
5G Cybersecurity Report: Preparing a Secure Evolution to 5G - National Institute of Standards and Technology (English version) (23 pages).pdf


5G CYBERSECURITY
Preparing a Secure Evolution to 5G

Mike Bartock
Jeff Cichonski
Murugiah Souppaya
National Institute of Standards and Technology

Draft
February 2020
5G-security@nist.gov

PROJECT DESCRIPTION

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity challenges. Through this collaboration, the NCCoE develops modular, easily adaptable example cybersecurity solutions demonstrating how to apply standards and best practices by using commercially available technology. To learn more about the NCCoE, visit http://www.nccoe.nist.gov. To learn more about NIST, visit http://www.nist.gov.

This document describes several security considerations as industry is preparing for a migration to 5G technology. NCCoE cybersecurity team will develop approaches and proposed solutions in collaboration with a Community of Interest, equipment vendors, and telecommunication providers.

ABSTRACT

Cellular networks will be transitioning from 4G to 5G, and 5G networks will provide increased cybersecurity protections. This project will identify several 5G use case scenarios and demonstrate for each one how to strengthen the 5G architecture components to mitigate identified risks and meet industry sectors' compliance requirements. The project will demonstrate how commercial and open source products can leverage cybersecurity standards and recommended practices for each of the 5G use case scenarios, as well as showcase how 5G security features can be utilized. A phased approach will be employed to align with the development pace of 5G technology and availability of commercial 5G technology. This iterative approach will provide the flexibility to add to the project as the phases evolve to take advantage of newly introduced security capabilities. This project will result in a freely available NIST Cybersecurity Practice Guide.

KEYWORDS

3GPP; 4G; 5G; 5G Non-Standalone; 5G Standalone; cloud; cybersecurity; Long-Term Evolution (LTE)

DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

COMMENTS ON NCCOE DOCUMENTS

Organizations are encouraged to review all draft publications during public comment periods and provide feedback. All publications from NIST's National Cybersecurity Center of Excellence are available at http://www.nccoe.nist.gov.

Comments on this publication may be submitted to 5G-security@nist.gov

Public comment period: February 21, 2020 to March 31, 2020

DRAFT Project Description: 5G Cybersecurity - Preparing a Secure Evolution to 5G

TABLE OF CONTENTS

1 Executive Summary
Purpose
Scope
Assumptions

Security architecture”.
3GPP TS 23.501: “System Architecture for the 5G System”.
3GPP TS 33.501: “Security architecture and procedures for 5G system (Release 15)”.
3GPP TS 33.210: “3G security; Network Domain Security (NDS); IP network layer security”.
ETSI GS NFV 002: “Network Functions Virtualisation (NFV); Architectural Framework”.
ETSI GS NFV-SEC 009: “Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration”.
ETSI GR NFV-SEC 016: “Network Functions Virtualisation (NFV); Security; Report on location, timestamping of VNFs”.
NIST SP 800-53 Rev 4: “Security and Privacy Controls for Federal Information Systems and Organizations”
NIST SP 800-187: “Guide to LTE Security”
NIST SP 1800-19: “Trusted Cloud: VMware Hybrid Cloud IaaS Environments”
NIST SP 1800-16: “Securing Web Transactions: Transport Layer Security (TLS) Server Certificate Management”
NIST SP 800-77 Rev 1: “Guide to IPsec VPNs”
NIST SP 800-52 Rev 2: “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations”
NIST SP 800-124: “Guidelines for Managing the Security of Mobile Devices in the Enterprise”
Securing Web Transactions: TLS Server Certificate Management - https://www.nccoe.nist.gov/projects/building-blocks/tls-server-certificate-management
NCCoE Mobile Device Security - https://www.nccoe.nist.gov/projects/building-blocks/mobile-device-security
CSRIC VII, WG 2, Managing Security Risk in the Transition to 5G - https://www.fcc.gov/about-fcc/advisory-committees/communications-security-reliability-and-interoperability-council-vii
CSRIC VII, WG 2, Managing Security Risk in Emerging 5G Implementations
CSRIC VI, WG 3, Network Reliability and Security Risk Reduction
CSRIC V, WG 10, Legacy Systems and Services Risk Reduction
ATIS Technical Report, “5G Security Requirements (ATIS 1000077)”

5 SECURITY CONTROL MAP

This table maps the characteristics of the commercial products that the NCCoE will apply to this cybersecurity challenge to the applicable standards and best practices described in the Framework for Improving Critical Infrastructure Cybersecurity, and to other NIST activities. This exercise is meant to demonstrate the real-world applicability of standards and best practices but does not imply that products with these characteristics will meet an industry's requirements for regulatory approval or accreditation.

