ENISA 5G Threat Landscape - Update

`
ENISA THREAT
LANDSCAPE FOR
5G NETWORKS
Updated threat assessment for the fifth generation of
mobile telecommunications networks (5G)
DECEMBER 2020
0
ENISA THREAT LANDSCAPE FOR 5G NETWORKS
December 2020
ABOUT ENISA
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to
achieving a high common level of cybersecurity across Europe. Established in 2004 and
strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity
contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and
processes with cybersecurity certification schemes, cooperates with Member States and EU
bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge
sharing, capacity building and awareness raising, the Agency works together with its key
stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s
infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. More
information about ENISA and its work can be found at www.enisa.europa.eu.
EDITORS
Marco Barros Lourenço, Louis Marinos, Lampros Patseas - EU Agency for Cybersecurity
CONTACT
For contacting the authors please use [email protected]
For media enquiries about this paper, please use [email protected].
ACKNOWLEDGEMENTS
We would like to thank the ENISA contractor Andrei Hohan (ENERSEC), Adrian Anghel
(ENERSEC) for the desk-top analysis of open-source material and all members of the ENISA
ad-hoc 5G Expert Group, acting on an ad personam basis: Ioannis Askoxylakis, Pascal Bisson,
Jon France, Patrik Palm and Jean-Philippe Wary, for supporting the ENISA team in information
collection, knowledge transfer in the subject matter.
LEGAL NOTICE
Notice must be taken that this publication represents the views and interpretations of ENISA,
unless stated otherwise. This publication should not be construed to be a legal action of ENISA
or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This
publication does not necessarily represent state-of the-art and ENISA may update it from time
to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the
content of the external sources including external websites referenced in this publication. This
publication is intended for information purposes only. It must be accessible free of charge.
Neither ENISA nor any person acting on its behalf is responsible for the use that might be made
of the information contained in this publication.
COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2020
Reproduction is authorised provided the source is acknowledged.
For any use or reproduction of photos or other material that is not under the ENISA copyright,
permission must be sought directly from the copyright holders.
ISBN: 978-92-9204-445-9 - DOI: 10.2824/802229
1
December 2020
TABLE OF CONTENTS
1. INTRODUCTION 8
1.1 POLICY CONTEXT 9
1.2 SCOPE AND METHODOLOGY 10
1.3 TARGET AUDIENCE 13
1.4 STRUCTURE OF THE REPORT 14
2. 5G STAKEHOLDERS 15
2.1 STAKEHOLDERS MAPPING 15
3. 5G NETWORK DESIGN AND ARCHITECTURE 17

3.1 5G USE CASES 18
3.2 GENERIC 5G ARCHITECTURE 21
3.3 CORE NETWORK ARCHITECTURE (ZOOM-IN) 22
3.4 NETWORK SLICING (NS) (ZOOM-IN) 27
3.5 MANAGEMENT AND NETWORK ORCHESTRATOR (MANO) (ZOOM-IN) 32
3.6 RADIO ACCESS NETWORK (RAN) (ZOOM-IN) 32
3.7 NETWORK FUNCTION VIRTUALISATION (NFV) – MANO (ZOOM-IN) 36
3.8 SOFTWARE DEFINED NETWORK (SDN) (ZOOM-IN) 42
3.9 MULTI-ACCESS EDGE COMPUTING (MEC) (ZOOM-IN) 45
3.10 SECURITY ARCHITECTURE (SA) (ZOOM-IN) 50
3.11 5G PHYSICAL INFRASTRUCTURE (ZOOM-IN) 55
3.12 IMPLEMENTATION OPTIONS / MIGRATION PATHS ZOOM IN 57
3.13 PROCESS MAP 61
4. 5G VULNERABILITIES 70
4.1 VULNERABILITY ASSESSMENT METHOD AND SCOPE 70
4.2 VULNERABILITY GROUPS FOR CORE NETWORK 70
4.3 VULNERABILITY GROUPS FOR NETWORK SLICING 74
4.4 VULNERABILITY GROUPS FOR RADIO ACCESS NETWORK 76
4.5 VULNERABILITY GROUPS FOR NETWORK FUNCTION VIRTUALIZATION - MANO 78
4.6 VULNERABILITY GROUPS FOR SOFTWARE DEFINED NETWORKS 80
4.7 VULNERABILITY GROUPS FOR MULTI-ACCESS EDGE COMPUTING 82
4.8 VULNERABILITY GROUPS FOR SECURITY ARCHITECTURE 84
4.9 VULNERABILITY GROUPS FOR PHYSICAL INFRASTRUCTURE 84
4.10 VULNERABILITY GROUPS FOR IMPLEMENTATION OPTIONS 86
4.11 VULNERABILITY GROUPS FOR PROCESSES 88
5. ASSETS 93
5.1 ASSET CLASSIFICATION AND MAPPING 93
5.2 NEW ASSET CATEGORIES 94
5.3 ASSET CLASSIFICATION AND THE CIA TRIAD 100
2
December 2020
5.4 THE RELEVANCE OF ASSETS THROUGHOUT THE LIFECYCLE 100
6. 5G THREATS 102
6.1 TAXONOMY OF THREATS 102
6.2 THREAT MAP 102
7. THREAT AGENTS 118

8. RECOMMENDATIONS/ CONCLUSIONS 120
8.1 RECOMMENDATIONS 120
8.2 CONCLUSIONS 122
A ANNEX: ASSETS MAP 123

B ANNEX: THREAT TAXONOMY 124
C ANNEX: DETAILED VULNERABILITIES IN THE CORE
NETWORK 129
D ANNEX: DETAILED VULNERABILITIES IN NETWORK
SLICING 164
E ANNEX: DETAILED VULNERABILITIES IN THE RADIO
ACCESS NETWORK 169
F ANNEX: DETAILED VULNERABILITIES IN NETWORK
FUNCTION VIRTUALIZATION – MANO 189
G ANNEX: DETAILED VULNERABILITIES IN SOFTWARE
DEFINED NETWORKS 196
H ANNEX: DETAILED VULNERABILITIES IN MULTI-
ACCESS EDGE COMPUTING 199
I ANNEX: DETAILED VULNERABILITIES IN THE
PHYSICAL INFRASTRUCTURE 206
J ANNEX: DETAILED VULNERABILITIES IN
IMPLEMENTATION OPTIONS 213
K ANNEX: DETAILED VULNERABILITIES IN MNO
PROCESSES 220
L ANNEX: DETAILED VULNERABILITIES IN VENDOR
PROCESSES 243
M ANNEX: DETAILED VULNERABILITIES IN SECURITY
ASSURANCE PROCESSES 248
3
December 2020
LIST OF ACRONYMS AND

ABBREVIATIONS
ACRONYMS DESCRIPTION
3GPP 3rd Generation Partnership Project

3GPP TS 3GPP Technical Specification
3GPP TR 3GPP Technical Report
5GC 5G Core
5G-PPP 5G Infrastructure Public Private Partnership
AAA Authentication, Authorisation and Accounting
AF Application function
AKA Authentication and key agreement
AMF Access and mobility management function
API Application programming interface
ARLC Air radio link control
ARP Address resolution protocol
ARPF Authentication credential repository and processing function
AS Access stratum
AUSF Authentication server function
CAPIF Common API Framework
CGI Common Gateway Interface
CN Core network
COTS Commercial of the shelf
CSA Cloud Security Alliance
CSCF Call / Session Control Function
CSMF Communication service management function
CSP Communication Service Provider
CTI Cyber Threat Intelligence
CU Control unit (RAN)
DC Data Centre
DCSP Data Centre Providers
DDoS Distributed Denial of Service
DN Data network
DNS Domain Name System
DoS Denial of Service
DTLS Datagram Transport Layer Security
DU Distributed unit (RAN)
E2E End-to-end
EM Element management
EU European Union
eMBB Enhanced mobile broadband
eNB E-UTRAN Node B, also known as Evolved Node B
ECCG European Consumer Consultative Group
ENISA European Union Agency for Network and Information Security
EPC Evolved Packet Core
ESP Encapsulating Security Payload
eTOM enhanced Telecom Operation Map
4
December 2020
ETSI European Telecommunications Standards Institute
FOSS Free and Open Source Software
gNB Next generation Node B
GMLC Gateway Mobile Location Centre
GNP Generic Network Product
GSMA GSM Association
GTP GPRS Tunnelling Protocol
GTP-C GPRS Tunnelling Protocol Control
GTP-U GPRS Tunnelling Protocol User
HBRT Hardware-Based Root of Trust
HTTP Hypertext Transfer Protocol
IAB Integrated Access and Backhaul
IE Information Element
IEC International Electrotechnical Commission
IETF Internet Engineering Task Force
IIoT Industrial Internet of Things
IKEv2 Internet Key Exchange Protocol Version 2
IMSI International Mobile Subscriber Identity
IoT Internet of things
ITU International Telecommunications Unit
IP Internet protocol
IPsec IP Security
IPX IP Exchange Service
ISAC Information sharing and analysis centres
ISF NFVI-based Security Function
ISO International standards organisation
ITU International Telecommunication Union
IXP Internet Exchange Point
JSON JavaScript Object Notation
JWS JSON Web Signature
KPI Key Performance Indicators
LCM Life Cycle Management
LEA Law Enforcement Agency
LI Lawful Interception
LMF Localisation Management Function
LTE Long-Term Evolution
M2M Machine to Machine
MAC Media access control
MANO Management and orchestration
MEC Multi-access edge computing
MIMO Multi-input multi-output
MME Mobility Management Entity
mMTC massive Machine-Type Communication
MNO Mobile network operator
NAS Non access stratum
NCA National Certification Authorities
NCSC National cybersecurity coordinator/agency/centre
NEF Network exposure function
NESAS Network Equipment Security Assurance Scheme
NF Network function
NFVI Network function virtualisation infrastructure
5
December 2020
ng-eNB. Next generation - evolved Node B
NG RAN Next generation Radio Access Network
NIS Directive The Directive on security of network and information systems
NOP Network operator
NR New radio
NRA National Regulator
NRF Network repository function
NS Network slice
NSA Non-standalone
NSI Network slice instance
NSM NFV Security Manager
NSMF Network slice management function
NSSAAF Network Slice Specific Authentication and Authorisation Function
NSSAI Network Slice Selection Assistance Information
NSSF Network slice selection function
NSSI Network Slice Subnet Instance
NSSMF Network slice subnet management function
NSST Network Slice Subnet Template
NTC National 5G test centres
OAM Operation, Administration, and Management
O&M Operations & Maintenance
OS Operating system
OSS/BSS Operations Support System/Business Support System
PCF Policy control function
PDCP Packet data conversion protocol
PDU Protocol data unit
PLMN Public Land Mobile Network
PNF Physical Network Function
PSF Physical Security Function
QoS Quality of service
RACS Radio Capabilities Signalling
RAT Radio access technology
RES* Response (authentication response)
RFC Request for Comments
RRC Radio Resource Control
RU Radio Unit
SA Security architecture
SaaS Software as a Service
SBA Service-based architecture
SBI Service-based interface
SC Service customers
SCAS 3GPP Security Assurance Specifications
SCP Service Communication Proxy
SDAP Service data adaptation protocol
SDN Software defined network
SEAF Security anchor functionality
SECAM 3GPP Security Assurance Methodology
SEPP Security edge protection proxy
SFTP Secure File Transfer Protocol
SGW Serving gateway
SIDF Subscription identifier de-concealing function
6
December 2020
SLA Service level agreement
SMC Security Mode Command
SMF Session management function
SMS Short message service
SMSF SMS function
SP Service providers
SSA NFV security services agent
SSI Server Side Includes
SSH Secure Shell
SSP NFV security services provider
SUCI Subscription concealed identifier
SUPI Subscription Permanent Identifier
TCP Transmission Control Protocol
TEID Tunnel Endpoint Identifier
TLS Transport Layer Security
TPM Trusted platform module
TSN Time Sensitive Networking
UCMF UE radio Capability Management Function
UICC Universal Integrated Circuit Card
UDM Unified data management
UDR Unified data repository
UDSF Unstructured data storage function
UE User equipment
UP User Plane
UPF User plane function
URLLC Ultra-reliable low-latency communication
USIM Universal subscriber identity module
V2V Vehicle to vehicle protocol
V2X Vehicle to everything protocol
VISP Virtualisation infrastructure service providers
VIM Virtualised infrastructure manager
VM Virtual machine
VNF Virtualised Network Function
VNFD VNF descriptor
VNFM VNF manager
VNFI VNF Infrastructure
VSF Virtual Security Function
7
December 2020
1. INTRODUCTION
This report is an update of the ENISA 5G Threat Landscape, published in its first edition in
20191. This document is a major update of the previous edition. It encompasses all novelties
introduced, it captures developments in the 5G architecture and it summarizes information
found in standardisation documents related to 5G. Moreover, the vulnerability and threat
assessments found in this document introduce a significant advancement to the previous
edition, by providing more comprehensive information about the exposure of assets of the
updated 5G architecture.
Beyond these changes, some additional elements have been taken into account. Firstly,
implementation/migration options of a gradual migration to 5G from 4G have been taken into
account. Secondly, security issues of operational processes have been considered. These two
changes enlarge the scope of the assessment and include important parts for the enhancement
of operational security.
For all these elements, this report provides a vulnerability analysis, indicating how these
vulnerabilities can be exploited through cyberthreats and how this exploitation can be mitigated
through security controls. The assessed vulnerabilities are consolidated from various sources,
including main 5G standardisation documents and telecommunication best practices (3GPP,
ITU, ETSI, ISO, NIST and GSMA). A consolidation and mapping of cyberthreats used in these
standards has also been performed. Clearly, the complexity of 5G infrastructure and the
dependencies of assets, controls and threats is reflected in the complexity of the produced
information. ENISA would like to develop a tool-based version of this information, so that users
of the material can better navigate this complex information in a more efficient way than the
static, highly interlinked tables presented in this report. This task will be accounted for in the
near future.
The performed assessments in this report are based on specifications of 5G infrastructure, thus
potentially having a certain “distance” from actual implementations. Moreover, assessed
vulnerabilities have been extrapolated from experiences of weaknesses of technical
implementations of similar non-5G components. As such, they comprise rather hypothetical
assumptions that are to be validated on the basis of implementations. ENISA states in this
document the importance of bridging the gap between functional specifications and
implemented functions. As 5G implementation are proceeding, it is important to develop ways to
check the compliance of implementations towards the specified content and feedback
information to the specification efforts. Initially, the creation of implementation guidelines may
be a useful tool to assess the quality of implementations. In addition, security assurance
methods may be a good way to support developers and/or entities that will test the compliance
of implemented 5G functions.
A good method to overcome these limitations and at the same to further advance the quality of
this and other relevant material (ENISA, European Commission, Member States, 3GPP,
BEREC, etc.) is to use it within detailed 5G threat/risk assessments in a coordinated manner.
Besides validation of the produced information, such actions will contribute towards a more
secure 5G infrastructure and have as consequence the creation of a competitive advantage of
European stakeholders in the area of 5G. At the same time, it will increase efficiency of used
resources by avoiding duplication of efforts.
1
https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks, accessed October 2020.
8
December 2020
The authoring of this report has been performed exclusively by ENISA. It is based on Open
Source Intelligence (OSINT) collection of publicly available information. Following a desk-top
analysis of this material by an external contractor, an update of the 5G architecture has been
performed by ENISA, vulnerabilities have been collected and consolidated and threat exposure
has been assessed. Mitigation controls found in publicly available documents have been
associated to the identified exposure, leading to a reduction of attack surface. An ad-hock
expert group consisting of 5G experts has contributed on an ad-personam basis and has
supported the work of ENISA. Their contributions were towards information collection and
knowledge transfer in the subject matter. Their contributions has been considered and compiled
by ENISA using it as an input.
To better
For the time being, the material presented in this report aims at supporting various stakeholders
understand the
understanding the relevant vulnerabilities and cyberthreats resulting to an exposure of 5G cyber-threats
assets by exploiting the vulnerabilities. When requested, ENISA is in the position to support affecting 5G
stakeholders ‘drilling down’ the analysis further, by including granular details from the Networks, it is
components in focus, and examine the relevance of the assessed cyberthreats and the essential to know
efficiency of developed security measures. the vulnerabilities
and weaknesses
1.1 POLICY CONTEXT of assets,
In January 2020, the European Commission has issued a communication calling Member assessing thus
States to take steps to implement the set of measures recommended in the 5G toolbox 2,3. In their attack
June 2020, a “Report on Member States’ Progress in Implementing the EU Toolbox on 5G surface and how
Cybersecurity7” has been published NIS Cooperation Group with the objective to provide an it can be
overview of the state of play of the ongoing toolbox implementation process by Member States exploited by
as of June 2020. malicious actors.
The present report contributes to the implementation of 5G toolbox measures (SMs, TMs) and
supporting actions (SAs). Its main contribution is supporting action 9 (SA09), stating “Consider
the use of existing cooperation, coordination and information sharing mechanisms, including
actions and support by ENISA, notably through regular threat assessments”. Moreover, by
providing all details about vulnerabilities, threats, security requirements and mitigation controls,
this document builds the basis for performing technical risk assessments for various sub-
systems and components of the 5G architecture, by delivering input to identify the main
technical “risk factors” for 5G.
Since the adoption of the EU 5G Toolbox in January 2020 and the publication of Member States
progress report of the implementation June 20204, Member States had paid increasing attention
to the implementation of SM05 and SM06. The purpose of SM05 and SM06 is to ensure
resilience through diversity while addressing risk R4 at individual MNO level and national level.
However it is essential to recognize that the updated ENISA 5G Threat Landscape report has
not been revised to the extent that it can provide Member States with guidance on how to
implement SM05 and SM06. This is due to the fact that this report does not specify all relevant
assets in the 5G ecosystem supply chain (devices, cloud and network assets) and objective
criteria for key stakeholders to assess resilience and diversity in the context of SM06.
Furthermore, the current report does not provide a set of common mitigation methods to
proportionally apply across the 5G ecosystem and key stakeholders, at national (SM06 such as
issues of number of MNO, network sharing) or at individual network level (SM05).
Consequently, it is not possible from this report to make conclusions about how to consistently
and proportionally implement mitigations across EU. Within this report, supporting actions SA03
2
https://ec.europa.eu/digital-single-market/en/news/secure-5g-deployment-eu-implementing-eu-toolbox-communication-
commission, accessed October 2020.
3
https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=64468, accessed October 2020.
4
https://ec.europa.eu/commission/presscorner/detail/en/IP_20_1378, accessed November 2020.
9
December 2020
and SA04 are extensively covered (by numerous contributing to TM01, and TM02, as indicated
in the mapping found in the vulnerability assessment).
Moreover, in the new ENISA regulation, the need to analyse current and emerging risks is
expressed. In line with this role, ENISA regulation stipulates that: “the Agency should, in
cooperation with Member States and, as appropriate, with statistical bodies and others, collect
relevant information”5. More specifically, it is stated that it should “enable effective responses to
current and emerging network and information security risks and threats”6.
Therefore, the ENISA 5G Threat Landscape aims at contributing to the EU Cybersecurity

Strategy and more specifically, to ongoing policy initiatives related with the security of networks
and information systems; it streamlines and consolidates available information on cyber-threats
and their evolution, thus supporting EU and national risk assessment activities.
1.2 SCOPE AND METHODOLOGY

Unlike the conditions of previous year regarding the state-of-play of 5G developments, in 2020
several national, European and international developments have led to a clearer picture of 5G
infrastructure developments at various levels. The 5G specification has done significant
progress, implementation options and migration paths from 4G to 5G have been better clarified,
relevant operational processes for 5G infrastructure have been developed and taken up and
specialized 5G functions for verticals have been specified. Moreover, at the EU level, a 5G
toolbox7 has been developed and pilots towards 5G certification schemes are envisaged, in
preparation of potential requests to ENISA issued by the ECCG in the future.
This situation gives a far better visibility on the details of 5G infrastructures and is a better
starting point for updating the ENISA 5G Threat Landscape. Having regard to these
developments, the objectives, working methods and scope of this report are as follows:
 The material collected and processed within this report consists of open source
resources. It covers mainly the state-of-the art of the 5G specification work, white
papers and good practices. No concrete implementations of 5G functions from
vendors, operators, etc. have been considered or analysed for the purpose of this
report.
 The threat and vulnerability analysis performed is based on the extrapolation of

existing threats and vulnerabilities found in collected material. In this respect,
vulnerabilities referred in various processed documents have been “reverse-
engineered” based on their relevance to various components/assets; subsequently,
they have been grouped under the various zoom-ins and reflect the assessed
technical and operational weaknesses, as mentioned in the various standards/good
practices. It has to be noted that this is a pure desk-top exercise based on assumed
vulnerabilities and threats and is not funded by real incidents. Equivalently, threat
actors assumed in this report are rather hypothetical, as no known attacks to such
infrastructure do yet exist. For this reason, 5G attack vectors have not been taken into
account in this work.
5
https://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?uri=OJ:JOL_2013_165_R_0041_01&qid=1397226946093&from=EN, accessed November 2020.
6
https://www.enisa.europa.eu/publications/ed-speeches/towards-a-new-role-and-mandate-for-enisa-and-ecsm, accessed
October 2020.
7
https://ec.europa.eu/digital-single-market/en/news/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-measures,
accessed October 2020.
10
December 2020
 The comprehensive architecture of 5G developed in the previous threat landscape

report8 has been updated to include novelties of the 3GPP specification. This work has
taken into account all details that have been available in the 5G specification work.
 Implementation options – migration paths from 4G to 5G infrastructures have been

covered.
 A process map has been developed showing the contribution of operational, life-cycle
and security assurance processes to the overall security of 5G infrastructures.
 A detailed technical and operational vulnerability analysis has been performed for the
components of the 5G architecture. This analysis takes into account the threats
exploiting those vulnerabilities and the controls reducing exposure to these threats, as
defined by international organisations (3GPP, ETSI, GSMA, ISO, ITU, NIST).
 Except from generic functions developed for verticals by 3GPP, no information about
verticals per se (e.g. Transportation, eHealth, Industrial Internet-of-things (IIoT), Smart
Environments, etc.) have been covered in this report. This is due to potential
complexity of those environments and the unavailability of information due to their
early specification, implementation and deployment stages of 5G verticals.
 Detailed information and security requirements for various functions and interfaces are
included in this report, mainly via the annexes detailing the assessed vulnerabilities.
They cover security requirements, mitigation controls, involved stakeholders and
references to related specifications and the EU toolbox measures. Moreover, the
threats used in various reports have been consolidated by means of the threat
taxonomy delivered in this report.
 The scope of this report is in line with work developed by ENISA, in particular, the 5G
Threat Landscape in its 2019 edition8, and it also coherent to ENISA deliverables in
the area of 5G Standardisation.
 The development of this report followed a ‘best-effort’ approach. The collected

information is not exhaustive but representative of the matters covered.
 To collect relevant technical material and available 5G knowledge, ENISA has

maintained an ad hoc expert group consisting of skilled individuals in the area of 5G.
The selection of experts has been made based on technical experience of the selected
individuals, acting ad personam. A member of the team is an active member (co-chair)
of the 3GPP security sub-group and has acted as an interface between ENISA and
3GPP. The selection has aimed at covering detailed technical 5G knowledge skills
from the most representative stakeholder types that are currently engaged in 5G
activities.
 The content of this report was restricted to components/matters found in relevant

open-source material covering the entire specification, security requirements and
research results related to 5G network functions (NFs). The presented material has
been put together by ENISA.
8
11
December 2020
 Issues regarding Law Enforcement Agencies (LEA) and Lawful Interception (LI) have
not been covered in this document, apart from a reference in the threat taxonomy and
few references found in 3GPP specifications, both kept for the shake of completeness.
 This report addresses in detail all technical aspects of 5G networks and related threats
emerging from the collected material (e.g. 3GPP specification, standards, good-
practices). It does not cover non-technical threats (i.e. geopolitical), such as threats
leading to regulatory risks or risks of interference from third countries through the
supply chain.
The method adopted for this study is in line with the methodology developed by ENISA for the
preparation of its annual Cyberthreat Landscape. According to this methodology, the process
requires an initial identification of relevant assets within the architecture before performing a
vulnerability and a threat assessment, which evaluates the different levels of asset exposure.
Finally, by assigning security controls to the exploitable vulnerabilities, it reduces the threat
surface of relevant assets.
The elements of cyberthreats and the relationship to risks are graphically depicted inFigure 1.
The report describes the different relationships between assets, threats and threat agents. In
future versions of this report, we will cover vulnerabilities and countermeasures (mitigation
measures/security controls).
Figure 1: Methodology adopted based on ISO 27005
Value
Owners
Wish to minimize
Countermeasures
Impose
That may
possess
That may be
reduced by
Reduce
Vulnerabilities
May be aware of
Leading
Attack vectors That
to
Based on
exploit Risks
(set of)
That increase
Threat agents Threats Assets
Give
Rise to To
Wish to abuse and/or may damage
Threats play a central role in a risk assessment, especially when considering the different
components of risks. The ISO 27005, a widely adopted risk management standard, defines that
risks emerge when: “Threats abuse vulnerabilities of assets to generate harm for the
organisation”9.
Following this methodology, we have identified assets, threats and threat agents. These
constitute the core of the 5G Threat Landscape presented in this report. Furthermore, the
identification and analysis of assets and cyber-threats are based on the study of specifications,
white papers and literature, without attempting any interpretation/evaluation of the assumptions
stated in these reports. It has to be noted, that the logical relationship between Threat Agents
9
https://www.iso.org/standard/75281.html, accessed October 2020.
12
December 2020
and Attack Vectors has not been implemented in this document for the reasons: a) the threat
agent profiles are still very rudimentary and b) attack vectors in the area of 5G are unknown,
while any assumptions on attack vectors based on specified functions (3GPP) would be
premature.
1.3 TARGET AUDIENCE

Main purpose of this report is to provide knowledge and information on 5G cybersecurity issues
to the relevant community. This information may be useful to a variety of target groups:
 Non-technical stakeholders such as policy-makers, regulators, law enforcement: this

target group may find this report useful to understand the current state of specification
work, the overall architecture of 5G, the emerging vulnerabilities and threats and
respective mitigation practices and measures. For example, the threat landscape
identified in this report may support policy actions in the areas of 5G networks, SDN,
NFV, cybersecurity, critical infrastructure protection, and other sectors/verticals that plan
to use the 5G Network.
 Experts working in the telecommunication sector, such as operators, vendors, and

service providers: this target group may find this report useful to carry out detailed threat
analyses and risk assessments in accordance with their particular needs and mandate
(e.g., protect a specific number of components based on asset impact analysis, respond
to specific vulnerabilities with customized mitigation measures among others).
 Businesses, consultants, product developers: this target group can draw valuable
conclusions from the developed analysis and material for their offerings (products,
services). This can have the form of demonstrating how vulnerabilities have been
eliminated by using developed defences, use of the material within customer projects, or
use the material as a benchmark for defining cybersecurity protection policies for such
infrastructures (e.g. for the development of verticals). Moreover, the developed material
can be used in developing security audits for 5G infrastructures.
 Experts in research and innovation: the presented material provides a detailed view on
security issues of 5G. This target group may use this material as basis for gap analysis,
as material to evaluate the impact of research and as source for innovation actions with
regard to the further development and implementation. Finally, this target group may use
this material as a useful resource for numerous academic activities, such as teaching,
research, support of scholars, etc.
Beyond these main target groups, some individual parts of the information provided in this
report may be useful to a further number of target groups. For example, the assessed
vulnerabilities – as a consolidation from various sources - may be a valuable resource for
standardisation work in order to check the completeness of already performed assessments.
Moreover, the provided material may be used within risk assessment within certification
activities, providing information about the threat exposure, as well threat actor motives and
objectives. Finally, both the 5G asset inventory and the 5G threat taxonomy can be used as-is
or further developed by any stakeholders in performing their own vulnerability, threat and risk
assessments.
13
December 2020
1.4 STRUCTURE OF THE REPORT

This report presents the results of the performed vulnerability and threat assessment work in
the following manner
 Chapter 2 presents the stakeholders having a role in all phases of 5G implementation,

covering specification, development, deployment, operation and supervision of the 5G
infrastructure. They constitute an essential part of the 5G ecosystem. The identified,
stakeholders carry the main responsibility for the implementation and management of
cybersecurity controls, thus being responsible for mitigating the threats identified in this
report.
 Chapter 3 presents the architectural framework of 5G technology by offering a generic

architecture. By means of ‘Zoom-ins’ it provides details of various components,
including introduced novelties and an overview of security considerations. These
details will contribute to the process of identifying the critical assets of the technology.
 Chapter 4 presents the results of the vulnerability assessment of for each zoom-in. It
presents vulnerability groups affecting the assets of each particular zoom-in. It
provides an overview of the detailed vulnerabilities presented in the annexes (Annexes
C-M) of this report. While this chapter provides an overview of vulnerability groups per
zoom-in, the detailed information embraces detailed vulnerabilities, associated with
threats, mitigation controls and references to corresponding collected material,
 Chapter 5 presents the 5G asset inventory. It consists of a collection of important

assets drawn for the components presented in the zoom-ins in the form of a mind map
available in Annex A. The assets inventory contains assets whose vulnerabilities have
been assessed in the previous chapter.
 Chapter 6 presents an overview of the assessed cyber-threats. Interrelated threats

have been grouped to form a taxonomy that is presented as a detailed mind map in
Annex B.
 Chapter 7 provides information on threat agents. It is a first approach towards the

assessment of potential motives emerging from the abuse/misuse of 5G assets.
 Chapter 8 provides recommendations and conclusions drawn from the threat analysis.
The detailed vulnerabilities, emerging security requirements, corresponding threat groups

exploring them, and mitigation controls are presented in the Annexes. The material used in the
analysis produced for this report, which is referenced in footnotes through URLs, was last
accessed on the day of publication of this study. The referenced material will help interested
readers to dive into further detail in the complexity of the 5G infrastructure when needed.
14
December 2020
2. 5G STAKEHOLDERS
2.1 STAKEHOLDERS MAPPING

The stakeholders of the 5G ecosystem have not considerably changed since the previous
edition of the 5G Threat Landscape. However, by going into some additional details, one could
amend the list of stakeholders to include some additional ones that will have a role in the 5G
ecosystem, firstly due to the inclusion of processes in the scope, and secondly by reaching a
degree of detail that may potentially motivate other stakeholders to take action in 5G.
Stakeholders will play different roles in the 5G ecosystem. Among other things, these entities
will be responsible for assuring the security of the network at different levels and in separate
layers. According to the 5G-PPP White Paper on the architecture,10 the list of stakeholder roles
in the 5G ecosystem is the following:
 Service customers (SC);

 Service providers (SP);
 Mobile Network Operators (MNO) also known as Network Operators (NOP);
 Virtualisation Infrastructure Service Providers (VISP) and
 Data Centre Providers (DCSP).
In the meantime, 5GPPP has issued a very comprehensive and detailed collection of 5G
stakeholders. The graph can be found here11. The provided stakeholder groups and the detail
list of organisation types provide the full picture of entities engaging in the 5G ecosystem,
including private, governmental and international organisations.
The major stakeholder roles remained the same as in the previous 5G Threat Landscape
edition. These were:
 Network infrastructure providers;

 National Regulators (NRAs);
 Information sharing and analysis centres (ISACs);
 National cybersecurity coordinators/agencies/centres (NCSCs);
 National 5G Test Centres (NTCs);
 National Certification Authorities (NCAs) and
 Competent EU institutions, European Commission Services, Agencies, Bodies,
Committees and Groups (including NIS-CG, ECCG, ECSO, ENISA and BEREC).
Interested readers that would like to revisit the role of the above stakeholders in the 5G
ecosystem, may revisit the previous 5G Threat Landscape edition8.
Some additional roles encountered in the collected material are worth mentioning at this point.
The importance of these roles has emerged through a better understanding of 5G
implementation and roll-out details on the one hand, but also from additional operational and
organisational needs w.r.t. 5G in shorter and longer term. These roles are:
 International standardisation bodies holding an obvious role in the development of

open, publicly available and traceable 5G standards;
10
https://5g-ppp.eu/wp-content/uploads/2020/02/5G-PPP-5G-Architecture-White-Paper_final.pdf, accessed October 2020.
11
https://5g-ppp.eu/revised-5g-ppp-stakeholders-picture-and-glossary/, accessed October 2020.
15
December 2020
 Accreditation bodies will be active in the assurance of security

capabilities/requirements of accredited entities (e.g. 5G test-labs, auditors, skills, etc.);
 Accredited 5G labs taking over testing and certification of 5G related components;
 Telco/5G related professional organisations/associations developing good practices for
5G cybersecurity policies at technical and organisational level;
 Audit organizations developing audit-guidelines for 5G infrastructures, services and
operation;
 Research organisations contributing to R&D tasks related with all kinds of innovation
actions in the areas related to 5G, including verticals and
 Open source organisations providing technological support and guidance in the
development of 5G functions and services.
When assuming these roles, the entities mentioned above should have different levels of
concern regarding 5G assets, among other things carrying responsibility for the risk mitigation
pertinent to the assets of concern. Although all above stakeholders do play a role in the 5G
ecosystem, their engagement emerges on a rather ad-hoc manner in current 5G activities.
When a more systematic description of activity-engagement is available, a more systematic role
mapping will be beneficial for a clearer assignment of responsibilities and a better coordination
of their actions.
16
December 2020
3. 5G NETWORK DESIGN AND

ARCHITECTURE
This chapter is an update of the 5G Architecture of the 2019 5G Threat Landscape report12.
Main source of the changes of the 5G architecture is progress made in the 3GPP specification
work as it is documented in the recent version (3GPP Release 16).
Just as in the 2019’s landscape, this chapter consists of a generic 5G architecture and provides
the details of individual key components by means of ‘Zoom-ins’, allowing further detailing of
their functionality and purpose. By doing so - besides the generic 5G architecture depicted - a
number of detailed views of particular components is being presented, namely: Core Network,
Management and Network Orchestrator (MANO), Radio Access Network (RAN), Network
Function Virtualisation (NFV), Software Defined Network (SDN), Multi-access Edge Computing
(MEC), User Equipment (UE), Security Architecture (SA) and 5G Physical Infrastructure
components. These zoom-ins have been adopted from the previous version of the 5G Threat
Landscape and have been updated according to the progress of the specification work.
In this year’s version, some additional zoom-ins have been developed, in particular a zoom-in
dedicated to implementation options and a zoom-in on processes. These zoom-ins capture
some additional elements adopted/developed during 2020 that capture i) the migration options
of 5G infrastructure and ii) a process map with the relevant processes for the procurement,
development and maintenance of 5G infrastructure. In contrast to the rest of the presented
zoom-ins, the process map consists solely of various processes. We have included this zoom-in
in the 5G architecture in order to ensure a unified way of addressing vulnerabilities and threats
for pertinent to matters related to processes.
An additional element introduced for each zoom-in are two sections, one describing the
novelties established in 2020, and a second presenting security considerations related to
components of each zoom-in. While the former provides a summary of the performed changes,
the latter establishes a “bridge” to the vulnerabilities chapter (see chapter 4).
Not all components of 5G architecture have undergone changes. For the sake of completeness,
however, unchanged components of the previous 5G Threat Landscape version are repeated in
this document. They are amended with the introduced changes (marked with blue text). This
redundancy has been introduced in order to make the presented content self-contained and
facilitate reading.
Just as in the 5G Threat Landscape of 2019, in order to deal with complexity both at the level of
the generic 5G architecture and individual zoom-ins, the details of the various interfaces and
protocols have not been considered. A short description of the purpose and functionality is
provided in a separate table for each individual component. A generic 5G architecture and the
corresponding zoom-ins facilitate the identification of assets presented in chapter 5.
12
17
December 2020
3.1 5G USE CASES

The 5G architecture supports the various use-cases of this infrastructure, as these have been
envisaged in the 3GPP specification. An understanding of these use-cases provides the context
of use for various supported functions and architectural decisions met within the 3GPP group.
The new release 16 introduces new concepts and changes to the technical specifications of 5G
mobile networks. The work of the various 3GPP working groups resulted in the completion of
the 5G NR specifications for standalone (SA) mode. An important feature of this release is to
leverage the LTE core network to support the expansion of the 5G Network. The release 16 is
all about incrementing enhancements for mobile broadband in various requirements such as
coverage, latency, capacity, mobility, power, reliability, ease of deployment, among others.
Another core improvement with release 16 is the support to new use cases.
This has led to an enrichment of use-cases. While the previous edition of the 5G specification
envisaged the use cases: i) Enhanced mobile broadband (eMBB), ii) Ultra-reliable low latency
communication (URLLC) and iii) Machine Type Communications (MTC), the current version
enlarges significantly the scope by taking into account some verticals. The table below provides
an overview of those verticals.
Table 1: 5G Deployment Scenarios
Deployment Scenarios
Intelligent transportation systems (ITS) and vehicle-to-anything (V2X) communications
One example of a mission-critical use case is the transport system. The use of the 5G Network to enhance
automotive safety is another focus area of release 16. It includes several enhancements in support to
cellular-vehicle-to-everything (C-V2X) communications and intelligent transportation systems (ITS). The
improvements in C-V2X specification include vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P), and
vehicle-to-infrastructure (V2I) communications. These are all required to increase transport safety in the
current environment but also in the future implementation of autonomous driving. Intelligent transportation
systems are another major vertical focus area in release 16. This vertical area will provide a wide range of
transport and traffic-management use cases to the network.13
Industrial Internet of Things (IIoT) and ultra-reliable low latency communication (URLLC)
The IIOT is also a major vertical focus area of release 16. The introduction of 5G NR into IIoT use cases will
enable the research and innovation of a future wirelessly connected and reconfigurable factory. It creates an
opportunity to introduce IIoT to support factory automation, electrical power distribution and transportation. It
introduces important enhancements in network latency and reliability. The support for time-sensitive
networking (TSN) is also included in this release, where very accurate time synchronization is essential in
factory automation use IIoT.
Integrated access and backhaul (IAB)
To expand 5G NR mmWave network coverage the cost of new fibre optics backhaul installations is typically
high and a major challenge when deploying additional base stations. Release 16 eliminates the need for this
wired backhaul, since it introduces integrated access allowing a base station to provide both wireless access
for devices and wireless backhaul connectivity.
NR-Based access to unlicensed spectrum (NR-U)
Release 16 allows 5G Networks to operate in unlicensed spectrum that is the largest available. The existing
global 5 GHz and 6 GHz unlicensed band is used by Wi-Fi and LTE LAA and is attractive use case for
increasing data rates and capacity to the network. The specifications define two operation modes: NR-U
with an anchor in licensed-assisted (shared spectrum) and standalone NR-U with only unlicensed spectrum.
13
https://www.ericsson.com/en/reports-and-papers/ericsson-technology-review/articles/5g-nr-evolution, accessed October 2020.
18
December 2020
Besides these verticals, the new specification adds more than 20 standard technological
features, including a series of improvements for enhanced mobile broadband (eMBB) and
further vertical applications. These eMBB improvements cover Massive MIMO, cell interruption-
free handover, and remote interference suppression. Moreover, introduced additional
improvements may be considered as enablers that will enhance the efficiency of 5G for a series
of further applications. The table below provides a summary of those improvements/features.
Table 2: Additional 5G enabling features for all verticals
5G EFFICIENCY
Important enhancements in release 16 features can be found in the areas of multiple-input, multiple-output
(MIMO) and beamforming enhancements, dynamic spectrum sharing (DSS), dual connectivity (DC) and
carrier aggregation (CA), positioning and user equipment (UE) power saving. The most relevant 5G
efficiency improvements are as follows:
Interference mitigation
Release 16 introduces Remote Interference Mitigation (RIM) and Cross-Link Interference (CLI) features.
Base stations can communicate and coordinate (Via reference signals (RIM-RS) over-the-air or in
combination with backhaul signalling) mitigation of base station TDD DL-to-UL ducting interferences (to
indicate the presence of interference and whether enough mitigation is in place). With CLI, devices can
measure and report inter-/intra-cell interferences (Inter-cell: when devices have semi-static TDD scheduling,
Intra-cell: when devices support dynamic TDD) caused by neighbouring devices with different TDD
configurations.
MIMO Performance
Release 16 introduces MIMO enhancements including:

 enhanced beam handling;
 channel-state information (CSI) feedback;
 support for transmission to a single UE from multiple transmission points (multi-TRP)
 full-power transmission from multiple UE antennas in the uplink (UL).
Some of these enhancements are meant to increase the throughput of the network, reduce overhead,
and/or provide additional robustness.
High-precision positioning
With an increase in the number of use cases and applications requiring accurate outdoor and indoor
positioning, release 16 introduces various DL-based and UL-based positioning methods, to meet the
accuracy requirements for different use cases. The way it is operated, the network location server collects
and distributes information related to positioning of the user device (UE capabilities, assistance data,
measurements, position estimates, etc.) to the other entities involved in the positioning procedures. Single
and multi-cell positioning also brings precision geolocation in support of ITS/V2X communications and IIoT
applications (see use cases).
Power consumption
Another important aspect of release 16 is to further reduce device power consumption in user devices. For
example, the use of a wakeup signal (WUS), a low-power control channel to indicate activity or lack thereof
in the corresponding DRX (discontinuous reception) monitoring period. Others examples include optimized
low-power settings, efficient power controls, and overhead reduction, and more efficient power control
mechanisms. Smart new power-saving features help improve device battery autonomy even in high-use
applications14.
Dual connectivity and carrier aggregation (CA/DC)
Release 16 also reduces latency for CA/DC setup and activation to achieving higher data rates. In this
case, connectivity can be resumed after periods of inactivity. Furthermore, release 16 also introduces a
triggering of CSI reference signal transmissions in case of the aggregation of carriers with different
numerology.
14
https://www.qualcomm.com/news/onq/2020/07/07/propelling-5g-forward-closer-look-3gpp-release-16?, accessed October 2020.
19
December 2020
Mobility enhancements
Reduced interruption time 0ms handover enabled by dual active protocol stack with concurrent source/target
cell transmissions/reception. Improved mobility robustness Device-driven conditional handover for single
and dual connectivity, and fast handover failure recovery.
 Sub-7 GHz and mmWave;
 Both inter- and intra-frequency handovers;
 Beneficial to high-mobility use cases (e.g., train, aerial).
Enhanced ultra-reliable, low-latency communication (eURLLC)
An important Work Item in Release 16 was aimed at enhancing support for ultra-high reliability and low-
latency communications. The main features introduced by this work item include enhancements in the 5G
Core network mechanisms, physical layer enhancements for 5G New Radio and support of New Radio
Industrial Internet of Things Mechanisms to increase reliability include a redundant transmission mechanism,
enhanced QoS monitoring and RAN support for higher layer multi-connectivity15. Mechanisms to reduce
latency and to guarantee session continuity were also introduced in the 5G Core functions and supported by
enhancements in the physical layer specification of the 5G New Radio. Finally, enhancements aimed
specifically at industrial IoT scenarios include accurate reference timing delivery, scheduling enhancements
and improved handling of Time Sensitive Communication data.
Self-Organised Network (SON)
Release 16 enhances SON with the concept of mobility robust optimization (MRO), mobility load balancing
(MLB), and RACH optimization. Specifying device reporting needed to enhance network configurations and
inter-node information exchange (e.g., enhancements to interfaces like N2, and Xn).
Concluding this section, we would like to present the planned evolution of 5G 3GPP
specification. 5G specifications are in continuous development by the 3rd Generation
Partnership Project (3GPP). Since last year’s report, the current 5G specification is Release 16,
which reached specification freeze in July 2020, with items related to Radio Access Network
due for finalisation in December 2020. The timeline of specification development is presented
below16:
Figure 2: Timeline of 3GPP specification versions
It is considered as meaningful to plan prospective versions of the 5G Threat Landscape in order

to accommodate updates introduced by newer versions of the specification (e.g. end of 2021,
covering Release 17 Stage One, and end 2022 covering Release 17 Stage Two).
15
3GPP TR 21.916 V0.5.0 (2020-07) Technical Report 3rd Generation Partnership Project; Technical Specification Group
Services and System Aspects; Release 16 Description; Summary of Rel-16 Work Items (Release 16) -
https://www.3gpp.org/ftp/Specs/archive/21_series/21.916, accessed October 2020.
16
https://www.3gpp.org/release-16, accessed October 2020.
20
December 2020
3.2 GENERIC 5G ARCHITECTURE

In this section, we present the evolvement of the 5G architecture as resulted from the
specification updates of 3GPP Release 1627. Within this chapter, the complete architecture is
being presented, whereas novelties are marked through blue coloured text in the tables
detailing the zoom-in components. Updates have been implemented either at the level of
descriptions, or as new components introduced by the 3GPP specification Release 16. At the
level of zoom-ins, a special section describes in more details the rational and functions behind
the introduced novelties. A further section describes the security considerations relating to each
zoom-in.
Just as in the previous version of the 5G TL, the generic 5G architecture is presented through
its main components depicted as labelled boxes. These boxes have been arranged based on
layers, depicting their functional role in the 5G architecture (i.e. virtualisation layer and physical
infrastructure layer). This architecture aims at providing an overview of the main groups of
foreseen 5G functionality and is a consolidation of components/functions found in the analysed
material (e.g. 14, 19, 24, 25, 26, 27, 28).
Specifically in 5G, the architecture was designed in a way that connectivity and services can be
supported, enabling techniques such as Network Function Virtualisation (NFV), Network Slicing
(NS) and Software Defined Networking (SDN), Slicing, etc. This service-based architecture
meets multiple functional and performance requirements built upon new use cases.
The generic 5G architecture presents an overview of the various components that are further
detailed and depicted through specific ‘Zoom-ins’ in forthcoming sections. It is worth mentioning
that for the Transport and OSS components, no ‘Zoom-in’ was developed. However, they have
been included in the generic 5G architecture for consistency reasons, and relations with OSS
are detailed in the corresponding zoom-ins for NVF and Network Slicing Management.
Also, as an evolution from the first version of the architecture, in this version relevant processes
are taken into account, as MNO, Vendor and Assurance processes are consequential for the
overall security of the 5G Network. The 5G generic or high-level technical architecture is
depicted in the following figure.
Figure 3: Generic 5G Architecture
21
December 2020
3.3 CORE NETWORK ARCHITECTURE (ZOOM-IN)

One of the most important innovations in the 5G architecture is the complete virtualisation of the
Core network. As an example, the ‘softwarisation’ of network functions will enable easier
portability and higher flexibility of networking systems and services (Control-User Plane
Separation, CUPS). The Software Defined Network (SDN) abstracts low-level network
functionalities to simplify network management. Network Function Virtualisation (NFV) provides
the enabling technology for placing various network functions in different network components
on the basis of performance needs/requirements; and eliminates the need for function-or
service-specific hardware. SDN and NFV, complementing each other, improve the network
elasticity, simplify network control and management, break the barrier of vendor-specific or
proprietary solutions, and are thus considered as highly important for future networks. These
novel network technologies and concepts that rely heavily on ‘softwarisation’ and virtualisation
of network functions will introduce new and complex threats. The core network is the central
part of the 5G infrastructure and enables all functions related to multi-access technologies. Its
main purpose is to deliver services over all kinds of networks (wireless, fixed, converged) .
All in all, in the new specification Core Network has been amended with some new functions
and few components, while the overall structure remained almost unchanged. The majority of
added functions are related to localization issues and implementation of location services. In the
figure presented below, these new functions have been added. At the same time, slicing has
been omitted in the Core Network zoom-in, as it is included in a specialized zoom-in later in this
chapter. The Core network has been defined by 3GPP and its structure is as follows:
Figure 4: Core network architecture Zoom-in
22
December 2020
The description of the elements of 5G Core network are as follows:
Element Short description
Access and Mobility (As defined in 3GPP TS23.501 Section 6.2.117)

Management function
(AMF) AMF may include the following functionalities:
 Termination of RAN CP interface;
 Termination of NAS, NAS ciphering and integrity protection;
 Registration management;
 Connection management;
 Reachability management;
 Mobility Management;Provide transport for SM messages between UE and SMF;
 Transparent proxy for routing SM messages;
 Access Authentication;
 Access Authorisation.
 Provide transport for SMS messages between UE and SMSF;
 Security Anchor Functionality;
 Location Services management for regulatory services;
 Provide transport for Location Services messages between UE and LMF as well
as between RAN and LMF;
 EPS Bearer ID allocation for interworking with EPS; UE mobility event notification;
 Support for Control / User Plane Cellular IoT (CIoT) optimisation;
 Support for Network Slice Specific Authentication and Authorisation.
Session Management (As defined in 3GPP TS23.501 section 6.2.2)

function (SMF)
SMF may include the following functionalities:
 Session Management; UE IP address allocation & management (DHCPv4 and v6
(server and client) functions);
 Respond to Address Resolution Protocol (ARP) requests and / or IPv6 Neighbour
Solicitation requests;
 Selection and control of UP function, including controlling the UPF to proxy ARP
or IPv6 Neighbour Discovery;
 Selection and control of UP function;
 Configures traffic steering at UPF to route traffic to proper destination;
 Termination of interfaces towards Policy control functions;Charging data collection
and support of charging interfaces;
 Control and coordination of charging data collection at UPF;
 Termination of Session Management parts of NAS messages;
 Downlink Data Notification;
 Determine Session and Service Continuity mode of a session.
 Support for Control Plane CIoT Optimisation
 Support of header compression;
 Provisioning of external parameters (Expected UE Behaviour parameters or
Network Configuration parameters);
 Support Proxy-CSCF discovery for IP Multimedia Subsystem (IMS) services;
 Roaming functionality;
 Handle local enforcement to apply QoS SLAs (VPLMN);
 Charging data collection and charging interface (VPLMN);
 Lawful intercept (in VPLMN for SM events and interface to LI System);
 Support for interaction with external DN for transport of signalling for PDU Session
authentication/authorisation by external DN;
 Instructs UPF and NG-RAN to perform redundant transmission on N3/N9
interfaces.
(NOTE: Not all of the functionalities are required to be supported in an instance of a
Network Slice. In addition to the functionalities of the SMF described above, the SMF
may include policy related functionalities as described in clause 6.2.2 in TS 23.503 18)
17
3GPP TS 23.501 V16.6.0 (2020-09) Technical Specification 3rd Generation Partnership Project; Technical Specification
Group Services and System Aspects; System architecture for the 5G System (5GS); Stage 2 (Release 16),
https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-g40.zip ,accessed October 2020.
18
https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3334, accessed October
2020.
23
December 2020
User plane function UPF supports:

