5G Networks Taking Off and the Cybersecurity Challenges (起飛的5G網路與資安挑戰)

Dr. Yeali S. Sun (孫雅麗), Commissioner, Taiwan National Communications Commission (NCC)

全國資安大會 (National Cybersecurity Conference), August 12, 2020

Page 1

5G Networks Taking Off and the Cybersecurity Challenges (起飛的5G網路與資安挑戰)

Dr. Yeali S. Sun (孫雅麗), Commissioner

Taiwan National Communications Commission (NCC)

全國資安大會 (National Cybersecurity Conference), August 12, 2020

Page 2

Outline

• 5G developments in Taiwan

• 5G Security Issues

• Concluding remarks

YLSUN 2020

Page 3

5G Developments in Taiwan

Page 4

Results of the first-phase 5G spectrum licence release (5G 第一階段頻譜釋照結果)

Page 5

5G: standards development (5G: 標準制訂). Source: 3GPP

Figure (3GPP releases and use cases): R15 and R16; eMBB (enhanced mobile broadband, 增強行動寬頻), URLLC (ultra-reliable low-latency communications, 超可靠低延遲通訊), mMTC (massive machine-type communications, 大規模機器通訊).

Goal: "expand" 5G to support vertical domains moving toward intelligent production, manufacturing and operation models under digital transformation, and to achieve the goals of a digital nation, digital economy and digital society.

Migrating from the NSA architecture to the SA architecture: the construction and deployment of true 5G networks will accelerate.

• The R15 specifications mainly focus on eMBB applications. eMBB is mainly a consumer market, which offers limited momentum for lifting Average Revenue per User (ARPU).

• R16 focuses on URLLC.

Page 6

5G Security: The battle is just on …

Page 7

The Prague Proposals (布拉格宣言)

The Chairman Statement on Cyber Security of Communication Networks in a Globally Digitalized World

Prague 5G Security Conference 2019

Page 8

Communication

• Communication plays a role in almost every aspect of our lives.

• It increases our dependency and our vulnerabilities.

• 5G networks and future communication technologies will substantially transform the way we communicate and the way we live.

Security of 5G networks is crucial for national security, economic security and other national interests, and for global stability.

The architecture and functions of 5G networks must be underpinned by an appropriate level of security.

Page 9

The Chair recognizes the existence of the following perspectives:

• Cyber security is NOT only a technical issue

• Cyber threats are of both a technical and a NON-TECHNICAL nature

• Disruption of 5G networks may have serious effects

• A nation-wide approach is needed

• Proper risk assessment is essential

• Security measures are broad in nature

• There are no universal solutions

• Security must be ensured while supporting INNOVATION

• Security costs money

• Supply chain security

Page 10

National Policy: "Digital Nation, Smart Island"

Digital Nation, Innovative Economic Development Program (DIGI+ 2017-2025)

• To accelerate industrial innovation and economic prosperity

• 5G: constructing a beneficial infrastructure for digital innovation

• 5+2 industries (5+2 產業)

Page 11

5G Security: Challenges

• 5G is designed to enable and accommodate a variety of new services.

• Software-based architecture in 5G networks (including the radio access network (RAN) and the core network): Network Function Softwarization

• The use of software-defined networking (SDN), network function virtualization (NFV), network slicing, edge computing, etc.

• 5G embraces NEW computing and networking technologies.

• Need to ensure that the IT products and information systems that the 5G network and its services rely on are sufficiently trustworthy.

Page 12

5G Security

Q1: What specific national strategy, policies and legal framework are necessary for 5G networks, or communication networks in general, to ensure a high level of cyber security and resilience?

Page 13

5G Policy in Taiwan

• Chinese-made equipment was banned in 4G networks, and so it will be for 5G.

• Every 5G network operator is required to submit a 5G network security protection plan along with the network deployment in its business plan.

Security by Design

Page 14

5G Network Protection Plan

• Directed by

  • The Telecommunications Management Act (電信管理法), July 1, 2020.

