5G RAN Security

Introduction

5G is not just about faster, bigger, or better. It’s about enabling a diverse new set of services and use cases affecting nearly every aspect of our lives. But to live up to their potential, 5G-enabled applications must be delivered securely.
For example, 5G will enable Massive Internet of Things (MIoT) applications such as the traffic sensors and Vehicle-to-Infrastructure (V2I) services that are the foundation for smart cities. It’s critical that hackers can’t access that data, hijack IoT devices, or disrupt the services with Distributed Denial of Service (DDoS) attacks.

With 5G, mobile takes that security focus to another level with a wide variety of new, advanced safeguards, as it is the first mobile architecture designed to support multiple, specific use cases, each with its own unique cybersecurity requirements. In the enterprise IT world, network segmentation is a common, proven way to mitigate security risks.

In addition to the new opportunities and capabilities, 5G creates new cybersecurity considerations. Its use of the cloud and edge computing, and the convergence of mobile and traditional IT networks, create new attack vectors. So the question now is: how does 5G provide a new set of visibility and control elements to help operators protect their networks, business partners, and customers?

5G Security Architecture

3GPP defines the overall 5G security architecture as shown below:

Figure: 5G Security Architecture

This includes many network architectural elements and concepts such as:

  • Network access security (I), which is the set of security features that enables a UE to authenticate and access services via the network securely, including the 3GPP access and non-3GPP access, and in particular to protect against attacks on the radio interfaces. In addition, it includes the security context delivery from SN to UE for the access security.
  • Network domain security (II), which is the set of security features that enables network nodes to securely exchange signalling data and user plane data.
  • User domain security (III), which is the set of security features that secures the user access to mobile equipment.
  • Application domain security (IV), which is the set of security features that enables applications in the user domain and in the provider domain to exchange messages securely.
  • SBA domain security (V), which is the set of security features for SBA security. These include the network element registration, discovery and authorization security aspects, as well as the protection for the service-based interfaces.
  • Visibility and configurability of security (VI), which is the set of features that enables the user to be informed whether a security feature is in operation.

Security in 5G RAN deployments

The separation of RAN and core is critical to the evolution of 5G networks because gNBs terminate the encryption of user data, except when it is encrypted externally and is beyond the control of an operator’s 5G network.

Currently, we do not have any standard rules or guidelines for the separation of RAN and core functions, and the 3GPP standards are largely flexible; however, the actual separation of RAN and core functions depends on the 5G use cases in question as well as the commercial strategy of the operator dictating the specific network deployment situation. In addition, technical developments and initiatives, such as distributed RAN, split RAN, O-RAN and CPRI/eCPRI consortiums, also fragment and distribute the deployment of RAN functions, entailing a number of security implications.

5G RAN Security

Security in 5G networks is standardized, with user data decrypted and encrypted in different functions within the network. User data is (in most cases) encrypted in transit (over the network) but processed in cleartext in many functions.
The air interface is encrypted (and integrity protected) between the device and the gNB (5G base station). From the gNB over the backhaul network to the core network (normally via an edge router), the 3GPP defined IP security framework is used to protect the integrity and confidentiality of the user plane and control plane between the device, the gNB and the core network.

Figure: 5G RAN Security (Ericsson)

In a 5G (and 4G) network, NAS (Non-Access Stratum) signaling is encrypted between the device and the core network. Moreover, both the control plane (Radio Resource Control, signaling between the device and RAN regarding radio configuration) and the user plane are encrypted and integrity protected between the device and the gNB (or a base station called eNB in the 4G case), meaning that all user data is available unencrypted in the gNB (or eNB). In many cases, user data can be encrypted at the application level, but this is not guaranteed by 3GPP 5G standards and is out of operator control.

Security in future RAN deployments

In 5G, the ongoing development to separate the gNB into different functions is essentially aimed at deploying gNB functions in different ways. 3GPP TS 38.401 specifies the possibility of a distributed gNB with a CU and DUs, as shown below:

Figure: 3GPP distributed gNB (3GPP)

The DU (Distributed Unit) and CU (Central Unit) are functions in the 3GPP-standardized 5G RAN. So, contrary to previous deployment conventions in 4G and earlier generations, in 5G these RAN functions can be placed in different physical sites in an actual deployment of RAN, depending on the use case. This enables RAN function distribution over different physical sites and, subsequently, allows a breakout of RAN functions to support low-latency use cases as well as flexible implementations.

With the lower layer split, the termination point for encryption is the CU function, which terminates PDCP on the network side. With this split, the RU and the DU are not able to access (that is, decrypt) the user plane and control plane, meaning that the RU and the DU are not as critical as the CU when it comes to the integrity and confidentiality of user data or the signaling.

Still, both the RU and the DU can affect the availability of mobile network access.
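
As an added illustration (not part of the original post, and not 3GPP or vendor code), the example below applies the split described above to a site inventory: sites hosting a PDCP-terminating function carry confidentiality and integrity impact, while RU/DU-only sites carry availability impact only. The Site record, its field names, the severity labels and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass

# Functions that terminate PDCP and therefore hold user and control plane
# data in cleartext: the CU in a split gNB, or an unsplit gNB/eNB.
PDCP_TERMINATING = {"CU", "gNB", "eNB"}
AVAILABILITY_ONLY = {"DU", "RU"}  # cannot decrypt, but can disrupt access


@dataclass
class Site:  # hypothetical inventory record, not a 3GPP data model
    name: str
    functions: frozenset      # RAN functions hosted at this site
    physically_secure: bool   # False for public-domain small cells
    backhaul_trusted: bool    # transport toward the core is operator-controlled
    backhaul_ipsec: bool      # IP security framework applied toward the core


def assess(site):
    """Return (impact, findings) for one site, per the split described above."""
    unknown = site.functions - PDCP_TERMINATING - AVAILABILITY_ONLY
    if unknown or not site.functions:
        raise ValueError(f"{site.name}: unknown or empty function set {sorted(unknown)}")
    cleartext = bool(site.functions & PDCP_TERMINATING)
    impact = {"availability"}
    findings = []
    if cleartext:
        impact |= {"confidentiality", "integrity"}
        if not site.physically_secure:
            findings.append("HIGH cleartext user data at physically unsecured site")
        if not site.backhaul_trusted and not site.backhaul_ipsec:
            findings.append("HIGH untrusted backhaul toward core without IPsec")
    elif not site.physically_secure:
        findings.append("MEDIUM tampering can deny access, cannot expose user data")
    return impact, findings


# Constructed sample inventory: one split deployment and one unsplit small cell.
INVENTORY = [
    Site("rooftop-ru-du", frozenset({"RU", "DU"}), False, False, False),
    Site("edge-dc-cu", frozenset({"CU"}), True, False, True),
    Site("street-smallcell", frozenset({"gNB"}), False, False, False),
]

if __name__ == "__main__":
    for s in INVENTORY:
        impact, findings = assess(s)
        print(s.name, sorted(impact), findings or ["no findings"])
```
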

The Growing Need for RAN Security

RAN evolution and the overall current and future target market segments and use cases, enabled by 4G/5G technologies and infrastructures, have a strong impact on the need for growing RAN security:

  • To enable the growing scalability delivered by 5G, the deployment of a growing network of small cells is required. Many of these femtocell, picocell and microcell eNodeBs (eNB) and gNodeBs (gNB) will be located in the public domain and in other non-secure locations. In most cases, they will also be connected to the MNO network via untrusted backhaul. These combined factors represent a growing risk factor, contributing to the increase in overall attack surface and the risk of traffic tampering, misuse and manipulation.
  • Mobile infrastructure critical use cases. 5G brings to bear the ability to provide critical use cases and innovation in different industries, such as healthcare, energy and transportation. Unlike the previous mobile generation, mobile infrastructure “standardization” and the growing reliance on its services for some critical use cases will increase the cybercrime community’s “interest” in the mobile infrastructure as an attack vector and target and will further drive the growing need for RAN security.

5G RAN Threats

The fact that 5G will support many different access networks including 2G, 3G, 4G, and Wi-Fi means 5G perhaps inherits all the security challenges of those access networks.
In recent years, a large body of literature has revealed numerous security and privacy issues in 4G mobile networks. Most of the published attacks at the 4G RAN layer involve rogue base stations (RBSs) or IMSI catchers to target IMSIs during the UE’s initial attach procedure to the network, or paging attacks using the IMSI paging feature. In such attacks, the obtained information about particular IMSIs may be used later for other types of attacks.

5G will use Multiple-Input Multiple-Output (MIMO) antenna arrays and beamforming. In addition to other spectrum, many 5G systems will operate in millimeter wave (mmWave) spectrum. It is not expected that mmWave by itself is less secure than any other part of the spectrum. The data and signaling transmitted and received at the radio layer is expected to be appropriately encrypted and integrity protected at higher layers, whenever possible.

Despite 5G security enhancements, 5G networks could still be a target of RBS-based threats using, for example, the following threat vectors:

  • An attacker can exploit the 5G/LTE interworking requirement to launch a downgrade attack.
  • A compromised 5G small cell can create an RBS threat to 5G networks and customers.
  • An attacker can exploit a lack of gNB authentication in idle mode to force the user to camp on an RBS, which could lead to a denial of services (such as public safety warnings, incoming emergency calls, real-time application server push services, etc.).

Resources:

  • 3GPP
  • Ericsson
  • Fortinet
  • 5GAmericas