(UPF)  Packet routing & forwarding;
 Packet inspection;
 QoS handling;
 Lawful intercept (UP collection);
 Traffic usage reporting;
 It acts as external PDU session point of interconnect to Data Network (DN);
 Is an anchor point for intra- & inter-RAT mobility;
 Functionality to respond to Address Resolution Protocol (ARP) requests and / or
IPv6 Neighbour Solicitation requests based on local cache information for the
Ethernet PDUs;
 Time sensitive Networking (TSN) Translator functionality;
 High latency communication, see clause;
 Access Traffic Steering, Switching and Splitting (ATSSS) functionality to steer the
Multi Access PDU Session traffic;
 Inter PLMN UP Security (IPUPS) functionality.
Policy Control Function PCF supports:

(PCF)  Unified policy framework;
 Policy rules to CP functions and
 Access subscription information for policy decisions in UDR.
Network Exposure NEF supports:

Function (NEF)  Exposure of capabilities and events;
 Secure provision of information from external application to 3GPP network;
 Translation of internal/external information;
 NEF may also support a 5GLAN Group Management Function: The 5GLAN Group
Management Function in the NEF may store the 5GLAN group information in the
UDR via UDM as described in TS 23.50219;
 Exposure of analytics;
 Support of Non-IP Data Delivery;
 When UE is capable of switching between EPC and 5GC, an SCEF+NEF is used
for service exposure.
Network Repository NRF supports service discovery function and maintains NF profile and available NF
Function (NRF) instances.
 Supports Proxy-CSCF discovery for IP Multimedia Subsystem (IMS) services;
 Supports Service Communication Proxy (SCP) discovery, and maintains SCP
profile of available SCP instances;
 Notifies about registered/updated/ deregistered NF and SCP instances, and
maintains the health status of NFs and SCP.
Unified Data UDM supports:

Management (UDM)  Generation of Authentication and Key Agreement (AKA) credentials;
 User identification handling;
 Access authorisation;
 Subscription management;
 5GLAN group management handling;
 Support of external parameter provisioning.
Authentication Server AUF supports authentication for 3GPP access and untrusted non-3GPP access.
Function (AUSF)
Application Function AF interacts with the Core network in order to provide services, for example to support
(AF) the following:
 Application influence on traffic routing;
 Accessing Network Exposure Function;
 Interacting with the Policy framework for policy control.
 Interactions of the IP Multimedia Subsystem (IMS) with the 5G Core
19
Group Services and System Aspects; Procedures for the 5G System (5GS); Stage 2 (Release 16),
https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-g40.zip, accessed October 2020.
24
December 2020
Unified Data Repository UDR supports the following functionality:

(UDR)  Storage and retrieval of subscription data by the UDM;
 Storage and retrieval of policy data by the PCF;
 Storage and retrieval of structured data for exposure;
 Application data (including Packet Flow Descriptions (PFDs) for application detection;
 AF request information for multiple UEs), by the NEF.
(See also 3GPP TS23.501 section 6.2.11)

 Storage and retrieval of NF Group ID corresponding to subscriber identifier (e.g.
IMPI, IMPU, SUPI);
Unstructured Data The UDSF is an optional function that supports Storage and retrieval of information as
Storage Function (UDSF) unstructured data by any NF.
Network Slice Selection The NSSF offers services to the AMF and NSSF in a different PLMN via the Nnssf
Function (NSSF) service based interface (see 3GPP TS 23.501and 3GPP TS 23.502).
Gateway Mobile Location The GMLC contains functionality required to support Location Services (LCS). In one
Centre (GMLC)20 PLMN, there may be more than one GMLC.
A GMLC is the first node an external LCS client accesses in a PLMN. AFs and NFs may
access GMLC directly or via NEF.
After performing authorisation of an external LCS Client or AF and verifying target UE
privacy, a GMLC forwards a location request to either a serving AMF or to a GMLC in
another PLMN in the case of a roaming UE.
Localisation The LMF manages the overall co-ordination and scheduling of resources required for
Management Function the location of a UE that is registered with or accessing 5GCN. It also calculates or
(LMF) verifies a final location and any velocity estimate and may estimate the achieved
accuracy. The LMF receives location requests for a target UE from the serving AMF
using the Nlmf interface. The LMF interacts with the UE in order to exchange location
information applicable to UE assisted and UE based position methods and interacts
with the NG-RAN, N3IWF or TNAN in order to obtain location information.
Service Communication An NF service is one type of capability exposed by an NF (NF Service Producer) to
Proxy (SCP) other authorized NF (NF Service Consumer) through a service-based interface NF
services may communicate directly, or indirectly via an SCP.
As defined in 3GPP TS 23.501, Clause 6.2.19, the Service Communication Proxy (SCP)
includes one or more of the following functionalities:
 Indirect Communication;
 Delegated Discovery;
 Message forwarding and routing to destination NF/NF service;
 Message forwarding and routing to a next hop SCP;
 Communication security (e.g. authorisation of the NF Service Consumer to access
the NF Service Producer API), load balancing, monitoring, overload control, etc.
UE radio Capability The UCMF is used for storage of dictionary entries corresponding to either PLMN-
Management Function assigned or Manufacturer-assigned UE Radio Capability IDs.
(UCMF)
An AMF may subscribe with the UCMF to obtain from the UCMF new values of UE
Radio Capability ID that the UCMF assigns for the purpose of caching them locally.
Network Slice Specific The Network Slice Specific Authentication and Authorisation Function (NSSAAF) offers
Authentication and support for Network Slice-Specific Authentication and Authorisation as specified in TS
Authorisation Function 23.502 with an Authentication, Authorisation and Access Server (AAA-S).
(NSSAAF)
Nausf, Nnrf, Nudm, Nnef, These are service-based interfaces exhibited by 5G Core Control-plane functions.
Namf, Nmssf, Nsmf,
Npcf, Naf, Nlmf, Ngmlc,
Nssaaf, Nucmf
N1 Reference point between the UE and the AMF.
N2 Reference point between the RAN and the AMF.
N3 Reference point between the RAN and the UPF.
N6 Reference point between the UPF and a Data Network.
20
Group Services and System Aspects; 5G System (5GS) Location Services (LCS); Stage 2 (Release 16),
25
December 2020
3.3.1 ELEMENTS OF NOVELTY IN RELEASE 16

The new features and enhancements brought by release 16 of the GPP specification, presented
in the section Generic Architecture are reflected in updates and additions to the 5G Core
functions, as highlighted in the detailed table above. The most important enhancements and
their impact on the 5G Core are presented below:
New functions are added to the 5G Core toolset, to support Network-Slice Specific
Authentication (NSSAAF), Location Services (GMLC), and enhancements to existing functions’
specification support use-cases such as cellular IoT Support, Ultra-reliable low latency
architecture, 5G LAN services, Time Sensitive Networking for Industrial IoT, Vehicle to
everything.
A significant enhancement for the Service Based Architecture is the enablement of indirect
communication and delegated discovery through the Service Communication Proxy. This
increases flexibility, allowing communication between Network Functions via Network
Repository Function (NRF) and Service Communication Proxy (SCP).
Enhancements in the network analytics exposure features is an important enabler for Network
Automation in the 5G system.
Another feature provided is Radio Capabilities Signalling (RACS) Optimization via optimized
signalling of UE Radio capabilities by introducing mapping of RACS ID to UE Radio Capability
in the network. The mapping between RACS ID to UE Radio capabilities will be stored in the
new Network Function UE (radio) Capability Management Function (UCMF) and cached in the
AMF and gNB.
The network slicing function is improved beyond network-slice specific authentication with
enhanced SMF/AMF topologies and with interworking support with the Evolved Packet System,
in view of the Non Standalone (NSA) deployments.
3.3.2 SECURITY CONSIDERATIONS

The specification of 5G Core network functions were developed as to close known
vulnerabilities in existing network. The effort is ongoing; for instance, the most recent version of
the 5G architecture specification21 further enhances the closing of a known User Plane Integrity
Protection vulnerability, by adding new requirements for the UE to support User Plane Integrity
Protection at full-rate. . The full set of security mechanisms in the 5G system is presented in the
Security Architecture section.
However, the 5G core functions rely on an underlying infrastructure of hardware, software and
processes that come with their security threats and vulnerabilities. In the NFV and SDN zoom-
ins we will address the relevant security considerations related to virtualisation, softwarisation
and associated management and orchestration mechanisms. In the Processes map section, we
discuss the relevant security considerations.
Apart from these, the following general security considerations apply:
Service-based architecture
The 5G Core functions is meant to be largely composed of applications running on general-

purpose hardware that communicate through application programming interfaces (APIs). The
21
Group Services and System Aspects; System architecture for the 5G System (5GS); Stage 2 (Release 16),
26
December 2020
integrity of the software, especially from open-source locations and the overall software supply
chain, is an area of vulnerability. As services can be created, destroyed, and communicate with
each other dynamically, systems must be properly authenticated and communications protected
in order to prevent unauthorized execution of functions or access to data22.
Affected components: Service-based interfaces
Failure to meet General Security Assurance Requirements
The security assured by the 5G Core functions and the security of the 5G Core itself is built
upon the permanent update of Security Assurance Requirements for critical network
components such as UDM, AUSF, SEPP, NRF, NEF, SMF, AMF and UPF.
However, a security update gap between new security requirements and deployment of
updated versions of network functions in operational systems will unavoidably exist. There are
two major factors in reducing this gap: a) vendors’ responsiveness in issuing and validating new
versions of the network functions that address the updated requirements, and b) timeliness and
effectiveness of MNO processes to update operational systems to recently released and SCAS-
evaluated versions.
Affected components: UDM, AUSF, SEPP, NRF, NEF, SMF, AMF, UPF.
IP Based Protocol stack
5GC moves to an IP based protocol stack, allowing interoperability with a wider number of
services and technologies in the future. The following protocols, schemas and processes will be
adopted in 5GC:
 HTTP/2 and JSON as application layer and serialization protocols, replacing Diameter
over the S6a reference point
 TLS as an additional layer of protection providing encrypted communication between
all network functions (NF) inside a public land mobile network (PLMN)
 TCP as the transport layer protocol
 RESTful framework with OpenAPI 3.0.3 as the Interface Definition Language (IDL).
As these protocols are used in the wider IT industry it will likely lead to a shorter vulnerability to
exploitation timeline, and higher impact of vulnerabilities within these protocols. Vulnerability
reporting schemes will have to manage the increased scope of these protocols. Once located
the time to patch for vulnerabilities should be short.
Affected components: All functions
3.4 NETWORK SLICING (NS) (ZOOM-IN)

One of 5G’s key features will be the opportunity for network slicing23: enables the flexible and
efficient creation of specialized end-to-end logical networks on top of shared network
infrastructure. Network slicing belongs to the category of virtualization networking paradigm,
together with Software-Defined Networking (SDN) and Network Function Virtualization (NFV).
22
Security considerations for the 5G era, 5G Americas, July 2020, https://www.5gamericas.org/wp-
content/uploads/2020/07/Security-Considerations-for-the-5G-Era-2020-WP-Lossless.pdf accessed October 2020.
23
https://www.sdxcentral.com/5g/definitions/5g-network-slicing/, accessed October 2020.
27
December 2020
Network slicing can take advantage of SDN and NFV, but it can be seen as an independent
technology24.
5G system is expected to be able to provide optimized support for a variety of different

communication services, different traffic loads, and different end user communities25. A clear
benefit of 5G network slicing for operators will be the ability to tailor the functionalities and
allocation of network resources to specific customers and particular market segments.
In this update of the 5G architecture, we include in this zoom-in all interrelated slicing functions
that are located within the scope of other zoom-ins. This decision has been made in order to
have in a single picture all relevant slicing components and functions, providing thus an
integrated view.
Communication between autonomous cars, for instance, requires minimal latency (the lag time
it takes for a signal to travel), but not necessarily high throughput (the amount of data a network
can process per second) while a use-case such as augmented reality will require more
bandwidth.
Network Slicing components are presented in relation to the impacted elements of the network
architecture, as depicted in the various ‘Zoom-ins’. This cross-reference/mapping is an
alternative means for describing slice functions of 5G. The dependency of slices with the
various components of the 5G generic architecture is shown in the figure below:
Figure 5: Network slicing architecture Zoom-in
24
R. F. Olimid and G. Nencioni, "5G Network Slicing: A Security Overview," in IEEE Access, vol. 8, pp. 99999-100009,
2020, doi: 10.1109/ACCESS.2020.2997702, accessed October 2020.
25
3GPP TS 28.530 V16.2.0 (2020-07) 3rd Generation Partnership Project; Technical Specification Group Services and
System Aspects; Management and orchestration; Concepts, use cases and requirements (Release 16),
28
December 2020
The elements of the 3GPP Slicing Management System are as follows:
Service Instance Layer The Service Instance Layer represents the services (end-user service or business
(Communication Services) services) which are to be supported. Each Communication Service is represented by a
Service Instance.
Typically services can be provided by the network operator or by 3rd parties. In line
with this, a Service Instance can either represent an operator service or a 3rd party
provided service.26.
Communication Service This function is responsible for translating the communication service related
Management Function requirement to network slice related requirements.
(CSMF)
The CSMF communicates with the Network Slice Management Function (NSMF).
Network Slice Management This function is responsible for the management (including lifecycle) of NSIs. It derives
Function (NSMF) network slice subnet related requirements from the network slice related requirements.
NSMF communicates with the NSSMF and the CSMF.
Network Slice Subnet This function is responsible for management and orchestration of Network Slice
Management Function Subnet Instances.
(NSSMF)
Network Slice Instance (NSI) The Network Slice is a logical network that provides specific network capabilities and
network characteristics. The Network Slice Instance is a representation of a set of
network functions and the associated resources (e.g. compute, storage and
networking resources) supporting network slice.27.
Network Slice Subnet The network slice subnet represents a group of network functions (including their
Instance (NSSI) corresponding resources) that form part or complete constituents of a network slice.
The grouping of the network functions allows the management of each group of
network functions to be conducted independently of the network slice.
Network Functions (NF) A network slice instance (NSI) contains Network Functions, including the Core
Network Control Plane and User Plane Network Functions in the Home Network and
Core Network Functions the Access Functions in the serving network28.
(CNF)
Release 16 of the 3GPP specification includes improved interworking with the LTE
Access Network Functions
Evolved Packet Core (EPC).
(gNB)
NFV MANO NFV MANO includes NFV Orchestrator (NFVO), VNF manager (VNFM) and
Virtualised infrastructure manager (VIM).
Element Management The Element Management is responsible for FCAPS management of network
System (EMS) functions used in the network slice instance.
Operations Support System OSS functions provide management and orchestration of systems including legacy
(OSS) ones and may have full end-to-end visibility of services provided by legacy network
functions in an operator's network.
Resources layer Network functions will run as software components on top of hardware infrastructure.
Virtualization enables an elastic, automated environment where network, compute and
storage services can expand, or contract as needed. Many resources can now be
hosted as software services and dynamically instantiated in different network
segments.
Management Functions The management of the 3GPP network is provided by management services.
Service Based Interface Management Services offer their services via standardized service interfaces
(SBI) composed of individually specified components.
Os-Ma-nfvo The Os-Ma-nfvo reference point can be used for the interaction between 3GPP slicing
related management functions and NFV-MANO.
To properly interface with NFV-MANO, the NSMF and/or NSSMF consume the NFV
MANO interface, exposed in the Os-Ma-nfvo , Ve-Vnfm-em and Ve-Vnfm-vnf
reference points (last two not displayed in the Figure due to graphical limitations).
26
Services and System Aspects; Study on Architecture for Next Generation System (Release 14), accessed October 2020.
27
3GPP TS 23.501 V16.5.1 (2020-08), 3rd Generation Partnership Project; Technical Specification Group Services and
System Aspects; System architecture for the 5G System (5GS); Stage 2 (Release 16),
28
System Aspects; System architecture for the 5G System (5GS); Stage 2 (Release 16),
29
December 2020
3.4.1 ELEMENTS OF NOVELTY

In release 16 of the 3GPP specification, the network slicing function is improved with the
following features:
- Enhancement of interworking between LTE Evolved Packet Core (EPC) and 5G Core to
manage mobility of User Equipment and its allocated Network Slice between networks
- A newly introduced Network Slice Specific Authentication and Authorisation (NSSAA)
mechanism that enables separate authentication and authorisation per Network Slice.
The trigger of NSSAA is based on subscription information from UDM and operator
policy and may be performed when UE indicates support for the feature.29
Security-as-a-Service
Network slices are used to deploy services at the multi-access edge across a distributed cloud
infrastructure. Network slices can be configured based upon the service-type (eMBB, mMTC,
URLLC), customer, and application to provide the required latency, bandwidth, QoS, and
security. While slices provide inherent security through segmentation, slices can also be used to
provide additional security protection and security services specific to the use case and
customer requirements.
However, although realisation of Security-as-a-Service (SECaaS) offerings is feasible technically,

it would rest ultimately with the Mobile Network Operator (MNO) to include such services in the
offer, depending on its service strategy, market context, and in relation to vertical use-cases.
Related component(s): Communication Services
End-to-end security
Network slices are end-to-end logical networks, so it is natural to aim for end-to-end security.
The concept of end-to end security is closely connected to the concepts of isolation and
orchestration. Moreover, it is dependent on the business model and on the associated trust
model.30
Release 16 introduces the mechanism of Network Slice Specific Authorisation Identifier that
enables network-slice-specific authentication and authorisation mechanisms to complement
network-side authentication mechanisms.
Related component(s): Network Slice Instance
Resource isolation
One of key expectations of network slicing is resources isolation. Each slice may be perceived
as isolated set of resources configured through the network environment and providing defined
set of functions. Level and strength of isolation may vary depending on requirements and usage
scenarios for slicing.31
29
3GPP TR 21.916 V0.5.0 (2020-07) 3rd Generation Partnership Project; Technical Specification Group Services and
ystem Aspects; Release 16 Description; Summary of Rel-16 Work Items, (Release 16),
https://www.3gpp.org/ftp/Specs/archive/21_series/21.916/, accessed October 2020.
30
R. F. Olimid and G. Nencioni, "5G Network Slicing: A Security Overview," in IEEE Access, vol. 8, pp. 99999-100009,
2020, doi: 10.1109/ACCESS.2020.2997702, accessed October 2020.
31
Z. Kotulski et al., "On end-to-end approach for slice isolation in 5G networks. Fundamental challenges," 2017 Federated
Conference on Computer Science and Information Systems (FedCSIS), Prague, 2017, pp. 783-792, doi:
10.15439/2017F228, accessed October 2020.
30
December 2020
The isolation of the slices can be considered in at least four areas:
 Isolation of traffic: the network slices should ensure that data flow of one slice does
not move to another.
 Isolation of bandwidth: slices should not utilize any bandwidth assigned to other
slices.
 Isolation of processing: while all virtual slices use the same physical resources,
independent processing of packets is required.
 Isolation of storage: data related to a slice should be stored separately from data used
by another slice32
Related component(s): Network Slice Instance, Shared Resources
Secure Management and Orchestration
The architecture of the network slice MANO is challenging from a business model perspective
because of the variety of scenarios with different actors, multi-domain environments, and
several layers of imbricated tenants, which can play different roles and have different rights.
Technically, this means high complexity and flexibility, which bring in higher security risks.
3GPP defines requirements for management services’ security that include use of secure
communication protocols for protection of interactions at the management service interfaces
and authorisation of management service requests33, but it is to be noted the most recent 3GPP
specifications are yet to be implemented.
Another relevant issue is management of network-slice-specific log information to support post-

incident analysis. Such information may include proof of transit, remote attestation, as well as
data to support root cause analysis.
Related component(s): NSMF, NFV-MANO, Os-Ma-NFVO, SBI
Trust Model
In 5G three role models are envisaged for stakeholders.
1) The MNO owns and manages both the access and core network.
2) An MNO owns and manages the core network, the access network is shared among
multiple operators (i.e., RAN sharing).
3) Only part of the network is owned and/or managed by the MNO, with other parts being
owned and/or managed by a 3rd party.
The 3GPP appropriate APIs and management functions are needed to support this extended 3rd
party access and control of capabilities provided by the MNO, and to do so in a secure manner.
The 3rd party has increasing control over the network capabilities that support its service.
However, this control is limited to what is allowed by the MNO through the provided APIs. 34
Related component(s): SBIs, Os-Ma-nfvo
32
Gutz, A Story, C Schlesinger, N Foster, inProc.1st Workshop on Hot Topicsin Software Defined Networks. Splendid
isolation: a slice abstraction for software-defined networks, (2012), pp. 79–
84.https://doi.org/10.1145/2X00000.342441.2342458, accessed October 2020.
33
System Aspects; Security architecture and procedures for 5G system,
34
3GPP TR 22.830 V16.1.0 (2018-12) 3rd Generation Partnership Project; Technical Specification Group Services and
System Aspects; Feasibility Study on Business Role Models for Network Slicing (Release 16),
31
December 2020
3.5 MANAGEMENT AND NETWORK ORCHESTRATOR (MANO) (ZOOM-IN)

Management and Network Orchestration (MANO) is not further maintained in the current
version of the 5G architecture as a stand-alone zoom in. Rather, it has been integrated with the
NFV zoom in. This is because the functions used for are covered completely in the NFV zoom-
in (see section Error! Reference source not found.).
3.6 RADIO ACCESS NETWORK (RAN) (ZOOM-IN)

5G New Radio (NR) is the standard the 5G wireless air interface. 5G New Radio is set to deliver
faster and more responsive mobile broadband services and to extend mobile technology to
connect and support a multitude of new industries.
The baseline architecture described by 5G-PPP referring 3GPP Release 16 specifications on

NG-RAN identifies as a main innovation the split of the F1 interface into Centralized Unit (CU)
and Distributed Unit (DU), with a Service Data Adaptation Protocol (SDAP). The SDAP
architecture includes a Packet Data Conversion Protocol (PDCP) located in the CU and an Air
Radio Link Control (ARLC) located in the DU. Release 16 adds integrated access and
backhaul (IAB) to the 5G toolkit. IAB allows base stations to provide both wireless access for
devices and wireless backhaul connectivity, which can replace temporarily or permanently wired
backhauls.
Another key aspect of the NG-RAN is the ability to provide small-cell coverage to multiple
operators “as-a-service” in two-tier architecture. These tiers are in support of the previously
mentioned 5G use cases providing low latency services and high processing power. The
structure of the RAN architecture is depicted in the following figure35:
Figure 6: RAN architecture Zoom-in
35
3GPP TS 38.401 V16.2.0 (2020-07), Technical Specification 3rd Generation Partnership Project; Technical Specification
Group Radio Access Network; NG-RAN; Architecture description (Release 16),
32
December 2020
The elements of the RAN architecture are as follows:
User Equipment (UE) Allows a user access to network services. The User Equipment is subdivided into the
UICC domain and the ME (Mobile Equipment) Domain. The ME Domain can further be
subdivided into one or more Mobile Termination (MT) and Terminal Equipment (TE)
components showing the connectivity between multiple functional groups.
gNB Next generation Node/Base Station is a node providing NR user plane and control plane
protocol terminations towards the UE, and connected via the NG interface to the 5GC.
gNB Distributed Unit (gNB- gNB-DUa logical node hosting RLC, MAC and PHY layers of the gNB or en-gNB, and its
DU) operation is partly controlled by gNB-CU. One gNB-DU supports one or multiple cells.
One cell is supported by only one gNB-DU. The gNB-DU terminates the F1 interface
connected with the gNB-CU.
gNB Central Unit (gNB-CU) gNB-Central Unit (CU) is a logical node hosting RRC, SDAP and PDCP protocols of the
gNB or RRC and PDCP protocols of the en-gNB that controls the operation of one or
more gNB-DUs. The gNB-CU terminates the F1 interface connected with the gNB-DU.
Xn Xn is a network interface between NG-RAN nodes; 3GPP TS 38.42036 specifies Xn

interface general aspects and principles.
NG interface The gNBs are connected by means of the NG interfaces to the 5G Core, more
specifically to the AMF (Access and Mobility Management Function) by means of the
NG-C interface and to the UPF (User Plane Function) by means of the NG-U interface.
NR Uu The New Radio Unified Air Interface (NR-Uu) is the radio interface between the mobile
and the radio access network.
IAB Donor gNB that provides network access to UEs via a network of backhaul and access links 37.
IAB Node RAN node that supports New Radio access links to UEs and New Radio backhaul links
to parent nodes and child nodes. The IAB-node does not support backhauling via LTE.
Non Access Stratum (NAS) NAS is a functional layer in the protocol stack between UE and Core Network. (NAS)
protocol for 5G System (defined in 3GPP TS 24.501).
Access Stratum (AS) AS is a functional layer in the protocol stack between UE and RAN responsible for
transporting data over the wireless connection and managing radio resources.
F1 The F1 interface provides means for interconnecting a gNB-CU and a gNB-DU of a gNB
within an NG-RAN, or for interconnecting a gNB-CU and a gNB-DU of an en-gNB within
an E-UTRAN.
It facilitates that a gNB-CU and a gNB-DU supplied by different manufacturers can work
seamlessly38.

While a significant part of the Release 16 enhancements involve the 5G-RAN to a certain
extent, the following enhancements brought by Release 16 of the 3GPP specification are
directly relevant for the 5G-RAN:
36
3GPP TS 38.420 V16.0.0 (2020-07), Technical Specification, 3rd Generation Partnership Project; Technical Specification Group Radio Access
Network; NG-RAN; Xn general aspects and principles (Release 16), https://www.3gpp.org/ftp/Specs/archive/38_series/38.420, accessed October 2020.
37 3GPP TS 38.300 V16.2.0 (2020-07), Technical Specification, 3rd Generation Partnership Project; Technical Specification Group Radio Access
Network; NR; NR and NG-RAN Overall Description; Stage 2 (Release 16), https://www.3gpp.org/ftp/Specs/archive/38_series/38.300/ , accessed
October 2020
38
Group Radio Access Network; NG-RAN; F1 general aspects and principles (Release 16),
33
December 2020
Integrated access and backhaul (IAB)
One of the major 5G challenges for operators looking to expand network coverage is the cost of
deploying base stations. The limited range of mmWave signals for fiber-optics backhaul
installations to service these base stations can make mmWave deployment cost intensive. IAB
addresses directly this issue. IAB base stations provide both wireless access for devices and
wireless backhaul connectivity, thus eliminating the need for wired backhauls. Operators may
resort to these capabilities to speed up densification, and install fiber to increase backhaul
capacity at a later time, as demand increases.
Multiple-input and multiple-output (MIMO) enhancements
MIMO multiplies a radio link’s capacity by using multiple transmission and multiple receiving
antennas. Multi-user multiple-input and multiple-output (MU-MIMO) enhancements include
support for multiple transmission and reception points (multi-TRP) and improved multi-beam
management for enhanced link reliability. Improvements also aim at reducing peak-to-average
power ratio, and improved coverage at the network’s edge.
Simplified Random Access Procedure
Release 16 introduces a simplified random access procedure. This reduces the number of
interactions between the UE and network during the connection setup and connection resume,
thereby enabling a lower control plane latency. In case of connected mode, a small amount of
data can be sent via 2-step RACH procedure thus also enabling a lower latency for UL UP data
for connected mode UEs.
Private network support for NG-RAN
The second Release 16 project aimed at expanding 5G’s reach beyond traditional public mobile
networks involves improved support in the system architecture for private networks. Private
networks utilize dedicated base stations that are independently managed, implement
customized security and privacy controls, and deliver optimizations for local applications, such
as low latency or data flow control. Private networks are directly aimed at new use cases such
as industrial IoT.
UE Power Saving
UE battery life is an important aspect of the user’s experience. The study of the Rel-16 UE
power saving had shown substantial power saving gain comparing to considered Rel-15 NR
features. The work item of UE power saving in NR includes the power saving techniques, such
as DRX adaptation, cross-slot scheduling, and maximum MIMO layer adaptation in
CONNECTED state, fast transition out of CONNECTED state, and reduced RRM (Radio
Resource Management) measurements in idle/inactive states39.
NR-Based Access to Unlicensed spectrum
To expand 5G’s reach, 3GPP completed two projects in Release 16 that are key for new
vertical use cases. One of them is 5G NR-U, that allows 5G to operate in unlicensed spectrum.
It defines two operation modes, anchored NR-U requiring an anchor in licensed or shared
spectrum and standalone NR-U that utilizes only unlicensed spectrum.
39
Services and System Aspects; Release 16 Description; Summary of Rel-16 Work Items (Release
16),https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-g40.zip , accessed October 2020.
34
December 2020
Time sensitive networking (TSN)
As part of the effort for 5G to support new Industry 4.0 use cases such as factory automation,
5G RAN Release 16 added support for TSN integration that can ensure time-deterministic
delivery of data packets.
Precision geolocation
3GPP support location service features, to allow new and innovative location-based services to
be developed. 5G specifications make possible to identify and report the current location of the
user’s terminal and to make the information available to the user, ME, network operator, service
provider, value added service providers and for PLMN internal operations40 Enhancements in
high-precision positioning brought by 5G NR Release 16, meet accuracy targets of 3 meters
indoors and 10 meters outdoors.

In recent years, a large body of literature has revealed numerous security and privacy issues in
4G mobile networks. Most of the published attacks at the 4G RAN layer involve Rogue Base
Stations (RBSs) or IMSI catchers to target individual user(s) during the UE’s initial attach
procedure to the network or paging attacks using the IMSI paging feature. In such attacks, the
information obtained on IMSIs may be used later for other types of attacks41.
5G NR technologies address and close known IMSI threats, but new functionalities in the
Release 16 also bring security considerations that are subject to open studies:
Security of Ultra-Reliable Low-Latency Communication (URLLC)
URLLC needs to support both high reliability and low latency. In order to ensure the high
reliability, redundant transmission in 5GS is supported on multiple user plane data paths.
Accordingly, the applicable security mechanisms for supporting redundant transmission cover
all aspect of the communication, including PDU session establishment, handover etc. As for the
low latency aspect, the other important requirements for URLLC include QoS Monitoring to
assist URLLC service and optimization for handover procedure. The security considerations in
this case are covered as well. Additional security aspects are related to control plane and user
plane optimizations for ensuring the high reliability and reducing latency 42.
Related components: gNB, interfaces: Uu, F1, Xn
Security of NR Integrated Access and Backhaul
A study is underway at 3GPP to identify potential security threats and vulnerabilities that are
applicable to the new IAB architecture43. Key security issues include Topology Discovery and
Masquerading, IAB Node Authentication to prevent connection of false IAB-node and
manipulation of Radio Link Failure recovery and security of F1 interface.
40
Group Services and System Aspects; Location Services (LCS); Service description; Stage 1 (Release 16)
41
Rupprecht, David & Dabrowski, Adrian & Holz, Thorsten & Weippl, Edgar & Pöpper, Christina. (2017). On Security
Research Towards Future Mobile Network Generations. IEEE Communications Surveys & Tutorials. PP.
10.1109/COMST.2018.2820728, accessed October 2020
42
Services and System Aspects; Study on the security of Ultra-Reliable Low-Latency Communication (URLLC) for the 5G
System (5GS) (Release 16) https://www.3gpp.org/ftp/Specs/archive/33_series/33.825 , accessed October 2020
43
Services and System Aspects; Study on Security for NR Integrated Access and Backhaul; (Release 16)
35
December 2020
Related components: IAB Donor, IAB UE, F1 interface
Vulnerability to Radio Jamming Attacks
As any wireless cellular networks, 5G networks are built upon open sharing in which the
communication medium is the free frequency space making them prone to interference. This
weakness can be used by some adversary nodes to cause intentional interference and hinder
legitimate user’s communication over specific wireless channels. 5G improves resilience
against jamming attacks over the 4G LTE, but remains vulnerable to customised attacks.
Massive MIMO deployment may be vulnerable to jamming attacks 44. Jamming attacks are a
special concern for mission-critical applications.
Related components: Uu
Security of 5G RAN is built upon the permanent update of Security Assurance Requirements for
critical network components such as gNB.
However, a security update gap between new security requirements and deployment of
updated versions of network functions in operational systems will unavoidably exist. There are
two major factors in reducing this gap: a) vendors’ responsiveness in issuing and validating new
versions of the network functions that address the updated requirements, and b) timeliness and
effectiveness of MNO processes to update operational systems to recently released and SCAS-
evaluated versions.
Affected components: gNB
3.7 NETWORK FUNCTION VIRTUALISATION (NFV) – MANO (ZOOM-IN)

NFV introduces a new concept for service providers to accelerate the deployment of new
network services in support of their revenue and growth plans. It translates to the use of
standard IT virtualisation technologies applied to the deployment of Network Functions, aiming
at a faster provision of new network services. With this, several providers formed the NFV ISG
under the European Telecommunications Standards Institute (ETSI). The foundation of NFV’s
basic requirements and architecture resulted from the work produced by ETSI NFV ISG 4546.
Although 5G networks will be very different compared to its predecessors in some regards (e.g.
through the use of virtualisation and support for diverse and critical non-telecom-oriented
services), they still share similarities and will reuse and extend existing concepts that have
proved successful and are widely adopted.
The NFV has a tight interaction with Virtual Network Functions (VNF), MANO and OSS/BSS
and security management components. The NFV ‘Zoom-in’ presented in Figure 7 refers to all
relevant Core Network and Access Network Functions, as defined by the 3GPP specification
and outlined in their respective zoom-ins.
The structure of NFV has remained almost unchanged. The updates of NFV introduced,
constitute an evolution of previous specifications and concentrate mainly in the adaptation of
functions virtualization to various requirements dictated by the needs of various components. At
44
Y. Arjoune and S. Faruque, "Smart Jamming Attacks in 5G New Radio: A Review," 2020 10th Annual Computing and
Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2020, pp. 1010-1015, doi:
10.1109/CCWC47524.2020.9031175, accessed October 2020.
45
https://www.etsi.org/technologies/nfv, accessed October 2020.
46
https://www.sdxcentral.com/networking/nfv, accessed October 2020.
36
December 2020
the same time, they contain provisions to adapt NFV to recent cloud, software, and
virtualization techniques, novel management architectural styles and operationalization aspects.
Also, the 3GPP Network Slicing Management system consumes management interfaces
provided by NFV MANO for purposes such as Network Slice Lifecycle Management (LCM),
Virtual Network Function LCM, Performance, Fault and Configuration Management. The structure
of NFV architecture and its interfaces to related components is shown in the following figure.
Figure 7: NFV architecture Zoom-in
The elements of the NFV architecture are as follows:
Operations Support OSS/BSS functions provide management and orchestration of systems including
System/Business Support legacy ones and may have full end-to-end visibility of services provided by legacy
System (OSS/BSS) network functions in an operator's network.
Processes covered by OSS/BSS include: Network Management, Service delivery /
fulfilment / assurance, Customer Relationship management and Billing.
Virtualised Network A VNF is a virtualisation of a network function in a legacy non-virtualised network.

Function (VNF) ETSI GS NFV 001 provides a list of use cases and examples of target network
functions (NFs) for virtualisation. Functional behaviour and state of a NF are largely
independent of whether the NF is virtualised or not. The functional behaviour and the
external operational interfaces of a Physical Network Function (PNF) and a VNF are
expected to be the same.
All Core and Access Network functions in the 5G system are potential subjects of
virtualisation, in certain implementation scenarios.
Element Management The Element Management is responsible for:

(EM)
 Configuration for the network functions provided by the VNF.
 Fault management for the network functions provided by the VNF.
 Accounting for the usage of VNF functions.
 Collecting performance measurement results for the functions provided by the VNF.
 Security management for the VNF functions.
37
December 2020
NFV Infrastructure (NFVI) The NFV Infrastructure is the totality of all hardware and software components which
build up the environment in which VNFs are deployed, managed and executed. The
NFV Infrastructure can span across several locations, i.e. places where NFVI-PoPs
are operated. The network providing connectivity between these locations is regarded
to be part of the NFV Infrastructure. From the VNF's perspective, the virtualisation
layer and the hardware resources look like a single entity providing the VNF with
desired virtualised resources.
Hardware Resources In NFV, the physical hardware resources include computing, storage and network that
provide processing, storage and connectivity to VNFs through the virtualisation layer
(e.g. hypervisor). Computing hardware is assumed to be COTS as opposed to
purpose-built hardware. Storage resources can be differentiated between shared
network attached storage (NAS) and storage that resides on the server itself.
Computing and storage resources are commonly pooled. Network resources are
comprised of switching functions, e.g. routers, and wired or wireless links.
Virtualisation Layer and The virtualisation layer abstracts the hardware resources and decouples the VNF
Virtualised Resources software from the underlying hardware, thus ensuring a hardware independent
lifecycle for the VNFs. In short, the virtualisation layer is responsible for: •Abstracting
and logically partitioning physical resources, commonly as a hardware abstraction
layer. •Enabling the software that implements the VNF to use the underlying
virtualised infrastructure. •Providing virtualised resources to the VNF, so that the latter
can be executed.
Virtualised Infrastructure From NFV's point of view, virtualised infrastructure management comprises the
Manager functionalities that are used to control and manage the interaction of a VNF with
computing, storage and network resources under its authority, as well as their
virtualisation. According to the list of hardware resources specified in the architecture,
the Virtualised Infrastructure Manager performs resource and operations
management.Multiple Virtualised Infrastructure Manager instances may be deployed.
NFV Orchestrator The NFV Orchestrator is in charge of the orchestration and management of NFV
infrastructure and software resources, and realizing network services on NFVI.
VNF Manager VNF Manager is responsible for VNF lifecycle management (e.g. instantiation, update,
query, scaling, and termination). Multiple VNF Managers may be deployed; a VNF
Manager may be deployed for each VNF, or a VNF Manager may serve multiple
VNFs.
Os-Ma-nfvo This reference point is used for exchanges between OSS/BSS and NFV Orchestrator,
and supports the following:
• Network Service Descriptor and VNF package management;
• Network Service instance lifecycle management;
• VNF lifecycle management;
• Policy management and/or enforcement for Network Service instances, VNF
instances and NFVI resources;
• Querying relevant Network Service instance and VNF instance information from
the OSS/BSS;
• Forwarding of events, accounting and usage records and performance
measurement results regarding Network Service instances, VNF instances, and
NFVI resources to OSS/BSS, as well as and information about the associations
between those instances and NFVI resources.
Ve-Vnfm-em This reference point is used for exchanges between EM and VNF Manager, and
supports the following:
VNF instantiation / VNF instance query / VNF instance update / VNF instance scaling
out-in, and up-down / VNF instance termination / Forwarding of configuration and
events from the EM to the VNFM / Forwarding of configuration and events regarding
the VNF from the VNFM to the EM.
NOTE: This reference point is only used if the EM is aware of virtualisation.
Ve-Vnfm-vnf This reference point is used for exchanges between VNF and VNF Manager, and
supports the following:
VNF instantiation / VNF instance query / VNF instance update / VNF instance scaling
out-in, and up-down / VNF instance termination / Forwarding of configuration and
38
December 2020

events from the VNF to the VNFM / Forwarding of configuration and events regarding
VNF, from the VNFM to the VNF / Verification that the VNF is still alive/functional.
NFVI - Virtualised This reference point is used for: Specific assignment of virtualised resources in
Infrastructure Manager response to resource allocation requests / Forwarding of virtualised resources state
(Nf-Vi) information / Hardware resource configuration and state information (e.g. events)
exchange.
NFV Security Manager NSM is the logical functional block for overall security management, e.g. on the behalf
(NSM) of network services. In cooperation with MANO blocks dedicated to managing the
virtualised network, the policy driven NSM is specialized to manage the security on a
network service over its entire lifecycle. It covers the following functionalities:
• Security Policy Planning designs and optimizes security policies for specific
targets of protection (e.g. network services);
• Security Policy Enforcement & Validation automates the deployment and
supports lifecycle management of security functions as defined in the design
phase, then configure security policies on the security functions. In addition,
during lifetime of a network service, the validation and re-
configuration/remediation of associated security policies is supported, also in
automated manner;
• NFVI Security Manager (ISM) – see below.
NFVI Security Manager NFVI Security Manager is the logical function dedicated to security management in
(ISM) NFVI layer. It builds and manages the security in NFVI to support NSM requests for
managing security of network services in higher layer.
Security Element SEM refers to Element Manager managing Security Functions.

Manager (SEM)
Virtual Security Function This element is a special type of VNF running on top of NFVI with tailored security
(VSF) functionality (e.g. firewall, IDS/IPS, virtualised security monitoring functions like vFEP,
vTap). VSFs are mainly required to protect the other VNFs, which constitute a network
service. VSF is managed by either dedicated VNFM or generic VNFM with respect to
its lifecycle.
NFVI-based Security This element is a security function provided by the NFV Infrastructure. It includes
Function (ISF) virtualised security appliances or software security features (e.g. hypervisor-based
firewalls) and hardware-based security appliances/modules/features (e.g. Hardware
Security Modules, Crypto Accelerators, or Trusted Platform Modules).
Physical Security This element is a conventionally realized security function in the physical part of the
Function (PSF) hybrid network. Even if a telco network is virtualised, additional PSFs are still needed,
for instance to protect the NFV infrastructure (and inherently, the Network Services
running on top) as a whole. PSF is part of the non-virtualised traditional network and
not maintained by the NFVI provider, hence it is managed by the SEM instead of the
VIM.
NFVI - Virtualised This reference point is used for: specific assignment of virtualised resources in
Infrastructure Manager response to resource allocation requests / Forwarding of virtualised resources state
(NF-Vi) information / Hardware resource configuration and state information (e.g. events)
exchange.
3.7.1 ELEMENTS OF NOVELTY (RELEASE 4)

The ETSI Industry Specification Group for Network Functions Virtualisation (NFV) has started working in
2019 on its next specification release, known as Release 4. Release 4 addresses several issues in the
following technical areas: the evolution of the NFV framework to support the most recent cloud, software,
and virtualization techniques; novel management architectural styles and operationalization aspects,
leveraging virtualization characteristics to simplify deployments; and increased support for automation. 47
47
https://www.etsi.org/newsroom/press-releases/1652-2019-10-etsi-nfv-release-4-empowers-orchestration-and-cloud-
enabled-deployments, accessed October 2020
39
December 2020
Key areas of focus for the NFV Release 4 include48:
 NFVI evolution, focusing on enhancements to support lightweight virtualization technologies such

as OS containers, optimizing NFV Infrastructure (NFVI) abstraction for reducing the coupling of
VNFs to infrastructure
 Enhancing NFV automation and capabilities, covering aspects such as: improving life-cycle
management and orchestration, the simplification of VNF and NS management aspects
leveraging virtualization, and handling advances in autonomous networking
 Evolving the NFV-MANO (Management and Orchestration) framework, focusing primarily on
optimizing internal NFV-MANO capability exposure and usage, and on enhanced reliability and
availability
 Accompanying operationalization aspects which include: the simplification of NFV to ease
development and deployment of sustainable NFV based solutions, verification and certification
procedures and mechanisms, and operationalization, integration and use of NFV with other
management and network frameworks
 In addition to the above technical areas, several security hardening aspects of NFV and other
small specific technical enhancements necessary to maximize the impact of virtualization and
future NFV deployments are also expected to be part of the work programme
The "Release 4 Definition" lists all the new features proposed for the Release 4. Among other features that
had not been fully completed in the previous Release and have been carried over into Release 4, the list of
new features includes:
 Network connectivity integration and operational for NFV

 NFV-MANO automation and autonomous networks
 NFV enhancements for 5G
 Multi-tenancy enhancements for NFV-MANO
 Service-based architecture (SBA) for NFV-MANO
 VNF generic management functions, and
 Continuous VNF integration
However, the current network architecture of the operators differs in critical points from the envisioned
ETSI NFV architecture. Even if NFV technologies have proven successful technologies in the IT industry,
some adaption is needed to accommodate the special needs of the telecommunications industry.
Currently, traditional network functions are coupled with underlying dedicated hardware, which are vendor
proprietary. Network virtualization migration from traditional network functions to the ETSI NFV architecture
involves restructuring infrastructure, service functions, and operation and maintenance (O&M)49.
Further consideration is needed for allocation of resources for critical infrastructure services. Sharing of
such resources may not be allowed by national regulators for considerations of availability, response time
and confidentiality.
Similarly, NFV functions part of Release 4, such as Multi-tenancy enhancements for NFV-MANO or
Continuous VNF integration, will face adoption hurdles because of national certification and authorisation
schemes.
48
NFV Release 4 Definition v0.2.0 (2020-07)
https://docbox.etsi.org/ISG/NFV/Open/Other/ReleaseDocumentation/NFV(20)000160_NFV_Release_4_Definition_v0_2_0.
pdf, accessed October 2020.
49
https://www.gsma.com/futurenetworks/5g/migration-from-physical-to-virtual-network-functions-best-practices-and-
lessons-learned/, accessed October 2020.
40
December 2020
Virtualization
NFV benefits from the inherent security protection brought by the virtualization layer50. The security threats
associated with VNFs are the combination of the security threats on physical networking and on
virtualization technologies. VNFs run over virtual resources such as VMs and cross-contamination for
shared hardware resources is possible, in particular MNO should carefully investigate risks to operate VNF
categorized as critical with others VNF on the same physical resources. Virtualization brings with it some
new attack surface with known vulnerabilities in virtualization environments. If hypervisor is compromised,
other vulnerabilities can arise exponentially. There are potential security issues associated with NFVI,
considering some potential attack scenarios such as VM escape attack, attack on hypervisor management
interface, denial of service (DoS), DNS amplification attack.
A 3GPP Study51 considers the consequences of virtualisation on 3GPP architectures, in order to identify
threats and subsequent security requirements. To adequate security in virtualised deployments, the
underlying infrastructure needs to provide minimum security capabilities in a standardised form which can
be requested and or consumed at the 3GPP layer.
Related component(s): VIM, Virtualisation Layer, NFVI
Management Interfaces / APIs
One of the security challenges is to define the standard interface in the ETSI NFV architecture. New APIs
introduce new threat vectors. Standardisation of interfaces will address security from design phase.
Management Interfaces / APIs must have safeguards in place to avoid being manipulated in unintended
ways to cause disruption. Security challenges are related to Web/API vulnerabilities, Account compromise,
Privileged User Access, Unauthorized access, Unauthorized data/packet, Inspection / Modification of data,
compromise of MANO components. Improper enforcement of security policies, or improper updating policy
rules and data access procedures, allowing attackers to gain access to the NFV MANO module and further
perform unauthorized control for all operations.
Related component(s): Os-Ma-nfvo, Ve-Vnfm-em, Ve-Vnfm-vnf
Localisation of functions
Attacks aiming to place and migrate workload outside the legal boundaries were not possible using
traditional infrastructure. Using NFV, violation of regulatory policies and laws becomes possible by moving
one VNF from a legal location to another illegal location, because there is no mechanism to enforce geo-
restrictions.
Related component(s): NFVO, VNFM, VIM
50
Security Considerations for the 5G Era – July 2020 https://www.5gamericas.org/wp-content/uploads/2020/07/Security-
Considerations-for-the-5G-Era-2020-WP-Lossless.pdf, accessed October 2020.
51
Services and System Aspects; Security Aspects; Study on Security Impacts of Virtualisation (Release 16), accessed
October 2020.
41
December 2020
3.8 SOFTWARE DEFINED NETWORK (SDN) (ZOOM-IN)

