Presented by:

© ETSI

ETSI Security Week 2020 goes virtual!

Bengt Sahlin, EricssonTomasz Osko, OrangeDavid Soldani, Huawei

Deploying 5G SecurelySecurity Challenges and Regulatory Aspects

ETSISecurity

Week 2020

Monday 8 June3pm

5G Deployment

Tuesday 9 June

3pm CET

SSP: The New Smart Secure Platform - A High Level Introduction

4.45pm

SSP: The New Smart Secure Platform - The Technical Realisation

Wednesday 10 June10.30am

Insight into the First Steps of the Cybersecurity Act Reality

3pm

5G Security for Verticals

Thursday 11 June10.00am

Consumer IoT Security Standards

11.30am

Consumer IoT Security –Certification Schemes

3pm

ETSI Standardization in Advanced Cryptography

Monday 15 June

3pm

SKINNY LATTE: Scalable Hierarchical Identity Based Encryption over Lattices

Tuesday 16 June3pm5G Security Evolution

Wednesday 17 June10.30am

5G Network Certification

Thursday 18 June10.00am

Security Challenges and Regulatory Aspects

3pm

Fully Homomorphic Encryption

Friday 19 June

10.30am

Industry Applications and Use Cases for Advance Cryptography

Deploying 5G Securely

Cybersecurity Act –one year on

Smart Secure Platform

Even more advanced Cryptography

scheduled in CEST

© ETSI ETSI Security Week 2020 goes virtual

Security Challenges and Regulatory AspectsModerated by Bengt Sahlin, Ericsson

Security Challenges in 5G Multi-access Edge ComputingTomasz Osko, Orange

How to Improve the Security of Business and Communities and Ensure Future Prosperity in a CountryDavid Soldani, Huawei

Security Challenges in 5G Multi-Access Edge Computing

18 June 2020

Tomasz Ośko

Orange Polska, Warsaw, Poland

INSPIRE-5Gplus Project

▪ 5G MEC context

▪ MEC Assets versus Threats

▪ Extended attack surface

▪ Security controls, management & orchestration

▪ Main 5G MEC challenges

▪ MEC security services

▪ Work in progress in INSPIRE-5GPlus

▪ Summary

Contents

The triangle of 5G applications (source: https://www.etsi.org/images/articles/Future-IMT.png)

5G usage scenarios

MEC

Edge computing in telecommunications networks

is a technical enabler for demanding 5G KPIs, reflecting needs of Verticals.

5G

MECMEC mMTC URLLC

eMBB

MEC

MEC in context of 5G challenges

MEC Assets versus Threats

Field

Domain

Solu

tions d

ivers

ity

Cloud

Domain

# Devices

Clients

Verticals

# Networks

Distributed

Data Centers

Cloud

Computing

Virtualization

MEC Multi-

access Edge

Computing

Distributed

software

Applications

Technolo

gy c

hanges

Architecture changes

Solu

tions d

ivers

ity Div

ers

ity o

f solu

tions

Devices density

Interworking

Private

Public

Hybrid

PaaS

IaaS

SaaS

Interoperability

MEC Host

MEC Platform

MEC Apps CI/CD

… MEC …

Data volumes

Accesses, Transport Networks, 5GC, Internet

Operator Multi-access, Multi-domain, Multilayer Network

Local Area Data Network

Far Edge Near Edge

E2E service changes

Extended attack surface

… MEC …

Tenants DC Tenants DC

Field

Domain

Solu

tions d

ivers

ity

Cloud

Domain

Security

Measure

s &

Contr

ols

Multilayer security

Solu

tions d

ivers

ity

Cybers

ecurity

cert

ific

ation

Isolation

AAA

O&M

IaaS

SaaS

Trusted

Integration

MEC Hosts

MEC Platform

MEC Apps SecDevOps

Context

… MEC …

# Devices

Clients

Verticals

# Networks

Distributed

Data Centers

Cloud

Computing

Virtualization

MEC Multi-

access Edge

Computing

Distributed

software

Applications

# Networks

Distributed

Data CentersAccesses, Transport Networks, 5GC, Internet

Operator Multi-access, Multi-domain, Multilayer Network

Local Area Data Network

Far Edge Near Edge

Safe hosting

Safe service

Multi-domain security management & E2E security orchestration

Safe hosting

Safe service

Safe Data

Safe platform Safe platform

Safe

infrastructure

Safe

infrastructure

Safe operations

Security controls, management & orchestration

PaaS

Tenants DC Tenants DC

Main 5G MEC challenges

Ensure management procedures and security services that allow Verticals to meet respective, specific regulatory requirements (e.g. isolation).

