g. through network slicing).
2. Physical network resource isolation means that the network resources for the NPN and for the public network are physically segregated from each other.
Since the QoS in both networks is influenced by the degree of traffic isolation as described above, the different deployment scenarios are evaluated from an isolation point of view.
The chosen deployment scenario impacts the following privacy and security aspects:
• Data privacy through isolation: Data in the NPN and the public network need to be segregated (physically or logically) and processed separately, in order to fulfil the security and privacy requirements of both networks. Note that the OT data includes not only the user payload data, but also operational data such as subscriber identities, the number of active devices, device identities etc. Network resource isolation (physical and/or logical), as described in the above sub-section, can be a means to provide the isolation of user payload data but not necessarily of the operational data. Consideration also has to be given to the infrastructure used to transmit and possibly store data in the NPN, and to safeguarding the privacy of the OT company and other users of the public network, especially with regard to possible visibility into the volume of data traffic in the NPN, and when this traffic is taking place.
• Control and management privacy through isolation: This service aspect relates to the degree of segregation/isolation of the control and management plane functions of both networks for privacy and security reasons. This isolation can be provided through network resource isolation (physical and/or logical) as described in the above sub-section and/or through 3rd party APIs.
• Flexibility in choice of security mechanisms: There is a need for flexibility in terms of selecting and administering security mechanisms. The degree of flexibility depends upon the network type, i.e. public or non-public. With NPNs, attention needs to be given to the use of USIM and/or certificates for device authentication and identification, and for access authorisation. Dedicated NPN certificates can be administered locally and may allow greater security customisation, whereas USIM-based authentication allows devices to also access public networks. The same considerations apply to the selection of algorithms for data confidentiality and integrity. Additionally, it may be necessary to enable lawful interception, depending on the deployment scenario and country of operation.
• Global availability of security mechanisms: There may be a need for a globally available single security mechanism to minimize administration and to aid interoperability. The selected deployment scenario affects how universally security mechanisms can be assumed to be available.
7 Conclusions
This paper describes a number of network implementation options for NPNs based on 3GPP specifications. These range from completely self-contained standalone NPNs (section 5.2) that have no connection to the public network, to NPNs that are hosted entirely by public network operators (section 5.3.3). Between these two extremes, there are a number of other options.
It is important to highlight that all 3GPP-specified services are available in all deployment scenarios presented in this paper, but the service attributes are delivered to varying degrees of compliance in each scenario.
Parties (in most instances, OT companies) interested in implementing or using NPNs should, through careful analysis, identify which use cases are business-critical for them, and what service requirements those use cases have. It is also essential to consider what effort and resources they are willing to invest in implementing and operating an NPN, and to identify the degree of security needed for their mission-critical data in the long term.
This list is not exhaustive, but answering these questions may help potential user organisations to draw up a shortlist of viable options, and to evaluate the shortlisted options in collaboration with network service providers.
Annex 2 provides a more thorough analysis of the degree of compliance with each service attribute in the deployment scenarios.
8 Keywords and abbreviations
3GPP: The 3rd Generation Partnership Project (international body responsible for defining 5G specifications/standards)
5G-ACIA: 5G Alliance for Connected Industries and Automation
API: Application programming interface (a defined interface between two software systems; in this context, between networks for information exchange and control purposes)
APN: Access point name (identifier for the data network to which connection through the 5G system is provided)
Control plane: Logically separate area of a 3GPP system where control functions and interfaces operate. These are used for controlling the service provided to devices, such as connectivity.
ICT: Information and communications technology
IoT: Internet of Things
IIoT: Industrial Internet of Things
IT: Information technology
Management plane: A logically separate area of a 3GPP system where O&M functions and interfaces operate
Mobile broadband: Broadband connectivity service provided by a 5G system
Network slicing: A means of providing “a network within a network” for the delivery of specific services, and of achieving varying degrees of segregation between the various service traffic types and the network functions associated with those services.
