Agency officials identified a lack of guiding standards for determining and mitigating risk from certain implementations of the technology and advised agencies to proceed with caution, employing penetration tests accordingly.
Officials from the Cybersecurity and Infrastructure Security Agency and the Defense Department are pointing to a path for agencies’ authorization of fifth-generation networking projects while reporting blindspots for assessing the security risks associated with certain ways of incorporating the technology into government systems.
The agencies demonstrated, in a sample “5G Security Evaluation Process Investigation,” released Thursday, how agencies can use the National Institute of Standards and Technology’s Risk Management Framework in conjunction with various tools, including those crafted by industry, toward authorizing 5G projects as security standards for the technology are still being developed.
In a blog post accompanying the release, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said the agencies are “excited to introduce a proposed five-step 5G security evaluation process that is derived from research and security analyses.”
“This process allows agencies to conduct the Prepare step of the National Institute of Standards and Technology’s Risk Management Framework (RMF) for system authorization,” he said, noting, “The jointly proposed process, was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies. It identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant methodologies to conduct cybersecurity assessments of 5G systems.”
A gap, as defined in the document, occurs “where a security requirement exists without assessment guidance, policy, or organization to verify its effectiveness for government operations.” A gap can also occur when a security requirement is believed to exist for mitigating a threat, but no formal requirement has been established.”
The authors of the document suggested implementers will encounter more gaps as the leading standards development organization for next generation networking technology—The Third Generation Partnership Project—and others like the European Telecommunications Standards Institute, and the [Open Radio Access Network] Alliance continue to identify new threats and work on security specifications.
A particularly challenging part of the process described by CISA and DOD, with the help of those from NIST and the MITRE Corporation, relates to establishing the boundary for assessment toward an authorization, especially given complicated considerations for securing the Radio Access Networks of 5G systems.
“Depending on the system assessment boundary and configuration, the 5G RAN infrastructure may include infrastructure elements from one or more geographical locations and involve a variety of network switch/router, base station, and access point/cell site equipment and software,” the document reads. “If the RAN segments adopt an open, disaggregated RAN solution, additional Tier 1 vendors (and their component hardware and/or software products) would be involved in this security evaluation step as compared to a traditional RAN solution. The level of interoperability and penetration testing would likely increase as would the identification and mitigation of potential open RAN attack vectors.”
The document pointed to the usefulness of a software bill of materials for evaluating risk, even in a private 5G network, which was used in the scenario described.
“The example private 5G network involves an on-premises RAN segment with RAN slicing to support multiple tenant applications,” the officials wrote on determining appropriate assessment boundaries. “All hardware and software components, including cloud/edge platforms and internal and external system interfaces, are subject to the threat and security capability analyses. Certain security conditions and assurance requirements may call for a broader investigation, potentially involving Tier 2 (and beyond) vendors and proof of integrity accompanying each software bill of materials.”
For ‘network slicing,’ the technique used to create segmentation within a 5G network’s “core,” security evaluators would be wise to conduct additional testing, including for supply-chain threats, officials said.
“Essential functions provided by the 5G Core include authentication and authorization of users, data connectivity, mobility management, subscriber data management, and policy management and controls,” they wrote. “Depending on the operator’s network slicing implementation … further testing is prudent since network slicing is a new technology and its threat vectors are not yet fully understood.”