How to conduct a watertight risk assessment for 5G networks

By 2025, 5G networks are expected to cover a third of the world’s population. As the global footprint of 5G expands, so does the associated security risk. While the underlying security capabilities of 5G are superior to those of previous generations, they are not without limitations.

Retail customers use public networks with limited security liability, but most organizations using 5G (typically for manufacturing and operations) will need to build a private network or use a hybrid public/private model that is built to meet their specific requirements. The complexity of such an ecosystem makes risk assessment an essential part of implementing security for 5G.

In the previous blog, we looked at the challenges associated with 5G deployment architectures and why risk assessment must be holistic in nature, covering both the horizontal and vertical axes of the network. Here, we take a closer look at what it takes to conduct a full risk assessment.

Essential steps for a robust risk assessment

A thorough risk assessment ensures full coverage of the 5G network. It has to be comprehensive and end-to-end, with a full understanding of the people, processes, and technology risks, while adhering to the necessary frameworks, such as NIST, the ISA/IEC 62443 standard, and MITRE FiGHT

At Capgemini, we follow these three essential steps as with any risk assessment :

 1. Discovery

The discovery phase aims to gather all necessary information about the 5G environment, its assets, the number of and types of devices, and the use cases deployed, along with the organization’s risk appetite and existing security policies.

2. Assessment

Once all the necessary information has been collected, the assessment phase evaluates security controls and policies that are pertinent to the 5G network. Every identified gap is assigned a risk score, and reports and visual aids are created to clearly communicate these findings.

 3. Reporting

After the assessment, a complete view of the current maturity level and the risk scores are reported, and supporting recommendations are presented to enhance the security posture.

Our approach to 5G risk assessment is divided into two key parts, one covering the technical controls and the other covering managerial and operational controls:

• Technical controls: This part of the assessment addresses the technical controls implemented in a 5G network spanning its various components that include the endpoints, mobile edge computing (MEC), radio access network (RAN), core, and other functional elements like NFV and network slicing. For each of these components, the assessment is further classified into several sub-categories. For instance, the sub-categories for which an endpoint is assessed include its access control, network security, supplier security, physical security, and asset management. Such an approach to sub-categorization is especially useful when assessing functional elements. For example, network slicing in 5G is a key functional element that enables the delivery of meaningful guarantees for network coverage, performance, capacity, or even security. Slicing essentially divides the underlying physical network infrastructure into multiple virtual networks to cater to a specific quality of service (QoS), such as low latency for real-time applications, high bandwidth for multimedia streaming, and ultra-reliability for critical communications. While this adds significant value to a network and is expected to provide monetization opportunities, each slice requires specific security requirements to protect against attack vectors relevant to itself. Our risk assessment approach covers the following sub-categories for slicing:
  – security for the installation and configuration of a slice
  – security during the slice preparation phase
  – security during the slice run phase, security for the slice decommissioning phase
  – inter- and intra-slice security
  – slice interface security
  
• Management & operational controls: This part of the assessment covers risks primarily related to governance, human resource management, incident management, operation management, monitoring audit and testing, and threat awareness. This means asking those non-technical but critical questions such as:
  – Has a potential dependency on a single supplier of 5G equipment been considered?
  – Have personnel with access to critical or sensitive components of 5G networks been security-vetted?
  – Are there documented plans in place in case of a disaster affecting the ongoing operation of the 5G network?

Some of the key advantages of this risk assessment include ensuring these qualities:

• Standards: It brings together the recommendations and guidance from various organizations, such as ENISA, ETSI, IETF, ITU-T, ISO, ORAN, OWASP, NIST, and GDPR.
• Deployment model: It addresses security risk for various non-public network (NPN) deployment models, including stand-alone deployment and public network integrated deployment.
• End-to-end capabilites: It covers the entire operational technology (OT) and Internet of Things (IoT) ecosystem that sits on top of the 5G network. This includes security concerning manufacturers, suppliers, telco operators, edge, OT, and IoT devices.
• Compliance: It is compliant to industry-accepted standards (e.g., IEC 62443) to facilitate auditing and certification. It incorporates functional and operational requirements for different security levels such as SL1, SL2, and SL3.
• Comprehensive Coverage: It provides full comprehensive coverage for technical and non-technical risks while at the same time covering the entire 5G architecture from edge devices, RAN, core, MEC, cloud, and to the applications.

Ongoing monitoring and compliance

A sound risk assessment is the start of any security journey. After the assessment and the deployment of various security controls, it is crucial to establish an ongoing process for monitoring and responding to security events in the 5G network. Continuous monitoring allows organizations to detect and respond to any security incident promptly, maintaining a robust security posture – the next blog in the series will consider how to deliver such a monitoring program for 5G networks. Stay tuned.

Contact Capgemini today to find out about 5G security.