Operate sensitive data, 3rd party apps on proper level of security, as a trusted entity.

Guarantee safe MEC infrastructure and components - defined responsibility between

tenants.

Coexistence

Cooperation

Trust

5G

MEC

Apps

More protection with edge security applications

▪ Control communication, data processing, and data flows exchanged between the devices, applications and cloud.

▪ Security Services on-demand.• Deliver „probe on-demand” services

for Verticals.• Deliver on-demand data processing

services for Verticals.• Extend Verticals’ security services

with edge applications.

▪ Introduction of new security enablers and capabilities.

Devices

Cloud

MEC

MECEquipment

Equipment

Applications

Applications

MEC security services

▪ The challenge is to derive universal, resource preserving security features and security

management framework to protect, among others, MEC applications and services using them.

▪ In the context of INSPIRE-5GPlus there has been four fields identified in which the project will focus

to enhance security beyond 5G, taking into account MEC.

– Security management framework that follows the ETSI Zero touch network and Service Management (ZSM).

– Trusted Execution Environment (TEE) to elevate integrity and confidentiality to software and data of any type.

– Artificial Intelligence (AI) and Machine Learning (ML) to empower key security functions.

– Dynamical liability chains and distributed security to provide dynamic security optimization and placement.

▪ To meet the challenging performance and security level requirements of the various 5G usage

scenarios (i.e. eMBB, URLLC, mMTC), a consolidated and integrated approach is needed in order

to prepare the next move towards smart end-to-end security for future connected systems that will

serve a plethora of vertical domains and applications across various market sectors provisioned

through logical and self-contained network slices (supported by platforms) running on multiple

administrative domains and for which the level of security offered would be a key acceptance factor.

Work in progress in INSPIRE-5GPlus

▪ Provisioning of multilayer security, multi-domain security management & E2E security

orchestration.

▪ Open opportunity to grow with MEC that is the best way to deliver better availability

and more safely to the clients and enterprises.

▪ Comprehend the opportunity through cooperation, seize the chance thanks

cooperation in terms of technology and business development, security and stability.

Summary

DziękujęThanks

tomasz.osko@orange.com

This work has been done with the support of

INSPIRE-5Gplus Project

Grant Agreement No.: 871808

Research and Innovation action

Call Topic: ICT-20-2019-2020: 5G Long Term Evolution

16

Dr. David Soldani• CTO and CSO Huawei (Australia)

• CSO Office Huawei (ASIA Pacific)

• Adj. Professor, UNSW (Australia)

ETSI Security Week Webinar:

Security Challenges and Regulatory Aspects, 18/06/2020https://www.rcrwireless.com/20200416/5g/huawei-cto-5g-securiuty-standards

How to Improve the Security of

Business and Communities and Ensure

Future Prosperity in a Country

17

Biography – Dr. David Soldani~25 years active in ICT field

• Future wireless, network, cybersecurity, artificial intelligence, IoT and multimedia technologies

• 500+ successful projects for 2G, 3G, 4G and 5G systems and services

• 1000+ quality deliverables

~10 Years: Huawei Technologies

• 2020-Present: Chairman of IMDA 5G Task Force (Singapore)

• 2018-Present: CTO & CSO Huawei (Australia). CSO Office – Huawei (ASIA Pacific Region)

• 2009-2016: Head of Central Research Institute and VP Strategic Research and Innovation in Europe

~15 Years: Nokia

• 2016-2018: Head of 5G Technology, e2e, global

• 1997-2009: R&D Director, Finland; and Network Planning Manager, Italy

~ 2 Years: Italian Military Navy

• Officer at Italian Institute of Telecommunications and Electronics, Livorno, Italy

Qualification• 2018-Present: Adjunct Professor at University of New South Wales (UNSW), Faculty of Engineering, Australia

• 2014-18: Industry Professor at University of Technology Sydney, Australia; Visiting Professor at University of Surrey, UK

• 2002-2006: Doctor of Science (D.Sc.) degree in Technology with distinction from Helsinki University of Technology (TKK), Finland

