5G Security Requirements
10 June 2020, Wednesday
10:00am – 12:30pm
Preparation for 5G TCs Security
Mohd Fairuz Ismail
Security, Trust and Privacy Sub-Working Group
Let’s collaborate @ MTSFB!
5G Security Requirements Technical Code

OBJECTIVE
▪ To establish 5G security guidelines and infrastructure requirements
▪ To provide all recommended technical performance and requirements
▪ To evaluate and measure the effectiveness of security controls and the E2E framework
▪ To benchmark or rate the overall security posture of the organisation

SCOPE
This Technical Code applies to Telecommunication Operators, Telecommunication Regulatory Bodies, Mobile Technology Developers and/or Vertical Industries that use 5G for their vertical services.
▪ 5G Security Architecture
▪ 5G Security Standards and Recommendations
▪ 5G End-to-End (E2E) Framework and Control Classes
▪ 5G Security Infrastructure Guidelines
▪ 5G Performance and Technical Requirements
Outlines
1 5G Security Overview
2 5G Security Guidelines and Infrastructure Requirements
3 5G Technical Performance and Requirements
4 5G Security Architecture (Security Domains)
5 5G Security Control Classes and E2E Framework
6 5G Security Elements and Recommendations
7 5G Technical Feedback
8 Annex
1 5G Security Overview
In 5G, the security systems shall be able to:
▪ be flexible enough to cater for the expected diversity of connected devices and systems;
▪ monitor the real-time status and traffic of those devices and systems;
▪ provide protection against the main attack vectors.

The 5G network assets to be secured are as follows:
▪ User information security
▪ Network element (NE) security
▪ Transport/interface security
2 5G Security Guidelines and Infrastructure Requirements
5G Security Guidelines

Public Key Infrastructure
This standard affects any vendor that is developing products, profiling applications or deploying security solutions based on Public Key Infrastructure (PKI) or Privilege Management Infrastructure (PMI). It is particularly applicable to services such as authentication, encryption and confidentiality, digital signatures, non-repudiation and authorization.

Cybersecurity Overview
Anyone developing products, profiling application security, or deploying security solutions across an enterprise or a public or private organisation should read Recommendation ITU-T X.1205.

Security Architecture for Systems Providing End-to-End Communications
This Recommendation is essential for any entity performing comprehensive network security assessment and planning. Recommendation ITU-T X.805 addresses the inherently complex security problems of 5G networks, with their division into layers, planes and elements, and the need for a holistic methodology to systematically engineer security for such systems.

Security Assertion Markup Language
SAML (Security Assertion Markup Language) is a standard that lets organisations in different security domains securely exchange authentication and authorization information.

Entity Authentication Assurance Framework
This work affects organisations that are developing products, profiling application security, or deploying security solutions that require authentication.
5G Security Guidelines (continued)

Common Alerting Protocol
Many Integrated Public Alert and Warning Systems (IPAWS) are based on this protocol. It touches millions of people daily, since it is the foundation for passing warning messages.

Access Control Markup Language (XACML)
This standard plays an important role within an organisation by providing real-time, role-based access control to protect access to all types of resources.

Information Security Management Guidelines for Telecommunications Organizations Based on ISO/IEC 27002
For the most part, ITU-T security-related Recommendations focus on the technical aspects of systems and networks. Some aspects of personnel security are also identified in Recommendation ITU-T X.1051.

Interactive Gateway System for Countering Spam (Recommendation ITU-T X.1243)
Technology collaboration has been recognised as a key component in countering spam. Recommendation ITU-T X.1243 illustrates such a system and specifies a technical means for countering inter-domain spam.

Abstract Syntax Notation One (ASN.1)
Though initially used for specifying the email protocol within the Open Systems Interconnection environment, ASN.1 has since been adopted for a wide range of other applications, such as network management, secure email, cellular telephony, air traffic control, and voice and video over the Internet.

Cybersecurity Information Exchange Framework
The CYBEX Recommendations facilitate the exchange of cybersecurity information across all stakeholders.
5G Security Infrastructure Requirements

RAN Security: security for the Next Generation (NG) radio interface and radio access network (RAN).
Security Architecture: architectural aspects of the security of the 5G system.
Security Context and Key Management: security aspects related to the management of security contexts and security keys.
Security Within 5G-UE: security of sensitive data handled within the 5G UE.
Authorization: authorization of the UE to access the network and of the network to serve the UE.
Authentication: authentication framework, identifiers and credentials, authentication methods.
Subscription Privacy: protection of subscribers’ personal information, e.g. identifiers, location, data.
Network Slicing Security: security aspects of the network slicing concept, such as service access, network function sharing and isolation.
Relay Security: security of 5G connectivity over relays.
Network Domain Security: security of the signalling protocols in the network domain, such as authentication, integrity and availability.
Security Visibility and Configurability: presentation of security information to the user of a UE, and management of security configuration by a user or a UE.
Credential Provisioning: security aspects of provisioning 3GPP credential(s) on equipment that will access the 5G system.
Interworking and Migration: security aspects of interworking and migration scenarios between radio technologies and possible core network concepts.
Small Data: procedures for handling a huge number of IoT UEs that send small amounts of data sporadically while moving from one location to another.
Broadcast/Multicast Security: security of broadcast services that will be used by verticals, for example MCPTT, critical communication, V2X and massive MTC.
Management Security: security aspects of the management plane and deployment scenarios.
Cryptographic Algorithms: cryptographic algorithms to be used for security mechanisms and protocols within the 5G system.
Physical Security: physical security of network elements, such as ease of physical access.
3 5G Technical Performance and Requirements
5G Minimum Technical Performance

Energy Efficiency
• The capability of a RIT/SRIT to minimise the radio access network energy consumption in relation to the traffic capacity provided.
• Energy efficiency of the network and the device relates to two aspects: a) efficient data transmission in a loaded case; b) low energy consumption when there is no data.
• This requirement is defined for the purpose of evaluation in the eMBB usage scenario.

User Plane Latency
• 4 ms for eMBB
• 1 ms for URLLC

Control Plane Latency
• 20 ms (proponents are encouraged to consider 10 ms for this parameter)

Mobility Interruption Time
• The shortest time duration supported by the system during which a user terminal cannot exchange user plane packets with any base station during transitions.
• Defined for the purpose of evaluation in the eMBB and URLLC usage scenarios.
• Mobility interruption time is 0 ms.

Mobility
• Stationary: 0 km/h
• Pedestrian: 0 km/h to 10 km/h
• Vehicular: 10 km/h to 120 km/h
• High speed vehicular: 120 km/h to 500 km/h

Bandwidth
• The maximum aggregated system bandwidth. The bandwidth may be supported by single or multiple radio frequency (RF) carriers.

Connection Density
• The total number of devices fulfilling a specific quality of service (QoS) per unit area (per km²).
• Used in evaluation for the mMTC usage scenario.
• Connection density is 1 000 000 devices per km².

Reliability
• The capability of transmitting a given amount of traffic within a predetermined time duration with high success probability.
• Defined for the purpose of evaluation in the URLLC usage scenario.
5G Minimum Technical Performance Specifications

Peak data rate: 20 Gbps downlink, 10 Gbps uplink
Peak spectral efficiency: 30 bit/s/Hz downlink, 15 bit/s/Hz uplink
User experienced data rate: 100 Mbps downlink, 50 Mbps uplink

5th percentile user spectral efficiency (downlink / uplink)
• Indoor Hotspot – eMBB: 0.3 / 0.21 bit/s/Hz
• Dense Urban – eMBB: 0.225 / 0.15 bit/s/Hz
• Rural – eMBB: 0.12 / 0.045 bit/s/Hz

Average spectral efficiency (downlink / uplink)
• Indoor Hotspot – eMBB: 9 / 6.75 bit/s/Hz/TRxP
• Dense Urban – eMBB: 7.8 / 5.4 bit/s/Hz/TRxP
• Rural – eMBB: 3.3 / 1.6 bit/s/Hz/TRxP

Mobility classes supported per eMBB test environment
• Indoor Hotspot – eMBB: stationary, pedestrian
• Dense Urban – eMBB: stationary, pedestrian, vehicular (up to 30 km/h)
• Rural – eMBB: pedestrian, vehicular, high speed vehicular

5G Use Case Category Minimum Performance Specifications
[Figure: 5G use case category minimum performance specifications; not reproduced.]
4 5G Security Architecture (Security Domains)
5G 3GPP Security Architecture

[Figure: 3GPP security architecture. The ME and USIM, the 3GPP and non-3GPP access networks (AN), the serving network (SN) and the home environment (HE) sit in the transport stratum and the home stratum/serving stratum; the user application and the provider application sit in the application stratum. Roman numerals mark the security domains.]

I – Network access security
II – Network domain security
III – User domain security
IV – Application domain security
V – Service based architecture (SBA) domain security
VI – Visibility and configurability of security
Source: 3GPP TS 33.501 v16.1.0 – Security architecture and procedures for 5G system

Security domain descriptions
Network Access Security (I): allows a UE to authenticate and access services securely over 3GPP and non-3GPP access; protects the network against attacks on the radio interfaces; delivers the security context from the serving network (SN) to the access network (AN) for access security.
Network Domain Security (II): allows network nodes to exchange signalling data and user plane data safely and securely.
User Domain Security (III): secures user access to the mobile equipment.
Application Domain Security (IV): allows applications in the user domain and in the provider domain to exchange messages securely.
Service Based Architecture (SBA) Domain Security (V): allows network functions of the SBA to communicate securely within the serving network domain and with other network domains.
Visibility and Configurability of Security (VI): allows the user to be informed whether a security feature is in operation or not.
5G Security Architecture Planes

[Figure: security architecture planes spanning ME, AN, SN and HN, the vertical service provider and its application server. Three planes are shown: the security plane for user data (application security, secondary authentication, E2E slicing), the security plane for control signalling (network access security, authentication and key agreement, network domain security, SBA security, remote ID management, fundamental security function, service-oriented security function) and the security plane for the management system (security function management, ID management, security isolation between slices, security slicing control and E2E security slicing management, security event control and security intelligence sharing, security capability exposure).]
The security architecture design implements three security planes:

Security Plane for Management System
This plane carries out service-oriented security function orchestration, such as modification and deployment of security functions and security protection mechanisms, along with orchestration of network security functions within slices. It also performs identity management.

Security Plane for User Data
This plane enforces service-oriented, differentiated security protection, where the security protection mechanism of the user plane is tailored to the security policies required by the various services.

Security Plane for Control Signalling
This plane allows flexible deployment of network security functions based on the service-based architecture and virtualisation technology, and supports scalable authentication mechanisms and remote identity management, such as tiered identity management.

The security architecture design also implements two security mechanisms:

Slicing Management Security Mechanism
- Slicing security as a Service (SsaaS), which enables operators to provide customised security packages for vertical industries.
- Slicing lifecycle security, which ensures security in the slice design, configuration, activation, operation and termination phases.
- Intelligent slicing security operations and maintenance (O&M).

Security Events Control and Security Intelligence Sharing Centre
Schedules and coordinates security components in order to implement intelligence sharing and security policy control between carriers’ networks and vertical industries, based on security events.
5 5G Security Control Classes and E2E Framework

5G E2E Security Framework
[Figure: the 5G E2E security framework defined using the 5G 3GPP security architecture layout.]
[Figure: the 5G E2E security framework defined using the 5G security architecture planes layout.]
[Figure: the 5G E2E security framework defined using the security control layers and classes.]
5G Security Planes and Layers
Source: ITU-T Recommendation X.805 – Security architecture for systems providing end-to-end communications

5G Security Planes
End User Security Plane: protection of end-user data flows, along with customers’ usage of and access to the service provider’s network.
Control Security Plane: protection of the activities that ensure the efficient delivery of control and signalling information, services and applications across the 5G network.
Management Security Plane: protection of the operation, administration, maintenance and provisioning of network elements, transmission facilities, back-office systems and data centres.

5G Security Layers
Infrastructure Security Layer: protection of the network transmission facilities and individual network elements.
Service Security Layer: protection of the services that service providers provide to their customers, such as basic transport and connectivity for Internet access and value-added services such as QoS, VPN and location services.
Application Security Layer: protection of network-based applications, such as email, file transport and web browsing, that are accessed by the service providers’ customers.
5G Security Control Classes
Access Control: ensures that only authorised users or devices are allowed to perform administrative and/or management activities.
Authentication: ensures that the user or device performing administrative and/or management activities has a verified identity.
Non-Repudiation: provides a record identifying the user or device that performed an administrative and/or management activity, as evidence.
Data Confidentiality: protects the network device, the device link and sensitive data from unauthorised viewing.
Data Integrity: protects configuration and administrative data against unauthorised modification, deletion, creation and replication.
Availability: ensures that management of network devices and communication links is not denied.
Privacy: ensures that information that can be used to identify users or devices is not visible to unauthorised users or devices.
Communication Security: ensures that management information flows only between the necessary devices and communication links without being intercepted.
5G Security Control Layers and Classes
[Figure: matrix of the three security layers (infrastructure, service, application) and the three security planes (end user, control, management) against the eight security control classes (access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability, privacy); vulnerabilities and attacks and threats are mapped onto the cells.]
5G E2E Security Framework
(For each category: physical, technical and administration rows, each listing elements, security controls and security threats.)

End Users
Physical
- Elements: secured hardware
- Controls: security accreditation scheme (SAS) of UICC/eSIM
- Threats: device tampering
Technical
- Elements and controls: subscriber device identifiers and credentials; authentication and key agreement (AKA); security negotiation, key hierarchy; trust model between telco network, vertical service network and user; hybrid authentication management with either/both network provider and service provider; EAP-AKA’ and 5G-AKA authentication for the attach procedure
- Threats: malware; TFTP MitM attacks; bot DDoS; firmware hacks; user identity theft
Administration
- Elements: enhanced subscriber privacy
- Controls: concealment of subscriber identity via SUCI
- Threats: privacy breach

NR RAN
Physical
- Elements: secured hardware
- Controls: physical security measures at the RAN site (security fence, CCTV, physical locks, etc.)
- Threats: device tampering; damage to RAN network elements
Technical
- Elements: cryptographic algorithms; air interface jamming protection; fronthaul and backhaul security
- Controls: detection mechanism for DDoS attacks (e.g. threshold-based detection of RRC requests); quantum key distribution for signalling encryption; anti-jamming mobile offloading mechanisms; IPsec tunnel security for transport links
- Threats: MitM attack; jamming; IMSI catching; flooding attacks; rogue nodes; signalling fraud; signalling storm
Administration
- Elements: secured user access
- Controls: user access control
- Threats: unauthorised access; data/information exfiltration
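The threshold-based detection of RRC requests listed above as a RAN control can be demonstrated on a log of RRC setup requests. The following is an added example, not code from the Technical Code or from any vendor: it keeps a per-cell sliding window over constructed sample log lines (the log format, the 10 s window and the threshold of 50 requests per window are assumptions for the example) and raises one alert per cell when the count in the window exceeds the threshold. It also reports how many distinct UE identities appeared in the window, since a burst of requests from many never-seen identities in one cell is the signalling-storm and flooding pattern named in the threats column.

```python
"""Threshold-based detection of RRC setup request floods, per cell, over a sliding window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_S = 10     # sliding window length in seconds (assumed tuning value)
THRESHOLD = 50    # RRC setup requests per cell per window above which we alert (assumed)


def parse_line(line):
    """Assumed log format: "<ISO timestamp> cell=<cell id> ue=<UE identity> <RRC message>"."""
    ts, cell, ue, msg = line.split()
    return datetime.fromisoformat(ts), cell.split("=", 1)[1], ue.split("=", 1)[1], msg


def detect_rrc_floods(lines, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return one alert per flooded cell: (cell, time of first breach, requests in window, distinct UEs)."""
    windows = defaultdict(deque)   # cell -> deque of (timestamp, ue) for requests still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, cell, ue, msg = parse_line(line)
        if msg != "RRCSetupRequest":
            continue                  # only setup requests count towards the flood metric
        q = windows[cell]
        q.append((ts, ue))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()               # drop requests that have fallen out of the window
        if len(q) > threshold and cell not in alerted:
            distinct = len({u for _, u in q})
            alerts.append((cell, ts.isoformat(), len(q), distinct))
            alerted.add(cell)         # alert once per cell; re-arm when the flood subsides if needed
    return alerts


def build_sample_log():
    """Constructed sample log (not real gNB output): one benign cell and one flooded cell."""
    base = datetime(2020, 6, 10, 10, 0, 0)
    lines = []
    for i in range(5):                # cell 1001: one request every 2 s, normal load
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} cell=1001 ue=u{i} RRCSetupRequest")
    for i in range(60):               # cell 2002: 60 requests within 3 s, each from a different identity
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} cell=2002 ue=x{i} RRCSetupRequest")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} cell=2002 ue=x1 RRCSetupComplete")
    return lines


if __name__ == "__main__":
    for cell, when, count, distinct in detect_rrc_floods(build_sample_log()):
        print(f"ALERT cell={cell} at {when}: {count} RRC setup requests in {WINDOW_S}s "
              f"from {distinct} UE identities")
```

The alert fires on the 51st request in cell 2002, 2.5 s into the burst; cell 1001 never exceeds the threshold. In production the window and threshold would be set per cell from observed baselines, and the distinct-identity count is what separates a genuine mass re-attach (many real UEs after an outage) from spoofed identities.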
Edge Network
Physical
- Elements: secured hardware
- Controls: physical security measures for MEC elements (anti-theft, anti-damage, access control, etc.)
- Threats: device tampering; damage to MEC elements
Technical
- Elements: NFV/SDN security; network slicing security; MEC security; cloud security; fronthaul and backhaul security
- Controls: resource isolation and multi-layer isolation (zoning isolation); security isolation mechanism and policy; software-defined segmentation; encryption of sensitive security assets; IPsec tunnel security for transport links
- Threats: DDoS and DoS attacks; CP/UP sniffing; MEC backhaul sniffing; MEC server vulnerabilities; slice/resource theft; rogue MEC gateway; API vulnerability exploits; side-channel attacks; roaming partner vulnerabilities; signalling fraud
Administration
- Elements: secured user access
- Controls: user access control
- Threats: improper access control; data/information exfiltration
Core Network
Physical
- Elements: secured hardware
- Controls: physical security measures for core elements (anti-theft, anti-damage, access control, etc.)
- Threats: device tampering; damage to core elements
Technical
- Elements: NFV/SDN security; network slicing security; cloud security; SBA security; fronthaul and backhaul security; inter-networking security; network capability exposure security
- Controls: resource isolation and multi-layer isolation (zoning isolation); security isolation mechanism and policy; software-defined segmentation; authentication framework for SBA using OAuth 2.0; authentication and transport protection between functions using TLS; use of the security edge protection proxy (SEPP) for interconnection security; securing east-west traffic
- Threats: DDoS and DoS attacks; CP/UP sniffing; slice/resource theft; API vulnerability exploits; side-channel attacks; roaming partner vulnerabilities; signalling fraud
Administration
- Elements: secured user access
- Controls: user access control
- Threats: improper access control; data/information exfiltration
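The SBA controls above (OAuth 2.0 authorisation between network functions, TLS for transport protection) can be illustrated on the token side. In TS 33.501 the NRF acts as the OAuth 2.0 authorisation server and issues a JWS-protected access token whose claims name the issuing NRF, the consumer NF, the producer NF type as audience and the permitted NF services as scope; the producer NF checks the token before serving a request. The following is an added example, not code from the Technical Code or from 3GPP: it issues such a token and performs the producer-side checks using a MAC-protected JWS (TS 33.501 allows either a MAC or a digital signature). The shared key, the NRF identifier and the NF instance and service names are assumed for the example; TLS between the functions is assumed and not shown.

```python
"""Issue and verify an OAuth 2.0 access token for an SBA NF service request (JWS, HMAC-SHA256)."""
import base64
import hashlib
import hmac
import json
import time

NRF_KEY = b"example-nrf-mac-key"        # assumed key shared between the NRF and the producer NF
TRUSTED_NRF = "nrf-01.5gc.example"      # assumed NRF instance identifier used as the "iss" claim


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(consumer_id, producer_type, scope, ttl=3600, now=None, key=NRF_KEY):
    """NRF side: build the claims set from TS 33.501 (iss, sub, aud, scope, exp) and MAC-protect it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TRUSTED_NRF, "sub": consumer_id, "aud": producer_type,
              "scope": scope, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_access_token(token, my_nf_type, requested_service, now=None, key=NRF_KEY):
    """Producer side: returns (True, consumer id) or (False, reason). The MAC is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"            # never let the token choose the algorithm ("none", etc.)
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != TRUSTED_NRF:
        return False, "untrusted issuer"
    if claims.get("aud") != my_nf_type:
        return False, "audience mismatch"         # token was issued for a different producer NF type
    if requested_service not in claims.get("scope", "").split():
        return False, "scope missing"             # consumer is not authorised for this NF service
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    token = issue_access_token("smf-01", "UDM", "nudm-sdm nudm-uecm", now=now)
    print(verify_access_token(token, "UDM", "nudm-sdm", now=now))      # (True, 'smf-01')
    print(verify_access_token(token, "AMF", "nudm-sdm", now=now))      # (False, 'audience mismatch')
```

The order of the checks matters: the MAC is verified over the encoded header and payload before any field is parsed, so a token whose audience or scope was rewritten in transit fails at the signature step rather than reaching the claim checks.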
Application/Services
Physical
- Elements: secured hardware
- Controls: physical security measures for network elements (anti-theft, anti-damage, access control, etc.); physically secured IoT endpoints
- Threats: device tampering; damage to network elements
Technical
- Elements: vertical industry applications; NB-IoT; STIR/SHAKEN
- Controls: securing third-party application interfaces; enforcing cloud security policies; enforcing API security; root of trust for IoT endpoints
- Threats: API vulnerabilities; application server vulnerabilities; application vulnerability exploits; DDoS and DoS attacks; hacking of IoT endpoints; spam calls
Administration
- Elements: secured user access
- Controls: user access control
- Threats: improper access control; data/information exfiltration
Operations
Physical
- Elements: secured hardware
- Controls: physical security measures for network elements (anti-theft, anti-damage, access control, etc.)
- Threats: device tampering; damage to network elements
Technical
- Elements: NIST’s IPDRR (identify, protect, detect, respond and recover) framework
- Controls: system security monitoring, auditing and traceability; system integrity protection via secure boot
- Threats: DDoS and DoS attacks; MitM; hacking
Administration
- Elements: change management; business continuity; incident management; operational resiliency; secured user access
- Controls: privacy procedures for handling user data during network O&M routines; enforcement of security rules for O&M tasks; in-house/third-party audits; user access control
- Threats: privacy breach; improper access control; vulnerable networks and systems; data/information exfiltration
6 5G Security Elements and Recommendations
5G Security Elements Severity

Core network functions: Critical
- Example key elements: user equipment authentication, roaming and session management functions; user equipment data transport functions; access policy management; registration and authorisation of network services; storage of end-user and network data; links with third-party mobile networks; exposure of core network functions to external applications; attribution of end-user devices to network slices.
- Description: a threat affecting the core network affects the confidentiality, integrity and availability of the entire network, with the added risk of sensitive data leakage, since sensitive data is transmitted through the core network components.

NFV management and network orchestration (MANO): Critical
- Description: many highly important functions, such as core access and control functions, lawful interception, and security and cryptographic functions, are located in this area. Attacks here affect functions necessary to operate the 5G network.

Management systems and supporting services (other than MANO): High
- Example key elements: security management systems; billing and other support systems such as network performance.
- Description: despite not carrying network traffic, any attack on this area can put the entire network at risk of sabotage and malicious attacks disrupting the entire 5G network.

Criteria for evaluating 5G security element severity:
1) Type of impact – compromised confidentiality, integrity and/or availability of the network.
2) Scale of impact – number of affected users, service downtime, number of nodes affected, etc.
Radio access network (RAN): Medium
- Example key elements: base stations.
- Description: some network functions considered less sensitive in traditional networks become more sensitive in 5G because they handle user data or perform smart, sensitive functions. With the introduction of MEC, more sensitive network functions are physically moved from the core network closer to the edge.

Transport and transmission functions: High
- Example key elements: low-level network equipment (routers, switches, etc.); filtering equipment (e.g. firewalls, IPS).
- Description: the sensitivity of transport and transmission functions depends on various factors, such as their role in the transmission network.

Internetwork exchanges: High
- Example key elements: IP networks external to MNO premises; network services provided by third parties.
- Description: the sensitivity of internetwork exchanges depends on various factors, such as their interconnection role between network operators.

Source: NIS Cooperation Group – EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks
5G Security: NIST Recommendation

Identify
Develop an organisational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks allows an organisation to focus and prioritise its efforts, consistent with its risk management strategy and business needs.

Protect
Outline the appropriate safeguards to ensure delivery of critical infrastructure services, supporting the ability to limit or contain the impact of a potential cybersecurity event.

Detect
Define the appropriate activities to identify the occurrence of a cybersecurity event, allowing timely discovery of cybersecurity events.

Respond
Outline the activities to take action regarding a detected cybersecurity incident, supporting the ability to contain its impact.

Recover
Identify the appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired by a cybersecurity incident, supporting timely recovery to normal operations to reduce the incident’s impact.
7 5G Technical Feedback
5G Security Requirement Feedback (Celcom, CSM)
Comments/suggestions on the proposed Technical Code

Scope
- Versioning and control are required for the 5G Security Technical Code documentation.
- Apply relevant and verified security technical requirements from global key standardisation bodies and industry forums involved in 5G, for various criteria (e.g. business case, network design, architecture, etc.).
- Classification and categorisation of the various 5G security areas of concern.
- Identification and investigation of the level of 5G network exposure scenarios.
- Identification of the security requirement sources to be considered in developing the technical security requirements (risks, legal requirements and business requirements).
- Security threats need to be added to the documentation. The threats are mapped to the security controls proposed, so that all the threats can be mitigated by the proposed controls.
- For network encryption defined in the documentation, it is recommended to refer to the “AKSA MySEAL” guidelines proposed by MySEAL.

Clause 5: Security Architecture or Security Controls
- The 5G Security Technical Code documentation is expected to have various versions to cover additional 5G security requirements and updates.
- To protect key assets, 18 security areas having threats and risks that require attention and countermeasures are proposed.
- Security control is to be included in the documentation as it is more suitable to be discussed in the Malaysian environment.

Sub-Clause 5: Domains or Classes
- Security domain is to be included as it is more suitable to be implemented at telco sites, and security classes can be listed under the sub-security domain.
5G Security Requirement Feedback (Maxis, NACSA, TM)
Comments/suggestions on the proposed Technical Code

Scope
- Security handling details, such as a detailed list of threats and vulnerabilities, along with incident handling/threat mitigation.
- Technical Code documentation is required to cover the following security areas:
a) Network domain security – service based architecture (SBA) or network slicing
b) Data protection algorithms
c) Network element security
d) Device security
e) Identity management
- Requirements for establishing, implementing, maintaining and enhancing an information and network security management system applicable to all types of organisation have to be covered in the documentation.
- Technical Code documentation must cover the following areas as well:
a) System infrastructure requirements
b) Minimum installation guidelines and standards
c) Minimum technical and performance specifications for the service.
- Include measurement of security controls, for example additional latency due to security inspection, processing, handshaking, cryptography workload, etc.

Clause 5: Security Architecture or Security Controls
- Security control is to be included in the documentation as it allows operators to have a detailed baseline of relevant security risks, along with standard countermeasures based on the controls specified, to minimise data loss/leakage and service interruption.
- Security control is to be included in the documentation as it allows the implementation of a comprehensive organisational risk management process.
- The security control category is to be further classified into physical, technical and administration elements.
- Security architecture per domain is to be included as the security content has to be end-to-end for visualisation, and it must cover the security requirements for the NSA and SA architectures of the 5G network.

Sub-Clause 5: Domains or Classes
- Security domains, as they will help operators to identify the needed security features in each listed domain. This would help in defining rules for users, processes, systems and services that apply to activity within the domains.
- Security classes are to be included in order to address all the basic criteria for an efficient data security plan as a baseline.
- Security domain is to be included as it iterates all the requirements for security controls for each domain.
Acknowledgements
Members of the Application Security Sub Working Group
Mr Azlan Mohamed Ghazali (Chairman), KPMG Management & Risk Consulting Sdn Bhd
Mr Mohd Fairuz Ismail (Vice Chairman), KPMG Management & Risk Consulting Sdn Bhd
Ms Norkhadhra Nawawi / Mr Ahmad Syazilie Shamsuddin (Secretariat), Malaysian Technical Standards Forum Bhd
Mr Sazali Musa / Mr Zef Zalmi Mohamed, Celcom Axiata Berhad
Mr Ahmad Dahari Jarno / Mr Farhan Arif Mohamad / Mr Muhammad Ashraff Ruzaidi / Ms Norahana Salimin / Mr Shahrin Baharom, CyberSecurity Malaysia
Mr Mohd Edymainoe Mohd Noh / Mr Syahril Hafiz Abu Hassan / Mr Wong Chup Woh, Maxis Bhd
Mr Ahmad Fairuz Mohamed Noor / Ms Azleyna Ariffin / Ms Siti Hajar Roslan, National Cyber Security Agency
Mr Muhamad Hasyimi Shaharuddin / Mr Shahril Azwar Abas, Telekom Malaysia Berhad
8 Annex 1: Robocall Security Issues and STIR/SHAKEN Framework Recommendation
Robocall Statistics in 2019
Analysing this year’s data, Malaysia is the market that receives the biggest percentage of scam calls in the world. Today, 63% of the top spam calls in Malaysia are fraudulent. Fake insurance and debt-collecting calls are the usual scam calls, and the ‘Astro’ and ‘Macau’ scams have flooded the market in the recent year.

Lately, scammers have been pretending to call from local post delivery services, claiming that a package is stuck somewhere and that the recipient needs to pay before it can be released. Over the past 12 months Malaysia has seen a 24% increase in spam calls, going from 6.7 spam calls per month to 8.3. The study was conducted from 1 January to 31 October.
STIR/SHAKEN Framework
STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) are standards designed to enable service providers to cryptographically sign calls in the SIP (Session Initiation Protocol) header, to help validate incoming calls and to indicate whether fraud is occurring.
With the STIR/SHAKEN standards, SIP headers will carry a level-of-confidence indicator from the originating service provider, signalling whether the party originating the call has the right to use the number. This is conveyed through the attestation field, which is based on the PASSporT (Personal Assertion Token) attestation claim:
• Full Attestation - The service provider has authenticated the calling party, and the calling party is authorised to use the calling number.
• Partial Attestation - The service provider has authenticated the call's origination (e.g., a known customer) but cannot verify whether the call's source is authorised to use the calling number.
• Gateway Attestation - The service provider has authenticated the source from which it received the call but cannot authenticate the call source.
[Figure: STIR/SHAKEN Call Flow. Entities: Originating Service Provider, Authentication Service, Certificate Repository, Terminating Service Provider, Verification Service. Steps as labelled in the figure: (1) SIP INVITE; (2) to (4) SIP INVITE + SIP Identity Header; (5) to (6) the verification service obtains the digital certificate with the public key, decodes the SIP Identity Header and verifies the originating call; (7) verification results from (6); (8) SIP INVITE (call completion). SIP Identity Header contents: PASSporT header, PASSporT payload, PASSporT signature, encryption algorithm, location of the certificate repository.]
Case Study: TRACED Act (USA)
In order to combat the rampant robocall problem in the USA, on December 30th 2019 the President of the United States of America signed the Pallone-Thune TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act, which enforces the following policies and actions, in summary:
1. Extends FCC’s statute of limitations on robocall offenses and increases potential fines
2. Requires an FCC rulemaking helping protect consumers from spam calls and texts (this is already underway)
3. Requires annual FCC report on robocall enforcement and allows for it to formally recommend legislation
4. Requires adoption on a reasonable timeline of the STIR/SHAKEN framework for preventing call spoofing
5. Prevents carriers from charging for the above service, and shields them from liability for reasonable mistakes
6. Requires the attorney general to convene an interagency task force to look at prosecution of offenders
7. Opens the door to Justice Department prosecution of offenders
8. Establishes a handful of specific cutouts and studies to make sure the rules work and interested parties are giving feedback
8 Annex 2: ITU Standards - Security Key Area
ITU Standards - Security Key Area
(Columns: No, Security key area, ITU standards, Descriptions)

No. 1 - Security key area: Public Key Infrastructure (PKI)
ITU standard: ITU-T X.509, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
Descriptions:
a) Provides a security framework for both PKI and Privilege Management Infrastructure (PMI).
b) Used for services such as authentication, encryption and confidentiality, digital signatures, non-repudiation, and authorisation.
c) Applicable to any vendors providing security solutions, profiling and products that are based on PKI and PMI.
d) Defines the framework for both PKI and PMI, which includes infrastructure models, certificate and Certificate Revocation List (CRL) syntax definitions, directory schema object definitions and certificate path processing procedures.

No. 2 - Security key area: Cybersecurity overview
ITU standard: ITU-T X.1205, Overview of cybersecurity
Descriptions:
a) Applicable to any party involved in providing security solutions, profiling and products for various organisations.
b) Provides insight on various cybersecurity threats from an organisational point of view across various network layers, along with threat countermeasures, network protection principles and risk management strategies and techniques.

No. 3 - Security key area: Security architecture for systems providing E2E communications
ITU standard: ITU-T X.805 (NOTE: for further details, refer to Clause 7.)
Descriptions:
a) Required for any party that is performing comprehensive network security assessment and planning.
b) Addresses complex security problems in Next Generation Networks, with their division into layers, planes and elements, and the need to have at hand a holistic security methodology to systematically engineer security for such systems.
c) Provides a comprehensive, multi-layered, E2E network security framework across 8 security dimensions in order to combat network security threats and to achieve E2E security.

No. 4 - Security key area: Security Assertion Markup Language (SAML)
ITU standard: ITU-T X.1141, Security Assertion Markup Language (SAML 2.0)
Descriptions:
a) Extensible Markup Language (XML) based framework used to facilitate the exchange of security information among different organisations with different security domains.
b) Ensures a secured exchange of authentication and authorisation information.
c) Enables Single Sign On (SSO) capabilities, where organisations can share information about user identities and access privileges in a safe, secure and standardised manner.

No. 5 - Security key area: Entity authentication assurance framework
ITU standard: ITU-T X.1254, Entity authentication assurance framework
Descriptions:
a) Affects organisations that provide security-based products, profiling applications and security solutions that require authentication.
b) Defines 4 levels of entity authentication assurance, along with the criteria and threats for each of the four levels.
c) Provides guidance concerning control technologies to be used to mitigate the threats.
d) Provides guidance for mapping the 4 levels of assurance to other authentication assurance schemas and for exchanging the results of authentication based on the four levels of assurance.

No. 6 - Security key area: Common Alerting Protocol (CAP)
ITU standard: ITU-T X.1303, Common alerting protocol (CAP 1.1)
Descriptions:
a) Affects Integrated Public Alert and Warning Systems (IPAWS), as they are based on CAP.
b) Exchanges all-hazard emergency alerts and public warnings over all kinds of networks.
c) Allows a consistent warning message to be disseminated simultaneously over many different warning systems.
d) Increases warning effectiveness while simplifying the alerting task.

No. 7 - Security key area: eXtensible Access Control Markup Language (XACML)
ITU standards: ITU-T X.1142, eXtensible Access Control Markup Language (XACML 2.0); ITU-T X.1144, eXtensible Access Control Markup Language (XACML) 3.0
Descriptions:
a) Covers the eXtensible Access Control Markup Language (XACML).
b) XACML defines an attribute-based access control policy language, architecture and a processing model.
c) Describes how access requests are evaluated according to rules defined in an enterprise policy.
d) Plays an important role within an organisation in providing real-time Role-Based Access Control (RBAC) to protect access to all types of resources within any organisation.

No. 8 - Security key area: Information security management guidelines for telecommunications organisations based on ISO/IEC 27002
ITU standard: ITU-T X.1051, Information technology - Security techniques - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
Descriptions:
a) General principles for initiating, implementing, maintaining and improving information security management in telecommunications organisations.
b) Provides an implementation baseline for information security management to help ensure the confidentiality, integrity and availability of telecommunications facilities and services.
c) Covers several areas in the telecommunication sector such as:
i) information security policies;
ii) organisation of information security;
iii) asset management;
iv) access control;
v) cryptography;
vi) physical and environmental security;
vii) operations security;
viii) communications security;
ix) systems acquisition, development and maintenance;
x) supplier relationships;
xi) information security incident management;
xii) information security aspects of business continuity management; and
xiii) compliance.
d) Addresses several security concerns such as protection of information from unauthorised disclosure, controlled installation and use of telecommunication facilities and provision of authorised access to telecommunication facilities when necessary.

No. 9 - Security key area: Interactive gateway system for countering spam
ITU standard: ITU-T X.1243, Interactive gateway system for countering spam
Descriptions:
a) Enables spam notification among different domains and prevents spam traffic from passing from one domain to another.
b) Specifies the architecture for the gateway system and describes basic entities, protocols and functions of the system.
c) Specifies mechanisms for spam detection, information sharing and specific actions for countering spam.

No. 10 - Security key area: Abstract Syntax Notation One (ASN.1)
ITU standards: ASN.1 specific recommendations: ITU-T X.680 - X.683 and ISO/IEC 8824, Information technology - Abstract Syntax Notation One (ASN.1)
Descriptions:
a) Used for a wide range of applications, such as network management, secure email, cellular telephony, air traffic control, and voice and video over the Internet.
b) Covers various aspects such as the definition of data types and values, Basic Encoding Rules (BER) and Packed Encoding Rules (PER).
c) Applies to various data types under the ASN.1 notation and rules for encoding ASN.1 data values using XML.

No. 11 - Security key area: Cybersecurity Information Exchange (CYBEX) framework
ITU standards: ITU-T X.1500, Overview of cybersecurity information exchange; ITU-T X.1520, Common vulnerabilities and exposures; ITU-T X.1521, Common vulnerability scoring system; ITU-T X.1524, Common weakness enumeration; ITU-T X.1525, Common weakness scoring system; ITU-T X.1526, Language for the open definition of vulnerabilities and for the assessment of a system state; ITU-T X.1528, Common platform enumeration; ITU-T X.1546, Malware attribute enumeration and characterization
Descriptions:
a) Consists of a basic exchange framework with the following extensible functions:
i) structuring cybersecurity information for exchange purposes;
ii) identifying and discovering cybersecurity information and entities;
iii) requesting and responding with cybersecurity information;
iv) exchanging cybersecurity information; and
v) enabling assured cybersecurity information exchange.
b) Creates a common global means for cybersecurity entities to exchange cybersecurity information.
c) Allows cybersecurity information to be exchanged between various organisations for enhanced cybersecurity and infrastructure protection, as well as accomplishing the principal functions performed by cybersecurity teams.