5G will be driven by the influence of software on network functions, known as software defined network
(SDN) and network function virtualisation (NFV). The key concept that underpins SDNs is the logical
centralisation of network control functions by decoupling the control and packet-forwarding functionality of
the network. While SDN separates the control and forwarding planes, NFV primarily focuses on optimizing
the network services themselves. NFV complements this vision through the virtualisation of these
functionalities based on recent advances in general server and enterprise IT virtualisation. In this
document, the provisions regarding SDN threats are the ones described in the ENISA Thematic Landscape
SDN/5G52.
As previously mentioned, the fundamental concept of SDN relies on decoupling of the control
and packet forwarding functionality of the network. In classic networks, these two functionalities
were the responsibility of the forwarding devices of the network. In SDN, these two
functionalities have been separated into two functionality planes: the control plane and the data
plane. The separation of these two functionality planes in SDNs has two significant
consequences:
a) it reduces the difficulty in the configuration and alteration of the control functions of the
network, as this functionality has no longer the responsibility of the forwarding devices
of the network that tend to have proprietary implementations (e.g., operating systems),
and
b) it enables the implementation of more consistent control policies through fewer and
uniformly accessible controllers.
The typical SDN architecture, as described by the Open Networking Foundation 53, is shown in
the following figure.
Figure 7: SDN architecture Zoom-in
52
ENISA Threat Landscape and Good Practice Guide for Software Defined Networks/5G
https://www.enisa.europa.eu/publications/sdn-threat-landscape/at_download/fullReport, accessed October 2020.
42
December 2020
The elements of the SDN architecture are as follows:
SDN controller SDN Controller: The SDN Controller is a logically centralized entity in charge of:
• Translating the requirements from the SDN Application layer down to the SDN
Resources and
• Providing the SDN Applications with an abstract view of the network (which may
include statistics and events).
SDN controller is the “brain” of SDN network. An SDN controller manages flow control to
the switches/routers ‘below’ (via southbound APIs) and the applications and business logic
‘above’ (via northbound APIs) to deploy intelligent networks54.
SDN Application SDN Applications are programs that explicitly, directly, and programmatically communicate
their network requirements and desired network behaviour to the SDN Controller. Multiple
case scenarios might be envisioned, for the position of the SDN applications in the NFV
architectural framework, such as:
• The network hardware might be a physical appliance talking to an SDN controller, or a
complete solution including multiple SDN components, such as SDN controller + SDN
application for instance;
• The VIM might be an application interfacing with an SDN controller in the NFVI - for
instance OpenStack Neutron as a VIM interfacing with an SDN controller in the NFVI;
• The SDN application might be a VNF talking to an SDN controller, being virtualised or
not. For instance, a PCRF VNF might talk to an SDN controller for some policy
management for traffic steering;
• The SDN application might be an element manager interfacing with an SDN controller
to collect some metrics or configure some parameters;
• The SDN application might be an application interfacing with an SDN controller for
instance in the OSS-BSS for tenant SDN service definitions.
SDN resources Multiple scenarios might be envisaged for the actual location of SDN resources:
• physical switch or router;
• virtual switch or router;
• e-switch, software based SDN enabled switch in a server NIC;
• switch or router as a Virtual network function (VNF).
Northbound Interface SDN Northbound Interfaces are interfaces between SDN Applications and SDN Controllers
and typically provide abstract network views and enable direct expression of network
behaviour and requirements. This may occur at any level of abstraction (latitude) and across
different sets of functionalities (longitude). One value of SDN lies in the expectation that
these interfaces are implemented in an open, vendor-neutral and interoperable way55.
Southbound Interface The SDN Southbound Interface is the interface defined between an SDN Controller and an
SDN Data-path, which provides at least:
• programmatic control of all forwarding operations;
• capabilities advertisement;
• statistics reporting, and
• event notification.
One value of SDN lies in the expectation that the Southbound Interface is implemented in an
open, vendor-neutral and interoperable way.
Eastbound-Westbound This interface is implemented by the different controllers of the SDN and is used to facilitate
Interface communications between them (Controller – Controller interface).
Control Plane (CP) The plane responsible for the control functionality of the network. Part of the network that is
assigned to control one or more SDN resources. CP instructs network devices how to treat
and forward packets. The Control Plane (CP) communicates with Data Plane (DP) of
devices using a control plane Southbound Interface (SBI).
Data Plane (DP) or The plane responsible for the data forwarding functionality of the network. The functionality
Forwarding Plane (FP) of this plane is realized through a set of physical network devices (network elements).
54
https://www.sdxcentral.com/networking/sdn/definitions/what-is-sdn-controller/, accessed October 2020.
55
SDN Architecture Overview https://www.opennetworking.org/wp-content/uploads/2013/02/SDN-architecture-overview-
1.0.pdf, accessed October 2020.
43
December 2020

Software-defined network (SDN) radically changes the network architecture by decoupling the
network logic from the underlying forwarding devices. This architectural change rejuvenates the
network-layer granting centralized management and programmability of the networks. From a
security perspective, SDN separates security concerns into control and data plane, and this
architectural re-composition brings up exciting opportunities and challenges. The overall
perception is that SDN capabilities will ultimately result in improved security. However, in its raw
form, SDN could potentially make networks more vulnerable to attacks and harder to protect.
Although nothing comes without risks or trade-offs, when it comes to security and SDN clearly
the security benefits of SDN outweigh security risks56.
Control Plane
SDN provides a logically centralized control plane to the network. The controller of the network
maintains a global view of the network and programs forwarding devices as per the policies
defined at the application layer. While initially controllers were developed as single devices,
recently there has been a shift of trend to distributed controllers with the goal of adjusting to
scalability and reliability requirements of real-world scenarios. In this case, each set of
forwarding devices is assigned to a specific instance of controllers and the controllers, follow a
Master/Slave deployment model.
Control Plane attack refers to the case where an attacker may deduce the forwarding policy of
the network just by analysing the performance metrics of a forwarding device. For example, an
input buffer may be used to identify rules, and by analysing the packet processing times, an
attacker could identify the forwarding policy.
Related component(s): Control Plane, SDN controller
Data Plane
The data plane is composed of networking equipment such as switches and routers specialized
in packet forwarding.
However, unlike traditional networks, these are just simple forwarding elements with no
embedded intelligence to take autonomous decisions. These devices communicate through
standard OpenFlow interfaces with the controller - which ensures configuration and
communication compatibility and interoperability among different devices.
A Protocol Attack refers to attacks targeting the data plane of an SDN by exploiting network
protocol vulnerabilities in the forwarding devices .
A Device Attack refers to all those attacks, where the adversary aims to exploit software or
hardware vulnerabilities of an SDN-capable switch to compromise SDN’s data plane. In this
case, an attacker may target software bugs (e.g., firmware attacks) or hardware features (e.g.,
TCAM memory) of a forwarding device.
Related component(s): Data Plane, SDN resources
56
The Security Benefits Behind the Software Defined Network https://businessinsights.bitdefender.com/security-benefits-
software-defined-network, accessed October 2020.
44
December 2020
Programmable Interfaces (APIs)/ SDN Programming languages
There the attacks against the Southbound API of an SDN include: Interaction, Eavesdrop,
Availability and TCP-attacks. While with an Eavesdrop Attack, the attacker aims to learn about
information exchanged between the control and data plane as part of a larger attack plot, in an
Manipulation Attack the attacker’s goal is to corrupt the network behaviour by modifying the
messages being exchanged. The Availability Attack refers to Denial of Service (DoS) attacks,
where the Southbound API is flooded with requests causing the network policy implementation
to fail. Attackers can infer flow rules in SDN from probing packets by evaluating the delay time
from probing packets and classifying them into classes. Knowing the reactive rules, attackers
can launch DoS attacks by sending numerous rule-matched packets which trigger packet-in
packets to overburden the controller.
Similar to SDN’s Southbound API, the Northbound API is susceptible to Interception, Eavesdrop
and Availability.
Attacks. While the nature of both attacks is similar, there are a few key differences:
 An attacker targeting the Northbound API requires higher-level of access to the system
and is potentially sitting on the application plane. There may be cases that the
applications do not run on the same device and in that case the attack complexity may
be reduced as to Southbound API.
 The impacts of a compromised Northbound API are potentially larger given that
information exchanged between the control and application plane affect network-wide
policies. Unlike Southbound API, where OpenFlow is adopted as the standard, the
Northbound API lacks any standardization. Specifically, each controller has different
specifications for the Northbound API, and this leads to insecure developments57.
Another issue that needs to be looked at is the potential exposure caused by SDN programming
languages (e.g. P4 Programming Protocol-independent Packet Processors), used to
dynamically reconfigure the network. The use of these extremely dynamic and event-based
languages increases the attack surface. Although these languages have not been considered in
the current document, it is proposed to perform a detailed analysis of their misuse potential in
prospective, more detailed threat assessments.
Related component(s): Northbound Interfaces, Southbound Interfaces, Eastbound-Westbound

Interface
Virtualization
There are threats related to the underlying IT infrastructure used for virtualising network
operations, like: Virtualised host abuse, Data-Centre threats, Network Virtualization bypassing.
Related component(s): Control Plane, Data Plane
3.9 MULTI-ACCESS EDGE COMPUTING (MEC) (ZOOM-IN)

Multi-access Edge Computing (MEC) stands for the provision of cloud computing capabilities at
the edge of the network, that is, for high bandwidth, low latency end-user applications. MEC is
located in the logical vicinity of base stations through authorised third parties willing to offer
processing and storage capabilities to subscribers of the 5G network. MEC is a novel approach
57
Software-Defined Network (SDN) Data Plane Security: Issues, Solutions and Future Directions
https://arxiv.org/pdf/1804.00262.pdf, accessed October 2020.
45
December 2020
in the 5G ecosystem that enhances mobile user experience by covering services that, in
previous generations, were using the run-time of end-user devices.
MEC provides a new ecosystem and value chain. Operators can open their Radio Access
Network (RAN) edge to authorized third-parties, allowing them to flexibly and rapidly deploy
innovative applications and services towards mobile subscribers, enterprises and vertical
segments.
Multi-access Edge Computing will enable new vertical business segments and services for
consumers and enterprise customers. Use cases include:
 video analytics;
 location services;
 Internet-of-Things (IoT);
 augmented reality;
 optimized local content distribution and
 data caching.
It is expected that MEC is going to emerge following the evolution of application services and
verticals and will be one of the main drivers for a wider coverage and penetration of 5G
Networks.
Besides offering these services, MEC takes an important role in the 5G infrastructure. It
possesses orchestration functions, interacts with the 5G policy component and supports
lifecycle matters of the offered applications.
By deploying various services and caching content at the network edge, Mobile core networks
are alleviated of further congestion and can efficiently serve local purposes. The structure of
MEC and its elements is shown in the figure below:
Figure 8: MEC architecture Zoom-in
46
December 2020
The elements of MEC are as follows:
Customer facing service The customer facing service portal allows operators' third-party customers (e.g.
(CFS) portal commercial enterprises) to select and order a set of MEC applications that meet
their particular needs, and to receive back service level information from the
provisioned applications.
Device application Device applications as defined in the present document are applications in the
device (e.g. UE, laptop with internet connectivity) that have the capability to interact
with the MEC system via a user application lifecycle management proxy.
Application Client(s) Application Client is the application resident in the UE performing the client function.
Edge Enabler Client (EEC) Edge Enabler Client (EEC) provides supporting functions needed for Application
Client(s).
Functionalities of Edge Enabler Client are:
• retrieval and provisioning of configuration information to enable the exchange
of Application Data Traffic with the EAS;
• discovery of EAS available in the Edge Data Network.
Edge Configuration Server Edge Configuration Server (ECS) provides supporting functions needed for the
(ECS) Edge Enabler Client to connect with an EES. Functionalities of ECS are:
• Provisioning of Edge configuration information to the Edge Enabler Client.
The Edge configuration information includes the following:
o the information for the EEC to connect to the EES (e.g. service area
information applicable to LADN); and
o the information for establishing a connection with EES (such as URI).
User application lifecycle The user application lifecycle management proxy allows device applications to
management (LCM) proxy request on-boarding, instantiation, termination of user applications and when
supported, relocation of user applications in and out of the MEC system. It also
allows informing the device applications about the state of the user applications.
The user application lifecycle management proxy authorizes requests from device
applications in the device and interacts with the OSS and the multi-access edge
orchestrator for further processing of these requests.
Multi-access edge The multi-access edge orchestrator is the core functionality in MEC system level
orchestrator management, responsible for the following functions: maintaining an overall view of
the MEC system; on-boarding of application packages; selecting appropriate MEC
host(s) for application instantiation; triggering application instantiation and
termination; triggering application relocation as needed when supported.
MEC host MEC host is an entity that contains a MEC platform and a virtualisation
infrastructure which provides compute, storage, and network resources, for the
purpose of running MEC applications.
Virtualisation infrastructure It provides compute, storage, and network resources for the MEC applications. The
virtualisation infrastructure includes a data plane that executes the traffic rules
received by the MEC platform, and routes the traffic among applications, services,
DNS server/proxy, 3GPP network, other access networks, local networks and
external networks.
MEC platform It is the collection of essential functionalities required to run MEC applications on a
particular virtualisation infrastructure and enable them to provide and consume MEC
services. The MEC platform can also provide services.
47
December 2020
Edge Enabler Server (EES) Edge Enabler Server (EES) provides supporting functions needed for EAS and
EEC. Functionalities of EES are:
• provisioning of configuration information to EEC, enabling exchange of
application data traffic with the EAS;
• supporting the functionalities of API invoker and API exposing function58 as
specified in 3GPP TS 23.222;
• interacting with 3GPP Core Network for accessing the capabilities of network
functions either directly (e.g. via PCF) or indirectly (e.g. via
SCEF/NEF/SCEF+NEF);
• support the functionalities of application context transfer;
• supports external exposure of 3GPP network capabilities to the EAS over
EES interface.
MEC applications MEC applications are instantiated on the virtualisation infrastructure of the MEC
host, based on configuration or requests validated by the MEC management.
Edge Application Server Edge Application Server (EAS) is the application server resident in the Edge Data
(EAS) Network, performing the server functions. The Edge Application Server may
consume the 3GPP Core Network capabilities: invoke 3GPP Core Network function
APIs directly, invoke 3GPP Core Network capabilities through the EES or invoke the
3GPP Core Network capability through the capability exposure functions (i.e. SCEF
or NEF).
MEC service It is a service provided via the MEC platform either by the MEC platform itself or by
a MEC application.
Service registry In MEC, the services produced by the MEC applications are registered in the
service registry of the MEC platform – as opposed to the network functions and the
services they produce which are registered in the Network Resource Function
(NRF).
Application Data Traffic Data traffic between the application installed on the User Equipment (UE) and the
application server (EAS / MEC App).
MEC host level management It handles the management of the MEC specific functionality of a particular MEC
host and the applications running on it. Is comprised of the MEC platform manager
and the virtualisation infrastructure manager.
MEC platform manager The MEC platform manager is responsible for the following functions:
• Managing the life cycle of applications including informing the multi-access
edge orchestrator of relevant application related events;
• Providing element management functions to the MEC platform and
• Managing the application rules and requirements.
The MEC platform manager also receives virtualised resources fault reports and
performance measurements from the virtualisation infrastructure manager for further
processing.
Virtualisation infrastructure The functionality provided by the virtualisation infrastructure manager in this ‘Zoom-
manager in’ overlaps generally with the functionality provided by the VIM described in the
NFV ‘Zoom-in’.

ETSI ISG MEC and 3GPP have both worked on their own architectures for edge computing
within the boundaries of their different scopes. Their common purpose is to create an open and
standardized IT service environment for hosting and supporting third-party applications in edge
environments. Synergized Mobile Edge Cloud Architecture59 provides common practices to
58
3GPP TS 23.222 – Functional architecture and information flows to support Common API Framework for 3GPP
Northbound APIs (Release 16), https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-g40.zip, accessed
October 2020.
59
ETSI White Paper #36 - Harmonizing standards for edge computing - A synergized architecture leveraging ETSI ISG
MEC and 3GPP specifications, 1st edition – July 2020, accessed October 2020.
48
December 2020
developers such that they can create a single application software module running on common
edge environments.
At the heart of the ETSI ISG MEC and 3GPP SA6 architectures lie the MEC Platform/Edge
Enabler Server and the MEC Applications/Edge Application Servers respectively. There is a
great degree of synergy in the two architectures on these aspects, and in the information
carried between these functional entities. ETSI GR MEC 031 will provide solution proposals and
recommendations for MEC integration into 3GPP 5G system. On the other hand, 3GPP TS
23.558 Architecture for enabling Edge Applications (Release 17) provides application layer
architecture and related procedures for enabling edge applications over 3GPP networks.
Virtualization and containerization
Cloud computing will leverage on multiple virtualized systems in order to optimize available
resources and deliver on its proposed benefits. Cloud native MEC provides inherent security
protection due to the isolation and containerization.
 Each container performs a dedicated function, enhancing behaviour profiling and

anomaly detection.
 Isolation of containers prevents spread of malware and viruses.
 Decomposed software provides efficient software version updates and security patches.
 Compute services in cloud-native applications are designed to be ephemeral, reducing
the attack surface.
 Resiliency is gained with increased speed to start a container and horizontal scale to
dynamically respond to threats.
 Segmentation with network slicing separates traffic and isolates compute resources.
However, cloud native MEC architecture is exposed to a number of threats 60:
 The uses of open source code, more interfaces, and new APIs introduce new threat vectors.
 Shared hardware resources can result in cross-contamination.
 Vulnerabilities in the shared host platform, Container-as-a-Service (CaaS) and Platform-as-
a-Service (PaaS) can impact the container security.
 Containers requiring elevated privileges can cause security risk to both host as well as other
tenant containers.
 Dependency upon central orchestration introduces a new threat vector.
 High data volume and sessions increase risk from an attack.
 Applications running in a micro-service architecture are as vulnerable to the same
attacks as traditional applications.
Related component(s): Virtualisation infrastructure, MEC host, MEC applications
Physical security
Improper physical and environmental security of edge computing facilities can lead to
destruction of edge computing facilities, unauthorised access at system level as an entry point
to all hosted resources, theft of data on local storage.
60
Security Considerations for the 5G Era – July 2020 https://www.5gamericas.org/wp-content/uploads/2020/07/Security-
Considerations-for-the-5G-Era-2020-WP-Lossless.pdf, accessed October 2020.
49
December 2020
Edge computing facilities are, by their nature, seated in locations distributed geographically and
this makes the physical security measures lower than a centralized Data Centre.
Related component(s): MEC Host
Application-Programming Interfaces (APIs)
Edge Applications facilitate communication between application clients and applications deployed
at the edge. The architecture enables the CAPIF (Common API Framework) to be leveraged as a
standardized means of providing and accessing APIs in the Edge Cloud. The main purpose of
CAPIF is to have a unified north bound API framework across several 3GPP functions.
Application Programming Interface (API) Security is the design, processes, and systems that
keep a web-based API responding to requests, securely processing data and functioning as
intended. Like any software, APIs can be compromised and data can be stolen. Since APIs serve
as conduits that reveal applications for third-party integration, they are susceptible to attacks.
Related component(s): 3GPP SA6 interfaces, ETSI MEC interfaces
Regulatory issues
In European countries there is specific legislation on the implementation of the NIS directive 61
The goal is to protect critical infrastructure that ensure national security. A critical service should
be operated in an area with a security level compatible to this criticality.
If an operator operates in a MEC environment a regulated critical service, it will have to

demonstrate that its environment is compatible with the regulation imposed by the critical
service in the particular country of operation. Physical and logical resources should not be
shared with components which have not the same criticality. This constraint requires the right
level of isolation around the service to prevent regulation pollution to its own components and
infrastructures. A simple solution can be the complete segregation of physical resources
between the operator's MEC functions and the 3rd party ones.
Related component(s): Virtualisation infrastructure, MEC host, MEC Platform.
3.10 SECURITY ARCHITECTURE (SA) (ZOOM-IN)

The 5G security architecture consists of various network functions (NF) and components that are
responsible for securing end-to-end communications, providing authentication functions and
various other security functions. The 5G security architecture consists of components that are part
of various other architectures (“Zoom-ins” in terms of this report), acting thus in a horizontal
manner across all other architectures. In particular, security functions are securing the access of
users within the radio access network (RAN), they cover security functions in the core network
and perimeter entities (edge computing) and they provide security functions in the Network
Function Virtualization. Finally, a set of elements is covering security management functions,
audit and analytics.
The 5G security architecture is defined in 3GPP technical specification 62 as spanning

complementary different domains.
61
The Directive on security of network and information systems (NIS Directive) https://ec.europa.eu/digital-single-
market/en/network-and-information-security-nis-directive, accessed October 2020.
62
3GPP TS 33.501 V16.4.0 (2020-09) Security architecture and procedures for 5G system (Release 16)
50
December 2020
 Network access security (I): the set of security features that enable a UE to authenticate
and access services via the network securely, including the 3GPP access and Non-
3GPP access, and in particularly, to protect against attacks on the (radio) interfaces. In
addition, it includes the security context delivery from SN to AN for the access security.
 Network domain security (II): the set of security features that enable network nodes to
securely exchange signalling data and user plane data.
 User domain security (III): the set of security features that secure the user access to
mobile equipment.
 Application domain security (IV): the set of security features that enable applications in
the user domain and in the provider domain to exchange messages securely.
Application domain security is not in the scope of the present analysis.
 SBA domain security (V): the set of security features that enables network functions of
the SBA architecture to securely communicate within the serving network domain and
with other network domains. Such features include network function registration,
discovery, and authorisation security aspects, as well as the protection for the service-
based interfaces.
 Visibility and configurability of security (VI): the set of features that enable the user to
be informed whether a security feature is in operation or not.
The detailed structure of the 5G security architecture is shown in the following figure.
Figure 9: 5G Security architecture Zoom-in
51
December 2020
The elements of the 5G security architecture are as follows:
Mobile Equipment (ME) ME stands for all kinds of mobile equipment that can be connected to the 5G
network. ME can be sensors, IoT components, connected autonomous systems,
eHealth devices, etc.
Universal Subscriber Identity USIM is the SIM card of 5G.It is a platform for securing access and communication
Module (USIM) in 5G. It is the only security module mentioned in 3GPP specification.
5G Node Base Station Central Some security requirements for gNB-CU have been formulated by 3GPPP. Though
Unit (gNB-CU) not a security element per se, these requirements increase the security properties
of gNB and – when implemented - are considered to be relevant to the security
architecture.
Non-3GPP Access Network Security for non-3GPP access to the 5G Core network is achieved by a procedure
using IKEv2 as defined in RFC 7296 to set up one or more IPsec ESP security
associations. The role of IKE initiator (or client) is taken by the UE, and the role of
IKE responder (or server) is taken by the N3IW.
Non-3GPP access Inter- This Network Function is responsible for interworking between untrusted non-3GPP
Working Function (N3IWF) networks and the 5G Core. As such, the N3IWF supports both N2 and N3 based
connectivity to the core, whilst supporting IPsec connectivity towards the device.
Access and Mobility The Core Access and Mobility Management Function is part of the 3GPP 5G
Management Function (AMF) Architecture. Its primary tasks include registration Management, Connection
Management, Reachability Management, Mobility Management and various
function relating to security and access management and authorisation.
Security Anchor Function The SEAF will create for the primary authentication a unified anchor key KSEAF
(SEAF) (common for all accesses) that can be used by the UE and the serving network to
protect the subsequent communication63.
Authentication server The Authentication server function (AUSF) shall handle authentication requests for
function (AUSF) both, 3GPP access and non-3GPP access. The AUSF shall provide SUPI to the
VPLMN (Core Network / Serving Network) only after authentication confirmation if
authentication request with SUCI was sent by VPLMN. The AUSF shall inform the
UDM that a successful or unsuccessful authentication of a subscriber has occurred.
Authentication credential ARPF selects an authentication method based on subscriber identity and
Repository and Processing configured policy and computes the authentication data and keying materials
Function (ARPF)
User Data Management (UDM) Unified data management (UDM) manages network user data in a single,
Function centralized element. UDM is similar to the 4G network's home subscriber service
(HSS) but is cloud-native and designed for 5G specifically.
The SIDF is responsible for de-concealment of the Subscription Concealed
Identifier (SUCI) and shall fulfil the following requirements:
• The SIDF shall be a service offered by UDM;
• The SIDF shall resolve the SUPI from the SUCI based on the protection
scheme used to generate the SUCI.
Unstructured Data Repository Repository for management of unstructured data, designed to manage massive and
(UDR) various types of unstructured data including text, image, audio and video.
Security Edge Protection The 5G System architecture introduces a Security Edge Protection Proxy (SEPP)
Proxy (SEPP) as the entity sitting at the perimeter of the mobile network. The SEPP shall act as a
non-transparent proxy node.
63
https://www.researchgate.net/profile/Andreas_Kunz2/publication/319527681_Overview_of_5G_security_in_3GPP/links/59b
116d80f7e9b37434a8248/Overview-of-5G-security-in-3GPP.pdf, accessed October 2020.
52
December 2020
Network Slice Specific The Network Slice Specific Authentication and Authorisation Function (NSSAAF)
Authentication and supports the following functionality:
Authorisation Function
(NSSAAF) • Support for Network Slice-Specific Authentication and Authorisation as
specified in TS 23.502 64with a AAA Server (AAA-S).
AAA-S In the optional-to-use Network slice-specific authentication and authorisation, an

AAA server (AAA-S) may be owned by an external 3rd party enterprise.
AAA-P In the above-mentioned scenario, if the AAA-S belongs to a third party, the
NSSAAF may contact the AAA-S via an AAA proxy. The NSSAA Function and the
AAA-P may be co-located.
EAP-ID Network slice-specific authentication and authorisation uses a User ID and

credentials, different from the 3GPP subscription credentials (e.g. SUPI and
credentials used for PLMN access) and takes place after the primary authentication65.
NFV Security Services Agent The NFV SSA exists in both the NFVI domain and in VNF domain. NFV SSA in
(SSA) VNF domain may exist as a separate VSF, or within a VNF. The NFV SSA is
responsible for securely receiving the Security Monitoring policy and implementing
the same.
NFV Security Controller (SC) The NFV SC may interface with other security systems (e.g. Security Analytics),
security databases and other policy engines. The NFV SC orchestrates system wide
security policies. The NFV SC acts as a trusted 3rd party that resides independently.
An NFV SC manages NFV SSAs (like VSFs) to keep them in a consistent state
according to the policy specified. SC also facilitates secure bootstrapping of SSAs
(like VSFs), managing instances of SSAs, secure pairing up with SSA's VNFMs and
EMs, personalize the SSAs, policy management, integrity assertion, credential
management, facilitate clustering of multiple SSAs into a distributed appliance,
monitoring of SSAs for failure and remediation.
NFV Security Services The NFV SSP is comprised within the VIM and VNFM, and is responsible for
Provider (SSP) security monitoring policy orchestration received from the Security Controller (NFV
SC) and interacting with the various VIM/VNFM components to implement the
policy across various systems comprising the NFVI/VNF. Furthermore, NFV SSP is
also responsible for receiving the telemetry data from various NFV SSAs, and
optionally making some analysis based on this data.
NFV Security Monitoring The NFV SecM-DB is a secure database consisting of security data used for
Database deploying NFV system wide Security Monitoring. This includes Security Monitoring
policy and configurations, security credentials for facilitating secure
communications between the various Security Monitoring components, and
credentials for secure storage of telemetry, including tenant-specific security
policies.
SA/VSF Catalogue Database The NFV VSF-VNF-CAT is a repository for Security Services Agents like the Virtual
(VSF-NVNF-CAT) Security Functions (VSF) VNFs. The catalogue has capability to add and remove SSAs
(VSF) packages and/or images, and also includes a VSF VNFD (VNF Descriptor)
containing meta data and information about that VSF VNF. Once the SSA (VSF)
package or instance is added to the catalogue, it becomes available for orchestration.
Audit DB The NFV AUD-DB is a secure database consisting of security audit information.
Security Monitoring Analytics The Security Monitoring Analytics system securely receives Security Monitoring
System telemetry from across the NFV systems, including the MANO and all the NFVIs that
may be geographically distributed. The analytics system applies advanced machine
learning techniques on the telemetry to perform advanced detection of security
anomalies and emerging threats in the system. This system also can trigger
remediation actions through the NFV SC.
64
Group Services and System Aspects; Procedures for the 5G System (5GS); Stage 2 (Release 16),
65
Group Services and System Aspects; Security architecture and procedures for 5G system (Release 16),
53
December 2020
Subscription Concealed A one-time use subscription identifier, which contains the Scheme-Output, and
Identifier (SUCI) additional non-concealed information needed for home network routing and
protection scheme usage.
Subscription Permanent In 5G, all subscribers will be allocated a globally unique 5G SUPI. Example SUPI
Identifier (SUPI) formats include the IMSI and NAI (Network Access Identifier)
Authentication Vector A vector consisting of RAND, authentication Token (AUTN) and Hash eXpected
RESponse (HXRES).
Anchor Key The security key KSEAF provided during authentication and used for derivation of
subsequent security keys.
Key Hierarchy Hierarchy of cryptographic key derived from Anchor Key, (as defined in ETSI TS
133 50166 section 6.2.). It includes the following keys: KAUSF, KSEAF, KAMF,
KNASint, KNASenc, KN3IWF, KgNB, KRRCint, KRRCenc, KUPint and KUPenc.

While many new features in Release 16 contribute to increased security, the relevant addition at
the level of Security Functions is the enhanced support for Network Slice-Specific
Authentication and Authorisation. The feature allows the use of a User Identifier independent of
existing identifiers relating to a 3GPP subscription or UE, for Network Slice-Specific
Authentication and Authorisation. For such Network Slice Specific Identifiers, the AMF invokes
an EAP-based Network Slice-Specific authentication procedure in which the AUSF exchanges
AAA protocol messages with a potentially external AAA Server (AAA-S) via an optional AAA
Proxy (AAA-P) to authenticate and authorize a UE for the network slice. Depending on the
result of the procedure a UE is either authorized for a network slice, re-allocated to a different
one or deregistered.67.
Other relevant security aspects of enhancing the 5G system include:
 Security for enhanced Service Based Architecture

 Security for User Plane Gateway Function for Inter-PLMN Security
 Security aspects of Enhanced Network Slicing
 Security for NR Integrated Access and Backhaul
 Security aspects of Service Enabler Architecture Layer for Verticals
 Security of evolution of Cellular IoT security for the 5G System
 3GPP profiles for cryptographic algorithms and security protocols
Last but not least, Release 16 of 5G specifications include updated versions of the 5G Security
Assurance Specifications (SCAS). SCAS provide an extensive description of the security
requirements (including test cases) to demonstrate compliance of the network product with the
security requirements defined by 3GPP. SCAS are continuously developed to embed solutions
to disclosed vulnerabilities and ensure the security of 5G system’s critical components, and of
the 5G system as a whole.
66
https://www.etsi.org/deliver/etsi_ts/133500_133599/133501/15.01.00_60/ts_133501v150100p.pdf, accessed October
2020
67
Services and System Aspects; Release 16 Description; Summary of Rel-16 Work Items (Release 16),
54
December 2020
The following SCAS requirements have been updated to reflect changes proposed by Release 16:
TS 33.512 - Access and Mobility management Function (AMF)
TS 33.514 - Unified Data Management (UDM)
TS 33.515 - Session Management Function (SMF)
TS 33.516 - Authentication Server Function (AUSF)
TS 33.517 - Security Edge Protection Proxy (SEPP)
TS 33.520 - Non-3GPP Inter-Working Function (N3IWF)

No security considerations have been developed for this zoom-in. This is due to the fact that all
security consideration covered in the rest of the zoom-ins constitute the entire set of security
considerations, underlying thus its horizontal nature of security. Hence, it is considered that they
cover this topic in an exhaustive manner and there is no need to be repeated in this section.
3.11 5G PHYSICAL INFRASTRUCTURE (ZOOM-IN)

One of the most relevant aspects in the transition from previous generations of mobile
telecommunications into 5G is the fact that part of the network functions, previously performed
by physical appliances, are now executed by software that virtualizes the functionality of
physical components. Additionally, some of these physical components were mostly proprietary
and incompatible with other solutions but with 5G, the network software can run in any
commercial-of-the-shelf (COTS) hardware, allowing the operators to have more independence
from manufacturers and share physical infrastructures among various tenants and applications.
This significant change will allow great scalability, quicker deployments, cost efficiency and
integration between different components of the network. On the other hand, the virtualisation of
physical infrastructure components increases significantly the impact of failures: a shared
physical component will serve multiple functions (e.g. virtual functions, slicing, user equipment
functions, etc.), playing thus a significant role in the service provisioning chain.
Nonetheless, the physical 5G architecture is going to remain exposed to more generic threats
that are pertinent to physical components, such as damage/theft, sabotage, natural disasters,
outages, failures and malfunctions, just to name the most important ones. While in previous
mobile networks such failures had a more “restricted” influence in service provisioning, with the
5G virtualisation failures of physical components may have an amplified impact, typical to
shared resources. This fact increases the criticality of 5G physical infrastructure components,
as multiple services are going to depend on them. The 5G physical infrastructure is depicted in
the following the figure.
55
December 2020
Figure 10: 5G physical infrastructure Zoom-in

While 5G Release 16 does not bring any novelties to the physical infrastructure per se, a series
of enhancements referred to in other sections of the document will impact the physical
infrastructure and associated security considerations:
 Integrated Access and Backhaul, eliminates the need for wired backhaul connection,
allowing a speedier densification of the wireless network.
 Improved support for non-public networks (NPN) will lead to an increase in deployment
scenarios that involve private networks that utilize dedicated small cell base stations)
that are independently managed to deliver locally-optimized applications. Further detail
is given in section the 5G RAN zoom-in (see section Error! Reference source not f
ound.).
Impact of virtualisation
Software Defined Networking (SDN) and Network Function Virtualization (NFV) allow
disconnection of software execution from specific physical hardware and provide for better
resilience and latency. SDN offers flexibility how to configure the routing paths between
dynamically configured virtualized network functions.
It should be noted, that container technology generates a bigger attack surface against systems
(e.g. via supported APIs, and through intrinsically less security functions, by being a technology
at initial maturity levels). However, softwarisation and virtualization of functions may increase
availability and integrity requirements for shared physical resources, some of them placed in
remote locations. Physical security controls for such resources should be commensurate with
their respective importance.
Affected components: Central DC, Local DC
56
December 2020
General Physical security considerations
Physical security considerations valid for previous generations of mobile networks still apply.
They focus around two general objectives: ensuring appropriate environmental conditions for
equipment operations and protection of perimeters hosting sensitive assets.
Special consideration must be given to equipment located in third party premises or otherwise
remote facilities rooms. These should be protected using a risk-calibrated set of physical and
environmental controls aimed to assure access control, monitoring, continuity of operations and
protection against environmental disasters. Failure to do so may lead to unauthorised access,
destruction of assets and impairment of operations.
Related components: Local DC, gNB-DU, gNB-CU
Threats to edge cloud computing resources
The deployment of Edge Cloud computing resources at the edge of the network, in data centres
or data rooms with significantly less physical control and protection than the central data
centres expose important computing resources to physical security threats, which can lead to
service compromise or even an access path to central resources.
Affected components: Edge DC
Vulnerability of air interface to jamming attacks
As any wireless cellular networks, 5G networks are built upon open sharing over specific
frequencies, making them prone to interference. This weakness can be used by some
adversary nodes/equipment to cause intentional interference and hinder legitimate user’s
communication over the spectrum of wireless channels dedicated to this technology. 5G
improves resilience against jamming attacks over the 4G LTE, but remains vulnerable to
customised attacks68. Jamming attacks are a particular concern for mission-critical applications.
Related components: Base stations
3.12 IMPLEMENTATION OPTIONS / MIGRATION PATHS ZOOM IN

5G can be deployed in different deployment options, where SA (standalone) options consist of
only one generation of radio access technology and NSA options consist of two generations of
radio access technologies (4G LTE and 5G). The early deployments will be adopting either non-
standalone option 3 or standalone option 2 as the standardisation of these two options have
already been completed69.
Non-standalone option 3 is where radio access network is composed of eNBs (eNode Bs) as
the master node and gNBs (gNode Bs) as the secondary node. The radio access network is
connected to EPC (Evolved Packet Core). The NSA option 3, as it leverages existing 4G
deployment, can be brought to market quickly with minor modification to the 4G network. This
option also supports legacy 4G devices and the 5G devices only need to support NR (New
Radio) protocols so device can also be developed quickly.
On the other hand, NSA option 3 does not introduce 5GC and therefore may not be optimised
for new 5G use cases beyond mobile broadband. In addition, depending on how 5G devices are
68
Y. Arjoune and S. Faruque, "Smart Jamming Attacks in 5G New Radio: A Review," 2020 10th Annual Computing and
Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2020, pp. 1010-1015, doi:
10.1109/CCWC47524.2020.9031175, accessed October 2020.
69
GSMA - 5G Implementation Guidelines: NSA Option 3, February 2020 https://www.gsma.com/futurenetworks/wp-
content/uploads/2019/03/5G-Implementation-Guidelines-NSA-Option-3-v2.1.pdf, accessed October 2020.
57
December 2020
developed, the EPC may need to be retained longer than in the case of having EPS (Evolved
Packet System) for 4G alone (instead of supporting NSA Option 3).
Standalone option 2 is where radio access network consists of only gNBs (gNode Bs) and
connects to 5GC (5G Core), and the 5GC interworks with EPC. SA option 2 has no impact on
LTE radio and can fully support all 5G use cases by enabling network slicing via cloud native
service-based architecture. On the other hand, this option requires both NR and 5GC, making
time-to-market slower and deployment cost higher than that of NSA option 3. Furthermore, the
devices would need to support NR and core network protocols so it would take more time to
develop devices.
Finally, as the standalone 5G System would need to interwork with EPS to ensure service
continuity depending on coverage, the interworking between EPC and 5GC may be necessary.
Figure 11: Implementation options / Migration Paths
The elements of the Option 3 Non-standalone architecture are:
EPC Evolved Packet Core (EPC) is a framework for providing converged voice and data on a
4G Long-Term Evolution (LTE) network.
2G and 3G network architectures process and switch voice and data through two separate
sub-domains: circuit-switched (CS) for voice and packet-switched (PS) for data. Evolved
Packet Core unifies voice and data on an Internet Protocol (IP) service architecture and
voice is treated as just another IP application.
EPC+ Evolved Packet Core (EPC) is the LTE Core Network.

In order to support the Non-standalone deployments with LTE and NR technologies, the
core network will need to undergo a series of improvements – hence the EPC+
designation. Envisaged improvements include increasing the bandwidth of the S1-U
interface to meet the LTE/NSA transmission requirements.
There are two typical scenarios for EPC upgrade to support 5G deployment.
Scenario A:
• Physical EPC is upgraded to support NSA;
• Capacity expansion is based on physical EPC.
58
December 2020

Scenario B:
• Build a new virtualized EPC network to support NSA independently;
• Interoperability is made between the new virtualized EPC and the physical EPC;
• Capacity expansion is based on the virtualized EPC.
At the time of this analysis, priority is given to Scenario B, which can be smoothly evolved
to the target network through the expansion of virtualized EPC.
5G Core Network (5GC) The core network is the central part of the 5G infrastructure and enables all functions
related to multi-access technologies - see 5G Core Network zoom-in.
En-gNB En-gNB is a node providing NR user plane and control plane protocol terminations
towards the UE, and acting as Secondary Node in EN-DC.
En-gNB is a gNB that supports legacy E-UTRAN interface.
MeNB (Master node) The LTE eNB is referred to as the MeNB to indicate that it is the ‘Master’ (M) base station
controlling the ‘Secondary’ (S) 5G NR base station.
In MR-DC (Multi-Radio Dual Connectivity), the radio access node that provides the control
plane connection to the core network. It may be a Master eNB (in EN-DC), a Master ng-
eNB (in NGEN-DC) or a Master gNB (in NR-DC and NE-DC).
X2 Interface X2 is an interface for the interconnection of two E-UTRAN NodeB (eNB) components and
an E-UTRAN NodeB (eNB) and an E-UTRAN gNodeB (en-gNB) within the Evolved
Universal Terrestrial Radio Access Network (E-UTRAN) architecture. It is specified in the
3GPP 36.42x series of technical specifications.
The X2 interface provides capability to support radio interface mobility and Dual
Connectivity either between eNBs or between eNBs and en-gNBs of UEs having a
connection with E-UTRAN.
The list of functions on the X2 interface is the following:
• Intra LTE-Access-System Mobility Support for ECM-CONNECTED UE;
• Load Management;
• Inter-cell Interference Coordination;
• General X2 management and error handling functions;
• Application level data exchange between eNBs
• Trace functions;
• Data exchange for self-optimisation;
• E-UTRA-NR Dual Connectivity (EN-DC).
S1 Interface S1 interface for the interconnection of the evolved NodeB (eNB) component of the
Evolved Universal Terrestrial Radio Access Network (E-UTRAN) to the Core Network
(CN) of the Evolved Packet System (EPS). It is specified in the 3GPP 36.41x series of
technical specifications.
The S1 interface supports:
• procedures to establish, maintain and release E-UTRAN Radio Access Bearers;
• procedures to perform intra-LTE handover and inter-RAT handover;
• the separation of each UE on the protocol level for user specific signalling
management;
• the transfer of NAS signalling messages between UE and EPC;
• location services by transferring requests from the EPC to E-UTRAN, and
location information from E-UTRAN to EPC;
• mechanisms for resource reservation for packet data streams.
MME Mobility Management Entity (MME) is the key control-node for the LTE access-network. It
is responsible for idle mode User Equipment (UE) paging and tagging procedure including
retransmissions. It is involved in the bearer activation/deactivation process and is also
responsible for choosing the Serving Gateway for a UE at the initial attach and at time of
intra-LTE handover involving Core Network (CN) node relocation. It is responsible for
authenticating the user (by interacting with the Home Subscriber Server). The Non Access
Stratum (NAS) signalling terminates at the MME and it is also responsible for generation
and allocation of temporary identities to UEs. It checks the authorisation of the UE to
camp on the service provider's Public Land Mobile Network (PLMN) and enforces UE
roaming restrictions.
59
December 2020
SGW The Serving Gateway (SGW) routes and forwards user data packets, while also acting as
the mobility anchor for the user plane during inter-eNodeB handovers and as the anchor
for mobility between LTE and other 3GPP technologies (terminating S4 interface and
relaying the traffic between 2G/3G systems and Packet Data Network Gateway). For idle
state User Equipment, the Serving Gateway terminates the downlink data path and
triggers paging when downlink data arrives for the User Equipment. It manages and
stores UE contexts, e.g. parameters of the IP bearer service, network internal routing
information.
User Equipment (UE) User equipment is any device used by users to communicate within the 5G infrastructure.
Besides a SIM, user equipment may be home appliances of any kind (e.g. computer, IoT
devices, etc.).
Risks related to legacy technologies
LTE networks and 5G NSA networks based on LTE core networks will continue to operate in
the operators’ networks for years to come. Early 5G commercial launches are leveraging
3GPP’s Non-Standalone 5G specifications, meaning these early 5G NSA networks are required
to use the LTE control plane protocols and the LTE Evolved Packet Core (EPC) network. Initial
5G NSA launches will deliver only Enhanced Mobile Broadband (eMBB) service so, any LTE
threats and vulnerabilities will also exist in the 5G NSA network.
Even after the operators upgrade their cell sites with 5G radios (gNBs) using the NSA
architecture, some of these 5G NSA cell sites may operate as 5G NSA sites for years after
Standalone 5G networks are operational. NSA architectures are expected to live alongside
each other for a considerable period, so a series of legacy risks will remain active 70.
Affected components: EPC, eNB
INTER-RAT (Radio Access Technologies) Handover
3GPP has specified interworking that allows 5GC network functions to support interfaces to an
EPC. Handover attempts to NR connected to 5GC from 4G LTE will occur, with active data
sessions at risk of disruption if a roaming agreement exists for 4G, but not for 5G between
PLMN’s. The MME can prevent such handover attempts by including RAT and Core Network
Type restrictions in the Handover Restriction List to E-UTRAN71.
Roaming
5G NSA roaming is essentially 4G roaming because NSA uses the EPC for all Core Network
functions. From a security perspective, a 5G NSA roaming connection introduces no new
protection, since it continues to use Diameter, SIP/VoLTE and possibly SS7. Diameter and SS7
are vulnerable to eavesdropping including voice calls, reading text messages, and tracking
phones. Note: This consideration is also relevant for 5G SA, as there will be a need for roaming
agreements with non-5G networks, hence Diameter and SS7 attacks will still apply.
70
A 5G AMERICAS White Paper – Security considerations for the 5G Era, June2020 https://www.5gamericas.org/wp-
content/uploads/2020/07/Security-Considerations-for-the-5G-Era-FINAL-Word.docx, accessed October 2020
71
GSMA - 5G Roaming Guidelines, May 2020 https://www.gsma.com/newsroom/wp-content/uploads//NG.113-v2.0-1.pdf ,
60
December 2020
For 5G SA the roaming flows will be considerably different, as HTTP/2 and JavaScript Object
Notation (JSON) will be used versus the legacy Diameter protocol. Voice over New Radio
(VoNR) will replace VoLTE in the 5G network and Security Edge Protection Proxy (SEPP) will
establish a secure, encrypted connection with the roaming partner’s SEPP72.
As regards inter-operators Roaming, the following considerations need to be taken into account:
- Authentication confirmation between 5G SA-Networks must be activated in order to

address the voice&sms eavesdropping, as well as the tracking threats. But whether or
not authentication confirmation will be activated/enforced depends on multiple
parameters.
- According to 33.501, SUPI “should” be encrypted while ME attaches in roaming scenario,
but there are exceptions to this rule, which may become the norm if care is not taken.
Affected components: EPC, eNB.

