NSA, CISA Add Original Equipment Manufacturers to Audience for 5G Security Guidance


The agencies got specific about who is responsible for what in a four-part series on securing the inherently cloud-based environments.

Federal cybersecurity agencies addressed original equipment manufacturers of networking gear and stressed the importance of establishing trust through the hardware level in their latest guidance on securing the largely virtualized computing architectures that are expected to reign in the future.

“Moving up from the hardware device level, ensuring the integrity of the container stack (worker nodes, Kubernetes cluster and containers) is critical for preventing attacks and denying cyber actors the ability to persist,” reads guidance issued by the National Security Agency and the Cybersecurity and Infrastructure Security Agency Thursday.

The document on ensuring the integrity of cloud infrastructure and resources—such as image files referred to as containers because they carry all the code necessary to run an application—is the final installment of a four-part series the agencies produced on 5G security.

Other publications in the series dealt with detecting and preventing lateral movement across networks, effectively isolating network resources and protecting data while in-transit, in-use and at-rest.

Throughout the series, NSA and CISA detail mitigations for complex cloud environments where multiple tenants can share threats and the responsibility for various security procedures can be hazy across end users, application developers, and other service providers. 

To address this, “the audience for each set of recommendations will be identified throughout the series, providing a layered approach to building hardened 5G cloud deployments,” the agencies said.

The first three publications recommend actions for cloud providers, mobile network operators, and customers. The fourth document does not address customers and adds original equipment manufacturers. OEMs include companies like Cisco, and others that are less often heard of because they function further down in the supply chain.

But as the last year has shown, adversaries have been pursuing attacks through foundational suppliers given the larger impact they can have. And NSA and CISA are highlighting ways to establish a provable trust chain that starts with firmware—software that comes embedded in hardware. 

“Servers, storage, and network devices form the cloud infrastructure platform on which the cloud native 5G core is deployed,” the agencies wrote. “Existing mitigations of threats against the nodes are often rooted in firmware or software, making them vulnerable to the same attack strategies. For example, if the firmware can be successfully exploited, then the firmware-based security controls can most likely be circumvented in the same fashion.”

The guidance points to the National Institute of Standards and Technology’s Special Publication 800-193 as one resource with specific controls describing, for example, how to establish “a method where each software module in a system boot process is required to measure the next module before transitioning control,” up through the technology stack.
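The measure-then-transfer chain quoted above, sketched as an added example (not code from the NSA/CISA guidance or NIST SP 800-193). It assumes a TPM-style hash-extend register, and the stage names and image bytes are constructed placeholders.

```python
import hashlib

ZERO = bytes(32)  # register value at power-on (assumed: 32 zero bytes)

def measure(image: bytes) -> bytes:
    """Digest of the next module, taken before control is handed to it."""
    return hashlib.sha256(image).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """One-way update: the old value is hashed in, so it cannot be rolled back."""
    return hashlib.sha256(register + measurement).digest()

def boot(stages):
    """Walk the chain; return the final register and the event log."""
    register, log = ZERO, []
    for name, image in stages:
        m = measure(image)            # measure first ...
        register = extend(register, m)
        log.append((name, m))         # ... then (conceptually) jump to the stage
    return register, log

def replay(log):
    """Verifier side: recompute the register from a reported event log."""
    register = ZERO
    for _, m in log:
        register = extend(register, m)
    return register

def first_mismatch(log, golden_log):
    """Name of the earliest stage whose measurement differs from the reference."""
    for (name, got), (_, want) in zip(log, golden_log):
        if got != want:
            return name
    return None

# Constructed sample images (placeholders, not real firmware).
GOOD = [("firmware", b"fw v1"), ("bootloader", b"loader v1"),
        ("kernel", b"kernel v1"), ("container-runtime", b"runtime v1")]
TAMPERED = [(n, b"loader v1 + implant" if n == "bootloader" else i) for n, i in GOOD]

if __name__ == "__main__":
    golden_reg, golden_log = boot(GOOD)
    reg, log = boot(TAMPERED)
    print("register matches reference:", reg == golden_reg)
    print("first divergent stage:", first_mismatch(log, golden_log))
    # Reporting the clean log does not help: it no longer replays to the register.
    print("clean log replays to register:", replay(golden_log) == reg)
```

Because a modified stage changes the final register value and a substituted clean log no longer replays to it, the check only holds if the register itself lives in hardware the measured software cannot rewrite.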

One key will be to ensure that the firmware is updatable, the agencies said, adding that “network designers and operators should pick devices which provide NIST SP 800-193 guided protection, detection and recovery of all rootkit-able firmware.”

The 5G security series emerged from the Enduring Security Framework. The group includes representatives from the information and communications technology industry as well as defense industrial base companies and the government.