
5G Providing the Secure Platform for Digitalization of Enterprises … · 2019-06-20 · 1G 2G 3G...

Date post: 11-Mar-2020
5G Providing the Secure Platform for Digitalization of Enterprises and Society Mats Nilsson, Group Function Technology 2019-04-23
Transcript
Page 1: 5G Providing the Secure Platform for Digitalization of Enterprises … · 2019-06-20 · 1G 2G 3G 4G 5G 70-80’s 80-90’s 90-00’s 00-10’s 10-20’s 4th Industrial Revolution

5G Providing the Secure Platform for Digitalization of Enterprises and Society

Mats Nilsson, Group Function Technology

2019-04-23


PA1 | 2019-06-05 | | Page 2

1G (70-80’s), 2G (80-90’s), 3G (90-00’s), 4G (00-10’s), 5G (10-20’s)

4th Industrial Revolution powered by 5G

Ericsson Mobility Report June 2016

10-100X Connected Devices

10X Battery Life

5X Lower Latency

1000X Mobile Data Volumes

10-100X End-user Data Rates

Enriched Broadband Communications

Critical Machine Type Communications

Massive Machine Type Communications

Industrial IoT - Ericsson Canada Update | Ericsson Confidential | March 2017

Page 3

What is 5G?

A common network platform supporting multiple industries and use cases

End-user data rates: 10-100x

Mobile data volumes: 1000x

Lower latency: 5x

More devices: 100x

Device cost reduction

Battery life: 10+ years

Better coverage: +20dB

Page 4

Use case evolution

[Figure: use case evolution across three stages: Current, On the road to 5G, 5G experience]

Technologies:

Multi-standard network, Cat-M1/NB-IoT, Cloud optimized network

Gigabit LTE (TDD, FDD, LAA), Massive MIMO, Dynamic service orchestration

5G NR, Local deployment, Real time machine learning/AI

Areas: Logistics, Healthcare, Building automation, Remote Experts, Transport

Use cases shown: Screens everywhere; Augmented reality surgery; AR; On demand information; Self-Drive Ambulance; Connected doctors and patients; Integrated, Seamless everywhere; Asset management; Smart locks; Surveillance cameras; Connected sensors; Machine intelligence; AI; New tools; Real-time information; Monitoring and medication e-care; Flow management and remote supervision; Automated facility management

Page 5

5G for Enterprises and Society

— Inherent security capabilities

— Network slices: on the same physical infrastructure (nationwide network), isolated logical partitions can be provided for e.g. safety, defense, ambulances, remote healthcare, traffic safety, utility control, etc.

— Similarly for enterprises supporting processes e.g. in supply, production, delivery and life cycle operations

— Build on ability to drive outstanding security and scale for the evolving use cases (as for 2G-4G)

— Reuse existing ecosystem and expand towards providing capabilities for Enterprises and Society

Page 7

Our 5G architecture

[Figure: 5G architecture. Sites: Devices / Local NW, Access sites, Distributed sites, National sites, Global sites. Layers: Transport (Mobile, Fixed); Management & Monetization; Cloud infrastructure; Access, Mobility, Network applications; Application cloud]

Page 8

Network slicing to enable 5G use cases

Page 9

Ever evolving security threats

Critical infrastructure concerns

DevSecOps accelerating cycles

Increasing regulatory requirements (e.g. GDPR)

Distributed Cloud-specific challenges

Billions of new devices

Society and Enterprises going digital – Facing new Challenges – Tackled by 5G

Page 10

5G’s built-in security provides new properties for enabling mission critical use cases

5G’s built in security is designed to protect mission critical infrastructure for new use cases

5G builds on proven 4G security for MBB, and introduces new properties to secure new use cases

Resilience: Resistance against failures, catastrophes, and cyberattacks

- Customizable deployments: Sensitive functions deployed in secure locations
- Network slicing: Isolating groups of network functions from other groups
- SBA principles: Enables independent isolation of functions during failures

Communication security: Security for devices and its own infrastructure

- Encryption: Signaling & user plane traffic encrypted and integrity protected
- Automatic recovery: Recovery from malicious security algorithm mismatches

Identity management: Identifying and authenticating subscribers

- New authentication framework: Flexible choosing of authentication method
- Location identification of authentication: Mitigation of potential fraud
- State-of-the-art encryption: Mutual authentication between device & NW

Privacy: Protection of subscriber identifying information

- Protection of subscriber identifiers: Protection against eavesdropping (using IMSI catchers) & active attacks
- Detect false base stations: Configurable actions can be taken if detected

Security assurance: Network equipment meets 3GPP security requirements

- 3GPP security requirements: Requirements for e.g. penetration testing in accordance with international cybersecurity regulations
- Auditing infrastructure: Audits of vendors’ development & testing processes

Innovation & ecosystems

Next gen connectivity to enable new use cases

Security properties for critical infrastructure

Page 11

— The 5G NR (New Radio) access supports a NEW service category called URLLC (ultra-reliable low latency communications), which is ideal for industrial control, critical infrastructure and public safety applications.