  • The Regulations for Administration of Mobile Broadband Businesses (行動寬頻業務管理規則), Article 40.

Legally binding:

• The 5G Network Protection Plan (5G網路資通安全維護計畫) is subject to review and approval by the NCC.

• The NCC may order the nominated bidder to change the content of the plan during the review whenever necessary.

• The operator shall act according to the plan.

• Whenever there is any change to the content of the plan, the operator shall specify the reason and report it to the NCC for approval.

Page 15

5G Network Protection Plan

• Different from the 3G and 4G eras, this is the first time that a nominated bidder is required to submit such a document.

• Seventeen matters are specified to be included in the document.

• Our tactics

  It is a self-describing document.

  Develop and publish a Reference Framework to help operators stay focused and address all the important cybersecurity issues.

  It serves as guidance for the 5G mobile network operator to better understand, manage, and reduce cybersecurity risks.

NCC WORKS with operators to secure 5G networks and services

Page 16

5G Network Protection Plan: Reference Framework

• The framework is based on several existing standards, guidelines, and practices.

  • NIST Cybersecurity Framework (CSF), version 1.1, April 2018.

  • "The Prague Proposals: The Chairman Statement on cyber security of communication networks in a globally digitalized world," Prague 5G Security Conference, May 2019.

  • "EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks," Report, October 2019.

  • "3GPP 5G Security," August 6, 2018.

• Specifically, for each matter, a number of important issues are listed that must be addressed in the document.

• The regulator (NCC) will conduct security audits to evaluate the network operator's cyber security policies, procedures, and their operating effectiveness.

Page 17

5G Security

Figure (5G Security, viewed from the institutional, managerial and technical aspects (制度面、管理面、技術面)): Trusted HW/SW & Supply Chain; Secure Network; Secure Operation & Mgmt.; Governance; Integration of Cybersecurity with Operations; End-to-end (control plane & user plane).

• Ensure that the 5G network is secure, reliable and resilient: policy, goals, core business, scope, security maintenance procedures and processes

• Incident response

• Dedicated 5G security office and personnel

• Security assurance of product design, development, operation and maintenance

• Products with inbuilt defense

• Supply chain security (visibility)

• Security architecture

• Security measures (prevent, detect, protect, recover)

• Secure deployment

Page 18

Reference Framework: Security Requirements

The seventeen matters of the 5G Network Protection Plan, mapped onto the functions of the NIST Cybersecurity Framework. Goal: Secure, Reliable & Resilient.

Identify

• 1 Policy & Goals

• 2 Core Business & Significance

• 3 Scope of Protection

• 4 Cybersecurity Executive Organization

• 5 Dedicated Personnel and Budget Allocation

• 6 Chief Security Officer

• 7 Identification of Information and Communications Systems (including Equipment in Compliance with ITU or 3GPP Regulations)

• 8 Cybersecurity Risk Assessment

• 12 Outsourcing Management

• 17 Formal Certification of Cybersecurity Management

Protect

• 9 Cybersecurity Protect and Control Measures

• 13 Performance Evaluation of Personnel with Job Assignments Involving 5G Security

• 14 Continual Improvement and Review of the 5G Network Protection Plan

• 16 Security Measures for Subscriber Data Protection in terms of Collection, Storage, Processing and Use

Detect

• 15 The Detect and Protect Measures (including the architecture, defense in depth and timetable)

Respond

• 10 Notification, Incident Response, and Cybersecurity Exercises

• 11 Cybersecurity Threat Intelligence Evaluation and Response

Recover

• 10 Notification, Incident Response, and Cybersecurity Exercises

• 11 Cybersecurity Threat Intelligence Evaluation and Response

Page 19

Eight Important 5G Security Issues

1) Secure Software Development Quality Control (安全軟體開發品質控管)

2) Software Update Management (軟體更新管理)

3) Supply Chain Security Management (供應鏈安全管理)

4) Integration of Cybersecurity Measures with Network Operations (ICT+OT) (資安落實於OT)

5) Cybersecurity Capability Building (資安能力的建立)

6) Multi-access Edge Computing (邊緣運算)

7) Privacy (隱私保護)

8) Signal interference – a form of DoS (訊號干擾)


Page 20

Issue #1: Secure Software Design & Development Quality Control (安全軟體開發品質控管)

• Security by design

• Network Function Softwarization in 5G

  • The use of SDN, NFV, network slicing, edge computing, etc.