Table 5-1 List of NIST SP 800-53 Revision 4 Controls Addressed by Solution

| ID | Control Description |
|---|---|
| Access Control (AC) | |
| AC-3 | Access Enforcement |
| AC-4 | Information Flow Enforcement |
| AC-17 | Remote Access |
| AC-20 | Use of External Information Systems |
| Audit and Accountability (AU) | |
| AU-2 | Audit Events |
| AU-3 | Content of Audit Records |
| AU-4 | Audit Storage Capacity |
| AU-5 | Response to Audit Processing Failures |
| AU-6 | Audit Review, Analysis, and Reporting |
| AU-7 | Audit Reduction and Report Generation |
| AU-8 | Time Stamps |
| AU-9 | Protection of Audit Information |
| AU-10 | Non-Repudiation |
| AU-11 | Audit Record Retention |
| AU-12 | Audit Generation |
| Security Assessment and Authorization (CA) | |
| CA-7 | Continuous Monitoring |
| Configuration Management (CM) | |
| CM-3 | Configuration Change Control |
| CM-4 | Security Impact Analysis |
| CM-8 | Information System Component Inventory |
| CM-9 | Configuration Management Plan |
| CM-10 | Software Usage Restrictions |
| Identification and Authentication (IA) | |
| IA-2 | Identification and Authentication (Organizational Users) |
| IA-3 | Device Identification and Authentication |
| IA-4 | Identifier Management |
| IA-5 | Authenticator Management |
| IA-7 | Cryptographic Module Authentication |
| Maintenance (MA) | |
| MA-2 | Controlled Maintenance |
| MA-3 | Maintenance Tools |
| MA-4 | Nonlocal Maintenance |
| MA-5 | Maintenance Personnel |
| MA-6 | Timely Maintenance |
| Risk Assessment (RA) | |
| RA-3 | Risk Assessment |
| RA-5 | Vulnerability Scanning |
| System and Services Acquisition (SA) | |
| SA-18 | Tamper Resistance and Detection |
| System and Communications Protection (SC) | |
| SC-2 | Application Partitioning |
| SC-3 | Security Function Isolation |
| SC-7 | Boundary Protection |
| SC-8 | Transmission Confidentiality and Integrity |
| SC-12 | Cryptographic Key Establishment and Management |
| SC-13 | Cryptographic Protection |
| SC-15 | Collaborative Computing Devices |
| SC-16 | Transmission of Security Attributes |
| SC-28 | Protection of Information at Rest |
| System and Information Integrity (SI) | |
| SI-2 | Flaw Remediation |
| SI-4 | Information System Monitoring |
| SI-7 | Software, Firmware, and Information Integrity |

Table 5-2 List of NIST Cybersecurity Framework Subcategories Addressed by Solution

| Cybersecurity Framework Subcategory Identifier | Cybersecurity Framework Subcategory Name |
|---|---|
| Identify (ID) | |
| ID.AM-2 | Software platforms and applications within the organization are inventoried. |
| Protect (PR) | |
| PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes. |
| PR.AC-3 | Remote access is managed. |
| PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation). |
| PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions. |
| PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the privacy risks and other organizational risks). |
| PR.DS-1 | Data-at-rest is protected. |
| PR.DS-2 | Data-in-transit is protected. |
| PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition. |
| PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
| PR.IP-3 | Configuration change control processes are in place. |
| PR.IP-4 | Backups of information are conducted, maintained, and tested. |
| PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. |
| PR.IP-12 | A vulnerability management plan is developed and implemented. |
| PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. |
| PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. |
| PR.PT-4 | Communications and control networks are protected. |
| Detect (DE) | |
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed. |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods. |
| DE.AE-3 | Event data are collected and correlated from multiple sources and sensors. |
| DE.AE-4 | Impact of events is determined. |
| DE.AE-5 | Incident alert thresholds are established. |
| DE.CM-1 | The network is monitored to detect potential cybersecurity events. |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed. |