— Even greater resilience against failures and attacks can be obtained with a NEW deployment option where a single base station can be deployed as two split units, called a central unit and a distributed unit.

— The resilience of the 5G system also stems from NEW multi connectivity features and the strong mobility support that it shares with previous generation 3GPP networks, which ensures continuous secure connectivity for devices when current radio conditions become unsuitable or when moving from one location to another.

Resilience

3GPP TS 38.401

Page 12

— The 5G core network architecture itself is designed around NEW resilience concepts, e.g., compute-storage separation. The 5G system supports "stateless" network functions, where the "compute" resource is decoupled from the "storage" resource.

— The NEW feature called network slicing enables isolating groups of network functions from other functions. An operator may isolate low-priority IoT devices on a separate slice to ensure that these will not interfere with other users (say, of a public safety organization) should a problem occur with large quantities of IoT devices.

— Further, the NEW architecture principles of SBA (service based architecture) make use of software and cloud-based technologies that enable creating network functions that can easily be scaled depending on traffic load, and can be independently replaced, restarted, or isolated when failing or under attack.

Resilience contd..

Page 13

For full digital sovereignty (1), a holistic security solution and a secure underlying network are key

5G’s built-in security provides new properties for enabling mission critical use cases

5G system Rest of operating environment

› Over-the-top encryption is not sufficient - a holistic view is needed

› A system’s security is only as strong as its weakest part - the security of the underlying network is crucial

› For a secure society and economy, sufficient cybersecurity for civilian infrastructure & devices needs to be ensured

1) Digital sovereignty = enabling users to freely and independently decide which data can be gathered, distributed, used and saved about them

Communications network

5G access network, 5G core network

Platforms

Application platforms, cloud / edge computing platforms

Devices

Smartphones, IoT sensors, machines, vehicles etc.

Applications

Applications, content, services

Management & Orchestration

› 5G ensures security for the communications network through e.g. user authentication, traffic encryption, network resilience, and managing mobility and overload situations

› 5G provides a sophisticated end-to-end security management solution with scale

› Individual ’add ons’ can never compensate for lack of a system-holistic security solution

+Innovation & ecosystems

Next gen connectivity to enable new use cases

Security properties for critical infrastructure

Page 14

To get scale you need standards… for automation

[Figure: ecosystem layers: Chipsets & Technology, Modules, Devices, Vendor ecosystems, Applications / Enterprises. Standardization stack: IPSO smart obj., LWM2M, CoAP, UDP/IP, NB-IoT]

Standardization – The engine for scale

Ericsson Industry Analyst Day | © Ericsson AB 2018 | #EIAF | 2018-01-24 | Page 14

Page 15

ID Federation

ID provisioning flow

Connect ID bootstrap

LWM2M bootstrap

LWM2M manage

Claim of ownership

Managed connectivity

Unmanaged connectivity

ID Technologies

ID and Slicing providing secure operations

Page 17

Four aspects of security of live telecommunication networks

Operations
- Secure operational procedures, e.g. segregation of duties, use of least privilege and logging
- Management of security functions, vulnerability mgmt. and detection of attacks
- Response and recovery after breach

Deployment process
- Solid network design with security and resilience in mind
- Operator specific configuration of security parameters, hardening

Vendor product development process
- Secure hardware and software components
- Secure development processes
- Version control and secure software update

Telecommunications standardization process
- Secure protocols, algorithms, storage

Page 18

Security Assurance Standards

[Figure: security assurance scheme. Parties: GSMA, 3GPP SA3, Accreditation Body, Audit Company, Test Laboratory, Network Product Vendor, Mobile Network Operator. Artifacts: Network Product, Evaluation Report. Relations shown: defines, accredits, builds, evaluates, writes]

› 3GPP SA3 defines SCAS = SeCurity Assurance Specifications containing security requirements and test cases

› GSMA NESAS defines security assurance requirements on vendors’ development process, and the scheme for accreditation of vendors’ dev process, test labs.

› Vendors are responsible for adapting their development process, building the product according to SCAS and providing Evaluated product + report

Page 19

Summary

— 5G with its intrinsic capabilities has a unique potential for the secure digitalization platform:

— Intrinsic network security

— Security in device interfaces, adding usual application level security resting on technology (e.g. Trusted computing, slicing etc) and business logic gives security by design and scale end-to-end

— Security functionality set from the beginning to match the use cases in scale (billions) and time (decades)