Note: In roaming, components and procedures not specified by 3GPP play a role, for example
those involved with CDR (Calling Data Record) exchange, such as NRTRDE (Near Real Time
Roaming Data Exchange), SS7 Firewalls and SMS Firewalls.
The security assured by the EPC / 5G Core functions and the security of the Core Network itself
is built upon the permanent update of Security Assurance Requirements for critical network
components.
Failure the ensure that early-deployed systems or sub-systems comply with updated security
assurance requirements may lead to unsubstantiated trust in the security offered by the 5G
system as a whole.
3.13 PROCESS MAP

Telecommunication network security is more than a sum of technical specifications. Security is
built and maintained by security-relevant processes, in four major areas:
- Standardization: operators, vendors and other stake-holders set standards for how
networks around the globe will work together. This also includes how best to protect
networks and users against malicious actors.
- Network design: vendors design, develop and implement the agreed standards for
functional network elements and systems only, and warrant that they have a complete
control and responsibility over the whole delivered systems, which play a crucial part in
making the end network product both functional and secure.
- Network configuration: at the deployment phase, networks are configured for a
targeted security level, which is key to setting security parameters and further
strengthening the security and resilience of the network.
- Network deployment and operation: the operational processes which allow networks to
function and deliver targeted levels of security are highly dependent on the deployment
and operations of the network itself.73
While all stakeholders are relevant to ensure that security is embedded in the 5G System,
design, implementation and operation, two stakeholders are of particular relevance to the
72
A 5G AMERICAS White Paper – Security considerations for the 5G Era, June2020 https://www.5gamericas.org/wp-
content/uploads/2020/07/Security-Considerations-for-the-5G-Era-FINAL-Word.docx, accessed October 2020.
73
A guide to 5G network securityericsson.com; Conceptualizing security in mobile communication networks – how does 5G
fit in?: Ericsson AB 2018; https://www.ericsson.com/48fcab/assets/local/news/2018/10201291-
04_gir_report_broschure_dec2018_webb_181212.pdf, accessed October 2020.
61
December 2020
cybersecurity of 5G network. On the one hand, mobile network operators (MNO) have a central,
decision-making role, giving them leverage on the overall secure operation of their networks,
and on the other hand, telecom equipment manufacturers, who are responsible for the provision
of software and hardware required to operate networks and liable for any Trojan or uncontrolled
piece of software delivered to MNO74.
To reflect this, in this section we highlight MNO and Vendor lifecycle processes and the
associated security considerations, along with Security Assurance processes that span across
several relevant stakeholder groups.
3.13.1 MNO Lifecycle Processes

MNO Lifecycle processes are aligned with eTOM – enhanced Telecom Operation Map75, and
include all actions necessary to Design, Build and Operate the 5G Network. eTOM makes
available a standard structure, terminology and classification scheme for describing
business processes and their constituent building blocks.76
Of increased importance for the Secure Design, Implementation and Operation of the 5G
System are the Resource and Supply Chain Development, Management and Operation
Processes, as well as the Enterprise Risk management Processes.
An overview of the MNO processes most critical to 5G system’s security over the Design, Build,
Operate phases is presented in the figure below:
Figure 12: MNO Lifecycle processes
74
EU coordinated risk assessment of the cybersecurity of 5G networks Report 9 October2019,
https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=62132, accessed October 2020.
75 http://casewise.tmforum.org/evolve/statics/frameworx/#cwtype=index&cwview=index_diagrams_etom_start, accessed
November 2020.
76
M.3050 : Enhanced Telecom Operations Map (eTOM) – An eTOM primer, https://www.itu.int/rec/T-REC-M.3050-200702-
I!Sup4/en, accessed November 2020
62
December 2020
The description of MNO lifecycle processes in correlation with eTOM – enhanced Telecom
Operation Map77 is presented below:
Process Short description of the process
Resource capability delivery This category of processes coordinate and enact deployment of new technologies.
These processes ensure that network and associated resources are deployed in
timely and compliant manner.
This is why well-functioning of these processes is critical to coordinate major system
changes such as transition to 5G
Resource development and This category of processes encompasses all processes in the Build phase charged
retirement with development of new technologies and the associated resource types. These
processes are also tasked with the initial decision to acquire external resources,
therefore due needs to be taken to provide necessary controls that take into account
all relevant risks. Last but not least, retirement or removal of certain technologies
and associated resource types, are relevant in the context of transition to new
technologies such as 5G.
Support Resource Support & Readiness processes are to ensure that appropriate resources are
management and operation available and ready to support the Operation Phase processes.
- Support & Readiness
Key responsibilities of these processes that directly impact security of the 5G
System include: operations readiness testing and acceptance, Vulnerability
Management, Threat Assessments, Risk Assessment and Mitigation and Secure
Configuration Activities
Resource provisioning Resource Provisioning process deal with allocation, installation, configuration,
activation and testing of resources.
Key responsibilities of these processes that directly impact security of the 5G
System include: verification of resource availability; allocation of resources to
requests from other processes such as incident recovery, vulnerability management
or security function capability; configuration management, and; activation of
resources and updating of resource inventory.
Resource Trouble Resource Trouble Management processes are tasked with the management of
Management undesired behaviour of specific resources, hence they are key for timely and
effective management of security events. .
Resource data collection & Resource Data Collection & Distribution category of processes encompasses
distribution technical monitoring of resource and service instances and monitoring of enterprise
processes to support to resource and service instances.
Results of monitoring processes provide key input for other processes such as
configuration management, performance management, security management.
Resource Performance Resource Performance Management processes use information received from
Management monitoring processes to analyse, control and report on the performance of specific
resources, in order to maintain operational objectives such as service quality and
security. Performance management processes should interface with other process
classes such as Resource Trouble Management, Service Quality Management or
Security Management.
Party Tender Management Party Tender Management processes manage the entire tender lifecycle, from
development of tender documents to tender decision-making.
These processes are key for 5GS compliance and security, as due care should be
taken to include all relevant requirements in tender documents and ensure
adequateness of suppliers to risk classes of purchased products or services..
Party Offering Development Party Offering Development & Retirement manage the on-boarding and off-boarding
& Retirement of product specifications and thus are critical to ensure an adequate level of security
at component and system level.
77
http://casewise.tmforum.org/evolve/statics/frameworx/#cwtype=index&cwview=index_frameworx_processes, accessed
November 2020.
63
December 2020
Process Short description of the process
Party Agreement Party Agreement Management manages all aspects of agreements with suppliers
Management and partners, from initiation to completion, to enable delivery of business and
technical capabilities required by the 5G system.
Party Support Management processes to engage parties who own and manage infrastructure,
provide infrastructure capabilities, or otherwise provide value to the operator.
Necessary facilities need to be in place to provide for interaction with parties in
delivering products and/or services necessary for the operation of the 5G system.
Party Interaction Interaction management deals with logging partners/supplier interaction, notification
Management of interacting parties and matters such as communication channels and
authentication/authorisation. These processes are key to ensure service level and
security at all phases of the 5GS, but also an important element in preventing
unauthorised dissemination of sensitive data.
Party Problem Handling Tasked with timely and effective resolution of all problems related to the
supplier/partner. It includes the entire problem lifecycle, from problem
communication, management, to closure and reporting
Party Performance Along with resource performance management, this process provides key input to
Management manage performance of key activities and resources outsourced to external
providers.
Business Continuity Development of strategies, policies, plans, organizational roles, responsibilities and
Management procedures for ensuring continuation of business processes and activities in the
event of serious and/or sustained interruption.
The relevant component of BCM for the 5G system are:
 Infrastructure recovery planning which provides for recovery and backup
procedures for all key infrastructure capabilities;
 Serious incident management planning which defines the operational
procedures and escalation criteria for operational and security incidents.
Note: BCM practices might encompass ITIL Service continuity management.
Fraud Management The general objective of the Fraud Management is prevention, detection and
response to fraud risk, fraudulent activities and actors.
The relevance of Fraud management processes for this document is given by the
fact that they encompass interaction with Law Enforcement Agencies (LEA).
Enterprise risk audit Enterprise Risk Audit Management proactively works with the business to
management understand, assess, and report on risk. This category of processes provide
assurance to senior management that the processes and controls to mitigate risk are
effective and conform to reference standards. This process is relevant as the
migration to 5G will expose the MNO to novel risks which must be correctly
identified, evaluated and managed
Insurance management Insurance management processes identify areas and activities within the enterprise
where risk aspects are insurable and analyse the cost/benefits of undertaking
specific insurance. This process is relevant as the migration to 5G will expose the
MNO to novel risks, or may impact the operator’s exposure to currently insured risks.
Regulatory management Regulatory Management processes ensure that the enterprise complies with all
applicable regulations. This might be sector-specific (telecommunications), or
general, e.g. NIS Directive and subsequent national legislation. The relevant
requirements must be fed in to the design and operation processes
Security Management Security management processes as per ISO 27011 / ITU X.1051, including Incident
Management.
64
December 2020
3.13.2 VENDOR DEVELOPMENT AND PRODUCT LIFE CYCLE PROCESSES

Vendor Development and Product Lifecycle processes covers all aspects potentially impacting
a Network Product’s lifetime, including it being planned, designed, implemented, delivered,
updated, and eventually ramped down.
For new Network Products and any modifications of Network Products, the Product
Development phases are executed in a cyclical fashion, starting again from the beginning once
finished for the previous Network Product release78.
These processes must meet a clear set of security objectives and requirements to ensure that
network products meet the baseline security criteria and capabilities necessary as building
blocks for the overall security of the 5G network.
In addition, the network products themselves must meet baseline security criteria, tailored to
their product class. These criteria are defined by 3GPP in the Security Assurance Specifications
(SCASs) series of Technical Specification. Specific use cases and deployment scenarios may
request additional security requirements, as defined by operators or regulators.
An objective assessment process that the network products and the processes at their origin
meet baseline criteria is paramount for building trust in the 5G network, hence an important
input for any procurement decisions.
The GSMA Network Equipment Security Assurance Scheme (NESAS)79 and 3GPP Security
Assurance Methodology (SECAM)80 provide the blueprint for such an evaluation process and
reference criteria. While the allocation of responsibilities among the actors of an assurance
scheme might vary, the activities and their flow should be always based on the principles of
independence, objectivity, competence. The vendor and product lifecycle processes are
presented below:
Figure 13: Vendor and product lifecycle processes
78
FS.16 – NESAS Development and Lifecycle Security Requirements v.1.1, GSMA, 20 July 2020,
https://www.gsma.com/security/wp-content/uploads/2020/09/FS.16-NESAS-Development-and-Lifecycle-Security-
Requirements-v1.1.pdf, accessed October 2020.
79
FS.16 – NESAS Development and Lifecycle Security Requirements v.1.1, GSMA, 20 July 2020,
https://www.gsma.com/security/wp-content/uploads/2020/09/FS.16-NESAS-Development-and-Lifecycle-Security-
Requirements-v1.1.pdf, accessed October 2020.
80
3GPP TR 33.818 V0.7.0 (2020-05), Technical Report, 3rd Generation Partnership Project; Technical Specification Group
Services and System Aspects; Security Assurance Methodology (SECAM); and Security Assurance Specification (SCAS);
for 3GPP virtualized network products (Release 16), https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-
g40.zip, accessed October 2020.
65
December 2020
The description of the Vendor and product lifecycle processes is presented below.
Process Sub-processes
Planning In case of a completely new Network Product, the requirements for the first Release
are planned. In the case of a new version of an existing Network Product, the
requirements for the changes to be introduced by the next release are planned based
on updated functional requirements as well as bug and vulnerability reports received
against prior versions, if applicable.
Design The implementation of the planned requirements for the Release is planned in detail.
Implementation The planned requirements are implemented as per the design.
Testing and Verification The fulfilment of the requirements by the implementation is verified. If the verification
fails, the relevant requirement usually goes back to the “Implementation” phase. This
phase also contains the security related testing and verification activities.
Release The decision to release a given revision of a tested and verified implementation.
Manufacturing In this phase, the development Release is converted into a deliverable Network
Product. In the case of pure software delivery, this is the delivery of the Release to the
provisioning process.
Delivery The delivery of the manufactured Network Product.
Product development All the phases described above.

process
First Commercial The Network Product starts its commercial lifetime by means of a first Release to be
Introduction accepted for use in live commercial networks. Before that, earlier Releases may have
been tested in test environments.
Update The Network Product is updated by means of either a minor or a major Release. This
phase is usually a cycle of such Releases.
Minor Release A minor Release fixes vulnerabilities and other bugs found in earlier versions. It
commonly introduces not more than minor feature enhancements and architectural
changes.
Major Release A major Release fixes vulnerabilities and other bugs found in earlier versions. It may
introduce major feature enhancements and architectural changes.
End Of Life No updates for the Network Product are supplied anymore. As this process occurs
after contractual and regulatory requirements to maintain the Network Product have
ceased, this commonly marks the end of a Network Product’s lifetime.
3.13.3 SECURITY ASSURANCE PROCESSES

The operator can use as support for its purchasing decision the results of security conformity
assessments integral to the Security Assurance Methodology, as defined by 3GPP33.916
Technical Specification81.
The SECAM process provides the blueprint for any security assurance scheme such as product
certification and vendor accreditation, and covers the following tasks:
81
3GPP TR 33.916 V16.0.0(2020-07) Technical Report 3rd Generation Partnership Project; Technical Specification Group
Services and System Aspects; Security Assurance Methodology (SCAS) for 3GPP network products (Release 16),
66
December 2020
 Vendor network product development and network product lifecycle management

process assurance compliance (assessing if the method used to develop the products
is compliant with the Vendor network product development and network product
lifecycle management process assurance requirements).
 Security Compliance Testing (assessing if requested security requirements are
correctly implemented in a network product). This includes Vulnerability Testing
(running of a set of FOSS/COTS tools on external interfaces of the Network product).
The ultimate output of the SECAM evaluation is:
 An evaluation report demonstrating compliance of the network product with the 3GPP
security assurance specifications;
 Evidence to demonstrate to the test laboratory that the accredited vendor product and
development lifecycle processes have been complied with for the network product;
 Evidence that the actors performing the evaluation tasks are accredited by the SECAM
Accreditation Body.
The operator examines the evaluation reports together with the evidence that the actors
performing the evaluation tasks have been accredited by the SECAM Accreditation Body.
Note: while the actors and distribution of tasks and responsibilities among actors may vary in
different Assurance schemes, the general processes and sequence of tasks will stay generally
unchanged, provided that criteria for impartiality and competence of actors that perform
assessment tasks are maintained. The security assurance activities are presented below.
Figure 14: Security assurance activities
67
December 2020
The description of the security assurance activities is presented below.
Activity Description
Accreditation Formal recognition by an accreditation body that a conformity assessment body is

impartial and competent to carry out specific tests or types of assessments.
The Accreditation Body defines requirements and processes for:
 vendor network product development and network product lifecycle
management processes accreditation;
 test laboratory (vendor owned or third party) accreditation, and
 dispute resolution.
Product development Vendor network product development and network product lifecycle management
process processes assurance requirements as well as related evaluation activities generic to all
network product classes are defined by the Accreditation Body. In the SECAM scheme,
the requirements are defined in the NESAS Security Assurance Requirements, but
various conformity assessment schemes may define different criteria.
Lifecycle management consists of establishing discipline and control in the updates of
network product during its development and maintenance. Lifecycle management
controls are important during normal improvement of network product as well as for
vulnerability/security flaw remediation (documentation used to track vulnerability/security
flaw, remediation procedure with relation to corrective actions for each identified
vulnerability/security flaw…).
The Vendor network product development and network product lifecycle management
processes assessment covers a vendor's engineering processes and does not
necessarily apply only to a single network product. This means that the results of one
assessment may apply to more than one network product. Vendors can submit their
generic network product development and network product lifecycle management
processes or a subset of them for auditing and accreditation.
Security compliance testing Evaluation process step used to describe activities for checking the compliance of a
network product with applicable Security Assurance Specifications (SCAS).
Vulnerability testing The process of running security tools against a network product.
Vulnerability testing is defined by the use of Free and Open Source Software (FOSS)
and Commercial off-the-shelf (COTS) security testing tools on the external interfaces of
the network product, as well as manual testing procedures for specific attack scenarios.
Operator procurement The operator examines the network product, the security compliance testing, including
decision the vulnerability testing analysis reports, the self-declaration as well as the optional
evidence of accreditation from the SECAM Accreditation Body for the actors performing
the evaluation task and decides if the results are sufficient according to its internal
policies. In particular, the operator can perform a sample of the security compliance
testing and vulnerability testing, based on the delivered test procedures.
Audit During an audit, the processes will be evaluated and their application on development
activities in practice will be verified. An accreditation will be awarded, if the requirements
are met.
The accreditation processes consist of:
 assessing the skills of the vendor‘s or third-party test laboratories in conducting
an evaluation for conformance to Security Assurance requirements for a given
network product class or range of classes, and
 assessing the compliance to Test methodology (for security compliance testing
and vulnerability testing laboratories).
Monitoring The Accreditation Body monitors different kinds of accredited actors within the scheme:
 Vendors development and product lifecycle processes, which are expected to
comply with the Security Assurance requirements and
 Test laboratories (for security compliance testing and vulnerability testing),
which are expected to comply with the Test Methodology and skills
requirements.
68
December 2020
Activity Description
Standardisation 5G security issues are addressed in the work undertaken by standards bodies, notably
within the workgroup on Service and System Aspects 3 (SA3) of the 3rd Generation
Partnership Project (3GPP). Other relevant standardisation bodies include ETSI and
GSMA.
Development of standards continuously evolve security specifications, taking into
account ongoing research on security threats and vulnerabilities.
Responsible disclosure Vulnerability Disclosure of security vulnerabilities is a well-established process which

allows stakeholders such as security researchers to report details of security
vulnerabilities in products and services.
Vulnerability Disclosure Programmes, such as the GSMA Coordinated Vulnerability
Disclosure (CVD) programme provide a framework that sets clear expectations for
constructive engagement by all parties to remediate or mitigate notified vulnerabilities.82
Results of vulnerability disclosure processes are an important input for standardization
work, as security requirements are evolving to respond to identified vulnerabilities.
82
GSM Association FS.23-GSMA Coordinated Vulnerability Disclosure Program, Version 3.016 July 2020,
https://www.gsma.com/security/wp-content/uploads/2020/07/FS.23-v3.0.pdf , accessed September 2020
69
December 2020
4. 5G VULNERABILITIES
4.1 VULNERABILITY ASSESSMENT METHOD AND SCOPE

This chapter provides the vulnerability assessment for the components of the 5G architecture.
The chapter is structured according to the various zoom-ins: for each zoom-in, a set of
vulnerabilities for all related components is being presented. These vulnerabilities detail the
security considerations formulated for each zoom-in.
Due to the large number of vulnerabilities, and in order to facilitate readability, in this chapter we
introduce vulnerability groups for the components of each zoom-in. The detailed vulnerabilities
of each zoom-in are presented in a corresponding annex. While in the following sections a short
description of vulnerability groups with highlights of the assessed weaknesses are presented,
the annexes provide all details of each individual vulnerability, such as: detailed description,
associated assets, threats exploiting the vulnerability, security controls to remove/reduce the
exploitation surface, stakeholder responsible for the implementation of controls, as well as
references to relevant sources.
For the sake of completeness of vulnerability assessment, some vulnerability groups that apply
to multiple assets throughout several zoom-ins, are repeated in all relevant zoom-ins. This
redundancy has been introduced in order to have a complete picture of the vulnerabilities at
zoom-in level. Examples of such vulnerabilities are: virtualization vulnerabilities, vulnerabilities
emerging from weak hardening of software, logging vulnerabilities, etc.
Each of the following sections is dedicate to a zoom-in. Besides the vulnerability groups
applying to the assets of the zoom-in, it provides a reference to the cyberthreats that may lead
to an exploitation, to the relevant measure foreseen in the Toolbox, as well as to references in
relevant literature.
As regards the target groups of vulnerability assessment, the vulnerability groups presented in
this chapter targets technical experts willing to have an overview of weaknesses of various
technical components included in a zoom-in. This information can be used as a check-list in
order to scrutinize the development of technical and organisation security measures and/or
assess future actions to assess the priorities in the implementation of measures (e.g. depending
on the current status of implementation of 5G functions).
The detailed vulnerabilities found in the annexes target technical experts working in the
implementation of threat mitigation. It may be useful for checking the implementation status,
planning/prioritizing implementation of security protection measures, assessing protection gaps,
scoping of certification activities, etc.
4.2 VULNERABILITY GROUPS FOR CORE NETWORK

In the security considerations of core network, we have identified the following areas of
vulnerabilities:
Service-based architecture: weaknesses are related with the protection of open source APIs, in
particular with their integrity, authentication and protection for the data (in transit and stored).
Security update gap between new security requirements and deployment of updated versions of
network functions in operational systems. Two major factors are relevant for this gap: a)
vendors’ responsiveness in issuing and validating new versions of the network functions that
70
December 2020
address the updated requirements, and b) timeliness and effectiveness of MNO processes to
update (e.g. UDM, AUSF, SEPP, NRF, NEF, SMF, AMF and UPF).
IP Based Protocol stack: the use of widely used IP protocols will lead to a shorted vulnerability
exposure time and high impact of vulnerability disclosure.
Besides these areas of vulnerability, virtualization vulnerabilities are also applicable, as well as
generic vulnerabilities related to soft- and hardware maintenance and hardening. The table
below provides a more exhaustive view on vulnerabilities of core network components.
Relevant toolbox Threat

Name Description
measures categories83
Vulnerabilities in Relevant vulnerabilities in AMF implementation TM02, TM09 NAA-EXPL,

implementation of include: NAA-ESH,
AMF security NAA-AAA,
functionalities • Incorrect implementation of authentication and NAA-DBLT,
key agreement procedure; NAA-IFAS,
• Incorrect implementation of security mode NAA-AIL
command procedure;
• Incorrect implementation of mechanisms for
intra-RAT mobility;
• Incorrect implementation of procedure for 5G-
GUTI allocation;
• Incorrect implementation of invalid or
unacceptable UE security capabilities handling.
Vulnerabilities in Relevant vulnerabilities in UPF implementation TM02, TM09 NAA-EXPL,

implementation of include: NAA-AAA,
UPF security NAA-DBLT,
functionalities • Incorrect user plane data protection; NAA-IFAS,
• Incorrect implementation of signalling data NAA-AIL
protection;
• Failure to assign unique TEID for a session.
Vulnerabilities in Relevant vulnerabilities in UDM implementation TM02, TM09 NAA-EXPL,

UDM security NAA-AAA,
functionalities • Incorrect implementation of synchronisation NAA-DBLT,
failure handling; NAA-IFAS,
• Incorrect implementation of protection SUCI NAA-AIL, EIH
de-concealment;
• Incorrect implementation of authentication
status handling by UDM.
Vulnerabilities in Relevant vulnerabilities in SMF implementation TM02, TM09 NAA-EXPL,

SMF security NAA-AAA,
functionalities • implementation of user plane security policy NAA-DBLT,
handling; NAA-IFAS
• Incorrect implementation of user plane security
policy checking;
• Incorrect implementation of unique Charging ID
assignment.
Vulnerabilities in Relevant vulnerabilities in SEPP implementation TM02, TM09 NAA-EXPL,

SEPP security NAA-AAA,
functionalities • Incorrect implementation of e2e core network NAA-DBLT,
interconnection security; NAA-IFAS,
• Incorrect implementation of cryptographic NAA-AIL
material handling;
• Handling of cryptographic material beyond
connection-specific scope
• Incorrect implementation of protection policies
mismatch handling.
83
To identify each threat category, use the taxonomy available in
Table of Annex B.
71
December 2020

Name Description
Vulnerabilities in Relevant vulnerabilities in NEF implementation TM02, TM09 NAA-EXPL,

NEF security NAA-AAA,
functionalities • No authentication on application function; NAA-DBLT,
• No Authorisation on northbound APIs. NAA-MND
Vulnerabilities in Relevant vulnerabilities in NRF implementation TM02, TM09 NAA-EXPL,

NRF security NAA-AAA,
functionalities • No slice specific authorisation for NF discovery NAA-DBLT,
NAA-MND
SBA/SBI Service-Based-Interfaces of network functions TM01, TM02, TM09 NAA-EXPL,

vulnerabilities of should provide adequate protection of access and of NAA-AIL,
5G Core data in transit. Relevant vulnerabilities include: NAA-AAA,
components NAA-DBLT,
• Improper transport layer protection, and NAA-MND
improper authentication mechanisms;
• Vulnerable authorisation mechanisms on
service access.
Improper Adequate security controls are needed for protecting TM01, TM02, TM09 NAA-DBLT,
protection of Data sensitive data stored, processed and transferred by NAA-IFAS,
and Information of 5G Core functions. Relevant vulnerabilities include: NAA-CSVS,
5G Core NAA-ESH
components • Disclosure of confidential system internal data
to users and administrators;
• Improper protection of data and information in
storage;
transfer;
• Failure to log access to personal data.
Improper Adequate security controls are needed for upholding TM01, TM02, TM07, NAA-EXPL,
protection of availability and integrity of 5G Core functions. TM09 NAA-ESH,
availability and Relevant vulnerabilities include: NAA-MSH
integrity of 5G
Core components • Improper handling of overload situations;
• Unrestricted boot memory devices;
• Weaknesses in processing of unexpected
input;
• Lack of / improper mechanisms for Network
Product software package integrity validation.
Vulnerable System functions should not be used without TM01, TM02, TM09 NAA-DoS,
mechanisms for appropriate authentication and authorisation and NAA-AAA,
authentication and authorisation checks. Relevant vulnerabilities NAA-DBLT,
authorisation of include: NAA-CSVS
5G Core
components • Improper authentication policy;
• Insecure / insufficient authentication attributes;
• Insecure password policy;
• Insecure authentication mechanisms to
management / maintenance interfaces;
• Failure to block consecutive failed login
attempts;
• Insecure authorisation and access control
mechanisms.
Improper session Systems should provide adequate mechanisms for TM01, TM02, TM09 NAA-AAA,
protection user session protection. Relevant vulnerabilities NAA-IFAS,
mechanisms of 5G include: NAA-DBLT
Core components
• Lack of logout function;
• Lack of inactivity timeout mechanisms.
72
December 2020

Name Description
Insufficient or Adequate mechanisms for collection and processing TM01, TM02, TM05, NAA-{all}, UD,
improper of security events should be in place. Relevant TM09 FM
monitoring vulnerabilities include:
mechanisms of 5G
Core components • Insufficient / inadequate logging of security
events;
• Logs not transferred to centralized storage;
• Improper protection of security event log files.
Vulnerabilities in Operating systems supporting 5G Core components TM01, TM02, TM09 NAA-MAL,
Operating should provide a safe and stable environment for 5G NAA-DoS,
Systems Functions. Relevant vulnerabilities include: NAA-ARA,
supporting 5G NAA-AAA,
Core components • Improper / insufficient mechanisms to protect NAA-ESH,
availability and integrity; NAA-MSH,
• Improper authentication and authorisation NAA-UANI,
mechanisms. NAA-DBLT,
FM
Vulnerabilities in Web servers serving functional and management TM01, TM02, TM09 NAA-MAL,
Web Servers services should provide adequate protection. NAA-DoS,
supporting 5G Relevant vulnerabilities include: NAA-ARA,
Core components NAA-AAA,
• Failure to encrypt communication between NAA-ESH,
Web client and Web server; NAA-MSH,
• Failure to log webserver activity; NAA-UANI,
• Improper HTTP User sessions protection; NAA-DBLT,
• Improper validation of HTTP input. FM
Vulnerabilities of The components of 5G Core may be implemented TM01, TM02, TM09 NAA-MAL,
network devices on dedicated network devices, which must be NAA-DoS,
running 5G Core adequately protected. Relevant vulnerabilities NAA-ARA,
components include: NAA-AAA,
NAA-ESH,
• Improper mechanisms for data and information NAA-MSH,
protection; NAA-UANI,
• Improper mechanisms for protecting availability NAA-MND,
and integrity. FM
Improper All 5G components, including the network functions TM01, TM02, TM07, NAA-MAL,
hardening of 5G in service-based architecture, should be hardened in TM09 NAA-DoS,
Core components order to reduce their respective surface of NAA-ARA,
vulnerability. Relevant vulnerabilities include: NAA-AAA,
NAA-ESH,
• Unnecessary or insecure services / protocols; NAA-MSH,
• Unrestricted reachability of services; NAA-UANI,
• Presence of unused software / functions / NAA-MND,
components; NAA-DBLT,
• Unrestricted remote login for privileged users; FM
• Excessive file-system authorisation privileges;
• Vulnerable OS configuration;
• Vulnerable Web server configuration;
• Improper separation of traffic;
• Improper hardening of 5G Core components.
Virtualisation Vulnerabilities in the virtualisation layer may lead to TM04 NAA-AVM,

vulnerabilities of risks such as unauthorised access to functions and UD, FM
relevant core data Virtualisation vulnerabilities include:
components
• Vulnerabilities in virtualisation of OS layer;
• Container vulnerabilities;
• Vulnerabilities in function virtualization.
73
December 2020

Name Description
Physical and Improper physical security of 5G Core Components TM07 PA, FM, OUT,
environmental infrastructure may impact the overall security and DIS
vulnerabilities of performance of the system. Relevant vulnerabilities
relevant core include:
components
• Improper physical security of Data-Centres /
Telecommunication equipment room;
• Improper isolation of physical secure perimeter
between tenants;
• Improper environmental protection controls;
• Inadequate / defective security devices.
A detailed list of core network vulnerabilities can be found in the Annex (see C Annex).
4.3 VULNERABILITY GROUPS FOR NETWORK SLICING

In the security considerations of network slicing, we have identified the following areas of
vulnerabilities:
Security-as-a-Service: While slices provide inherent security through segmentation, slices can
also be used to provide additional security protection and security services specific to the use
case and customer requirements. The implementation of slice security for use cases would rest
ultimately with the Mobile Network Operator (MNO) to include such services in the offer,
depending on its service strategy, market context, and in relation to vertical use-cases. This
might the source of vulnerabilities, to be checked for each particular implementation.
Resource isolation: While network slicing offers the ability of isolation to be used in various
scenarios, the proper isolation technique has to be suited to the use case at hand. Security
requirements of the particular use case will be an important element of consideration for the
selection of proper isolation mechanisms.
Secure Management and Orchestration: The architecture of the network slice MANO is
challenging from a business model perspective. This high complexity and flexibility, which bring
in higher security risks. Due to not finalized 3GPP specifications of authorisation of service
management requests, implementation weaknesses may arise.
Trust Model: The building of trust to MNO capabilities for the various 5G operation models has
to be based of the specified APIs. It needs to be assessed, if these APIs are sufficient for all
three defined operation models and how implementation will use them, in order to avoid
vulnerabilities in the management functions.
generic vulnerabilities related to soft- and hardware maintenance and hardening. The following
table provides a more exhaustive view on vulnerabilities of network slicing components.
74
December 2020

Name Description
measures categories
Vulnerabilities in Vulnerabilities in network segment negotiation TM01, TM02, NAA-EXPL,

implementation of procedures need to be secured in a standardized TM05 NAA-AAA
NS security way to prevent malicious attacks, e.g. man-in-the-
functionalities middle (MitM) attacks that could modify and
downgrade slice capabilities.
Service Based Network Slicing Management interface should be TM02, TM05 NAA-EXPL,
Vulnerabilities in secured so that only authorized parties can create, NAA-AIL,
Network Slicing alter, and delete network slice instances. If a NAA-AAA,
Management malicious party gained access to an insecure NAA-DBLT,
management interface, or if it could replay or modify NAA-MND
a valid message, then it would be able to spoof a
genuine network manager to compromise slice
security.
Improper Adequate security controls are needed to protect TM02, TM05, NAA-AIL,
protection of Data sensitive data stored, processed and transferred by TM07 NAA-MSH,
and Information NSI. Relevant vulnerabilities include: NAA-DBLT
• Improper protection of Network Slice Instance
supervision / reporting data;
• Lack of / ineffective tamper-proofing of Network
Slice Subnet Template (NSST).
Vulnerable System functions should not be used without TM02, TM05 NAA-AAA,
mechanisms for appropriate authentication and authorisation and NAA-ARA
authentication and authorisation checks. Relevant vulnerabilities
authorisation in include:
Network Slicing
Management • Improper slice-specific authentication
mechanisms;
• Lack of protection of NSSAI and home control;
• Lack of protection of the User ID and credentials.
Improper All 5G components, including the network functions TM01, TM02, NAA-MAL,
hardening of in service-based architecture, should be hardened in TM07, TM09 NAA-DoS,
network slicing order to reduce their respective surface of NAA-ARA,
components vulnerability. Relevant vulnerabilities include: NAA-AAA,
NAA-ESH,
components; NAA-DBLT,
• Unrestricted remote login for privileged users; FM, UD
• Vulnerable OS configuration;
• Vulnerable Web server configuration;
• Improper separation of traffic.
Virtualisation Vulnerabilities in the virtualisation layer may lead to TM04 NAA-AVM,

vulnerabilities of risks such as unauthorised access to functions and UD, FM
relevant network data Virtualisation vulnerabilities include:
slicing
components • Vulnerabilities in virtualisation of OS layer;
Insufficient or Adequate mechanisms for collection and processing TM02, TM05 NAA-{all}; UD,
improper of security events should be in place. Relevant FM
monitoring vulnerabilities include:
mechanism of
Network Slice • Insufficient / inadequate logging and auditing
Instance (NSI) across NSI lifecycle;
• Improper protection of security event log files;
• Improper isolation of monitoring capabilities and
data;
• Improper or insufficient end-to-end monitoring
capabilities for NSI.
A detailed list of network slicing vulnerabilities can be found in the Annex (see D Annex).
75
December 2020
4.4 VULNERABILITY GROUPS FOR RADIO ACCESS NETWORK

In the security considerations of radio access network, we have identified the following areas of
vulnerabilities:
Security of Ultra-Reliable Low-Latency Communication (URLLC): weaknesses in the

implementation of QoS may impact low-latency requirements. Optimization issues of control
and user plane will affect reliability and low latency of communications.
Vulnerability to Radio Jamming Attacks: an inherent weakness of wireless cellular

communications is the free frequency space that allows for intentional or unintentional
interferences. They can impact access of legitimate users and cause resilience issues in parts
of the network.
Failure to meet General Security Assurance Requirements: a set of weaknesses will arise
through the update requirements of various elements of RAN due to implementation of
migration steps and the ability of early-deployed systems to comply with specification updates
regarding security functions.
Optional nature of security controls for F1 interface: the optionality of security controls for this
protocol may lead to security weaknesses in its implementation.
below provides a more exhaustive view on vulnerabilities of remote access network
components.

Name Description
measures categories
Incorrect Relevant vulnerabilities in gNB implementation TM02, TM09 NAA-AIL, NAA-

implementation of include: AAA, NAA-
gNB security UANI, NAA-SS,
functions • Improper Ciphering and integrity checks of RRC- NAA-MND
signalling;
• Failure to ensure control plane data confidentiality
protection over N2/Xn interface;
• Improper ciphering of User data between UE and
gNB;
• Improper integrity protection and verification of
user data;
• Missing or improper replay protection
mechanisms;
• Lack of /improper mechanisms for prevention of
bidding down at Xn-handover;
• Improper Prevention of Key Reuse;
• Improper mechanisms to enforce security policy.
Improper protection Adequate security controls are needed for protecting TM01, TM02, TM09 NAA-AIL, NAA-
of Data and sensitive data stored, processed and transferred by MSH, NAA-
Information of gNB gNB components. Relevant vulnerabilities include: DBLT
Components
• Inadvertent disclosure of confidential system
internal data;
storage;
transfer.
76
December 2020

Name Description
measures categories
Improper protection Adequate security controls are needed for upholding TM01, TM02, TM09 NAA-DoS, NAA-
of availability and availability and integrity of gNB functions. Relevant MSH, NAA-
integrity of gNB vulnerabilities include: DBLT, UD
functionality
• Improper handling of overload situations;
• Unrestricted boot memory devices;
• Weaknesses in processing of unexpected input;
• Lack of / improper mechanisms for software
package integrity validation.
Vulnerable System functions should not be used without TM01, TM02, TM09 NAA-DoS, NAA-
mechanisms for appropriate authentication and authorisation and AAA, NAA-ARA,
authentication and authorisation checks. Relevant vulnerabilities NAA-DBLT
authorisation of gNB include:
components
• Improper authentication policy;
• Insecure / insufficient authentication attributes,
mechanisms and procedures;
mechanisms.
Improper session Management interfaces and systems should provide TM01, TM02, TM09 NAA-AAA,
protection adequate mechanisms for user session protection. NAA-ARA,
mechanisms of gNB Relevant vulnerabilities include: NAA-IFAS,
components NAA-DBLT
• Lack of logout function;
• Lack of inactivity timeout mechanisms.
Insufficient or Adequate mechanisms for collection and processing TM01, TM02, TM09 NAA-{all}, UD,
improper monitoring of security events should be in place. Relevant FM
mechanisms of gNB vulnerabilities include:
components
• Insufficient / inadequate logging of security
events;
Vulnerabilities in Operating systems supporting gNB Components TM01, TM02, TM09 NAA-MAL,
Operating Systems should provide a safe and stable environment for 5G NAA-DoS, NAA-
supporting gNB Functions. Relevant vulnerabilities include: ARA, NAA-AAA,
components NAA-ESH,
• Improper / insufficient mechanisms to protect NAA-MSH,
availability and integrity; NAA-UANI,
• Improper authentication and authorisation NAA-DBLT, FM
mechanisms.
Vulnerabilities in Web servers serving functional and management TM01, TM02, TM09 NAA-MAL,
Web Servers services should provide adequate protection. NAA-DoS, NAA-
supporting gNB Relevant vulnerabilities include: ARA, NAA-AAA,
components NAA-ESH,
• Lack of or improper encryption of communication; NAA-MSH,
• Failure to log webserver activity; NAA-UANI,
NAA-DBLT, FM
• Improper HTTP User sessions protection;
• Improper validation of HTTP input.
Vulnerabilities of The components of gNB may be implemented on TM01, TM02, TM09 NAA-MAL,
network devices dedicated network devices, which must be NAA-DoS, NAA-
running gNB adequately protected. Relevant vulnerabilities ARA, NAA-AAA,
components include: NAA-ESH,
NAA-MSH,
• Improper mechanisms for data and information NAA-UANI,
protection; NAA-MND, FM
• Improper mechanisms for protecting availability
and integrity.
77
December 2020

Name Description
measures categories
Improper hardening All 5G components should be hardened in order to TM01, TM02, TM07, NAA-MAL,
of gNB components reduce their respective surface of vulnerability. TM09 NAA-DoS, NAA-
Relevant vulnerabilities include: ARA, NAA-AAA,
NAA-ESH,
components; NAA-DBLT, FM,
• Unrestricted remote login for privileged users; UD
• Vulnerable configuration of O.S. / Web server;
• Improper separation of traffic.
Virtualisation Vulnerabilities in the virtualisation layer may lead to TM04 NAA-AVM, FM

vulnerabilities of risks such as unauthorised access to functions and
relevant gNB data. Virtualisation vulnerabilities include:
components
• Vulnerabilities in virtualisation of OS layer;
Physical and Improper physical security of gNB Components TM07 PA, FM, OUT,
environmental infrastructure may impact the overall security and DIS
vulnerabilities of performance of the system. Relevant vulnerabilities
relevant gNB may include:
components
• Improper physical security of telecommunications
equipment rooms and equipment sited in partners’
or users’ premises;
• Improper physical security of physically isolated
operation areas;
Vulnerability to As any wireless cellular networks, 5G networks are TM01 NAA-DoS

Radio Jamming prone to radio interference. This inherent weakness
Attacks can be used by adversary nodes to cause intentional
interference and hinder legitimate user’s
communication over specific wireless channels.
Jamming attacks are a special concern for mission-
critical applications.
A detailed list of radio access network vulnerabilities can be found in the Annex (see E Annex).
4.5 VULNERABILITY GROUPS FOR NETWORK FUNCTION

VIRTUALIZATION - MANO
In the security considerations of NFV - MANO, we have identified the following areas of
vulnerabilities:
Management Interfaces / APIs: when developing management interfaces for the virtual
functions, incomplete implementation of NVF security functions may lead to weaknesses related
to access, storage and interception of network management data.
Localisation of functions: while physical functions of previous mobile networks have not allowed
for mobility of functions, the introduced virtualization may lead to moving virtualized functions
outside their original location, notably outside the perimeter of protecting measures/policies.
generic vulnerabilities related to soft- and hardware maintenance and hardening. The following
table provides a more exhaustive view on vulnerabilities of network function virtualization /
MANO components.
78
December 2020
Relevant
Threat
Name Description toolbox
categories
measures
Service Based Service-Based-Interfaces of network functions TM04 NAA-EXPL,

Vulnerabilities of should provide adequate protection of access and of NAA-AIL, NAA-
NFV components data in transit. Relevant vulnerabilities include: AAA, NAA-
DBLT, NAA-
• Improper transport layer protection for data MND, EIH
transferred over internal interfaces to MANO;
• Vulnerable authorisation mechanisms on
authorisation server / resource server;
• Improper message and session integrity checks
on internal interfaces;
• Vulnerabilities in legacy PNF;
• Improper verification of identity and location of
transmitting party on internal interfaces.
Improper protection Adequate security controls are needed for protecting TM04 NAA-AIL, NAA-
of Data and sensitive data stored, processed and transferred by MSH, NAA-
Information of NFV NFV. Relevant vulnerabilities include: DBLT
components
• Inability to provide proof of integrity of the data
stores used for VM images;
• Lack of encryption of control plane data;
storage;
transfer.
Improper hardening All NFV components, should be hardened in order to TM04 NAA-MAL,
of NFV components reduce their respective surface of vulnerability. NAA-DoS, NAA-
Hardening requirements must ensure that all the ARA, NAA-AAA,
default configurations (including operating system NAA-ESH,
software, firmware and applications) are NAA-MSH,
appropriately set. Relevant vulnerabilities include: NAA-UANI,
NAA-MND,
• Unnecessary or insecure services / protocols; NAA-DBLT, FM,
• Unrestricted reachability of services; UD
• Presence of unused software / functions /
components;
• Unrestricted remote login for privileged users;
• Improper separation of traffic;
• Improper patch management process;
• Misconfiguration;
• No mechanism to enforce geo-restrictions;
• Vulnerabilities of NTP (VNF clock);
• Improper hardening of MANO interfaces utilizing
Service-Based Interfaces (SBI).
Virtualisation Vulnerabilities in the virtualisation layer may lead to TM04, TM07 NAA-AVM, FM
platform risks such as unauthorised access to functions and
vulnerabilities for data Virtualisation vulnerabilities include:
VNF
• Inadequate access privileges in virtualized
environments;
• Improper key management system for encrypted
virtual components;
• Lack of mechanisms for ensuring a Hardware-
Based Root of Trust (HBRT);
• Vulnerabilities in cloud technology used for NFV
implementation;
• Hypervisor vulnerabilities conduct to cross-
contamination of shared resources.
79
December 2020
Relevant
Threat
categories
measures
Physical security Improper physical security of NFVI may impact the TM04, TM06 PA, FM, OUT,
and environmental overall security and performance of the system. DIS
vulnerabilities of Relevant vulnerabilities include:
NFVI
• Improper physical security of telecommunications
equipment rooms;
• Improper physical security of physically isolated
operation areas;
Vulnerable NFV Management and Orchestration should not be TM03, TM04 NAA-AAA, NAA-
mechanisms for used without appropriate authentication and ARA, NAA-
authentication and authorisation and authorisation checks. Relevant MSH, NAA-
authorisation of NFV vulnerabilities include: UANI, NAA-
Management AVM
• Improper authentication policy, such as
unauthenticated access to system functions, use
of generic accounts;
• Insecure / insufficient authentication attributes,
such as failure to protect accounts by at least one
authentication attribute, active predefined
authentication attributes;
• Failure to block consecutive failed login attempts;
mechanisms.
Insufficient or Adequate mechanisms for collection and processing TM01, TM05 NAA, FM, UD
improper monitoring of security events should be in place. Relevant
mechanisms of NFV vulnerabilities include:
• Insufficient / inadequate logging of security events
for MANO and NFVI;
A detailed list of network function virtualization - MANO vulnerabilities can be found in the
Annex (see F Annex).
4.6 VULNERABILITY GROUPS FOR SOFTWARE DEFINED NETWORKS

In the security considerations software defined networks, we have identified the following areas
of vulnerabilities:
Control Plane: Recent practices to shift from single device controllers to distributed controllers,
opens doors to control plane attacks. Such attacks are based on input buffer analysis to identify
forwarding policy and eventually perform manipulations based on the analysis results.
Data Plane: As SDN data planes are just simple forwarding elements with no embedded
intelligence, they may become targets of protocol attacks, exploiting protocol vulnerabilities in
the forwarding devices.
Programmable Interfaces (APIs): The Southbound API may be misused for a series of attacks.
These attacks are based on inferred flow rules in SDN through packet probing. Knowing the
reactive rules, attackers can launch DoS attacks by sending numerous rule-matched packets
which trigger packet-in packets to overburden the controller.
80
December 2020
below provides a more exhaustive view on vulnerabilities of software defined networks
components.

Name Description
measures categories
Vulnerabilities in Lack of functionality in the SDN control layer to TM01 NAA-MND, UD,
implementation of support preventing flow rules confliction in order to FM
SDN security avoid mandatory network policies from being
functionalities bypassed.
SBA/SBI Service-Based-Interfaces of network functions TM01 NAA-EXPL,

vulnerabilities of should provide adequate protection of access and of NAA-AIL, NAA-
SDN components data in transit. Relevant vulnerabilities include AAA, NAA-
improper transport layer protection, improper DBLT, NAA-
authentication / authorisation mechanism for SDN MND
controller, inadequate security of configuration data
(including security policies and QoS policies) while
being transported from SDN applications to the SDN
controller over the application-control interface.
Vulnerable SDN controller should not be used without TM01, TM03 NAA-AAA, NAA-
mechanisms for appropriate authentication and authorisation checks. ARA, NAA-
authentication and Relevant vulnerabilities are related to improper MSH, NAA-
authorisation of authentication and/or authorisation mechanism for UANI
SDN components SDN controller or defective implementations of these
mechanisms.
Improper hardening All SDN components, should be hardened in order to TM01, TM07 NAA-MAL,
of SDN components reduce their respective surface of vulnerability. NAA-DoS, NAA-
Relevant vulnerabilities include: ARA, NAA-AAA,
NAA-ESH,
• Operating system vulnerabilities; NAA-MSH,
• Software vulnerabilities of SDN controller; NAA-UANI,
• Improper cryptographic key management NAA-MND,
mechanisms or use of weak algorithms; NAA-DBLT, FM,
• Lack of, or improper DoS protection mechanisms. UD
Insufficient or Improper monitoring of SDN controller may lead to TM05 NAA-{all}, FM,
improper monitoring attacks or failures going undetected and therefore UD
mechanisms of SDN not mitigated. Improper hardware monitoring may
components compromise network security or bring down the SDN
network.
Virtualisation Vulnerabilities in the virtualisation layer may lead to TM01, TM07 NAA-AVM, FM
vulnerabilities of risks such as unauthorised access to SDN
relevant SDN resources. Cloud solutions used for SDN
components implementation may lead to vulnerabilities specific to
cloud technology.
Physical security Improper physical security of SDN may impact the TM06 PA, FM, OUT,
vulnerabilities of overall security and performance of the system. DIS
SDN Relevant vulnerabilities may include unprotected
Data Centre Interconnection channels, improper
physical secure perimeter or isolation between
tenants.
A detailed list of software defined networks vulnerabilities can be found in the Annex
(see G Annex).
81
December 2020
4.7 VULNERABILITY GROUPS FOR MULTI-ACCESS EDGE COMPUTING

In the security considerations of multi-access edge computing, we have identified the following
areas of vulnerabilities:
Virtualization and containerization: Being based on virtualization and containerization, MEC

may be vulnerable to a number of threats emerging from these technologies. Examples are:
possible contamination of shared hardware resources, abuse of privilege elevation
vulnerabilities of containers with higher levels of privileges, dependencies to central
orchestration functions, high data and session volumes that can be subject of attacks, use of
open-source APIs.
Physical security: flaws in physical security of MEC hardware may render such infrastructures
vulnerable to physical attack. Given the fact of higher geographical distribution of such
infrastructures, keeping a uniform level of physical security will be a challenge.
Application-Programming Interfaces (APIs): Though a dedicated architecture (CAPIF) is

proposed to cope with access to APIs, it has to be ensured that these provisions are followed
during API design and implementation phases. As being exposed to user access, usually such
APIs are subject to multiple attacks.
Regulatory issues: European regulation (NIS-Directive), foresees an isolation of physical and

logical components of critical services from services with low criticality. The implementation of
requirement in MEC may lead to vulnerabilities of low criticality services, as they are going to be
operated in a security domain with less security functions.
The table below provides a more exhaustive view on vulnerabilities of MEC components.

