Cybersecurity And The EU's Regime For 5G Networks

According to the EU Coordinated Risk Assessment of 5G Networks Security, published this month, the cybersecurity of 5G networks is an essential requirement to protect EU members economies and societies and to enable the full potential of the important opportunities they will bring.  
 
It is also crucial for ensuring the strategic autonomy of the European Union. But what exactly are 5G Networks? The definition is provided in the EU Commission Recommendation Cybersecurity of 5G network:
 
“5G networks mean a set of all relevant network infrastructure elements for mobile and wireless communications technology used for connectivity and value-added services with advanced performance characteristics such as very high data rates and capacity, low latency communications, ultra-high reliability, or supporting a high number of connected devices. These may include legacy networks elements based on previous generations of mobile and wireless communications technology such as 4G or 3G. 5G networks should be understood to include all relevant parts of the network”.
 
With worldwide 5G revenues estimated at €225 billion in 2025, It could include a ‘diverse range of services essential for the functioning of the internal market as well as for the maintenance and operation of vital societal and economic functions – such as energy, transport, banking, and health, as well as industrial control systems. The organisation of democratic processes, such as elections, is also expected to rely more and more on digital infrastructure and 5G networks’.
 
5G networks embody several new technological features, these incldude: 
 
Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies. This will represent a major shift from traditional network architecture as functions will no longer be built on specialised hardware and software. Instead, functionality and differentiation will take place in the software. From a security perspective, this may bring certain benefits by allowing for facilitated updating and patching of vulnerabilities;
 
Network slicing. This will make it possible to support to a high degree the separation of different service layers on the same physical network, thus increasing the possibilities to offer differentiated services over the whole network.
 
● Mobile Edge Computing. Which allows the network to steer traffic to computing resources and third-party services close to the end-user, thus ensuring low response times. Enhanced functionality at the edge of the network and a less centralized architecture than in previous generations of mobile network.
 
According to the section1.16 of the European report, these new features will bring numerous new security challenges. In particular, they will give additional prominence to the complexity of the telecoms supply chain in the security analysis, with various existing or new players, such as integrators, service providers or software vendors, becoming even more involved in the configuration and management of key parts of the network.
 
At the same time, 5G technologies and standards could improve security compared to previous generations of mobile networks, due to several new security functions, such as stricter authentication processes in the radio interface (section 1.18).
 
These new security features will however not all be activated by default in the network equipment and their implementation will greatly depend upon how the operators deploy and manage their networks.
 
The EU report also approaches the deployment of 5G networks is taking place in a complex global cybersecurity threat landscape, notably characterised by an increase in supply-chain attacks. Overall, threats considered most relevant are the principal traditional categories of threats: these concerns are related to the compromise of confidentiality, availability and integrity (section 2.3).
 
More specifically, a number of threat scenarios targeting 5G networks were found to be particularly concerning:
 
● Local or global 5G network disruption (Availability)
 
● Spying of traffic/data in the 5G network infrastructure (Confidentiality)
 
● Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality)
 
● Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).
 
The EU report has a detailed  analysis showing potential vulnerabilities related to hardware, software, processes and policies,  supplier-specific vulnerabilities, risk scenarios related to insufficient security measures and to the 5G supply chain.
 
From the end-user perspective and the companies risk’s concerns, the most important part of the report is related to the existing mitigating measures/security baseline, which means that in EU level we are speaking about EU telecoms legislation and in the NIS Directive.
 
Under the EU telecommunications framework, obligations can be imposed on telecommunication operators by the relevant Member State(s) in which it is providing service. On the other hand, the NIS Directive requires operators of essential services in other fields (energy, finance, healthcare, transport, water, etc.) to take appropriate security measures and to notify serious incidents to the relevant national authority. The NIS Directive also foresees coordination between Member States in case of cross-border risks and incidents. 
 
Other relevant frameworks at EU and national level include data protection and privacy rules (in particular the General Data Protection Regulation and e-Privacy Directive) as well as requirements applicable to critical infrastructures. In addition, various security measures may already be applied by mobile network operators, for instance: technical measures (e.g. encryption, authentication, automation, anomaly detection) or process-related measures (e.g. vulnerability management, incident and response planning, user-privilege management, disaster recovery planning). Finally, from a standardisation perspective, 3GPP SA3 has addressed several 5G security-related concerns, advocating, inter alia, end-to-end encryption. However, the work carried out within these bodies does not deal with security concerns related to the deployment and configuration of the technology.
 
The cybersecurity new era is coming. 5G networks increase the technological quality of the internet and at the same time, open new vulnerabilities. Cybercriminals, hackers and different sorts of attacks will push regulatory and compliance measures for the centre of the EU Member States and companies agenda of priorities. 
 
Joao Paro is a regulatory consultant at Compliance and Risks  
 
You Might Also Read:
 
The EU's New Cybersecurity Certification Framework:
 
A Cyber Compliance Economy:
 
 
« Lost Russian Cyber Spies Return
Just A Normal Day At The Office For Huawei »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Institute for Critical Infrastructure Technology (ICIT)

Institute for Critical Infrastructure Technology (ICIT)

ICIT is a leading cybersecurity think tank providing objective research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders.

Netwrix

Netwrix

Netwrix empowers information security and governance professionals to identify and protect sensitive data to reduce the risk of a breach.

Niagara Networks

Niagara Networks

Niagara Networks is a Network Visibility industry leader, with emphasis in 1/10/40/100 Gigabit systems and mission-critical IT and security appliances.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

Adzuna

Adzuna

Adzuna is a search engine for job ads used by over 10 million visitors per month that aims to list every job everywhere, including thousands of vacancies in Cybersecurity.

Corsha

Corsha

Corsha is on a mission to simplify API security and allow enterprises to embrace modernization, complex deployments, and hybrid environments with confidence.

SecureWorx

SecureWorx

SecureWorx are a secure multi-cloud MSP, a provider of advanced IT security services and an independent cyber security advisory.

Kyndryl

Kyndryl

Kyndryl has a comprehensive portfolio that leverages hybrid cloud solutions, business resiliency, and network services to help optimize your IT workloads and transformations.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

RiskSmart

RiskSmart

RiskSmart empower risk, compliance, and legal teams with a tech-led and data-driven platform designed to save time, reduce costs and add real value to businesses.

BlueCat Networks

BlueCat Networks

BlueCat is the Adaptive DNS company. Our mission is to help the world’s largest organizations thrive on network complexity, from the edge to the core.

IONOS

IONOS

IONOS is a leading provider of cloud infrastructure, cloud services, and hosting with more than 8.5 million customers contracts.

Quod Orbis

Quod Orbis

Quod Orbis are a fast-growing, innovative company providing market-leading expertise in cyber security and Continuous Controls Monitoring (CCM).

Archer Technologies

Archer Technologies

Archer helps organizations manage risk in the digital era—uniting stakeholders, integrating technologies and transforming risk into reward.

Cyber Explorers

Cyber Explorers

Cyber Explorers is a fun, free and interactive learning platform for future digital superstars. An exciting addition to UK curriculum delivery or after school activities.

Theori

Theori

Theori tackles the most difficult cybersecurity challenges from an attacker’s perspective and conquers them as the best strategic security experts.