The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released guidance on the security risks associated with 5G network slicing and mitigation strategies.
The document explains that “a network slice is an end-to-end logical network that provides specific network capabilities and characteristics to fit a user’s needs” and that it can run on the same physical network with other slices, albeit users are authenticated for a network area only.
Spanning physical components of a network – including computing, storage, and infrastructure – network slicing provides component virtualization and enables data and security isolation by restricting user authentication to specific network areas.
“It is important to note that network slicing components can span multiple operators, so interoperability, security, and robustness become important challenges to address. From a security standpoint, the resources of one network slice should be isolated from other network slices to ensure confidentiality, integrity, and availability,” the guidance reads.
The architecture relies on a network-as-a-service (NaaS) model, where infrastructure-as-a-service is combined with network and security services, to improve the efficiency and resilience of 5G infrastructure. Mobile network operators need to use management and network orchestration (MANO) systems to create end-to-end network slices and operate them, the three agencies say.
According to the Enduring Security Framework (ESF), network slicing adds complexity to the network and improper management of network slices could allow threat actors to access data in other network slices or deny access to it.
The NSA, CISA, and ODNI mention denial-of-service (DoS), man-in-the-middle (MitM), and configuration attacks as representing three high-severity risks to network slicing, as they can impact the availability, confidentiality, and integrity of a network slice.
The agencies also note that one potential risk to network slicing is Network Function Virtualization (NFV), which is in fact fundamental to network slicing, as it eliminates the need for purpose-built hardware – allowing the use of cloud-based servers instead. NFV also moves network functions out into the cloud, optimizes performance, and increases monitoring and logging options.
Medium-severity risks include saturation attacks, user identity theft, penetration attacks, TCP level attacks, IP spoofing, session replay attacks, International Mobile Subscriber Identity (IMSI) caching attacks, NAS signaling storms, and traffic bursts by IoT.
Expected to play a pivotal role in autonomous vehicles and other emerging technologies, network slicing is prone to IMSI caching attacks, where threat actors could expose an autonomous vehicle’s geolocation, along with information about the cargo and traffic routes.
“From here, the actor can launch a DoS attack on the network signaling plane to cause disruptions between the autonomous vehicle and its authorized controller. Assuming the malicious actor has access to the subscriber identity, the actor can also separately launch a configuration attack to tamper with the security features and virtual network function (VNF) policies,” the three agencies note.
Proper management and continuous monitoring, the NSA, CISA, and ODNI say, are essential to network slice security and should both be applied at four logical layers, namely Network Slice Subnet Management Function (NSSMF), Network Slice Management Function (NSMF), Communication Service Management Function (CSMF), and the Capability Exposure Platform, which offers standard application programming interfaces and a self-management portal.
“In addition to proper network slice management, continual monitoring is crucial in detecting malicious activity. Mobile network monitoring and security tools often focus on network performance, fraud detection, revenue assurance, or device behavior that impacts network performance and not on detecting adversarial malicious activity,” the guidance reads.
More advanced mitigations include the adoption of a zero trust architecture, multi-layer security, cross-domain solutions, post-quantum cryptography, and isolation, including multi-factor authentication, access control, advanced encryption, sandboxes, virtual machines, or hardware and physical isolation.
“Although network slicing is not solely unique to 5G, it is a critical component because 5G specifications call for network slicing as a fundamental component and therefore require network operators to adopt security practices that can mitigate threats like those described in this paper, DoS, MitM attacks, and configuration attacks,” the NSA, CISA, and ODNI note.