Name Description
measures categories
NAA-DoS, NAA-
Vulnerabilities in AIL,NAA-LIFA,
Relevant vulnerabilities in MEC implementation
implementation of NAA-DBLT,
include improper for collection, secure storage and TM01, TM02
MEC security NAA-ARA, NAA-
transmission of charging-related information.
functionalities MSH, NAA-SHE,
NAA-IFAS
Service-Based-Interfaces of network functions should

provide adequate protection of access and of data in
NAA-EXPL,
Vulnerabilities in the transit. Relevant vulnerabilities include improper
NAA-AIL, NAA-
Service-Based implementation of MEC / CAPIF APIs, improper
TM01, TM03 AAA, NAA-
Interfaces of MEC transport layer protection for data transferred over
DBLT, NAA-
components internal interfaces and improper verification of identity
MND EIH, FM
and access control to authorized mobile edge
applications.
Adequate security controls are needed for protecting

Improper protection sensitive data stored, processed and transferred by
MEC applications. NAA-AIL, NAA-
of Data and
TM01, TM03 MSH, NAA-
Information of MEC The mobile edge platform shall only provide a mobile DBLT
components edge application with the information for which the
application is authorized.
82
December 2020

Name Description
measures categories
NAA-MAL,
Operating systems supporting MEC Host should NAA-DoS,
provide a safe and stable environment for MEC NAA-ARA,
Vulnerabilities in Applications. Relevant vulnerabilities include: NAA-AAA,
Operating Systems
• Improper / insufficient mechanisms to protect TM01, TM07 NAA-ESH,
supporting MEC
availability and integrity; NAA-MSH,
components
• Improper authentication and authorisation NAA-UANI,
mechanisms. NAA-DBLT,
FM
All MEC components, should be hardened in order to

reduce their respective surface of vulnerability.
Hardening requirements must ensure that all the
default configurations (including operating system NAA-MAL,
software, firmware and applications) are appropriately NAA-DoS,
set. Relevant vulnerabilities include: NAA-ARA,
• Unnecessary or insecure services / protocols; NAA-AAA,
Improper hardening • Unrestricted reachability of services NAA-ESH,
TM01, TM07
of MEC components • Presence of unused software / functions / NAA-MSH,
components; NAA-UANI,
• Unrestricted remote login for privileged users; NAA-MND,
• Excessive file system Authorisation privileges; NAA-DBLT,
• Improper separation of traffic; FM, UD
• Improper patch management process
• Misconfiguration;
• Lack of or improper DDoS Protection mechanism.
NAA-EXPL,
Vulnerabilities in MEC Applications may be used as an NAA-ARA,
Software entry point for attacks aiming at exploiting other MEC NAA-AAA,
vulnerabilities in components or internal interfaces. Relevant TM01, TM02 NAA-ESH,
MEC applications vulnerabilities include unauthorized access to data, NAA-DBLT
elevation of privileges or cloud intrusion.
Vulnerabilities in the virtualization platform include

Vulnerabilities of the
inadequate isolation of resources in operating system / NAA-AVM,
MEC virtualization TM01, TM02
container layers and vulnerabilities specific to cloud FM
platform
technologies widely used in MEC implementations.
Improper physical security of MEC host may impact

the overall security and performance of the system.
Physical security Relevant vulnerabilities include:
and environmental • Improper physical and environmental security of PA, FM, OUT,
TM06
vulnerabilities of edge computing facilities; DIS
MEC hosts • Improper security monitoring of edge computing
facilities;
• Insecure service environment.
MEC authentication functions – LCM Proxy and MEC

Orchestrator – should not be used without appropriate
authentication and authorisation and authorisation
checks. Relevant vulnerabilities include:
• Improper authentication policy, such as
unauthenticated access to system functions, use of
Vulnerable generic accounts; NAA-AAA,
mechanisms for • Insecure / insufficient authentication attributes, such NAA-ARA,
authentication and as failure to protect accounts by at least one TM01, TM03
NAA-DoS,
authorisation of authentication attribute, active predefined NAA-DBLT
MEC components authentication attributes;
• Failure to block consecutive failed login attempts;
mechanisms.
83
December 2020

Name Description
measures categories
Adequate mechanisms for collection and processing of

security events should be in place. Relevant
Insufficient or vulnerabilities include:
improper monitoring NAA-{all}, FM,
• Insufficient / inadequate logging of security events TM01, TM05
mechanisms of MEC UD
components for MEC App and MEC host;
A detailed list of multi-access edge computing vulnerabilities can be found in the Annex (see H
Annex).
4.8 VULNERABILITY GROUPS FOR SECURITY ARCHITECTURE

Given the fact that vulnerabilities in all zoom-ins cover security issues of the 5G architecture in
a horizontal manner, no additional security vulnerabilities have been developed for the
components of the security zoom-in. Hence, it can be considered that the entire set of
vulnerabilities assessed for all other zoom-ins cover the full set of security vulnerabilities.
4.9 VULNERABILITY GROUPS FOR PHYSICAL INFRASTRUCTURE

In the security considerations of physical infrastructure, we have identified some areas of
vulnerabilities. Given the fact that the physical infrastructure is the common basis for the
implementation of all other zoom-ins, the assessed physical vulnerabilities are derived by the
vulnerabilities of all zoom-ins by means of their relevance to the physical components. Hence,
the vulnerabilities below draw consequences of the vulnerabilities mentioned in other zoom-ins,
by concentrating on their physical aspects:
Impact of virtualisation: The physical measures/controls will need to be derived by and be

complementary to weaknesses encountered by the implementation of functions in containerized
and virtualized environments (see also vulnerabilities of MEC in section 4.7 above). This will
mainly impact physical availability measures for the concerned functions.
General physical security considerations: General physical measures need to be developed

based on vulnerabilities and resulting risk-exposure that are related to the operational needs,
supply chain of various components (delivery, operation, implementation, maintenance) and
criticality of services. Given the large number of roles involved in 5G infrastructures, the
identification of physical vulnerabilities requires a holistic approach.
Threats to edge cloud computing resources: attack surface reduction of MEC services will rely
on physical measures taken for the relevant components (see also vulnerabilities in section 4.7
above).
Vulnerability of wireless frequencies to jamming attacks: as a high number of wireless

connections are involved in the communication within the 5G infrastructure, both in the public
and non-public domain, physical measures for the reduction of impact of jamming attacks need
to be taken into account, especially on availability of communication channels.
The following table provides a more exhaustive view on vulnerabilities of physical infrastructure.
84
December 2020

Name Description
measures categories
Improper physical Communication centres should provide a full set of TM06 PA, DIS, OUT,
security of physical and environmental controls aimed to assure NAA-CSVS
communication access control, monitoring, continuity of operations
centres and protection against environmental disasters. Failure
to do so may lead to unauthorised access, destruction
of assets and impairment of operations.
Improper physical Telecom equipment rooms should provide a risk- TM06, TM11 PA, DIS, OUT,
security of calibrated set of physical and environmental controls NAA-CSVS
telecommunications aimed to assure access control, monitoring, continuity
equipment room of operations and protection against environmental
disasters. Failure to do so may lead to unauthorised
access, destruction of assets and impairment of
operations.
Improper physical Remote equipment facilities should provide a set of TM06, TM11 PA, DIS, OUT,
security of physical and environmental controls aimed to assure FM, NAA-
physically isolated access control, monitoring, continuity of operations CSVS
operation areas and protection against environmental disasters, taking
into account its remoteness and lack of human
presence. Failure to do so may lead to unauthorised
access, destruction of assets and impairment of
operations.
Improper physical Equipment located in third party facilities rooms should TM06, TM11 PA, DIS, OUT,
security of be protected using a risk-calibrated set of physical and NAA-CSVS
equipment sited in environmental controls aimed to assure access
other carrier's or control, monitoring, continuity of operations and
partner's premises protection against environmental disasters. Failure to
do so may lead to unauthorised access, destruction of
assets and impairment of operations.
Vulnerability to Wireless cellular networks are inherently vulnerable to NAA-DoS

Radio Jamming interference. This weakness can be used to cause
Attacks intentional interference and hinder legitimate user’s
communication over specific wireless channels. 5G
improves resilience against jamming attacks over the
4G LTE, but remains vulnerable to customised attacks.
Jamming attacks are a special concern for mission-
critical applications, in particular for their availability.
Vulnerabilities Softwarisation and virtualization of functions only TM04, TM06 NAA-AVM, FM

related to increase availability and integrity requirements for
virtualisation shared physical resources, some of them placed in
technologies remote locations. Relevant vulnerabilities include:
• Improper protection of access to physical
interfaces;
• Shared resource contamination;
• Vulnerable mechanisms for Hardware-Based Root
of Trust (HBRT);
• Hypervisor vulnerabilities conduct to cross-
contamination of shared resources;
• Improper availability arrangements for hardware
infrastructure.
A detailed list of physical infrastructure vulnerabilities can be found in the Annex

(see I Annex).
85
December 2020
4.10 VULNERABILITY GROUPS FOR IMPLEMENTATION OPTIONS

In the security considerations of 5G implementation options – migration paths, we have
identified the following areas of vulnerabilities:
Risks related to legacy technologies: these risks materialize through exploitation of

vulnerabilities that are concerned with mismatches of functionalities of non-standalone 5G
networks (NSA) to the current specifications. An example hereto are the use of the LTE Evolved
Packet Core (EPC) and the LTE control panel. In this way, for NSA 5G networks, threats and
vulnerabilities of the LTE technology will persist.
Roaming: during migration, 4G roaming is being used for 5G. This roaming does not include the
new 5G security functions, while maintaining Diameter, SIP/VoLTE and possibly SS7. These
protocols are vulnerable to eavesdropping and tracking.
Security update gap between new security requirements and deployment of updated versions of
network functions in operational systems. Two major factors are relevant for this gap: a)
vendors’ responsiveness in issuing and validating new versions of the network functions that
address the updated requirements, and b) timeliness and effectiveness of MNO processes to
update. This may lead to vulnerabilities in operational NSA 5G infrastructures.
Besides these areas of vulnerability, virtualization vulnerabilities are also applicable to

implementation options. The table below provides a more exhaustive view on vulnerabilities of
components used within 5G implementation options.

Name Description
measures categories
Vulnerabilities of Vulnerabilities inherited from the LTE system include: TM05 NAA-AIL, NAA-
legacy technologies SGN, EIH
• Lack of integrity protection of over-the-air User
Plane traffic;
• Exposure of international mobile subscriber
identities (IMSI) over the air;
• Weaker cryptographic algorithms.
Improper The updated requirements for LTE critical components TM02 NAA-{all}, EIH,
implementation of involved in Non-standalone implementations include UD, FM
updated security security controls for known vulnerabilities and allow
functions interoperability by the 5G Components. Failure to meet
assurance specification as defined in the Security
Assurance Specification for critical components leave
open vulnerabilities. The affected components are:
• Vulnerabilities in MME implementation;
• Vulnerabilities in evolved Node B (eNB)
implementation.
86
December 2020

Name Description
measures categories
Vulnerabilities in the Similar to 5G Core functions, the security of EPC+ TM01, TM02 NAA-{all}, EIH,
technical baseline of functions relies on a secure technical baseline. FM, UD
EPC+ functions Vulnerabilities relevant for 5G Core functions as
detailed in the respective section apply similarly.
Relevant vulnerabilities include:
 Improper protection of Data and Information of
EPC+ components;
 Improper protection of availability and integrity of
EPC+ components;
 Vulnerable mechanisms for authentication and
authorisation of EPC+ components;
 Improper session protection mechanisms of
EPC+ components;
 Insufficient or improper monitoring mechanisms
of EPC+ components;
 Vulnerabilities in Operating Systems supporting
EPC+ components;
 Vulnerabilities in Web Servers supporting EPC+
components;
 Vulnerabilities of network devices running EPC+
components;
 Improper hardening of EPC+ components.
5G New Radio Vulnerabilities for 5G New Radio components are TM02 See section
Vulnerabilities referred in the 5G RAN Vulnerabilities section. above
SBA/SBI Service-Based-Interfaces are a common feature of 4G TM01 NAA-EXPL,

vulnerabilities of and 5G NR components. Relevant vulnerabilities NAA-AIL, NAA-
components include: AAA, NAA-
DBLT, NAA-
 Improper transport layer protection, such as MND EIH, FM
incorrect TLS profile and improper
authentication mechanisms;
 Vulnerable authorisation mechanisms on service
access.
Detailed information is presented in the 5G Core
Section.
Virtualisation One of the main implementation scenarios focuses on TM04 NAA-AVM, FM

Vulnerabilities building a new virtualized EPC network to support the
Non-Standalone implementation. In this scenario,
virtualization vulnerabilities are highly relevant.
Virtualisation vulnerabilities are detailed in Section
NFV and 5G Core.
LTE Roaming 5G NSA roaming is essentially 4G roaming. From a TM01, TM02, NAA-AIL, NAA-
vulnerabilities security perspective, a 5G NSA roaming connection TM05 SGN, EIH
introduces no new protections since it continues to use
Diameter, SIP/VoLTE and possibly SS7. Relevant
vulnerabilities may include:
 Improper protection of Data and Information of
EPC+ components;
 SS7 Vulnerabilities;
 Diameter vulnerabilities;
 VoLTE vulnerabilities84.
A detailed list of implementation options – migration path vulnerabilities can be found in the
Annex (see J Annex).
84
David Rupprecht and Katharina Kohls and Thorsten Holz and Christina Popper, Call Me Maybe: Eavesdropping
Encrypted LTE Calls With ReVoLTE, 29th USENIX Security Symposium Proceedings, 2020. isbn 978-1-939133-17-5,
pages 73-88, accessed October 2020.
87
December 2020
4.11 VULNERABILITY GROUPS FOR PROCESSES

In this section we develop a set to vulnerabilities/weaknesses that arise from the absence of
processes pertinent to life-cycle maintenance of systems and applications of the entire 5G
infrastructure. As mentioned in section 3.13, the processes considered are MNO life-cycle
processes, vendor development and product life-cycle, as well as security assurance.
Though we have not developed any security considerations in section 3.13 – as we did for the
3GPP specified components - in the discussion below we enlist weaknesses that may arise
from the absence of maintenance processes for life-cycle considerations regarding the entire
5G infrastructure.
4.11.1 MNO processes

Security of the 5G System is achieved and maintained by upholding security objectives across
the entire lifecycle of the system, in particular from the side of Mobile Network Operator (MNO).
In this section, we have identified operational process weaknesses that can directly impact the
security of the 5G System. As a reference model for operational processes, we used the eTOM
Business Framework85 which defines comprehensive, industry-agreed, multi-layered view of the
key business processes in the Telecommunications sector. Any other process framework could
be used for this purpose.
Relevant
Threat
categories
measures
Improper Resource Process weaknesses that may directly impact the TM01, TM09, NAA-CSVS,
Capability Delivery security of 5G system include: TM10 NAA-AIL, NAA-
Processes DBLT, EIH, PA,
 Improper processes to map and analyse UD, FM, OUT,
resource requirements; DIS
 Failure to adapt resource support and
operations;
 Inability to capture resource capability shortfalls;
 Improper Resource Capabilities design and
management of delivery;
 Improper management of Handover to Resource
Operations.
Improper Party Process weaknesses that may directly impact the TM08, TM09, NAA-CSVS,
Tender Management security of 5G system include: TM10 NAA-AIL, NAA-
Processes DBLT, EIH, PA,
 Inadequate definition of sourcing requirements; UD, FM, OUT,
 Improper process to determine Potential DIS
Suppliers/Partners;
 Inadequate management of the Tender Process.
Improper Resource Process weaknesses that may directly impact the TM01 NAA-CSVS,
Development & security of 5G system include: NAA-AIL, NAA-
Retirement DBLT, EIH, PA,
Processes  Improper control of Detailed Resource UD, FM, OUT,
Specifications development; DIS
 Inadequate coordination of resource
development;
 Improper management of resource deployment;
 Improper storage media sanitisation;
 Improper management of resource exit.
85
http://casewise.tmforum.org/evolve/statics/frameworx/#cwtype=index&cwview=home, accessed November 2020.
88
December 2020
Relevant
Threat
categories
measures
Improper Resource Process weaknesses that may directly impact the TM01 NAA-CSVS,
management and security of 5G system include: NAA-AIL, NAA-
operation Support & DBLT, EIH, PA,
Readiness  Improper processes to support resource UD, FM, OUT,
processes provisioning; DIS
 Improper processes to support resource
performance management;
 Improper processes to support resource trouble
management;
 Improper management of resource inventory.
Improper Party Process weaknesses that may directly impact the TM08 NAA-CSVS,
Agreement security of 5G system include: NAA-AIL, NAA-
processes DBLT, EIH, PA,
 Insufficient / improper definition of relevant UD, FM, OUT,
operational and security clauses in agreements DIS
with suppliers and partners;
 Improper management of contract variations.
Improper Party Process weaknesses that directly impact the security TM01 NAA-CSVS,
Support processes of 5G system include: EIH, PA, UD,
FM, OUT, DIS
 Improper processes to support Party Requisition
Management;
 Support Party Performance Management;
 Support Party Interface Management.
Improper resource Process weaknesses that directly impact the security TM01, TM02 NAA-CSVS,
provisioning of 5G system include: NAA-AIL, NAA-
processes DBLT, EIH, PA,
 Improper processes for resource allocation and UD, FM, OUT,
installation; DIS
 Improper / obsolete processes to Configure &
Activate Resources;
 Improper tracking & management of resource
provisioning.
Resource Trouble Process weaknesses that directly impact the security TM05 NAA-CSVS,
Management of 5G system include: NAA-AIL, NAA-
DBLT, EIH, PA,
 Improper survey and analysis of resource UD, FM, OUT,
trouble; DIS
 Improper processes for localisation of resource
trouble;
 Improper processes for correction and resolution
of resource trouble.
Resource data Process weaknesses that directly impact the security TM05 NAA-CSVS,
collection & of 5G system include: NAA-AIL, NAA-
distribution DBLT, EIH, PA,
 Improper processing of management and UD, FM, OUT,
Security Information & Data; DIS
 Inadequate processes for audit of Management
and Security Data Collection & Distribution.
Resource Process weaknesses that directly impact the security TM05 UD, FM, OUT
Performance of 5G system include:
Management
 Improper monitoring of resource performance;
 Improper processes for controlling resource
performance.
89
December 2020
Relevant
Threat
categories
measures
Party Interaction Process weaknesses that directly impact the security TM05 NAA-CSVS,
Management of 5G system include improper Tracking, Management NAA-AIL, NAA-
and Handling of Interaction with suppliers and DBLT, EIH, PA,
partners. UD, FM, OUT,
DIS
Party Problem Process weaknesses that directly impact the security TM05 UD, FM, OUT
Handling of 5G system include improper processes to Receive,
Assess and Track problems related to relevant
Suppliers/Partners, as well as failure to capture trends
in problems related to third-parties.
Party Performance Process weaknesses that directly impact the security TM05 NAA-CSVS,
Management of 5G system include improper processes to Monitor & UD, FM, OUT
Control Supplier/Partner Performance and to track &
manage party performance resolution.
Party Inventory Process weaknesses that directly impact the security TM05 NAA-CSVS,
Management of 5G system include improper processes for manage NAA-AIL, NAA-
S/P Inventory Repository and to manage and DBLT, EIH, PA,
administer S/P Inventory. UD, FM, OUT,
DIS
Business Continuity Process weaknesses that directly impact the security TM11 OUT, DIS
Management of 5G system include failure to update and adapt
Business Continuity plans, Infrastructure Recovery
plans and Incident Management plans.
Fraud Management Process weaknesses that directly impact the security TM05 NAA-IFAS,
of 5G system include failure to adapt fraud LEG
management policies and controls.
Regulatory Process weaknesses that directly impact the security TM05 LEG
Management of 5G system include failure to identify and comply
with updated compliance requirements
Insurance Process weaknesses that directly impact the security TM05, TM11 NAA-CSVS,
Management of 5G system include failure to identify insurable risks. EIH, PA, UD,
FM, OUT, DIS,
LEG
Security Failure to adapt security management processes to TM05, TM11 NAA, EIH, PA,
Management new technologies, business models and associated UD, FM, OUT,
risks will directly impact the security of the 5G System. DIS, LEG
A detailed list of vulnerabilities emerging from improper operational processes at the level of
mobile network operator can be found in the Annex (see K Annex).
4.11.2 Vendor, development and product life-cycle processes

Vendor Development and Product Lifecycle covers all aspects potentially impacting a Network
Product’s lifetime. Vulnerabilities in vendor development and product lifecycle processes impact
directly the security of 5G system components. While some vulnerabilities are directly
connected to a specific phase in the Product Lifecycle, other process vulnerabilities are relevant
for the entire Development and Product lifecycles.
90
December 2020

Name Description
measures categories
Design Phase Failure to apply security architectural and security TM08 NAA-EXPL,
Vulnerabilities design principles and follow them throughout the entire UD, FM
development lifecycle leads to structural security
problems that imperil the security of the components
and of the 5G system.
Implementation Relevant implementation phase vulnerabilities include: TM08 NAA-CSVS,

Phase UD, FM
 Ineffective code governance and improper code
Vulnerabilities
review;
 Vulnerabilities in Build process and environment.
Testing Phase The relevant vulnerability in the testing phase refers to TM08 NAA-EXPL,
Vulnerabilities lack of or improper security testing. This in turn leaves NAA-DBLT,
the network products exposed to vulnerabilities and UD, FM
unexpected and unspecified behaviour.
Release Phase Relevant release phase vulnerabilities include: TM08 NAA-EXPL,

Vulnerabilities NAA-DBLT,
 Improper verification of software integrity;
UD, FM
 Ambiguous software release identifiers;
 Inaccurate / obsolete documentation.
Operation Phase Relevant operation phase vulnerabilities include: TM08, TM11 NAA-EXPL,
Vulnerabilities NAA-DBLT,
 Failure to provide a security contact;
NAA-EXPL,
 Insufficient vulnerability awareness;
NAA-DBLT,
 Ineffective vulnerability remedy process;
UD, FM
 Unreliable communication of software fixes.
Vulnerabilities The following vulnerabilities impact the security of TM11 NAA-EXPL,

relevant for the network product across its entire development and NAA-DBLT,
entire lifecycle product lifecycle: NAA-EXPL,
NAA-DBLT,
 Improper version control system;
UD, FM
 Improper change management process;
 Insufficient security education and awareness of
staff;
 Ineffective Information Security Management
System.
A detailed list of vulnerabilities emerging from improper vendor, product, development life-cycle
processes can be found in the Annex (see L Annex).
4.11.3 Security assurance processes

A solid and objective assessment process can contribute towards identification baseline
security requirements to be met for network products and the implemented processes. This is
an additional dimension to technological and operational security mitigation controls,
contributing towards the assurance of their implementation levels.
Following conclusions of the Toolbox, security assurance processes can only help mitigate
certain risks to a limited extent given the constant need to update products and systems-
making it impossible to create ‘trust’ through these mechanisms only. Hence, assurance
91
December 2020
processes and related measures need to be seen in combination to implementation of technical

and operational ones.
In this context, a series of vulnerabilities must be taken into consideration when assessing the
fitness for purpose of a security assurance scheme for 5G Systems:

Name Description
measures categories
Standardisation Agreed-upon and recognized standards are TM02, SA03, SA04 NAA-{all}, UD,
vulnerabilities paramount for ensuring a security baseline. Potential FM
vulnerabilities include:
 Obsolescence of standards;
 Alignment of standards;
 Missing security requirements reference for
verticals.
Accreditation Accreditation provides trust in the results of conformity TM09, TM10, SA05 NAA-{all}, UD,
vulnerabilities and security assessment results. Potential FM, LEG
vulnerabilities include:
 Recognition of accreditation scheme;
 No alignment with internationally recognized
standards for accreditation and conformity
assessment;
 Lack of control by regulatory and supervisory
bodies.
Conformity Security assessment activities and their results need TM09, TM10, NAA-{all}, UD,
Assessment to be trustworthy, relevant and sufficient for meeting SA05, SA06 FM, LEG
vulnerabilities the overall security objectives and regulatory
requirements. Potential vulnerabilities include:
 Not appropriate to address risks stemming from
non-technical risks related to the supplier’s risk
profile;
 No common reference for security requirements
for Mobile Network Operators;
 No security evaluation of the operational
environment;
 Insufficient assurance of environmental
assumptions;
 Certification overhead and relevance;
 No assessment scheme for evaluation of
virtualized products;
 Insufficient security assurance level;
 Re-use of evidence created by conformity
assessment bodies.
A detailed list of vulnerabilities emerging from the absence of an effective security assurance
process can be found in the Annex (see M Annex).
92
December 2020
5. ASSETS
5.1 ASSET CLASSIFICATION AND MAPPING

One critical and initial step in any threat assessment is to identify and classify the most sensitive
assets that, if compromised, may pose a certain level of risk to an individual or organisation.
These activities are part of the asset security domain that focus on collecting and handling the
information required to define the model and a strategy to protect the attribute and value it
represents. In the 5G context, the monetisation of asset attributes such as network slicing,
cloud and Edge computing are in the centre of the value concept of this new generation of
mobile communications.
The 5G architecture considers four main areas that includes user equipment, radio access
network, core network and data network. In this report, we cover two main areas which are the
most significant on 5G evolution: the core network and radio access. We leave user equipment
and data network for future analysis. In the context of this report, we consider various asset
categories that relate to critical components or entities in a 5G network. These components and
entities are of a heterogeneous nature and require differentiated asset security strategies from
owners and/or stakeholders. For example, the interoperability, multi-level and seamless usage
may result in unauthorised and opportunistic access to the network.
We also identify differentiated roles assumed by various actors (presented in chapter2.1

above2.1 of this report), in the definition and implementation of these asset security strategies.
These however, may change in importance, sensitivity and relevance over time, depending on
the product or service lifecycle stage. Each mapped asset may expose certain vulnerabilities or
weaknesses during the lifecycle that if exploited may pose a threat to the confidentiality,
integrity and availability (CIA triad) of systems and data transmitted of parts or the entire 5G
network.
The scope of this document is not to report on a specific asset inventory but to direct the reader
on where to look when conducting such exercises. The responsibility of mapping the sensitive
assets of network relays with the operator since it depends on the technology used, network
product implemented, processes adopted, type of organisations and the services offered. A
mapping of assets and the CIA Triad is presented Table 3.
In the first version of the ENISA Threat Landscape Report for 5G Networks (ETL5G), we
prepared a categorisation of assets based on a high-level architecture presented in the
document. We also review the importance and relevance of these assets to the CIA triad
properties. The categorisations considered a specific definition of assets based on a GNP
(Generic Network Product) class description. A GNP is a class of network products that
implement a common set of 3GPP-defined functionalities for a particular component. According
to 3GPP, the critical assets of GNP to be protected are:
 User account data and credentials (e.g. passwords);
 Log data;
 Configuration data, e.g. GNP's IP address, ports, VPN ID, Management Objects (e.g.
user group, command group) etc.
 Operating System (OS), i.e. the files that make up the OS and its processes (code and
data);
93
December 2020
 GNP Application;
 Sufficient processing capacity: that processing powers are not consumed close to
limits;
 Hardware, e.g. mainframe, board, power supply unit etc.
 The interfaces of GNP to be protected and which are within SECAM scope: for
example
o Console interface, for local access: local interface on MME
o OAM interface, for remote access: interface between MME and OAM system
o GNP Software: binary code or executable code
All the above critical assets from release 15 of the 3GPP Security Assurance Specification
(SCAS) fit in the asset categories defined in the first edition of the ETL5G.
In this edition, we update the asset categorisations based on new requirements introduced by
release 16 of the 3GPP technical specifications and the new 5G use cases. We classified the
sensitive assets considering the stages of the implementation lifecycle using the eTOM –
enhanced Telecom Operation Map 86 as a guide. We assume that certain assets gain a
particular importance or sensitiveness during different stages of the GNP lifecycle. We also
update the information about stakeholders from the previous edition and correlate it with the
new asset categorisation.
5.2 NEW ASSET CATEGORIES

The following 5G asset categories derive from the high-level architecture presented in chapter
3.2 of this report and classification based on release 16 of the 3GPP technical specifications.
The high number of sensitive assets identified from the architecture resulted in a complex and
large diagram, making it difficult to read and display in this report. We use part of the diagram to
depict each asset group. The diagram is structured using asset groups according to their
exposure to threats. By taking into account the role of assets in maintaining the security-related
properties of confidentiality, availability and integrity (known as CIA triad), an initial assessment
of their importance has been developed. In doing so, the emphasis has been given to asset
groups responsible for maintaining the overall security and availability of the 5G infrastructure
and that are known targets of cyber-attacks.
This new categorisation introduces new groups at the lower or more detailed level of the asset
classification, deriving from the requirements of release 16. Another important aspect is the
definition of a high-level classification introducing main categories. These main categories,
depicted in Figure 15, include components and entities from management & orchestration,
network products, protocols, data, interconnections, services, processes and organisation. The
main advantage of having this new upper level is to allow the possibility to define different asset
security strategies depending on the characteristics of each asset group. The assets in these
groups share important characteristics such as type of vulnerabilities, stakeholders and
controls. These characteristics change quite substantially and require differentiated approaches
in the asset security strategy. A complete diagram of the asset map is present in Figure in
Annex A.
86
http://casewise.tmforum.org/evolve/statics/frameworx/#cwtype=index&cwview=home, accessed November 2020.
94
December 2020
Figure 15: Main categories of 5G network assets
Network Products: This main category includes network planes, functions and elements.
These derive into multiple asset groups that could be found in the previous asset mapping like
core functions, physical infrastructure, security, software-defined networking (SDN), among
others. The main category is a core part of the 5G architecture and one of the most critical in
any 5G asset mapping.
Figure 16: 5G Asset groups from the Network Products category
95
December 2020
Figure 16 depicts the second, third and fourth level groups of the Network Products asset
category. However, not all levels are displayed; hence, we present the full diagram at ENISA
website87 using an interactive tool to explore the inwards of the different asset categories.
Management and orchestration: This main category includes the management of network
functions, network slicing, operations support system, network/element (EMS/NMS) and SDN
Controller. Figure 17 depicts the different asset groups of MANO.
MANO is the most vital part of the 5G infrastructure since is responsible for controlling the entire
set of network functions, their virtualisation and entire software lifecycle related hereto. The
main parts of MANO are the Network Function Virtualisation (NFV) orchestrator, the Virtual
Network Function (VNF) manager, and the virtualised infrastructure manager. Given its
important role, MANO is going to be exposed to numerous attacks with potential major impact
on the entire managed 5G infrastructure environment. The assets of MANO are also depicted in
detail in the corresponding ‘Zoom-in’ in the 5G architecture chapter 3.5.
Figure 17: Asset groups from the Management & Orchestration category
Protocols: This main category of 5G assets include IP and cellular stack. ENISA reviewed the
legacy protocols SS7 and Diameter in a study conducted in 201888. Early generations of mobile
networks such as 2G and 3G rely on these protocols that still contain many critical
vulnerabilities yet to be resolved. 5G networks will need to support SS7 and Diameter for the
foreseeable future (decades) in order to maintain global connectivity (roaming). Figure 18
depicts the various groups of assets associated with protocols typically implemented in a 5G
Network.
Figure 18: Asset groups from the Protocols category
Interconnections: This main category of 5G assets include home/visitor PLMN, security Edge
Protection Proxy (SEPP), packet data network gateway (PGW), N3IWF - Non-3GPP
87
https://www.enersec.net/Asset_MM/ accessed October 2020.
88
https://www.enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g, accessed October 2020.
96
December 2020
Interworking, trusted non-3GPP Gateway Function (TNGF), wireline Access Gateway Function
(W-AGF) and trusted WLAN Interworking Function (TWIF) asset groups. Figure 19 depicts the
various assets groups associated with interconnections that could be implemented in a 5G
Network.
Figure 19: Asset groups from the Interconnections category
Data: This main category of 5G assets include user, application, system, network, SDN and
security data. This asset group includes the entire data catalogue required in any 5G operation
combined with used data. Though not necessarily exhaustive at this stage of the analysis, this
asset group covers information related to: user data, system and configuration data, security-
related data, network data (configuration, edge, logs, API-data, SDN-data, etc.). It is expected
that 5G data such as user, security and configuration information will be subject to cyber-
attacks with the aim to breach them. Main motives are monetisation and unnoticed access to
the network.
Figure 20: Asset groups from the data category
Services: This main of 5G assets include the use cases, multi-edge computing (MEC) and cloud
service asset groups. These services are directly related with the asset monetisation model of a
5G Network and consequently represents part of the value generated that needs to be protected.
In this version of the 5GTL we review assets that support the value generation model but not the
97
December 2020
model itself. These were already covered by ENISA in previous work (cloud computing,
autonomous vehicles, IIOT89) or are part of recommendations for future research work.
Figure 21: Asset groups from the Services category
Processes: This main category of 5G assets include the MNO and the product development
lifecycle processes. All these processes are vital in a secure and reliable implementation of a
5G Network.
Figure 22: Asset groups from the Processes category
89
https://www.enisa.europa.eu/publications accessed October 2020.
98
December 2020
Organisation: This main category of 5G assets include time, legal, policy, business support
systems (BSS) and human assets.
Many components in this asset category were also included in the previous mapping. For
example, human assets are considered an important group since humans represent all
individuals involved in the operation and use of the 5G network. Time for example plays a
significant role in many time-dependent functions. With release 16 and the introduction of
mission-critical uses cases requiring constant time synchronisation (e.g. ITS, V2X, IIoT and
URLLC), this asset plays an even more important role in a 5G Network.
Figure 23: Asset groups from the Organisation category
99
December 2020
5.3 ASSET CLASSIFICATION AND THE CIA TRIAD

In the following table, we provide the relevance of the identified asset groups with regard to the CIA
triad.
Table 3: Relevance of asset groups to the maintenance of CIA properties
Asset C CIA Triad
Confidentiality Integrity Availability
Management &
● ● ●
orchestration
Network products ● ● ●
Protocols ● ●
Data ● ● ●
Interconnections ● ● ●
Services ● ● ●
Processes ● ● ●
Organisation ● ● ●
Legend:
Very high relevance of asset group to maintain the property: ●
High relevance of asset group to maintain the property: ●
Medium relevance of asset group to maintain the property: ●
Low relevance of asset group to maintain the property: ●
Very low relevance of asset group to maintain the property: ●
The assignment of these security properties has been performed at the level of asset groups. We
recommend performance of this exercise in higher detail, depending on the focus of prospective
threat assessments. In this case, to achieve a more precise mapping, users of this document
should obtain a more accurate internal evaluation of these properties.
Concluding this chapter, it is worth mentioning that due to its complexity and the early stage of 5G
networks (development, deployment, specification) the asset mapping is an ongoing task that will
need some time to reach a mature stage. This is due to a variety of reasons/issues regarding the
parameters of current 5G activities (narrow time windows for the creation of reports, resource
issues, knowledge transfer, vendor’s enrolment, etc.). These challenges will be sufficiently
managed in future assessment of 5G threats.
5.4 THE RELEVANCE OF ASSETS THROUGHOUT THE LIFECYCLE

The following table presents the relevance of the identified asset groups with regard to the 5G
network lifecycle.
100
December 2020
Table 4: Relevance of asset categories throughout the 5G network lifecyle
Asset
Lifecycle process (eTOM)
category
Operation
Operations (fulfilment and
Design Build support &
assurance)
readiness
Network The technical The network The testing Management plane, control
products requirements and planes, functions capabilities for plane, user plane, 5G core
specifications of the and elements physical functions, 5G RAN functions,
network infrastructure, legacy / non-standalone, service-
SDN and based architecture, security
Network functions, network function
functions virtualisation (NFV), physical
infrastructure, virtualisation
infrastructure, software defined
networking (SDN) and security
functions.
Management The infrastructure and Virtualisation User rights NFV MANO, network slicing
& virtualisation related (build) management, management, operations support
orchestration requirements components such service system (OSS), network/element
as scripts, programmability, management system (EMS/NMS)
templates and E2E service and SDN controller
schemas inventory and
federation
management.
Protocols Protocols requirements Protocol N/A IP and cellular stack

configuration data
Data The technical, security, The technical and Test and User data, application data,
legal, processual and security application data system data, network data, SDN
business data configuration data data and security data
generated.
Inter- The interconnection The Testing Home/visitor PLMN, security

connections requirements between interconnection interfaces Edge protection proxy (SEPP),
technologies, services APIs and between packet data network gateway
and operators proprietary technical (PGW), N3IWF - Non-3GPP
interfaces infrastructures, interworking, trusted non-3GPP
operators and gateway function (TNGF),
with providers wireline access gateway function
and customers. (W-AGF), trusted WLAN
interworking function (TWIF)
Services The use cases Cloud and tenant Use cases and Use cases, multi edge computing
requirements, (Verticals configuration verticals testing (MEC) and cloud computing
including on premises with vendors,
and cloud requirement operators and
customers
Processes The product design and Product Security MNO lifecycle processes, vendor
procurements development and assurance and development and product
requirements. Vendor security auditing, product lifecycle processes, security
review data. Risk and implementation road mapping. assurance processes
threat assessments
Organisation The legal aspects Organisational Time, policies Business support systems,
related with the data and human and human organisational data,
procurement of network assets assets synchronisation systems and
product including policy monitoring systems
tender specifications,
budget, contracts, laws
and regulations
101
December 2020
6. 5G THREATS
In the first edition of the threat landscape for 5G Networks, we identified and described multiple
threat types distributed by asset categories from the network architecture (core, access and
edge), traditional IP-based threats, insecure legacy 2/3/4G generations and the ones introduced
by the virtualisation technology. To complement the analysis, we added the potential impact
and information about the affected assets. We used ENISA threat taxonomy to group these
threats in one common list. In this edition, we continued reviewing the threat landscape by
updating the information from the previous edition and added new elements to the analysis. In
summary, we:
1. reviewed the network architecture based on the specifications defined in release 16 for
a generic network product (GNP);
2. reviewed the asset map based on the revised architecture and product lifecycle;
3. added information about vulnerabilities;
4. made a correlation between sensitive assets and vulnerabilities to look for exploitation
opportunities;
5. used STRIDE90 model to structure the information about threats and;
6. prepared a list combining all the information available about threats, including the ones
from the previous edition and other sources such as 3GPP and GSMA.
As previously mentioned, we used the STRIDE model to structure information about threats.
According to ISO 2700191, a threat can be defined as “the potential cause of an incident that
may result in a breach of information security or compromise business operations.”. In the
context of this report, we collected information about various potential causes of an incident
during the design, build, operation support & readiness and operations (fulfilment and
assurance) of a 5G Network structured in 6 main categories (spoofing identity, tampering,
repudiation, information disclosure, denial of service and elevation of privilege).
6.1 TAXONOMY OF THREATS

With the proliferation of methods, taxonomies and models, it is imperative to establish a
common understanding of the different terms used to describe the threat landscape. It should
start with the categorization of important elements such as assets, vulnerabilities and threats.
For example, the adoption of a common taxonomy in 5G security will help improving
communication among the various stakeholders in policymaking, regulation, product
development, system implementation and operation. For that purpose, ENISA presents a threat
taxonomy in Table 5 Annex B.
6.2 THREAT MAP

At this stage, we have completed the security risk management triangle with information about
assets, vulnerabilities and threats. Conducting a more detailed assessment for a particular
context and use case, it will be possible to complete the entire model. In this revision of the
threat map, we structured the information from the previous edition of this report and generic
threats from 3GPP security assurance specification (SCAS) using the STRIDE model.
90
https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)?redirectedfrom=MSDN,
91
https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/laws-regulation/rm-ra-
standards/iso-iec-standard-27001, accessed October 2020/
102
December 2020
Threat Type Threats Potential Impact Affected Assets
Nefarious Activity/ Manipulation of network configuration/data forging - Information integrity - SDN, NFV, MANO
Abuse of assets (NAA) - Routing tables manipulation - Information destruction - RAN, RAT
- CORE configuration data tampering - Service unavailability - System configuration data
- DNS manipulation - Network configuration data
- Manipulation of access network and radio technology configuration data - Security configuration data
- Exploitation of misconfigured or poorly configured systems/networks - Business services
- Registration of malicious network functions
- Security data tampering (cryptography keys, security policies, access rules,
etc,).
- Network implementation data tampering
- Operating system (OS) services tampering
Exploitation of software, hardware vulnerabilities - Information integrity - SDN, NFV, MANO, RAN,
- Zero-day exploits - Information destruction RAT, MEC, API
- Physical infrastructure
- Abuse of edge open application programming interfaces (APIs) - Service unavailability
- Application programming interface (API) exploitation - Business applications
- Software tampering - Security controls
- Cloud, virtualisation
- System execution hijack
- Subscribers’ data
- Application data
- Security data
- Network data
- Business services
Denial of service (DoS) - Service unavailability - SDN, NFV
- Distributed denial of service (DDoS) - Outage - RAN, RAT
- Flooding of core network components - MEC
- Flooding of base stations - CLOUD
- Amplification attacks - Network services
- MAC layer attacks - Business services
- Jamming the network radio
- Jamming device radio interface
- Jamming base station radio interface
- Edge node overload
- Authentication traffic spikes
Remote access exploitation - System integrity - RAT, SDN, NFV, MANO,
- intra-RAT mobility mechanism hijack - Data confidentiality CLOUD
- Intra-RAT
- RAT session hijack
103
December 2020
Malicious code/software - Service unavailability - Data network

- Injection attacks (SQL, XSS) - Information integrity - Business applications
- Rootkits - Information destruction - Security controls
- Rogueware - Other software asset integrity - Cloud, virtualisation
- Worms/trojan - Other software asset - Subscribers’ data
- Botnet destruction - Application data
- Ransomware - Security data
- Malicious network functions - Network data
- Malware attacks on network products - Business services
- Malware attacks on business applications - Network services
Abuse of remote access to the network - Information integrity - SDN, NFV, RAN, RAT
- Abuse on external remote services to network products (e.g. VPN) - System integrity - Intra-RAT
- Information confidentiality - Subscribers’ data
- Initial unauthorised access - Application data
- Persistence - Security data
- Network data
Abuse of information leakage - Information integrity - Data storage/ repository
- Theft and/or leakage from network traffic - Information destruction - Subscribers’ data
- Theft and/or leakage of data from cloud computing - Information confidentiality - Cryptographic keys
- Abuse on security data from audit tools - Monitoring data
- Theft/breach of security keys - User subscription profile
data
- Unauthorised access to user plane data
- Unauthorised access to signalling data - User plane data
- Signalling data
Abuse of authentication - Information integrity - Security data
- Authentication traffic spikes - Information destruction - Network service
- Abuse of user authentication/authorisation data by third parties’ personnel - Service unavailability - Network functions
- Abuse of the application management function (AMF) authentication and key - Initial unauthorised access - Subscribers’ data
agreement procedure - Persistence - Application data
- Abuse the credentials of existing accounts - Security data
- Network data
Lawful interception function abuse - Information integrity - Subscribers’ data
- Information destruction - User subscription profile
data
104
December 2020
Manipulation of hardware and software - Service unavailability - Cloud data centre

equipment
- Manipulation of hardware equipment - Information integrity
- Manipulation of the network resources orchestrator - Information destruction - User equipment
- Memory scraping - Radio access/units
- Light data centres
- Side channels attacks
- Fake access network node - SDN, MANO, NF,
- False or rogue MEC gateway - RAN, RAT
- Virtualisation
- UICC format exploitation
- UE compromising - Subscribers’ data
- Unacceptable UE security capabilities - Network services
- Software backdoor
Data breach, leak, theft and manipulation of information - Information integrity - Subscribers’ data
- Network product log tampering - Information destruction - Subscriber geo locations
- File Write Permission Abuse - Information confidentiality - Financial data
- Ownership file misuse - Commercial data, IP
- Breach of customer data - Configuration data
- Theft of personal data - Service data
- Network data
Unauthorised activities/network intrusions - Information integrity - User equipment
- IMSI catching attacks - System integrity - Network services
- Lateral movement - Business services
- Brute force
- Port knocking
Identity fraud/account or service - Service unavailability - User subscription profile
- Identity theft - Information destruction data
- Identity spoofing - Information integrity
- IP spoofing
- MAC spoofing
Spectrum sensing - Service unavailability - RAT
- Radio access units
105
December 2020
Compromised supply chain, vendor and service providers - Service unavailability - SDN, NFV, MANO, RAN,
RAT, MEC, API
- Abuse on third parties’ personnel access to MNO’s facilities - Information integrity
- Network product development tools tampering - Information destruction - Physical infrastructure
- Network product configuration tools tampering - Initial unauthorised access - Business applications
- Security controls
- Network product source code tampering
- Manipulation of network product updates - Cloud, virtualisation
- Network services
- Business services
Abuse of virtualisation mechanisms - Service unavailability - Virtualisation
- Network virtualisation bypassing - Information integrity - MANO
- Virtualised host abuse - Information destruction - Cloud
- Virtual machine manipulation - Network services
- Data centre threats - Business services
- Cloud container image implant
- Cloud container image backdoor
- Abuse of cloud computational resources
Signalling threats - Service unavailability - RAT
- Signalling storms - Information integrity - Radio access units
- Signalling fraud - Information destruction - Protocols
- Network services
- Business services
Traffic Tampering - - RAT
- SDN, NFV, MANO
Eavesdropping/ Nation state espionage - Information integrity - Subscribers’ data

Interception/ Hijacking - Information confidentiality - Subscriber geo locations
(EIH)
Corporate espionage - Information integrity - Financial data
- Information confidentiality - Commercial data
- IP
Traffic sniffing - Information integrity - Data traffic

- Subscriber geo location
106
December 2020
Manipulation of network traffic, network reconnaissance and information - Information integrity - Data traffic
gathering
- Radio network traffic manipulation - Subscriber geo locations
- Malicious diversion of traffic
- Traffic redirecting
- Abuse of roaming interconnections
Man in the middle/ Session hijacking - Information integrity - Data traffic

- Session hijacking via rogue base station - Information confidentiality - Subscribers’ data
- Downgrade attacks via rogue base station - Subscriber geo locations
Interception of information - Information integrity - Data traffic
- Data eavesdropping via compromised small cell - Information confidentiality - Subscribers’ data
- Air interface eavesdropping - Subscriber geo locations
- Device and identity tracking via rogue base station
- Eavesdropping on unencrypted message content
Physical Attacks (PA) Sabotage of network infrastructure (radio access, edge servers, etc.) - Service unavailability - Radio access units
- Hardware additions - Information destruction - ICT equipment
- Information integrity - Light data centre
- Initial unauthorised access - Cloud data centre
- Network services
- Business services
Vandalism of network infrastructure (radio access, edge servers, etc.) - Service unavailability - Radio access units
- Information destruction - ICT equipment
- Cloud data centre
- Network services
- Business services
Theft of physical assets - Service unavailability - Radio access units

- Cloud data centre
- Network services
- Business services
107
December 2020
Terrorist attack against network infrastructure - Service unavailability - Radio access units
- Cloud data centre
- Network services
- Business services
Fraud by MNO employees - Service unavailability - Radio access units
- Information integrity - Light data center
- Cloud data center
- Network services
- Business services
Unauthorised physical access to based stations in shared locations - Service unavailability - RAT
- Information destruction - Radio access units
- Information integrity - Network services
- Business services
Unintentional damages Misconfigured or poorly configured systems/networks - Service unavailability - Management processes
(accidental) (UD) - Information integrity - Policies
- Legal
- Human assets
- SDN, NFV, MANO, API
- RAN, RAT, MEC
- Business applications
- Security controls
Inadequate designs and planning or lack of adaption - Service unavailability - Management processes
- Outdated system or network from the lack of update or patch management - Information integrity - Policies
- Errors from the lack of configuration change management - Human assets
- Poorly design network and system architecture - SDN, NFV, MANO, RAN,
RAT, MEC, API
- Security controls
108
December 2020
Erroneous use or administration of the network, systems and devices - Service unavailability - Management processes
- Information integrity - Policies
- Human assets
- SDN, NFV, MANO, RAN,
RAT, MEC, UE, API
- Security controls
Information leakage/sharing due to human error - Information integrity - Data storage/repository
- Information confidentiality - Management processes
- Policies
- Legal
- Human assets
- Application data
- Security data
- Network data
Data loss from unintentional deletion - Information integrity - Management processes
- Information confidentiality - Policies
- Human assets
Failures or Malfunctions Failure of the network, devices or systems - Service unavailability - Cloud data centre
(FM) - Information destruction - User equipment
- Information integrity - RAT, Radio unit
- Light data centre
- Application data
- Security data
- Network data
Failure or disruption of communication link - Service unavailability - Cloud data centre

- Information destruction - Network services
- Information integrity - Business services
109
December 2020
Failure or disruption of main power supply - Service unavailability - Cloud data centre
Failure or disruption from service providers (supply chain) - Service unavailability - Network services
- Information destruction - Business services
- Information integrity
Malfunction of equipment (devices or systems) - Service unavailability - Radio access units

- Cloud data centre
- Network services
- Business services
Outages (OUT) Loss of resources - Service unavailability - Human assets

- Human resources - Information destruction - Legal
- Physical resources - Information integrity - Network services
- Business services
Support services - Service unavailability - Human assets

- Information destruction - Management processes
- Information integrity - Policies
- Legal
- Network services
- Business services
Data network (access) - Service unavailability - Cloud data centre
Interfering radiation - Service unavailability - CORE, RAN, MANO, UE

- Cloud data centre
- Network services
- Business services
110
December 2020
Disasters (DIS) Natural disasters - Service unavailability - Radio access units

- Earthquakes - Information destruction - ICT equipment
- Landslides - Information integrity - Light data centre
- Cloud data centre
- Network services
- Business services
Environmental disaster - Service unavailability - Radio access units
- Floods, storms - Information destruction - ICT equipment
- Pollution, dust, corrosion - Information integrity - Light data centre
- Fires, heavy winds - Cloud data centre
- Unfavourable climatic conditions - Network services
- Business services
Legal (LEG) Breach of service level agreement (SLA) - Service unavailability - Network services
Breach of legislation - Service unavailability - Network services
Failure to meet contractual requirements and/or legislation - Service unavailability - Network services
111
December 2020
In the following table we provide a mapping between the ENISA 5G threat taxonomy and the vulnerabilities/threats identified by 3GPP.
This mapping establishes the correspondence between the threats assigned to the assessed vulnerabilities.
Spoofing Identity Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
NEFARIOUS ACTIVITY/ ABUSE OF ASSETS (NAA)
Malicious Code or SW Malware · Software Tampering Malware Over-Privileged

(NAA-MAL) · Log Tampering Processes/Services
Exploitation of flaws in · Default Accounts · Software Tampering · Lack of User Activity · Poor Key Generation · Compromised/ · Misuse by Authorized Users
the architecture, · Weak Password · Ownership File Misuse Trace · Poor Key Management Misbehaving User · Over-Privileged
design and Policies · External Device Boot · Weak Cryptographic Equipment Processes/Services
configuration of the · Malware · Log Tampering Algorithms · Implementation · Folder Write Permission
network. (NAA-EXPLO) · Eavesdropping · OAM Traffic · Insecure Data Storage Flaw Abuse
Tampering · System Fingerprinting · Insecure Network · Root-Owned File Write
· File Write Permission · Malware Services Permission Abuse
Abuse · Insecure Default · High-Privileged Files
· User Session Configuration · Insecure Network Services
Tampering · File/ Directory Read · Elevation of Privilege via
Permissions Misuse Unnecessary Network
· Insecure Network Services Services
· Unnecessary Services
· Unnecessary Applications
· Eavesdropping
· Security threat caused by
lack of GNP traffic isolation.
Denial of Service · Software Tampering · File/ Directory Read · Compromised/ · High-Privileged Files
(NAA-DoS) · File Write Permission Permissions Misuse Misbehaving User
Abuse Equipment
· Implementation
Flaw
· Insecure Network
Services
· Human Error
112
December 2020
Abuse of information · Malware · Software Tampering · Poor Key Generation

leakage (NAA-AIL) · Eavesdropping · Ownership File Misuse · Weak Cryptographic
Algorithms
· Insecure Data Storage
· System Fingerprinting
· Malware
· Personal Identification
Information Violation
· Insecure Default
Configuration
· File/ Directory Read
Permissions Misuse
· Insecure Network Services
· Log Disclosure
· Eavesdropping
Abuse of remote · Direct Root Access · Unnecessary Services · Elevation of Privilege via
access to the network. Unnecessary Network
(NAA-ARA) Services
Exploitation of · Software Tampering · Lack of User Activity · System Fingerprinting · Compromised/ · Insecure Network Services
software, and/or · External Device Boot Trace · Unnecessary Applications Misbehaving User · Elevation of Privilege via
hardware · File Write Permission · Poor Key Generation Equipment Unnecessary Network
vulnerabilities. (NAA- Abuse · Insecure Default · Implementation Services
ESHV) · User Session Configuration Flaw
Tampering · Unnecessary Services · Insecure Network
Services
· Human Error
113
December 2020
Abuse of · Default Accounts · OAM Traffic · Lack of User Activity · Poor Key Generation · Misuse by Authorized Users
authentication (NAA- · Weak Password Tampering Trace · Poor Key Management · Over-Privileged
AA) Policies · File Write Permission · Weak Cryptographic Processes/Services
· Password Peek Abuse Algorithms · Folder Write Permission
· Direct Root Access · Insecure Data Storage Abuse
· IP Spoofing · Insecure Default · Root-Owned File Write
Configuration Permission Abuse
· File/ Directory Read · High-Privileged Files
Permissions Misuse · Insecure Network Services
· Unnecessary Applications · Elevation of Privilege via
Unnecessary Network
Services
Lawful interception · File Write Permission · Insecure Default · Folder Write Permission
function abuse (NAA- Abuse Configuration Abuse
LIFA) · Unnecessary Applications · Root-Owned File Write
Permission Abuse
Manipulation of · Default Accounts · Software Tampering · Lack of User Activity · Insecure Default · Compromised/ · Insecure Network Services
hardware and software · IP Spoofing · External Device Boot Trace Configuration Misbehaving User · Elevation of Privilege via
(NAA-MSH) · Malware · File Write Permission · Unnecessary Applications Equipment Unnecessary Network
Abuse · Implementation Services
· User Session Flaw
Tampering · Insecure Network
Services
· Human Error
114
December 2020
Data, breach, leak, · Default Accounts · OAM Traffic · Lack of User Activity · Poor Key Generation · Folder Write Permission
theft and manipulation · Weak Password Tampering Trace · Poor Key Management Abuse
of information (NAA- Policies · Weak Cryptographic · Root-Owned File Write
DBLT) · Password Peek Algorithms Permission Abuse
· Malware · Insecure Data Storage · Insecure Network Services
· Eavesdropping · Malware · Elevation of Privilege via
· Personal Identification Unnecessary Network
Information Violation Services
· Insecure Default
Configuration
· File/ Directory Read
Permissions Misuse
· Insecure Network Services
· Log Disclosure
· Eavesdropping
Unauthorised · Default Accounts · Personal Identification · Compromised/ · Misuse by Authorized Users

activities/network · Weak Password Information Violation Misbehaving User · Insecure Network Services
intrusions (NAA-UANI) Policies · Insecure Network Services Equipment · Elevation of Privilege via
· Password Peek · Unnecessary Services · Insecure Network Unnecessary Network
· Direct Root Access · Eavesdropping Services Services
· IP Spoofing · Human Error
· Malware
· Eavesdropping
Identity fraud/account · Default Accounts · Lack of User Activity · System Fingerprinting · Compromised/ · Misuse by Authorized Users
or service (NAA-IFAS) · Weak Password Trace · Malware Misbehaving User · Folder Write Permission
Policies · Insecure Network Services Equipment Abuse
· Password Peek · Unnecessary Services · Insecure Network · Over-Privileged
· Direct Root Access Services Processes/Services
· IP Spoofing · Human Error · Insecure Network Services
· Malware · Elevation of Privilege via
· Eavesdropping Unnecessary Network
Services
115
December 2020
Spectrum sensing · Compromised/

