By Syed Jawad Imam Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa

For operators' 5G security, the security and resilience of their networks need to be enhanced, network data and basic user data need to be protected, and network security capabilities need to be opened up to meet vertical industries' security requirements. Huawei recommends the following methods for operators to ensure 5G network security.
Build and operate secure and resilient networks:
Operators can build secure and resilient networks by establishing a defense-in-depth system across security planning, design, deployment, and operations, and by identifying and controlling key risks in live network services through the IPDRR methodology (Identify, Protect, Detect, Respond, Recover). They do so with the support of suppliers' product security capabilities and in accordance with industry standards and best practices such as the 3GPP specifications, the NIST CSF, and the GSMA 5G Cybersecurity Knowledge Base.
- Operators build a comprehensive 5G network protection system through security planning, design, and
  - Management plane protection: Operators build an independent management-plane network, isolate it from the Internet, divide it into security zones, and deploy protection measures such as firewalls, intrusion detection, and data leakage prevention. A bastion host, multi-factor authentication, and zero trust solutions are used for O&M access control, and all O&M activities are logged and audited.
  - Signaling plane protection: To protect the signaling plane between networks, operators use devices such as the SEPP and a signaling firewall to screen and monitor incoming and outgoing signaling. To protect intra-network signaling, they plan security zones on the signaling plane, provide inter-domain protection and slice signaling protection, and protect the APIs used for network capability openness.
  - User plane protection: Operators secure 5G user-plane NFs such as the MEC and UPF, and provide network-layer encryption and integrity protection to safeguard user data in transit.
  - Cloud infrastructure protection: Operators protect the cloud platform, cloud-based virtual resources, virtual networks, and container environments, and leverage cloud capabilities, such as cloud services and rapid iteration and evolution, to improve their security protection.
- Operators build the security operations platform and system for efficient and intelligent operations.
  - Build a security situational awareness and security operations center: Operators build comprehensive security situational awareness for 5G networks; use cloud, big data, artificial intelligence (AI), and machine learning technologies to improve the automation and intelligence of security operations; and speed up risk discovery, identification, and closed-loop handling to make security operations more efficient.
  - Build a security operations and O&M management system: Operators build a comprehensive security O&M management process covering service-ticket-triggered operations, prior approval, least-privilege access, operation monitoring, regular risk assessment, and audit by the operator or a third party. They enhance the standardization, automation, and intelligence of the security operations process. They also strengthen the exchange, sharing, and integration of threat intelligence and vulnerability information with external organizations such as industry bodies and suppliers.
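The audit step of the O&M process above can be checked mechanically. The script below is an added illustration written for this page, not Huawei's code: it assumes a constructed change-ticket register, a constructed bastion-host list and constructed bastion audit lines, and flags O&M activity with no approved ticket, access from outside the bastion host, activity outside the ticket's approved window, and a role exceeding what the ticket approved.

```python
# Added example (not Huawei's code): check O&M audit records against approved change tickets.
# The ticket register, bastion-host list and log lines below are all constructed.
APPROVED_TICKETS = {
    "CHG-1001": dict(user="alice", target="upf-01", role="readonly",
                     start="2024-05-01T08:00:00", end="2024-05-01T12:00:00"),
    "CHG-1002": dict(user="bob", target="amf-02", role="admin",
                     start="2024-05-01T09:00:00", end="2024-05-01T10:00:00"),
}
BASTION_HOSTS = {"10.10.0.5"}   # the only source allowed to reach management-plane NFs
ROLE_RANK = {"readonly": 0, "operator": 1, "admin": 2}
# Constructed bastion audit records: time user source target ticket role command
SAMPLE_LOG = """\
2024-05-01T08:15:00 alice 10.10.0.5 upf-01 CHG-1001 readonly show-session-stats
2024-05-01T08:20:00 alice 10.10.0.5 upf-01 CHG-1001 admin set-qos-profile
2024-05-01T09:30:00 bob 10.10.0.5 amf-02 CHG-1002 admin restart-service
2024-05-01T11:00:00 bob 10.10.0.5 amf-02 CHG-1002 admin restart-service
2024-05-01T11:05:00 carol 192.0.2.44 smf-01 - admin export-subscriber-table
"""
def parse_line(line):
    """Split one audit record into its fields; the command may contain spaces."""
    ts, user, src, target, ticket, role, cmd = line.split(maxsplit=6)
    return dict(ts=ts, user=user, src=src, target=target, ticket=ticket, role=role, cmd=cmd)
def check_event(ev, tickets=APPROVED_TICKETS, bastions=BASTION_HOSTS):
    """Return the policy violations for one O&M event (empty list if it is clean)."""
    findings = []
    if ev["src"] not in bastions:
        findings.append("source-not-bastion")
    t = tickets.get(ev["ticket"])
    if t is None:                                   # "-" (no ticket) or an unknown ticket id
        findings.append("no-approved-ticket")
        return findings
    if t["user"] != ev["user"]:
        findings.append("ticket-user-mismatch")
    if t["target"] != ev["target"]:
        findings.append("ticket-target-mismatch")
    if not (t["start"] <= ev["ts"] <= t["end"]):    # ISO-8601 timestamps compare lexically
        findings.append("outside-approved-window")
    if ROLE_RANK[ev["role"]] > ROLE_RANK[t["role"]]:
        findings.append("role-exceeds-approval")
    return findings

def audit(log_text):
    """Map each offending audit line to its findings; clean lines are omitted."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {l: f for l in lines if (f := check_event(parse_line(l)))}

if __name__ == "__main__":
    for line, f in audit(SAMPLE_LOG).items():
        print(", ".join(f), "<-", line)
```

The same checks can be fed from a real bastion's session log and ticketing export once the two field layouts are mapped onto `parse_line` and `APPROVED_TICKETS`.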
Enhance data security protection:
Operators can provide communication-channel encryption for users' application-layer data, and they should protect network data and basic user data throughout the data lifecycle to prevent breaches. Application providers provide end-to-end encryption for application-layer data, so when users' application-layer data, such as online payment or shopping data, is transmitted over operators' networks, network nodes cannot parse it and it remains invisible to operators and equipment vendors.
Open network security capabilities:
Operators build a network security capability openness platform to open up security capabilities, such as authentication, network encryption, and anti-DDoS, to meet vertical industries' security requirements. Network security needs to evolve continuously to address new potential security risks arising from the open Internet and the development of new services. In-house security audits, third-party security audits, or both should be encouraged as a best practice for strengthening mobile networks (not only 5G). Operators need to be alert and always one step ahead of possible security threats.