• 1989-1994: Laura Vecchio Ordinamento in Electronic Engineering with magna cum laude from Università degli Studi di Firenze, Italy

18

The “Flag of Origin” is not critical a element of cybersecurity

Route cause categories

• 66% (90% in UK) System failures: hardware

failures (36%) and software bugs (29%)

• 17% human errors

• The country of origin of suppliers not among main causes for concern in how attacks are carried out... [UK NCSC]

• The “Flag of origin” for Telco equipment is not the critical element in determining cyber security [UK ISC]

• 9% Natural phenomena

• 4% malicious actions: 2/3

Denial of Service (DoS)

attacks, and the rest are

mainly damage to physical

infrastructure

19

EU coordinated risk assessment 5G cybersecurityhttps://eu2019.fi/en/article/-/asset_publisher/member-states-publish-a-report-on-eu-coordinated-risk-assessment-of-5g-networks-security

This document follows the approach set out in the ISO/IEC: 27005 risk

assessment methodology, and reflects the assessment of a set of parameters:

the main types of threats posed to 5G networks,

the main threat actors,

the main assets and their degree of sensitivity,

the main vulnerabilities,

the main risks and related scenarios.

• Conclusions based on capabilities (resources) and intention/attempt (motivation)

• Integrity and availability of 5G is the major concerns, on top of the existing

confidentiality and privacy requirements

• Most critical 5G assets: Core Network Functions, NFV MANO

20

What is GSMA NESAS / 3GPP SCAS?

The Network Equipment Security Assurance Scheme (NESAS),

jointly defined by 3GPP and GSMA, provides an industry-wide

security assurance framework to facilitate improvements in

security levels across the mobile industry

NESAS defines security requirements and an assessment

framework for secure product development and product lifecycle

processes; and security evaluation schemes for network

equipment, using 3GPP defined security test cases, i.e. 3GPP

SCAS – Security Assurance Specifications

It is an industry defined voluntary scheme through which vendors subject their product development and

lifecycle processes, and network equipment, to a comprehensive security audit and testing against the

currently active NESAS release and its security requirements

21

NESAS Is Widely Supported in Industry

Specifications

NESAS 1.0 Released

Security Authority

Global communications

& collaboration

NESAS 2.0

Vendors

Ericsson, Nokia and

Huawei openly support

NESAS as a 5G unified

cybersecurity certification

foundation

Auditors & Lab

2 European audit firms

selected by GSMA

10+ carriers support

10 global tier-1 carriers request

NESAS before deployment (5 in EU)

Carriers

• https://www.gsma.com/security/nesas-security-auditors/

• https://www.gsma.com/security/nesas-security-test-laboratories/

10+ Test Labs* (mainly in Europe)

are being accredited by ILAC

member accreditation bodies

(*) Security test laboratories – that are deemed by an International Laboratory Accreditation Cooperation (ILAC) member accreditation body to

have been ISO 17025 accredited and NESAS requirements – will be considered to have achieved NESAS accreditation satisfied.

22

GSMA and 3GPP Roles and Responsibilities

GSMA defines and maintains the NESAS specifications which cover assessment of the

Vendor Development and Product Lifecycle processes, NESAS Security Test Laboratory

accreditation, and security evaluation of network equipment.

The GSMA also defines a dispute resolution process and governs the overall scheme.

3GPP defines security requirements and test cases for network equipment

implementing one or more 3GPP network functions – specified in Security Assurance

Specifications (SCAS): 3GPP TS 33.X

Roles of GSMA in NESAS

Roles of 3GPP in NESAS

Reference https://www.gsma.com/security/network-equipment-security-assurance-scheme/

23

The NESAS approach consists of the following steps:

1. Equipment Vendors define and apply secure design, development,

implementation, and product maintenance processes;

2. Equipment Vendors assess and claim conformance of these

processes with the NESAS defined security requirements;

3. Equipment Vendors demonstrate these processes to independent

auditors that GSMA has selected;

4. Level of security of network equipment is tested and documented;

5. Tests are conducted by accredited test laboratories against 3GPP

SA3 defined security requirements ➔ Evaluation report may be

forwarded to purchasing operators.

