From its inception, the expectations for 5G have been tremendously ambitious, ranging from energy efficiency to high IoT device density. At the same time, 5G is expected to deliver significantly higher data speeds with lower latencies than prior technology generations. Yet, no component of 5G has generated more excitement than network slicing. Network slicing allows communication service providers (CSP) to define end-to-end logical networks tailored to specific use cases or service requirements. Those logical networks share all or parts of the underlying infrastructure with other slices with diverse performance expectations. This shared infrastructure creates an environment in which operators must consider new potential threat vectors.
But first – what is the opportunity for network slicing?
Slicing enables unparalleled flexibility in terms of network design whereby, for the first time in wireless communications, the expected intent drives things such as the placement of applications in different parts of a network (e.g., far edge, edge, core data centers, public cloud) and how CSPs will allocate resources such as network capacity to each slice.
It’s worth noting here that network slicing can only be fully supported in the 5G Stand Alone (5G SA) mode of operation. It’s true that some forms of rudimentary slicing-like functionality can be offered in 4G via different Access Point Names (APNs), Quality of Service (QoS) settings, and other traffic steering mechanisms. However, none of those mechanisms provide the fully standardized capabilities of 5G Network Slicing, including end-to-end awareness of how a given user is utilizing the slice for a particular application and in a specific geographical footprint.
Another key facet of network slicing is that it accounts for the multiple domains within a CSP network, for example, Radio Access Network (RAN), Core Network, and Transport Network. When a slice of a given type with specific business requirements is created, those requirements are broken down into policies that apply to each sub-domain to ensure the end-to-end goals are met.
A 5G subscriber can be provisioned with access to one or many slices. For instance, the device and the network negotiate in real time the mapping of the subscriber traffic to the correct slice based on aspects such as service type (e.g., voice vs. data), application type (e.g., internet browsing vs. mission-critical push-to-talk), performance expectations (e.g., video streaming vs. V2X), and so on. The concept of a Service Level Agreement (SLA) or Service Level Objective (SLO) is an integral part of network slicing and defines the service expectations for each customer of the slice.
Increased flexibility almost invariably translates into added operational complexity, which is why network slicing depends on other enabling technologies like network function virtualization (NFV), cloud-native principles, and orchestration. Those technologies allow the separation of hardware and software, as well as the life cycle management of the network in an automated fashion. Service orchestration will react to real-time information collected from the network and take actions to ensure the SLAs/SLOs are satisfied optimally across an extraordinarily complex and diverse set of circumstances, such as cell congestion, mobility across radio access technologies, software upgrades, and so on.
Network Slicing: Security Considerations
Last December, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) published a new report, “ESF Potential Threats to 5G Network Slicing” (defense.gov), focused on potential threats to 5G Network Slicing. According to the report, the most likely types of threats to occur in a 5G network slicing scenario are Denial of Service attacks, Man-in-the-Middle (MitM) attacks, and Configuration attacks. Let’s take a deeper dive into each of these.
Denial of Service Attacks
Security has been a focal point for 3GPP in developing 5G specifications. As a result, the standards define security-centric applications such as the Service Communication Proxy (SCP) and the Security Edge Protection Proxy (SEPP) for the first time. The SEPP, in particular, helps protect the network at its edge where it interconnects with other 5G SA networks, for example, in roaming scenarios.
As with previous generations, 5G devices will fall back from Stand Alone (SA) mode of operation to Non-Stand Alone (NSA) and 4G for multiple reasons such as coverage, congestion, compatibility between device and network, and roaming scenarios. As such, delivering a secure network slicing-based solution requires an adequate security posture in the infrastructure, 4G network, and points of interconnect, as well as in internal policies and procedures. While 3GPP did not incorporate security by design in its 4G version of the specifications, CSPs can leverage Mobileum’s Multiprotocol Signaling Firewall to secure interfaces with external networks across multiple generations (2G, 3G, 4G, and 5G) and protocols (SS7, Diameter, GTP, HTTPS/SBI, SIP).
Man-in-the-Middle Attacks
3GPP introduced the concept of Subscription Concealed Identifier (SUCI) in the 5G specifications to ensure the Subscription Permanent Identity (SUPI, formerly IMSI in 2G/3G/4G) is never sent over the air in the clear. SUCI, therefore, mitigates MitM attacks triggered by the use of IMSI catchers. However, IMSI catchers are just one of many methods bad actors rely upon to obtain information about their victims. MitM attacks and subscriber impersonation often leverage security gaps in previous versions of protocols used for roaming and interconnect in order to obtain the private identity (IMSI) corresponding to a public identity (e.g., phone number or MSISDN). Once again, Mobileum’s security portfolio can help detect and prevent such attacks. The Multiprotocol Signaling Firewall mentioned above can be complemented by our Voice and SMS Firewalls to mitigate or avoid negative impacts on the customer targeted by the attack and on the network overall.
Configuration Attacks
As described in the report, “configuration attacks have a broad range of adverse effects on the confidentiality, integrity, and availability of a network slice.” In wireless networks, some of the assets are shared by multiple slices (like wireless spectrum) and will become scarce in certain situations. Therefore, it is critical to ensure the policies defined to control the access and SLA/SLO applicable to a given slice are verifiable, auditable, and enforceable.
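One way to make slice policy verifiable and auditable is to compare what each domain has actually provisioned against the intended slice definition. The sketch below is an added example, not Mobileum's or the report's code; it assumes intended and provisioned state can be exported as simple dictionaries, and every slice id, subscriber id, field name and value in it is constructed.

```python
# Added example: audit provisioned slice state against the intended policy.
# Slice ids, subscriber ids, field names and values are constructed.
DOMAINS = ("ran", "core", "transport")

def audit(intended, provisioned, granted):
    """Return a sorted list of (finding, subject) tuples.

    intended:    {slice_id: {"e2e_latency_ms": int, "subscribers": set}}
    provisioned: {domain: {slice_id: {"latency_ms": int}}}
    granted:     {subscriber: set of slice_ids the network will admit}
    """
    findings = []
    for sid, policy in intended.items():
        budgets = [provisioned.get(d, {}).get(sid) for d in DOMAINS]
        for domain, cfg in zip(DOMAINS, budgets):
            if cfg is None:
                findings.append(("DOMAIN_MISSING", f"{sid}@{domain}"))
        # The end-to-end SLO only holds if the per-domain budgets fit inside it.
        if None not in budgets:
            total = sum(cfg["latency_ms"] for cfg in budgets)
            if total > policy["e2e_latency_ms"]:
                findings.append(("SLO_EXCEEDED", f"{sid}:{total}ms"))
        # Entitled subscribers the network would refuse on this slice.
        for sub in policy["subscribers"]:
            if sid not in granted.get(sub, set()):
                findings.append(("ACCESS_MISSING", f"{sub}/{sid}"))
    # Slices present in a domain that no intent describes.
    for domain, slices in provisioned.items():
        for sid in slices:
            if sid not in intended:
                findings.append(("UNINTENDED_SLICE", f"{sid}@{domain}"))
    # Subscribers admitted to a slice they are not entitled to.
    for sub, sids in granted.items():
        for sid in sids:
            if sub not in intended.get(sid, {}).get("subscribers", set()):
                findings.append(("ACCESS_EXCESS", f"{sub}/{sid}"))
    return sorted(findings)

# Constructed sample state containing four deliberate provisioning errors.
INTENDED = {"urllc-01": {"e2e_latency_ms": 10, "subscribers": {"sub-A"}},
            "embb-01": {"e2e_latency_ms": 100, "subscribers": {"sub-A", "sub-B"}}}
PROVISIONED = {
    "ran": {"urllc-01": {"latency_ms": 4}, "embb-01": {"latency_ms": 30}},
    "core": {"urllc-01": {"latency_ms": 3}, "embb-01": {"latency_ms": 20}},
    "transport": {"urllc-01": {"latency_ms": 5}, "embb-01": {"latency_ms": 20},
                  "test-99": {"latency_ms": 50}}}
GRANTED = {"sub-A": {"urllc-01", "embb-01"}, "sub-B": {"urllc-01"}}

if __name__ == "__main__":
    for finding in audit(INTENDED, PROVISIONED, GRANTED):
        print(*finding)
```

Running the same audit on a schedule and on every provisioning change gives a dated record of when a mismatch first appeared and in which domain.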
Preventing configuration attacks requires strict policies by the CSP to ensure proper provisioning of the slice across many network nodes, functions, and interfaces in the network. Rules-based access controls to the network functions and cross-domain solutions are basic mechanisms to prevent configuration attacks. However, errors do occur. In a 5G network slicing environment, those errors can lead to traffic being placed in the wrong slice or devices not being granted access to a specific slice. The end result is that the customer does not get the expected quality of service from that slice. While this may be tolerable for best-effort services, the impact can be tremendous for slices providing mission-critical services where milliseconds matter. Thus, detecting those errors as soon as possible is critical in order to identify where the error was introduced in the network and how it can be investigated, root-caused, and ultimately resolved. The Mobileum portfolio provides CSPs with multiple tools in this area:
In closing, addressing potential threats to 5G Network Slicing truly means utilizing all the tools in the toolbox: thinking about security as a combination of traditional defense techniques, strict policies, passive monitoring, active assurance, and a data analytics framework that can combine the disparate data collected from the multiple network functions and systems involved in delivering the end-to-end slice.