起飛的 5G 網路與資安挑戰 Dr. Yeali S. Sun ( 孫雅麗) , Commissioner Taiwan National Communications Commission (NCC) 全國資安大會 , August 12, 2020
Outline • 5G developments in Taiwan • 5G Security Issues • Concluding remarks YLSUN 2020 2
5G Developments in Taiwan
5G 第一階段頻譜釋照結果 YLSUN 2020 4
R15 規範主要侧重於 eMBB 應用。 eMBB 主要是消費者市場; 5G: 標準制訂 • 這對於拉升 Average Return per User (ARPU) 動能有限。 R16 侧重於 URLLC • 目標: 「拓展」 5G URLLC R16 超可靠低延遲通訊 支持 垂直場域 邁向 數位轉型 下 智能化 mMTC 生產、製造與運作 大規模機器通訊 的模式 ;達到數位 eMBB 國家、數位經濟與 增強行動寬頻 數位社會的目標。 R15 從 NSA 架構轉移到 SA 架構 ; 真正 5G 網 路的建設與部署 , 速度會加快。 Source: 3GPP YLSUN 2020 5
5G Security: The battle is just on …
The Prague Proposals ( 布拉格宣言) The Chairman Statement on Cyber Security of Communication Networks in a Globally Digitalized World Prague 5G Security Conference 2019
Communication • Communication is almost playing a role in every aspect of our lives. • It increases our dependency and vulnerabilities . • 5G networks and future communication technologies will transform the way we communicate and the way we live substantially. Security of 5G networks is crucial for national security, economic security and other national interests and global stability. The architecture and functions of 5G networks must be underpinned by an appropriate level of security . 8
The Chair Recognizes Existence of perspectives: Cyber security NOT only a Broad nature of security technical issue measures Both technical and NON- No universal solutions TECHNICAL nature of cyber Ensuring security while threats supporting INNOVATION Possible serious effects of Security costs money 5G networks disruption Supply chain security Nation-wide approach Proper risk assessment essential 9
National Policy : “Digital Nation, Smart Island” Digital Nation, Innovative Economic Development Program ( DIGI+ 2017-2025) To accelerate Industrial Innovation and Economic Prosperity 5+2 產業 5G Constructing a beneficial infrastructure for digital innovation 10
5G Security: Challenges • 5G is designed to enable and accommodate a variety of new servi ces. Software-based architecture in 5G networks (including radio access network (RAN) and core network) Network Function Softwarization • The use of software defined network (SDN), network function virtualization (NFV), network slicing, edge computing, etc. • Embraces NEW computing and networking technologies • Need to ensure that IT technology products and the information systems that the 5G network and services rely on are sufficiently trustworthy . YLSUN 2020 11
5G Security Q1 : What specific national strategy , policies and legal framework are necessary for 5G networks or communication networks in general to ensure a high level of cyber security and resilience ? YLSUN 2020 12
5G Policy in Taiwan Chinese-made equipment was banned in 4G networks, • so will be for 5G. Every 5G network operator is required to submit a 5G • network security protection plan along with the network deployment in the business plan. Security by Design YLSUN 2020 13
5G Network Protection Plan • Directed by • The Telecommunications Management Act ( 電信管理法 ): July 1, 2020. • The Regulations for Administration of Mobile Broadband Businesses (行動 寬頻業務管理規則) (Article 40) Legal binding: 5G Network Protection Plan (5G 網路資通安全維護計畫) is subject to • review and approval by NCC. NCC may order the nominated bidder to change the content of the plan • during the review whenever necessary. The operator shall act according to the plan. • Whenever there is any change to content of the plan the operator shall • specify the reason and report it to NCC for approval . YLSUN 2020 14
5G Network Protection Plan Different from 3G and 4G eras, this is the first time that a nominated • bidder is required to submit such a document. Seventeen matters are specified to be included in the document. • Our tactics • It is a self describing document. Develop and publish a Reference Framework to help operators be focused and address all the important cybersecurity issues . It serves as a guidance for the 5G mobile network operator to better understand, manage, and reduce the cybersecurity risks . NCC WORKS with operators to secure 5G networks and services YLSUN 2020 15
