Cybersecurity And The EU's Regime For 5G Networks

According to the EU Coordinated Risk Assessment of 5G Networks Security, published this month, the cybersecurity of 5G networks is an essential requirement to protect the economies and societies of EU members and to enable the full potential of the important opportunities these networks will bring.
 
It is also crucial for ensuring the strategic autonomy of the European Union. But what exactly are 5G Networks? The definition is provided in the EU Commission Recommendation Cybersecurity of 5G network:
 
“5G networks mean a set of all relevant network infrastructure elements for mobile and wireless communications technology used for connectivity and value-added services with advanced performance characteristics such as very high data rates and capacity, low latency communications, ultra-high reliability, or supporting a high number of connected devices. These may include legacy networks elements based on previous generations of mobile and wireless communications technology such as 4G or 3G. 5G networks should be understood to include all relevant parts of the network”.
 
With worldwide 5G revenues estimated at €225 billion in 2025, it could include a ‘diverse range of services essential for the functioning of the internal market as well as for the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, and health, as well as industrial control systems. The organisation of democratic processes, such as elections, is also expected to rely more and more on digital infrastructure and 5G networks’.
 
5G networks embody several new technological features. These include:
 
● Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies. This will represent a major shift from traditional network architecture, as functions will no longer be built on specialised hardware and software. Instead, functionality and differentiation will take place in the software. From a security perspective, this may bring certain benefits by making it easier to update and patch vulnerabilities.

● Network slicing. This will make it possible to support, to a high degree, the separation of different service layers on the same physical network, thus increasing the possibilities to offer differentiated services over the whole network.

● Mobile Edge Computing. This allows the network to steer traffic to computing resources and third-party services close to the end-user, thus ensuring low response times. It brings enhanced functionality at the edge of the network and a less centralised architecture than in previous generations of mobile networks.
 
According to section 1.16 of the European report, these new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.
 
At the same time, 5G technologies and standards could improve security compared to previous generations of mobile networks, due to several new security functions, such as stricter authentication processes in the radio interface (section 1.18).
 
These new security features will however not all be activated by default in the network equipment and their implementation will greatly depend upon how the operators deploy and manage their networks.
 
The EU report also notes that the deployment of 5G networks is taking place in a complex global cybersecurity threat landscape, notably characterised by an increase in supply-chain attacks. Overall, the threats considered most relevant are the principal traditional categories: those related to the compromise of confidentiality, availability and integrity (section 2.3).
 
More specifically, a number of threat scenarios targeting 5G networks were found to be particularly concerning:
 
● Local or global 5G network disruption (Availability)
 
● Spying of traffic/data in the 5G network infrastructure (Confidentiality)
 
● Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality)
 
● Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).
 
The EU report has a detailed analysis showing potential vulnerabilities related to hardware, software, processes and policies, supplier-specific vulnerabilities, and risk scenarios related to insufficient security measures and to the 5G supply chain.
 
From the perspective of end users and of companies' risk concerns, the most important part of the report relates to the existing mitigating measures and security baseline, which at EU level means EU telecoms legislation and the NIS Directive.
 
Under the EU telecommunications framework, obligations can be imposed on telecommunication operators by the relevant Member State(s) in which they provide service. On the other hand, the NIS Directive requires operators of essential services in other fields (energy, finance, healthcare, transport, water, etc.) to take appropriate security measures and to notify serious incidents to the relevant national authority. The NIS Directive also foresees coordination between Member States in case of cross-border risks and incidents.
 
Other relevant frameworks at EU and national level include data protection and privacy rules (in particular the General Data Protection Regulation and e-Privacy Directive) as well as requirements applicable to critical infrastructures. In addition, various security measures may already be applied by mobile network operators, for instance: technical measures (e.g. encryption, authentication, automation, anomaly detection) or process-related measures (e.g. vulnerability management, incident and response planning, user-privilege management, disaster recovery planning). Finally, from a standardisation perspective, 3GPP SA3 has addressed several 5G security-related concerns, advocating, inter alia, end-to-end encryption. However, the work carried out within these bodies does not deal with security concerns related to the deployment and configuration of the technology.
 
A new era of cybersecurity is coming. 5G networks increase the technological quality of the internet and, at the same time, open new vulnerabilities. Cybercriminals, hackers and different sorts of attacks will push regulatory and compliance measures to the centre of the priorities of EU Member States and companies.
 
Joao Paro is a regulatory consultant at Compliance and Risks  
 