5G Dr. Yeali S. Sun ( , Commissioner Taiwan National - - PowerPoint PPT Presentation

SLIDE 1

The Takeoff of 5G Networks and Cybersecurity Challenges

  • Dr. Yeali S. Sun (孫雅麗), Commissioner, Taiwan National Communications Commission (NCC)

National Cybersecurity Conference, August 12, 2020

SLIDE 2

Outline

  • 5G developments in Taiwan
  • 5G Security Issues
  • Concluding remarks

2 YLSUN 2020

SLIDE 3

5G Developments in Taiwan

SLIDE 4

5G Phase 1 Spectrum Licensing Results

SLIDE 5

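5G: Standardization

R15 / R16

  • eMBB: Enhanced Mobile Broadband
  • URLLC: Ultra-Reliable Low-Latency Communications
  • mMTC: Massive Machine-Type Communications

  • Goal: "extend" 5G to support vertical domains as they move toward intelligent production, manufacturing and operation models under digital transformation, and achieve the goals of a digital nation, digital economy and digital society.
  • Moving from the NSA architecture to the SA architecture; the construction and deployment of true 5G networks will accelerate.

  • The R15 specification focuses mainly on eMBB applications. eMBB is mainly a consumer market; this gives limited momentum for raising Average Return per User (ARPU).
  • R16 focuses on URLLC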

Source: 3GPP

SLIDE 6

5G Security: The battle is just on …

SLIDE 7

The Prague Proposals (布拉格宣言)

The Chairman Statement on Cyber Security of Communication Networks in a Globally Digitalized World

Prague 5G Security Conference 2019

SLIDE 8

Communication

  • Communication plays a role in almost every aspect of our lives.
  • It increases our dependency and vulnerabilities.
  • 5G networks and future communication technologies will substantially transform the way we communicate and the way we live.
  • Security of 5G networks is crucial for national security, economic security and other national interests and global stability.
  • The architecture and functions of 5G networks must be underpinned by an appropriate level of security.

SLIDE 9

The Chair Recognizes Existence of perspectives:

  • Cyber security NOT only a technical issue
  • Both technical and NON-TECHNICAL nature of cyber threats
  • Possible serious effects of 5G networks disruption
  • Nation-wide approach
  • Proper risk assessment essential
  • Broad nature of security measures
  • No universal solutions
  • Ensuring security while supporting INNOVATION
  • Security costs money
  • Supply chain security

SLIDE 10

National Policy: “Digital Nation, Smart Island”

Digital Nation, Innovative Economic Development Program (DIGI+ 2017-2025)

To accelerate Industrial Innovation and Economic Prosperity

5G

Constructing a beneficial infrastructure for digital innovation

5+2 Industries

SLIDE 11

5G Security: Challenges

  • 5G is designed to enable and accommodate a variety of new services.
  • Software-based architecture in 5G networks (including radio access network (RAN) and core network)
  • Network Function Softwarization
  • The use of software defined network (SDN), network function virtualization (NFV), network slicing, edge computing, etc.
  • Embraces NEW computing and networking technologies
  • Need to ensure that IT technology products and the information systems that the 5G network and services rely on are sufficiently trustworthy.

SLIDE 12

5G Security

Q1: What specific national strategy, policies and legal framework are necessary for 5G networks or communication networks in general to ensure a high level of cyber security and resilience?

SLIDE 13

5G Policy in Taiwan

  • Chinese-made equipment was banned in 4G networks, and will be for 5G as well.
  • Every 5G network operator is required to submit a 5G network security protection plan along with the network deployment in the business plan.
  • Security by Design

SLIDE 14

5G Network Protection Plan

  • Directed by
      • The Telecommunications Management Act (電信管理法): July 1, 2020.
      • The Regulations for Administration of Mobile Broadband Businesses (行動寬頻業務管理規則) (Article 40)
  • Legally binding:
      • The 5G Network Protection Plan (5G網路資通安全維護計畫) is subject to review and approval by NCC.
      • NCC may order the nominated bidder to change the content of the plan during the review whenever necessary.
      • The operator shall act according to the plan.
      • Whenever there is any change to the content of the plan, the operator shall specify the reason and report it to NCC for approval.

SLIDE 15

5G Network Protection Plan

  • Unlike in the 3G and 4G eras, this is the first time that a nominated bidder is required to submit such a document.
  • Seventeen matters are specified to be included in the document.
  • Our tactics
      • It is a self-describing document.
      • Develop and publish a Reference Framework to help operators stay focused and address all the important cybersecurity issues.
      • It serves as guidance for the 5G mobile network operator to better understand, manage, and reduce the cybersecurity risks.
  • NCC WORKS with operators to secure 5G networks and services

SLIDE 16

5G Network Protection Plan: Reference Framework

  • The framework is based on several existing standards, guidelines, and practices.
      • NIST Cybersecurity Framework (CSF), version 1.1, April 2018.
      • “The Prague Proposals: The Chairman Statement on cyber security of communication networks in a globally digitalized world,” Prague 5G Security Conference, May 2019.
      • “EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks,” Report, October 2019.
      • “3GPP 5G Security,” August 6, 2018.
  • Specifically, for each matter, a number of important issues are listed that must be addressed in the document.
  • The regulator (NCC) will conduct security audits.
      • To evaluate the network operator’s cyber security policies, procedures, and the operating effectiveness.

SLIDE 17

5G Security

  • Ensure that 5G networks are secure, reliable and resilient: policy, goals, core business, scope, security maintenance procedures and processes
  • Incident response
  • Dedicated 5G security office and personnel
  • Security assurance of product design, development, operation and maintenance
  • Products with inbuilt defense
  • Supply chain security (visibility)
  • Security architecture
  • Security measures (prevent, detect, protect, recovery)
  • Secure deployment
  • Institutional, management and technical aspects
  • End-to-end (control plane & user plane)

[Diagram: "5G Security" surrounded by the labels Trusted HW/SW & Supply Chain; Secure Network; Secure Operation & Mgmt.; Governance; Integration of Cybersecurity with Operations]

SLIDE 18

Reference Framework: Security Requirements

The seventeen matters, grouped by NIST Cybersecurity Framework function (goal: Secure, Reliable & Resilient):

  • Identify
      • 1 Policy & Goals
      • 2 Core Business & Significance
      • 3 Scope of Protection
      • 4 Cybersecurity Executive Organization
      • 5 Dedicated Personnel and Budget Allocation
      • 6 Chief Security Officer
      • 7 Identification of Information and Communications Systems (including Equipment in Compliance with ITU or 3GPP Regulations)
      • 8 Cybersecurity Risk Assessment
      • 12 Outsourcing Management
      • 17 Formal Certification of Cybersecurity Management
  • Protect
      • 9 Cybersecurity Protect and Control Measures
      • 13 Performance Evaluation of Personnel with Job Assignment Involved 5G Security
      • 14 Continual Improvement and Review of 5G Network Protection Plan
      • 16 Security Measures for Subscriber Data Protection in terms of Collection, Storage, Process and Use
  • Detect
      • 15 The Detect and Protect Measures (Including the architecture, defense in-depth and timetable)
  • Respond
      • 10 Notification, Incident Response, and Cybersecurity Exercises
      • 11 Cybersecurity Threat Intelligence Evaluation and Response
  • Recover
      • 10 Notification, Incident Response, and Cybersecurity Exercises
      • 11 Cybersecurity Threat Intelligence Evaluation and Response

SLIDE 19

Eight Important 5G Security Issues

1) Secure Software Development Quality Control (安全軟體開發品質控管)
2) Software Update Management (軟體更新管理)
3) Supply Chain Security Management (供應鏈安全管理)
4) Integration of Cybersecurity measures with Network Operations (ICT+OT) (資安落實於OT)
5) Cybersecurity Capability Building (資安能力的建立)
6) Multi-access Edge Computing (邊緣運算)
7) Privacy (隱私保護)
8) Signal interference – a form of DoS (訊號干擾)

SLIDE 20

Issue #1: Secure Software Design & Development Quality Control (安全軟體開發品質控管)

  • Security by design
  • Network Function Softwarization in 5G
  • The use of SDN, NFV, network slicing, edge computing, etc.
  • Employing ICT technology products and the information systems in 5G networks and services.
  • For software vendors: “secure assurance of software design & development process, and quality control”

[Figure labels: Risk Assessment; Privacy Impact Assessment; Secure Coding; Vulnerability Analysis; Vulnerability Watch; Hardening Guideline]

Source: Ericsson

SLIDE 21

Issue #2: Software Update Management (軟體更新管理)

During operations

  • For a 5G network operator: “secure assurance of software update process”
  • e.g., patch distribution policy
      • distinguishing major vs. minor patch?
      • under attacks or major vulnerability discovery, do patching in real-time?
      • zero-day attack?
      • performing laboratory test before distribution? (capability and capacity for software security testing)
  • Standard operating procedures (SOP): institutional rules; operational efficiency (timeliness), quality (control of execution procedures and personnel) and consistency (uniformity)

SLIDE 22

Issue #3: Supply Chain Security Management (供應鏈安全管理)(1/2)

  • Hardware focuses: (1) minimizing disruption; and (2) ensuring product quality
  • Software: relatively easy to modify → raising greater risks and attacks
  • Focuses: (1) minimizing opportunities for unauthorized changes; (2) establishing and maintaining supply chain visibility, not only for security but for regulatory compliance.
  • Ban of Chinese-made equipment; worldwide trend.
  • How about the elements inside, including software?
  • Network function softwarization: complex systems consisting of a number of components, from chips, processors, firmware, OS and libraries to various software modules, including open source software

[Diagram labels: Gov. project; Gov. funded institute; Software com; Software com in China; "subcontract" on each of three links]

SLIDE 23

Issue #3: Supply Chain Security Management (供應鏈安全管理)(2/2)

Q2: How can 5G network operators establish and maintain supply chain visibility, both for security and regulatory compliance?

  • knowing the origin and composition of the software and hardware components
  • knowing the resilience and dependability of the vendors
  • Evaluating and monitoring a supplier’s ability to produce systems (including coding practices, technical capability to conduct appropriate reviews, and management of its software supply chain risks)
  • Risk assessment of software acquisition lifecycle: initialization, development, configuration/deployment, operations/maintenance, and disposal.

SLIDE 24

Issue #4: Integration of Cybersecurity Measures with Network Operations & Maintenance (資安落實於OT)

  • Integration of cybersecurity policy, procedures, measures and implementations with network operations & maintenance.
      • Institutional (e.g., SOPs), management (personnel) and technical aspects
  • Coordinate and align cybersecurity roles and responsibilities with internal roles and external partners, as well as network operations.

SLIDE 25

Issue #5: Cybersecurity Capability Building (資安能力的建立)

  • Operations & Mgmt.: Network Operator (5G equipment, systems, database & apps.)
  • Product Providers
  • Authority Agency: National Comm. Commission

  • Operators largely rely on product vendors
      • to provide information on the security design, architecture, and implementation of hardware/firmware/software of the product.
  • Operators must have the capability to conduct security assurance test and evaluation
      • to ensure the security and resilience of the entire network elements and overall service provisioning operations.
  • NCC will conduct security audits for 5G network operators.

SLIDE 26

Issue #6: Multi-access Edge Computing (MEC)

  • To support services with low-latency requirements such as real-time AR/VR applications, the network operator might allow third-party service providers to place their equipment, systems, or software running in the operator’s data center.
  • This raises additional risks and threats to the network (from closed → “open” environment)

SLIDE 27

Issue #7: Privacy (隱私保護)

Concerns of

  • Unauthorized collection of data from the network about who is doing what
  • Surveillance by adversaries
  • Human rights violations and abuses
  • Third-party data use (e.g., advertisements, microtargeting), etc.

Networks (5G)

  • 5G is an enabling technology of new services.
  • It is transformational! (digital transformation)
  • “The technology will spawn an intelligent ecosystem of connected devices, harvesting massive amounts of data that will change the way we live and work.”

Source: Ericsson

SLIDE 28

Issue #8: Signal Interference – a form of DoS

5G for Industry 4.0 and Factory Automation

URLLC: low latency, high reliability (Time-sensitive Communications)

[Figure: Non-public Network (defined premises), with the labels Subscriber database; Control plane functions; 5G service; User plane gateway]

Source: 5G-ACIA

SLIDE 29

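Roadmap of the Project to Promote 5G Vertical Application Field Trials, Regulatory Adaptation, and Research and Analysis of Network Cybersecurity Protection

Timeline: 2019, 2020, 2021, 2022, 2023, 2024

Goal: ensure that Taiwan's 5G networks are secure, reliable and resilient

Technology scope:

  • 5G NSA
  • 5G spectrum and network sharing
  • 5G private networks
  • 5G Wire-Wireless Convergence (WWC)
  • 5G SA
  • 5G MEC
  • 5G end-to-end (control-plane signaling and user-plane data transmission)
  • Convergence of 5G and low-Earth-orbit satellite communications

Work items:

  • 1. Regulatory preparation: study international 5G cybersecurity policies, regulations and practices (international organizations, governments, mobile operators)
  • 2. Writing the 5G Network Protection Plan into law (overall, build-out over the next 5 years) (Security by Design)
  • 3. Regulatory capacity and capability: build a network cybersecurity testing laboratory that can verify compliance with communications regulations
  • 4. Complete the cybersecurity regulations related to 5G networks

Cybersecurity management instruments:

  • Reference Framework for the 5G Network Protection Plan
  • Technical Specifications for the Inspection of Mobile Broadband Systems
  • Telecommunications Management Act
  • Cybersecurity Management Act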

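SLIDE 30

National-Level Communications Software Security Laboratory

Two target audiences

  • 5G network operators
  • Third-party service providers

Two platforms

  • Build a 5G "integrated secure software development and operations process (DevSecOps)"
  • Cybersecurity analysis and testing platform for "software systems"

Four focus topics

  • Security of 5G network-related software systems and applications
  • Security management of 5G network software deployment and updates
  • Secure and trustworthy 5G network supply chain management
  • Policies, systems, technologies and protective measures for subscriber privacy protection

Three outputs

  • Reference frameworks, guidance documents and mechanisms for 5G network software systems and operational security management
  • Helping network operators and 5G service providers build cybersecurity capacity and capability
  • Providing testing and verification services

Hands-on training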

SLIDE 31

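5G Cybersecurity: NCC's Role

  • The national cybersecurity "iron triangle"
  • One of the eight critical infrastructure sectors
  • Mobile communication networks: five major operators (Chunghwa Telecom, Far EasTone, Taiwan Mobile, Taiwan Star, Asia Pacific Telecom); fixed network (backhaul)
  • "Ensure that Taiwan's 5G networks are secure, reliable and resilient"
      • Policy, regulations, supervision, technical specifications, type approval, inspection, audit
  • Forward-looking actions
      • Through promotion, assistance and guidance, ensure that operators build secure, reliable and resilient networks
      • Guide and assist the development of the 5G industry (networks, application services)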

SLIDE 32

Concluding Remarks

  • The battle is just on …
  • NCC as an oversight agency took the initiative to put 5G security into regulation.
  • 5G Network Protection Plan, Reference Frameworks (addressing important security issues, especially software security, update security, supply chain security, integration of cybersecurity with operations, governance, privacy, etc.)
  • Cybersecurity capability building is imperative for network operators, service providers and regulatory government agency.
  • Regulatory Requirements vs. Standard Best Practices vs. Security Norms

SLIDE 33

Thank you. 