(NAA-SS) Misbehaving User
Equipment
· Implementation
Flaw
· Insecure Network
Services
· Human Error
Compromised supply · Direct Root Access · External Device Boot · Lack of User Activity · Unnecessary Applications · Human Error · Elevation of Privilege via
chain, vendor and Trace · Unnecessary Services Unnecessary Network
service providers Services
(NAA-CSVS)
Abuse of virtualization
mechanisms (NAA-
AVM)
Signalling threats · Insecure Default · Compromised/

(NAA-ST) Configuration Misbehaving User
· Security threat caused by Equipment
Manipulation of · Default Accounts · Insecure Default · Compromised/

network · Weak Password Configuration Misbehaving User
configuration/data Policies · Personal Identification Equipment
forging. (NAA-MND) · Password Peek Information Violation · Insecure Network
· Direct Root Access · Insecure Network Services Services
· Eavesdropping · Unnecessary Services · Human Error
· Eavesdropping
EAVESDROPPING/ INTERCEPTION/ HIJACKING (EIH)
Eavesdropping/ · Eavesdropping · Insecure Default

interception/ hijacking Configuration
(EIH-EV) · Eavesdropping
lack of GNP traffic isolation
116
December 2020
PHYSICAL ATTACKS (PA)
PHYSICAL ATTACKS · Software Tampering · File/ Directory Read · Folder Write Permission
(PA-1) · Ownership File Misuse Permissions Misuse Abuse
· External Device Boot · Security threat caused by · High-Privileged Files
· Log Tampering lack of GNP traffic isolation.
· OAM Traffic
Tampering
· File Write Permission
Abuse
· User Session
Tampering
117
December 2020
7. THREAT AGENTS
The assessed threat agents engaged in attacks of 5G infrastructures remain identical to the
previous edition of the 5G Threat Landscape8. This is due to the fact that there are no insights
about malicious activities targeting 5G infrastructures. Main reasons for this are:
 Due to the early stages of 5G deployments, no incidents of attacks to 5G

infrastructures have been identified during 2020;
 The threat agent assessment is based on hypothetical attacks;
 The current threat landscape is done at the level of specifications. Real attacks will
happen against implementations. This will influence modus operandi;
 As business processes that will run of 5G infrastructures are still unknown, it is difficult
to assess threat actor motives other than the obvious state-sponsored interventions.
There are no indications about the most frequent threat of cybercrime.
These points make clear that as the next generation of Mobile Networks (5G) are being
deployed, existing threat agent profiles will develop towards a new set of capabilities and
motives. Nonetheless, without any analysis of specific implementations of 5G infrastructures
and business processes running on these infrastructures, a threat agent assessment can be
performed only at a generic hypothetical level.
Given this the complexity of 5G infrastructures and the ambiguity regarding 5G related attack
vectors, it is expected that the following facts will influence the attacker profile:
 A whole set of new vulnerabilities related to individual 5G deployments will expand the
attack surface, exposure, number and nature of critical assets.
 New tools/methods to exploit those vulnerabilities will be developed.
 New motives/ impacted targets are going to be observed due to the interconnected
verticals/applications.
 Existing threat agent groups may be expanded with ones that have an interest in novel
malicious objectives emerging from the upcoming 5G use-cases.
These facts may cause an unprecedented shift of capabilities and objectives of existing threat
agent groups in ways that have not been seen in the past.
Having regard to the above mentioned facts, in the current 5G Threat Landscape, we stick to
the threat agent groups assessed in the previous edition taking into account the following threat
agent groups:
 Cyber criminals
 Insider (own, third parties)
 Nation states
 Hacktivists
 Cyber-fighters
 Cyber-terrorists
 Corporations
 Script kiddies
Interested readers should revisit the previous 5G Threat Landscape edition8 to find the
descriptions and motives of these threat agent groups.
118
December 2020
For the sake of completeness, we provide below a mapping between threat agents and cyber-
threats used in this report.
Table 5: Involvement of threat agents in cyberthreats92
Cyber- Nation Cyber- Cyber- Script-

Insiders Hacktivists Corporations
criminals States warriors terrorists kiddies
Nefarious
✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
activity/Abuse
Eavesdropping/
Interception/ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Hijacking
Disasters ✓ ✓ ✓
Unintentional
✓ ✓ ✓ ✓ ✓
Damage
Outages ✓ ✓ ✓ ✓ ✓ ✓
Failures/
✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
malfunctions
Legal ✓ ✓ ✓ ✓ ✓ ✓ ✓
Physical
✓ ✓ ✓ ✓ ✓ ✓ ✓
attacks
Legend:
Primary group for threat: ✓
Secondary group for threat: ✓
92
It is worth mentioning that the involvement is indicative and at a high level of abstraction (i.e. threat categories). Given
the detailed vulnerability analysis presented in this document (see Annexes C-M), it is possible to infer the potential
engagement of these threat agent groups in exploitation campaigns. In this way, a detailed threat agent profiling can be
performed. This task has not been performed in this report. However, it will be subject of prospective ENISA activities in
detailed threat/risk assessments.
119
December 2020
8. RECOMMENDATIONS/
CONCLUSIONS
8.1 RECOMMENDATIONS
Based on the assets, threats and the state-of-play of current developments, the following
recommendations/courses of actions can be made for various stakeholders of the 5G
ecosystem:
Recommended courses of action at EU level (e.g. Member States, European Commission

and ENISA)
 It is essential that the EU continues to facilitate the definition of common security standards
across for 5G Networks and its use cases by supporting further cooperation and
information sharing among Member States.
 The existing EU 5G observatory93 is a very useful/important resource for dissemination of

content related to 5G, in support of activities of EU 5G Stakeholders. It covers
developments in various areas of 5G, such as status of 5G deployments, relevant MS-
actions, market uptakes, economic aspects of 5G infrastructure development, etc. Besides
this information offering, it is recommended to collect cybersecurity-related market
information, such as the status of specifications, and certification activities, more
systematically, through the appropriate mechanism or forum.
 Relevant work of stakeholders (e.g. Member States, MNOs, etc.) regarding prioritisation of
implementation, service criticality assessments, security requirements, etc. should be
consolidated and made available to the 5G community. This could be one of the tasks of
the 5G observatory mentioned above.
 It is important to deliver developed CTI in a form that can be more easily utilised by
interested stakeholders. A possible way to achieve this can be by means of a 5G CTI
repository offering querying facilities based on various criteria (i.e. such as threat exposure,
vulnerabilities per asset type, threats per attacker type, mapping of roles and assets, etc.).
 In orchestration with the above-mentioned recommendations, critical 5G services should be

identified and implemented. Main objective of this action is could be to develop a security
assurance scheme that could drive certifications on 5G equipment, software and
processes. In all cases, a risk-based approach should be followed. CTI provided within this
report should be adapted where necessary and taken into account within the risk
assessment and the evaluation of attacker potential.
 As the proliferation of AI algorithms has reached components used in the 5G ecosystem, it

is proposed to assess the threat exposure such functions throughout the components of
the entire 5G ecosystem (devices, EPROMs, software, sensors, actuators, etc.). This
activity overlaps with current ENISA work on an AI Threat Landscape, whereas a more
deep assessment w.r.t. 5G could be done in prospective versions of the 5G Threat
Landscape, when more information about such functions will be available.
 Through the performed threat analysis, it has been recognised that some work needs to be
done in the area of 5G threat agent profiling and in the identification of possible attack
vectors. Given the rudimentary information available for both topics and the level of
93
https://5gobservatory.eu, accessed November 2020.
120
December 2020
available information processed (mainly specification level), at this point of time a profiling
would be premature. Nonetheless, this work is considered as a priority for future versions
of the 5G Threat Landscape, given the availability of more information on both threat
agents and attack vectors.
Recommendations for 5G market stakeholders (e.g. vendors, MNOs, Operators of

Services, Standardisation Bodies, 5G Test Labs, etc.)
 More detailed mappings of asset/role responsibilities and vulnerabilities/threats could

enhance the utilisation of the produced CTI. This process could be steered by means of
identified priorities and asset criticalities assessed via market analysis, stakeholder surveys
and 5G rollout activities of MNOs.
 A detailed cap analysis for the protection of various 5G assets needs to be performed.
Besides organisational issues, such a gap analysis will be needed for
migration/implementation options.
 The specification of 5G provides a solid basis for the security of the entire system.
Nonetheless, the final security level will heavily depend on implementation/coding
practices. The development of good practices/guidelines for the secure implementation of
network functions is an important step towards maintaining the security level of the
specification in the resulting code-base. Such guidelines do not yet exist.
 The terminology used in various published 5G documents (specifications, standardisation

documentation, research projects, etc.) needs to be consolidated. This will facilitate
homogeneity in references to important security concepts (e.g. threats, vulnerabilities,
impact, responsibilities, stakeholders, etc.) and will contribute to an elevation of
understanding and utilization of the produced material.
 Some operational, general-purpose process models and frameworks do exist in the area of
telecommunication. They cover network management, vendor and security assurance
processes. Though making up a very good starting point for 5G infrastructures, they might
entail gaps w.r.t. specialised 5G operational issues. It is proposed to perform a systematic
gap analysis of these frameworks to test their 5G adequacy and fill the identified gaps.
Recommendations for national competent bodies in the area of 5G cybersecurity (e.g.

NRAs, NCSCs, National 5G Test Centres, etc.)
 With guidance from current 5G deployments (including migration options), more exhaustive
gap analysis on various areas of cybersecurity measures, should be performed. This
information will contribute to the advancement of current cybersecurity practices. The
delivered CTI of this report can serve as key input towards a risk and threat based
approach.
While the above may be advisable future actions for various stakeholder groups, ENISA
envisages an involvement in the following actions e.g. on behalf/on request of EU, MS
 It is important to deliver developed CTI in a form that can be more easily utilised by
interested stakeholders. A possible way to achieve this can be by means of a 5G CTI
repository offering querying facilities based on various criteria (i.e. such as threat exposure,
vulnerabilities per asset type, threats per attacker type, mapping of roles and assets, etc.).
 Fostering the use of the released CTI within implementation projects and establishment of
feedback will be an important element for the improvement of the presented material and
enhancement of 5G technical and operational cybersecurity.
 Performance of risk assessments for specific parts of the 5G infrastructure will lead to
better utilisation of the information delivered in the present report and will reveal areas of
improvement of the provided analysis. A pilot on a security assurance scheme for
121
December 2020
certification of identification service is planned by ENISA for the coming semester.

Information from the present report will flow into this activity during the risk assessment
phase.
 Besides integrating feedback from implementations, processes and detailed assessments,

prospective versions of the 5G threat landscape need to be linked to planned versions of
5G specification activities, in particular regarding the work of 3GPP group.
8.2 CONCLUSIONS
Having reached a good degree of comprehensiveness and detail within this version of the 5G
Threat Landscape, it is proposed to put the focus on utilization within upcoming activities at EU
level, Member States and MNOs. By means of the identified recommendations, this objective
can be achieved. Just as in the previous edition of the 5G Threat Landscape, it will be important
to use this material in various stakeholder activities, identify current and future developments
and try to accommodate those in future versions of the present report.
Such activities, if performed in a coordinated manner, will speed up implementation of

measures developed by various actors (i.e. EU toolbox measures, specified security measures,
development of 5G good practices for operation and security assurance).
ENISA will continue engaging within cybersecurity activities of 5G. Coordination with EU-wide
activities will be key to the success of this attempt.
Future ENISA actions on this matter will be agreed upon, mandated and coordinated with
European Commission and Member States (NIS CG SG on 5G) as deemed necessary.
122
December 2020
A ANNEX: ASSETS MAP
Figure 24: 5G Asset Mind Map (FULL)
A full diagram of the Asset Mapping will be made available at ENISA website94.
94
https://www.enersec.net/Asset_MM/ accessed October 2020.
123
December 2020
B ANNEX: THREAT TAXONOMY
The references presented in Table 5 will help the reader relating ENISA Threat Taxonomy with the vulnerabilities presented in Annexes from C to M.
These references result from the intersection between ENISA and ITU threat Taxonomies.
ENISA Threat Taxonomy Categories are the following:
 Nefarious activity/abuse (NAA): This threat category is defined as “intended actions that target ICT systems, infrastructure, and networks by
means of malicious acts with the aim to either steal, alter, or destroy a specified target”.
 Eavesdropping/Interception/ Hijacking (EIH): This threat category is defined as “actions aiming to listen, interrupt, or seize control of a third
party communication without consent”.
 Physical attacks (PA): This threat category is defined as “actions which aim to destroy, expose, alter, disable, steal or gain unauthorised
access to physical assets such as infrastructure, hardware, or interconnection”.
 Damage (DAM): This threat category is defined as intentional actions aimed at causing “destruction, harm, or injury of property or persons
and results in a failure or reduction in usefulness”.
 Unintentional Damage (UD): This threat category is defined as unintentional actions aimed at causing “destruction, harm, or injury of
property or persons and results in a failure or reduction in usefulness”.
 Failures or malfunctions (FM): This threat category is defined as “Partial or full insufficient functioning of an asset (hardware or software)”.
 Outages (OUT): This threat category is defined as “unexpected disruptions of service or decrease in quality falling below a required level“.
 Disaster (DIS): This threat category is defined as “a sudden accident or a natural catastrophe that causes great damage or loss of life”.
 Legal (LEG): This threat category is defined as “legal actions of third parties (contracting or otherwise), in order to prohibit actions or
compensate for loss based on applicable law”.
124
December 2020
Figure 25: 5G Threat Taxonomy Categories
125
December 2020
Table 5: ENISA and ITU Threat Taxonomies
THREAT TAXONOMY DETAILED (ITU)
THEFT, REMOVAL OR
DESTRUCTION OF CORRUPTION OR
LOSS OF DISCLOSURE OF INTERRUPTION OF
ENISA THREAT TAXONOMY INFORMATION AND MODIFICATION OF
INFORMATION AND INFORMATION SERVICES.
OTHER RESOURCES INFORMATION
OTHER RESOURCES
Nefarious Activity/ Abuse of assets (NAA)
Malicious Code or SW (NAA-MAL) NAA-MAL1 NAA-MAL2 NAA-MAL3 NAA-MAL4 NAA-MAL5
Exploitation of flaws in the architecture, design and configuration

NAA-EXPLO2 NAA-EXPLO3 NAA-EXPLO4 NAA-EXPLO5
of the network. (NAA-EXPLO)
Denial of Service (NAA-DoS) NAA-DoS1 NAA-DoS5
Abuse of information leakage (NAA-AIL) NAA-AIL3 NAA-AIL4
Abuse of remote access to the network. (NAA-ARA) NAA-ARA1 NAA-ARA2 NAA-ARA3 NAA-ARA4 NAA-ARA5
Exploitation of software, and/or hardware vulnerabilities. (NAA-

NAA-ESHV1 NAA-ESHV2 NAA-ESHV3 NAA-ESHV4 NAA-ESHV5
ESHV)
Abuse of authentication (NAA-AA) NAA-AA1 NAA-AA2 NAA-AA3 NAA-AA4 NAA-AA5
Lawful interception function abuse (NAA-LIFA) NAA-LIFA5
Manipulation of hardware and software (NAA-MSH) NAA-MSH1 NAA-MSH2 NAA-MSH3 NAA-MSH4 NAA-MSH5
Data, breach, leak, theft and manipulation of information (NAA-

NAA-DBLT2 NAA-DBLT3 NAA-DBLT4
DBLT)
Unauthorised activities/network intrusions (NAA-UANI) NAA-UANI1 NAA-UANI2 NAA-UANI3 NAA-UANI4 NAA-UANI5
Identity fraud/account or service (NAA-IFAS) NAA-IFAS1 NAA-IFAS2 NAA-IFAS3 NAA-IFAS4 NAA-IFAS5
Spectrum sensing (NAA-SS) NAA-SS5
Compromised supply chain, vendor and service providers (NAA-

NAA-CSVS4 NAA-CSVS5
CSVS)
126
December 2020
Abuse of virtualization mechanisms (NAA-AVM)
Signalling threats (NAA-ST) NAA-ST5
Manipulation of network configuration/data forging. (NAA-MND) NAA-MND1 NAA-MND2 NAA-MND5
Eavesdropping/ Interception Hijacking (EIH) EIH4
Physical Attacks (PA) PA1 PA3 PA5
Unintentional damages (accidental) (UD) UD1 UD2 UD3 UD4
Failures or Malfunctions (FM) FM1 FM2 FM5
Outages (OUT) OUT
Disasters (DIS) DIS
Legal (LEG) LEG
127
December 2020
Figure 26: 5G Threat Taxonomy

Injection attacks (SQL, XSS)
Virus
Malware Malicious code or

Distributed denial of service (DDoS) software
Nation state espionage
Flooding of Core network components Rootkits
Eavesdropping/ Corporate espionage
Flooding of base stations Rogueware Interception/ Hijacking Radio network traffic manipulation
Traffic sniffing
Radio interference Worms/trojans Malicious diversion of traffic
Manipulation of network traffic, network
Jamming the radio frequency
Ransomware reconnaissance and information gathering Traffic redirecting
Amplification attacks
Edge node overload Exploitation of flaws in the architecture, design and configuration of the network Man in the middle/ Session hijacking Abuse of roaming interconnections
Denial of service
Theft and/or leakage from network traffic Landslides
Floods
Natural disasters
Theft and/or leakage of data from cloud computing Abuse of Information Leakage Earthquakes Storms
Environmental
Disasters disasters Unfavorable climatic conditions
Abuse on security data from audit tools
Abuse of remote access to the network Fires
Theft/breach of security keys Misconfigured or poorly configured systems/networks Pollution, dust, corrosion
Zero-day exploits
Exploitation of software, and/or Unintentional
Abuse of edge open application programming interfaces (APIs) damages Inadequate designs and planning or lack of adaption
hardware vulnerabilities Heavy winds
(accidental)
Erroneous use or administration of the network, systems and devices
Application programming interface (API) exploitation
Authentication traffic spikes Information leakage/sharing due to human error

Manipulation of hardware equipment Abuse of authentication
Abuse of user authentication/authorization data by third parties personnel Data loss from unintentional deletion
Manipulation of the network
resources orchestrator Lawful interception function abuse Support services
Manipulation of hardware and software
Memory scraping Loss of human or physical resources
MAC spoofing Data breach, leak, theft and manipulation of information

Outages Data Network access
Side channels attacks Lateral movement

Unauthorised activities/network intrusions Power supply
Fake access network node IMSI catching attacks Nefarious activity/
abuse of assets Failure or disruption of communication links
False or rogue MEC gateway Identity spoofing
Threat Failures/
malfunctions Failure or disruption of main power supply
Identity fraud/account or service
UICC format exploitation Identity theft Failure of the network, devices or systems
Spectrum sensing
User equipment compromising Failure or disruption from service providers (supply chain)
Threat from third parties personnel accessing MNO s facilities Compromised supply chain, vendor and service providers
Breach of legislation
Network virtualisation bypassing Legal Failure to meet contractual requirements and/or legislation
Virtualised host abuse Abuse of virtualization mechanisms Breach of service level agreement (SLA)
Virtual machine manipulation

Signalling storms Sabotage of network infrastructure (radio access, edge servers, etc.)
Data center threats
Signalling threats
Physical attacks
Abuse of cloud computational resources Signalling fraud Vandalism of network infrastructure (radio access, edge servers, etc.)
Theft of assets
Manipulation of access network and radio technology configuration data
Manipulation of network
configuration/data forging Terrorist attack against network infrastructure
Exploitation of misconfigured or poorly configured systems/networks
Falsification of configuration data Fraud by MNO employees
DNS manipulation Unauthorized physical access to based stations in shared locations
Routing tables manipulation
Registration of malicious network functions
128
December 2020
C ANNEX: DETAILED VULNERABILITIES IN