NPN: Non-public network (a 5G network that is used to provide dedicated services to a defined, closed group of devices)
NPN ID: NPN identity (identifier assigned to the NPN)
O&M: Operation and management (a set of 3GPP system functions and interfaces for configuring, managing and operating the 5G system)
OT: Operational technology
Public network: Network employed to provide services for devices used by the general public
QoS: Quality of service
RAN: Radio access network
SLA: Service level agreement
TS: Technical specification (the normative and binding specifications defined and published by 3GPP)
User plane: A logically separate area of a 3GPP system where functions and interfaces for transferring payload data sent to and from devices operate
USIM: Universal subscriber identity module (an application on a physically secured device that is used to access network services in a secure way)
9 References
[1] 5G for Connected Industries and Automation, White Paper, 5G Alliance for Connected Industries and Automation (5G-ACIA), November 2018.
[2] 3GPP TS 23.251 v15.1.0, Network sharing; Architecture and functional description. Latest version available at: http://www.3gpp.org/ftp/specs/archive/23_series/23.251/
[3] 3GPP TS 22.104 v16.0.0, Service requirements for cyber-physical control applications in vertical domains, Stage 1. Latest version available at: http://www.3gpp.org/ftp/SPecs/archive/22_series/22.104/
[4] 3GPP TS 23.501 v15.4.0, System architecture for the 5G System, Stage 2. Latest version available at: http://www.3gpp.org/ftp/Specs/archive/23_series/23.501/
10 Annex 1 - Mapping of logical network elements to the 3GPP-defined architecture
For the sake of simplicity, the logical network elements shown and described in this paper are an abstraction of the architecture defined in 3GPP TS 23.501 [4]. Figure 5 below shows how these relate to each other. The 3GPP architecture is depicted by black lines. The beige lines surround multiple 3GPP functions and build a visual link to the corresponding single logical element used in this paper. Please refer to section 5.1 for further explanations of the notation used.
Figure 5 (not reproduced): 3GPP TS 23.501 reference architecture with the functions UE, (R)AN, UPF and DN and the reference points N1, N2, N3, N4, N6 and N9. Source: 5G-ACIA
It should be noted that the 3GPP-defined architecture shown here is itself a simplification.
11 Annex 2 - Service attribute degree of compliance in network scenarios
The degree of compliance with the service attributes described in section 6 is given in a table for each scenario. The degree is either “high”, “medium” or “low”. High compliance indicates that the service in question is fully supported with existing standardized network and device functions without further adaptations. Low compliance indicates that the service is either not supported or only supported with significant adaptations. Such adaptations are e.g. deployment and configuration of multiple NPN IDs and credentials on devices and networks, integration of security gateways to interconnect networks, administration and deployment of non-USIM based security mechanisms, or roaming agreements between two or more parties. Medium compliance indicates that a service is supported under certain conditions or with some adaptations. Clarifying comments are given in the evaluation table explaining the conditions and adaptations needed to reach the respective degree of compliance.
Degree of compliance per service attribute for the four deployment scenarios: Isolated deployment, Shared radio access network, Shared radio access network and control plane, and NPN hosted by the public network.
Service attribute: Connectivity
• Isolated deployment: Low when devices can connect to the NPN only, and there is no direct connection to the public network. High when an optional connection to the public network and a public network subscription are in place. This requires additional configuration in NPN devices for automatic network selection.
• Shared radio access network: Low when devices can connect to the NPN only, and there is no direct connection to the public network. High when an optional connection to the public network and a public network subscription are in place. This requires additional configuration in NPN devices for automatic network selection.
• Shared radio access network and control plane: Public network subscription can be used for global connectivity, e.g. via roaming.
• NPN hosted by the public network: Public network subscription can be used for global connectivity, i.e. via roaming.
Service attribute: Latency and availability (QoS)
• Isolated deployment: High. This deployment scenario provides traffic isolation through physical network resource isolation.
• Shared radio access network: High / medium. High if traffic isolation is provided through logical network resource isolation in the shared RAN (via efficient resource allocation mechanisms). Medium if the resource allocation mechanisms in the shared RAN do not fully take into account the QoS requirements of both networks. Note that in this deployment scenario, the network segments other than RAN provide traffic isolation through physical network resource isolation.