5G Network Protection Plan: Reference Framework • The framework is based on several existing standards, guidelines, and practices. NIST Cybersecurity Framework (CSF), version 1.1, April 2018. • “The Prague Proposals The Chairman Statement on cyber security of communication • networks in a globally digitalized world,” Prague 5G Security Conference, May 2019. “EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks ,” Report, October • 2019. “3GPP 5G Security,” August 6, 2018. • • Specially, for each matter, a number of important issues are listed that must be addressed in the document. • The regulator (NCC) will conduct security audits. • To evaluate network operator’s cyber security policies, procedures, and the operating effectiveness. YLSUN 2020 16
5G Security • 確保 5G 網路安全、可靠、具韌性:政策、目標、核心 業務、範圍、安全維護程序與流程 • Incident response • Dedicated 5G security office and personnel Governance • 制度面、管理面、 • Security assurance of 技術面 Trusted Integration product design, HW/SW of Cybersecurity development, operation and & Supply with Operations 5G maintenance Chain Security • Products with inbuilt defense • Supply chain security (visibility) Secure Secure Operati Network on& • End-to-end Mgmt. • Security architecture (control plane • Security measures & user plane) (prevent, detect, protect, recovery) • Secure deployment YLSUN 2020 17
Reference Framework: Security Requirements Identify Secure, Reliable & 1 Policy & Goals Recover 2 Core Business & Significance Resilient 3 Scope of Protection Notification, Incident Response, and 10 4 Cybersecurity Executive Organization Cybersecurity Exercises 5 Dedicated Personnel and Budget Allocation Cybersecurity Threat Intelligence 11 6 Chief Security Officer Evaluation and Response Identification of Information and Communications NIST 7 Systems (including Equipment in Compliance with ITU or Cybersecurity 3GPP Regulations Framework Respond 8 Cybersecurity Risk Assessment 12 Outsourcing Management Notification, Incident Response, and 10 17 Formal Certification of Cybersecurity Management Cybersecurity Exercises Cybersecurity Threat Intelligence 11 Evaluation and Response Protect 9 Cybersecurity Protect and Control Measures Performance Evaluation of Personnel with Job Assignment Detect 13 Involved 5G Security The Detect and Protect Measures ( Including the Continual Improvement and Review of 5G Network 15 14 architecture, defense in-depth and timetable ) Protection Plan Security Measures for Subscriber Data Protection in terms 16 of Collection, Storage, Process and Use YLSUN 2020 18
Eight Important 5G Security Issues Secure Software Development Quality Control ( 安全軟體開發品質控管) 1) Software Update Management (軟體更新管理) 2) Supply Chain Security Management (供應鏈安全管理) 3) Integration of Cybersecurity measures with Network Operations 4) (ICT+OT) (資安落實於 OT ) Cybersecurity Capability Building (資安能力的建立) 5) Multi-access Edge Computing (邊緣運算) 6) Privacy (隱私保護) 7) Signal interference – a form of DoS (訊號干擾) 8) YLSUN 2020 19
Issue #1: Secure Software Design & Development Quality Control ( 安全軟體開發品質控管) • Security by design • Network Function Softwarization in 5G The use of SDN, NFV, network slicing, edge computing, etc. • Employing ICT technology products and the information systems in 5G networks and services. • • For software vendors: “secure assurance of software design & development process, and quality control ” Hardening Guideline Secure Coding 1 2 3 4 5 Risk Assessment Vulnerability Vulnerability Privacy Impact Analysis Watch Source: Ericsson Assessment YLSUN 2020 20
Issue #2: Software Update Management (軟體更新管理) During operations For a 5G network operator: “secure assurance of software update process ” e.g., patch distribution policy • distinguishing major vs. minor patch ? • under attacks or major vulnerability discovery, do patching in real-time? • zero-day attack? • performing laboratory test before distribution? ( 軟體安全測試的能力與能量 ) • Standard operating procedures ( SOP ) ( 制度;作業效率 ( timeliness) 、品質 ( 執行程序及人員管控)和一致性 ( uniformity) ) YLSUN 2020 21
Recommend
More recommend
