1. 5g - huawei australia hub


Post on 11-Dec-2021


Page 1: 1. 5G - Huawei Australia Hub

Executive Summary (p. 3)
1. 5G – A Coming Evolution (p. 4)
   1.1 What is 5G? (p. 4)
   1.2 Why is 5G important? (p. 4)
   1.3 Multi-service Networks (p. 6)
   1.4 5G Mode (p. 7)
   1.5 Access-Core Separation (p. 7)
2. 5G-RAN Threat Model (p. 8)
   2.1 Cyber Attack (p. 8)
   2.2 Threat Actors (p. 9)
   2.3 5G RAN Threat Inventory (p. 10)
3. 5G-RAN Risk Management (p. 13)
   3.1 Risk Management (p. 13)
   3.2 Risk Context (p. 14)
   3.3 Identifying the Risks (p. 15)
   3.4 Risk Analysis (p. 16)
   3.5 Risk Evaluation (p. 19)
   3.6 Risk Treatment (p. 19)
   3.7 Conclusion (p. 20)
4. 5G-RAN Isolation (p. 21)
   4.1 What is Isolation? (p. 21)
   4.2 5G-RAN NSA Isolation (p. 21)
   4.3 5G-RAN SA Isolation (p. 22)
   4.4 EMS Northbound Interface (p. 22)
5. Network Trust (p. 24)
   5.1 Research into Element Compromise (p. 24)
   5.2 Byzantine Behaviour (p. 25)
   5.3 Industry Observations (p. 26)
6. Security Evaluation (p. 27)
   6.1 Early Approaches (p. 27)
   6.2 The Emergence of Cybersecurity (p. 28)
   6.3 Common Criteria Evaluation Scheme (p. 28)
   6.4 Huawei Deep Evaluation (p. 29)
   6.5 Continuous Security Quality Improvement (p. 30)
7. Technology Balkanization (p. 31)
   7.1 Equipment Tampering (p. 31)
   7.2 Security Agency Access to Equipment (p. 31)
   7.3 Technology Balkanization (p. 31)
   7.4 Rejecting Risk Management (p. 32)


Executive Summary

The 3GPP LTE standard continues to evolve, with carriers expected to progress from Release 14 to Release 15 over the next year or so. This new release provides additional functionality, better security, and the use of a new radio system to deliver more broadband capacity. The new release has been named 5G, and is a direct evolution of the existing 4G LTE. For carriers it offers a more cost-effective solution due to virtualization and the ability to introduce new business models based on network slicing.

5G enhances the security provided in 4G, introducing an increased key length and better protection of sensitive data. It retains the access-core separation which enables carriers to operate a multi-vendor network, and governments to control the use of certain foreign vendor technologies. The ITU X.805 security architecture continues to be a valuable reference for the design of security in these networks, and 5G is fully consistent with it. The US National Institute of Standards and Technology (NIST) has also released a special publication, SP800-187: Guide to LTE Security, which provides a technology-specific view of LTE threats and mitigations across the spectrum of LTE releases.

Carrier networks are prime targets for cyber attack, from both allies and adversaries. These attacks include supply chain and remote internet-borne attacks, and both may seek to establish an internal beachhead from which to mount an attack deeper into the network. As with any business endeavour, there are business risks which need to be identified and mitigated. These risks can be considered in two parts: the risks associated with the 5G radio access domain or 5G RAN, and the risks associated with the more sophisticated 5G core.

In this White Paper, we show how risk can be managed in the context of the 5G RAN. Building on the threat matrix developed in our white paper 5G RAN and the Cybersecurity Framework, and considering the types and motivations of threat actors, we provide the templates for carriers to identify and quantify the risks associated with both the non-stand alone and stand-alone modes of operation. In doing this, we include both the operator business perspective and the national infrastructure security perspective. Once the risks have been quantified, the necessary remediation can then be achieved through application of the controls in the Cybersecurity Framework. Together, these white papers provide the full cybersecurity blueprint for introducing and managing the next evolution of 5G radio capability.

Responsible management is not about all-or-nothing dramatic choices; it is about thoughtful assessment and management of risk. Running a properly risk-managed 5G network poses no threat to the national infrastructure; rather, it is the path to success for the operator and a most valuable economic asset for the nation.

John Suffolk
Global Privacy and Cybersecurity Officer


1. 5G – A Coming Evolution

1.1 What is 5G?

There has been a lot of speculation about the next generation network – 5G – and what it means for carriers, for users, and for governments. 5G has been held up as the technology which will enable carriers to build the next generation of their business models; as the existential threat to critical infrastructures; as the ubiquitous last mile network; and as the solution to slow and unreliable mobile networks. While there are varying degrees of fact or truth in these expectations, the one clear thing is that 5G is a network technology which is emerging into the mainstream and one which will open up the next generation of opportunities for those nations which successfully adopt it.

Understanding 5G is quite simple. 5G is no more than a step along the development of the industry standard 4G LTE technology. Where LTE release 14 is what is currently known as 4G, release 15 is the start of what has been called 5G. 5G is not a revolution in network technology but the start of a series of incremental improvements to 4G to deliver an evolutionary path to the next generation of network capabilities. In its first release, it’s just a bigger and better 4G – and it’s more secure.

1.2 Why is 5G important?

Early mobile phone systems concentrated on providing voice and a short messaging service, and communications networks that could provide an analogue channel of around 64 kb/s were perfectly adequate to deliver the functionality required. From this beginning, the smartphone emerged with its ability to connect to the internet and to run application software. The demand for bandwidth increased, and the two network architectures of CDMA and GSM merged to deliver the first really effective smartphone network, 3G. The standards for this network are defined internationally, by an organization called the 3rd Generation Protocol Partnership, or simply 3GPP.

The bandwidth and base station capacity available on 3G networks was quickly swamped, and the demand for more data capacity drove improvements to 3G; the new release became known as 4G. This is now the standard for the higher quality networks and is in use by most carriers. 3G still exists, typically as a fall-back option for 4G saturation or where 4G is unavailable. We’ve seen incremental components added to 4G to form step improvements arbitrarily called 4.5G and 4.9G. Still, 4G and its variants are not the complete answer.

The dramatic rise in utilization of the internet to provide connectivity for everything has driven a number of different demands. On the one hand, the rise of small sensors with internet connectivity means a base station needs to support many more devices per square kilometre, and this either requires more base stations – a costly exercise – or more capacity per base station to support massive machine type communications (mMTC). The demand for a real-time operational network drives the requirements of performance reliability and low network latency, the time a packet takes to travel across the network. These characteristics can be realized with a network approach known as ultra-reliable low latency communications (URLLC). Finally, the demand for bandwidth to support applications such as real-time video streaming is driving massive bandwidth in what is known as enhanced mobile broadband (eMBB). These demands cannot be met with the current LTE design, and improvements are necessary. These three forms of network characteristics are often shown in the 5G capability triangle, as shown in Figure 1.

Figure 1: 5G Capability Triangle

The roadmap for the next two releases of LTE with the associated new radio technology offers those improvements. In the first instance, it offers just more broadband capacity to deliver eMBB. With release 16, the additional use cases of eMBB and URLLC will be delivered. The evolution of LTE is shown in Figure 2.

Figure 2: LTE Evolution

The most visible difference between release 14 and release 15 is the use of a new waveform to support the higher carrier frequencies and bandwidth, and with release 16 come changes to the core and RAN to minimize latency to support the additional usage scenarios, as well as fixed wireless convergence, unlicensed spectrum, multi-connectivity, multicast-broadcast services, satellite access, etc.

From a carrier perspective, the ability to host many more connections with just an upgrade to existing infrastructure is very important – replacement of infrastructure is an unacceptable cost. Carriers are already starting to introduce virtualised infrastructure, and release 15 – LTE-Advanced Evolution with its new radio, together known as 5G – continues with more virtualization of the core network infrastructure, meaning that expensive proprietary components can be replaced with much more cost-effective commodity systems. The RAN segment, however, is typically not virtualized because hardware-level performance continues to be a defining characteristic for 5G RAN success.


1.3 Multi-service Networks

Traditional 3G and 4G carrier solutions have used a three-layer infrastructure of management, control, and user planes which delivers network services and applications, as described in the ITU X.805 standard [1]. With the evolution to 5G, a new architecture is possible in which the key focus is on providing multiple virtual networks to deliver heterogeneous end-to-end services, each with its own network characteristics and its own set of X.805 planes. This is exactly the architecture required to support the future demands of sensors, smart cities, smart transport, and so on, with their individual network characteristics. While initial deployments of the 5G radio access network (5G RAN) will run on 4G core solutions, the full 5G RAN and core with its network service-defined characteristics will eventually become the target architecture.

In order to deliver an integrated set of heterogeneous network services, the 5G protocol supports virtual network functionality (VNF) which can be orchestrated through software defined networking (SDN) to create virtual networks in the network function layer. These will use the physical resources in the traditional transmission and core segments of the network infrastructure layer. This is shown in Figure 3. These resources will form dedicated business-driven logical networks within the core, otherwise known as network slices, which are able to multiplex throughout the core to provide the edge-to-edge service for the user. The three capabilities of mMTC, URLLC, and eMBB define the first three forms of network slice. The detailed specifications for slicing have been, and are continuing to be, developed by more than a dozen standards bodies, concurrently with the evolution of LTE by 3GPP. Huawei is a leading contributor to those standards.

VNF/SDN concepts shift how an operator designs, develops, manages and delivers products and services to achieve technological and operational efficiencies. These benefits are aimed at fundamentally redefining the cost structure and operational processes, enabling the rapid development of flexible, on-demand services and maintaining a competitive position. Operators are starting to use some of these functions already in their 4G networks, but the opportunity for their use increases dramatically with 5G.

Huawei has developed an ICT functional converged reference architecture for 5G which incorporates edge-to-edge network slicing and security, decoupling of the RAN and core, functional decomposition which separates the central and distributed units of the radio access network and separates the control and data plane in the core, and delivers agile and automated operation. This enables integration of not only cellular but also WiFi and Ethernet communications to deliver further efficiencies for operators.

Figure 3: 5G Architecture

[1] ITU Recommendation X.805, Security architecture for systems providing end-to-end communications


1.4 5G Mode

There are two modes of deployment for a 5G RAN. The first is what is known as Non-Stand Alone (NSA) mode and works concurrently with a 4G network. In this mode, the 5G RAN handles the device traffic and forwards its data plane directly to an existing 4G evolved packet core (EPC). The control plane traffic, however, is handed off to a 4G RAN baseband unit (BBU) which sends it on to the core.

The second form of deployment is known as Stand Alone (SA) mode. In this mode, the network has a 5G core which enables the additional capability of slicing. The 5G RAN in this case delivers both data and control plane traffic to the network edge. There is no requirement for support from an existing 4G network.

While eMBB deployments can be usefully supported by NSA mode, the demands of mMTC and particularly URLLC will eventually drive the evolution to a 5G core in order to get the benefits of slicing. The cost advantages of a cloud-based core may also drive a carrier to deploy SDN features even in the 4G core.

1.5 Access-Core Separation

The 3GPP standards provide full separation between the access network and the core. This is the case currently with 4G, where the connection from a 4G RAN to the core is via a security gateway. In NSA mode, the 5G RAN site will send its data to the core via the security gateway, but will interface to an existing 4G radio site for control plane traffic. The NSA 5G RAN is fully separated from the core. With the evolution to SA mode, the 5G RAN will connect to the core through a security gateway, exactly as 4G does now. These scenarios are shown in Figure 4.

Figure 4: Deployment Scenarios

Importantly, the 5G RAN does not become part of the network slice. Rather, the network slice terminates at the network edge, and connects to the 5G RAN through a standard interface which translates the network slice identifier value (called the NSSAI) into a standard 4G Quality of Service (QoS) value. This means that the 5G RAN in either mode can operate in exactly the same way as the 4G RAN operates, i.e. with exactly the same RAN-core interfaces.


2. 5G-RAN Threat Model

2.1 Cyber Attack

The evolution of technology over the last two decades has been rapid, particularly in the telecommunications field. Simple internet services and bulletin boards have evolved into the World Wide Web, sophisticated cloud technologies and the internet of things. Increasingly, digital innovation and smart cities are the keys to prosperity and a nation’s success in the technological world. At the same time there has been a substantial increase in cyber attacks, with more sophisticated attack techniques being discovered and used every day. The early focus of amateur hackers on viruses and worms has evolved into more sophisticated system exploitation and the use of backdoors by nation states.

The attack surface for most business and government systems through to the late 1990s was quite small, and cyber fraud was the most prevalent concern. Networks were often not connected to the internet, or did so only briefly for regular uploads and downloads of mail. Browsing was typically done using a standalone workstation. However, the vast majority of networks are now connected all the time, and the adoption of web technologies means the attack surface has grown dramatically.

One form of cyber attack is viruses: malware which is inserted into a computer system via a USB stick, is sent via email, or sits on a web site and infects any unsuspecting visitor. This form of attack continues to be successful, with increasingly sophisticated targeting of users. The scale of these attacks is significant, with the estimated 170,000 ransomware attacks in 2017 being double that of 2016.

Another cause of cyber attack is remote network exploitation, taking advantage of weaknesses in software and system configurations to gain unauthorised entry. The scale of this can be seen by looking at sites such as ExploitDB [2], which at the time of writing had about 40,000 exploits registered. This class of attack is practised by script kiddies, by hackers, organised crime and state sponsored agents. And it’s not just adversaries – as evidenced by the Belgacom case [3], attacks can even come from friendly nations.

A further problem with cyber is just carelessness, as was the case recently when a USB stick was found containing, amongst other things, the security measures used to protect the British Queen [4], and when confidential child protection documents were found blowing around a street [5]. Reports of these kinds of events are published regularly, and represent the tip of the iceberg for this category of cybersecurity issue.

Nation-state subversion of technology is a form of cyber attack which has received much publicity recently. Much of the public information on how this kind of attack works has come from US activities documented in the WikiLeaks material, but it can be reasonably expected that a number of nations indulge in similar activities.

[2] https://www.exploit-db.com/
[3] Gallagher R (2014), Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco, https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/
[4] https://www.databreaches.net/terror-threat-as-unencrypted-heathrow-airport-security-files-found-dumped-in-the-street/
[5] https://www.databreaches.net/confidential-child-protection-documents-found-blowing-around-in-a-leicester-street/

The publication by Edward Snowden in 2013 of a number of documents taken from the NSA detailed, and made available to a broader set of threat actors, a vast amount of sophisticated nation-state malware. More was made available when a full library of attacks was accidentally left on a target and then found by Russian hackers [6]. Many of these attack techniques focused on networking equipment. The material also indicated the depth of compromise of US technology companies. It includes evidence that the NSA paid $10M to RSA for the introduction of a deliberately compromised Dual Elliptic Curve algorithm [7]. The documents also indicate that the US has been conducting widespread surveillance in the US and globally, and the lack of integrity of US technology is now considered to be an advanced and persistent threat in both Europe and around the world. As a result, in October 2015 the European Union declared that the US was no longer a safe harbour for private data [8]. In 2016, a further leak of NSA malware demonstrated how the NSA exploits security systems made by US manufacturers [9]. This kind of subversion can take place through government compromise of vendors, remote attack on deployed equipment, or may be achieved by interference in the supply chain.

Ironically, the US has accused Chinese manufacturers, and in particular ZTE and Huawei, of spying for the Chinese Government, but there has been no evidence - ever - that this is the case.

The threat of cyber attack has grown sufficiently high as to now become a key Board level concern for many companies, including the telecommunications sector, and the serious issues reflected in the Snowden leaks have added further pressure to comprehensively address the threat of cyber attack. As 5G emerges into the mainstream and becomes the fabric of a nation’s digital environment, operators need to ensure they have built their networks with the most secure technologies available.

Not all cyber attacks are relevant to 5G-RAN, and there are some technology-specific attacks which are not covered above. Fortunately, there is guidance available on the specific threats to networks, and the threats to LTE in particular have been published in the NIST Publication SP800-187: Guide to LTE Security. We can use this guidance to inform the threat risk assessment for 5G-RAN.

[6] https://thehackernews.com/2016/09/nsa-hacking-tool-exploits.html
[7] https://www.reuters.com/article/us-usa-security-nsa-rsa/exclusive-nsa-infiltrated-rsa-security-more-deeply-than-thought-study-idUSBREA2U0TY20140331
[8] https://theintercept.com/2015/10/06/top-european-court-rules-that-nsa-spying-makes-u-s-unsafe-for-data/
[9] https://www.forbes.com/sites/thomasbrewster/2016/08/19/cisco-nsa-vpn-hack-shadow-brokers-leak/#17529bfc5277

2.2 Threat Actors

There are many potential attackers that could be considered in the context of the risks to 5G-RAN. However, for the purposes of this paper, the two main actors we will consider are state sponsored agents and individual hackers. The outcomes an attacker may desire from attacking a 5G RAN are: to gain access to information passing through the 5G-RAN; to gain access into the core from the 5G-RAN; to gain access to an end-point device from the 5G-RAN; to cause disruption or a denial of service to the 5G-RAN segment; and to use a 5G-RAN element as a relay for attacks to an external target. While arguably less relevant to the 5G-RAN, another actor we will consider in the context of 5G RAN is the subverted insider.

2.3 5G RAN Threat Inventory

In our White Paper: 5G RAN and the Cybersecurity Framework, we provided an initial threat inventory for the 5G RAN. This is shown in Table 1 below.

Table 1: 5G RAN Threat Inventory

| # | Threat | Description | Threat Actor | Control |
|---|---|---|---|---|
| T.01 | Physical Attack | An intruder into a site gains physical access to the network element to cause damage | Individual, Activist | Fence, CCTV, Locks |
| T.02 | Physical Attack | An intruder into a site attempts to gain electronic access to the network element and hence into the network | Activist | Fence, CCTV, Locks, Access Control, Authentication, Hardening |
| T.03 | Physical Attack | An intruder into the exchange attempts to gain electronic access to the EMS | Activist | (as T.02) |
| T.04 | Abuse of Privilege | A service management engineer abuses the legitimate access he/she has to the EMS | Individual, Nation State | Vetting, Access Controls |
| T.05 | Interception | An attacker intercepts the airlink | Individual, Media | Encryption |
| T.06 | Interception | An attacker intercepts the fronthaul | Individual | Encryption, Ducting |
| T.07 | Interception | An attacker intercepts the backhaul | Individual | (as T.06) |
| T.08 | Denial of Service | An attacker jams the airlink signal | Individual, Activist | Out of scope |
| T.09 | Rogue Base Station | An attacker stands up a rogue base station | Individual, Activist | Out of scope |
| T.10 | Electronic Attack | An attacker penetrates into the 5G RAN through an end-user device | Individual, Activist | Techniques not currently known |
| T.11 | Electronic Attack | An attacker penetrates the supply chain | Nation State | Supply Chain Security |
| T.12 | Electronic Attack | An attacker penetrates the EMS from the core | Nation State, Criminal, Public | Hardening, Evaluation, Intrusion Monitoring, Anomaly Monitoring |
| T.13 | Electronic Attack | An attacker penetrates a network element from the core | (as T.12) | (as T.12) |
| T.14 | Electronic Attack | The EMS initiates malicious behaviour | Nation State | Supply Chain Security, Hardening, Evaluation, Intrusion Monitoring, Anomaly Monitoring |
| T.15 | Electronic Attack | A network element initiates malicious behaviour | (as T.14) | (as T.14) |

Physical threats are managed by site protective security such as exchange buildings, perimeter fences, and CCTV. Interception of the 5G airlink is essentially the same as for 4G, with improvements in the confidentiality algorithm key length to make any brute force attack even more difficult. AES256 is a recognised standard option. Fronthaul is DWDM fibre optic, and would be ducted between sites and exchanges. Backhaul would also likely be ducted, and interception can be further mitigated using IPSec, again a standard and recognised approach using the AES algorithm. Jamming and rogue base stations are both known attacks which affect the use of any cellular network but are not attacks on the network itself, and so they are out of scope for this paper.

A key threat at the forefront of the minds of security agencies is the insider threat. This involves a person with legitimate and possibly privileged access who for idealistic, financial, or coercion reasons abuses the access they have. The drivers for such abuse of privilege apply equally to Australians, Americans and other nationalities – this is not an issue of ethnicity. Insiders may abuse their privileges in order to extract information, insert malware, or to cause a denial of service. The insider threat has given rise to a variety of countermeasures such as security vetting, polygraphs, continuous monitoring of people, and other such mechanisms. These countermeasures have been traditionally limited to the classified domain but unfortunately have proved to be less than fully effective, with well-known examples such as Edward Snowden and Bradley/Chelsea Manning demonstrating this. Lesser known examples include Larry Wu-Tai Chin, who worked as an officer in US intelligence for 35 years, and Peter Lee, who was employed at Los Alamos National Laboratories, both of whom were found stealing classified information. Clearly there is evidence that there is a real insider threat in the government domain. There may be a relevant risk that network design teams, network operations staff, or some vendor service teams are being targeted for subversion. There has been no evidence – ever – of Huawei service engineers being subverted. Nevertheless, for completeness, we will include this class of actor in the threat model.

Electronic attack is more complex and can be achieved in a number of different ways. Establishing a beachhead in an accessible part of the network is a well-established hacking strategy for mounting attacks further into the network as shown in Figure 5. The actions characterising these further attacks would be the same whatever the method used to establish the beachhead, and it would not be evident other than through forensic analysis how the beachhead was established.

Figure 5: Threat Model

Intrusion via the core would in all likelihood occur as a result of an attacker gaining access to the core via the operator’s enterprise network, due to inadequate protection at the enterprise perimeter and between these networks. This is the most likely method of gaining access to a carrier network and there are many examples of this happening.

There is one more method of entry which should be mentioned – unauthorised access via the service management channel through hacking the operator’s jumphost, use of pilfered credentials, or use of legitimate credentials for unauthorised purposes. This form of access should be fully controlled by the carrier outside of the RAN, but is included in the threat model for completeness.

A number of actions may occur as a result of a compromised EMS. The compromised EMS could attempt a second stage attack upstream to the core through the northbound interface. It could use its management plane functionality to disrupt the network element operation. It could just cease working and cause a management plane denial of service.

There could be a number of actions that occur as a result of a compromised element. The element could attempt a second stage attack upstream to the EMS through the management plane, or upstream to the core through its control or user planes. In the case of NSA mode, the element could also attempt attacks on the associated 4G element through its control plane. It could close down to achieve a limited denial of service, and it could potentially attempt to reach back through the radio segment to cause a denial of service there or to compromise a connected User Equipment (UE) device.
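The second-stage paths described above for a compromised EMS or network element can be written down as a small directed graph and queried for blast radius, which is how a carrier would check what a given beachhead exposes in NSA versus SA mode and what an isolation control actually removes. This is an added example, not code from the paper; the asset names, the path labels, and the idea that a control such as the RAN-core security gateway "cuts" a named path are assumptions made for the illustration.

```python
from collections import deque

# Constructed edge list for the threat model in Figure 5 and Table 1 of the paper.
# Each entry: (source, destination, path the attack rides on, modes in which the
# path exists). Asset and path labels are assumed names chosen for this example.
SECOND_STAGE_PATHS = (
    ("enterprise", "core", "enterprise perimeter", ("NSA", "SA")),    # intrusion via core
    ("jumphost", "EMS", "service management channel", ("NSA", "SA")), # pilfered credentials
    ("core", "EMS", "northbound interface", ("NSA", "SA")),           # T.12
    ("core", "element", "RAN-core interface", ("NSA", "SA")),         # T.13
    ("UE", "element", "radio segment", ("NSA", "SA")),                # T.10
    ("EMS", "core", "northbound interface", ("NSA", "SA")),           # compromised EMS
    ("EMS", "element", "management plane", ("NSA", "SA")),
    ("element", "EMS", "management plane", ("NSA", "SA")),            # compromised element
    ("element", "core", "RAN-core interface", ("NSA", "SA")),
    ("element", "4G element", "4G control plane", ("NSA",)),          # NSA mode only
    ("element", "UE", "radio segment", ("NSA", "SA")),
)


def active_edges(mode, cut=frozenset()):
    """Edges present in the given deployment mode whose path is not cut by a control."""
    if mode not in ("NSA", "SA"):
        raise ValueError(f"unknown mode {mode!r}")
    return [(s, d, p) for s, d, p, modes in SECOND_STAGE_PATHS
            if mode in modes and p not in cut]


def reachable(beachhead, mode, cut=frozenset()):
    """Breadth-first search from the beachhead.

    Returns {asset: [path labels]} for every asset an attacker could reach in
    further stages, using the fewest-hop route. The beachhead itself is omitted.
    """
    edges = active_edges(mode, cut)
    routes = {beachhead: []}
    queue = deque([beachhead])
    while queue:
        node = queue.popleft()
        for src, dst, path in edges:
            if src == node and dst not in routes:
                routes[dst] = routes[node] + [path]
                queue.append(dst)
    del routes[beachhead]
    return routes


def blast_radius(beachhead, mode, cut=frozenset()):
    """Sorted list of assets at risk once the beachhead is compromised."""
    return sorted(reachable(beachhead, mode, cut))


def cut_effect(beachhead, mode, cut):
    """Assets that a set of cut paths (the controls applied) removes from the blast radius."""
    before = set(reachable(beachhead, mode))
    after = set(reachable(beachhead, mode, cut))
    return sorted(before - after)


if __name__ == "__main__":
    for mode in ("NSA", "SA"):
        print(mode, "compromised element exposes:", blast_radius("element", mode))
    gateway_only = frozenset({"RAN-core interface"})
    print("security gateway alone removes:", cut_effect("element", "SA", gateway_only))
    gateway_and_nbi = frozenset({"RAN-core interface", "northbound interface"})
    print("gateway plus northbound control removes:", cut_effect("element", "SA", gateway_and_nbi))
```

Running it shows that cutting only the RAN-core interface leaves the core reachable through the EMS northbound interface, the path the paper lists for a compromised EMS, so the management plane and northbound interface need their own controls.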

Note that the threat of a compromised vendor – suggested by some as a new and scary problem that cannot be fixed – is nothing more than one vector into a network. The problem is no different to many other problems which operators have been managing for the last decade or so, and for which the 3GPP security features are designed.

The threat model is no different to the kind of threat model that operators currently use to identify risks in their networks. The same issues exist in 3G, 4G, and fixed line networks and are the issues that the X.805 security architecture is designed to address. The attacks that can take place in the 5G RAN are no different to the forms of attack that beset every business using a wireless network or being connected to the internet, and in fact are less concerning as the controls around carrier networks are much greater than those around enterprise networks.


3. 5G-RAN Risk Management

3.1 Risk Management

Risk is a term used mainly to describe the chance of an adverse outcome caused by a threat being realised. Risks are inherent in doing business, be that as an SME, a corporate or even a government. Every business decision involves at a minimum determining the risk of doing nothing or of taking action, and may involve determining the risk of different courses of action. This could be a commercial decision on whether to open a new store – what is the risk it will fail; it may be a corporate decision to make an acquisition – what is the risk it will not be profitable; and it may be a geopolitical decision to impose sanctions or tariffs – what is the risk of a punitive response.

Risk management is a well-defined process documented in the ISO 31000 Risk Management standard. The purpose of risk management is to provide a sound basis for decisions on whether risks are acceptable and, if necessary, to determine how they can be reliably dealt with. Good risk management enables confident and balanced decision making on a consistent and reliable basis. A simplified version of the ISO 31000 approach to risk is shown in Figure 6.

The start point for any risk management exercise is to establish the context in which the risk management is being carried out, in particular ensuring that there is a strong understanding of the value of the associated business outcomes. While the simple way of describing the risk context is to document impact and likelihood tables, it can best be done using a disciplined and enterprise-wide approach such as that provided by the Sherwood Applied Business Security Architecture (SABSA)10. Taking an enterprise-wide approach to risk management avoids making blinkered risk decisions outside of the broader context, as such decisions may introduce far greater consequences than those being mitigated – not the most desirable outcome for any organisation.

Risk assessment is where risks are identified, analysed and their impact evaluated. This is often achieved through workshops or interviews, and requires a good understanding of the business processes and of what events might occur which could impact on business outcomes. It is here that the threat actors need to be defined and their motivation and opportunity established, to determine the likelihood of the threat. It is here also that the business impact of any such threat needs to be defined, so that the risk level can be assessed by considering both likelihood and impact.

An important part of risk evaluation is establishing the priority for risk treatment. There is little point in spending inordinate resources putting in place controls to mitigate a threat with a negligible level of risk – it is much more sensible to address the highest risks first.

Having established the risk level, risk treatment requires that a decision be made on how to manage the risk – stop doing that line of business and avoid the risk; accept the risk; or mitigate the risk by applying controls so that the likelihood of it happening or its impact are sufficiently reduced. There are other approaches – insurance is a form of risk transfer for instance – but we can focus on just risk acceptance and mitigation for the purposes of a 5G-RAN assessment.

Figure 6: Risk Management

10 https://sabsa.org/

3.2 Risk Context

The context for risk in the 5G-RAN is primarily the delivery of business outcomes for the operator. The use of a formal framework such as that provided by SABSA provides a disciplined way in which to address the security requirements of part or all of a carrier’s network operations. For this paper, the context is the security, reliability, and cost-effectiveness of a carrier’s 5G services.

With telecommunications networks being considered by most nations as part of their critical national infrastructure, governments have looked to exercise various options within their Public-Private Partnership arrangements for addressing national security concerns. A full review of options for the public-private partnership arrangements is provided in the paper by Shore and Zeadally11.

Australia is one of the countries grappling with this issue, and provides a good case study of its complexities. Australia already has a framework for managing security in government, the Protective Security Policy Framework, or PSPF. It has an overarching policy statement saying:

managing protective security risks proportionately and effectively enables government entities to provide the necessary protection of the Government’s people, information and assets.

The PSPF consists of four sections: Governance, Personnel, Physical, and Information Security. Altogether it has 36 control objectives. It has been in place for many years and is a mature policy instrument.

The PSPF, in its Governance section, references ISO 31000 as its risk management standard. Specifically, the GOV-6 control objective states that:

Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standards AS/NZS ISO 31000:2009 Risk management—Principles and guidelines and HB 167: 2006 Security risk management.

This guidance flows on from the PSPF into the Australian public-private partnership arrangements for the national telecommunications infrastructure through reforms to the Telecommunications Act. The explanatory document to these reforms states that:

The regulatory framework is intended to promote a risk informed approach to managing national security risks of espionage, sabotage and foreign interference across telecommunications providers. For this reason, the national security obligation will apply to all C/CSPs [carriers/carrier service providers]. This will ensure that responsibility for managing national security risks to telecommunications infrastructure is more equitably managed across the industry. The approach is risk managed by requiring C/CSPs to “do their best” to manage the risk of unauthorised interference and access, which intends to impose a reasonableness test having regard to the particular circumstances of a C/CSP.

A carrier is obliged, therefore, to do its best not only to assess the business risk associated with running its networks, but also to take into account the national security risk and factor that into any risk treatment plan. This is not easy for either carriers or the Government, as the outcomes for the carrier and for Government of any decision may be diametrically opposed. Finding the right balance will be a difficult and ongoing challenge. It is further complicated by the fact that Government will often not be willing to share the information which leads to its national security risk assessment, or may have wider undeclared geopolitical objectives. Nevertheless, some balance between business and national security risks must be realised if carriers are to have a viable business in the 5G future.

11 Internet & Policy Journal, “An Assured Public-Private Partnership Model for Cybersecurity”, April 2011.

3.3 Identifying the Risks

Table 2 expands the threat model in Figure 5 into the set of threats together with their associated risks, in preparation for risk analysis. The table focuses on electronic attack.

Table 2: 5G-RAN Threat Analysis

| Threat Event | Threat Actor | Risk | Risk Description |
|---|---|---|---|
| Intrusion via end user device | Nation state | R.01 | A highly resourced and skilled attacker could gain access to the 5G-RAN via a technical attack from the mobile device |
| Intrusion via the supply chain | Nation state | R.02 | A vendor may allow a nation state to insert backdoors in their equipment through hardware implant, software implant, or use of weak algorithms and protocols |
| Intrusion via the supply chain | Nation state | R.03 | A highly resourced attacker could gain physical access to the supply chain and interfere with equipment en route to the operator |
| Penetration via the core | Individual; nation state | R.04 | A remote attacker may gain access from the internet to the operator’s enterprise network, stage into the carrier network core, and then into the RAN EMS or element |
| Unauthorised EMS access via service management | Individual; nation state | R.05 | A remote attacker could gain access to the EMS via the service management channel, or a carrier or vendor employee may abuse their authorised access to the EMS |
| Unauthorised EMS access via a compromised element | Individual; nation state | R.06 | An insider attacker on an element may gain access to the EMS via its internal management plane |
| Element attack from the EMS | Individual; nation state | R.07 | An attacker having compromised the EMS could use its functionality to reconfigure or power down elements |
| Northbound attack from the EMS | Individual; nation state | R.08 | An attacker having compromised the EMS could mount an attack on the core via the EMS northbound interface |
| DoS from the EMS | Individual; nation state | R.09 | An attacker having compromised the EMS could damage its files or power it down to cause a management plane denial of service |
| Data access on an element | Individual; nation state | R.10 | An attacker having compromised an element could gain access to data being transmitted through it |
| Side attack on a 4G BBU | Individual; nation state | R.11 | An attacker having compromised a Non-Stand Alone 5G BBU could mount an attack on the associated 4G BBU via its control plane |
| Element attack on the core | Individual; nation state | R.12 | An attacker having compromised an element could mount an attack on the core via the user plane (and in the case of a Stand Alone 5G-RAN the control and management planes also) |
| Element DoS | Individual; nation state | R.13 | An attacker having compromised an element could misconfigure or close down the element to cause a limited denial of user plane service |
| Attack on a connected device | Individual; nation state | R.14 | An attacker having compromised an element could mount an attack on a connected device |

3.4 Risk Analysis

Having identified a set of risks, the next stage of risk assessment is to analyse them. In doing this, we take into account the controls that exist in the 3GPP standards and that can be assumed to be in place in a properly configured network. We have not attempted detailed calculations of likelihood and impact, as these would require the risk context tables of a specific operator and would depend on the specific national context. However, the risk commentary provides guidance for an operator to do such an analysis, based on an assessed “average use case” controls and impact scenario.

The risk analysis is shown in Table 3.

Table 3: 5G-RAN Risk Analysis

Each entry gives the risk (identifier and description), the discussion of the controls that apply, and the assessed risk level.

R.01 A highly resourced and skilled attacker could gain access to the 5G-RAN via a technical attack from the mobile device
Discussion: No attacks of device-side penetration have been documented, so this is at this stage a speculative risk. The 3GPP standards maintain strong separation of user and control traffic within the cellular chipsets, so an attack would require a purpose-built UE device and for the attacker to be in the proximity of the base station.
Risk level: Low, in the absence of any evidence of known attacks.

R.02 A vendor may allow a nation state to insert backdoors in their equipment through hardware implant, software implant, or use of weak algorithms and protocols
Discussion: This is controlled through Common Criteria security evaluation and strict change control of the network. Some nations have extended Common Criteria assessment to use pre-defined Protection Profiles to ensure the desired level of security functionality. In extreme cases where there are concerns which go beyond those able to be mitigated under Common Criteria evaluations, deep government inspection of products at the source code and hardware schematic level can be used for enhanced assurance. This can be further enhanced with network probes in the 5G-RAN feeding data to an independent trusted anomaly detection system, which provides ongoing operational assurance to detect any issues in the access domain.
Risk level: Medium with Common Criteria evaluation and change control; Low with the additional deep inspection and independent monitoring.

R.03 A highly resourced attacker could gain physical access to the supply chain and interfere with equipment en route to the operator
Discussion: This typically requires physical access to equipment. It is controlled through supply chain security with strong verification of software integrity.
Risk level: Low.

R.04 A remote attacker may gain access from the internet to the operator’s enterprise network, stage into the carrier network core, and then into the RAN EMS or element
Discussion: This is a relatively commonplace attack for a network operator. Enterprise network controls may be breached, enabling both remote attacks on poor perimeter defences and internal attacks through web- or email-borne malware. Having enterprise gateways into the carrier network provides an access path into the EMS, and possibly directly into the core components and network elements. Out-of-band access to the carrier network will often be a useful vector for unauthorised access.
Risk level: High for many operators, managed through standard enterprise security.

R.05 An attacker could gain access to the EMS via the service management channel, or a carrier or vendor employee may abuse their authorised access to the EMS
Discussion: This is an obvious point of entry for a remote attack and one which is subject to strong security controls. The EMS is a hardened device. Access is typically controlled through the use of jump hosts with two-factor authentication. Access may be available only when there is an active trouble ticket, and sessions may be recorded. There is little chance that a remote attacker would be successful.
An insider attack from an authorised operator or service engineer would not be stopped by access controls, by definition. There are other countermeasures which can be used. Police checks ensure that people with criminal histories are not employed in these positions, but do not address subsequent subversion. The integrity of any configuration changes, software patches or upgrades loaded through the service management channel can be verified in accordance with supply chain security processes, and security assessed prior to change approval. Sessions may be recorded.
If there is a serious threat some additional controls can be applied, but these need to be applied to both the carrier and the vendor. The financial subversion of people is not related to ethnicity, so the additional controls need to be applied to all personnel. These measures will improve security, but the additional cost of having such measures in place may result in other risks rising. They should be applied with justified proportionality. The additional countermeasures are: (a) two-person control of changes where the risk justifies this; (b) a security vetting programme implemented instead of police checks.
Risk level: Medium; Low if the additional countermeasures are applied.

R.06 An insider attacker on an element may gain access to the EMS via its internal management plane
Discussion: This attack could come from a vendor service engineer or from a carrier network operator. Good network management will ensure that the EMS is kept up to date with patches. Access may be available only when there is an active trouble ticket, and sessions may be recorded. The EMS is access controlled and hardened, so an attack from an element should not be able to penetrate it.
Risk level: Low.

R.07 An attacker having compromised the EMS could use its functionality to reconfigure or power down elements
Discussion: If an attacker gains control of the EMS, they have full control of the set of elements it manages. This is typically a very small part of the overall network.
Risk level: Medium.

R.08 An attacker having compromised the EMS could mount an attack on the core via the EMS northbound interface
Discussion: This is an obvious attack channel and one that exists now with 4G. Any traffic sent northbound from the EMS to the core has to pass through a Security Gateway, a strongly hardened device designed to ensure that only valid traffic can pass.
Risk level: Low.

R.09 An attacker having compromised the EMS could misconfigure or power it down to cause a management plane denial of service
Discussion: If an attacker gains control of the EMS, they have full control of the set of elements it manages. This is typically a very small part of the overall network.
Risk level: Medium.

R.10 An attacker having compromised an element could gain access to data being transmitted through it
Discussion: The radio elements will only see 3GPP airlink-protected traffic, and so have no access to plaintext data. The backhaul routers will only see IPsec traffic and so have no access to plaintext data. The baseband unit would have access to the plaintext data after 3GPP decryption and before IPsec encryption.
Risk level: Medium, limited to a compromised baseband unit.

R.11 An attacker having compromised a Non-Stand Alone 5G BBU could mount an attack on the associated 4G BBU via its control or management plane
Discussion: The new 3GPP 5G-RAN protocols for connecting the 5G BBU to the 4G BBU incorporate full security controls, and so ensure that an attack cannot be mounted through this vector.
Risk level: Low.

R.12 An attacker having compromised an element could mount an attack on the core via the user plane (and in the case of a Stand Alone 5G-RAN the control plane also)
Discussion: This is another obvious attack channel. Any attack on the user plane would have to be inserted within the IPsec stream, and so can only be done prior to IPsec being applied. The connection between the 5G-RAN and the core is protected by a Security Gateway, a strongly hardened device designed to ensure that only valid user traffic can pass through. In Stand Alone mode an attack could be mounted through the control plane, but this too is protected by the Security Gateway, a standard design requirement.
Risk level: Low.

R.13 An attacker having compromised an element could damage the configuration of the element or power it down to cause a limited denial of user plane service
Discussion: If an attacker gains control of an element, they will likely be able to achieve full control. However, attacking it would affect just this element and would have the same impact as the device suffering a software or hardware failure.
Risk level: Low.

R.14 An attacker having compromised an element could mount an attack on a connected device
Discussion: While there has been no evidence of such attacks, they are a speculative risk. This is a complicated way to attack an end device when a mobile application attack would be much easier, and with 5G the attacker would have no visibility of any specific user or device information, so the attack could not be targeted.
Risk level: Low.

The risk table above is a general use case assessment and will need to be instantiated for any specific network deployment with details of the network configuration, particularly around service management, and the quality of enterprise security management.
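The controls that the R.05 and R.06 discussion relies on (jump host with two-factor authentication, access only while a trouble ticket is open, session recording, integrity verification of software loaded over the service management channel, and two-person control) can be expressed as a single policy check in front of the EMS. The following is an added example written for this page, not Huawei or carrier code; the record layouts, the element names, the tickets, the "published digest" list and the fixed clock are all constructed.

```python
"""Service-management change gate.

Added illustration, not Huawei or carrier code: it expresses the controls the
R.05/R.06 discussion relies on (jump host with two-factor authentication,
access only against an open trouble ticket, session recording, integrity
verification of software loaded over the channel, two-person control) as one
policy check. Element names, tickets, sessions and digests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    elements: frozenset      # elements the ticket authorises work on
    opened: datetime
    closes: datetime


@dataclass(frozen=True)
class Session:
    operator: str
    via_jumphost: bool
    mfa_verified: bool
    recorded: bool


@dataclass(frozen=True)
class ChangeRequest:
    ticket_id: str
    element: str
    action: str              # "config" or "software_load"
    package_name: str = ""
    package: bytes = b""     # image pushed over the service-management channel
    approvers: frozenset = frozenset()


def evaluate(change, session, tickets, published_digests, now):
    """Return (allowed, reasons). Every failed control is reported, not just
    the first, so the audit record shows the full picture."""
    reasons = []
    # 1. Remote access only via the jump host, after 2FA, with recording on.
    if not session.via_jumphost:
        reasons.append("session did not come through the jump host")
    if not session.mfa_verified:
        reasons.append("two-factor authentication not completed")
    if not session.recorded:
        reasons.append("session recording not active")
    # 2. Access exists only while a trouble ticket covering this element is open.
    ticket = tickets.get(change.ticket_id)
    if ticket is None:
        reasons.append(f"unknown ticket {change.ticket_id}")
    else:
        if not ticket.opened <= now <= ticket.closes:
            reasons.append(f"ticket {ticket.ticket_id} is not open")
        if change.element not in ticket.elements:
            reasons.append(f"ticket {ticket.ticket_id} does not cover {change.element}")
    if change.action == "software_load":
        # 3. Supply-chain integrity: the image must match a digest the operator
        #    received from the vendor out of band, before it reaches the element.
        expected = published_digests.get(change.package_name)
        actual = hashlib.sha256(change.package).hexdigest()
        if expected is None:
            reasons.append(f"no published digest for {change.package_name}")
        elif actual != expected:
            reasons.append(f"digest mismatch for {change.package_name}")
        # 4. Two-person control: an approver distinct from the operator.
        if not (change.approvers - {session.operator}):
            reasons.append("two-person control: no approver other than the operator")
    return (not reasons, reasons)


# --- constructed sample data (not real tickets, elements or images) -----------
NOW = datetime(2019, 6, 1, 10, 0, tzinfo=timezone.utc)   # fixed clock for repeatability
GOOD_IMAGE = b"constructed firmware image 3.2.1"
PUBLISHED = {"bbu-fw-3.2.1.bin": hashlib.sha256(GOOD_IMAGE).hexdigest()}
TICKETS = {
    "INC-1001": Ticket("INC-1001", frozenset({"BBU-017"}),
                       NOW - timedelta(hours=1), NOW + timedelta(hours=3)),
    "INC-0990": Ticket("INC-0990", frozenset({"BBU-002"}),
                       NOW - timedelta(days=2), NOW - timedelta(days=1)),   # already closed
}
ENGINEER = Session("alice", via_jumphost=True, mfa_verified=True, recorded=True)
DIRECT = Session("alice", via_jumphost=False, mfa_verified=False, recorded=False)


def run_examples():
    """Four requests: one that passes and three that each trip different controls."""
    cases = {
        "approved load": (ChangeRequest("INC-1001", "BBU-017", "software_load",
                                        "bbu-fw-3.2.1.bin", GOOD_IMAGE, frozenset({"bob"})), ENGINEER),
        "tampered image": (ChangeRequest("INC-1001", "BBU-017", "software_load",
                                         "bbu-fw-3.2.1.bin", GOOD_IMAGE + b"\x00", frozenset({"bob"})), ENGINEER),
        "self-approved, closed ticket": (ChangeRequest("INC-0990", "BBU-002", "software_load",
                                                       "bbu-fw-3.2.1.bin", GOOD_IMAGE, frozenset({"alice"})), ENGINEER),
        "bypassed jump host": (ChangeRequest("INC-1001", "BBU-017", "config"), DIRECT),
    }
    return {label: evaluate(req, sess, TICKETS, PUBLISHED, NOW) for label, (req, sess) in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reasons) in run_examples().items():
        print(f"{label:30s} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```

Run as a script it prints one ALLOW/DENY line per request. The point to notice is that every failed control is reported rather than only the first, and that the integrity check runs before the image reaches the element, so the gate also produces the audit trail that the R.05 discussion expects recorded sessions to provide.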

One point to note is that there is a strong binding between a vendor’s EMS and its network elements. The interface for element management is defined by 3GPP only at a high level, and it is left to vendors to develop their own low-level protocols.

3.5 Risk Evaluation

The specific risk evaluation will rely on the final risk levels for the operator, but there are some key messages from the risk analysis:

- the issue of vendor compromise is not a new problem; it is one that network operators have been dealing with for many years;
- the impact of vendor compromise is the same as any other cybersecurity exploitation, and it is one that network operators have been managing for many years;
- the risk of insider subversion applies equally to carrier design and operations staff and to service engineers regardless of ethnicity, and is an area which carriers need to address in the context of their situation;
- the key risks to a secure and resilient network are (a) stopping unauthorised remote access to the EMS and (b) enterprise security management, both of which have been the focus for carriers for decades.

In the 4G scenario, BBUs are able to communicate with each other over the X2 interface. The introduction in the Non-Stand Alone mode of 5G-RAN of a side interface between the 4G and the 5G BBUs (the X2 interface extended for dual connectivity; Xn is the corresponding interface between 5G nodes in Stand Alone mode) is just a further extension of this inter-BBU channel, the security of which is fully described in the 3GPP standards.

3.6 Risk Treatment

The risks shown in Table 3 are mostly mitigated through the designed-in security of the 3GPP standards and through the existing carrier security programmes.

Regardless of whether the network has a 4G or a 5G RAN, one of the priority areas for risk treatment is the operator’s enterprise security controls, and the gateway controls between the carrier network and the enterprise network. The second priority is to ensure strong access control at the EMS, to avoid unauthorised access from inside the RAN domain as well as remotely via the service management interface. The security needed is the same irrespective of whether it is for 4G or 5G.


The risk of a compromised baseband unit being able to intercept plaintext data can be addressed through a focused assessment of its internal routing path between the airlink and the IPsec channels. In general, network trust and the issue of latent malicious code in nodes has been a research topic for more than 20 years, and a summary of such research is provided in Section 4.

In terms of the risk of compromised equipment coming from vendors, this can be adequately controlled through the existing approaches to product evaluation and supply chain security. However, for those nations which require additional controls there are two clear options for risk treatment of risk R.02:

- risk management: deep evaluation of products to achieve design assurance, and independent operational monitoring of the 5G-RAN domain. The full evaluation approach for increased assurance is discussed in Section 5.
- risk refusal: banning certain technologies, essentially a move to technology balkanisation. This issue is further discussed in Section 6.

3.7 Conclusion

The introduction of a Huawei 5G-RAN does not introduce any fundamental new risks, and in particular the issue of vendor compromise is one which has been known and addressed by operators for many years. There is no evidence that this threat is anything other than speculative.

There are some updates to protocols used in 4G, but these have been studied and made secure by 3GPP as part of the standards-making process. In addition, the security of 5G has been enhanced over that in 4G, correcting some known weaknesses in 4G. The 5G RAN deployed by Huawei uses dedicated hardware and is fully isolated from the core.

Governments consider the insider threat for those agencies involved with classified work to be sufficiently high as to warrant extreme countermeasures such as security vetting, two-person operations, and continuous monitoring of staff. These countermeasures have proved to be less than fully effective. Carriers need to determine the extent to which security is required to counter the insider threat and apply effective countermeasures.

There are some clear and present threats to all nations’ network infrastructures, and the focus needs to be on the high threats – not speculative ones.

Carriers and Governments should be confident that the evolution to 5G will bring no significant new security risks, but instead will result in a more secure network infrastructure and an increased economic benefit.


4. 5G-RAN Isolation

4.1 What is Isolation?

Traditionally, networks would have strong perimeter defence, but once inside the network an attacker would find little to inhibit his or her movement throughout the network. This has changed in recent times as the vulnerability of networks has become better understood, and network segregation is now a key requirement in a number of controls standards, as described under PR.AC-5 in the NIST Cybersecurity Framework.

The core of a network contains many components that affect the operation of the network as a whole, and this gives rise to concerns about the risks associated with access to the core of national telecommunications infrastructures. In the event an adversary wishes to disable the national telecommunications infrastructure, this could be achieved by gaining control of the core.

Since the introduction of 4G technologies, some governments have required that certain technologies may be used in the access domain but not in the core. Others have taken the approach of ensuring that the network is multivendor, providing defence in depth through different technologies in the access and the core. Whichever approach has been adopted, RAN and core separation remains a requirement as the 4G network evolves with the launch of 5G.

4.2 5G-RAN NSA Isolation

In a network there are no physical walls or doors with locks, and so seeing and trusting the isolation of the access from the core can be difficult. However, an inspection of the interfaces and protocols used can verify that the RAN domain is indeed isolated. To show this we use the Huawei 5G RAN Non-Stand Alone components, as shown in Figure 7.

Figure 7: RAN Elements

Here we can see clearly the boundary around the 5G-RAN, with two exit points: the northbound exit from the EMS, and the 5G control and data plane traffic. Note that the 4G and 5G baseband functionality can be served in three ways: two different model BBUs, the 4G BBU3900 and the 5G BBU5900 series; two variants of the BBU5900 series; or a single BBU5900 series device containing both 4G and 5G functionality. Regardless, the logical perspective is that of a 4G and a 5G BBU with a control channel interconnect.

The new radio antenna can be passive, in which case it is deployed with a radio unit, or it can be an integrated active antenna which essentially has RRU functionality built in. It can connect through fronthaul DWDM to the BBU units, or it can connect directly if the BBU is co-located at the site.

The radio and baseband elements can be deployed as one unit at the site, or up to (practically) ten radio elements at remote sites can fronthaul back to the exchange to connect to the baseband unit. The routing is typically done using optical transmission, for example the OSN series of Huawei DWDM devices.

Once processed through the baseband unit, the traffic is sent to the evolved packet core through a backhaul router, shown here as the Huawei CX600. This would connect to an aggregation router such as the Huawei CX16, in front of a third-party security gateway. This security gateway is outside of the 5G-RAN and is managed as part of the core boundary.

4.3 5G-RAN SA Isolation

While initial deployments will likely be done in Non-Stand Alone mode, networks are expected over the next five years to evolve to Stand Alone operation. As for NSA mode, an inspection of the interfaces and protocols used can verify that the RAN domain remains isolated, as shown in Figure 8. This is a simpler model than NSA mode as it does not require the separate pathway through the 4G BBU, and it retains equivalent isolation.

Figure 8: RAN Elements

4.4 EMS Northbound Interface

The EMS northbound interface exists to enable the EMS to be queried by the carrier NMS, and to send various data back to the carrier NMS. The main functions it supports are fault management with alarms, performance management, configuration management, and RAN inventory. Performance management includes call history record (CHR) signalling data that is generated by devices during calls. CHR data collection is optional but facilitates network optimisation analysis. The EMS also provides a security interface should external authentication be required, and this can be used to upload log records from the RAN domain for secure storage. The position of the northbound interface is shown in Figure 9.

Figure 9: EMS Interfaces

The full interface details for both the north- and southbound interfaces of the iManager U2000 EMS are shown in Figure 10. For the 5G RAN, only the LTE southbound interface will be used.

Figure 10: EMS Interface Details

The carrier’s NMS can query fault, performance, configuration, inventory and security data on the EMS. The fault interface runs either through the CORBA mechanism, through streaming ASCII, via SNMP, or through file exchange. Performance and configuration data is provided either through CORBA or file exchange, or through a command line interface from the NMS. Security interfaces include CORBA, LDAP, and RADIUS.

The CORBA interface is fully 3GPP compliant and the MML command-line interface is ITU-T compliant. LDAP/RADIUS interfaces are standard but are not required if local accounts are used. SNMP is fully compatible with SNMPv1, v2, or v3; since SNMPv1 and v2c carry community strings in the clear and provide no message authentication or encryption, only SNMPv3 with authentication and privacy should be enabled on the northbound interface. File transfer uses SFTP.
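Sections 4.2 to 4.4 argue that isolation can be verified by inspecting interfaces and protocols: the 5G-RAN has two exit points (the EMS northbound interface to the NMS, and the BBU control and user plane traffic through the backhaul router to the security gateway), and the northbound interface uses a known set of protocols. The audit below is an added example, not Huawei, 3GPP or carrier tooling. It applies that argument to a constructed flow inventory and flags any flow that crosses the RAN boundary other than at those two exits, any unexpected protocol on a permitted exit, and SNMP below v3 with authPriv. The zone and role names, the ports, the tuple layout of the inventory and the requirement that LDAP run over TLS are my assumptions.

```python
"""RAN-boundary and northbound-interface audit.

Added illustration, not Huawei, 3GPP or carrier tooling. Zone and role names,
ports, the flow-tuple layout and the LDAP-over-TLS requirement are assumptions.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src src_zone dst dst_zone proto port opts")

RAN_ZONE = "ran"

# The two permitted exit points of the 5G-RAN (Sections 4.2/4.3) and the
# protocols the page lists for each (Section 4.4 for the northbound interface).
PERMITTED_EGRESS = {
    ("ems", "nms"): {"corba", "snmp", "sftp", "ssh", "ldap", "radius"},
    ("backhaul-router", "secgw"): {"ipsec"},
}

# Variant checks for protocols that are acceptable only in a hardened form.
# SNMPv1/v2c carry community strings in clear; only v3 with authPriv passes.
# LDAP over TLS is my hardening assumption, not a statement from the page.
PROTO_REQUIREMENTS = {
    "snmp": lambda o: o.get("version") == "3" and o.get("seclevel") == "authPriv",
    "ldap": lambda o: o.get("tls") is True,
}


def audit(flows):
    """Return (flow, finding) pairs; an empty list means the inventory matches the
    two-exit-point model with hardened northbound protocols."""
    findings = []
    for f in flows:
        crosses = (f.src_zone == RAN_ZONE) != (f.dst_zone == RAN_ZONE)
        if not crosses:
            continue    # intra-RAN (e.g. X2 between BBUs) or wholly external traffic
        inside, outside = (f.src, f.dst) if f.src_zone == RAN_ZONE else (f.dst, f.src)
        allowed = PERMITTED_EGRESS.get((inside, outside))
        if allowed is None:
            findings.append((f, f"boundary crossing outside the two exit points: {f.src}->{f.dst}"))
        elif f.proto not in allowed:
            findings.append((f, f"protocol {f.proto} not expected on {inside}<->{outside}"))
        else:
            check = PROTO_REQUIREMENTS.get(f.proto)
            if check is not None and not check(f.opts):
                findings.append((f, f"weak {f.proto} settings on {inside}<->{outside}: {f.opts}"))
    return findings


# Constructed inventory: five flows consistent with the model, then three violations.
SAMPLE_FLOWS = [
    Flow("ems", "ran", "nms", "core-mgmt", "snmp", 162, {"version": "3", "seclevel": "authPriv"}),
    Flow("nms", "core-mgmt", "ems", "ran", "corba", 683, {}),
    Flow("ems", "ran", "nms", "core-mgmt", "sftp", 22, {}),
    Flow("backhaul-router", "ran", "secgw", "core", "ipsec", None, {"mode": "tunnel"}),
    Flow("bbu", "ran", "bbu", "ran", "x2", 36422, {}),
    Flow("ems", "ran", "nms", "core-mgmt", "snmp", 162, {"version": "2c"}),   # community-string SNMP
    Flow("nms", "core-mgmt", "ems", "ran", "telnet", 23, {}),                 # clear-text CLI
    Flow("bbu", "ran", "ops-laptop", "enterprise", "ssh", 22, {}),            # a third exit point
]


if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(f"{flow.src}->{flow.dst} {flow.proto}: {finding}")
```

The inventory would normally come from firewall rules or flow records rather than a literal list; the check itself does not change. The first five flows produce no findings, the last three each produce one, and the "third exit point" finding is the one that matters most for the isolation argument, since it shows traffic leaving the RAN without passing the security gateway or the EMS.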


5. Network Trust

5.1 Research into Element Compromise

Trust has long been a research topic for internet-based systems. In 1994, Stephen Marsh published his PhD thesis on formalising trust as a computational concept12 and noted that the formalism presented in this thesis would allow nodes in such networks to reason with and about trust, but also would allow network managers another means of assessing their networks – a remarkable insight into what is now seen as a critical problem. Marsh defines basic, general, and situational trust and includes such concepts as blind trust, optimistic trust which will never decrease, pessimistic trust which will never increase, and distrust where past actions influence current trust. Marsh argues that the concepts of blind trust and permanent distrust should be discarded as they do not belong in a rational decision making system. Situational trust reflects the idea that different agents may calculate trust for the same entity differently, depending on their situation – and this may change as the situation changes. Marsh introduces the idea of utility, where an agent seeks to maximise the utility of a node for economic benefit, a far-sighted view of how trust needs to be balanced with economic gain. An interesting view from Marsh is that trust is not transitive, contrary to the views of later researchers. Marsh notes the problems that can occur in real-world trust: trust is a subjective phenomenon and humans ‘use’ trust in a fashion ‘clouded’ by emotions, wants, needs, and so forth; there is a need to assess the rationality of agents making trust decisions, and there is no a priori reason to assume agents are always rational. However, he does provide rules that a rational trusting entity, human or automated, should follow, and provides a formal trust model in terms of calculating situational trust and co-operation thresholds.

In 2009 Grandison and Sloman13 published a survey of trust in internet applications. In their paper they explore the properties of trust relationships and note that trust is never absolute but

operates within limits, a property we see often in financial delegations. They also note that trust is asymmetrical – the extent to which A trusts B is often not the same as the extent to which B

trusts A. Trust may or may not be transitive, so that A may be trusted by B, and B is trusted by

C, so C may trust A to the extent of its trust of B and B’s trust of A. They also report earlier work

by Josang14 which reflects an Opinion Model of trust based on belief systems, using a measure

triplet consisting of the extent of belief, disbelief, and ignorance which together sum to the

whole. Grandison and Sloman present a number of trust scenarios. The first is a model of a trustor who trusts a trustee to access resources that he/she owns or controls, and the second is

a trustor who trusts a trustee to provide a service. The research covers certification based

transitive trust and delegations. More importantly, it covers the issue of infrastructure trust, i.e.

the trust in the workstation being used, the local network, and the network servers. In this

context the authors refer to the early Trusted Computing Base (TCB) concepts of the US Department of Defence Orange Book. Their conclusion in surveying trust as it relates to the

12 Formalising Trust as a Computational Concept, PhD Thesis, University of Stirling, https://www.nr.no/~abie/Papers/TR133.pdf

13 Grandison T and Sloman M, A Survey of Trust in Internet Applications, January 2000, IEEE Communications Surveys

& Tutorials 3(4):2-16

14 Josang A, Prospectives for Modelling Trust in Information Security, Springer-Verlag, 1997

Page 26: 1. 5G - Huawei Australia Hub

25

internet is that trust is the belief that an entity will act dependably, securely, and reliably within

a specified context, and that trust can change over time. Trust management, then, is how information can be collected to make trust decisions. These concepts are as relevant today as

when published in 2000.

In 2011, Saadi et al15 proposed a trust meta-model to enable heterogeneous trust management systems to interoperate using mediators, allowing the development of composite trust models. Their model relates to technical aspects of stakeholder trust within different system models, but the meta-model can be widely applied to the more generic issues of trust. Their model consists of three elements: trust roles, abstract representations of stakeholder behaviour; trust relations between stakeholders in the model; and trust assessment to compute the trustworthiness of stakeholders. The model includes direct and indirect trust relationships, with indirect trust reflecting the transitive trust concept referred to by Grandison and Sloman but also including the concept of reputation-based trust. Trust assessment involves trust metrics and trust operations. Their work involves the formal specification of a mediator process consisting of mediator roles and operations.

Jaydip Sen16 has proposed a framework for distributed trust management in mobile ad-hoc networks. This framework approaches the problem from the perspective of key distribution and misbehaviour detection. Nodes in the network are considered to be cooperative, malicious, or selfish, and uncooperative behaviour can be detected using node-based reputation scores. Sen notes that external methods of preventing attack cannot be used when a node may be compromised, as it is operating within the security envelope provided by network encryption. In the proposed trust scheme, every node in the network monitors the behaviour of its neighbours, and if any abnormal action is detected, it invokes an algorithm to determine whether the suspected node is indeed malicious. This requires a network node design which incorporates a monitor module, a reputation collector/maintainer/formatter/propagator module, and an alarm raiser module. The framework is designed to handle a range of behaviours such as dropping adverse feedback, selective broadcast and packet dropping, and tampering. This is a key focus for ongoing research into advanced network security.

5.2 Byzantine Behaviour

An area that has seen significant research is that of managing trust in mobile ad-hoc networks, with a particular focus on Byzantine attacks against packet forwarding. A Byzantine attack is one in which one or more nodes in a network may exhibit malicious behaviour. Zouridaki et al17 propose a scheme called Hermes, together with improvements to its robustness against Byzantine attacks. Their Hermes network scheme combines first-hand information on neighbour node behaviour with second-hand reputational information passed from other nodes. Their improvements include a punishment policy to discourage selfish behaviour. The trust measurement assesses the number of correctly forwarded packets relative to the number of incorrectly forwarded packets and has an associated confidence factor. Hermes includes the concept of opinion, to generalize the idea of trustworthiness to non-neighbouring nodes. Han et al18 propose a gossip-based mechanism for information exchange which is robust against Byzantine attacks that deny or fake messages (a message-denying attack is sometimes called a black hole attack). Their research indicates that with relatively few rounds of gossip, the mechanism is robust in the presence of Byzantine attacks. Goyal and Singh19 provide a comparative analysis of Byzantine attacks and prevention methods in mesh networks, reporting the classification of attack types and identifying some key papers. Geetha and Sreenath20 also survey Byzantine attacks on the routing protocols used in mobile ad-hoc networks. They identify a number of Byzantine attacks including black hole, sinkhole, wormhole, gray hole, flood rushing, selfish and overlay network attacks. They identify a range of mitigations including trust-based, incentive-based, cryptography-based, and analytical approaches.

15 https://hal.inria.fr/inria-00617629

16 Sen J, A Distributed Trust Management Framework for Detecting Malicious Packet Dropping Nodes in a Mobile Ad-hoc Network, International Journal of Network Security & Its Applications, Vol 2 No 4, October 2010.

17 Zouridaki C, Mark BL, Hejmo M, Byzantine Robust Trust Establishment for Mobile Ad-hoc Networks, Telecommunications Systems, 2007.
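As an added illustration (not code from this paper or from any of the cited authors) of the neighbour-monitoring scheme in 5.1 and the Hermes-style trust measurement above, the following Python models first-hand forwarding counts with a confidence factor, a punishment policy, and second-hand opinions weighted by trust in the reporter. The formulas, thresholds and node names are assumptions of the example, not the published ones.

```python
"""Reputation-based trust for packet forwarding in a mobile ad-hoc network.
Added example (assumed, simplified formulas; not the published Hermes or
Sen schemes): first-hand counts, confidence, punishment, second-hand opinion."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Observation:
    correct: int = 0    # packets the neighbour forwarded as expected
    incorrect: int = 0  # packets it dropped, altered or misrouted


@dataclass
class TrustTable:
    prior_weight: float = 4.0  # observations needed for confidence to reach 0.5
    threshold: float = 0.5     # trust below this marks a node as misbehaving
    punishment: float = 0.5    # trust multiplier per recorded offence
    obs: Dict[str, Observation] = field(default_factory=dict)
    offences: Dict[str, int] = field(default_factory=dict)

    def observe(self, node: str, forwarded_ok: bool) -> None:
        """Record one first-hand observation of a neighbour's forwarding."""
        rec = self.obs.setdefault(node, Observation())
        if forwarded_ok:
            rec.correct += 1
        else:
            rec.incorrect += 1

    def punish(self, node: str) -> None:
        """Punishment policy: a confirmed offence (e.g. selfish dropping) is
        remembered and scales the node's trust down for all later decisions."""
        self.offences[node] = self.offences.get(node, 0) + 1

    def first_hand(self, node: str) -> Tuple[float, float]:
        """(trust, confidence) from our own observations: trust is the
        Laplace-smoothed share of correctly forwarded packets (an unobserved
        node starts at 0.5), confidence grows with observation count."""
        rec = self.obs.get(node, Observation())
        n = rec.correct + rec.incorrect
        trust = (rec.correct + 1) / (n + 2)
        trust *= self.punishment ** self.offences.get(node, 0)
        confidence = n / (n + self.prior_weight)
        return trust, confidence

    def is_misbehaving(self, node: str, min_confidence: float = 0.5) -> bool:
        """Flag a node only once enough evidence has accumulated, so a single
        lost packet does not condemn a cooperative neighbour."""
        trust, confidence = self.first_hand(node)
        return confidence >= min_confidence and trust < self.threshold

    def opinion(self, target: str,
                reports: Dict[str, Tuple[float, float]]) -> float:
        """Trust in `target` combining first-hand evidence with second-hand
        reports (reporter -> (claimed trust, reporter's confidence)). Reports
        are weighted by our trust and confidence in the reporter; reports from
        distrusted nodes are discarded, blunting slander by a Byzantine node."""
        own_trust, own_conf = self.first_hand(target)
        num, den = own_trust * own_conf, own_conf
        for reporter, (claimed, claimed_conf) in reports.items():
            if reporter == target:
                continue  # a node may not vouch for itself
            rep_trust, rep_conf = self.first_hand(reporter)
            if rep_trust < self.threshold:
                continue  # discard second-hand information from distrusted nodes
            weight = rep_trust * rep_conf * claimed_conf
            num += weight * claimed
            den += weight
        return num / den if den > 0 else 0.5  # no evidence at all: neutral


def demo() -> Dict[str, float]:
    """Constructed scenario: A watches B (cooperative) and C (a black hole),
    then forms an opinion on E, never observed, from B's and C's reports."""
    a = TrustTable()
    for ok in [True] * 18 + [False] * 2:
        a.observe("B", ok)
    for ok in [True] * 3 + [False] * 17:
        a.observe("C", ok)
    reports = {"B": (0.9, 0.8), "C": (0.1, 0.9)}  # C slanders E
    return {"B": a.first_hand("B")[0], "C": a.first_hand("C")[0],
            "E": a.opinion("E", reports)}


if __name__ == "__main__":
    print(demo())
```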

5.3 Industry Observations

More informal concepts around zero trust have been published by industry, an example being the Palo Alto zero trust approach21. This approach to network security has gained popularity since the US House of Representatives Committee on Oversight and Government Reform issued a report which recommended that the US Government take a zero trust approach to its network security22. Zero Trust in this context is a data-centric network design that puts micro-perimeters around specific data or assets so that more granular rules can be enforced. Zero Trust networks solve the "flat network" problem that helps attackers move undetected inside corporate networks so they can find and exfiltrate sensitive data, and are often implemented using network segmentation.

18 Han K, Ravindran B, Jensen ED, Byzantine-Tolerant Point-to-Point Information Propagation in Untrustworthy and Unreliable Networks. https://pdfs.semanticscholar.org/27ce/be214e7f37e59691c4e256d317828784c409.pdf

19 http://www.ijeast.com/papers/54-58,Tesma109,IJEAST.pdf

20 http://iieng.org/images/proceedings_pdf/AE0116013.pdf

21 Palo Alto, Getting Started With a Zero Trust Approach to Network Security, 2014.

22 Chaffetz J, Adopting a Zero Trust Cyber Model in Government, 19 Sep 2016. https://oversight.house.gov/op-ed/adopting-zero-trust-cyber-model-government/


6. Security Evaluation

6.1 Early Approaches

Governments from an early stage have used product evaluation to address security concerns with their use of technology. In the 1960s, the US Department of Defense introduced a set of trusted systems criteria in what was known as the Trusted Computer System Evaluation Criteria (TCSEC), more commonly known as the Orange Book. Systems could be evaluated against the criteria to achieve trusted system levels from the entry-level C2 trust through to a rigorous A1 standard. At each level, a set of functionality was specified together with the level of assurance which was required; at each higher level there was more security functionality specified and more assurance required. Microsoft Windows NT 4.0 was an example of a commercial product which was evaluated and achieved the C2 standard.

The UK Government did not recognise the TCSEC scheme, and instead introduced an alternative scheme called the IT Security Evaluation Criteria (ITSEC), which decoupled security functionality from its level of assurance. A product could be submitted for an ITSEC evaluation with vendor-specified functionality, and evaluated to a specific level of assurance. Product evaluations would reference the evaluation level, for example E2.

Eventually, in the late 1990s, the Orange Book and ITSEC approaches merged into a single set of criteria recognised by the US, UK, Canada, Australia and New Zealand. This scheme, known as the Common Criteria, is now recognised by 28 countries as the means of approving equipment for use by governments in their national infrastructure. The scheme accepts vendor-specified functionality and evaluates products to a specific level of assurance, as did the ITSEC. The evaluation levels are known as EAL1-7.

Figure 11 shows the development paths of the security standards and evaluation criteria.

Figure 11: Cybersecurity Standards and Evaluation Criteria

While governments were looking at how to manage the security of technologies that they use, industry was developing its own security standards. This started with the original UK Department of Trade and Industry code of practice PD0003, developed by a working group of some of the UK’s major companies. This was eventually recognised and republished as the British Standard BS7799. It was subsequently accepted by the International Organization for Standardization as ISO17799, and has evolved into what is now known as ISO27000: Code of Practice for Information Security Management System.


In the US, the National Institute of Standards and Technology (NIST) developed and published a security controls standard for Government agencies called Special Publication (SP) 800-53: Security and Privacy Controls for Federal Systems and Organisations. It was aimed at helping agencies adopt commercial IT equipment and understand how to manage it safely, using controls that were not dissimilar to those in what was at the time ISO17799.

6.2 The Emergence of Cybersecurity

As connectivity has become ubiquitous, the risk of cyber attack has grown substantially, and the information security management system and controls provided by ISO27000 and SP800-53 have failed to adequately protect governments and businesses. The increasing deployment of web technology has introduced many different protocols for managing information and interconnectivity, and has enabled many new attack vectors. At the same time, the emergence of smart phones with full computing capabilities has added yet more new technologies, new attack vectors, and new security mechanisms. Cloud computing and agile development add to the canvas to make it quite a different picture from the one that inspired the development of the early security standards.

Consequently, the US National Institute of Standards and Technology (NIST) has developed and published the Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework). This Framework has been widely adopted. Other schemes such as the UK Cyber Essentials have been proposed, but have not achieved global recognition.

The NIST Cybersecurity Framework takes an attack-centric view of security, providing a control framework to address all stages of a cyber attack across the five categories of identity and access management, preventative controls, detective controls, incident response, and recovery. It does not define a new set of controls, but shows how existing controls from ISO27000, SP800-53, and other sources can be applied to mitigate cybersecurity risks. The Cybersecurity Framework is now widely recognised as being the definitive standard against which contemporary technology should be evaluated.

6.3 Common Criteria Evaluation Scheme

While governments originally had their own evaluation teams and carried out evaluations within government, this proved to be unsustainable. Governments subsequently began to take responsibility only for managing their evaluation scheme, and evaluation became a commercial activity under government oversight. Products passing the evaluation were then issued a certificate and added to the list of Common Criteria evaluated products.

Each country manages its own approach to commercial evaluation. For example, in Australia and New Zealand, a joint Australasian Information Security Evaluation Programme (AISEP) was established, with representation from both countries. Within this programme, a number of Australasian Information Security Evaluation Facilities, or AISEFs, were accredited to do evaluation work. The AISEP programme continues today as Australia and New Zealand’s Common Criteria evaluation scheme.

The Common Criteria scheme has always had provision for a pre-defined set of functionality to be used, rather than vendors having to develop their own set. These predefined Protection Profiles meant that products from different vendors could be compared against a common target of evaluation, and that governments could establish demand-side security functionality.


Protection Profiles may be recognised at the national level, or may be a collaborative profile recognised by a number of countries. Of particular note, the Network Device collaborative Protection Profile, NDcPP, has been published in the US and is recognised by Australia. It has yet to gain any more widespread acceptance. Nevertheless, it is increasingly being promoted in the US and Australia as the standard required for wired network devices used in government and national infrastructure.

Despite the AISEP scheme having operated for 20 years, the vast majority of government and national infrastructure equipment has not been evaluated to Common Criteria standards. The AISEP is used for guidance only, and few departments or agencies are prepared to limit their technology choice to the listed evaluated products. Nevertheless, Huawei has recognised the value to customers of having products evaluated within the Common Criteria scheme, and has submitted many of its products for evaluation, including the 4G eNodeB, and will submit the 5G gNodeB.

6.4 Huawei Deep Evaluation

Huawei has for many years recognised the importance of cybersecurity. When it first established its formal cybersecurity programme, a programme focused on delivering secure products and services to its customers, it noted:

Huawei is willing to work with all governments, customers and partners through various channels to jointly cope with cyber security threats and challenges from cyber security. Huawei will set up regional security certification centers if necessary. These certification centers will be made highly transparent to local governments and customers, and Huawei will allow its products to be inspected by people authorized by local governments to ensure the security of Huawei’s products and delivery service.

Huawei has built an independent capability called the Independent Cyber Security Lab (ICSL) in China, and this is made available for customers or their representatives to carry out security evaluations in an evaluation lab where support from experienced and knowledgeable engineers is readily at hand. This is suitable for many governments.

Huawei provides a great deal of the UK national infrastructure, and in order to provide HMG with assurance that its national infrastructure was secure, Huawei demonstrated its willingness to work with HMG by establishing the Huawei Cybersecurity Evaluation Centre, or HCSEC. This facility is operationally independent from Headquarters and is staffed by local security-cleared employees to enable any classified security concerns of HMG or the UK customers to be addressed. The focus of the HCSEC team is on using credible and auditable local operational processes to evaluate all aspects of Huawei products, from design to solution supply, while providing continuous improvement of Huawei processes and procedures in the delivery of products to the UK market.

The HCSEC was set up in 2010, and each year Huawei invests approximately £4M to cover all HCSEC operational costs. The Director HCSEC is appointed by Huawei after consultation with HMG and has the full authority to manage the HCSEC including finance, procurement, and HR (recruitment, employee promotion, salary, bonus, performance, job certification and qualification, etc.). Huawei does not have any influence over the internal evaluation processes.

The HCSEC is designed with two zones: a restricted zone, where only cleared people can operate, and an unrestricted zone. The selection and prioritisation of the work, and the methods, tools and techniques used to undertake the evaluation, are all under the control of the HCSEC staff and are not visible to Huawei. The HCSEC will provide the evaluation report directly to the customer to avoid any suggestion of tampering by Huawei.

The Canadian Security Assessment Lab (CSAL) operates in a similar way, but evaluation is outsourced to a number of third parties rather than managed within the facility. These third parties are selected at the discretion of the operator and the Canadian Government, and are security cleared. The CSAL is a secure facility with an evaluator restricted zone and a Huawei restricted zone, which allows access to source code whilst protecting Huawei IP, and evaluations are carried out remotely. Again, all costs of running the facility are borne by Huawei.

Additional Huawei evaluation centres are being deployed around the world to support those governments that have adopted a risk mitigation approach to improving the security of their telecommunications infrastructure.

A key issue to be addressed in any evaluation centre is that of ensuring binary equivalence, so that the binary and source code under evaluation can be shown to be the same code that is running in the network. This is a challenging technical requirement, but it is fundamental to the effectiveness and relevance of any deep evaluation.
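As an added example (not Huawei's or any evaluation centre's tooling) of the binary equivalence check described above, the following Python compares an image rebuilt from the evaluated source with the deployed image and locates the first differing byte. The `build` function is a constructed stand-in for a toolchain; its embedded build timestamp shows why an unpinned rebuild fails the check even when the source is identical.

```python
"""Binary equivalence: is the image rebuilt from the evaluated source the
image running in the network? Added example, not any evaluation centre's
tooling. `build` is a constructed stand-in for a toolchain (header + payload)
whose build timestamp is the kind of nondeterminism that defeats byte-for-byte
comparison unless the build is pinned (cf. reproducible builds / SOURCE_DATE_EPOCH)."""
import hashlib
import time
from typing import Dict, Optional

# constructed firmware source; in practice this is the source tree under evaluation
SOURCE = b"int main(void) { return 0; }\n"


def build(source: bytes, build_time: Optional[int] = None) -> bytes:
    """Stand-in build: 4-byte magic, 8-byte timestamp, sha256(source), source.
    Leaving build_time as None embeds the wall clock, as unpinned toolchains do."""
    ts = int(time.time()) if build_time is None else build_time
    header = b"IMG1" + ts.to_bytes(8, "big")
    return header + hashlib.sha256(source).digest() + source


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte (None if identical). The offset tells
    an evaluator whether a mismatch sits in build metadata (here bytes 4-11)
    or in the code itself, which is what matters for the evaluation."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_equivalence(evaluated: bytes, deployed: bytes) -> Dict[str, object]:
    """Compare the image rebuilt from evaluated source with the deployed image."""
    same = sha256_hex(evaluated) == sha256_hex(deployed)
    return {
        "equivalent": same,
        "evaluated_sha256": sha256_hex(evaluated),
        "deployed_sha256": sha256_hex(deployed),
        "first_diff_offset": first_difference(evaluated, deployed),
    }


def demo() -> Dict[str, Optional[int]]:
    """Three constructed cases: pinned rebuild, unpinned rebuild, altered source."""
    deployed = build(SOURCE, build_time=1_500_000_000)
    pinned = build(SOURCE, 1_500_000_000)
    unpinned = build(SOURCE, 1_500_000_001)
    altered = build(SOURCE + b"/* extra */\n", 1_500_000_000)
    return {name: check_equivalence(img, deployed)["first_diff_offset"]
            for name, img in (("pinned", pinned), ("unpinned", unpinned),
                              ("altered", altered))}


if __name__ == "__main__":
    print(demo())
```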

6.5 Continuous Security Quality Improvement

There have been no security concerns related to malicious software identified through either the UK or Canadian evaluations. However, a number of recommendations have been made to Huawei regarding improvements to its source code and software design. These have been taken into account in Huawei’s ongoing product improvement and development programme.

An unexpected benefit from running the evaluation centres has been to introduce a comprehensive security quality improvement programme, benefiting all governments which use Huawei equipment in their national critical infrastructure. Huawei 4G RAN equipment is now arguably the most secure part of any network, and this will continue with the introduction of 5G.


7. Technology Balkanization

7.1 Equipment Tampering

Despite the fact that evidence has been found of US tampering with vendor equipment over a period of many years, and that supply chain security has been in place in most carriers for more than a decade, this is now being highlighted as a new threat which requires technology bans. Ironically, the US and Australia have both been very vocal in this regard. Also ironically, this continues a theme of retreat from globalisation which started in 2013 with calls for balkanization of the internet – a call resisted at that time by the US and Australia.

It is worth exploring this issue in more depth, because there are some very significant consequences of taking the balkanization path as the option for risk mitigation.

7.2 Security Agency Access to Equipment

A particular focus in the discussion on equipment tampering has been the legislation in various countries, and the extent to which it enables governments to compel private industry to install backdoors or malicious code in their products.

Government backdoors in some US products have been disclosed, but this is as a result of industry collaboration with security agencies rather than as a result of any legal imperative. There has been no evidence of any Chinese product having a government backdoor, and legal opinion on Chinese Intelligence Law23 confirms that there is no provision the Chinese government can use to compel its industry.

The risk of a government backdoor in a product is therefore a case-by-case consideration based on the company culture and government relationship.

7.3 Technology Balkanization

In October 2013, as a result of the Snowden revelations, Brazilian President Dilma Rousseff announced plans to create a "walled-off, national Intranet". This rang alarm bells around the world and raised the possibility that other nations would also erect barriers and reject a global internet. The result was a substantial amount of cyber diplomacy led by the UK and US to ensure that a global internet remained viable.

The rejection of the US as a safe harbour for data, the evidence of subversion of technology by the US, and the rejection of Chinese telecommunications companies in the US despite a lack of evidence of any wrongdoing, are concerning signs that the threat of internet balkanization has been overtaken by a much stronger threat of technology balkanization. In a world where products are increasingly built using a global supply chain, this spells disaster. The effect of demand-side technology balkanization can be seen in the US sanctions on technology supply to ZTE, which have all but destroyed the company. As companies lose the ability to source global components, their products will become more expensive or cease to be viable. As companies lose a global market and are limited to a domestic or bloc sales market, their growth and capability to innovate will be capped.

23 Declaration of Jihong Chen and Jianwei Fang, Exhibit E Before the Federal Communications Commission, May 27, 2018.

The current arguments being put forward, without evidence, that Chinese technology is a national security risk fail to acknowledge one salient point – even what is currently considered acceptable technology is now built in China. If the Chinese Government can force a Chinese vendor to compromise its technology, then it can just as easily force a Chinese manufacturer to compromise the products it is manufacturing. Technology balkanization driven by a single-minded national security agenda will result in a nation having less choice of technologies and reduced national growth, and if taken up globally will stifle any serious technology innovation.

In the event a class of technology is blocked, there may need to be some alternative source. This is the case in the US for semiconductors24. Semiconductor foundries have a limited life, after which new foundries have to be built to support the more advanced chipsets. The current level of US ownership of fabrication facilities is about 13%, and the projection for establishing new semiconductor foundries is such that the US may lose its semiconductor industry completely. The cost of investing in fabrication is significant, with an advanced foundry costing around $15B and likely to increase year on year. Given the increasing number of fabrication plants elsewhere, the market for the US is shrinking and building a new plant may not be economically viable for industry. Having access to secure semiconductor technology is important for Defense, and a key strategy for the DARPA SPADE programme is identifying ways to disaggregate trust and enable co-existence. The same issue faces the US in the case of networks, where the most advanced networks are coming out of China; in banning them the US is forced to adopt more expensive and less advanced network technology.

7.4 Rejecting Risk Management

The decision by the US and China to block each other’s telecommunications technologies is a rejection of a risk-balanced approach and is instead the first step down the path to technology balkanization. Australia is debating whether to join the technology balkanization movement, but has much less national capability and is therefore at much greater risk as it pursues this strategy. The UK, Canada and New Zealand have all elected to take the risk mitigation path. Most of the rest of the world is happy with globalisation.

Banning technology firms, however, is just the first step. If the US and Australian strategy of banning Chinese products is in fact about security - and there is no guarantee that this is the case - then it will achieve nothing if it does not flow on to all Chinese manufactured technologies.

Re-establishing a national programme of manufacturing in the US would have some benefit in creating jobs, at the cost of more expensive technology. This may be an acceptable compromise and is a strategy for addressing trade imbalance, global technology influence, and information dominance.

China is a key player in this debate as it is rapidly emerging as a country of world-class technologists with the scale and culture to be a global leader in advanced technology. Its universities are first class and its technology products are first class, and China is open for business. Huawei is an example of the western-style businesses that are now emerging from China, and there will be very many more. Some countries may not be ready for a smart China, but “smart China” will emerge regardless as the source of many of the future’s new technologies. Nations in denial will be left behind.

24 http://www.ndia.org/divisions/working-groups/tmejwg