THE CORE NETWORK
Associated Threats
Name of Security Requirements /Description of
Description Assets Security Controls (Threat Stakeholder Source Ref
Vulnerability security controls
Category Taxonomy)
Improper protection of Service Based Interfaces
Improper Use of TLS profiles forbidden in TS all Network TS 33.501 / 13.1 All network functions shall support TLS. Information Vendor, 3GPP TS
transport layer 33.310 for NF mutual authentication and Function Protection at the Network functions shall support both Disclosure, SECAM 33.117
protection of NF transport layer protection. May lead (NF) within network or server-side and client-side certificates. Rogue base Accreditation 3GPP TS
service-based to sensitive information/data being the 5G Core transport layer The TLS profile shall follow the profile station Body, 33.310
interfaces (SBI) disclosed and eventually tampered. (5GC) TS 33.501 / 13.3 given in clause 6.2 of TS 33.210 with the NAAx, EIH4 Accredited 3GPP TR
utilizing Authentication and restriction that it shall be compliant with Test Lab 33.926
Service- static authorisation the profile given by HTTP/2 as defined in 4.2.2.2.2
Based RFC 7540. TLS shall be used for transport
Interfaces protection within a PLMN unless network
(SBI) security is provided by other means.
NRF and NF shall authenticate each other
during discovery, registration, and access
token request. If the PLMN uses protection
at the transport layer, authentication
provided by the transport layer protection
solution shall be used for mutual
authentication of the NRF and NF.
129
December 2020
Associated Threats
Category Taxonomy)
Incorrect There are the following threats if the all Network TS 33.501 13.4.1. The authorisation framework uses the Elevation of Vendor, 3GPP TS
Verification of generic NF cannot correctly verify the Function OAuth 2.0 based OAuth 2.0 framework as specified in RFC Privilege, SECAM 33.117
Access Tokens access tokens: (NF) within authorisation of 6749. Access tokens shall be JSON Web Information Accreditation 4.2.2.2.3,
- An access token may be tampered so the 5G Core Network Function Tokens as described in RFC 7519 and are Disclosure, Body, 4.2.2.2.4
that an attacker can arbitrarily access (5GC) service access secured with digital signatures or Message Denial of Accredited
any services from any NF service utilizing Authentication Codes (MAC) based on Service. Test Lab
providers within the same PLMN or in Service- JSON Web Signature (JWS) as described NAAx, EIH4
different PLMNs, which leads to Based in RFC 7515.
elevation of privilege and consequently Interfaces
information disclosure. (SBI)
- An access token may be tampered so
that an attacker can block service
access by replacing the granted
services/NF service providers with
unavailable services/NF service
providers, which leads to denial of
service.
Vulnerabilities in implementation of AMF security functionalities
Incorrect If the gNB does not send the UE 5G gNB, AMF TS 33.501/6.7.3.1 The AMF shall verify that the UE's 5G Tampering Vendor, 3GPP TS
implementation security capabilities, the AMF cannot Xn-handover security capabilities received from the Data, SECAM 33.511
of bidding verify 5G security capabilities are the target gNB are the same as the UE's 5G Information Accreditation 3GPP TS
down same as the UE security capabilities that security capabilities that the AMF has Disclosure, Body, 33.512
prevention at the AMF has stored, the attacker may locally stored. If there is a mismatch, the Denial of Accredited 4.2.2.1.14
Xn-handover force the system to accept a weaker AMF shall send its locally stored 5G Service. Test Lab 4.2.2.4
security algorithm than the system is security capabilities of the UE to the target
allowed, forcing the system into a gNB in the Path-Switch Acknowledge NAAx, EIH4
lowered security level making the message. The AMF shall support logging
system easily attacked and/or capabilities for this event and may take
compromised additional measures, such as raising an
alarm
Incorrect If SMC does not include the complete AMF TS 33.512/ AMF shall support replay protection of Tampering of Vendor, TS 33.512
implementation initial NAS message if either requested 4.2.2.3.1 Replay NAS signalling messages between UE Data, SECAM 4.2.2.3.1
of NAS by the AMF or the UE sent the initial protection of NAS and AMF on N1 interface." as specified in Information Accreditation
signalling NAS message unprotected, the UE can signalling TS 33.501 [2], clause 5.5.1. Disclosure Body,
messages force the system to reduce the security messages Accredited
replay level by using weaker security NAAx, EIH4 Test Lab
protection algorithms or turning security off, making
the system easily attacked and/or
compromised
130
December 2020
Associated Threats
Category Taxonomy)
Incorrect If NAS NULL integrity protection is used AMF TS 33.117 / 5.5.2 NIA0 shall be disabled in AMF in the Elevation of Vendor, 3GPP TS
implementation outside of emergency call scenarios, an Signalling data deployments where support of Privilege SECAM 33.512
of attacker can initiate unauthenticated integrity unauthenticated emergency session is not Accreditation 4.2.2.3
cryptographic non-emergency calls a regulatory requirement." as specified in NAAx, EIH4 Body,
protection for TS 33.501 [2], clause 5.5.2 Accredited
NAS signalling Test Lab
messages
Incorrect If the highest priority NAS integrity AMF TS 33.501, 6.7.1 To establish the NAS security context, the Tampering of Vendor, 3GPP TS
implementation protection is not selected by the new Procedures for AMF shall choose one NAS ciphering Data, SECAM 33.512
of procedures AMF in AMF change, the new AMF NAS algorithm algorithm and one NAS integrity protection Information Accreditation 4.2.2.5
for NAS could end up using a weaker algorithm selection algorithm. The AMF shall then initiate a Disclosure Body,
Algorithm forcing the system into a lowered NAS security mode command procedure Accredited
selection security level making thee system easily and include the chosen algorithm and UE NAAx, EIH4 Test Lab
attacked and/or compromised security capabilities (to detect modification
of the UE security capabilities by an
attacker) in the message to the UE. The
AMF shall select the NAS algorithm which
have the highest priority according to the
ordered list.
Incorrect A flawed AMF implementation accepting AMF TS 24.501/ If the REGISTRATION REQUEST Tampering of Vendor, 3GPP TS
implementation insecure or invalid UE security 5.5.1.2.8 Abnormal message is received with invalid or Data, SECAM 33.512
of invalid or capabilities may put User Plane and Cases on the unacceptable UE security capabilities (e.g. Information Accreditation 4.2.2.6
unacceptable Control Plane traffic at risk, without the network side no 5GS encryption algorithms (all bits Disclosure Body,
UE security operator being aware of it. If NULL zero), no 5GS integrity algorithms (all bits Accredited
capabilities ciphering algorithm and/or NULL zero), mandatory 5GS encryption NAAx, EIH4 Test Lab
handling integrity protection algorithm of the UE algorithms not supported or mandatory
security capabilities is accepted by the 5GS integrity algorithms not supported,
AMF, all the subsequent NAS, RRC, and etc.), the AMF shall return a
UP messages will not be confidentiality REGISTRATION REJECT message."
and/or integrity protected. The attacker
can easily intercept or tamper control
plane data and the user plane data. This
can result in information disclosure as
well as tampering of data.
131
December 2020
Associated Threats
Category Taxonomy)
Incorrect If a malicious UE initiates a registration AMF/SEAF, TS 33.501 6.1.3.2. Handling of RES* verification failure in the Denial of Vendor, 3GPP TS
implementation request using a SUCI and this request is AUSF Authentication SEAF or in the AUSF is defined in detail in Service SECAM 33.512
of RES* followed by primary authentication in procedure for 5G sub-clause 6.1.3.2.2 Accreditation 3GPP TS
verification which an incorrect RES* is sent to the AKA NAA5 Body, 33.516
failure handling network, then the RES* verification will Accredited 4.2.2.1.2
fail. In this case, if the RES* verification Test Lab
failure is not handled correctly, e.g.,
AMF/SEAF does not reject the
registration request directly, or initiates a
new authentication procedure with the
UE, this would result in waste of system
resources.
Incorrect The Security Anchor Function should AMF/SEAF; TS 33.501 6.1.3.3. The Security Anchor Function should Denial of Vendor, 3GPP TS
implementation handle authentication failure message USIM; UDM Handling of handle authentication failure message with Service (TR SECAM 33.512
of with synchronisation failure (AUTS) from synchronization synchronisation failure (AUTS) from the 33.926 K.2.2.1., Accreditation 3GPP TS
synchronisatio the UE, as to prevent possible failure or MAC UE, as to prevent possible exploitation TR 33.926 Body, 33.514
n failure exploitation from denial of service / failure from denial of service / resource E.2.2.2) Accredited 4.2.2.1.
handling resource exhaustion attacks / incidents. exhaustion attacks / incidents. Test Lab
Complementary procedures have to be Complementary procedures have to be NAA5
performed at USIM level. performed at USIM level.
Synchronization failure handling and/or
Storing of authentication status of UE by
UDM could conduct to access denial to
resources
132
December 2020
Associated Threats
Category Taxonomy)
Vulnerabilities in implementation of UPF security functionalities
Inconsistent TEID, as part of the CN Tunnel UPF TS Allocation and release of CN Tunnel Info is Tampering. Vendor, 3GPP 33.513
allocation of information, is used by the UPF and 23.501/5.8.2.3.1 performed when a new PDU Session is (33.926/L.2.4, SECAM 3GPP 33.515
Tunnel gNB/ng-eNB for user plane routing. The TS 29.281 / 5.1 established or released. This functionality J.2.2.2) Accreditation 4.2.2.6
Endpoint failure to guarantee the uniqueness of TS 23.060 /14.6 is supported either by SMF or UPF, based Body, 4.2.2.1.2.
Identifier the TEID for a PDU session interrupts on operator’s configuration on the SMF as NAA2, NAA3 Accredited
the routing of user traffic. It also specified in TS 23.501, clause 5.8.2.3.1. Test Lab
interrupts charging. If multiple PDU Tunnel Endpoint Identifier (TEID): This
sessions were to share the same TEID field unambiguously identifies a tunnel
at the same time, the counts for the endpoint in the receiving GTP U protocol
network usage of a single PDU session entity. The receiving end side of a GTP
will be in fact the counts for the network tunnel locally assigns the TEID value the
usage of multiple sessions, creating transmitting side has to use as specified in
charging errors. TS 29.281, clause 5.1.
The TEID is a unique identifier within one
IP address of a logical node." As specified
in TS 23.060, clause 14.6
Improper It is required that user Plane Security User Plane TS23.501, 5.10.3 It is required that user Plane Security Tampering Vendor, 3GPP TS
allocation of Policy from UDM takes precedence over Data Policy from UDM takes precedence over data, SECAM 33.515
security policy locally configured User Plane Security locally configured User Plane Security Information Accreditation 4.2.2.1.1
determined by Policy in SMF. If SMF fails to comply Policy in SMF. If SMF fails to comply with Disclosure (TR Body,
SMF with the requirement, user plane security the requirement, user plane security may 33.926 / J.2.2.1) Accredited
may be degraded. For example, if the be degraded. For example, if the UP Test Lab
UP security policy from the UDM security policy from the UDM mandates NAA2, NAA3,
mandates the ciphering and integrity the ciphering and integrity protection of the NAA4
protection of the user plane data, but no user plane data, but no protection is
protection is indicated in the local UP indicated in the local UP security policy at
security policy at the SMF, and the local the SMF, and the local UP security policy
UP security policy takes the priority, then takes the priority, then the user plane data
the user plane data will be sent over the will be sent over the air without any
air without any protection. protection.
133
December 2020
Associated Threats
Category Taxonomy)
Incorrect It is required that the SMF verifies that User Plane TS 33.501/6.6.1 The SMF must provide UP security policy Tampering Vendor, 3GPP TS
implementation the UP security policy received from the Data for a PDU session to the ng-eNB/gNB data, SECAM 33.515
of user plane ng-eNB/gNB is the same as that stored during the PDU session establishment Information Accreditation 4.2.2.1.3
data protection locally at the SMF. If the SMF fails to procedure. disclosure (TR Body,
check, security degradation of UP traffic In particular, The SMF shall verify that the 33.926/ J.2.2.4) Accredited
may occur. For example, if the UP UE's UP security policy received from the Test Lab
security policy received from the ng- target ng-eNB/gNB is the same as the NAA2, NAA3,
eNB/gNB indicates no security UE's UP security policy that the SMF has NAA4
protection, while the local policy locally stored. If there is a mismatch, the
mandates the opposite, and SMF uses SMF shall send its locally stored UE's UP
the received UP security policy without security policy of the corresponding PDU
validation, then the user plane data will sessions to the target gNB. Failure to do
be unprotected so may result in manipulation of UP
Security policy and compromise of data
Vulnerabilities in implementation of UDM security functionalities
Incorrect If the SUPI in the UE and the SUPI UDM TS 33.501/5.8.2. The SIDF is responsible for de- Denial of Vendor, 3GPP TS
implementation retrieved from Subscriber privacy concealment of the SUCI - The SIDF shall Service SECAM 33.514
of SUCI de- Nudm_Authentication_Get Response related be a service offered by UDM. (33.926/E.2.2.1) Accreditation 4.2.1.1
concealment message are not the same, the AMF key requirements to - The SIDF shall resolve the SUPI from the Body,
generated based on the SUPI in the UE UDM and SIDF SUCI based on the protection scheme NAA5 Accredited
is also not the same as the AMF key used to generate the SUCI. Test Lab
generated in the AMF/SEAF. As a result The Home Network Private Key used for
the subsequent NAS SMC procedure subscriber privacy shall be protected from
will always fail. Hence, UE will never be physical attacks in the UDM.
able to use the services provided by the The UDM shall hold the Home Network
serving AMF Public Key Identifier(s) for the
private/public key pair(s) used for
subscriber privacy.
The algorithm used for subscriber privacy
shall be executed in the secure
environment of the UDM.
134
December 2020
Associated Threats
Category Taxonomy)
Incorrect If the UDM does not store the UDM TS 33.501 / When 3GPP credentials are used in above Denial of Vendor, 3GPP TS
implementation authentication status of a UE, the 5G 6.1.4.1a Linking cases, the result of the authentication Service SECAM 33.514
of handling of network cannot support the increased authentication procedure is reported to the UDM. (33.926/E.2.2.3) Accreditation 4.2.2.2
authentication home control, which is useful in confirmation to The feature of increased home control is Body,
status by UDM preventing certain types of fraud, e.g. Nudm_UECM_Re useful in preventing certain types of fraud, NAA5 Accredited
fraudulent Nudm_UECM_Registration gistration e.g. fraudulent Nudm_UECM_Registration Test Lab
Request sending a malicious AMF for procedure from Request for registering the subscriber's
registering the malicious AMF in UDM AMF serving AMF in UDM that are not actually
that is not actually present in the visited present in the visited network. But an
network. Without the authentication authentication protocol by itself cannot
status in the UDM, or if the stored provide protection against such fraud. The
authentication status is incorrect, the authentication result needs to be linked to
Nudm_UECM_Registration Request subsequent procedures, e.g. the
sent from malicious AMF may be Nudm_UECM_Registration procedure
accepted. from the AMF in some way to achieve the
desired protection.
Incorrect The Security Anchor Function should AMF/SEAF; TS 33.501 6.1.3.3. The Security Anchor Function should Denial of Vendor, 3GPP TS
implementation handle authentication failure message USIM; UDM Handling of handle authentication failure message with Service (TR SECAM 33.512
of handling of with synchronisation failure (AUTS) from synchronization synchronisation failure (AUTS) from the 33.926 K.2.2.1., Accreditation 3GPP TS
synchronisatio the UE, as to prevent possible failure or MAC UE, as to prevent possible exploitation TR 33.926 Body, 33.514
n failure exploitation from denial of service / failure from denial of service / resource E.2.2.2) Accredited 4.2.2.1.
resource exhaustion attacks / incidents. exhaustion attacks / incidents. Test Lab
Complementary procedures have to be Complementary procedures have to be NAA5
performed at USIM level. performed at USIM level.
Synchronization failure handling and/or
Storing of authentication status of UE by
UDM could conduct to access denial to
resources
135
December 2020
Associated Threats
Category Taxonomy)
Vulnerabilities in implementation of SMF security functionalities
Incorrect It is required that user Plane Security SMF TS23.501, 5.10.3 It is required that user Plane Security Tampering Vendor, 3GPP TS
implementation Policy from UDM takes precedence over Policy from UDM takes precedence over data, SECAM 33.515
of checking of locally configured User Plane Security locally configured User Plane Security Information Accreditation 4.2.2.1.1
user plane Policy in SMF. If SMF fails to comply Policy in SMF. If SMF fails to comply with Disclosure (TR Body,
security policy with the requirement, user plane security the requirement, user plane security may 33.926 / J.2.2.1) Accredited
by SMF may be degraded. For example, if the be degraded. For example, if the UP Test Lab
UP security policy from the UDM security policy from the UDM mandates NAA2, NAA3,
mandates the ciphering and integrity the ciphering and integrity protection of the NAA4
protection of the user plane data, but no user plane data, but no protection is
protection is indicated in the local UP indicated in the local UP security policy at
security policy at the SMF, and the local the SMF, and the local UP security policy
UP security policy takes the priority, then takes the priority, then the user plane data
the user plane data will be sent over the will be sent over the air without any
air without any protection. protection.
Incorrect It is required that the SMF verifies that SMF TS 33.501/6.6.1 The SMF must provide UP security policy Tampering Vendor, 3GPP TS
implementation the UP security policy received from the for a PDU session to the ng-eNB/gNB data, SECAM 33.515
of handling of ng-eNB/gNB is the same as that stored during the PDU session establishment Information Accreditation 4.2.2.1.3
user plane locally at the SMF. If the SMF fails to procedure. disclosure (TR Body,
security policy check, security degradation of UP traffic In particular, The SMF shall verify that the 33.926/ J.2.2.4) Accredited
by SMF may occur. For example, if the UP UE's UP security policy received from the Test Lab
security policy received from the ng- target ng-eNB/gNB is the same as the NAA2, NAA3,
eNB/gNB indicates no security UE's UP security policy that the SMF has NAA4
protection, while the local policy locally stored. If there is a mismatch, the
mandates the opposite, and SMF uses SMF shall send its locally stored UE's UP
the received UP security policy without security policy of the corresponding PDU
validation, then the user plane data will sessions to the target gNB. Failure to do
be unprotected so may result in manipulation of UP
Security policy and compromise of data
136
December 2020
Associated Threats
Category Taxonomy)
Failure to At the SMF if more than one PDU SMF; TS 32.255/5.1 Requirements for handling of charging Tampering Vendor, 3GPP TS
assign unique session were to share the same Charging data, including identifiers by the SMF are data, SECAM 33.515
Charging ID for charging ID, the charging information for data defined in TS 32.255. / Clause 5.1. Information Accreditation 4.2.2.1.4
a session a PDU session would be wrongly disclosure (TR Body,
correlated, creating charging errors. 33.926/J.2.2.3) Accredited
Test Lab
NAA2, NAA3,
NAA4
Vulnerabilities in implementation of SEPP security functionalities
Incorrect Incorrect / incomplete implementation of SEPP, IPX TS 33.501 5.9.3 3GPP TS 33.501 clause 5.9.3. defines Denial of Vendor, 3GPP TS
implementation requirements for E2E interconnection Requirements for security requirements for E2E Service, SECAM 33.517
of e2e core between core network functions, as e2e core network interconnection between core network, Spoofing Accreditation 4.2.2.1
network defined in 3GPP TS 33.501 clause interconnection requirements to be covered generally by identity, Body,
interconnectio 5.9.3. open confidentiality, integrity and security the SEPP. Tampering of Accredited
n security availability risk to all data passed across Data, Test Lab
requirements networks and to unprotected access to Information
network functions Disclosure
NAA2, NAA3,
NAA4
137
December 2020
Associated Threats
Category Taxonomy)
Incorrect There are the following risks if SEPP TS 33.501 / 5.9.3.2 The SEPP shall protect application layer Denial of Vendor, 3GPP TS
handling of cryptographic material of peer SEPPs Requirements for control plane messages between two NFs Service, SECAM 33.517
cryptographic and cryptographic material of IPX Security Edge belonging to different PLMNs that use the Spoofing Accreditation 4.2.2.2
material of peer providers are not clearly differentiated Protection Proxy N32 interface to communicate with each identity, Body,
SEPPs and IPX and misused: (SEPP) other. The SEPP shall perform mutual Tampering of Accredited
providers - The SEPP using the wrong authentication and negotiation of cipher Data, Test Lab
cryptographic material will lead to the suites with the SEPP in the roaming Information
failure of N32-c TLS connection network. The SEPP shall handle key Disclosure
establishment with the peer SEPP; or management aspects that involve setting
lead to rejecting genuine N32-f JSON up the required cryptographic keys needed NAA2, NAA3,
patches from an authentic intermediate for securing messages on the N32 NAA4
IPX provider. This can result in service interface between two SEPPs.
interruption as well as waste of system
resources.
- The SEPP will wrongly accept forged
N32-f JSON patches signed by a peer
SEPP, which maliciously impersonates
an intermediate IPX provider. This can
result in service data tampering as well
as waste of system resources.
- The SEPP will wrongly establish N32-c
TLS connection with an intermediate IPX
entity, which maliciously impersonates a
peer SEPP. This can result in
information disclosure as well as waste
of system resources.
- Threatened Asset: SEPP Application,
N32-c, N32-f, Application layer security
data, Sufficient Processing Capacity
138
December 2020
Associated Threats
Category Taxonomy)
Incorrect There are following risks if the SEPP SEPP TS 33.501 / 5.9.3.2 The SEPP shall protect application layer Denial of Vendor, 3GPP TS
implementation authenticates N32-f message Requirements for control plane messages between two NFs Service, SECAM 33.517
of modifications using the cryptographic Security Edge belonging to different PLMNs that use the Tampering of Accreditation 4.2.2.3
cryptographic material from an IPX provider which was Protection Proxy N32 interface to communicate with each Data, Body,
material not exchanged as part of the IPX (SEPP) other. The SEPP shall perform mutual Information Accredited
handling security information list via the related authentication and negotiation of cipher Disclosure Test Lab
beyond N32-c connection: suites with the SEPP in the roaming
connection- - The SEPP using the wrong network. The SEPP shall handle key NAA2, NAA3,
specific scope cryptographic material will lead to failed management aspects that involve setting NAA4
authentication of N32-f message up the required cryptographic keys needed
modifications signed by the authentic for securing messages on the N32
IPX provider, who is a part of the related interface between two SEPPs.
N32-c connection. This can result in
service interruption as well as waste of
system resources.
- The SEPP will wrongly accept N32-f
JSON patches signed by an IPX
provider, who is a part of a different
N32-c connection. This can result in
service data tampering as well as waste
of system resources.
- Threatened Asset: SEPP Application,
N32-c, N32-f, Sufficient Processing
Capacity
Incorrect Wrong handling of serving PLMN ID SEPP TS 33.501/13.2.4.7 The receiving SEPP shall verify that the Denial of Vendor, 3GPP TS
implementation mismatch could affect the authentication Message PLMN-ID contained in the incoming N32-f Service, SECAM 33.517
of handling of process giving unauthorized access to verification by the message matches the PLMN-ID in the Information Accreditation 4.2.2.4
serving PLMN an attacker receiving SEPP related N32-f context" as specified in TS Disclosure, Body,
ID mismatch TS 33.501/13.4.1.2 33.501 , clause 13.2.4.7. Spoofing Accredited
Service access The pSEPP shall check that the serving Identity Test Lab
authorisation in PLMN ID of subject claim in the access
roaming scenarios token matches the remote PLMN ID NAA2, NAA3,
corresponding to the N32-f context Id in NAA4
the N32 message as specified in TS
33.501 , clause 13.4.1.2.
139
December 2020
Associated Threats
Category Taxonomy)
Failure to Failure to replace confidential IEs with SEPP TS If there is any attribute value that requires Information Vendor, 3GPP TS
replace NULL in original N32-f message may 33.501/13.2.4.3.1. encryption, the value shall be replaced by Disclosure. SECAM 33.517
confidential IEs lead to exposure of confidential IEs in 1 null. The SEPP shall calculate a JSON Accreditation 4.2.2.5
with NULL in N32-f message clearTextEncapsul patch document, NAA4, EIH4 Body,
original N32-f atedMessage dataToIntegrityProtectAndCipher (clause Accredited
message 13.2.4.3.2), that replaces any nulls with Test Lab
the required values.
Incorrect there are the following risks if the SEPP SEPP, TS 33.501/13.2.3.6 When a SEPP receives a data-type Information Vendor, 3GPP TS
implementation cannot detect the mismatch between the Protection Precedence of encryption or modification policy on N32-c Disclosure. SECAM 33.517
of handling for policies received on N32-c connection Policies policies in the as specified in clause 13.2.2.2, it shall Tampering of Accreditation 4.2.2.6
protection from a specific roaming partner and the SEPP compare it to the one that has been Data, Denial of Body,
policies policies manually configured on it for this manually configured for this specific Service Accredited
mismatch specific roaming partner and IPX roaming partner and IPX provider. If a Test Lab
provider: mismatch occurs for one of the two NAA2, NAA3,
- The policies received on N32-c policies, the SEPP shall perform one of NAA4, NAA5
connection from a peer SEPP could be the following actions, according to
tampered by an attacker, which is operator policy: a) Send the error
however not detected. Or the policies message <TBD> to the peer SEPP; b)
manually configured on the SEPP could Create a local warning
be misconfigured, which is however not
detected.
a) If Data-type encryption policies are
tampered or misconfigured, the IEs on
N32-f which shall be encrypted may be
disclosed due to policy tampering. This
can result in information disclosure.
b) If Modification policies are tampered
or misconfigured, the IEs on N32-f which
cannot be modified/added/removed by
IPX provider may be tampered. This can
result in tampering of data.
- As the data-type encryption policies in
the two partner SEPPs are not equal, a
consistent ciphering of IEs on N32-f
cannot be enforced.
Failure to Use of weak JWS algorithm instead of SEPP TS 33.501/13.2.4.9 SEPPs and IPXs shall follow the JWS Information Vendor, 3GPP TS
comply with specific algorithm JWS profile profile as defined in TS 33.210 [3] with the Disclosure. SECAM 33.517
JWS profile restriction restriction that they shall only use ES256 Accreditation 4.2.2.7
restriction algorithm NAA4, EIH4 Body,
Accredited
Test Lab
140
December 2020
Associated Threats
Category Taxonomy)
Misplacement Basic validation rules fail to be applied SEPP TS 33.501/13.2.3.4 The following basic validation rule shall Information Vendor, 3GPP TS
of encrypted irrespective of the policy exchanged Modification policy always be applied irrespective of the policy Disclosure. SECAM 33.517
IEs in JSON between two roaming partners for N32 application exchanged between two roaming partners: Accreditation 4.2.2.8
object by IPX layer solution IEs requiring encryption shall not be NAA4, EIH4 Body,
TS 33.501/13.2.4.1 inserted at a different location in the JSON Accredited
N32-f connection object. - as specified in TS 33.501, clause Test Lab
between SEPPs 13.2.3.4.
A SEPP shall verify that an intermediate
IPX has not moved or copied an encrypted
IE to a location that would be reflected
from the producer NF in an IE without
encryption - as specified in TS 33.501,
clause 13.2.4.1.
Vulnerabilities in implementation of NRF security functionalities
No slice If NF discovery authorisation for specific NRF, NF TS 33.501 / 5.9.2.1 NRF shall be able to ensure that NF Information Vendor, 3GPP TS
specific slice is not supported by the NRF, the profile of TS 23.502 / 4.17.4. Discovery and registration requests are Disclosure, SECAM 33.518
authorisation NF instance in one slice can discover available NF authorized - as specified in TS 33.501, Elevation of Accreditation 4.2.2.2.1
for NF NF instances belonging to other slices. instances clause 5.9.2.1. privilege (TR Body,
discovery This can result in reduced assurance The NRF authorizes the 33.926 / Accredited
level of slice data isolation, making the Nnrf_NFDiscovery_Request. Based on the H.2.2.1) Test Lab
system easily attacked as well as profile of the expected NF/NF service and
wasting resource the type of the NF service consumer, the NAA2, NAA3,
NRF determines whether the NF service NAA4
consumer is allowed to discover the
expected NF instance(s). If the expected
NF instance(s) or NF service instance(s)
are deployed in a certain network slice,
NRF authorizes the discovery request
according to the discovery configuration of
the Network Slice, e.g. the expected NF
instance(s) are only discoverable by the
NF in the same network slice - as
specified in TS 23.502, clause 4.17.4.
141
December 2020
Associated Threats
Category Taxonomy)
Vulnerabilities in implementation of NEF security functionalities
No If the authentication of the Application NEF TS 33.501/5.9.2.3 - Integrity protection, replay protection and Information Vendor, 3GPP TS
authentication Function is not supported, the NEF security confidentiality protection for Disclosure, SECAM 33.519
on application application function without legal requirements communication between the NEF and tampering Accreditation 4.2.2.1.1
function certificates, or pre-shared key could be Application Function (33.926/I.2.2.1) Body,
able to establish a TLS connection with - Mutual authentication between the NEF Accredited
the NEF. The data stored in the NEF and Application Function NAA2, NAA3, Test Lab
may be exposed to an attacker - Internal 5G Core information such as NAA4
DNN, S-NSSAI etc., shall not be sent
outside the 3GPP operator domain.
- SUPI shall not be sent outside the 3GPP
operator domain by NEF
The NEF shall be able to determine
whether the Application Function is
authorized to interact with the relevant
Network Functions..
No A malicious AF without OAuth-based NEF TS 33.501/12.4 Network Entity. The NEF shall authorize Elevation of Vendor, 3GPP TS
Authorisation authorisation or with an incorrect access Authorisation of the requests from Application Function Privilege, SECAM 33.519
on northbound token may invoke the NEF services Application using OAuth-based authorisation Information Accreditation 4.2.2.1.2
APIs arbitrarily. For example, an attacker may Function’s mechanism, the specific authorisation Disclosure Body,
invoke the Nnef_EventExposure requests mechanisms shall follow the provisions (33.926/I.2.2.2) Accredited
Subscriber service provide by the NEF given in RFC 6749 Test Lab
without authorisation. The Event data NAA2, NAA3,
related with this subscribe will be leaked NAA4
to the attacker.
142
December 2020
Associated Threats
Category Taxonomy)
Improper protection of Data and Information of 5G Core components
System Presence of active system function(s) UPF; AMF; TS 33.117 / When the system is not under Elevation of Vendor, 3GPP TS
functions that reveal confidential system internal UDM; SMF; 4.2.3.2.2 maintenance, there shall be no system Privilege, SECAM 33.117
revealing data in the clear to users and AUSF; Protecting data function that reveals confidential system Information Accreditation 3GPP TS
confidential administrators. Such functions could be, SEPP; NRF; and information – internal data in the clear to users and Disclosure, Body, 33.511-519
data for example, local or remote OAM CLI or NEF Confidential administrators. Such functions could be, Tampering Accredited 4.2.3.2.2
GUI, logging messages, alarms, System Internal for example, local or remote OAM CLI or Test Lab
configuration file exports etc. Data GUI, logging messages, alarms, NAA2, NAA3,
Confidential system internal data configuration file exports etc. Confidential NAA4
contains authentication data (i.e. PINs, system internal data contains
cryptographic keys, passwords, cookies) authentication data (i.e. PINs,
as well as system internal data that is cryptographic keys, passwords, cookies)
not required for systems administration as well as system internal data that is not
and could be of advantage to attackers required for systems administration and
(i.e. stack traces in error messages). could be of advantage to attackers (i.e.
stack traces in error messages).
Improper For sensitive data in (persistent or UPF; gNB; TS 33.117 / For sensitive data in (persistent or Elevation of Vendor, 3GPP TS
protection of temporary) storage read access rights AMF; UDM; 4.2.3.2.3 temporary) storage read access rights Privilege, SECAM 33.117
data and shall be restricted. Files of a system that SMF; AUSF; Protecting data shall be restricted. Files of a system that Information Accreditation 3GPP TS
information in are needed for the functionality shall be SEPP; NRF; and information in are needed for the functionality shall be Disclosure, Body, 33.511-519
storage protected against manipulation. NEF storage protected against manipulation. Tampering Accredited 4.2.3.2.3
In addition, the following rules apply for: Test Lab
- Systems that need access to NAA2, NAA3,
identification and authentication data in NAA4
the clear, e.g. in order to perform an
authentication. Such systems shall not
store this data in the clear, but scramble
or encrypt it by implementation-specific
means.
- Systems that do not need access to
sensitive data (e.g. user passwords) in
the clear. Such systems shall hash this
sensitive data
- Stored files on the network product:
examples for protection against
manipulation are the use of checksum or
cryptographic methods.]
143
December 2020
Associated Threats
Category Taxonomy)
Lack of or The transmission of data is done without UPF/User TS 33.117 / Usage of cryptographically protected Spoofing, Vendor, 3GPP TS
improper proper protection (industry standard Data; 4.2.3.2.4 network protocols is required. The Information SECAM 33.117
cryptographic network protocols with sufficient security UPF/Signalli Protecting data transmission of data with a need of disclosure Accreditation 3GPP TS
protection of measures and industry accepted ng Data; and information in protection shall use industry standard Body, 33.511-519
data in transfer cryptographic algorithms), as defined in gNB; AMF; transfer network protocols with sufficient security NAA3, NAA4, Accredited 4.2.3.2.4
TS33.310/33.210 UDM; SMF; measures and industry accepted EIH4 Test Lab
AUSF; algorithms. In particular, a protocol version
SEPP; NRF; without known vulnerabilities or a secure
NEF alternative shall be used.
No traceability In some cases, access to personal data UPF; gNB; TS 33.117 / In some cases, access to personal data in Information Vendor, 3GPP TS
of access to in clear text might be required. If such AMF; UDM; 4.2.3.2.5 Logging clear text might be required. If such disclosure SECAM 33.117
personal data access is required, access to this data SMF; AUSF; access to personal access is required, access to this data Accreditation 3GPP TS
shall be logged, and the log shall contain SEPP; NRF; data shall be logged, and the log shall contain NAA4, LEG Body, 33.511-519
who accessed what data without NEF who accessed what data without revealing Accredited 4.2.3.2.5
revealing personal data in clear text. personal data in clear text. When for Test Lab
When for practical purposes such practical purposes such logging is not
logging is not available, a coarser grain available, a coarser grain logging is
logging is allowed. allowed.
In some cases, the personal data stored In some cases, the personal data stored in
in the log files may allow the direct the log files may allow the direct
identification of a subscriber. In such identification of a subscriber. In such
cases, the revealed personal information cases, the revealed personal information
may not expose the subscriber to any may not expose the subscriber to any kind
kind of privacy violation of privacy violation.
144
December 2020
Associated Threats
Category Taxonomy)
Improper protection of availability and integrity of 5G Core components
Failure to Overload situation could appear in the UPF; gNB; TS 33.117 / The system shall provide security Denial of Vendor, 3GPP TS
address case of DoS attack or increased traffic. AMF; UDM; 4.2.3.3.1 System measures to deal with overload situations service attacks SECAM 33.117
overload Lack to deal with such events affects SMF; AUSF; handling during which may occur as a result of a denial of Accreditation 3GPP TS
situation availability of information or security SEPP; NRF; overload situations service attack or during periods of NAA5, UD5 Body, 33.511-519
functionalities NEF TS 33.117 increased traffic. In particular, partial or Accredited 4.2.3.3.1,
/4.2.3.3.3 System complete impairment of system availability Test Lab 4.2.3.3.3
handling during shall be avoided.
excessive overload In the situation where the security
situations measures are no longer sufficient., it shall
be ensured that the system cannot reach
an undefined and thus potentially insecure
state. In an extreme case this means that
a controlled system shutdown is preferable
to uncontrolled failure of the security
functions and thus loss of system
protection.
Boot from The network product can boot only from UPF; gNB; TS 33.117 / The network product can boot only from Denial of Vendor, 3GPP TS
unauthorized the memory devices intended for this AMF; UDM; 4.2.3.3.2 Boot from the memory devices intended for this Service, SECAM 33.117
memory purpose SMF; AUSF; intended memory purpose Spoofing Accreditation 3GPP TS
devices SEPP; NRF; devices only identity, Body, 33.511-519
NEF Tampering of Accredited 4.2.3.3.2
Data, Test Lab
Information
Disclosure
NAAx
145
December 2020
Associated Threats
Category Taxonomy)
Improper During transmission of data to a system UPF; gNB; TS 33.117 / During transmission of data to a system it Denial of Vendor, 3GPP TS
handling of it is necessary to validate input to the AMF; UDM; 4.2.3.3.4 System is necessary to validate input to the Service, SECAM 33.117
unexpected network product before processing. This SMF; AUSF; robustness against network product before processing. This Spoofing Accreditation 3GPP TS
input includes all data which is sent to the SEPP; NRF; unexpected input includes all data which is sent to the identity, Body, 33.511-519
system. Examples of this are user input, NEF system. Examples of this are user input, Tampering of Accredited 4.2.3.3.4
values in arrays and content in values in arrays and content in protocols. Data, Test Lab
protocols. The following typical Information
implementation errors shall be avoided: Disclosure
- No validation on the lengths of
transferred data NAAx
- Incorrect assumptions about data
formats
- No validation that received data
complies with the specification
- Insufficient handling of protocol errors
in received data
- Insufficient restriction on recursion
when parsing complex data formats
- White listing or escaping for inputs
outside the values margin
Insufficient Lack of software package integrity could UPF; gNB; TS 33.117 / 1) Software package integrity shall be Denial of Vendor, 3GPP TS
assurance of affect CIA of data, services, hardware AMF; UDM; 4.2.3.3.5 Network validated in the installation/upgrade stage; Service, SECAM 33.117
software and policies during installation or SMF; AUSF; Product software 2) Network product shall support software Spoofing Accreditation 3GPP TS
package upgrade phases for the envisioned SEPP; NRF; package integrity package integrity validation via identity, Body, 33.511-519
integrity product/system. Missing information NEF validation cryptographic means, e.g. digital Tampering of Accredited 4.2.3.3.5
regarding software package integrity signature. To this end, the network product Data, Test Lab
checks, including details of how the has a list of public keys or certificates of Information
integrity check is carried out. Missing authorised software sources, and uses the Disclosure
authentication and access control keys to verify that the software update is
mechanisms for software package originated from only these sources; 3) NAAx
installation. Tampered software shall not be executed
or installed if integrity check fails; 4) A
security mechanism is required to
guarantee that only authorized individuals
can initiate and deploy a software update,
and modify the list mentioned in bullet 2.
146
December 2020
Associated Threats
Category Taxonomy)
Vulnerable mechanisms for authentication and authorisation of 5G Core components
Unauthenticated The usage of a system function without UPF; gNB; TS 33.117 / The usage of a system function without Denial of Vendor, 3GPP TS
access to successful authentication on basis of the AMF; UDM; 4.2.3.4.1.1 System successful authentication on basis of the Service, SECAM 33.117
system user identity and at least one SMF; AUSF; functions shall not user identity and at least one Spoofing Accreditation 3GPP TS
functions authentication attribute (e.g. password, SEPP; NRF; be used without authentication attribute (e.g. password, identity, Body, 33.511-519
certificate) opens the opportunity of NEF successful certificate) shall be prevented. System Tampering of Accredited 4.2.3.4.1.1
exploitation and limits accountability. authentication and functions comprise, for example network Data, Test Lab
This includes M2M communication authorisation. services (like SSH, SFTP, Web services), Information
local access via a management console, Disclosure
local usage of operating system and
applications. This requirement shall also NAAx
be applied to accounts that are only used
for communication between systems. An
exception to the authentication and
authorisation requirement are functions for
public use such as those for a Web server
on the Internet, via which information is
made available to the public
Improper Depending of information sensitivity UPF; gNB; TS 33.117 / The usage of a system function without Denial of Vendor, 3GPP TS
authentication different level of strong authentication AMF; UDM; 4.2.3.4.1.2 successful authentication on basis of the Service, SECAM 33.117
mechanisms mechanisms are required. Fail to identify SMF; AUSF; Accounts shall user identity and at least one Spoofing Accreditation 3GPP TS
the proper correspondence between SEPP; NRF; allow authentication attribute (e.g. password, identity, Body, 33.511-519
levels of protection and authentication NEF unambiguous certificate) shall be prevented. Tampering of Accredited 4.2.3.4.1.2,
mechanisms implemented creates the identification of the The various user and machine accounts Data, Test Lab 4.2.3.4.2.1
possibility to allow unauthorized entities user on a system shall be protected from Information 4.2.3.4.3.
to access unallocated resources TS 33.117 / misuse. To this end, an authentication Disclosure
4.2.3.4.2.1 attribute is typically used, which, when
Account protection combined with the user name, enables NAAx
by at least one unambiguous authentication and
authentication identification of the authorized user.
attribute
147
December 2020
Associated Threats
Category Taxonomy)
Predefined/ All predefined or default accounts and/or UPF; gNB; TS 33.117 / All predefined or default accounts shall be Denial of Vendor, 3GPP TS
default or default authentication attributes shall AMF; UDM; 4.2.3.4.2.2 deleted or disabled. Should this measure Service, SECAM 33.117
accounts be deleted or disabled SMF; AUSF; Predefined not be possible the accounts shall be Spoofing Accreditation 3GPP TS
and/or SEPP; NRF; accounts shall be locked for remote login. identity, Body, 33.511-519
authentication NEF deleted or disabled Preconfigured authentication attributes Tampering of Accredited 4.2.3.4.2.2
attributes TS 33.117 / shall be changed by automatically forcing Data, Test Lab 4.2.3.4.2.3
4.2.3.4.2.3 a user to change it on 1st time login to the Information
Predefined or system or the vendor provides instructions Disclosure
default on how to manually change it
authentication NAAx
attributes shall be
deleted or disabled
Weak or A password policy shall address the UPF; gNB; TS 33.117 / Password policy requirements include Denial of Vendor, 3GPP TS
missing password structure, password change, AMF; UDM; 4.2.3.4.3 requirements regarding Password Service, SECAM 33.117
password hiding password display capabilities, SMF; AUSF; Password policy complexity, password change, Protection Spoofing Accreditation 3GPP TS
policy consecutive failed login attempts. A SEPP; NRF; against brute force and dictionary attacks, identity, Body, 33.511-519
week password structure and/or a long NEF hiding password display Tampering of Accredited 4.2.3.4.3.
validity password period could lead to a Data, Test Lab
successful brute force attack. Password Information
display is vulnerable to eavesdropping Disclosure
attack. Password policy is a security NAAx
policy component.
Lack of mutual The network product management shall UPF; gNB; TS 33.117 / The network product management shall Denial of Vendor, 3GPP TS
authentication support mutual authentication AMF; UDM; 4.2.3.4.4.1 support mutual authentication Service, SECAM 33.117
of entities for mechanisms, the mutual authentication SMF; AUSF; Authentication on mechanisms, the mutual authentication Spoofing Accreditation 3GPP TS
management mechanism can rely on the protocol SEPP; NRF; Network Product mechanism can rely on the protocol used identity, Body, 33.511-519
interfaces used for the interface itself or other NEF Management and for the interface itself or other means. Tampering of Accredited 4.2.3.4.4.1
means Maintenance Data, Test Lab
interfaces Information
Disclosure,
Operator Error
NAAx, Udx
148
December 2020
Associated Threats
Category Taxonomy)
Improper The authorisations for accounts and UPF; gNB; TS 33.117 / The authorisations for accounts and Denial of Vendor, 3GPP TS
authorisation applications shall be reduced to the AMF; UDM; 4.2.3.4.6 applications shall be reduced to the Service, SECAM 33.117
and access minimum required for the tasks they SMF; AUSF; Authorisation and minimum required for the tasks they have Spoofing Accreditation 3GPP TS
control policy have to perform. SEPP; NRF; access control to perform. identity, Body, 33.511-519
NEF Authorisations to a system shall be Tampering of Accredited 4.2.3.4.6
restricted to a level in which a user can Data, Test Lab
only access data and use functions that he Information
needs in the course of his work. Disclosure,
Alongside access to data, execution of Operator Error
applications and components shall also NAAx, Udx
take place with rights that are as low as
possible. Applications should not be
executed with administrator or system
rights.
Improper session protection mechanisms of 5G Core components
Improper / The system shall have a function that UPF; gNB; TS 33.117 / 4.2.3.5 The system shall have a function that Denial of Vendor, 3GPP TS
missing allows a signed in user to logout at any AMF; UDM; Protecting allows a signed in user to logout at any Service, SECAM 33.117
functionality time. All processes under the logged in SMF; AUSF; sessions time. All processes under the logged in Spoofing Accreditation 3GPP TS
for session user ID shall be terminated on log out. A SEPP; NRF; user ID shall be terminated on log out. The identity, Body, 33.511-519
protection permanent exposed session increases NEF network product shall be able to continue Tampering of Accredited 4.2.3.5.
the vulnerability of the system as an to operate without interactive sessions. Data, Test Lab
entry point for unauthorized person. An OAM user interactive session shall be Information
OAM user interactive session shall be terminated automatically after a specified Disclosure,
terminated automatically after a period of inactivity. It shall be possible to Operator Error
specified period of inactivity. It shall be configure an inactivity time-out period
possible to configure an inactivity time- NAAx, Udx"
out period
149
December 2020
Associated Threats
Category Taxonomy)
Insufficient or improper monitoring mechanisms of 5G Core components
Lack of or lack of security events logged together UPF; gNB; TS 33.117 / Security events shall be logged together Denial of Vendor, 3GPP TS
improper with a unique system reference (e.g. AMF; UDM; 4.2.3.6.1 Security with a unique system reference (e.g. host Service, SECAM 33.117
security event host name, IP or MAC address) and the SMF; AUSF; event logging name, IP or MAC address) and the exact Spoofing Accreditation 3GPP TS
logging exact time the incident occurred do not SEPP; NRF; time the incident occurred. For each identity, Body, 33.511-519
allow a correct and rapid audit in case of NEF security event, the log entry shall include Tampering of Accredited 4.2.3.6.1
security incident occurrence. Security user name and/or timestamp and/or Data, Test Lab
restauration is delayed. performed action and/or result and/or Information
length of session and/or values exceeded Disclosure,
and/or value reached. Operator Error
IETF RFC 3871, section 2.11.10 specifies
the minimum set of security events. NAAx, Udx"
Vulnerabilities in Operating Systems supporting 5G Core components
Improper / Security event logs should be forwarded UPF; gNB; TS 33.117 / Log functions should upload securely of Denial of Vendor, 3GPP TS
missing or uploaded to a central location or AMF; UDM; 4.2.3.6.2 Log log files to a central location or to an Service, SECAM 33.117
controls for external systems. Security event log files SMF; AUSF; transfer to external system for the Network Product Spoofing Accreditation 3GPP TS
protection of shall be protected in storage and SEPP; NRF; centralized storage that is logging. Secure transport protocols identity, Body, 33.511-519
security event transfer states, too. Availability and NEF TS 33.117 / shall be used. Tampering of Accredited 4.2.3.6.2
log files integrity of security event log files could 4.2.3.6.3 The security event log shall be access Data, Test Lab 4.2.3.6.3
conduct to delays, wrong audit results, Protection of controlled (file access rights) so only Information
delays in security restauration, threats security event log privileged users have access to the log Disclosure,
persistence. files files. Operator Error
NAAx, Udx
Improper Growing or dynamic content (e.g. log UPF; gNB; TS 33.117 / Growing or dynamic content (e.g. log files, Denial of Vendor, 3GPP TS
handling of files, uploads) could influence system AMF; UDM; 4.2.4.1.1.1 uploads) shall not influence system service attacks, SECAM 33.117
growing functions. A file system that reaches its SMF; AUSF; Handling of functions. A file system that reaches its equipment / Accreditation 3GPP TS
content by file maximum capacity could stop a system SEPP; NRF; growing content maximum capacity shall not stop a system software errors, Body, 33.511-519
system from operating properly. NEF from operating properly. Therefore, growing Accredited 4.2.4.1.1.1
countermeasures shall be taken such as dynamic Test Lab
usage of dedicated file systems, separated content
from main system functions, or quotas, or NAA5, UD5,
at least a file system monitoring to ensure FM5
that this scenario is avoided.
150
December 2020
Associated Threats
Category Taxonomy)
Processing of Processing of ICMPv4 and ICMPv6 UPF; gNB; TS 33.117 / Processing of ICMPv4 and ICMPv6 Denial of Vendor, 3GPP TS
ICMP packets packets which are not required for AMF; UDM; 4.2.4.1.1.2 packets which are not required for service attacks, SECAM 33.117
not required for operation shall be disabled on the SMF; AUSF; Processing of operation shall be disabled on the network equipment / Accreditation 3GPP TS
operation network product. In particular, there are SEPP; NRF; ICMPv4 and product. In particular, there are certain software errors, Body, 33.511-519
certain types of ICMP4 and ICMPv6 that NEF ICMPv6 packets types of ICMP4 and ICMPv6 that are not misconfiguratio Accredited 4.2.4.1.1.2
are not used in most networks, but used in most networks, but represent a ns Test Lab
represent a risk. risk. Permitted, forbidden and optional NAA5, UD5,
ICMP packets are detailed in TS 33.117 FM5
clause 4.2.4.1.1.2
Processing of IP packets with unnecessary options or UPF; gNB; TS 33.117 / IP packets with unnecessary options or Denial of Vendor, 3GPP TS
IP packets with extension headers could be used by AMF; UDM; 4.2.4.1.1.3 IP extension headers shall not be processed. Service, SECAM 33.117
unnecessary attackers to get unauthorized access to SMF; AUSF; packets with IP options and extension headers (e.g. Spoofing Accreditation 3GPP TS
options or system resources. SEPP; NRF; unnecessary source routing) are only required in identity, Body, 33.511-519
extensions NEF options or exceptional cases. So, all packets with Tampering of Accredited 4.2.4.1.1.3
extension headers enabled IP options or extension headers Data, Test Lab
shall not be shall be filtered. Information
processed Disclosure
NAAx
Privilege Authenticated Privilege Escalation UPF; gNB; TS 33.117 / There shall not be a privilege escalation Privilege Vendor, 3GPP TS
Escalation allowed without re-authentication could AMF; UDM; 4.2.4.1.2.1 method in interactive sessions (CLI or escalation SECAM 33.117
allowed permit to an authorized user to gain SMF; AUSF; Authenticated GUI) which allows a user to gain NAA3 Accreditation 3GPP TS
without re- unallocated higher rights to resources, SEPP; NRF; Privilege administrator/root privileges from another Body, 33.511-519
authentication violating security policy NEF Escalation only user account without re-authentication. Accredited 4.2.4.1.2.1
Implementation example: Disable insecure Test Lab
privilege escalation methods so that users
are required to (re-)login directly into the
account with the required permissions.
Recurrent UIDs Each system account in UNIX shall have UPF; gNB; TS 33.117 / Each system account in UNIX shall have a Authorisation Vendor, 3GPP TS
for UNIX a unique UID, to provide for system AMF; UDM; 4.2.4.2.2 System unique UID. The term 'UNIX' includes all attacks SECAM 33.117
System account accountability SMF; AUSF; account major derivatives, including Linux. NAA3 Accreditation 3GPP TS
accounts SEPP; NRF; identification Body, 33.511-519
NEF Accredited 4.2.4.2.2
Test Lab
151
December 2020
Associated Threats
Category Taxonomy)
Vulnerabilities in Web Servers supporting 5G Core components
Unsecure Https The communication between Web client UPF; gNB; TS 33.117 / 4.2.5.1 The communication between Web client Spoofing Vendor, 3GPP TS
connection to and Web server shall be protected using AMF; UDM; HTTPS and Web server shall be protected using identity, SECAM 33.117
web servers TLS. TLS profile should be defined in SMF; AUSF; TLS. Cipher suites with NULL encryption Tampering of Accreditation 3GPP TS
compliance Annex E of TS 33.310, with SEPP; NRF; shall not be supported Data, Body, 33.511-519
the following additional requirement: NEF Information Accredited 4.2.5.1
cipher suites with NULL encryption shall Disclosure Test Lab
not be supported NAA2, NAA3,
NAA4, EIH4
Lack of / When logging information lacks UPF; gNB; TS 33.117 / 4.2.5.2 Access to the webserver shall be logged. Denial of Vendor, 3GPP TS
improper completeness, integrity or timeliness it is AMF; UDM; Webserver logging The web server log shall contain the Service, SECAM 33.117
logging of impossible to detect, analyse and SMF; AUSF; following information: Access timestamp / Spoofing Accreditation 3GPP TS
access to the respond to system faults and relevant SEPP; NRF; Source (IP address) / (Optional) Account identity, Body, 33.511-519
webserver security events. NEF (if known) / (Optional) Attempted login Tampering of Accredited 4.2.5.2
name (if the associated account does not Data, Test Lab
exist) / Relevant fields in http request. The Information
URL should be included whenever Disclosure
possible / Status code of web server NAAx
response
Lack of / Improper session protection UPF; gNB; TS 33.117 / 4.2.5.3 To protect user sessions the Network Session Vendor, 3GPP TS
improper http mechanisms may lead to session AMF; UDM; HTTP User Product shall support the following session hijacking SECAM 33.117
user session hijacking, disclosure of confidential SMF; AUSF; sessions ID and session cookie requirements: NAA3 Accreditation 3GPP TS
protection information, including authentication SEPP; NRF; 1. The session ID shall uniquely identify Body, 33.511-519
attributes NEF the user and distinguish the session from Accredited 4.2.5.3
all other active sessions. Test Lab
2. The session ID shall be unpredictable.
3. The session ID shall not contain
sensitive information in clear text (e.g.
account number, social security, etc.).
4. In addition to the Session Idle Timeout,
the Network Product shall automatically
terminate sessions after a configurable
maximum lifetime 5. Session ID's shall be
regenerated for each new session (e.g.
each time a user logs in).
6. The session ID shall not be reused or
renewed in subsequent sessions.
7. The Network Product shall not use
persistent cookies to manage sessions but
only session cookies. This means that
152
December 2020
Associated Threats
Category Taxonomy)
neither the "expire" nor the "max-age"
attribute shall be set in the cookies.
8. Where session cookies are used the
attribute 'HttpOnly' shall be set to true.
'domain' attribute shall be set to ensure
that the cookie can only be sent to the
specified domain.
'path' attribute shall be set to ensure that
the cookie can only be sent to the
specified directory or sub-directory.
11. The Network Product shall not accept
session identifiers from GET/POST
variables.
12. The Network Product shall be
configured to only accept server generated
session ID's.
Improper The Network Product shall have a UPF; gNB; TS 33.117 / 4.2.5.4 The Network Product shall validate, filter, Injection, cross- Vendor, 3GPP TS
validation of mechanism in place to ensure that web AMF; UDM; HTTP input escape, and encode user-controllable site scripting SECAM 33.117
HTTP input application inputs are not vulnerable to SMF; AUSF; validation input before it is placed in output that is NAA3 Accreditation 3GPP TS
command injection or cross-site scripting SEPP; NRF; used as a web page that is served to other Body, 33.511-519
attacks. NEF users. Accredited 4.2.5.4
Test Lab
Vulnerabilities of network devices running 5G Core components
Lack of packet Lack of, or improper mechanisms to filter UPF; gNB; TS 33.117 / The Network Product shall provide a Denial of Vendor, 3GPP TS
filtering incoming IP packets on any IP interface AMF; UDM; 4.2.6.2.1 Packet mechanism to filter incoming IP packets service, packet SECAM 33.117
functionality according to defined and manageable SMF; AUSF; filtering on any IP interface, as defined in RFC flooding Accreditation 3GPP TS
rules leaves the network device SEPP; NRF; 3871 and TS 33.117 clause 4.2.6.2.1 NAA5, FM5 Body, 33.511-519
vulnerable to denial-of-service attacks, NEF Accredited 4.2.6.2.1
service degradation or attack aimed at Test Lab
leading the device to an exception state.
153
December 2020
Associated Threats
Category Taxonomy)
Lack of If a network device does not have the UPF; gNB; TS 33.117 / All incoming packets, from other network Malware, Vendor, 3GPP TS
robustness capability to detect and drop by AMF; UDM; 4.2.6.2.2 Interface element, that are manipulated or differing denial-of- SECAM 33.117
against incoming packets, from other network SMF; AUSF; robustness the norm shall be detected as invalid and service, packet Accreditation 3GPP TS
unexpected element, that are manipulated or SEPP; NRF; requirements be discarded. The process shall not be flood Body, 33.511-519
input differing the norm, it can lead to an NEF affecting the performance of the network NAA5, FM5 Accredited 4.2.6.2.2
impairment of availability. device. This robustness shall be just as Test Lab
effective for a great mass of invalid
packets as for individual or a small number
of packets.
Improper or In the absence of an effective GTP-C UPF; gNB; TS 33.117 / For each message of a GTP-C-based Authorisation Vendor, 3GPP TS
absent GTP-C filtering mechanisms, the network device AMF; UDM; 4.2.6.2.3 GTP-C protocol, it shall be possible to check attacks, man-in- SECAM 33.117
Filtering is vulnerable to Border gateway SMF; AUSF; Filtering whether the sender of this message is the-middle Accreditation 3GPP TS
bandwidth saturation or GTP flood. SEPP; NRF; authorized to send a message pertaining attacks Body, 33.511-519
NEF to this protocol. NAA2, NAA3, Accredited 4.2.6.2.3
At least the following actions should be NAA4 Test Lab
supported when the check is satisfied:
Discard: the matching message is
discarded /Accept: the matching message
is accepted./ Account: the matching
message is accounted for, i.e. a counter
for the rule is incremented.
Improper or In the absence of effective GTP-U UPF; gNB; TS 33.117 / For each message of a GTP-U-based Authorisation Vendor, 3GPP TS
absent GTPU filtering mechanisms, the network is AMF; UDM; 4.2.6.2.4 GTP-U protocol, it shall be possible to check attacks, man-in- SECAM 33.117
Filtering exposed to malformed GTP packets, SMF; AUSF; Filtering whether the sender of this message is the-middle Accreditation 3GPP TS
denial of service attacks, and out-of- SEPP; NRF; authorized to send a message pertaining attacks Body, 33.511-519
state GTP messages, and also vectors NEF to this protocol. NAA2, NAA3, Accredited 4.2.6.2.4
such as spoofed IP packets. NAA4 Test Lab
Improper hardening of 5G Core components
Unnecessary Should the network product run protocol UPF; gNB; TS 33.117 / 4.3.2.1 The network product shall only run Denial of Vendor, 3GPP TS
or insecure handlers and services which are not AMF; UDM; No unnecessary or protocol handlers and services which are Service, SECAM 33.117
services / needed for its operation, or which have SMF; AUSF; insecure services / needed for its operation, and which do not Spoofing Accreditation 3GPP TS
protocols known security vulnerabilities, they may SEPP; NRF; protocols have any known security vulnerabilities. identity, Body, 33.511-519
be manipulated to gain unauthorized NEF Tampering of Accredited 4.3.2.1
access to the system, impair its Data, Test Lab
availability or other forms of Information
manipulation. Disclosure,
Software errors
NAAx, FMx
154
December 2020
Associated Threats
Category Taxonomy)
Unrestricted The network product shall restrict the UPF; gNB; TS 33.117 / 4.3.2.2 The network product shall restrict the Denial of Vendor, 3GPP TS
reachability of reachability of services so that they can AMF; UDM; Restricted reachability of services so that they can Service, SECAM 33.117
services only be reached on interfaces where SMF; AUSF; reachability of only be reached on interfaces where their Spoofing Accreditation 3GPP TS
their usage is required. The absence of SEPP; NRF; services usage is required. On interfaces were identity, Body, 33.511-519
appropriate mechanisms expose the NEF services are active, the reachability should Tampering of Accredited 4.3.2.2
services to risk of exploitation of known be limited to legitimate communication Data, Test Lab
or unknown vulnerabilities by malicious peers. This limitation shall be realized on Information
parties or technical faults. the network product itself (without Disclosure
measures (e.g. firewall) at network side) NAAx
according to the requirement detailed in
clause 4.2.6.2.1 Packet Filtering.
Unused Unused software components or parts of UPF; gNB; TS 33.117 / 4.3.2.3 Unused software components or parts of Denial of Vendor, 3GPP TS
software software which are not needed for AMF; UDM; No unused software which are not needed for Service, SECAM 33.117
components operation or functionality of the network SMF; AUSF; software operation or functionality of the network Spoofing Accreditation 3GPP TS
product create an unnecessary attack SEPP; NRF; product shall not be installed or shall be identity, Body, 33.511-519
surface. Such unused software NEF deleted after installation. This includes Tampering of Accredited 4.3.2.3
components have a high susceptibility of also parts of a software, which will be Data, Test Lab
falling outside patching and vulnerability installed as examples but typically not be Information
management processes and therefore used (e.g. default web pages, example Disclosure
are increasingly exposed to malicious databases, test data). NAAx
attacks and technical faults.
Unused During installation of software and UPF; gNB; TS 33.117 / 4.3.2.4 During installation of software and Denial of Vendor, 3GPP TS
software or hardware often functions will be AMF; UDM; No unused hardware often functions will be activated Service, SECAM 33.117
hardware activated that are not required for SMF; AUSF; functions that are not required for operation or Spoofing Accreditation 3GPP TS
functions operation or function of the system. SEPP; NRF; function of the system. If unused functions identity, Body, 33.511-519
Such hardware and software functions NEF of software cannot be deleted or de- Tampering of Accredited 4.3.2.4
increase the IT attack surface and their installed individually, such functions shall Data, Test Lab
exposure is increased by their be deactivated in the configuration of the Information
susceptibility of falling outside access network product permanently. Disclosure
control policies. Also, hardware functions which are not NAAx
required for operation or function of the
system (e.g. unused interfaces) shall be
permanently deactivated. Permanently
means that they shall not be reactivated
again after network product reboot.
155
December 2020
Associated Threats
Category Taxonomy)
Unsupported Unsupported components incur a high UPF; gNB; TS 33.117 / 4.3.2.5 The network product shall not contain Denial of Vendor, 3GPP TS
components risk of unmitigated vulnerabilities that AMF; UDM; No unsupported software and hardware components that Service, SECAM 33.117
can be exploited by malicious actors or SMF; AUSF; components are no longer supported by their vendor, Spoofing Accreditation 3GPP TS
technical faults. SEPP; NRF; producer or developer, such as identity, Body, 33.511-519
NEF components that have reached end-of-life Tampering of Accredited 4.3.2.5
or end-of-support. Excluded are Data, Test Lab
components that have a special support Information
contract. This contract shall guarantee the Disclosure,
correction of vulnerabilities over Component
components' lifetime. malfunctions
NAAx, FMx
Remote login Unrestricted remote login for privileged UPF; gNB; TS 33.117 / 4.3.2.6 Description: Direct login as root or Authorisation Vendor, 3GPP TS
of privileged users expose the network element to AMF; UDM; Remote login equivalent highest privileged user shall be attacks, SECAM 33.117
users increased risk of unauthorized access SMF; AUSF; restrictions for limited to the system console only. Root elevation of Accreditation 3GPP TS
and manipulation. SEPP; NRF; privileged users user will not be allowed to login to the privilege Body, 33.511-519
NEF system remotely. NAAx Accredited 4.3.2.6
Test Lab
Excessive file In the presence of excessive files stem UPF; gNB; TS 33.117 / 4.3.2.7 The system shall be designed to ensure Unauthorised / Vendor, 3GPP TS
system authorisation privileges, application and AMF; UDM; file system that only users that are authorized to erroneous data SECAM 33.117
Authorisation configuration data is exposed to risks of SMF; AUSF; Authorisation modify files, data, directories or file element Accreditation 3GPP TS
privileges unauthorised disclosure, tampering, or SEPP; NRF; privileges systems have the necessary privileges to modification / Body, 33.511-519
destruction. NEF do so. deletion Accredited 4.3.2.7
NAA1, NAA2, Test Lab
NAA3, UD1,
UD2
Lack of IP address spoofing involving the use of UPF; gNB; TS 33.117 / Systems shall not process IP packets if Packet flood Vendor, 3GPP TS
protection a trusted IP address can be used by AMF; UDM; 4.3.3.1.1 IP- their source address is not reachable via NAA5 SECAM 33.117
against IP- network intruders to overcome network SMF; AUSF; Source address the incoming interface. Accreditation 3GPP TS
Source security measures, such as SEPP; NRF; spoofing mitigation Body, 33.511-519
address authentication based on IP addresses. NEF Accredited 4.3.3.1.1
spoofing IP address spoofing is most frequently Test Lab
used in denial-of-service attacks, where
the objective is to flood the target with
an overwhelming volume of traffic, and
the attacker does not care about
receiving responses to the attack
packets.
156
December 2020
Associated Threats
Category Taxonomy)
Unneeded Kernel based network functions not UPF; gNB; TS 33.117 / Kernel based network functions not Exploitation of Vendor, 3GPP TS
kernel network needed for the operation of the network AMF; UDM; 4.3.3.1.2 needed for the operation of the network vulnerable SECAM 33.117
functions element offer an unnecessary attack SMF; AUSF; Minimized kernel element shall be deactivated kernel functions Accreditation 3GPP TS
surface. Particularly vulnerable services SEPP; NRF; network functions NAAx Body, 33.511-519
are: IP Packet Forwarding between NEF Accredited 4.3.3.1.2
different interfaces of the same Test Lab
equipment, Proxy ARP (resource
exhaustion attacks and man-in-the-
middle attacks), Directed broadcast
(Smurf, Denial of Service attack), IPv4
Multicast handling (smurf and fraggle
attacks), gratuitous ARP messages
(ARP Cache Poisoning attack)
automatic Automatic launch of removable media UPF; gNB; TS 33.117 / The network product shall not Malware, Vendor, 3GPP TS
launch of provides a potential vector for AMF; UDM; 4.3.3.1.3 No automatically launch any application when bypassing of SECAM 33.117
removable unauthorized or malicious payloads SMF; AUSF; automatic launch removable media device such as CD-, security Accreditation 3GPP TS
media SEPP; NRF; of removable DVD-, USB-Sticks or USB-Storage drive is controls, Body, 33.511-519
NEF media connected. If the operating system running Accredited 4.3.3.1.3
supports an automatic launch, it shall be unauthorised Test Lab
deactivated unless it is required to support operating
availability requirements. system
NAAx
No SYN Flood A SYN flood is a form of denial-of- UPF; gNB; TS 33.117 / The network product shall support a Syn Flood Vendor, 3GPP TS
Prevention service attack in which an attacker AMF; UDM; 4.3.3.1.4 SYN mechanism to prevent Syn Flood attacks attacks SECAM 33.117
sends a succession of SYN requests to SMF; AUSF; Flood Prevention ; (e.g. implement the TCP Syn Cookie NAA5 Accreditation 3GPP TS
a target's system in an attempt to SEPP; NRF; RFC 4987 technique in the TCP stack by setting Body, 33.511-519
consume enough server resources to NEF net.ipv4.tcp_syncookies = 1 in the linux Accredited 4.3.3.1.4
make the system unresponsive to sysctl.conf file). This feature shall be Test Lab
legitimate traffic enabled by default.
No protection In information security and UPF; gNB; TS 33.117 / The system shall support mechanisms for Buffer overflow Vendor, 3GPP TS
against buffer programming, a buffer overflow, or AMF; UDM; 4.3.3.1.5 buffer overflow protection. Documentation attacks SECAM 33.117
overflows buffer overrun, is an anomaly where a SMF; AUSF; Protection from which describes these buffer overflow NAA2, NAA3 Accreditation 3GPP TS
program, while writing data to a buffer, SEPP; NRF; buffer overflows mechanisms and also how to check that Body, 33.511-519
overruns the buffer's boundary and NEF they have been enabled and/or Accredited 4.3.3.1.5
overwrites adjacent memory locations. implemented shall be provided. Test Lab
Buffers are areas of memory set aside to

hold data, often while moving it from one
section of a program to another, or
between programs. Buffer overflows can
157
December 2020
Associated Threats
Category Taxonomy)
often be triggered by malformed inputs;
if one assumes all inputs will be smaller
than a certain size and the buffer is
created to be that size, then an
anomalous transaction that produces
more data could cause it to write past
the end of the buffer. If this overwrites
adjacent data or executable code, this
may result in erratic program behaviour,
including memory access errors,
incorrect results, and crashes.
Exploiting the behaviour of a buffer
overflow is a well-known security exploit.
By sending in data designed to cause a
buffer overflow, it is possible to write into
memory areas known to hold executable
code and replace it with malicious code,
or to selectively overwrite data
pertaining to the program's state,
therefore causing behaviour that was not
intended by the original programmer.
Buffers are widespread in operating
system (OS) code, so it is possible to
make attacks that perform privilege
escalation and gain unlimited access to
the computer's resources.
No/improper In the absence of effective external file UPF; gNB; TS 33.117 / If normal users are allowed to mount Malware, Vendor, 3GPP TS
external file systems mount restrictions, the system AMF; UDM; 4.3.3.1.6 External external file systems (attached locally or bypassing of SECAM 33.117
system mount is exposed to privilege escalation and SMF; AUSF; file system mount via the network), OS-level restrictions shall security Accreditation 3GPP TS
restrictions excessive access permissions due to SEPP; NRF; restrictions be set properly in order to prevent controls, Body, 33.511-519
the contents of the mounted file NEF privilege escalation or extended access running Accredited 4.3.3.1.6
systems. permissions due to the contents of the unauthorised Test Lab
mounted file systems. operating
system
NAAx
158
December 2020
Associated Threats
Category Taxonomy)
Directory Web servers can be configured to UPF; gNB; TS 33.117 / Directory listings (indexing) / "Directory Scanning of Vendor, 3GPP TS
listings automatically list the contents of AMF; UDM; 4.3.4.10 No browsing" shall be deactivated. vulnerable SECAM 33.117
directories that do not have an index SMF; AUSF; directory listings resources Accreditation 3GPP TS
page present. This can aid an attacker SEPP; NRF; NAA4 Body, 33.511-519
by enabling them to quickly identify the NEF Accredited 4.3.4.10
resources at a given path, and proceed Test Lab
directly to analysing and attacking those
resources. It particularly increases the
exposure of sensitive files within the
directory that are not intended to be
accessible to users, such as temporary
files and crash dumps.
Web server The HTTP headers sent by the remote UPF; gNB; TS 33.117 / The HTTP header shall not include Exploitation of Vendor, 3GPP TS
information in web server disclose information that can AMF; UDM; 4.3.4.11 Web information on the version of the web vulnerable SECAM 33.117
HTTP headers aid an attacker, such as the server SMF; AUSF; server information server and the modules/add-ons used. components Accreditation 3GPP TS
version and languages used by the web SEPP; NRF; in HTTP headers NAAx Body, 33.511-519
server. NEF Accredited 4.3.4.11
Test Lab
Web server The error page sent by the web server UPF; gNB; TS 33.117 / User-defined error pages shall not include Exploitation of Vendor, 3GPP TS
information in discloses information that can aid an AMF; UDM; 4.3.4.12 Web version information about the web server vulnerable SECAM 33.117
error pages attacker, such as the server version, SMF; AUSF; server information and the modules/add-ons used. Error components Accreditation 3GPP TS
modules/add-ons used or information SEPP; NRF; in error pages messages shall not include internal NAAx Body, 33.511-519
revealing inner workings such as internal NEF information such as internal server names, Accredited 4.3.4.12
server names, error codes, etc. error codes, etc. Default error pages of the Test Lab
web server shall be replaced by error
pages defined by the vendor.
Unused file Unused File type- or script-mappings UPF; gNB; TS 33.117 / File type- or script-mappings that are not Code injection Vendor, 3GPP TS
type- or script- can be used in attacks based on delivery AMF; UDM; 4.3.4.13 Minimized required shall be deleted, e.g. php, phtml, NAAx SECAM 33.117
mappings of malicious payloads, such as code- SMF; AUSF; file type mappings js, sh, csh, bin, exe, pl, vbe, vbs Accreditation 3GPP TS
injection attacks. SEPP; NRF; Body, 33.511-519
NEF Accredited 4.3.4.13
Test Lab
159
December 2020
Associated Threats
Category Taxonomy)
Unrestricted Improperly restricted file access rights UPF; gNB; TS 33.117 / Restrictive access rights shall be assigned Direct access to Vendor, 3GPP TS
access to files may lead to unauthorized delivery of AMF; UDM; 4.3.4.14 Restricted to all files which are directly or indirectly restricted data SECAM 33.117
files which are not meant to be SMF; AUSF; file access (e.g. via links or in virtual directories) in the from public Accreditation 3GPP TS
delivered, and to path traversal attacks. SEPP; NRF; web server's document directory. In domain Body, 33.511-519
NEF particular, the web server shall not be able NAA4 Accredited 4.3.4.14
to access files which are not meant to be Test Lab
delivered.
Execution Improper restriction of execute rights UPF; gNB; TS 33.117 / If CGI or other scripting technology is Code injection Vendor, 3GPP TS
rights outside may lead to Remote Command AMF; UDM; 4.3.4.15 Execute used, only the CGI/Scripting directory is NAAx SECAM 33.117
CGI/Scripting Execution by unauthorized delivery of SMF; AUSF; rights exclusive for configured with execute rights. Other Accreditation 3GPP TS
directory malicious payload through various SEPP; NRF; CGI/Scripting directories used or meant for web content Body, 33.511-519
vectors. NEF directory do not have execute rights Accredited 4.3.4.15
Test Lab
System If the web server runs under privileged UPF; gNB; TS 33.117 /4.3.4.2 No web server processes shall run with Elevation of Vendor, 3GPP TS
privileges for accounts, web server compromise AMF; UDM; No system system privileges. This is best achieved if privileges SECAM 33.117
web server caused by malicious action or technical SMF; AUSF; privileges for web the web server runs under an account that NAA2, NAA3, Accreditation 3GPP TS
processes fault has an increased chance to SEPP; NRF; server has minimum privileges. If a process is NAA4 Body, 33.511-519
compromise the host operating system's NEF started by a user with system privileges, Accredited 4.3.4.2
integrity and availability. execution shall be transferred to a different Test Lab
user without system privileges after the
start.
Active and Unused http methods provide an UPF; gNB; TS 33.117 / 4.3.4.3 HTTP methods that are not required shall Abuse of Vendor, 3GPP TS
unused HTTP unnecessary attack surface that can AMF; UDM; No unused HTTP be deactivated. Standard requests to web unused SECAM 33.117
methods lead to security compromise of the SMF; AUSF; methods servers only use GET, HEAD, and POST. vulnerable Accreditation 3GPP TS
system SEPP; NRF; If other methods are required, they shall methods Body, 33.511-519
NEF not introduce security leaks such as NAA2, NAA3, Accredited 4.3.4.3
TRACK or TRACE. NAA4 Test Lab
Unused web Unused server addons provide an UPF; gNB; TS 33.117 / 4.3.4.4 All optional add-ons and components of Code injection Vendor, 3GPP TS
server addons unnecessary attack surface that can AMF; UDM; No unused add- the web server shall be deactivated if they NAA2, NAA3, SECAM 33.117
lead to security compromise of the SMF; AUSF; ons are not required. In particular, CGI or other NAA4 Accreditation 3GPP TS
system SEPP; NRF; scripting components, Server Side Body, 33.511-519
NEF Includes (SSI), and WebDAV shall be Accredited 4.3.4.4
deactivated if they are not required. Test Lab
160
December 2020
Associated Threats
Category Taxonomy)
Access to CGI and other server-side scripting UPF; gNB; TS 33.117 / 4.3.4.5 If CGI (Common Gateway Interface) or Code injection Vendor, 3GPP TS
compiler, specifications provide opportunities to AMF; UDM; No compiler, other scripting technology is used, the CGI NAA2, NAA3, SECAM 33.117
interpreter, or read files, acquire shell access, and SMF; AUSF; interpreter, or shell directory - or other corresponding scripting NAA4 Accreditation 3GPP TS
shell via CGI or corrupt file systems on server machines SEPP; NRF; via CGI or other directory - shall not include compilers or Body, 33.511-519
other server- and their attached hosts. Means of NEF server-side interpreters (e.g. PERL interpreter, PHP Accredited 4.3.4.5
side scripting gaining access include: exploiting scripting interpreter/compiler, Tcl Test Lab
assumptions of the script, exploiting interpreter/compiler or operating system
weaknesses in the server environment, shells).
and exploiting weaknesses in other
programs and system calls. Presence in
the scripting directory of compilers,
interpreters or operating system shells
renders the system particularly
vulnerable.
Common In upload is permitted in the UPF; gNB; TS 33.117 / 4.3.4.6 If CGI or other scripting technology is Code injection Vendor, 3GPP TS
directory for CGI/Scripting, the system is vulnerable AMF; UDM; No CGI or other used, the associated CGI/script directory NAA2, NAA3, SECAM 33.117
uploads and to code injection / shell upload attacks. SMF; AUSF; scripting for shall not be used for uploads. NAA4 Accreditation 3GPP TS
CGI/Scripting SEPP; NRF; uploads Body, 33.511-519
NEF Accredited 4.3.4.6
Test Lab
Execution of SSIs are directives present on Web UPF; gNB; TS 33.117 / 4.3.4.7 If Server Side Includes (SSI) is active, the Code injection Vendor, 3GPP TS
system applications used to feed an HTML page AMF; UDM; No execution of execution of system commands shall be NAA2, NAA3, SECAM 33.117
commands with dynamic contents. The Server-Side SMF; AUSF; system commands deactivated. NAA4 Accreditation 3GPP TS
with server Includes attack allows the exploitation of SEPP; NRF; with SSI Body, 33.511-519
side includes a web application by injecting scripts in NEF Accredited 4.3.4.7
(SSI) HTML pages or executing arbitrary Test Lab
codes remotely. It can be exploited
through manipulation of SSI in use in the
application or force its use through user
input fields.
Excessive / Improper setting of access rights for web UPF; gNB; TS 33.117 / 4.3.4.8 Access rights for web server configuration Manipulation of Vendor, 3GPP TS
improper server configuration files may lead to AMF; UDM; Access rights for files shall only be granted to the owner of server SECAM 33.117
access rights unauthorized disclosure or modification SMF; AUSF; web server the web server process or to a user with configuration Accreditation 3GPP TS
for web server of configuration information. SEPP; NRF; configuration system privileges. Implementation files Body, 33.511-519
configuration NEF example: Delete "read" and "write" access NAA2, NAA3 Accredited 4.3.4.8
files rights for "others." Only grant "write" Test Lab
access to the user who configures the web
server
161
December 2020
Associated Threats
Category Taxonomy)
Presence of Presence of default content may UPF; gNB; TS 33.117 / 4.3.4.9 Default content (examples, help files, Abuse of Vendor, 3GPP TS
default content disclose information on the web server AMF; UDM; No default content documentation, aliases) that is provided vulnerable SECAM 33.117
version, add-ons and configuration or SMF; AUSF; with the standard installation of the web content, Accreditation 3GPP TS
information/file structure, and thus SEPP; NRF; server shall be removed. collection of Body, 33.511-519
facilitate information gathering for a NEF system Accredited 4.3.4.9
malicious party. Also, default content information Test Lab
may include known vulnerabilities (such NAA2, NAA3,
as the case of IIS Default Page). NAA4
Inadequate Unsegregated traffic belonging to O&M; TS 33.117 / 4.3.5.1 The network product shall support physical Lateral Vendor, 3GPP TS
traffic different planes (data, control, control Traffic Separation or logical separation of traffic belonging to movement, SECAM 33.117
separation of management) increases the risk that plane; UPF; RFC 3871 / 2.3.5. different network domains. For example, elevation of Accreditation 3GPP TS
traffic unauthorized individuals will be able to gNB; AMF; Support Separate O&M traffic and control plane traffic belong privileges, Body, 33.511-519
belonging to observe management traffic and/or UDM; SMF; Management to different network domains. See RFC eavesdropping Accredited 4.3.5.1
different compromise the device. AUSF; Plane IP Interfaces 3871 [3] for further information. NAA2, NAA3, Test Lab
network SEPP; NRF; NAA4, EIH4
domains NEF
Code execution Execution of JavaScript or any other Network TS 33.117 / 4.3.6.2 Parsers used by Network Functions (NF) Code injection Vendor, 3GPP TS
or inclusion of code contained in JSON objects Function No code execution shall not execute JavaScript or any other NAA2, NAA3, SECAM 33.117
external received on Service Based Interfaces (NF); or inclusion of code contained in JSON objects received NAA4 Accreditation 3GPP TS
resources by (SBI) expose the system to execution of 5G Core external resources on Service Based Interfaces (SBI). Body, 33.512-519
JSON parsers malicious code delivered over the SBI. (5GC); by JSON parsers Further, these parsers shall not include Accredited 4.3.6.2
Service- any resources external to the received Test Lab
Based JSON object itself, such as files from the
Interfaces NF’s file system or other resources loaded
(SBI); UPF; externally
AMF; UDM,
SMF; AUSF;
SEPP; NRF;
NEF
162
December 2020
Associated Threats
Category Taxonomy)
JSON Parser For data structures where values are Network TS 33.117 / 4.3.6.3 For data structures where values are Software error Vendor, 3GPP TS
not robust accessible using names (sometimes Function Validation of the accessible using names (sometimes FMx SECAM 33.117
referred to as keys), e.g. a JSON object, (NF); unique key values referred to as keys), e.g. a JSON object, Accreditation 3GPP TS
if the names/keys are not unique and 5G Core in IEs. the name shall be unique. The occurrence Body, 33.512-519
duplicated names/keys occur within (5GC); TS 33.117 / 4.3.6.4 of the same name (or key) twice within Accredited 4.3.6.3,
such a structure, it can result in Service- Validation of the such a structure shall be an error and the Test Lab 4.3.6.4
inconsistent values for that names (or Based IEs limits. message shall be rejected
keys), which leads to Denial of Service. Interfaces The valid format and range of values for
- If the format and range of values for (SBI); UPF; each IE, when applicable, shall be defined
the IEs in API messages are not AMF; UDM, unambiguously.
implemented as required (e.g. when the SMF; AUSF;
number of leaf IEs exceeds the SEPP; NRF;
maximum number or when the size of NEF
the JSON body of any HTTP request
exceed the maximum size), security
vulnerabilities may be introduced such
as buffer overflow flow, which may lead
to Denial of Service.
163
December 2020
D ANNEX: DETAILED VULNERABILITIES IN

