5G Cybersecurity (Preliminary Draft)

Bartock, Michael; Cichonski, Jeffrey; Souppaya, Murugiah; Dey, Surajit; Grayeli, Parisa; Mulugeta, Blaine; Sharma, Sanjeev; Teague, Chuck; Scarfone, Karen; Righi, Stefano; Ramalingam, Muthukkumaran; Rhea, Paul; Santharam, Madhan; Mosley, Rich; Ungureanu, Bogdan; Patel, Jitendra; Wan, Tao; Romness, Peter; Hyatt, Matthew; Lebel, Leo; Carroll, Dan; Orrin, Steve; Brown, Leland; Zhou, Yong; Piggott, Corey; Jones, Michael; Yeh, Michael; Atkinson, Gary; Eustace, Dan; Wenger, Bryan; Morgan, Sean; Balmakhtar, Marouane; Schumacher, Gregory

SP 1800-33 (Draft)

5G Cybersecurity (Preliminary Draft)

Date Published: April 25, 2022
Comments Due: June 27, 2022 (public comment period is CLOSED)
Email Questions to: 5G-security@nist.gov

Planning Note (4/25/2022): The comment period for Volume B: Approach, Architecture, and Security Characteristics, is open through 6/27/22. This preliminary draft is stable but has some gaps in its content that will be addressed in the next draft.

Author(s)

Michael Bartock (NIST), Jeffrey Cichonski (NIST), Murugiah Souppaya (NIST), Surajit Dey (MITRE), Parisa Grayeli (MITRE), Blaine Mulugeta (MITRE), Sanjeev Sharma (MITRE), Chuck Teague (MITRE), Karen Scarfone (Scarfone Cybersecurity), Stefano Righi (AMI), Muthukkumaran Ramalingam (AMI), Paul Rhea (AMI), Madhan Santharam (AMI), Rich Mosley (AT&T), Bogdan Ungureanu (AT&T), Jitendra Patel (AT&T), Tao Wan (CableLabs), Peter Romness (Cisco), Matthew Hyatt (Cisco), Leo Lebel (Cisco), Dan Carroll (Dell Technologies), Steve Orrin (Intel), Leland Brown (Intel), Yong Zhou (Keysight Technologies), Corey Piggott (Keysight Technologies), Michael Jones (Keysight Technologies), Michael Yeh (MiTAC Computing), Gary Atkinson (Nokia/Nokia Bell Labs), Dan Eustace (Nokia/Nokia Bell Labs), Bryan Wenger (Palo Alto Networks), Sean Morgan (Palo Alto Networks), Marouane Balmakhtar (T-Mobile), Gregory Schumacher (T-Mobile)

Announcement

NIST’s National Cybersecurity Center of Excellence (NCCoE) has published portions of a preliminary draft practice guide, “5G Cybersecurity,” and is seeking the public's comments on the contents. Our proposed solution contains approaches that organizations can use to better secure 5G networks through a combination of 5G security features and third-party security controls. We also demonstrate how commercial tools can build a 5G standalone network that operates on—and uses—a trusted, secure, cloud-native hosting infrastructure. We also demonstrate how to strengthen a 5G network’s supporting IT infrastructure to make it more resistant to cyber attacks.

Abstract

Organizations face significant challenges in transitioning from 4G to 5G usage, particularly the need to safeguard new 5G-using technologies at the same time that 5G development, deployment, and usage are evolving. Some aspects of securing 5G components and usage lack standards and guidance, making it more challenging for 5G network operators and users to know what needs to be done and how it can be accomplished. To address these challenges, the NCCoE is collaborating with technology providers to develop example solution approaches for securing 5G networks. This NIST Cybersecurity Practice Guide explains how a combination of 5G security features and third-party security controls can be used to implement the security capabilities organizations need to safeguard their 5G network usage.

Keywords

5G; cybersecurity; cloud security; hardware root of trust (HRoT); network function containerization; network function virtualization); privacy; secure boot; Service Based Architecture (SBA); trusted compute

Control Families

None selected

Documentation

Publication:
SP 1800-33B (Prelim. Draft)

Supplemental Material:
Project homepage (web)
SP 1800-33A (Prelim. Draft) (pdf)

Document History:
04/25/22: SP 1800-33 (Draft)

Topics

Security and Privacy
general security & privacy; roots of trust

Technologies
cloud & virtualization; mobile; networks

Applications
communications & wireless

Sectors
telecommunications