The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released new guidance on July 17 that provides recommendations to protect against threats to 5G standalone network slicing.
“Network slicing is poised to become a key technology feature within 5G, so it is imperative we understand potential security threats to 5G network slicing,” the agencies said.
The guidance, titled "5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance," was created by the Enduring Security Framework (ESF) – a public-private group that the NSA and CISA lead – after the group looked into the weaknesses of network slicing, which allows 5G providers to divide their networks into several virtual networks.
“While there are standards defining specifications for how operators build their 5G networks, currently network slice specifications requirements are insufficient and need to evolve for the development, implementation, and maintenance of security for network slicing,” the agencies said.
The guidance warns that 5G networks that use network slicing can be targets for specialized attacks, including tampering with slice-specific data usage and misconfiguration of slice-specific information.
The guidance suggests protecting against these attacks with mitigation techniques that include the following:
- Using network slice-specific authentication and authorization by leveraging Network Slice-Specific Authentication and Authorization (NSSAA) to protect against unauthorized access;
- Employing a dedicated intermediate certificate authority (ICA) that is used for life-cycle management of the certificates issued to the network functions (NF) belonging to a particular slice;
- Employing an authorization server to provide attribute- and role-based access control (RBAC) of humans and machines to perform per-slice configuration, fault, and performance management;
- Ensuring that slice-specific logging can also be performed; and
- Employing a security vault to provide confidentiality and integrity of all sensitive and security data.
The guidance also makes key recommendations for cloud hardening, which include employing cloud identity and access management (IAM) features to ensure that only authenticated, authorized administrators can make changes, as well as configuring the storage supporting the 5G system to use access control, integrity assurance and encryption.