Cybersecurity And The EU's Regime For 5G Networks

According to the EU Coordinated Risk Assessment of 5G Networks Security, published this month, the cybersecurity of 5G networks is an essential requirement to protect EU members economies and societies and to enable the full potential of the important opportunities they will bring.  
 
It is also crucial for ensuring the strategic autonomy of the European Union. But what exactly are 5G Networks? The definition is provided in the EU Commission Recommendation Cybersecurity of 5G network:
 
“5G networks mean a set of all relevant network infrastructure elements for mobile and wireless communications technology used for connectivity and value-added services with advanced performance characteristics such as very high data rates and capacity, low latency communications, ultra-high reliability, or supporting a high number of connected devices. These may include legacy networks elements based on previous generations of mobile and wireless communications technology such as 4G or 3G. 5G networks should be understood to include all relevant parts of the network”.
 
With worldwide 5G revenues estimated at €225 billion in 2025, It could include a ‘diverse range of services essential for the functioning of the internal market as well as for the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, and health, as well as industrial control systems. The organisation of democratic processes, such as elections, is also expected to rely more and more on digital infrastructure and 5G networks’.
 
5G networks embody several new technological features, these incldude: 
 
Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies. This will represent a major shift from traditional network architecture as functions will no longer be built on specialised hardware and software. Instead, functionality and differentiation will take place in the software. From a security perspective, this may bring certain benefits by allowing for facilitated updating and patching of vulnerabilities;
 
Network slicing. This will make it possible to support to a high degree the separation of different service layers on the same physical network, thus increasing the possibilities to offer differentiated services over the whole network.
 
● Mobile Edge Computing. Which allows the network to steer traffic to computing resources and third-party services close to the end-user, thus ensuring low response times. Enhanced functionality at the edge of the network and a less centralized architecture than in previous generations of mobile network.
 
According to the section1.16 of the European report, these new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.
 
At the same time, 5G technologies and standards could improve security compared to previous generations of mobile networks, due to several new security functions, such as stricter authentication processes in the radio interface (section 1.18).
 
These new security features will however not all be activated by default in the network equipment and their implementation will greatly depend upon how the operators deploy and manage their networks.
 
The EU report also approaches the deployment of 5G networks is taking place in a complex global cybersecurity threat landscape, notably characterised by an increase in supply-chain attacks. Overall, threats considered most relevant are the principal traditional categories of threats: these concerns are related to the compromise of confidentiality, availability and integrity (section 2.3).
 
More specifically, a number of threat scenarios targeting 5G networks were found to be particularly concerning:
 
● Local or global 5G network disruption (Availability)
 
● Spying of traffic/data in the 5G network infrastructure (Confidentiality)
 
● Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality)
 
● Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).
 
The EU report has a detailed  analysis showing potential vulnerabilities related to hardware, software, processes and policies,  supplier-specific vulnerabilities, risk scenarios related to insufficient security measures and to the 5G supply chain.
 
From the end-user perspective and the companies risk’s concerns, the most important part of the report is related to the existing mitigating measures/security baseline, which means that in EU level we are speaking about EU telecoms legislation and in the NIS Directive.
 
Under the EU telecommunications framework, obligations can be imposed on telecommunication operators by the relevant Member State(s) in which it is providing service. On the other hand, the NIS Directive requires operators of essential services in other fields (energy, finance, healthcare, transport, water, etc.) to take appropriate security measures and to notify serious incidents to the relevant national authority. The NIS Directive also foresees coordination between Member States in case of cross-border risks and incidents. 
 
Other relevant frameworks at EU and national level include data protection and privacy rules (in particular the General Data Protection Regulation and e-Privacy Directive) as well as requirements applicable to critical infrastructures. In addition, various security measures may already be applied by mobile network operators, for instance: technical measures (e.g. encryption, authentication, automation, anomaly detection) or process-related measures (e.g. vulnerability management, incident and response planning, user-privilege management, disaster recovery planning). Finally, from a standardisation perspective, 3GPP SA3 has addressed several 5G security-related concerns, advocating, inter alia, end-to-end encryption. However, the work carried out within these bodies does not deal with security concerns related to the deployment and configuration of the technology.
 
The cybersecurity new era is coming. 5G networks increase the technological quality of the internet and at the same time, open new vulnerabilities. Cybercriminals, hackers and different sorts of attacks will push regulatory and compliance measures for the centre of the EU Member States and companies agenda of priorities. 
 
Joao Paro is a regulatory consultant at Compliance and Risks  
 
You Might Also Read:
 
The EU's New Cybersecurity Certification Framework:
 
A Cyber Compliance Economy:
 
 
« Lost Russian Cyber Spies Return
Just A Normal Day At The Office For Huawei »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Veeam

Veeam

Veeam is the leader in intelligent data management for the Hyper-Available Enterprise.

X-act Forensics

X-act Forensics

X-act forensics are computer forensic experts with experience in cases of computer fraud, intellectual property theft, and social networking cases.

National Cybersecurity and Communications Integration Center (NCCIC)

National Cybersecurity and Communications Integration Center (NCCIC)

NCCIC is a cyber situational awareness, incident response, and management center for the US Government, intelligence community, and law enforcement.

Cybertekpro

Cybertekpro

Cybertekpro is a specialist insurance broker providing Cyber Liability insurance and cyber risk assessment services.

EdgeWave

EdgeWave

EdgeWave provides simple but highly effective data security and advanced threat protection in solutions that are affordable, scalable and easy to use.

H3C Group

H3C Group

H3C provides a full range of Computer, Storage, Networking and Security solutions.

Security BSides

Security BSides

Security BSides is the first grass roots, DIY, open security conference in the world!. BSides is a community-driven framework for building events for and by information security community members.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

DDLS

DDLS

DDLS is Australia's largest provider of corporate IT, process training and cybersecurity training courses and certification programs.

Humming Heads

Humming Heads

Humming Heads offers a complete solution to fight the advanced threats that target a company's endpoints and servers.

Tide Foundation

Tide Foundation

Tide's breakthrough multi-party-cryptography enables TRUE-zero-trust technology that unlocks cyber-herd immunity.

Sevco Security

Sevco Security

Sevco Delivers Real-time Asset Intelligence to Identify and Close Unknown Security Gaps.

CYSIAM

CYSIAM

CYSIAM provides world-leading expertise in offensive security and critical incident response. We train our clients to be able to protect themselves and respond to attacks and breaches when they occur.

Olympix

Olympix

Dev-first Web3 security that starts at the source. Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

Knownsec

Knownsec

Knownsec provides customers with cloud defense, cloud monitoring, and cloud mapping products and services with "AI + security big data" as the underlying capability.

CyberGrape

CyberGrape

CyberGrape is a client centric managed services company, providing enterprise leading security solutions and helping companies through their IT risk and security challenges.