ENISA, the European Union Agency for Cybersecurity, has published its Threat Landscape for 5G Networks report, assessing the threats related to the fifth generation of mobile telecommunications networks (5G).

This report complements the EU Member States report on EU-wide risk assessments on 5G security released in October 2019.

According to the report, ‘the technological changes introduced by 5G will increase the overall attack surface and the number of potential entry points for attackers:

  • Enhanced functionality at the edge of the network and a less centralised architecture than in previous generations of mobile networks means that some functions of the core networks may be integrated in other parts of the networks making the corresponding equipment more sensitive (e.g. base stations or MANO functions);
  • the increased part of software in 5G equipment leads to increased risks linked to software development and update processes, creates new risks of configuration errors, and gives a more important role in the security analysis to the choices made by each mobile network operator in the deployment phase of the network.

These new technological features will give greater significance to the reliance of mobile network operators on third-party suppliers and to their role in the 5G supply chain.

This will, in turn, increase the number of attack paths that could be exploited by threat actors, in particular non-EU state or state-backed actors, because of their capabilities (intent and resources) to perform attacks against EU Member States' telecommunications networks, as well as the potential severity of the impact of such attacks.

In this context of increased exposure to attacks facilitated by third-party suppliers, the individual risk profile of suppliers will become particularly important, in particular where a supplier has a significant presence within networks or areas:

  • A major dependency on a single supplier increases the exposure to and consequences of a potential failure of this supplier. It also aggravates the potential consequences of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
  • If some of the new use cases envisioned for 5G come to fruition, 5G networks will end up being an important part of the supply chain of many critical IT applications, and as such not only confidentiality and privacy requirements will be impacted, but also the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.

Together, these challenges create a new security paradigm, making it necessary to reassess the current policy and security framework applicable to the sector and its ecosystem and essential for Member States to take the necessary mitigating measures.

This requires identifying potential gaps in existing frameworks and enforcement mechanisms, ranging from the implementation of cybersecurity legislation, the supervisory role of public authorities, and the respective obligations and liability of operators and suppliers.

In order to address the above-described risks and to make full use of potential security opportunities linked to the 5G technology, various types of measures may be considered. Among these measures, some of them are already in place, at least partially. This concerns in particular security requirements applicable to previous generations of mobile networks and which remain valid for the future deployment of 5G networks. 

In addition, for many of the identified risks, particularly those affecting the core or access levels, contingency approaches have been defined through standardisation by 3GPP.

However, the fundamental differences in how 5G operates also mean that the current security measures as deployed on 4G networks might not be wholly effective or sufficiently comprehensive to mitigate the identified security risks. Furthermore, the nature and characteristics of some of these risks make it necessary to determine if they may be addressed through technical measures alone.

The assessment of these measures will be undertaken in the subsequent phase of the implementation of the Commission Recommendation. This will lead to the identification of a toolbox of appropriate, effective and proportionate possible risk management measures to mitigate cybersecurity risks identified by Member States within this process.

Consideration should also be given to the development of the European industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc.’

You can read the full report here: https://ec.europa.eu/digital-single-market/en/news/enisa-publishes-threat-landscape-5g-networks