APPENDIX A: REFERENCES

[1] 3rd Generation Partnership Project (3GPP), 3GPP TS 23.501 System architecture for the 5G System (5GS); Stage 2 (Release 16), December 2019 http://www.3gpp.org/ftp/Specs/archive/23_series/23.501/23501-g30.zip
[2] 3rd Generation Partnership Project (3GPP), 3GPP TS 33.501 Security architecture and procedures for 5G system (Release 16), December 2019 http://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-g10.zip
[3] 3rd Generation Partnership Project (3GPP), 3GPP TS 33.210 Network Domain Security (NDS); IP network layer security (Release 16), June 2019 http://www.3gpp.org/ftp/Specs/archive/33_series/33.210/33210-g20.zip
[4] National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-187, Guide to LTE Security, December 2017 https://doi.org/10.6028/NIST.SP.800-187
[5] National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 1800-19, Trusted Cloud: VMware Hybrid Cloud IaaS Environments, November 2018 https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tc-hybrid-nist-sp1800-19b-preliminary-draft.pdf
[6] National Cybersecurity Center of Excellence (NCCoE), Trusted Cloud Projects https://www.nccoe.nist.gov/projects/building-blocks/trusted-cloud

APPENDIX B: ACRONYMS

Selected acronyms and abbreviations used in this paper are defined below.

| Acronym | Definition |
|---|---|
| 2G | 2nd Generation |
| 3G | 3rd Generation |
| 3GPP | 3rd Generation Partnership Program |
| 4G | 4th Generation |
| 5G | 5th Generation |
| API | Application Programming Interface |
| CIoT | Cellular Internet of Things |
| CNF | Containerized Network Function |
| CSRIC | Communications Security, Reliability and Interoperability Council |
| CU | Centralized Unit |
| DNSSEC | Domain Name System Security Extensions |
| DU | Distributed Unit |
| EAP | Extensible Authentication Protocol |
| eNodeB | Evolved Node B |
| EPC | Evolved Packet Core |
| FCC | Federal Communications Commission |
| gNodeB | Next Generation Node B |
| GPRS | General Packet Radio Service |
| GRC | Governance Risk & Compliance |
| GTP | GPRS Tunneling Protocol |
| GTP-C | GPRS Tunneling Protocol control |
| GTP-U | GPRS Tunneling Protocol user data tunneling |
| HSS | Home Subscriber Server |
| IaaS | Infrastructure as a Service |
| IMSI | International Mobile Subscriber Identity |
| IoT | Internet of Things |
| IP | Internet Protocol |
| IPsec | Internet Protocol Security |
| JOSE | JavaScript Object Signing and Encryption |
| LTE | Long-Term Evolution |
| NCCoE | National Cybersecurity Center of Excellence |
| NDS/IP | Network Domain Security/Internet Protocol |
| NF | Network Function |
| NFV | Network Functions Virtualisation |
| NIST | National Institute of Standards and Technology |
| NR | New Radio |
| NSA | 5G Non Standalone |
| PLMN | Public Land Mobile Network |
| RAN | Radio Access Network |
| RAT | Radio Access Technology |
| RF | Radio Frequency |
| RFI | Request for Information |
| RFP | Request for Proposal |
| SA | 5G Standalone |
| SAE | System Architecture Evolution |
| SBA | Service-Based Architecture |
| SDN | Software Defined Networking |
| SEG | Security Gateway |
| SEPP | Security Edge Protection Proxy |
| SIEM | Security Information and Event Management |
| SMS | Short Message Service |
| TCP | Transmission Control Protocol |
| TLS | Transport Layer Security |
| TR | Technical Report |
| TS | Technical Specification |
| UE | User Equipment |
| UICC | Universal Integrated Circuit Card |
| UMTS | Universal Mobile Telecommunications System |
| USIM | Universal Subscriber Identity Module |
| V2X | Vehicle-to-Everyth |