• Shared radio access network and control plane: High / medium. High if traffic isolation is provided through logical network resource isolation in the shared RAN (via efficient resource allocation mechanisms and network slicing), or if a dedicated RAN is used to allow physical isolation and traffic isolation for the user plane traffic. Medium if the resource allocation mechanisms in the shared RAN do not fully take into account the QoS requirements of both networks. Note that in this deployment scenario, the network segments other than RAN and control plane provide traffic isolation through physical network resource isolation.
• NPN hosted by the public network: High / medium / low. This deployment scenario provides traffic isolation through logical network resource isolation on all network segments (via end-to-end network slicing). Because NPN data and network functions are external to the defined premises, i.e. the factory, this may result in an inevitable degradation in latency (which – among other factors – depends on the distance between the factory and the public network premises). The degree of compliance for latency depends on the service requirement level. For very stringent latency requirements (e.g. 1 ms) it is low. However, for moderate to modest latency values (e.g. 10-100 ms) it may be considered as medium to high. The degree of compliance for a very stringent availability requirement may be considered to be low if required in combination with a very stringent latency requirement, and medium to high if required in combination with a moderate to modest latency requirement. For a moderate to modest availability requirement, compliance may be medium or high, depending on the latency requirement.
Service attribute: Access to monitoring data and O&M functions (operation and management)
• Isolated deployment: High / medium. High when the NPN operator has full access to its monitoring data and O&M functions/tasks, e.g. in the case of an isolated NPN operated by the OT company. Medium when the NPN operator has only delayed or limited access to required information and functions, e.g. due to a lack of support from the NPN or lack of adequate remote access.
• Shared radio access network: High / medium. High when the NPN operator has full access to its monitoring data and O&M functions/tasks. In a shared infrastructure, this can be achieved through 3rd party APIs deployed in the network. Medium when the NPN operator has delayed access to required information and functions, e.g. due to lack of adequate remote access or due to the conditions of the RAN sharing agreement between the NPN operator and the public network operator.
• Shared radio access network and control plane: High / medium. High when the NPN operator has full access to its monitoring data and O&M functions/tasks. In a shared infrastructure, this can be achieved through 3rd party APIs deployed in the public network. Medium when the NPN operator has delayed access to required information and functions, e.g. due to the conditions of the network sharing agreement between the NPN operator and the public network operator.
• NPN hosted by the public network: High / medium. High when the NPN operator has full access to its monitoring data and O&M functions through 3rd party APIs deployed in the public network. Medium when the NPN operator has delayed access to required information and functions, e.g. due to lack of support because of the way the network has been implemented (lack of 3rd party APIs). Note that with network slicing, the NPN operator may be responsible for some or all network slice management tasks. The choice of network slice management model depends on the bilateral agreement between the operator of the NPN and the operator of the public network.
Service attribute: Data privacy through isolation
• Isolated deployment: Complete physical isolation. The NPN data is physically isolated from the public network data.
• Shared radio access network: High, since logical network resource isolation and hence data isolation can be provided in the shared RAN. Note that the data of both networks share the RAN through a logical isolation but not a physical isolation. Still, it is difficult to get information on production activities based on data at RAN level without subscription and operational data. Note also that in this deployment scenario, the network segments other than RAN provide physical data isolation.
• Shared radio access network and control plane: Medium, because the NPN’s user subscription and operational data (e.g. active assets) are accommodated in the public network core. Note that the data of both networks share the RAN and the control plane through a logical isolation, and that the user plane data of both networks are physically isolated.
• NPN hosted by the public network: Medium, because the subscription data (e.g. profiles of OT active assets) of both networks share the same database accommodated in the public network, although RAN and core network are logically isolated.
11 5G-ACIA members
5G Alliance for Connected Industries and
Automation (5G-ACIA),
a Working Party of ZVEI
Lyoner Strasse 9
60528 Frankfurt am Main, Germany
Phone: +49 69 6302-424
Fax: +49 69 6302-319
Email: [email protected]
www.5g-acia.org