NESAS/SCAS High Level Process

The NESAS has 2 main parts:

1. Assessment of the security related to the Development and Product Lifecycle Processes; (By Selected Auditors: ATSEC/NCC Group)

2. Security evaluation of network equipment by test laboratory. (By Accredited Test Labs: i.e. Draka, Brightsight)

NESAS High Level Overview

24

Keep NESAS Evolving as a Solid Security Assurance Basis

Planned：

1) Penetration Test

2) Cryptographic analysis

3) Software engineering

Comments on

NESAS Evolution

GSMA NESAS Official：

”NESAS is designed to be improved

iteratively. All the lessons learnt from the application of NESAS

will be considered and reflected in future

releases”

TUVIT 3GPP Keynote：

We believe NESAS will further evolve to fulfill

the high level requirement.

TUVIT commented

EU Cybersecurity Act (CSA) Security Assurance Level

NESAS1.0

NESAS2.0

By 2020.12 (E)

Substantial

High

Basic

Level Assumed Attacker Evaluator

Basic - By self-assessment allowed

Substantial Limited skills and resources By third party evaluation

High Significant skills and resources By national cybersecurity

certification authority

25

Details on Evolution of NESAS from 1.0 to 2.0

Based on the requirements from EU CSA, NIS-CG, etc., NESAS enhances accordingly.

NESAS 2.0 Penetration test Cryptographic analysis Software engineering capability

Industry

Benchmarking

1, BSZ

2, CSPN

3, CPA

4, CC AVA (bypassing, tampering, direct

attack, monitor, misuse )

5, MSDL/BSIMM/OWASP SAMM

1, BSI TR 02102

2, ANSSI RGS_B series

3, NCSC CPA

4. NIST FIPS140-2，NIST SP800-90A

5. NDcPP (ISO19790:2012, NIST SP800-90A)

1, NCSC Secure development and deployment

2, MSDL

3, BSIMM

4, OWASP SAMM

5, NIST standards

6, ISO standards

EU CSA, Article 52 (2019.04):

“A European cybersecurity certificate that

refers to assurance level ‘high’ shall

provide assurance … an assessment of their

resistance to skilled attackers, using

penetration testing”

EU Regulatory Authority interview:“In general, it’s a good thing, however, mainly

focus on security policy compliancy, lack of

penetration test and crypto analysis, and

without participation of government authorities,

could be basic security requirements”

NIS-CG, 5G Risk Assessment (2019.10):1. Software engineering processes and

vulnerability management

2. Source code and software engineering

process

3. Quality network components

4. Software development processes

26

NESAS vs. CC: General Comparison

⚫ NESAS, defined for mobile network security, fully demonstrates the characteristics of mobile communication services (such as air

interfaces and NAS signaling) in terms of threat analysis and modeling, and significantly simplify the CC&PP processes – Featuring

short accreditation/evaluation time and low cost, they also meet the development needs of new technologies, such as cloud,

digitization, and software-defined everything

⚫ CC/PP is intended for the IT industry and defines no equipment test specifications for mobile communication in PP – It covers the

general R&D process and lifecycle management audit, but lack of specialty on telecommunication such as 5G, also suffering

complicated accreditation, long period, and high cost

PP: Protection Profile; CC: Common Criteria

Accreditation/

Evaluation SystemNESAS CC

Organization owner GSMA/3GPP CCRA (Common Criteria Recognition Arrangement)

Standards scope & completeness Audit/Evaluation report (Not certificate) 1~7 EALs (Evaluation Assurance Levels)

Standards progress NESAS/SCAS standard/specifications (2019.10) CC released years ago, operated maturely

Number of accredited labs &

auditing companiesSeveral labs and 2 auditing companies now About 77 labs globally

Operators' recognition High Low

Telecommunication Assurance Only one professional standard N/A

Process & TTM Simple processes & 3-6 months Complex processes & 12-18 months (EAL4+)

27

NESAS 1.0 vs. CC (EAL4) : Technical ComparisonNESAS Product Development & Lifecycle Audit CC Product Development & Lifecycle Audit

