It is always good to see leading telcos talking openly about the risks they face, as it shows they are taking them seriously whilst also setting an example that other telcos can emulate. Hence it is pleasing that Saudi Telecom Company (STC) and Nokia have used social media to share a 5G security risk assessment that they jointly authored. Yasser N. Alswailem, Vice President of Cybersecurity at STC (pictured), made the document publicly available using LinkedIn, as embedded below.
Saudi culture places a greater emphasis on security than some other cultures, so it makes sense for STC to be forthright in tackling 5G challenges. This paper is succinct and well-written; any operator should compare it with their own policy towards 5G security.
The assessment highlights how the exploitation of security weaknesses can lead to many kinds of undesirable outcomes, ranging from fatalities through privacy violations to financial leakage.
Loss of availability of the network or a communication service: This may be restricted to certain parts of the network (e.g. a set of radio cells, or a set of subscriptions, core network, RAN, management/control), but it may also impact the network as a whole. Loss of a mission critical service, that is expected to be run over 5G networks, can obviously have severe impact on the “real world” beyond the network. Even a localized loss of availability can be devastating, for example terroristic activities at critical locations such as a powerplant or an airport.
Leak of confidential information: In a 5G network, leakage of confidential information in user plane traffic and any data stored in the network, in particular subscription data or tenant data (assuming a business model where tenants such as industry verticals can rent and operate network slices). An example of notable user-related confidential information available in the network is a user’s geographical location. Depending on the sensitive information, loss of its confidentiality can obviously have various kinds of severe negative impacts.
Loss of the integrity is often listed as the third of the high-level information security threats. On the one hand, compromising the integrity of the network can be used as a step towards the first two threats mentioned above. On the other hand, it may lead to undesired behaviour of the network that may have various impacts reaching outside the confines of the network itself. For example, loss of integrity of the network’s authentication function may allow attackers to impersonate other service users, and abuse this to deliver wrong information to these service users’ communication peers, potentially with huge negative impact. As another example, loss of integrity of charging and billing systems may lead to theft of service and the network operator losing revenue.
The authors of the paper express strong support for the GSMA’s NESAS scheme, which promises to audit vendors for compliance with generally agreed security standards.
NESAS is the most suitably global security assurance scheme, and adopting it brings benefits for
- Operators: reduced effort for tender with security by default and measurable security
- Vendors: uniform security requirements for network equipment and demonstration of commitment to secure product development and maintenance
- Governments: developed scheme, supported by the industry, introducing basic cybersecurity “hygiene”
The paper concludes that the physical and virtual technologies that comprise 5G networks need “special attention from a cybersecurity perspective”. The argument is well made, and both STC and Nokia have highlighted why the telecoms sector should give 5G security the attention it deserves.