  • Employing ICT products and information systems in 5G networks and services.

• For software vendors: "security assurance of the software design & development process, and quality control"

Figure (Source: Ericsson): stages of a secure software development process: Risk Assessment, Privacy Impact Assessment, Secure Coding, Vulnerability Analysis, Vulnerability Watch, together with a Hardening Guideline.

Page 21

Issue #2: Software Update Management (軟體更新管理)

During operations

For a 5G network operator: "security assurance of the software update process"

e.g., patch distribution policy

• distinguishing major vs. minor patches?

• under attack, or after the discovery of a major vulnerability, is patching done in real time?

• zero-day attacks?

• performing laboratory tests before distribution? (capacity and capability for software security testing)

• Standard operating procedures (SOP): the institutional system; operational efficiency (timeliness), quality (execution procedures and personnel control) and consistency (uniformity)

Page 22

Issue #3: Supply Chain Security Management (供應鏈安全管理) (1/2)

• Hardware focuses: (1) minimizing disruption; and (2) ensuring product quality

• Software: being relatively easy to modify, it raises greater risks of attack. Focuses: (1) minimizing opportunities for unauthorized changes; (2) establishing and maintaining supply chain visibility, not only for security but also for regulatory compliance.

Ban of Chinese-made equipment: a world-wide trend.

How about the elements inside, including software?

Network function softwarization: complex systems consisting of a number of components, from chips, processors, firmware, OS and libraries to various software modules, including open source software.

Figure: a subcontracting chain, in which a government project, a government-funded institute, a software company and a software company in China are linked through successive subcontracts.

Page 23

Issue #3: Supply Chain Security Management (供應鏈安全管理) (2/2)

Q2: How can 5G network operators establish and maintain supply chain visibility, both for security and regulatory compliance?

• knowing the origin and composition of the software and hardware components

• knowing the resilience and dependability of the vendors

• Evaluating and monitoring a supplier's ability to produce systems (including coding practices, technical capability to conduct appropriate reviews, and management of its software supply chain risks)

• Risk assessment of the software acquisition lifecycle: initialization, development, configuration/deployment, operations/maintenance, and disposal.

Page 24

Issue #4: Integration of Cybersecurity Measures with Network Operations & Maintenance (資安落實於OT)

• Integration of cybersecurity policy, procedures, measures and implementations with network operations & maintenance: institutional aspects (e.g., SOPs), managerial aspects (personnel), technical aspects.

• Coordinate and align cybersecurity roles and responsibilities with internal roles and external partners, as well as with network operations.

Page 25

Issue #5: Cybersecurity Capability Building (資安能力的建立)

Figure: three parties: the Network Operator (operations & management of 5G equipment, systems, databases & apps), the Product Providers, and the Authority Agency (National Communications Commission).

• Operators largely rely on product vendors to provide information on the security design, architecture, and implementation of the hardware/firmware/software of the product.

• Operators must have the capability to conduct security assurance testing and evaluation to ensure the security and resilience of all the network elements and of the overall service provisioning operations.

• NCC will conduct security audits for 5G network operators.

Page 26

Issue #6: Multi-access Edge Computing (MEC)

• To support services with low-latency requirements, such as real-time AR/VR applications, the network operator might allow third-party service providers to place their equipment, systems, or software in the operator's data center.

This raises additional risks and threats to the network (moving from a closed to an "open" environment).

Page 27

Issue #7: Privacy (隱私保護)

Concerns of

• Unauthorized collection of data from the network about who is doing what

• Surveillance by adversaries

• Human rights violations and abuses

• Third-party data use (e.g., advertisements, microtargeting)

etc.

