Huawei 5g Security White Paper 2021 en
White Paper
Partnering with the Industry for
5G Security Assurance
Contents
01 Executive Summary P01
References P24
01 Executive Summary
This 5G security white paper focuses on the following:
Why is 5G secure? How do experts from industry and standards organizations ensure that 5G security risks can be
effectively managed in terms of security protocols and standards as well as security assurance mechanisms?
Why are Huawei 5G products secure? What technical and management measures has Huawei adopted to ensure
cyber security of Huawei equipment?
How to ensure 5G cyber security, including Huawei's support for cyber resilience and recommendations on how to
deploy and operate 5G networks in a secure manner.
How to ensure 5G operations comply with national security regulations, including suggestions for regulators in
developing laws and regulations and implementing regulatory policies.
How to continuously improve the 5G security level from the perspectives of different stakeholders in order to address
future challenges. It is recommended that stakeholders work together using their expertise to build a 5G security
system, continuously improve 5G security, and ensure that 5G security risks are controllable.
Unified, authoritative, and continuously evolving standards, such as the Network Equipment Security Assurance
Scheme (NESAS) jointly defined by the GSMA and 3GPP, are required in the assessment of 5G cyber security to
promote continuous improvement of 5G security in the mobile industry.
This document describes 5G security standards, Huawei's 5G security system, and the joint efforts of stakeholders.
As mobile broadband begins to reach every corner of the world, people's desire to unfold the blueprint of
the coming fully connected world is increasing. In the era where all things will be connected over mobile
broadband, 5G networks need to meet the requirements of unprecedented connectivity in three scenarios:
Enhanced Mobile Broadband (eMBB) focuses on services that require ultra-high bandwidth, such as
high-definition video (4K/8K), virtual reality (VR), and augmented reality (AR), meeting user demands for
a digital life.
Figure 1: 5G scenarios (eMBB: Enhanced Mobile Broadband; mMTC: Massive Machine-Type Communications; URLLC: Ultra-Reliable and Low-Latency Communications; example applications shown: industrial automation, voice, mission-critical applications)
Harmonized Communication and Sensing (HCS) extends the capability boundaries of mobile networks
and enables centimeter-level positioning and sensing. It applies to indoor digital management, intelligent
transportation, and low-altitude drone scenarios.
So far in 5G evolution, visions have been proposed, technical directions have been defined, and the pace of
standards formulation has been determined. Currently, the action plan is being implemented. As the
communications industry has high expectations for the future development and evolution of 5G, Huawei will
continue to innovate and work with the industry to create a golden decade for 5G.
2.2 5G New Architectures, Services and Technologies Will Bring Security Challenges
In general, most threats and challenges faced by 5G security are the same as those faced by 4G
security. However, the additional security challenges brought by new architectures, services, and
technologies to 5G networks must be considered[1].
New Services
As for new services, 5G networks empower vertical industries and shall provide better
security capabilities for industry applications to meet these industries' security
requirements.
New Technologies
In terms of new technologies, cloudification and virtualization technologies are widely
used on 5G core networks, which creates security risks in the sharing and virtualization
of infrastructure resources. In the future, the impact of quantum computing on
traditional cryptographic algorithms shall also be considered to ensure network security.
The industry is working together to address new security risks faced by 5G architectures,
technologies, and services, and address potential security challenges through unified 5G security
standards, common 5G security concepts, and an agreed 5G security framework. In 2020, 111
companies (including their subsidiaries) from around the world sent technical experts to six SA3 meetings[2]
to develop the latest 5G security standards. The 3GPP SA3 Working Group has established 42 projects to
analyze security threats and risks in various 5G scenarios. Conclusions are gradually being drawn from these
projects and implemented in security standards. The GSMA and 3GPP jointly define NESAS[3] to assess the
security of mobile network equipment development and verification. The GSMA 5G Cybersecurity Knowledge
Base proposes the security concept of shared responsibility and baseline security controls based on typical
5G network threats and key security solutions[4]. The top-down design principles of the 5G security
architecture ensure a systematic, dynamic, and adaptive security framework. With these measures, we believe
that 5G cyber security is manageable and verifiable.
Currently, 3GPP SA3 has developed 5G R16 security standards and is developing 5G R17 security
standards[5]. To ensure that 5G standards move ahead consistently at all technical levels, the 3GPP is
developing security standards at the same pace as that of architecture and wireless standards. 5G R15
standards have defined security architectures and security standards for eMBB scenarios, covering
Standalone (SA) and Non-Standalone (NSA) architectures. Based on the 5G R15 security architecture,
5G R16 and R17 standards will cover security optimization for mMTC and URLLC scenarios, and provide
further enhancements to the security infrastructure.
The security architecture of mobile networks is hierarchical and classified by domain in design. The 5G
security architecture contains the following security domains: network access security, network domain
security, user domain security, application domain security, SBA security, and visibility and
configurability of security, where SBA security is a new security domain in 5G. SBA security is the set of
security features that enable network functions of the SBA architecture to securely communicate within
the serving network domain and with other network domains. These features include network function
registration, discovery, and authorization security aspects, as well as protection for service-based
interfaces. An SBA forms the basis of the 5G core network. To ensure security between UEs in the SBA,
security mechanisms such as Transport Layer Security (TLS) and Open Authorization (OAuth) are needed.
The 5G network inherits the 4G network security framework, but provides enhanced security features.
The 5G access and core networks have clear boundaries. Even though some 5G core network functions
(such as the User Plane Function [UPF]) are moving closer to applications, they are still part of the 5G
core network and therefore comply with its traffic distribution policy. The access and core networks
interconnect through standard protocols, support inter-vendor interoperability, and have
standards-based security protection mechanisms[6].
The 5G SA network supports more security features to tackle potential security challenges in the future 5G
lifecycle. 5G NSA and 4G networks share the same security mechanisms and evolve consistently in both
standards and practice to keep improving their security levels.
Stronger air interface security: In addition to user data encryption on 2G, 3G, and 4G networks, the 5G
SA architecture provides user data integrity protection to prevent user data from being tampered with.
Better roaming security: Operators usually need to set up connections via third-party operators.
Attackers can forge legitimate core network nodes to initiate Signaling System 7 and other attacks by
manipulating third-party operators' devices. 5G SBA defines Security Edge Protection Proxy (SEPP) to
implement security protection for inter-operator signaling at the transport and application strata. This
prevents third-party operators' devices from tampering with sensitive data (e.g. key, user ID, and SMS)
exchanged between core networks.
Enhanced cryptographic algorithms: 5G R15 standards currently define security mechanisms such as
256-bit key transmission. Future 5G standards will support 256-bit cryptographic algorithms to ensure
that such algorithms used on 5G networks are sufficiently resistant to attacks by quantum computers.
In R16 and R17, the existing security infrastructure was further optimized by enhancing SBA security,
providing user-plane integrity protection for 5G NSA and 4G networks, and other means.
Enhanced SBA security: The new SBA architecture of the 5G core network provides network functions as
services. The relevant standard defines service security mechanisms for the architecture, including
finer-grained authorization between network functions (NFs) and stronger protection for user-plane data
transmission between operators, which ensures the security of data transmission on the signaling and
user planes of the core network[7].
User-plane integrity protection for 5G NSA and 4G networks: The user-plane integrity protection
mechanism of 5G SA networks is introduced to 5G NSA and 4G networks to enhance air interface
security[8].
Figure: 256-bit key protection (L=256) for inter-operator signaling between the visited SEPP (vSEPP) and home SEPP (hSEPP) across the IPX network
Based on R15's basic security architecture, R16 and R17 provided diversified and customized security features
for vertical industries, for example, security of small data transmission on IoT devices, security of redundant
session transmission in URLLC, authentication and authorization for slices, and flexible authentication for
multiple forms of private networks, to meet diversified security requirements of different industries and open
up 3GPP security capabilities to third parties.
Cellular Internet of Things (CIoT) data transmission security: Defined secure transmission and
simplified mobility protection mechanisms for small data transmission to meet requirements for user
data protection on IoT devices in unique small-scale data transmission scenarios[9].
Redundant session transmission security: Defined equivalent user-plane security policies of the
redundant session transmission mechanism to implement the same level of security protection for two
user sessions during redundant transmission in high-reliability and low-latency scenarios[10].
Slice access security: Defined the authentication and authorization process for slice access from UEs to
meet vertical industries' requirements for controllable user access and authorization when using 5G
networks[11].
Private network authentication security: Defined authentication modes in different enterprise private
network forms to flexibly meet different industries' authentication requirements. In the public network
integrated non-public network (PNI-NPN), for example, in scenarios where a slice provided by the
operator is used to access a private network, slice authentication can be used to authenticate and
authorize access from vertical industry users. When the data network provided by the operator is used to
access a private network, enterprises authenticate and authorize vertical industry users. For independent
private networks, initial authentication modes (EAP framework) other than symmetric authentication are
introduced for UEs[12].
Security capability openness: Used the basic key provided on operators' networks to protect the data
transmission of third-party applications, and provided a security capability openness framework for
third-party services to use operators' networks[13].
5G networks provide mobile network services for more and more vertical industries. The security of 5G
networks addresses potential security challenges to services.
Cyber security assessment mechanisms shall follow globally accepted uniform standards to ensure that
their operations are cost-effective and sustainable for the ecosystem. NESAS jointly defined by the GSMA
and 3GPP has been used to assess the security of mobile network equipment. It provides an
industry-wide security assurance framework to improve security across the mobile industry. NESAS
defines the security requirements and assessment framework for security product development and
lifecycle processes, and uses security test cases in the Security Assurance Specifications (SCAS)
defined by 3GPP to assess the security of network equipment. Currently, 3GPP has initiated security
evaluation of multiple 5G network equipment, and major equipment vendors and operators are actively
participating in the NESAS standard formulation.
NESAS promotes security cooperation and mutual trust in the global mobile communications industry,
and enables operators, equipment vendors, and other stakeholders to jointly promote 5G security
construction. It provides customized, authoritative, efficient, unified, open, and constantly evolving cyber
security assessment standards for the communications industry, and is a good reference for
stakeholders such as operators, equipment vendors, and government regulators.
About NESAS[3]
The GSMA released NESAS 1.0 in October 2019, continued to drive the evolution of NESAS based on industry requirements, and
released NESAS 2.0 in February 2021. Currently, the NESAS ecosystem has been established. Mainstream equipment vendors actively
participate in NESAS evaluation, where Huawei's RAN and core network are the first to pass its audit and security function tests. The
world's top audit bodies and well-known testing labs are qualified for evaluation. Multiple tier-1 operators require that NESAS
compliance be included in 5G bidding documents.
Figure: layered 5G security responsibility model. L3: Application security (SP compliance, application security, and service protection), owned by terminal providers, verticals, and application providers; industry standards and methodologies: IEC 62443 IACS, ISO/IEC 27034. L1: Product security (vendor compliance and trustworthiness, security development lifecycle [SDL], and network element protection), owned by the vendor for the AAU, BBU, base station, router, and core; standards: ISO 19600, NIST SSDF, NIST SP 800-160, 3GPP, NESAS.
Application security is for both traditional mobile end users and vertical industries that provide or use a
range of applications. This security layer requires collaboration among operators, device suppliers, and
application providers to ensure the security of 5G networks and the users and services they support.
Application security is not heavily dependent on the security of network pipes. Vertical industries must
take responsibility for the security of their solutions, protect critical assets at the application layer from
network attacks, promptly detect security threats, and quickly restore basic services. The Open Web
Application Security Project (OWASP) provides an excellent set of best practices on the development
assurance for application security, including the application security threat analysis methodology,
Application Security Verification Standard (ASVS), and penetration test guide. In addition, ISO 27034
provides systematic suggestions for ensuring application security from an organizational perspective,
including identifying risks from three dimensions, defining application security levels, and establishing
application security controls (ASCs) and mapping them to the organization normative framework (ONF).
Product security must be provided by equipment vendors. It focuses on the compliance, secure
development process, and security capabilities of products. Security assessment is critical for product
security. It provides a basis for assessing whether network equipment and components are designed and
implemented in compliance with security requirements. NESAS, established by the GSMA and 3GPP
together with global operators, equipment vendors, and third parties, is a widely recognized NE security
assurance standard in the industry.
Huawei R&D provides the Integrated Product Development (IPD) process to guide end-to-end (E2E) product
development. Since 2010, Huawei has built cyber security activities into the IPD process according to industry
security practices and standards such as OWASP's Open Software Assurance Maturity Model (OpenSAMM), Building
Security In Maturity Model (BSIMM), Microsoft Security Development Lifecycle (SDL), and NIST CSF as well as cyber
security requirements of customers and governments. Such activities include security requirement analysis, security
design, security development, security test, secure release, and vulnerability management. Check points are used in the
process to ensure that security activities are effectively implemented in product and solution development. This practice
improves the robustness of products and solutions, enhances privacy protection, and ensures Huawei provides customers
with secure products and solutions.
In the security requirement analysis phase, Huawei collects cyber security and privacy requirements through various
channels such as customer feedback, industry standards, laws and regulations, and certifications. It also gains
insights into the service scenarios of products and solutions; analyzes the network architecture, deployment
environment, O&M management, and service characteristics to identify potential threats; assesses risks in terms of
security, privacy, resilience, availability, reliability, and safety; and determines security requirements based on the
threat assessment results. Huawei will analyze and manage these requirements.
In the development phase, Huawei has developed its own secure coding standards with reference to industry
best-practice secure coding standards from the Computer Emergency Response Team (CERT), Common
Weakness Enumeration (CWE), SysAdmin, Audit, Network, Security (SANS), and OWASP. Huawei implements a series
of security development controls to ensure the quality of completed code, for example, local static code analysis
using tools, the committer review mechanism, and enabling compiler security options.
In the test phase, Huawei has designed test cases based on the threat modeling to verify the effectiveness of the
threat mitigation measures designed. Huawei has adopted a "many eyes and many hands" security verification
mechanism. In addition to security tests of product lines, Huawei established the Independent Cyber Security Lab
(ICSL), which is independent of the R&D system, to be responsible for the final verification of products. Test results
are directly reported to the Global Cyber Security & Privacy Officer (GSPO), who has veto power over product launch.
Third-party testing and verification schemes are supported with the cooperation of customers and industry
regulators.
In the version release phase, Huawei scans software packages for viruses and signs them before version
release. It then verifies the integrity of software packages during software transfer and delivery to ensure that they
are not tampered with.
In the lifecycle management phase, Huawei continuously focuses on security vulnerabilities to ensure customer
service continuity. The vulnerability response process involves vulnerability awareness, vulnerability validation,
remediation solution development, and post-remediation activities. The Product Security Incident Response Team
(PSIRT) detects vulnerabilities through internal and external channels and identifies all products with vulnerabilities
based on dependencies. It classifies, assesses, and grades detected vulnerabilities, and assigns them to relevant teams
for remediation. All patches comply with Huawei's code quality requirements and undergo strict security tests. The
PSIRT tracks vulnerability remediation to ensure the effectiveness of remediation solutions.
Figure: industry references for Huawei's secure development practices. Governance: OpenSAMM; methods and practices: ISO, NIST, Microsoft SDL, SANS, OWASP; tools.
Huawei is committed to not only building confidentiality, integrity, availability, traceability and user privacy
protection in 5G equipment based on the 3GPP security standards, but also collaborating with operators to build
high cyber resilience in networks from the O&M perspective. Looking to the future, as cloud, digitization, and
software-defined everything become more and more prevalent and networks become more and more open,
Huawei R&D will continuously build secure, trustworthy, and high-quality products and solutions.
5G cyber security follows the design principles of defense in depth, Zero-trust@5G, and adaptive security, which
collaboratively provide a systematic, dynamic, and adaptive security framework. Defense in depth provides
multi-layer security measures to protect critical internal assets from external threats. Different security technologies are
used at different layers to prevent the compromise of a single point affecting the entire system. Defense in depth
prevents system breakdown caused by attacks and unauthorized access. In addition, information is encrypted, so even if
it is stolen, no information leakage will occur. Moreover, malicious tampering can be identified so that mitigation
measures can be taken accordingly. Zero trust is becoming a trend in cyber security. It assumes that the network is
always vulnerable to risks and that no access is trusted before authentication. Therefore, access authentication, dynamic
authorization, and continuous assessment are required to implement dynamic access control. Zero trust in the telecom
field, that is, Zero-trust@5G, shall be adapted based on the service characteristics of mobile communications networks to
improve 5G cyber security. Currently, Zero-trust@5G can focus on two important scenarios: O&M management and UE
access. It implements dynamic and precise access control for O&M identity management and 5G UE access, to identify
spoofing and prevent unauthorized access. Through the IPDRR methodology, adaptive security enables dynamic,
continuous, closed-loop optimization of security measures to adapt to ever-changing security threats, supporting rapid
system recovery.
5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.
5G inherits security protection mechanisms in 4G, and adds data integrity protection for the user plane to
prevent data tampering on the user plane. In addition, the confidentiality and integrity protection of
UE capability reporting information is added in R16 to prevent UE privacy breaches or denial of
service (DoS) attacks caused by UE capability eavesdropping or tampering.
In terms of transport security, the N2/N3 interfaces connecting the access and core networks and Xn
interfaces connecting base stations use Internet Protocol Security (IPsec) in 4G for transport security. 5G
additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission
Protocol (SCTP) to secure signaling transmission on the control plane, ensuring transport security
between RANs and core networks. Operators can select a transport security protection scheme based on
security requirements to prevent data breach and tampering on the transport network.
In terms of privacy protection, 5G security standards include encryption schemes for concealing the SUPI
to tackle the risk of user information leakage through messages sent for the initial UE access, thereby
enhancing privacy protection.
On the basis of 5G security standards for network equipment, Huawei further provides the following air
interface and system security hardening measures:
Base stations can identify distributed denial of service (DDoS) attacks launched at them through the air
interface from malicious UEs and mitigate the attacks using specific control mechanisms, ensuring the
availability of base stations.
To prevent rogue base stations from launching spoofing attacks on base stations and UEs over the air
interface, base stations provide the rogue base station detection function based on the 5G NSA/SA
network architecture, helping operators identify and locate rogue base stations.
Hardware ports of base stations are hardened to prevent near-end attacks. Unused ports are disabled by
default, and an alarm is generated upon any change in the port status, reducing the risk of near-end attacks.
OSs are hardened to prevent attacks. By default, unnecessary services are disabled on the OSs of base
stations. Login from an OS user is prohibited, preventing attacks.
To prevent the system from being tampered with during boot and runtime, base stations support secure
boot, detection of code segment tampering during runtime, and alarm reporting, enhancing system
integrity protection.
To prevent sensitive data, such as keys and passwords, from being stolen or tampered with, base stations
store encrypted information in chips, which cannot be obtained externally.
Security Standards
5G core networks enhance the key hierarchy and roaming security mechanisms used in 4G:
In terms of key hierarchy, the UE access authentication and key derivation framework and NAS signaling
encryption and integrity protection for UE access are inherited in 5G. 5G enhances access authentication
by defining a unified authentication framework for both 3GPP and non-3GPP access and supporting EAP
Authentication and Key Agreement (EAP-AKA) and 5G AKA for enhanced security flexibility.
Roaming networks have access to core networks, which introduces risk. To address this risk, the SEPP can be deployed on 5G
networks to provide the following security protection functions for signaling messages at the roaming
boundaries: topology hiding, message filtering, TLS channels, and application-layer security protection for
roaming messages through the Internet Packet Exchange (IPX) networks. This prevents data breach and
unauthorized tampering at the transport and application strata, thereby enhancing transport and data
confidentiality and integrity.
5G also provides security requirements and functions for user access authentication on the home
operator networks to address the threat of home network spoofing by roaming networks.
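The key hierarchy sketched above (unified authentication framework and key derivation for UE access) can be traced with the generic 3GPP key derivation function. The block below is an added example, not code from the white paper or from Huawei; it assumes the function codes and parameter layouts of 3GPP TS 33.501 Annex A and TS 33.220 Annex B, and every key and identifier in it is a constructed test value.

```python
"""Walk the 5G key hierarchy KAUSF -> KSEAF -> KAMF -> {KNASenc, KNASint, KgNB}.

Added example (not Huawei code). Uses the generic 3GPP KDF of TS 33.220
Annex B: HMAC-SHA-256(parent_key, FC || P0 || L0 || P1 || L1 ...), with the
function codes (FC) and parameters of TS 33.501 Annex A.
"""
import hashlib
import hmac
from typing import Dict, List

# Function codes per TS 33.501 Annex A (assumed from the spec, not from the page).
FC_KSEAF = 0x6C     # A.6: KSEAF from KAUSF, P0 = serving network name
FC_KAMF = 0x6D      # A.7: KAMF from KSEAF, P0 = SUPI, P1 = ABBA
FC_ALG_KEY = 0x69   # A.8: NAS/AS algorithm keys, P0 = alg type, P1 = alg id
FC_KGNB = 0x6E      # A.9: KgNB from KAMF, P0 = uplink NAS COUNT, P1 = access type

# Algorithm type distinguishers (TS 33.501 Table A.8-1) and access type.
N_NAS_ENC_ALG = 0x01
N_NAS_INT_ALG = 0x02
ACCESS_TYPE_3GPP = 0x01


def build_s(fc: int, params: List[bytes]) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ...; each Li is a 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: List[bytes]) -> bytes:
    """Generic 3GPP KDF: 256-bit HMAC-SHA-256 of S keyed with the parent key."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


def serving_network_name(mcc: str, mnc: str) -> bytes:
    """5G serving network name '5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org' (MNC padded to 3 digits)."""
    return f"5G:mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org".encode()


def derive_kseaf(kausf: bytes, snn: bytes) -> bytes:
    """KSEAF is bound to the serving network, which blocks reuse of keys across networks."""
    return kdf(kausf, FC_KSEAF, [snn])


def derive_kamf(kseaf: bytes, supi: str, abba: bytes = b"\x00\x00") -> bytes:
    """KAMF binds the SUPI and the ABBA parameter (initial value 0x0000).
    The SUPI string encoding used here is an assumption for the example."""
    return kdf(kseaf, FC_KAMF, [supi.encode(), abba])


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int, bits: int = 128) -> bytes:
    """Algorithm key: the n least significant bits of the 256-bit KDF output (A.8)."""
    out = kdf(parent, FC_ALG_KEY, [bytes([alg_type]), bytes([alg_id])])
    return out[-(bits // 8):]


def derive_kgnb(kamf: bytes, ul_nas_count: int, access_type: int = ACCESS_TYPE_3GPP) -> bytes:
    """KgNB is fresh per uplink NAS COUNT, so AS keys differ on every (re)activation."""
    return kdf(kamf, FC_KGNB, [ul_nas_count.to_bytes(4, "big"), bytes([access_type])])


def derive_hierarchy(kausf: bytes, mcc: str, mnc: str, supi: str,
                     nas_enc_id: int, nas_int_id: int, ul_nas_count: int) -> Dict[str, bytes]:
    """Derive one full set of keys; every key is bound to the serving network and SUPI."""
    kseaf = derive_kseaf(kausf, serving_network_name(mcc, mnc))
    kamf = derive_kamf(kseaf, supi)
    return {
        "KSEAF": kseaf,
        "KAMF": kamf,
        "KNASenc": derive_alg_key(kamf, N_NAS_ENC_ALG, nas_enc_id),
        "KNASint": derive_alg_key(kamf, N_NAS_INT_ALG, nas_int_id),
        "KgNB": derive_kgnb(kamf, ul_nas_count),
    }


if __name__ == "__main__":
    # Constructed 32-byte KAUSF and subscriber identity; demonstration data only.
    kausf = bytes(range(32))
    keys = derive_hierarchy(kausf, "001", "01", "imsi-001010123456789",
                            nas_enc_id=2, nas_int_id=2, ul_nas_count=0)
    for name, k in keys.items():
        print(f"{name:8s} {k.hex()}")
```

Changing the serving network name or the NAS COUNT changes every key below that point in the hierarchy, which is the property that makes a key captured in one network useless in another.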
Cloud Security
Compared with legacy architecture, the cloud architecture introduces universal hardware and runs network
functions in a virtual environment, facilitating low-cost network deployment and quick service provisioning.
Many core networks have adopted cloud-based deployment around the globe. Huawei has deployed
cloud-based core network security solutions for multiple operators.
Huawei complies with security protocols and architectures defined by industry-recognized virtualization
standards. The European Telecommunications Standards Institute (ETSI) is responsible for standards
formulation for network functions virtualization (NFV) technologies used in the cloud architecture. Huawei
adheres to NFV security standards, such as SEC009 (multi-tenant hosting management security) and SEC002
(security feature management of open source software), defined by the ETSI.
Huawei believes that NFV security isolation is an end-to-end solution. From the data center (DC) data
interface to the virtual machine (VM) on the core server, NFV security requires a complete security solution
that covers both the external and internal layers and everything in between. The NFV security isolation
solution includes intra-DC security zone isolation, security isolation of different service domains in a zone,
isolation of different host groups in a zone, isolation of VMs in a host, and a series of security hardening
measures, implementing outside-in NFV security isolation.
Huawei has mature virtualization security applications in 4G. In terms of 5G network equipment security,
Huawei provides the following standards-based security hardening measures:
To improve the availability of DCs on the operator's network, resource pools can be deployed across DCs
for data backup, ensuring service continuity in case of geographical disasters and other scenarios.
In a security zone, domains are used to further classify and isolate services. For example, operator
network services are generally classified into O&M domain, gateway domain, control domain, and data
domain. Different service types are aggregated into different domains. Domains are isolated from each
other by firewalls and only authorized access is allowed.
In a multi-vendor environment, intra-domain host isolation can be performed. In the same host, VM,
virtualization layer, and even CPU, storage, and network security isolation is supported.
MEC Security
In the MEC architecture, the computing capabilities of cloud data centers are moved to the edge of the core
network. Huawei provides cloud and virtualization security technologies and supports third-party application
authentication and authorization management and user data protection to build security for edge networks.
The MEC supports security domain division to isolate resources and networks between these domains. MEC
security domains must be strictly defined between the UPF and Multi-access Edge Platform (MEP) and
between the UPF and applications based on services and deployments. Security isolation for software,
resources, systems, and application programming interfaces (APIs) is also supported for third-party
applications deployed on the MEC.
For the security of MEC interfaces, Huawei provides the built-in IPsec solution for the N4 interface to protect
the confidentiality and integrity of signaling data. The solution provides more comprehensive security
protection than an external IPsec gateway. The management interface provides a TLS channel for secure
transmission, enabling data security on the management plane. Moreover, the security deployment solution
is provided to comprehensively protect MEC interfaces. For example, an IPsec gateway can be deployed
on the N3/N6/N9 interface for encrypted transmission of user data, and a firewall can be deployed on the
MEC to defend against DDoS and other traffic attacks.
Network slicing is introduced in 5G networks so that a network can support multiple types of services. In
addition to 5G security features, Huawei provides more security measures for slice access and management:
Slice access security: On the basis of existing user authentication and authorization mechanisms on the
5G network, network slicing allows slice access authentication and authorization for users by operators
and vertical industries collaborating together. This ensures authorized user access to slices and control
over slice networks and end users by vertical industries.
Slice management security: Slice-level rights- and domain-based management is provided. Tenants can
view only their own slice's KPIs and configurations, preventing unauthorized O&M among multiple slices.
The slice management service uses authentication and authorization mechanisms. Security protocols can
be used for slice management and between slices to ensure communication integrity, confidentiality, and
anti-replay. In the slice lifecycle management, the slice templates and configurations have a check and
5.5 Helping Operators Deploy and Operate Networks with High Resilience
In terms of business operations, it is imperative to follow the security design principles of attack and defense.
Specifically, enhanced cyber resilience based on confidentiality, integrity, and availability is critical in the
design of cyber security. To speed up service recovery if a security incident occurs, the design must realize
continuous monitoring and response to security incidents so that their impact scope and resulting service
loss can be minimized. As an equipment vendor, Huawei implements authoritative industry standards
and best practices, and supports operators in building resilient networks, helping them better meet
the service requirements for cyber resilience of their critical information infrastructure.
The equipment supports secure end-to-end transmission at the network layer to ensure data confidentiality
and integrity, and implements encryption, integrity protection, and anti-replay on interfaces between UEs,
base stations, and core networks.
Slice isolation is supported, which requires collaboration among wireless, transmission, and core networks
for E2E security isolation. Radio bearer (RB) reservation and spectrum isolation are used on the RAN to
prevent air interface resource preemption; FlexE is used on the transport network to isolate slices; NFs, VMs,
and zones are isolated on the core network. Measures are taken to implement precise and flexible slice
isolation, preventing resource preemption between slices.
The management, control, and signaling planes can be isolated to prevent mutual access and horizontal
attacks.
The equipment provides a flow control mechanism with load monitoring to prevent DDoS attacks. In
cloud-based scenarios, elastic scaling and pool-based disaster recovery are also provided to enhance cyber
resilience.
The equipment supports system security monitoring and auditing, as well as system traceability.
The equipment provides security management capabilities. The operations support system (OSS)
implements security management for base stations and core networks based on alarms, logs, and
configurations. In addition, it interconnects with a third-party service operations center (SOC) through a
standard interface to report data, implementing network-wide security management.
Zero-trust@5G is introduced to network management and control units, allowing evolution from "static
authentication and authorization" to "user-identity-based authentication and authorization, continuous
trust assessment, and dynamic access control", thereby building a new security O&M system.
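To make the zero-trust O&M evolution above concrete, here is an added example (hypothetical model, not Huawei's Zero-trust@5G implementation) in which every management command is re-evaluated against the session's current trust rather than being trusted once at login. Command names, signal weights and thresholds are constructed values.

```python
from dataclasses import dataclass

# Constructed sensitivity levels per O&M command and the trust each level requires.
SENSITIVITY = {"show_alarms": 1, "export_logs": 2, "modify_config": 3, "delete_nf": 4}
MIN_TRUST = {1: 20, 2: 40, 3: 60, 4: 80}

@dataclass
class Session:
    user: str
    mfa_verified: bool            # identity strength at login
    device_compliant: bool        # posture attestation of the O&M terminal
    source_in_mgmt_zone: bool     # request arrives from the management-plane network
    last_auth_age_s: int          # seconds since the last interactive authentication
    failed_checks: int = 0        # anomalies observed so far in this session

def trust_score(s: Session) -> int:
    """Continuous trust assessment: recomputed for every command, never cached."""
    score = 40 if s.mfa_verified else 10
    score += 25 if s.device_compliant else 0
    score += 20 if s.source_in_mgmt_zone else 0
    score += 15 if s.last_auth_age_s < 900 else (5 if s.last_auth_age_s < 3600 else 0)
    score -= 20 * s.failed_checks     # each anomaly lowers trust for the rest of the session
    return max(0, min(100, score))

def decide(s: Session, command: str) -> str:
    """Dynamic access control: 'allow', 'step_up' (re-authenticate) or 'deny'."""
    level = SENSITIVITY.get(command)
    if level is None:
        s.failed_checks += 1          # an unknown command is itself an anomaly
        return "deny"
    score, need = trust_score(s), MIN_TRUST[level]
    if score >= need:
        return "allow"
    # Near the threshold and without a fresh strong authentication: ask for one
    # instead of denying outright, so trust can be rebuilt rather than assumed.
    if score >= need - 20 and not (s.mfa_verified and s.last_auth_age_s < 900):
        return "step_up"
    s.failed_checks += 1
    return "deny"
```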
To comply with applicable privacy protection laws, such as the EU General Data Protection Regulation
(GDPR), consider the following privacy protection measures:
3GPP 5G standards stipulate that user IDs are encrypted during transmission over the air interface, and
encryption and integrity protection are performed on the end-to-end transmission channel to prevent
personal data from being stolen or tampered with.
User plane data protection: Both the air interface and transmission channel support encryption and
integrity protection according to 3GPP specifications.
Huawei 5G products protect personal data during the collection and processing of individuals' user
identities for network O&M:
a. System users can collect personal data only with authorization, preventing unauthorized operations.
b. Collected data can be encrypted during storage and processing to prevent data breach. The data can
be automatically deleted upon expiry of the personal data storage period.
c. For boards returned to the manufacturer, a secure deletion mechanism is provided to avoid data breach
during repair.
NEs' personal data descriptions are provided in product documentation to facilitate operators' privacy
compliance.
Operators can build secure and resilient networks by establishing a defense-in-depth system through security
planning, design, deployment, and operations, and by identifying and controlling key risks in live network
services through the IPDRR (Identify, Protect, Detect, Respond, Recover) methodology. They do so with the
support of suppliers' product security capabilities and in accordance with industry standards and best
practices, such as 3GPP specifications, the NIST CSF, and the GSMA 5G Cybersecurity Knowledge Base.
Operators build a comprehensive 5G network protection system through security planning, design, and
deployment.
Operators build the security operations platform and system for efficient and intelligent operations.
Operators build comprehensive security situational awareness for 5G networks; use cloud, big data, artificial
intelligence (AI), and machine learning technologies to improve the automation and intelligence of security
operations; and speed up risk discovery, identification, and closed-loop handling to improve the efficiency of
security operations.
Operators can provide communication channel encryption for users' application-layer data. They should
protect network data and basic user data throughout the lifecycle to prevent data breaches. Application
providers provide end-to-end encryption for application-layer data. When users' application-layer data, such
as online payment/shopping data, is transmitted on operators' networks, network nodes cannot parse the
data, and the data is invisible to operators and equipment vendors.
Operators build a network security capability openness platform to open up security capabilities, such as
authentication, network encryption, and anti-DDoS, to meet vertical industries' security requirements.
Laws and regulations should be formulated through cross-discussion with all public and private partners to
guarantee a consistent security framework. Governments should take a key role here in defining the security
requirements of their respective countries, and their regulators should encourage the development of new
technologies with risk control mechanisms to address both their economic objectives and security needs. This
can be achieved through collaboration with all stakeholders, based on the common goal of defining global
standards. Governments play an important role in encouraging technological innovation (in 5G in the context
of this document), allowing more suppliers that meet security specifications to participate in national 5G
construction and development, and defining security standards, assurance mechanisms, and certification
programs. These measures will improve national 5G network construction and operation efficiency, reduce
costs, and stimulate positive social and economic development.
Governments can implement specific policies to oversee the security level of each network operating in the
country. Specifically, they supervise rogue base stations and radio interference that affect normal 5G
communications and impose the necessary penalties for violations. Operators are responsible for the cyber
security of the network infrastructure and manage risks in accordance with international standards and
national security regulations. Regulatory requirements for operators shall be transparent, fair, and consistent,
and unified cyber security requirements shall be applied to all suppliers, to ensure security throughout the
network.
NESAS jointly defined by GSMA and 3GPP provides authoritative, unified, and open security
assessment standards for the communications industry, helping governments, regulators, and
operators monitor and manage local cyber security risks more efficiently.
More and more governments and regulators are working closely with relevant industries and partners to
develop a unified set of rules for 5G security. Operators can implement 5G security policies and mechanisms
based on these rules. The support from equipment vendors and relevant vertical industries is also important.
Equipment vendors: They integrate security technologies and manufacture secure products in compliance
with standards and industry best practices, participate in the development of industry security standards,
and work with customers and other stakeholders to help operators ensure security operations and cyber
resilience.
Operators: They are responsible for the networks' security operations and cyber resilience. Through
security planning, design, and deployment, they build a comprehensive 5G network protection system
with defense in depth. Operators can prevent external attacks with firewalls and security gateways. For
internal threats, operators can manage, monitor, and audit all vendors and partners to verify security
within and between their NEs.
Industry and government regulators: As an industry, we all need to work together on unified standards.
In terms of technologies, we need to continuously contextualize 5G security risks and enhance
protocol-based security. In terms of security assurance, we need to standardize cyber security
requirements and ensure that these standards are applicable to and verifiable for all vendors and
operators.
Huawei calls on the industry to work together to share responsibilities, unify standards, formulate clear
regulatory measures, and build a secure, reliable, open, and transparent 5G security ecosystem that benefits
everyone and is widely recognized by stakeholders.