Saudi Telecom and Nokia Publish 5G Security Risk Assessment

It is always good to see leading telcos talking openly about the risks they face, as it shows they are taking them seriously whilst also setting an example that other telcos can emulate. Hence it is pleasing that Saudi Telecom Company (STC) and Nokia have used social media to share a 5G security risk assessment that they jointly authored. Yasser N. Alswailem, Vice President of Cybersecurity at STC, made the document publicly available on LinkedIn.

Saudi culture places a greater emphasis on security than some other cultures, so it makes sense for STC to be forthright in tackling 5G challenges. This paper is succinct and well-written; any operator should compare it with their own policy towards 5G security.

The assessment highlights how the exploitation of security weaknesses can lead to many kinds of undesirable outcomes, ranging from fatalities through privacy violations to financial leakage.

Loss of availability of the network or a communication service: This may be restricted to certain parts of the network (e.g. a set of radio cells, or a set of subscriptions, core network, RAN, management/control), but it may also impact the network as a whole. Loss of a mission critical service that is expected to be run over 5G networks can obviously have severe impact on the “real world” beyond the network. Even a localized loss of availability can be devastating, for example terrorist activities at critical locations such as a power plant or an airport.

Leak of confidential information: In a 5G network, confidential information may leak from user plane traffic and from any data stored in the network, in particular subscription data or tenant data (assuming a business model where tenants such as industry verticals can rent and operate network slices). An example of notable user-related confidential information available in the network is a user’s geographical location. Depending on the sensitive information, loss of its confidentiality can obviously have various kinds of severe negative impacts.

Loss of integrity is often listed as the third of the high-level information security threats. On the one hand, compromising the integrity of the network can be used as a step towards the first two threats mentioned above. On the other hand, it may lead to undesired behaviour of the network that may have various impacts reaching outside the confines of the network itself. For example, loss of integrity of the network’s authentication function may allow attackers to impersonate other service users, and abuse this to deliver wrong information to these service users’ communication peers, potentially with huge negative impact. As another example, loss of integrity of charging and billing systems may lead to theft of service and the network operator losing revenue.

The authors of the paper express strong support for the GSMA’s NESAS scheme (Network Equipment Security Assurance Scheme), which is defined jointly with 3GPP. NESAS audits a vendor’s product development and lifecycle processes and has its network equipment tested by accredited labs against the 3GPP security assurance specifications, so that operators can rely on a common, industry-agreed baseline rather than vetting each vendor separately.

NESAS is the most suitable global security assurance scheme, and adopting it brings benefits for

  • Operators: reduced effort for tender with security by default and measurable security
  • Vendors: uniform security requirements for network equipment and demonstration of commitment to secure product development and maintenance
  • Governments: developed scheme, supported by the industry, introducing basic cybersecurity “hygiene”

The paper concludes that the physical and virtual technologies that comprise 5G networks need “special attention from a cybersecurity perspective”. The argument is well made, and both STC and Nokia have highlighted why the telecoms sector should give 5G security the attention it deserves.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.