Figure (Source: Ericsson): 5G networks as an enabling technology of new services. It is transformational! (digital transformation, 數位轉型)

• "The technology will spawn an intelligent ecosystem of connected devices, harvesting massive amounts of data that will change the way we live and work."

Page 28

Issue #8: Signal Interference – a form of DoS

Figure (Source: 5G-ACIA): 5G for Industry 4.0 and factory automation: a non-public network (defined premises) with its subscriber database, control plane functions, user plane gateway and 5G service; URLLC, low latency and high reliability (time-sensitive communications).

Page 29

Roadmap of the program for promoting 5G vertical-application field trials, regulatory adaptation, and analysis of network cybersecurity protection (推動5G垂直應用場域實證、法規調適與網路資安之防護研析計畫藍圖), 2019-2024

Goal: ensure that Taiwan's 5G networks are secure, reliable and resilient.

• 5G NSA

• 5G SA

• 5G MEC

• 5G shared-spectrum, shared-network deployments (5G共頻共網)

• 5G private networks (5G專網)

• 5G end-to-end (control-plane signaling and user-plane data transmission)

• 5G Wireline-Wireless Convergence (WWC)

• Convergence of 5G and low-earth-orbit satellite communications

1. Regulatory preparation: study international 5G cybersecurity policies, regulations and practices (international organizations, governments, mobile operators).

2. Write the 5G Network Protection Plan into law (overall, covering the next 5 years of construction) (Security by Design).

3. Regulatory capacity and capability: build a network cybersecurity testing laboratory able to verify compliance with telecommunications regulations.

  • Reference Framework for the Fifth-Generation Mobile Communication System Cybersecurity Protection Plan (第五代行動通信系統資通安全維護計畫參考框架)

  • Technical Specifications for Mobile Broadband System Verification (行動寬頻系統審驗技術規範)

4. Complete the cybersecurity regulations related to 5G networks.

Legal basis for cybersecurity management: the Telecommunications Management Act (電信管理法) and the Cyber Security Management Act (資安管理法).

Page 30

National-level software security laboratory for the communications sector (國家級通訊領域軟體安全實驗室)

Two target groups

• 5G network operators

• Third-party service providers

Two platforms

• Build a 5G "secure software integrated development and operations process (DevSecOps)"

• A cybersecurity analysis and testing platform for "software systems"

Four focus issues

• Security of 5G network-related software systems and applications

• Secure management of 5G network software deployment and updates

• Secure and trustworthy 5G network supply chain management

• Policies, systems, technologies and protective measures for subscriber privacy protection

Three outputs

• Reference framework, guidance documents and mechanisms for the security management of 5G network software systems and operations

• Helping network operators and 5G service providers build cybersecurity capacity and capability

• Providing testing and verification services

Practical training

Page 31

5G Cybersecurity: NCC's Positioning (5G 資安:NCC 定位)

• The national cybersecurity "iron triangle" (國家資安鐵三角)

• One of the eight critical infrastructure sectors

• Mobile communication networks: 5 major operators (Chunghwa Telecom 中華, Far EasTone 遠傳, Taiwan Mobile 台哥大, Taiwan Star 台灣之星, Asia Pacific Telecom 亞太); fixed networks (backhaul)

• "Ensure the security, reliability and resilience of Taiwan's 5G networks"

  Policy, regulation, supervision, technical specifications, verification, testing, auditing

• Forward-looking actions

  • Through promotion, assistance and guidance, ensure that operators build secure, reliable and resilient networks

  • Guide and assist the development of the 5G industry (networks, application services)

Page 32

Concluding Remarks

• The battle is just on …

• NCC, as an oversight agency, took the initiative to put 5G security into regulation.

• 5G Network Protection Plan and Reference Framework (addressing important security issues, especially software security, update security, supply chain security, integration of cybersecurity with operations, governance, privacy, etc.)

• Cybersecurity capability building is imperative for network operators, service providers and the regulatory government agency.

• Regulatory Requirements vs. Standard Best Practices vs. Security Norms

Page 33

Thank you.