Inevitably, following 4G, the new 5G generation is here to stay. In an era where the Internet of Things (IoT), Smart Cities, Intelligent Vehicles and machine-to-machine connections are a reality, 5G brings yet another layer of innovation and support for this evolutionary trend, unveiling a plethora of business cases and capabilities.

5G is expected to have a huge impact on our economy and society, making it one of the most important recent innovations in the telecommunications field. Its ability to offer better quality and reliability to an entire population is of the utmost relevance, along with the promise of low latency and high speed combined with reliability, which promises to dramatically change the way society communicates and to provide ubiquitous connectivity, enhancing machine-to-machine connectivity and interaction.

As is often the case, new technologies introduce both a digital and a business revolution along with a plethora of new threat vectors. 5G is no exception: in particular, with the exposure of new connected devices, industries and services, sensitive assets will undoubtedly be affected by new cyber threat agents.

As part of the evolving threat landscape, along with the political, social and economic impact of 5G threats, a detailed assessment of this technology has been made, in which core network, access management and SDN threats (among others) have been identified, culminating in a series of controls specifically designed for their mitigation.

As part of this great effort to standardize an approach to securing 5G networks, the EU defined a toolbox to support 5G security, covering strategic measures, technical measures and supporting actions. The overall goal is to ensure the resilience of 5G networks, given their relevance to modern society and their impact on digital communications and on critical infrastructures such as energy, transport, banking and health.

Where does the EU stand on 5G cybersecurity?

As part of this joint effort and following the Cybersecurity Act, ENISA will be requested to contribute to and support the development of a cybersecurity certification scheme for 5G, in cooperation with all the relevant stakeholders. This way, the European Cybersecurity Certification Group (ECCG), NIS Cooperation Group and the 5G standardization will be direct stakeholders for this activity, where 5G experts from private companies and organizations will work together to achieve a common goal.

A common understanding of the impact of such threats was defined and a risk management approach created; some such measures have been drafted by the NIS Cooperation Group within the Cybersecurity of 5G networks EU Toolbox, supporting the overall objective of standardizing the 5G cybersecurity approach.

As is widely known, one of the core measures is the assessment of suppliers' risk profiles and the application of restrictions to suppliers considered to be high risk, where excluding those vendors is included as a risk mitigation measure for key assets. It should be noted, however, that a definition of what constitutes a high-risk supplier has not yet been created, thus creating, for now, a common baseline for risk assessment for all vendors. Coincidentally, it was noted that there wasn't a common framework in place to assess the risk profile of individual suppliers. This would be a core improvement: designing and implementing a common ground for assessment, transparent and uniform, to be used across the EU.

The reality is that there is now a twofold range of actions covering both 5G technology suppliers (which might or might not be classified as high-risk vendors) and MNOs, which will use these vendors' technology. Not only will mobile operators have to strengthen their security requirements and monitoring, they will also need to assess the risk profile of their suppliers and apply a risk-based approach to maintaining the necessary cyber hygiene on the core, network management and access network functions. From an ecosystem perspective, strategies such as a multi-vendor strategy to avoid or manage supplier dependency will have to be put in place in order to ensure adequate balance at a national level.

Major telecom equipment providers support the EU in raising a unified 5G security evaluation and certification standard, strengthening the role of the EU and national authorities with open and transparent supervision. The right to choose 5G suppliers should belong to the operators, with fewer restrictions from governments, relying on compliance with an open, transparent and standardized framework.

Moreover, the suppliers’ assessment should be based on facts and follow consistent and measurable principles to create a fair and trustworthy environment.

It is only by creating this fairness and transparency within the 5G suppliers' ecosystem that the world will fully benefit from the best technologies, embracing what will be a technology-driven deployment and innovation, rather than a political one.

A standardized approach will create a baseline for assessment based on real threats and measurable mitigation controls, where the major telecom providers should all be able to play by the same rules, demonstrating commitment to cybersecurity standards and best practices, creating a trust ecosystem among nations.