Details of the 5G security assessment process

Officials from the Agency for Cybersecurity and Infrastructure Security and the Department of Defense point the way to allowing agencies to fifth-generation network projects, reporting blind spots to assess security risks associated with certain ways of introducing technology into government systems.

The agency demonstrated on the sample «A study of the 5G security assessment process”Published May 26, on how agencies can use the National Institute of Standards and Technology’s risk management framework in conjunction with a variety of tools, including those developed by industry, to authorize 5G projects as security standards for technology are still being developed.

У blog post Accompanied by the release, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said the agencies were “delighted to present the proposed five-step 5G security assessment process, which stems from security research and analysis.”

“This process allows agencies to conduct a phase of preparation of the National Institute of Standards and Technology’s Risk Management Framework (RMF) to authorize the system,” he said, noting, “The jointly proposed process was designed to address gaps in existing safety assessment guidelines. and standards resulting from new features and services in 5G technology. It identifies important threat structures, 5G security measures, industry security specifications, federal security guidelines, and appropriate methodologies for conducting 5G cybersecurity assessments. ”

A gap, as defined in the paper, arises “when a security requirement exists without an assessment guide, policy, or organization to verify its effectiveness for government operations”. A gap can also occur if it is believed that a security requirement exists to mitigate the threat, but no formal requirements have been established. ”

The authors of the document suggested that the implementers would face major gaps as a leading organization for the development of standards for next-generation network technologies – The Third Generation Partnership Project – and others such as the European Telecommunications Standards Institute and [Open Radio Access Network] The Alliance continues to identify new threats and work on security specifications.

A particularly complex part of the process described by CISA and the US Department of Defense, with the help of NIST staff and MITER, involves setting boundaries for evaluation toward authorization, especially given the complex considerations of providing 5G radio access networks.

“Depending on the boundaries and configuration of the system, a 5G RAN infrastructure may include infrastructure elements from one or more geographic locations and include multiple network switches / routers, base stations and hardware and access point / weaving software,” the statement said. document. reads. “If RAN segments adopt an open, disaggregated RAN solution, additional Tier 1 vendors (and their hardware and / or software components) will be involved in this phase of security assessment compared to a traditional RAN solution. The level of compatibility and penetration testing is likely to increase, as will the detection and mitigation of potential open RAN attack vectors. ”

The paper pointed to the usefulness of the software list of materials for risk assessment, even in the private 5G network used in the described scenario.

“The example of a private 5G network includes a local RAN segment with RAN slicing to support multiple tenant applications,” officials wrote in defining the appropriate assessment limits. “All hardware and software components, including cloud / frontier platforms and internal and external system interfaces, are subject to security threat and capability analysis. Certain security conditions and warranty requirements may require more investigation, potentially involving Level 2 (and beyond) vendors and evidence of the integrity that accompanies each statement of software. ”

For “network slicing,” the technique used to create segmentation in the “core” of the 5G network, security assessors would be wise to conduct additional testing. including for supply chain threatsofficials said.

“Key features provided by 5G Core include user authentication and authorization, data connectivity, mobility management, subscriber data management, and policy management and control,” they wrote. “Depending on the implementation of the operator’s network … further testing should be reasonable, because cutting the network is a new technology, and the vectors of its threats are not yet fully understood.”

Source link