1 Security by design ADV_ARC/FSP/HLD/LLD/ST √

2 Version control system ALC_CMC (on-site audit) √

3 Change tracking ALC_CMC (on-site audit) √

4 Source code review - ╳

5 Security testing ATE_COV/DPT/FUN √

6 Staff education - ╳

7 Vulnerability remedy process ALC_FLR (Flaw Remediation) √

8 Vulnerability remedy independence - ╳

9 Information security management ALC_DVS (Developer Security) √

10 Automated build process ALC_CMC (on-site audit) √

11 Build environment control ALC_CMC (on-site audit) √

12 Vulnerability information management - ╳

13 Software integrity protection ALC_DEL (Delivery with DS) √

14 Unique software release identifier ALC_CMC (CI Identification) √

15 Security fix communication - ╳

16 Documentation accuracy ALC_CMC (on-site audit) √

17 Security point of contact - ╳

18 Source code governance ALC_CMC (on-site audit) √

19 Continuous improvement ALC_CMC (on-site audit) √

20 Security documentation AGD_OPE/PRE √

Test Contents of equipment evaluation test SCAS CC

SCT (security

compliance

test)

Sensitive info. storage, transfer, protection during access to

system, privacy protection (FDP/FCS/FPR)√ √

System overflow, secure start-up, robustness of data input,

software integrity (FRU/FPT)√ √

Authentication (credential/password), token policy, account

lock, principle of least authority (FIA)√ √

Log out, overtime auto protection (FTA) √ √

Security log, logrotate, log access authorization (FAU) √ √

Admin account, user account, IP/ICMP Process (FIA) √ √

https, web server log, session ID, input examination √ √

Message filtering, robustness of protocol, GTP-C/U filtering √ √

Security enhancement of baseline requirement √ ╳

OS Security enhancement √ ╳

Webserver Security enhancement √ ╳

Management/User plane separation (FDP/FPT) √ √

FCS (cryptographic algorithm implementation check,

random number generator, etc.)╳ √

BVT (basic

vulnerability

test)

Port scan √ √

Known vulnerability scan √ √

Robust test for interface protocol √ √

EVA

(enhanced

vulnerability

analysis)

Penetration test ╳ √

Source code scan ╳ √

For Development Audit, NESAS > CC For evaluation test method, NESAS < CChowever, CC not focused on 5G

28

Huawei Cyber Security Transparency Center is to Serve as an Open,

Transparent and Collaborative Exchange Platform with Key Stakeholders

Banbury, UK

Brussels, Belgium

Bonn, Germany

Dubai, UAE

Shenzhen,China

Toronto, Canada

Global Hub

Regional Hub HCSTC Brussels：Communication, Innovation and Verification

https://youtu.be/yMBu5bvfTPM

29

How to improve the security of business and communities

and ensure the future prosperity of a country?https://www-file.huawei.com/-/media/corporate/PDF/News/huawei-technologies-australia-submission-to-the-department-of-home-affairs.pdf

1. Reduce the risk of national dependency on any one supplier, regardless their country

of origin, to improve 5G and fibre networks resilience

2. Ensure more competitive, sustainable and diverse Telecoms supply chain, to drive

higher quality, innovation, and more investments in Cybersecurity

3. Define network security and resilience requirements on 5G and fibre networks;

contribute to unified standards; identify toolbox of appropriate, effective risk

management measures; and enforce tailored and risk-based certification schemes

4. Ensure effective assurance testing for equipment, systems and software and support

specific evaluation arrangements. (The assessment and evaluation of products from

different vendors shall be the same, as their supply chain has the same level of risk.)

5. Develop industrial capacity in terms of software development, equipment

manufacturing, laboratory testing, conformity evaluation, etc., looking at end-to-end

cybersecurity system assurance; new architecture and business models; tools for risk

mitigation and transparency, and greater interoperability and more open interfaces;

and share results, in closed loop (3.)

Copyright©2018 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without

limitation, statements regarding the future financial and operating results, future product

portfolio, new technology, etc. There are a number of factors that could cause actual

results and developments to differ materially from those expressed or implied in the

predictive statements. Therefore, such information is provided for reference purpose

only and constitutes neither an offer nor an acceptance. Huawei may change the

information at any time without notice.

Thank You.

https://www.youtube.com/watch?v=Ejppq9ft37k

© ETSI ETSI Security Week 2020 goes virtual

Questions & Answers

© ETSI ETSI Security Week 2020 goes virtual

This was the last webinar in the thread Deploying 5G Securely.

You may also listen to all past webinars available from www.etsi.org/etsisecurityweek

© ETSI ETSI Security Week 2020 goes virtual

Thank you for joining this webinar !

Find the full‘ETSI Security Week 2020 goes virtual’

programme at

www.etsi.org/etsisecurityweek