Cybersecurity And The EU's Regime For 5G Networks

According to the EU Coordinated Risk Assessment of 5G Networks Security, published this month, the cybersecurity of 5G networks is an essential requirement to protect EU members economies and societies and to enable the full potential of the important opportunities they will bring.  
 
It is also crucial for ensuring the strategic autonomy of the European Union. But what exactly are 5G Networks? The definition is provided in the EU Commission Recommendation Cybersecurity of 5G network:
 
“5G networks mean a set of all relevant network infrastructure elements for mobile and wireless communications technology used for connectivity and value-added services with advanced performance characteristics such as very high data rates and capacity, low latency communications, ultra-high reliability, or supporting a high number of connected devices. These may include legacy networks elements based on previous generations of mobile and wireless communications technology such as 4G or 3G. 5G networks should be understood to include all relevant parts of the network”.
 
With worldwide 5G revenues estimated at €225 billion in 2025, It could include a ‘diverse range of services essential for the functioning of the internal market as well as for the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, and health, as well as industrial control systems. The organisation of democratic processes, such as elections, is also expected to rely more and more on digital infrastructure and 5G networks’.
 
5G networks embody several new technological features, these incldude: 
 
Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies. This will represent a major shift from traditional network architecture as functions will no longer be built on specialised hardware and software. Instead, functionality and differentiation will take place in the software. From a security perspective, this may bring certain benefits by allowing for facilitated updating and patching of vulnerabilities;
 
Network slicing. This will make it possible to support to a high degree the separation of different service layers on the same physical network, thus increasing the possibilities to offer differentiated services over the whole network.
 
● Mobile Edge Computing. Which allows the network to steer traffic to computing resources and third-party services close to the end-user, thus ensuring low response times. Enhanced functionality at the edge of the network and a less centralized architecture than in previous generations of mobile network.
 
According to the section1.16 of the European report, these new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.
 
At the same time, 5G technologies and standards could improve security compared to previous generations of mobile networks, due to several new security functions, such as stricter authentication processes in the radio interface (section 1.18).
 
These new security features will however not all be activated by default in the network equipment and their implementation will greatly depend upon how the operators deploy and manage their networks.
 
The EU report also approaches the deployment of 5G networks is taking place in a complex global cybersecurity threat landscape, notably characterised by an increase in supply-chain attacks. Overall, threats considered most relevant are the principal traditional categories of threats: these concerns are related to the compromise of confidentiality, availability and integrity (section 2.3).
 
More specifically, a number of threat scenarios targeting 5G networks were found to be particularly concerning:
 
● Local or global 5G network disruption (Availability)
 
● Spying of traffic/data in the 5G network infrastructure (Confidentiality)
 
● Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality)
 
● Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).
 
The EU report has a detailed  analysis showing potential vulnerabilities related to hardware, software, processes and policies,  supplier-specific vulnerabilities, risk scenarios related to insufficient security measures and to the 5G supply chain.
 
From the end-user perspective and the companies risk’s concerns, the most important part of the report is related to the existing mitigating measures/security baseline, which means that in EU level we are speaking about EU telecoms legislation and in the NIS Directive.
 
Under the EU telecommunications framework, obligations can be imposed on telecommunication operators by the relevant Member State(s) in which it is providing service. On the other hand, the NIS Directive requires operators of essential services in other fields (energy, finance, healthcare, transport, water, etc.) to take appropriate security measures and to notify serious incidents to the relevant national authority. The NIS Directive also foresees coordination between Member States in case of cross-border risks and incidents. 
 
Other relevant frameworks at EU and national level include data protection and privacy rules (in particular the General Data Protection Regulation and e-Privacy Directive) as well as requirements applicable to critical infrastructures. In addition, various security measures may already be applied by mobile network operators, for instance: technical measures (e.g. encryption, authentication, automation, anomaly detection) or process-related measures (e.g. vulnerability management, incident and response planning, user-privilege management, disaster recovery planning). Finally, from a standardisation perspective, 3GPP SA3 has addressed several 5G security-related concerns, advocating, inter alia, end-to-end encryption. However, the work carried out within these bodies does not deal with security concerns related to the deployment and configuration of the technology.
 
The cybersecurity new era is coming. 5G networks increase the technological quality of the internet and at the same time, open new vulnerabilities. Cybercriminals, hackers and different sorts of attacks will push regulatory and compliance measures for the centre of the EU Member States and companies agenda of priorities. 
 
Joao Paro is a regulatory consultant at Compliance and Risks  
 
You Might Also Read:
 
The EU's New Cybersecurity Certification Framework:
 
A Cyber Compliance Economy:
 
 
« Lost Russian Cyber Spies Return
Just A Normal Day At The Office For Huawei »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Finjan Holdings

Finjan Holdings

Finjan solutions are aimed at keeping the web, networks, and endpoints safe from malicious code and security threats.

Cryptus Cyber Security

Cryptus Cyber Security

Cryptus Cyber Security is an Information Security Training company providing advanced training and services to IT Professionals.

Assuria

Assuria

Assuria Cyber Security solutions provide protective monitoring of systems and user activity across the whole IT infrastructure.

Adlink Technology

Adlink Technology

ADLINK is a leading provider of embedded computing products and services for applications including IoT and industrial automation.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

CybernetIQ

CybernetIQ

CLAW by CybernetIQ is the industry's most advanced SOAR platform helping unify all cybersecurity tools under one umbrella and providing organizations faster, better and more accurate cybersecurity.

Digital Magics

Digital Magics

Digital Magics is an incubator for innovative startups which offer content and services with high technological value. Areas of focus include IoT, Enterprise Software, AI, Industry 4.0 and Blockchain.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

Barikat Cyber Security

Barikat Cyber Security

Barikat is a provider of information security solution and services including security analysis and compliance, security testing, managed security services, incident response and training.

Infinidat

Infinidat

Infinidat delivers enterprise-proven solutions for data storage, data protection, business continuity, and sovereign cloud storage.

Green Radar

Green Radar

Green Radar is a next generation cybersecurity company which combines technologies and services together to deliver Threat Detection for Emails and Deep Threat Analytics and Response.

IgmGuru

IgmGuru

Igmguru offers certification online training courses for IT professionals and students. Get certified with high-in-demand job-oriented professional courses.

CyberHub

CyberHub

CyberHub is an educational platform that offers professional courses and knowledge sharing through articles and videos to help students discover their potential in cybersecurity.

Myntex

Myntex

Myntex® builds the future of mobile security. We empower our partners to deliver exclusive mobile endpoint security software, fortifying against mobile threats, device exploits and data exfiltration.

Prompt Security

Prompt Security

Prompt Security provides an LLM agnostic approach to ensure security, data privacy and safety across all aspects of Generative AI.

CyberAntix

CyberAntix

CyberAntix offers Premium CyberSecurity for your business using an advanced Security Operations Centre technology and process platform reinforced by a steadfast and expert SOC team.