Tackling 5G security with threat modelling
We are currently on the cusp of a rollout of the next generation system to underpin mobile communications, with test beds, trials and spectrum auctions underway. The 5th generation wireless system (5G) aims to bring significant performance gains to the market. These include better network reach and coverage, faster communication speed (as high as 20 gigabits per second) and overall improved (or rather pervasive) availability, specifically to cater for the unrelenting exponential growth in the number of mobile and IoT devices. 5G will certainly facilitate the adoption of home automation, smart Building Management Systems (BMS) and, more broadly, smart cities.
As such, our expected reliance on 5G for most aspects of modern life means that 5G will be part of the Critical National Infrastructure (CNI). High assurance is therefore required for the security of 5G, with particular emphasis on availability.
Is 5G secure?
5G is a concept rather than a specific technology; it is a set of high-level goals around increased speed and pervasiveness for mobile networks. There are no specific, prescribed security requirements for 5G and no new protocols have been engineered from security requirements. 5G builds on newer technologies such as software-defined networking (SDN) and network functions virtualisation (NFV), leveraging cloud technologies where possible. As the security of these new technologies and functions is not within 5G’s remit, 5G security relates to the secure design, architecture, build, configuration and maintenance of all relevant technologies and components that underpin 5G.
The reality is that 5G will also be built upon existing, older generation systems. Global telecommunication systems are known to be collections of older technologies, built on top of or interlinked with each other for various reasons, such as requirements for legacy support, the speed of rollouts or critical legacy functions that cannot be easily turned off or decommissioned without copious planning. 5G will be no different.
5G networks will connect to and/or tunnel over legacy systems (e.g. 4G, 3G, 2G, GPRS, SS7) during their rollout and transition to newer technologies. As the phasing out of older technologies will be a long process, 5G will rely on these older, possibly less secure, technologies for some time. This, in addition to the security challenges created by new technologies such as virtualisation and cloud, means that 5G security is a vast topic. Specific tools and methods are required to help understand the associated threats, risks and mitigations that are needed for 5G security assurance. The complexity in securing 5G is certainly not to be underestimated.
The telecoms threat modelling template
As strong proponents of threat modelling, and following in the successful footsteps of our Automotive Threat Modelling Template, we are currently developing a telecoms threat modelling template at NCC Group, to be used with the Microsoft Threat Modelling Tool 2016.
The STRIDE approach has proved to be an effective way to highlight and categorise threats, and the Microsoft Threat Modelling Tool 2016 provides a way to use data flow diagrams (DFDs) to identify threats in the design (or existing architecture) of a telecoms network.
Our threat model includes various stencils and entities, categorised by the system or technology to which they are most relevant. For example, the IP Multimedia Subsystem (IMS) has a number of different architectural components, as shown in figure 1.
Figure 1. Example IMS architectural components
The IMS also contains a number of different named interfaces; these can be defined on a DFD between IMS components by using an IMS data flow object, as shown in figure 2.
Figure 2. Granular IMS interface definition for data flows and interconnections
Categorising telecoms network components by type or technology, as shown in figure 3, allows us to clearly see on DFDs which parts of the network are legacy and where critical interconnects between old and new elements will exist.
Figure 3. Telecoms components classified by technology or subsystem type
We also maintain a list of customer equipment that might typically form an entry point into the telecoms network, as shown in figure 4.
Figure 4. Example customer equipment that could provide entry into telecoms network
Given that interconnectivity is key to availability within telecoms, we capture a number of properties about these interconnects, including the physical connection type (wired or wireless), and whether connections are authenticated or encrypted. Once our DFDs are defined for 5G networks (or their sub-components) then we can review these properties and locales to understand various security risks, such as where data confidentiality or interception capabilities might lie or where spoofing might be achieved.
Figure 5 is a high-level (and fairly contrived for demonstration purposes) DFD showing the interconnectivity and system boundaries between different technologies that might comprise a telecoms system.
Figure 5. Example DFD of a telecoms network with defined subsystem zones and trust boundaries
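The review of interconnect properties described above can be sketched in a few lines. This is an added example, not part of NCC Group's template or the Microsoft tool: the component names, zones, property values and flag names are all constructed for illustration, and only the legacy technology list comes from the article.

```python
from dataclasses import dataclass

LEGACY = {"4G", "3G", "2G", "GPRS", "SS7"}  # legacy technologies as listed in the article

@dataclass(frozen=True)
class Node:
    name: str
    tech: str  # technology or subsystem type, e.g. "5G", "IMS", "SS7"
    zone: str  # trust zone the component sits in on the DFD

@dataclass(frozen=True)
class Flow:
    src: Node
    dst: Node
    wireless: bool
    authenticated: bool
    encrypted: bool

def review(flow):
    """Return the review flags implied by one flow's recorded properties."""
    flags = []
    if not flow.authenticated:
        flags.append("spoofing")
    if not flow.encrypted:
        flags.append("interception-radio" if flow.wireless else "interception-wire")
    if flow.src.zone != flow.dst.zone:
        flags.append("crosses-trust-boundary")
    if (flow.src.tech in LEGACY) != (flow.dst.tech in LEGACY):
        flags.append("legacy-interconnect")
    return flags

def prioritise(flows):
    """Flagged flows only, most flags first (ties keep diagram order)."""
    return sorted(((f, review(f)) for f in flows if review(f)), key=lambda item: -len(item[1]))

# Constructed sample DFD: names, zones and property values are invented for this example.
handset = Node("Handset", "5G", "customer")
ran = Node("5G radio access", "5G", "operator")
core = Node("5G core", "5G", "operator")
ims = Node("IMS core", "IMS", "operator")
ss7 = Node("SS7 gateway", "SS7", "interconnect")
FLOWS = [
    Flow(handset, ran, wireless=True, authenticated=True, encrypted=True),
    Flow(ran, core, wireless=False, authenticated=True, encrypted=True),
    Flow(core, ss7, wireless=False, authenticated=False, encrypted=False),
    Flow(core, ims, wireless=False, authenticated=True, encrypted=False),
]
for flow, flags in prioritise(FLOWS):
    print(f"{flow.src.name} -> {flow.dst.name}: {', '.join(flags)}")
```

In this sample the unauthenticated, unencrypted link from the new core to the legacy gateway is listed first, which is the kind of old-to-new interconnect the technology classification is meant to make visible.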
Our next steps with this model are to tweak and refine it, with most of the remaining work relating to the definition of various threats against the myriad of components that might comprise a telecoms network (including 5G and legacy). This will include 5G-specific threats, such as the manipulation of granular provisioning, service slice theft, International Mobile Subscriber Identity (IMSI) catching attacks and signalling storms to name but a few.
Our plan is to eventually release a version of our threat modelling template as open source. This is to aid others in the secure design of 5G systems and to help model threats in existing, mixed-mode, interconnected telecoms systems so that suitable controls or risk mitigation strategies can be devised. In addition to design, it is anticipated that this threat model template will allow for the prioritisation of testing activities to be performed on key parts of telecoms networks.
While initially developed with 5G security in mind, this model also lends itself to broader security work related to the telecoms environment, such as threat intelligence led vulnerability assessments, which were covered in the cyber vulnerability testing section of Ofcom’s update to guidance on network and service security, published in December 2017. This type of assessment requires an understanding of operational network environments and the threats posed to them in order to identify and prioritise those areas most in need of an in-depth review.
Engaging with NCC Group
For more information on threat modelling, whether in general or specific to telecoms, please do contact us directly to discuss your requirements on firstname.lastname@example.org.
Published date: 23 March 2018
Written by: Matt Lewis