Cybersecurity And The EU's Regime For 5G Networks

According to the EU Coordinated Risk Assessment of 5G Networks Security, published this month, the cybersecurity of 5G networks is an essential requirement to protect EU members economies and societies and to enable the full potential of the important opportunities they will bring.  
 
It is also crucial for ensuring the strategic autonomy of the European Union. But what exactly are 5G Networks? The definition is provided in the EU Commission Recommendation Cybersecurity of 5G network:
 
“5G networks mean a set of all relevant network infrastructure elements for mobile and wireless communications technology used for connectivity and value-added services with advanced performance characteristics such as very high data rates and capacity, low latency communications, ultra-high reliability, or supporting a high number of connected devices. These may include legacy networks elements based on previous generations of mobile and wireless communications technology such as 4G or 3G. 5G networks should be understood to include all relevant parts of the network”.
 
With worldwide 5G revenues estimated at €225 billion in 2025, It could include a ‘diverse range of services essential for the functioning of the internal market as well as for the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, and health, as well as industrial control systems. The organisation of democratic processes, such as elections, is also expected to rely more and more on digital infrastructure and 5G networks’.
 
5G networks embody several new technological features, these incldude: 
 
Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies. This will represent a major shift from traditional network architecture as functions will no longer be built on specialised hardware and software. Instead, functionality and differentiation will take place in the software. From a security perspective, this may bring certain benefits by allowing for facilitated updating and patching of vulnerabilities;
 
Network slicing. This will make it possible to support to a high degree the separation of different service layers on the same physical network, thus increasing the possibilities to offer differentiated services over the whole network.
 
● Mobile Edge Computing. Which allows the network to steer traffic to computing resources and third-party services close to the end-user, thus ensuring low response times. Enhanced functionality at the edge of the network and a less centralized architecture than in previous generations of mobile network.
 
According to the section1.16 of the European report, these new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.
 
At the same time, 5G technologies and standards could improve security compared to previous generations of mobile networks, due to several new security functions, such as stricter authentication processes in the radio interface (section 1.18).
 
These new security features will however not all be activated by default in the network equipment and their implementation will greatly depend upon how the operators deploy and manage their networks.
 
The EU report also approaches the deployment of 5G networks is taking place in a complex global cybersecurity threat landscape, notably characterised by an increase in supply-chain attacks. Overall, threats considered most relevant are the principal traditional categories of threats: these concerns are related to the compromise of confidentiality, availability and integrity (section 2.3).
 
More specifically, a number of threat scenarios targeting 5G networks were found to be particularly concerning:
 
● Local or global 5G network disruption (Availability)
 
● Spying of traffic/data in the 5G network infrastructure (Confidentiality)
 
● Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality)
 
● Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).
 
The EU report has a detailed  analysis showing potential vulnerabilities related to hardware, software, processes and policies,  supplier-specific vulnerabilities, risk scenarios related to insufficient security measures and to the 5G supply chain.
 
From the end-user perspective and the companies risk’s concerns, the most important part of the report is related to the existing mitigating measures/security baseline, which means that in EU level we are speaking about EU telecoms legislation and in the NIS Directive.
 
Under the EU telecommunications framework, obligations can be imposed on telecommunication operators by the relevant Member State(s) in which it is providing service. On the other hand, the NIS Directive requires operators of essential services in other fields (energy, finance, healthcare, transport, water, etc.) to take appropriate security measures and to notify serious incidents to the relevant national authority. The NIS Directive also foresees coordination between Member States in case of cross-border risks and incidents. 
 
Other relevant frameworks at EU and national level include data protection and privacy rules (in particular the General Data Protection Regulation and e-Privacy Directive) as well as requirements applicable to critical infrastructures. In addition, various security measures may already be applied by mobile network operators, for instance: technical measures (e.g. encryption, authentication, automation, anomaly detection) or process-related measures (e.g. vulnerability management, incident and response planning, user-privilege management, disaster recovery planning). Finally, from a standardisation perspective, 3GPP SA3 has addressed several 5G security-related concerns, advocating, inter alia, end-to-end encryption. However, the work carried out within these bodies does not deal with security concerns related to the deployment and configuration of the technology.
 
The cybersecurity new era is coming. 5G networks increase the technological quality of the internet and at the same time, open new vulnerabilities. Cybercriminals, hackers and different sorts of attacks will push regulatory and compliance measures for the centre of the EU Member States and companies agenda of priorities. 
 
Joao Paro is a regulatory consultant at Compliance and Risks  
 
You Might Also Read:
 
The EU's New Cybersecurity Certification Framework:
 
A Cyber Compliance Economy:
 
 
« Lost Russian Cyber Spies Return
Just A Normal Day At The Office For Huawei »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

WEBINAR: How To Build And Implement An Effective Endpoint Detection And Response Strategy

WEBINAR: How To Build And Implement An Effective Endpoint Detection And Response Strategy

Join this webinar to learn how the cloud threat landscape is evolving and organizations are deploying more advanced and capable security controls at scale.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Fredda Stanza

Fredda Stanza

Fredda Stanza specialize in Information Security and Forensics Consulting.

National Association of Software and Services Companies (NASSCOM)

National Association of Software and Services Companies (NASSCOM)

NASSCOM is a trade association of Indian Information Technology and Business Process Outsourcing industry. Areas of activity include cyber security.

National Intelligence Service (NIS) - South Korea

National Intelligence Service (NIS) - South Korea

The NIS oversees policy on cyber security in South Korea by formulating and coordinating the execution of such policy and devising necessary schemes and guidelines.

VerifyMe

VerifyMe

VerifyMe is a global technology solutions company delivering brand protection offerings to mitigate counterfeiting, product diversion, and illicit trade.

Vuntie

Vuntie

Vuntie blend European craftsmanship, performance and open-source technology to deliver cybersecurity services including penetration testing, incident response, training and consultancy.

C3.ai

C3.ai

The C3 AI Suite supports configurable, pre-built, high value AI applications for predictive maintenance, fraud detection, anti-money laundering, sensor network health and more.

Cybil

Cybil

Cybil is a publicly-available portal where members of the international cyber capacity building community can find and share information to support the design and delivery of programs and projects.

Silicon Cloud International

Silicon Cloud International

Silicon Cloud is a high performance and secure cloud computing platform for engineering and scientific applications.

DNX Ventures

DNX Ventures

Based in Silicon Valley and Tokyo, DNX Ventures is an early stage VC for B2B startups in sectors including Cybersecurity.

Red Sky Alliance

Red Sky Alliance

Red Sky Alliance (Wapack Labs Corp) is a cyber threat intelligence firm that delivers proprietary intelligence data, analysis and in-depth strategic reporting.

Prevasio

Prevasio

Prevasio is a next-gen Cloud Security Posture Management (CSPM) with a built-in Vulnerability and Anti-Malware Scan for Containers.

Cyber Chasse

Cyber Chasse

Cyber Chasse is an IT consulting and staffing company offering a full range of cybersecurity solutions, contract staffing services and online training courses.

Gridware

Gridware

Gridware is a specialised cybersecurity consultancy firm and an emerging global player in the cybersecurity intelligence and advisory field.

IBM Security

IBM Security

IBM manufactures and markets computer hardware, middleware and software, and offers hosting and consulting services in areas ranging from mainframe computers to nanotechnology.

Marlink

Marlink

Marlink smartly integrates hybrid, future-ready network solutions so you can benefit from the best available connectivity and IT to accelerate your digitalisation and empower your remote operations.