TRANSCRIPT
Presented by: Bengt Sahlin (Ericsson), Tomasz Osko (Orange), David Soldani (Huawei)
© ETSI
ETSI Security Week 2020 goes virtual!
Deploying 5G Securely
Security Challenges and Regulatory Aspects
Programme (scheduled in CEST)
- Monday 8 June, 3pm: 5G Deployment
- Tuesday 9 June, 3pm (CET): SSP: The New Smart Secure Platform - A High Level Introduction
- Tuesday 9 June, 4.45pm: SSP: The New Smart Secure Platform - The Technical Realisation
- Wednesday 10 June, 10.30am: Insight into the First Steps of the Cybersecurity Act Reality
- Wednesday 10 June, 3pm: 5G Security for Verticals
- Thursday 11 June, 10.00am: Consumer IoT Security Standards
- Thursday 11 June, 11.30am: Consumer IoT Security – Certification Schemes
- Thursday 11 June, 3pm: ETSI Standardization in Advanced Cryptography
- Monday 15 June, 3pm: SKINNY LATTE: Scalable Hierarchical Identity Based Encryption over Lattices
- Tuesday 16 June, 3pm: 5G Security Evolution
- Wednesday 17 June, 10.30am: 5G Network Certification
- Thursday 18 June, 10.00am: Security Challenges and Regulatory Aspects
- Thursday 18 June, 3pm: Fully Homomorphic Encryption
- Friday 19 June, 10.30am: Industry Applications and Use Cases for Advanced Cryptography
Tracks: Deploying 5G Securely; Cybersecurity Act – one year on; Smart Secure Platform; Even more advanced Cryptography
Security Challenges and Regulatory Aspects – moderated by Bengt Sahlin, Ericsson
- Security Challenges in 5G Multi-access Edge Computing – Tomasz Osko, Orange
- How to Improve the Security of Business and Communities and Ensure Future Prosperity in a Country – David Soldani, Huawei
Security Challenges in 5G Multi-Access Edge Computing
18 June 2020
Tomasz Ośko
Orange Polska, Warsaw, Poland
INSPIRE-5Gplus Project
Contents
▪ 5G MEC context
▪ MEC Assets versus Threats
▪ Extended attack surface
▪ Security controls, management & orchestration
▪ Main 5G MEC challenges
▪ MEC security services
▪ Work in progress in INSPIRE-5GPlus
▪ Summary
MEC in context of 5G challenges
[Figure: the triangle of 5G applications (5G usage scenarios), labelled eMBB, URLLC and mMTC, with MEC shown alongside each; source: https://www.etsi.org/images/articles/Future-IMT.png]
Edge computing in telecommunications networks (MEC) is a technical enabler for demanding 5G KPIs, reflecting the needs of Verticals.
MEC Assets versus Threats
[Figure: layered view of MEC assets from the Field Domain to the Cloud Domain. Recoverable labels:
- Assets: devices (clients, Verticals); networks (accesses, transport networks, 5GC, Internet; operator multi-access, multi-domain, multilayer network; Local Area Data Network); distributed data centers (Far Edge, Near Edge, tenants' DC); cloud computing (private, public, hybrid; IaaS, PaaS, SaaS); virtualization; MEC (Multi-access Edge Computing: MEC Host, MEC Platform, MEC Apps, CI/CD); distributed software applications.
- Change drivers: solutions diversity, technology changes, architecture changes, devices density, interworking, interoperability, data volumes, E2E service changes.]
Extended attack surface
[Figure: the layered asset view (Field Domain to Cloud Domain) annotated with the security measures and controls applied at each layer. Recoverable labels: multilayer security; cybersecurity certification; isolation; AAA; O&M; IaaS/PaaS/SaaS; trusted integration; MEC Hosts, MEC Platform, MEC Apps SecDevOps; context. Assets as before: devices (clients, Verticals), networks (accesses, transport networks, 5GC, Internet; operator multi-access, multi-domain, multilayer network; Local Area Data Network), distributed data centers (Far Edge, Near Edge, tenants' DC), cloud computing, virtualization, MEC, distributed software applications.]

Security controls, management & orchestration
[Figure: safety goals mapped onto the layers: safe infrastructure, safe platform, safe hosting, safe service, safe data and safe operations, under multi-domain security management & E2E security orchestration.]
Main 5G MEC challenges
▪ Ensure management procedures and security services that allow Verticals to meet their respective, specific regulatory requirements (e.g. isolation).
▪ Operate sensitive data and 3rd-party apps at a proper level of security, as a trusted entity.
▪ Guarantee safe MEC infrastructure and components, with defined responsibility between tenants.
[Figure: 5G, MEC and Apps joined by Coexistence, Cooperation and Trust.]
MEC security services
More protection with edge security applications
▪ Control communication, data processing, and data flows exchanged between the devices, applications and cloud.
▪ Security Services on-demand:
  • Deliver "probe on-demand" services for Verticals.
  • Deliver on-demand data processing services for Verticals.
  • Extend Verticals' security services with edge applications.
▪ Introduction of new security enablers and capabilities.
[Figure: Devices – MEC (equipment, applications) – Cloud (equipment, applications).]
Work in progress in INSPIRE-5GPlus
▪ The challenge is to derive universal, resource-preserving security features and a security management framework to protect, among others, MEC applications and the services using them.
▪ In the context of INSPIRE-5GPlus, four fields have been identified on which the project will focus to enhance security beyond 5G, taking MEC into account:
  – Security management framework that follows ETSI Zero-touch network and Service Management (ZSM).
  – Trusted Execution Environment (TEE) to elevate the integrity and confidentiality of software and data of any type.
  – Artificial Intelligence (AI) and Machine Learning (ML) to empower key security functions.
  – Dynamic liability chains and distributed security to provide dynamic security optimization and placement.
▪ To meet the challenging performance and security level requirements of the various 5G usage scenarios (i.e. eMBB, URLLC, mMTC), a consolidated and integrated approach is needed to prepare the next move towards smart end-to-end security for future connected systems. Those systems will serve a plethora of vertical domains and applications across various market sectors, provisioned through logical and self-contained network slices (supported by platforms) running on multiple administrative domains, and for them the level of security offered would be a key acceptance factor.
Summary
▪ Provisioning of multilayer security, multi-domain security management & E2E security orchestration.
▪ An open opportunity to grow with MEC, which is the best way to deliver better availability and more safety to clients and enterprises.
▪ Comprehend the opportunity through cooperation, and seize the chance thanks to cooperation in terms of technology and business development, security and stability.
Dziękuję (Thanks)
This work has been done with the support of
INSPIRE-5Gplus Project
Grant Agreement No.: 871808
Research and Innovation action
Call Topic: ICT-20-2019-2020: 5G Long Term Evolution
Dr. David Soldani
• CTO and CSO Huawei (Australia)
• CSO Office Huawei (ASIA Pacific)
• Adj. Professor, UNSW (Australia)
ETSI Security Week Webinar: Security Challenges and Regulatory Aspects, 18/06/2020
https://www.rcrwireless.com/20200416/5g/huawei-cto-5g-securiuty-standards
How to Improve the Security of
Business and Communities and Ensure
Future Prosperity in a Country
Biography – Dr. David Soldani
~25 years active in ICT field
• Future wireless, network, cybersecurity, artificial intelligence, IoT and multimedia technologies
• 500+ successful projects for 2G, 3G, 4G and 5G systems and services
• 1000+ quality deliverables
~10 Years: Huawei Technologies
• 2020-Present: Chairman of IMDA 5G Task Force (Singapore)
• 2018-Present: CTO & CSO Huawei (Australia). CSO Office – Huawei (ASIA Pacific Region)
• 2009-2016: Head of Central Research Institute and VP Strategic Research and Innovation in Europe
~15 Years: Nokia
• 2016-2018: Head of 5G Technology, e2e, global
• 1997-2009: R&D Director, Finland; and Network Planning Manager, Italy
~ 2 Years: Italian Military Navy
• Officer at Italian Institute of Telecommunications and Electronics, Livorno, Italy
Qualification
• 2018-Present: Adjunct Professor at University of New South Wales (UNSW), Faculty of Engineering, Australia
• 2014-18: Industry Professor at University of Technology Sydney, Australia; Visiting Professor at University of Surrey, UK
• 2002-2006: Doctor of Science (D.Sc.) degree in Technology with distinction from Helsinki University of Technology (TKK), Finland
• 1989-1994: Laurea Vecchio Ordinamento in Electronic Engineering with magna cum laude from Università degli Studi di Firenze, Italy
The "Flag of Origin" is not a critical element of cybersecurity
Root cause categories
• 66% (90% in UK) system failures: hardware failures (36%) and software bugs (29%)
• 17% human errors
• 9% natural phenomena
• 4% malicious actions: 2/3 Denial of Service (DoS) attacks, and the rest mainly damage to physical infrastructure
• The country of origin of suppliers is not among the main causes for concern in how attacks are carried out... [UK NCSC]
• The "Flag of origin" for Telco equipment is not the critical element in determining cyber security [UK ISC]
EU coordinated risk assessment of 5G cybersecurity
https://eu2019.fi/en/article/-/asset_publisher/member-states-publish-a-report-on-eu-coordinated-risk-assessment-of-5g-networks-security
This document follows the approach set out in the ISO/IEC 27005 risk assessment methodology, and reflects the assessment of a set of parameters:
• the main types of threats posed to 5G networks,
• the main threat actors,
• the main assets and their degree of sensitivity,
• the main vulnerabilities,
• the main risks and related scenarios.
• Conclusions are based on capabilities (resources) and intention/attempt (motivation)
• Integrity and availability of 5G are the major concerns, on top of the existing confidentiality and privacy requirements
• Most critical 5G assets: Core Network Functions, NFV MANO
What is GSMA NESAS / 3GPP SCAS?
The Network Equipment Security Assurance Scheme (NESAS),
jointly defined by 3GPP and GSMA, provides an industry-wide
security assurance framework to facilitate improvements in
security levels across the mobile industry
NESAS defines security requirements and an assessment
framework for secure product development and product lifecycle
processes; and security evaluation schemes for network
equipment, using 3GPP defined security test cases, i.e. 3GPP
SCAS – Security Assurance Specifications
It is an industry defined voluntary scheme through which vendors subject their product development and
lifecycle processes, and network equipment, to a comprehensive security audit and testing against the
currently active NESAS release and its security requirements
NESAS Is Widely Supported in Industry
[Figure: NESAS ecosystem]
• Specifications: NESAS 1.0 released; NESAS 2.0
• Security Authority: global communications & collaboration
• Vendors: Ericsson, Nokia and Huawei openly support NESAS as a 5G unified cybersecurity certification foundation
• Auditors & Lab: 2 European audit firms selected by GSMA; 10+ test labs* (mainly in Europe) are being accredited by ILAC member accreditation bodies
• Carriers: 10+ carriers support; 10 global tier-1 carriers request NESAS before deployment (5 in EU)
• https://www.gsma.com/security/nesas-security-auditors/
• https://www.gsma.com/security/nesas-security-test-laboratories/
(*) Security test laboratories that an International Laboratory Accreditation Cooperation (ILAC) member accreditation body deems to have been accredited to ISO 17025 and to have satisfied the NESAS requirements will be considered to have achieved NESAS accreditation.
GSMA and 3GPP Roles and Responsibilities
Roles of GSMA in NESAS
GSMA defines and maintains the NESAS specifications which cover assessment of the Vendor Development and Product Lifecycle processes, NESAS Security Test Laboratory accreditation, and security evaluation of network equipment. The GSMA also defines a dispute resolution process and governs the overall scheme.
Roles of 3GPP in NESAS
3GPP defines security requirements and test cases for network equipment implementing one or more 3GPP network functions, specified in Security Assurance Specifications (SCAS): 3GPP TS 33.X
Reference: https://www.gsma.com/security/network-equipment-security-assurance-scheme/
NESAS High Level Overview
The NESAS has 2 main parts:
1. Assessment of the security related to the Development and Product Lifecycle Processes (by selected auditors: ATSEC/NCC Group)
2. Security evaluation of network equipment by a test laboratory (by accredited test labs, i.e. Draka, Brightsight)
NESAS/SCAS High Level Process
The NESAS approach consists of the following steps:
1. Equipment Vendors define and apply secure design, development, implementation, and product maintenance processes;
2. Equipment Vendors assess and claim conformance of these processes with the NESAS defined security requirements;
3. Equipment Vendors demonstrate these processes to independent auditors that GSMA has selected;
4. The level of security of network equipment is tested and documented;
5. Tests are conducted by accredited test laboratories against 3GPP SA3 defined security requirements ➔ the evaluation report may be forwarded to purchasing operators.
Keep NESAS Evolving as a Solid Security Assurance Basis
NESAS 1.0 → NESAS 2.0, by 2020.12 (E). Planned additions:
1) Penetration Test
2) Cryptographic analysis
3) Software engineering
Comments on NESAS Evolution
GSMA NESAS Official: "NESAS is designed to be improved iteratively. All the lessons learnt from the application of NESAS will be considered and reflected in future releases"
TUVIT 3GPP Keynote (TUVIT commented): We believe NESAS will further evolve to fulfill the high level requirement.
EU Cybersecurity Act (CSA) Security Assurance Levels (the slide places NESAS 1.0 and NESAS 2.0 against these levels)
Level | Assumed Attacker | Evaluator
Basic | - | Self-assessment allowed
Substantial | Limited skills and resources | Third party evaluation
High | Significant skills and resources | National cybersecurity certification authority
Details on Evolution of NESAS from 1.0 to 2.0
Based on the requirements from EU CSA, NIS-CG, etc., NESAS is enhanced accordingly. NESAS 2.0 adds three areas, each benchmarked against industry schemes:
- Penetration test – industry benchmarking: 1. BSZ; 2. CSPN; 3. CPA; 4. CC AVA (bypassing, tampering, direct attack, monitor, misuse); 5. MSDL/BSIMM/OWASP SAMM
- Cryptographic analysis – industry benchmarking: 1. BSI TR 02102; 2. ANSSI RGS_B series; 3. NCSC CPA; 4. NIST FIPS 140-2, NIST SP 800-90A; 5. NDcPP (ISO 19790:2012, NIST SP 800-90A)
- Software engineering capability – industry benchmarking: 1. NCSC Secure development and deployment; 2. MSDL; 3. BSIMM; 4. OWASP SAMM; 5. NIST standards; 6. ISO standards
EU CSA, Article 52 (2019.04): "A European cybersecurity certificate that refers to assurance level 'high' shall provide assurance … an assessment of their resistance to skilled attackers, using penetration testing"
EU Regulatory Authority interview: "In general, it's a good thing, however, mainly focus on security policy compliancy, lack of penetration test and crypto analysis, and without participation of government authorities, could be basic security requirements"
NIS-CG, 5G Risk Assessment (2019.10): 1. Software engineering processes and vulnerability management; 2. Source code and software engineering process; 3. Quality network components; 4. Software development processes
NESAS vs. CC: General Comparison
⚫ NESAS, defined for mobile network security, fully reflects the characteristics of mobile communication services (such as air interfaces and NAS signaling) in its threat analysis and modeling, and significantly simplifies the CC & PP processes. Featuring short accreditation/evaluation time and low cost, it also meets the development needs of new technologies such as cloud, digitization, and software-defined everything.
⚫ CC/PP is intended for the IT industry and defines no equipment test specifications for mobile communication in a PP. It covers the general R&D process and lifecycle management audit, but lacks telecommunication specifics such as 5G, and also suffers from complicated accreditation, long duration and high cost.
PP: Protection Profile; CC: Common Criteria
Accreditation/Evaluation System | NESAS | CC
Organization owner | GSMA/3GPP | CCRA (Common Criteria Recognition Arrangement)
Standards scope & completeness | Audit/Evaluation report (not certificate) | 1~7 EALs (Evaluation Assurance Levels)
Standards progress | NESAS/SCAS standard/specifications (2019.10) | CC released years ago, operated maturely
Number of accredited labs & auditing companies | Several labs and 2 auditing companies now | About 77 labs globally
Operators' recognition | High | Low
Telecommunication assurance | Only one professional standard | N/A
Process & TTM | Simple processes & 3-6 months | Complex processes & 12-18 months (EAL4+)
NESAS 1.0 vs. CC (EAL4): Technical Comparison
Product Development & Lifecycle Audit
# | NESAS audit item | CC equivalent | Covered by CC
1 | Security by design | ADV_ARC/FSP/HLD/LLD/ST | √
2 | Version control system | ALC_CMC (on-site audit) | √
3 | Change tracking | ALC_CMC (on-site audit) | √
4 | Source code review | - | ╳
5 | Security testing | ATE_COV/DPT/FUN | √
6 | Staff education | - | ╳
7 | Vulnerability remedy process | ALC_FLR (Flaw Remediation) | √
8 | Vulnerability remedy independence | - | ╳
9 | Information security management | ALC_DVS (Developer Security) | √
10 | Automated build process | ALC_CMC (on-site audit) | √
11 | Build environment control | ALC_CMC (on-site audit) | √
12 | Vulnerability information management | - | ╳
13 | Software integrity protection | ALC_DEL (Delivery with DS) | √
14 | Unique software release identifier | ALC_CMC (CI Identification) | √
15 | Security fix communication | - | ╳
16 | Documentation accuracy | ALC_CMC (on-site audit) | √
17 | Security point of contact | - | ╳
18 | Source code governance | ALC_CMC (on-site audit) | √
19 | Continuous improvement | ALC_CMC (on-site audit) | √
20 | Security documentation | AGD_OPE/PRE | √
Equipment evaluation test
Test | Contents | SCAS | CC
SCT (security compliance test) | Sensitive info. storage, transfer, protection during access to system, privacy protection (FDP/FCS/FPR) | √ | √
SCT | System overflow, secure start-up, robustness of data input, software integrity (FRU/FPT) | √ | √
SCT | Authentication (credential/password), token policy, account lock, principle of least authority (FIA) | √ | √
SCT | Log out, overtime auto protection (FTA) | √ | √
SCT | Security log, logrotate, log access authorization (FAU) | √ | √
SCT | Admin account, user account, IP/ICMP process (FIA) | √ | √
SCT | https, web server log, session ID, input examination | √ | √
SCT | Message filtering, robustness of protocol, GTP-C/U filtering | √ | √
SCT | Security enhancement of baseline requirement | √ | ╳
SCT | OS security enhancement | √ | ╳
SCT | Webserver security enhancement | √ | ╳
SCT | Management/User plane separation (FDP/FPT) | √ | √
SCT | FCS (cryptographic algorithm implementation check, random number generator, etc.) | ╳ | √
BVT (basic vulnerability test) | Port scan | √ | √
BVT | Known vulnerability scan | √ | √
BVT | Robust test for interface protocol | √ | √
EVA (enhanced vulnerability analysis) | Penetration test | ╳ | √
EVA | Source code scan | ╳ | √
For the Development Audit, NESAS > CC. For the evaluation test method, NESAS < CC; however, CC is not focused on 5G.
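As an added illustration of two items in the audit table above, "software integrity protection" (CC: ALC_DEL, delivery with a digital signature) and "unique software release identifier", here is what the operator-side check at delivery looks like in code. This is example code written for this page, not NESAS, 3GPP or presenter material. It assumes a vendor that ships a signed manifest of per-file SHA-256 digests bound to a release identifier; HMAC-SHA256 with a constructed pre-shared key stands in for the vendor's asymmetric signature so the script needs only the Python standard library, and the file names, contents and release identifiers are constructed.

```python
"""Added example, not NESAS/SCAS or presenter code: verifying a delivered
software release against a vendor-signed manifest (audit items
"software integrity protection" and "unique software release identifier").
HMAC-SHA256 with a constructed pre-shared key stands in for the vendor's
asymmetric signature so the script needs only the standard library."""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key shared by the (fictional) vendor and operator for this demo.
VENDOR_KEY = b"constructed-vendor-key-for-illustration-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so vendor and operator sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(release_id: str, files: Dict[str, bytes]) -> dict:
    """Vendor side: digest every delivered file and bind the digests to the release identifier."""
    body = {
        "release_id": release_id,
        "files": {name: sha256_hex(content) for name, content in files.items()},
    }
    body["signature"] = hmac.new(VENDOR_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_delivery(manifest: dict, expected_release_id: str, files: Dict[str, bytes]) -> List[str]:
    """Operator side: return the list of findings; an empty list means the delivery is intact."""
    findings: List[str] = []
    unsigned = {k: v for k, v in manifest.items() if k != "signature"}
    expected_sig = hmac.new(VENDOR_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
    # Check the signature first: nothing inside an unsigned manifest can be trusted.
    if not hmac.compare_digest(expected_sig, str(manifest.get("signature", ""))):
        return ["manifest signature invalid"]
    # The release the operator ordered must be the one the manifest describes.
    if manifest["release_id"] != expected_release_id:
        findings.append(f"release identifier mismatch: {manifest['release_id']} != {expected_release_id}")
    # Every listed file must be present and unmodified ...
    for name in sorted(manifest["files"]):
        if name not in files:
            findings.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), manifest["files"][name]):
            findings.append(f"digest mismatch: {name}")
    # ... and nothing may have been slipped into the delivery that the vendor did not sign for.
    for name in sorted(files):
        if name not in manifest["files"]:
            findings.append(f"unlisted file in delivery: {name}")
    return findings


if __name__ == "__main__":
    # Constructed delivery: a network-function binary and its configuration.
    delivery = {"nf.bin": b"constructed binary image", "config.yaml": b"log_level: info\n"}
    manifest = build_manifest("nf-1.2.3", delivery)
    print("intact delivery:", verify_delivery(manifest, "nf-1.2.3", delivery))
    tampered = dict(delivery, **{"nf.bin": b"constructed binary image, modified in transit"})
    print("tampered delivery:", verify_delivery(manifest, "nf-1.2.3", tampered))
```

The signature is verified before anything else is read from the manifest, because a release identifier or digest list that is not covered by a valid signature says nothing about what the vendor actually shipped; the unlisted-file check is what turns an integrity check into a delivery check, since an intact manifest is of little use if the package also contains files nobody signed for.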
Huawei Cyber Security Transparency Center is to Serve as an Open, Transparent and Collaborative Exchange Platform with Key Stakeholders
[Figure: world map of centres (legend: Global Hub, Regional Hub): Banbury, UK; Brussels, Belgium; Bonn, Germany; Dubai, UAE; Shenzhen, China; Toronto, Canada]
HCSTC Brussels: Communication, Innovation and Verification
https://youtu.be/yMBu5bvfTPM
How to improve the security of business and communities and ensure the future prosperity of a country?
https://www-file.huawei.com/-/media/corporate/PDF/News/huawei-technologies-australia-submission-to-the-department-of-home-affairs.pdf
1. Reduce the risk of national dependency on any one supplier, regardless of their country of origin, to improve 5G and fibre network resilience
2. Ensure more competitive, sustainable and diverse Telecoms supply chain, to drive
higher quality, innovation, and more investments in Cybersecurity
3. Define network security and resilience requirements on 5G and fibre networks;
contribute to unified standards; identify toolbox of appropriate, effective risk
management measures; and enforce tailored and risk-based certification schemes
4. Ensure effective assurance testing for equipment, systems and software and support
specific evaluation arrangements. (The assessment and evaluation of products from
different vendors shall be the same, as their supply chain has the same level of risk.)
5. Develop industrial capacity in terms of software development, equipment
manufacturing, laboratory testing, conformity evaluation, etc., looking at end-to-end
cybersecurity system assurance; new architecture and business models; tools for risk
mitigation and transparency, and greater interoperability and more open interfaces;
and share results, in closed loop (3.)
Copyright © 2018 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without
limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual
results and developments to differ materially from those expressed or implied in the
predictive statements. Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei may change the
information at any time without notice.
Thank You.
https://www.youtube.com/watch?v=Ejppq9ft37k
Questions & Answers
This was the last webinar in the thread Deploying 5G Securely.
You may also listen to all past webinars available from www.etsi.org/etsisecurityweek
Thank you for joining this webinar!
Find the full 'ETSI Security Week 2020 goes virtual' programme at www.etsi.org/etsisecurityweek