NETWORK SLICING
Associated Security Source

Name of Security Requirements /Description Threats (Threat
Description Assets Stakeholder Ref/Code
Vulnerability Controls of security controls Taxonomy)
Category Spec
Service Based Vulnerabilities in Network Slicing Management
Unsecured This management interface will need to be Service Secure A communication service customer shall Attackers may gain MNO, CSP 3GPP TR
management secured so that only authorized parties Based configuration of be authenticated by the network before access to capabilities for 33.811 V15.0.0
exposure can create, alter, and delete network slice Interfaces, Management accessing to the slice management the network management 4.1.1.
interface instances. Without secure protection, an OS-Ma-NFVi Exposure Interface interface. without authorisation.
attacker could: A communication service customer shall Attackers may create
authenticate the network before network slice instances
accessing to the slice management requiring significant
- use charged for services in an interface. network resources or a
unauthorized way The slice management interface shall large number of network
- create a network slice instance to deny only be accessed by authorized slice instances to
services to or track customers who expect communication service customers. exhaust the network
to use a specific network instance The management capabilities that a resources and potentially
- deny services to customers using an communication service customer is bring down the network.
existing slice instance by modifying slice allowed to use are defined by the Attackers may also
services HPLMN. modify the configuration
- perform a man-in-the-middle attack by The slice management interface shall of other customers’ slice
modifying a slice instance to reroute the be designed securely to ensure that instances to fail their
traffic maliciously security features cannot be bypassed. SLA. Attackers could
- deny services by deleting a slice instance It shall be possible to integrity protect replay management
the slice management interface messages causing
messages. repeated management
It shall be possible to confidentiality operations (e.g. creating
protect the slice management interface duplicated network
messages. slices) and false charging
It shall be possible to protect the slice etc.
management interface messages NAA2, NAA3, NAA4
against replay attacks.
164
December 2020

Category Spec
Improper protection of Data and Information
Improper During the operation phase of Network Encryption, The result of supervision/reporting An attacker can tamper MNO, CSP 3GPP TR
protection of management aspects of a Network Slice Slice integrity verification should be integrity protected. the result of 33.811 V15.0.0
Network Slice Instance, supervision and performance Instance The supervision and reporting data may supervision/reporting to 4.2.1.
Instance reporting (e.g. for KPI monitoring) are be confidentiality protected. cause a modification of
supervision / included. NSI modification can be an NSI. This may cause
reporting data triggered by the result of consumption of network
supervision/reporting, so protecting the resource or changes to a
integrity of the result of the running slice instance.
supervision/reporting data is important. A An attacker can
tampered result may cause an eavesdrop the
unnecessary or improper NSI modification transmission of
action such as creation or modification of supervision and reporting
NSI constituents. data and extract
If supervision and reporting data is not sensitive information that
protected by encryption, an attacker may can be used to execute
be able to extract sensitive information attacks of running
such as topology. network slice instances.
Lack of / A network Slice Subnet Template (NSST) Network Integrity protection The network slice subnet template Attackers can tamper MNO, CSP 3GPP TR
ineffective is used during on-boarding and creation of Slice Subnet of NSST should be integrity protected network slice subnet 33.811 V15.0.0
tamper- a slice instance. The template describes Instance The management system should verify template during on- 4.3.1.
proofing of the structure (i.e. contained components the correctness and source of the boarding, transmission,
Network Slice and connectivity between them) and network slice subnet template. and storage. Based on a
Subnet configuration of the network slice subnet, The network slice subnet template tampered NSST, a slice
Template as well as network capability and other should be confidentiality protected instance may not be
(NSST) artifacts necessary to provision an during transmission and in storage. created correctly or
instance based on the template. To detect successfully.
a tampered template which could create a Attackers can get
compromised NSI, the integrity of template sensitive information
should be protected. The correctness and about NSIs if NSSTs can
source of template should also be verified. be read in clear text
The confidentiality of an NSST should be during transmission and
protected to prevent attackers getting in storage - later to be
sensitive information such as topology and used to attack a running
configuration about the running NSI. NSI.
NAA2, NAA3, NAA4
165
December 2020

Category Spec
Vulnerabilities in implementation of NS security functionalities
Insecure The services or network slice Network Protection of The negotiation procedure shall be Man-in-the middle (MitM) MNO, CSP 3GPP TR
procedure for characteristics include radio access Slice negotiation authenticated attacks to modify and 33.811 V15.0.0
capability technology, bandwidth, latency, reliability, Instance procedure The negotiation procedure shall be downgrade the slice 4.4.1.
negotiation guaranteed/non-guaranteed QoS, security integrity, replay and confidentiality using capabilities
level etc. It should be possible for these TLS (recommended TLS 1.2 or TLS NAA2, NAA3, NAA4
items to be securely negotiable in a 1.3)
standardized way. If the network slice Access to the network management
negotiation procedures are not secured in interface shall be authorised using
a standardized way, the slice management OAuth 2.0
may be subject to malicious attacks, e.g.
man-in-the middle (MitM) attacks to modify
and downgrade the slice capabilities.
Vulnerable mechanisms for authentication and authorisation in Network Slicing Management
Improper slice- Access control to Network Slices may Network Additional Configure Network Slice to perform Unauthorized access to MNO, CSP 3GPP TR
authentication require additional authorisation and Slice authentication access authentication and authorisation NSI, DoS for legitimate 33.813 V16.0.0
mechanisms authentication different from the 3GPP Instance mechanism in addition to primary authentication. users 6.2
SUPI. This will take place after the primary Perform the additional authentication NAAx
authentication which is still required after primary authentication using
between the UE and the 5GS for PLMN credentials other than credentials used
access authorisation and authentication. If for primary authentication used for
Slice specific authentication is not 3GPP access.
performed, unauthorized UEs may access
the Slice which those UEs are not entitled
to access. The unauthorized UEs may
consume resources of the Network Slice
and they may cause DoS to legitimate
UEs.
Lack of Without confidentiality or integrity NSSAAI Secure Protect the security of the User ID and Unauthorized access to MNO, CSP 3GPP TR
protection of protection of the User ID and authentication credentials in UE storage, transition and User ID, theft of access 33.813 V16.0.0
NSSAI and corresponding credentials, sensitive mechanisms network storage. credentials 6.5
home control information may leak, and user data may Protect the security of the interaction NAAx
be obtained by attackers. between the 3rd party entities and the
network functions performing slice
authorisation and authentication.
Interaction between the network
functions performing slice authorisation
and authentication and the related MNO
NFs such as AMF, SMF or NSSF
166
December 2020

Category Spec
Lack of Network Slice Selection Assistance NSSAAI Protect S-NSSAI 5G system shall provide confidentiality Man-in-the middle (MitM) MNO, CSP 3GPP TR
protection of Information (NSSAI) may contain sensitive during protection for NSSAI transmission: attacks may disrupt the 33.813 V16.0.0
the User ID and information that causes privacy concerns transmission - Cryptographic key available from an services, leak of NSSAI 6.7
credentials when transmitted in clear. earlier authentication run, NAAx
If a Single – Network Slice Selection - Use of existing NAS or AS security
Assistance Information (S-NSSAI) is sent contexts.
in the clear text during the Radio Resource
Control (RRC) connection establishment
procedure, then the user privacy is lost.
A non-compliant serving PLMN may
transmit NSSAI in clear, leading to a leak
of NSSAI.
Insufficient or improper monitoring mechanism of Network Slice Instance (NSI)
Insufficient / Security must be enforced in all phases of Network Security event Appropriate logging and auditing Create fake slices. MNO, CSP 5G Network
inadequate the NSI lifecycle because a vulnerability in Slice logging mechanisms should be implemented Delete/deactivate slices. Slicing: A
logging and one phase can introduce vulnerabilities in Instance throughout the slice life cycle. Expose/change the Security
auditing across other phases. Without proper Real-time analysis of security events to configuration of the Overview95
NSI lifecycle monetarization of all phases, security immediately detect any attempted network slice.
events remain undetected attack. DoS/consume resources
and network functions.
Slice life-cycle includes: 1) Preparation (NAAx, FMx)
phase; 2) Installation, Configuration,
and Activation phase; 3) Run-time
phase; 4) Decommissioning phase.
Improper Logs and audit trails can assist in Network Protection of log Establish policies and procedures for Logs that are secured MNO, CSP NIST 800-92
protection of detecting security violations, performance Slice information log management. improperly in storage or
security event problems, and flaws. It is important that Managemen Logs must be protected from breaches in transit might be
log files audit records are available and complete. t of their confidentiality and integrity. susceptible to intentional
For this reason, protection is required for and unintentional
all security events. alteration and
destruction. (NAAx, FMx)
95
R. F. Olimid and G. Nencioni, "5G Network Slicing: A Security Overview," in IEEE Access, vol. 8, pp. 99999-100009, 2020, doi: 10.1109/ACCESS.2020.2997702, accessed October 2020.
167
December 2020

Category Spec
Improper A correct level of isolation must be Network Isolation of data Proper isolation between distinct slices Unauthorized access, MNO, CSP 5G Network
isolation of implemented among the services and Slice in the slice manager and restriction to leakage of shared Slicing: A
monitoring between the slice and the consuming Instance perform changes on parameters shared parameters, sensitive Security
capabilities services. among slices belonging to different data transmitted between Overview
and data Security is one dimension of isolation, tenants. Strong authentication and the slices. (NAAx, FMx)
together with performance and access control procedures must be in
dependability. Isolation must be place. If a 5G customer device is
considered from different perspectives: allowed to simultaneously attach to
isolation between network slices, isolation multiple slices, isolation of data should
between network functions, isolation be possible at the customer device too.
between users, isolation of data. The
measurement of isolation remains an open
problem.
Improper or The concept of end-to end security is Network End-to-end Slices are end-to-end logical networks, Availability of the service, MNO, CSP 5G Network
insufficient closely connected to the concepts of Slice monitoring so end-to-end security should be sensitive data Slicing: A
end-to-end isolation and orchestration. Without end- Instance considered. All resources and network transmitted between the Security
monitoring to-end security monitoring, it is not functions consumed by a slice should slices. (NAAx, FMx) Overview
capabilities for possible to ensure adequate protection of be monitored.
NSI the service provided by the network slice.
All communication (e.g., between the slice
and the resource layer, the slice and the
slice manager, the sub-slices of a slice,
the customer device and the access point
in the network) should use adequate
mechanisms to assure the target security
level.
Insufficient / Security must be enforced in all phases Network Security event Appropriate logging and auditing Create fake slices. MNO, CSP 5G Network
inadequate because a vulnerability in one phase can Slice logging mechanisms should be implemented Delete/deactivate slices. Slicing: A
logging and introduce vulnerabilities in other phases. Instance throughout the slice life cycle. Expose/change the Security
auditing across Slice life-cycle include: 1) Preparation Real-time analysis of security events to configuration of the Overview
NSI lifecycle phase; 2) 2) Installation, Configuration, immediately detect any attempted network slice.
and Activation phase; 3) Run-time phase; attack. DoS/consume resources
4) Decommissioning phase. Without and network functions.
proper monetarization of all phases, (NAAx, FMx)
security events remain undetected
168
December 2020
E ANNEX: DETAILED VULNERABILITIES IN

THE RADIO ACCESS NETWORK
Associated
Name of Security Requirements /Description of Threats (Threat
Description Assets Security Controls Stakeholder Source Ref
Vulnerability security controls Taxonomy)
Category
Improper implementation of gNB security functions
Improper RRC-signalling data sent between UE gNB, UE TS 33.501/5.3.2 The gNB shall implement the following Tampering data, Vendor, 3GPP TS
Ciphering of and gNB over the NG RAN is not User data and ciphering algorithms: Information SECAM 33.511,
RRC-signalling encrypted or encrypted using a non- signalling data - NEA0, 128-NEA1, 128-NEA2, 128- Disclosure, Accreditation 4.2.2.1.6
compliant ciphering algorithm confidentiality NEA3 Denial of Service Body,
(NAAx) Accredited
Test Lab
Failure to If the gNB does not provide gNB, N2/Xn TS 33.501/9.2 and In order to protect the reference points, it Tampering data, Vendor, 3GPP TS
ensure control confidentiality protection for control interface 9.4 Security is required to implement IPsec ESP and Information SECAM 33.511,
plane data plane packets on the N2/Xn reference mechanisms for N2 IKEv2 certificates-based authentication. Disclosure, Accreditation 4.2.2.1.16
confidentiality points, then the control plane packets and Xn interfaces IPsec is mandatory to implement on the Denial of Service Body,
protection over sent between gNBs (e.g. inter-gNB gNB and the ng-eNB. In addition to Accredited
N2/Xn interface handover) and from gNB to AMF (e.g. IPsec, DTLS shall be supported to (NAAx) Test Lab
handover on AMF change) can be provide integrity protection, replay
intercepted and/or modified and the gNB protection and confidentiality protection.
can be compromised by attackers to
prevent service to legitimate users (e.g.
Handover failure) or to perform
masquerading by making use of the
legitimate users’ UE identifiers to gain
access to the network.
Improper If the gNB does not provide integrity gNB TS 33.501/5.3.3 The gNB shall support integrity protection Tampering data, Vendor, 3GPP TS
mechanisms to protection for control plane packets, they User data and and replay protection of RRC-signalling. Denial of SECAM 33.511,
protect RRC risk being exposed and/or modified. The signalling data Service, Rogue Accreditation 4.2.2.1.1
signalling data intruder manipulations on control plane integrity base station Body,
integrity packets can lead to denial of service to Accredited
legitimate users. (NAAx, EIH4) Test Lab
169
December 2020
Associated
Category
RRC integrity Failure in RRC integrity check affects gNB, UE TS 33.501/6.5.1 RRC integrity protection shall be Tampering data, Vendor, 3GPP TS
check failure the data/message exchange between RRC integrity provided by the PDCP layer between UE Denial of SECAM 33.511,
gNB and UE mechanisms and gNB and no layers below PDCP Service, Rogue Accreditation 4.2.2.1.4
shall be integrity protected. Replay base station Body,
protection shall be activated when (NAAx) Accredited
integrity protection is activated. Full Test Lab
mechanism is described in TS
33.501/6.5.1 RRC integrity mechanisms
Failure to The integrity and replay-protection of gNB TS 33.501/9.2 and In order to protect the reference points, it Tampering data, Vendor, 3GPP TS
ensure control transport of control plane data and user 9.4 Security is required to implement IPsec ESP and Denial of SECAM 33.511,
plane data data over N2/Xn could be affected mechanisms for N2 IKEv2 certificates-based authentication. Service. (NAAx, Accreditation 4.2.2.1.17
integrity and Xn interfaces IPsec is mandatory to implement on the EIH4) Body,
protection over gNB and the ng-eNB. In addition to Accredited
N2/Xn interface IPsec, DTLS shall be supported to Test Lab
provide integrity protection, replay
protection and confidentiality protection.
Improper or gNB must provide replay protection by gNB, UE TS 33.501/5.3.3 The gNB shall support integrity protection Tampering data, Vendor, 3GPP TS
missing replay dropping/ignoring replayed packets. If User data and and replay protection of RRC-signalling Denial of Service SECAM 33.511,
protection of the gNB does not provide adequate signalling data (NAA2, NAA5) Accreditation 4.2.2.1.9
RRC-signalling integrity protection for RRC packets on, integrity Body,
the control plane packets risk being Accredited
exposed and modified. The intruder Test Lab
manipulations on control plane packets
can lead to denial of service to legitimate
users.
Improper User data sent between UE and gNB gNB TS 33.501/5.3.2 The gNB shall activate ciphering of user Tampering data, Vendor, 3GPP TS
ciphering of over the NG RAN is not encrypted or User data and data based on the security policy sent by Information SECAM 33.511,
User data encrypted using a non-compliant signalling data the SMF. Disclosure Accreditation 4.2.2.1.7
between UE and ciphering algorithm confidentiality The gNB shall implement the following (NAA2, NAA3, Body,
gNB ciphering algorithms: NAA4) Accredited
- NEA0, 128-NEA1, 128-NEA2, 128- Test Lab
NEA3
Improper If the gNB does not handle integrity gNB TS 33.501/5.3.3 The gNB shall implement the following Information Vendor, 3GPP TS
integrity protection for user plane packets for the User data and ciphering algorithms: Disclosure, SECAM 33.511,
protection of NG RA interface then all the signalling data - NEA0, 128-NEA1, 128-NEA2, 128- Rogue base Accreditation 4.2.2.1.2
user data uplink/downlink user plane packets can integrity NEA3 station (NAAx, Body,
between the UE be attacked and/or manipulated by EIH4) Accredited
and the gNB intruders to launch Denial of Service Test Lab
attack.
170
December 2020
Associated
Category
User plane Failure to ensure proper managing of gNB, UE TS 33.501/6.6.4 UP If the gNB or the UE receives a PDCP Tampering data, Vendor, 3GPP TS
integrity check PDCP PDU with faulty or missing MAC-I integrity PDU which fails integrity check with Denial of SECAM 33.511,
failure mechanisms faulty or missing MAC-I after the start of Service. Accreditation 4.2.2.1.5
integrity protection, the PDU shall be Body,
discarded (NAAx) Accredited
Test Lab
Missing of gNB must provide replay protection by gNB, UE TS 33.501/5.3.3 The gNB shall support integrity protection Tampering data, Vendor, 3GPP TS
improper replay dropping/ignoring replayed packets. If User data and and replay protection of user data Denial of Service SECAM 33.511,
protection the gNB does not provide such signalling data between the UE and the gNB. (NAA2, NAA5) Accreditation 4.2.2.1.8
mechanisms of protection for user plane packets user integrity Body,
user data over plane packets can be manipulated by Accredited
NG RAN intruders to launch Denial of Service Test Lab
interface attack.
Improper If AS does not use the highest priority gNB TS 33.501/6.7.3. Each gNB/ng-eNB shall be configured Tampering data, Vendor, 3GPP TS
procedures for algorithm to protect AS layer, i.e. RRC Procedures for AS via network management with lists of Information SECAM 33.511,
AS algorithm and PDCP, data on the AS layer risks algorithm selection algorithms which are allowed for usage. Disclosure, Accreditation 4.2.2.1.12, 15
selection being exposed and/or modified, or denial When AS security context is to be Denial of Service Body,
of service. established in the gNB/ng-eNB, the AMF (NAAx, EIH4) Accredited
shall send the UE 5G security Test Lab
capabilities to the gNB/ng-eNB. The
gNB/ng-eNB shall choose the ciphering
algorithm which has the highest priority
from its configured list and is also
present in the UE 5G security
capabilities.
Lack of If the gNB does not send the UE 5G gNB, AMF TS 33.501/6.7.3.1 The AMF shall verify that the UE's 5G Tampering Data, Vendor, 3GPP TS
/improper security capabilities, the AMF cannot Xn-handover security capabilities received from the Information SECAM 33.511,
mechanisms for verify 5G security capabilities are the target gNB are the same as the UE's 5G Disclosure, Accreditation 4.2.2.1.4
prevention of same as the UE security capabilities that security capabilities that the AMF has Denial of Body,
bidding down at the AMF has stored, the attacker (e.g. locally stored. If there is a mismatch, the Service. Accredited
Xn-handover gNB) may force the system to accept a AMF shall send its locally stored 5G Test Lab
weaker security algorithm than the security capabilities of the UE to the
system is allowed forcing the system target gNB in the Path-Switch
into a lowered security level making the Acknowledge message. The AMF shall
system easily attacked and/or support logging capabilities for this event
compromised and may take additional measures, such
as raising an alarm
171
December 2020
Associated
Category
Failure to If AS keys are not refreshed by the gNB gNB TS 33.501/6.9.4. Key change on-the-fly consists of key Information Vendor, 3GPP TS
refresh keys by when PDCP COUNTs is about to be re- Key-change-on-the- refresh or key re-keying. Complete Disclosure SECAM 33.511,
gNB used with the same Radio Bearer fly requirements are described in TS (NAA4, EIH4) Accreditation 4.2.2.1.13
identity and with the same KgNB, key 33.501/6.9.4. Body,
stream reuse is possible. This can result Accredited
in information disclosure of AS signalling Test Lab
and user plane data.
Failure to Failure to update key at the gNB on Dual gNB TS 33.501 / When executing the procedure for adding Information Vendor, 3GPP TS
update key at Connectivity may lead to key stream 6.10.2.1 subsequent radio bearer(s) to the same Disclosure SECAM 33.511,
the gNB on Dual reuse. This can result in information SN, the MN shall, for each new radio Accreditation
Connectivity disclosure of AS signalling and user bearer, assign a radio bearer identity that (NAA4, EIH4) Body, 3GPP TS
plane data. has not previously been used since the Accredited 33.512
last KSN change. If the MN cannot Test Lab 84.2.2.1.8
allocate an unused radio bearer identity
for a new radio bearer in the SN, due to
radio bearer identity space exhaustion,
the MN shall increment the SN Counter
and compute a fresh KSN, and then shall
perform a SN Modification procedure to
update the KSN"
Failure to apply If gNB does not apply security controls gNB TS 33.501/5.3.2 The gNB shall activate ciphering of user Tampering data, Vendor, 3GPP TS
SMF-sent based on security policy provided by User data and data based on the security policy sent by Information SECAM 33.511,
ciphering and SMF, this can lead to no security or signalling data the SMF. Disclosure, Accreditation 4.2.2.1.4
integrity policy reduced security provided to the UE confidentiality Denial of Service Body,
user plane TS 33.501/5.3.3 Accredited
User data and (NAAx, EIH4) Test Lab
signalling data
integrity
172
December 2020
Associated
Category
Improper protection of Data and Information of gNB Components
System Presence of active system function(s) gNB TS 33.117 / When the system is not under Elevation of Vendor, 3GPP TS
functions that reveal confidential system internal 4.2.3.2.2 Protecting maintenance, there shall be no system Privilege, SECAM 33.117
revealing data in the clear to users and data and function that reveals confidential system Information Accreditation 3GPP TS
confidential administrators. Such functions could be, information – internal data in the clear to users and Disclosure, Body, 33.511-519
data for example, local or remote OAM CLI or Confidential System administrators. Such functions could be, Tampering Accredited 4.2.3.2.2
GUI, logging messages, alarms, Internal Data for example, local or remote OAM CLI or NAA2, NAA3, Test Lab
configuration file exports etc. GUI, logging messages, alarms, NAA4
Confidential system internal data configuration file exports etc. Confidential
contains authentication data (i.e. PINs, system internal data contains
cryptographic keys, passwords, cookies) authentication data (i.e. PINs,
as well as system internal data that is cryptographic keys, passwords, cookies)
not required for systems administration as well as system internal data that is not
and could be of advantage to attackers required for systems administration and
(i.e. stack traces in error messages). could be of advantage to attackers (i.e.
stack traces in error messages).
Improper For sensitive data in (persistent or gNB TS 33.117 / For sensitive data in (persistent or Elevation of Vendor, 3GPP TS
protection of temporary) storage read access rights 4.2.3.2.3 Protecting temporary) storage read access rights Privilege, SECAM 33.117
data and shall be restricted. Files of a system that data and shall be restricted. Files of a system that Information Accreditation 3GPP TS
information in are needed for the functionality shall be information in are needed for the functionality shall be Disclosure, Body, 33.511-519
storage protected against manipulation. storage protected against manipulation. Tampering Accredited 4.2.3.2.3
In addition, the following rules apply for: NAA2, NAA3, Test Lab
- Systems that need access to NAA4
identification and authentication data in
the clear, e.g. in order to perform an
authentication. Such systems shall not
store this data in the clear, but scramble
or encrypt it by implementation-specific
means.
- Systems that do not need access to
sensitive data (e.g. user passwords) in
the clear. Such systems shall hash this
sensitive data
- Stored files on the network product:
examples for protection against
manipulation are the use of checksum or
cryptographic methods.]
173
December 2020
Associated
Category
Lack of or The transmission of data is done without gNB TS 33.117 / Usage of cryptographically protected Spoofing, Vendor, 3GPP TS
improper proper protection (industry standard 4.2.3.2.4 Protecting network protocols is required. The Information SECAM 33.117
cryptographic network protocols with sufficient security data and transmission of data with a need of disclosure Accreditation 3GPP TS
protection of measures and industry accepted information in protection shall use industry standard NAA3, NAA4, Body, 33.511-519
data in transfer cryptographic algorithms), as defined in transfer network protocols with sufficient security EIH4 Accredited 4.2.3.2.4
TS33.310/33.210 measures and industry accepted Test Lab
algorithms. In particular, a protocol
version without known vulnerabilities or a
secure alternative shall be used.
No traceability In some cases, access to personal data gNB TS 33.117 / In some cases, access to personal data Information Vendor, 3GPP TS
of access to in clear text might be required. If such 4.2.3.2.5 Logging in clear text might be required. If such disclosure SECAM 33.117
personal data access is required, access to this data access to personal access is required, access to this data NAA4, LEG Accreditation 3GPP TS
shall be logged, and the log shall contain data shall be logged, and the log shall contain Body, 33.511-519
who accessed what data without who accessed what data without Accredited 4.2.3.2.5
revealing personal data in clear text. revealing personal data in clear text. Test Lab
When for practical purposes such When for practical purposes such logging
logging is not available, a coarser grain is not available, a coarser grain logging is
logging is allowed. allowed.
In some cases, the personal data stored In some cases, the personal data stored
in the log files may allow the direct in the log files may allow the direct
identification of a subscriber. In such identification of a subscriber. In such
cases, the revealed personal information cases, the revealed personal information
may not expose the subscriber to any may not expose the subscriber to any
kind of privacy violation kind of privacy violation.
Improper protection of availability and integrity of gNB Components
Failure to Overload situation could appear in the gNB TS 33.117 / The system shall provide security Denial of service Vendor, 3GPP TS
address case of DoS attack or increased traffic. 4.2.3.3.1 System measures to deal with overload situations attacks SECAM 33.117
overload Lack to deal with such events affects handling during which may occur as a result of a denial of NAA5, UD5 Accreditation 3GPP TS
situation availability of information or security overload situations service attack or during periods of Body, 33.511-519
functionalities TS 33.117 increased traffic. In particular, partial or Accredited 4.2.3.3.1,
/4.2.3.3.3 System complete impairment of system Test Lab 4.2.3.3.3
handling during availability shall be avoided.
excessive overload In the situation where the security
situations measures are no longer sufficient., it
shall be ensured that the system cannot
reach an undefined and thus potentially
insecure state. In an extreme case this
means that a controlled system
shutdown is preferable to uncontrolled
failure of the security functions and thus
loss of system protection.
174
December 2020
Associated
Category
Boot from The network product can boot only from gNB TS 33.117 / The network product can boot only from Denial of Vendor, 3GPP TS
unauthorized the memory devices intended for this 4.2.3.3.2 Boot from the memory devices intended for this Service, SECAM 33.117
memory purpose intended memory purpose Spoofing identity, Accreditation 3GPP TS
devices devices only Tampering of Body, 33.511-519
Data, Information Accredited 4.2.3.3.2
Disclosure Test Lab
(NAAx)
Improper The following typical implementation gNB TS 33.117 / During transmission of data to a system it Denial of Vendor, 3GPP TS
handling of errors open relevant vulnerabilities: 4.2.3.3.4 System is necessary to validate input to the Service, SECAM 33.117
unexpected - No validation on the lengths of robustness against network product before processing. This Spoofing identity, Accreditation 3GPP TS
input transferred data unexpected input includes all data which is sent to the Tampering of Body, 33.511-519
- Incorrect assumptions about data system. Examples of this are user input, Data, Information Accredited 4.2.3.3.4
formats values in arrays and content in protocols. Disclosure Test Lab
- No validation that received data (NAAx)
complies with the specification
- Insufficient handling of protocol errors
in received data
- Insufficient restriction on recursion
when parsing complex data formats
- White listing or escaping for inputs
outside the values margin
Insufficient Lack of software package integrity could gNB TS 33.117 / 1) Software package integrity shall be Denial of Vendor, 3GPP TS
assurance of affect CIA of data, services, hardware 4.2.3.3.5 Network validated in the installation/upgrade Service, SECAM 33.117
software and policies during installation or Product software stage; 2) Network product shall support Spoofing identity, Accreditation 3GPP TS
package upgrade phases for the envisioned package integrity software package integrity validation via Tampering of Body, 33.511-519
integrity product/system. Missing information validation cryptographic means, e.g. digital Data, Information Accredited 4.2.3.3.5
regarding software package integrity signature. To this end, the network Disclosure Test Lab
checks, including details of how the product has a list of public keys or NAAx
integrity check is carried out. Missing certificates of authorised software
authentication and access control sources, and uses the keys to verify that
mechanisms for software package the software update is originated from
installation. only these sources; 3) Tampered
software shall not be executed or
installed if integrity check fails; 4) A
security mechanism is required to
guarantee that only authorized
individuals can initiate and deploy a
software update, and modify the list
mentioned in bullet 2.
175
December 2020
Associated
Category
Vulnerable mechanisms for authentication and authorisation of gNB Components
Unauthenticated The usage of a system function without gNB TS 33.117 / The usage of a system function without Denial of Vendor, 3GPP TS
access to successful authentication on basis of the 4.2.3.4.1.1 System successful authentication on basis of the Service, SECAM 33.117
system user identity and at least one functions shall not user identity and at least one Spoofing identity, Accreditation 3GPP TS
functions authentication attribute (e.g. password, be used without authentication attribute (e.g. password, Tampering of Body, 33.511-519
certificate) opens the opportunity of successful certificate) shall be prevented. System Data, Information Accredited 4.2.3.4.1.1
exploitation and limits accountability. authentication and functions comprise, for example network Disclosure Test Lab
This includes M2M communication authorisation. services (like SSH, SFTP, Web NAAx
services), local access via a
management console, local usage of
operating system and applications.
Improper Depending of information sensitivity gNB TS 33.117 / The usage of a system function without Denial of Vendor, 3GPP TS
authentication different level of strong authentication 4.2.3.4.1.2 successful authentication on basis of the Service, SECAM 33.117
mechanisms mechanisms are required. Fail to identify Accounts shall user identity and at least one Spoofing identity, Accreditation 3GPP TS
the proper correspondence between allow unambiguous authentication attribute (e.g. password, Tampering of Body, 33.511-519
levels of protection and authentication identification of the certificate) shall be prevented. Data, Information Accredited 4.2.3.4.1.2,
mechanisms implemented creates the user The various user and machine accounts Disclosure Test Lab 4.2.3.4.2.1
possibility to allow unauthorized entities TS 33.117 / on a system shall be protected from NAAx 4.2.3.4.3.
to access unallocated resources 4.2.3.4.2.1 Account misuse. To this end, an authentication
protection by at attribute is typically used, which, when
least one combined with the user name, enables
authentication unambiguous authentication and
attribute identification of the authorized user.
Predefined/ All predefined or default accounts and/or gNB TS 33.117 / All predefined or default accounts shall Denial of Vendor, 3GPP TS
default or default authentication attributes shall 4.2.3.4.2.2 be deleted or disabled. Should this Service, SECAM 33.117
accounts and/or be deleted or disabled Predefined measure not be possible the accounts Spoofing identity, Accreditation 3GPP TS
authentication accounts shall be shall be locked for remote login. Tampering of Body, 33.511-519
attributes deleted or disabled Preconfigured authentication attributes Data, Information Accredited 4.2.3.4.2.2
TS 33.117 / shall be changed by automatically forcing Disclosure Test Lab 4.2.3.4.2.3
4.2.3.4.2.3 a user to change it on 1st time login to NAAx
Predefined or the system or the vendor provides
default instructions on how to manually change it
authentication
attributes shall be
deleted or disabled
176
December 2020
Associated
Category
Weak or A password policy shall address the gNB TS 33.117 / Password policy requirements include Denial of Vendor, 3GPP TS
missing password structure, password change, 4.2.3.4.3 Password requirements regarding Password Service, SECAM 33.117
password policy hiding password display capabilities, policy complexity, password change, Protection Spoofing identity, Accreditation 3GPP TS
consecutive failed login attempts. A against brute force and dictionary Tampering of Body, 33.511-519
week password structure and/or a long attacks, hiding password display Data, Information Accredited 4.2.3.4.3.
validity password period could lead to a Disclosure Test Lab
successful brute force attack. Password NAAx
display is vulnerable to eavesdropping
attack. Password policy is a security
policy component.
Lack of mutual The network product management shall gNB TS 33.117 / The network product management shall Denial of Vendor, 3GPP TS
authentication support mutual authentication 4.2.3.4.4.1 support mutual authentication Service, SECAM 33.117
of entities for mechanisms, the mutual authentication Authentication on mechanisms, the mutual authentication Spoofing identity, Accreditation 3GPP TS
management mechanism can rely on the protocol Network Product mechanism can rely on the protocol used Tampering of Body, 33.511-519
interfaces used for the interface itself or other Management and for the interface itself or other means. Data, Information Accredited 4.2.3.4.4.1
means Maintenance Disclosure, Test Lab
interfaces Operator Error
NAAx, Udx
Improper The authorisations for accounts and gNB TS 33.117 / The authorisations for accounts and Denial of Vendor, 3GPP TS
authorisation applications shall be reduced to the 4.2.3.4.6 applications shall be reduced to the Service, SECAM 33.117
and access minimum required for the tasks they Authorisation and minimum required for the tasks they have Spoofing identity, Accreditation 3GPP TS
control policy have to perform. access control to perform. Tampering of Body, 33.511-519
Authorisations to a system shall be Data, Information Accredited 4.2.3.4.6
restricted to a level in which a user can Disclosure, Test Lab
only access data and use functions that Operator Error
he needs in the course of his work. NAAx, Udx
Alongside access to data, execution of
applications and components shall also
rights.
177
December 2020
Associated
Category
Improper session protection mechanisms of gNB Components
Improper / The system should have a function that gNB TS 33.117 / 4.2.3.5 The system shall have a function that Denial of Vendor, 3GPP TS
missing allows a signed in user to logout at any Protecting sessions allows a signed in user to logout at any Service, SECAM 33.117
functionality for time. All processes under the logged in time. All processes under the logged in Spoofing identity, Accreditation 3GPP TS
session user ID should be terminated on log out. user ID shall be terminated on log out. Tampering of Body, 33.511-519
protection A permanently exposed session The network product shall be able to Data, Information Accredited 4.2.3.5.
increases the vulnerability of the system continue to operate without interactive Disclosure, Test Lab
as an entry point for unauthorized sessions. Operator Error
person. OAM user interactive session An OAM user interactive session shall be NAAx, Udx
should be terminated automatically after terminated automatically after a specified
a specified period of inactivity. It shall be period of inactivity. It shall be possible to
possible to configure an inactivity time- configure an inactivity time-out period
out period
Insufficient or improper monitoring mechanisms of gNB Components
lack of security lack of security events logged together gNB TS 33.117 / Security events shall be logged together Denial of Vendor, 3GPP TS
event logging with a unique system reference (e.g. 4.2.3.6.1 Security with a unique system reference (e.g. host Service, SECAM 33.117
host name, IP or MAC address) and the event logging name, IP or MAC address) and the exact Spoofing identity, Accreditation 3GPP TS
exact time the incident occurred do not time the incident occurred. For each Tampering of Body, 33.511-519
allow a correct and rapid audit in case of security event, the log entry shall include Data, Information Accredited 4.2.3.6.1
security incident occurrence. Security user name and/or timestamp and/or Disclosure, Test Lab
restauration is delayed. performed action and/or result and/or Operator Error
length of session and/or values NAAx, Udx
exceeded and/or value reached.
IETF RFC 3871, section 2.11.10
specifies the minimum set of security
events.
Vulnerabilities in Operating Systems supporting gNB Components
Improper / Security event logs should be forwarded gNB TS 33.117 / Log functions should upload securely of Denial of Vendor, 3GPP TS
missing or uploaded to a central location or 4.2.3.6.2 Log log files to a central location or to an Service, SECAM 33.117
controls for external systems. Security event log files transfer to external system for the Network Product Spoofing identity, Accreditation 3GPP TS
protection of shall be protected in storage and centralized storage that is logging. Secure transport Tampering of Body, 33.511-519
security event transfer states, too. Availability and TS 33.117 / protocols shall be used. Data, Information Accredited 4.2.3.6.2
log files integrity of security event log files could 4.2.3.6.3 Protection The security event log shall be access Disclosure, Test Lab 4.2.3.6.3
conduct to delays, wrong audit results, of security event log controlled (file access rights) so only Operator Error
delays in security restauration, threats files privileged users have access to the log NAAx, Udx
persistence. files.
178
December 2020
Associated
Category
Improper Growing or dynamic content (e.g. log gNB TS 33.117 / Growing or dynamic content (e.g. log Denial of service Vendor, 3GPP TS
handling of files, uploads) could influence system 4.2.4.1.1.1 Handling files, uploads) shall not influence system attacks, SECAM 33.117
growing content functions. A file system that reaches its of growing content functions. A file system that reaches its equipment / Accreditation 3GPP TS
by file system maximum capacity could stop a system maximum capacity shall not stop a software errors, Body, 33.511-519
from operating properly. system from operating properly. growing dynamic Accredited 4.2.4.1.1.1
Therefore, countermeasures shall be content Test Lab
taken such as usage of dedicated NAA5, UD5, FM5
filesystems, separated from main system
functions, or quotas, or at least a file
system monitoring to ensure that this
scenario is avoided.
Processing of Processing of ICMPv4 and ICMPv6 gNB TS 33.117 / Processing of ICMPv4 and ICMPv6 Denial of service Vendor, 3GPP TS
ICMP packets packets which are not required for 4.2.4.1.1.2 packets which are not required for attacks, SECAM 33.117
not required for operation shall be disabled on the Processing of operation shall be disabled on the equipment / Accreditation 3GPP TS
operation network product. In particular, there are ICMPv4 and network product. In particular, there are software errors, Body, 33.511-519
certain types of ICMP4 and ICMPv6 that ICMPv6 packets certain types of ICMP4 and ICMPv6 that misconfigurations Accredited 4.2.4.1.1.2
are not used in most networks, but TS 33.511 / are not used in most networks, but NAA5, UD5, FM5 Test Lab
represent a risk. 4.2.4.1.1.2 represent a risk. Permitted, forbidden
Processing of and optional ICMP packets are detailed
ICMPv4 and in TS 33.117 clause 4.2.4.1.1.2, with the
ICMPv6 packets specific additions in TS 33.511: Echo
Reply can be sent by default and, in case
of remote base station auto deployment,
Router Advertisement can be processed
Processing of IP IP packets with unnecessary options or gNB TS 33.117 / IP packets with unnecessary options or Denial of Vendor, 3GPP TS
packets with extension headers could be used by 4.2.4.1.1.2 extension headers shall not be Service, SECAM 33.117
unnecessary attackers to get unauthorized access to Processing of processed. IP options and extension Spoofing identity, Accreditation 3GPP TS
options or system resources. ICMPv4 and headers (e.g. source routing) are only Tampering of Body, 33.511-519
extensions ICMPv6 packets required in exceptional cases. So, all Data, Information Accredited 4.2.4.1.1.3
packets with enabled IP options or Disclosure Test Lab
extension headers shall be filtered. NAAx
Privilege Authenticated Privilege Escalation gNB TS 33.117 / There shall not be a privilege escalation Privilege Vendor, 3GPP TS
Escalation allowed without re-authentication could 4.2.4.1.2.1 method in interactive sessions (CLI or escalation SECAM 33.117
allowed without permit to an authorized user to gain Authenticated GUI) which allows a user to gain NAA3 Accreditation 3GPP TS
re- unallocated higher rights to resources, Privilege Escalation administrator/root privileges from another Body, 33.511-519
authentication violating security policy only user account without re-authentication. Accredited 4.2.4.1.2.1
Implementation example: Disable Test Lab
insecure privilege escalation methods so
that users are required to (re-)login
directly into the account with the required
permissions.
179
December 2020
Associated
Category
Recurrent UIDs Each system account in UNIX shall have gNB TS 33.117 / Each system account in UNIX shall have Authorisation Vendor, 3GPP TS
for UNIX System a unique UID, to provide for system 4.2.4.2.2 System a unique UID. The term 'UNIX' includes attacks SECAM 33.117
accounts account accountability account all major derivatives, including Linux. NAA3 Accreditation 3GPP TS
identification Body, 33.511-519
Accredited 4.2.4.2.2
Test Lab
Vulnerabilities in Web Servers supporting gNB Components
Unsecure Https The communication between Web client gNB TS 33.117 / 4.2.5.1 The communication between Web client Spoofing identity, Vendor, 3GPP TS
connection to and Web server shall be protected using HTTPS and Web server shall be protected using Tampering of SECAM 33.117
web servers TLS. TLS profile should be defined in TLS. Cipher suites with NULL encryption Data, Information Accreditation 3GPP TS
compliance Annex E of TS 33.310, with shall not be supported Disclosure Body, 33.511-519
the following additional requirement: NAA2, NAA3, Accredited 4.2.5.1
cipher suites with NULL encryption shall NAA4, EIH4 Test Lab
not be supported
Lack of / When logging information lacks gNB TS 33.117 / 4.2.5.2 Access to the webserver shall be logged. Denial of Vendor, 3GPP TS
improper completeness, integrity or timeliness it is Webserver logging The web server log shall contain the Service, SECAM 33.117
logging of impossible to detect, analyse and following information: Access timestamp / Spoofing identity, Accreditation 3GPP TS
access to the respond to system faults and relevant Source (IP address) / (Optional) Account Tampering of Body, 33.511-519
webserver security events. (if known) / (Optional) Attempted login Data, Information Accredited 4.2.5.2
name (if the associated account does not Disclosure Test Lab
exist) / Relevant fields in http request. NAAx
The URL should be included whenever
possible / Status code of web server
response
Lack of / Improper session protection gNB TS 33.117 / 4.2.5.3 To protect user sessions the Network Session hijacking Vendor, 3GPP TS
improper http mechanisms may lead to session HTTP User Product shall support comprehensive NAA3 SECAM 33.117
user session hijacking, disclosure of confidential sessions session ID and session cookie protection Accreditation 3GPP TS
protection information, including authentication mechanisms Body, 33.511-519
attributes Accredited 4.2.5.3
Test Lab
Improper The Network Product shall have a gNB TS 33.117 / 4.2.5.4 The Network Product shall validate, filter, Injection, cross- Vendor, 3GPP TS
validation of mechanism in place to ensure that web HTTP input escape, and encode user-controllable site scripting SECAM 33.117
HTTP input application inputs are not vulnerable to validation input before it is placed in output that is NAA3 Accreditation 3GPP TS
command injection or cross-site scripting used as a web page that is served to Body, 33.511-519
attacks. other users. Accredited 4.2.5.4
Test Lab
180
December 2020
Associated
Category
Vulnerabilities of network devices running gNB Components
Lack of packet Lack of, or improper mechanisms to filter gNB TS 33.117 / The Network Product shall provide a Denial of service, Vendor, 3GPP TS
filtering incoming IP packets on any IP interface 4.2.6.2.1 Packet mechanism to filter incoming IP packets packet flooding SECAM 33.117
functionality according to defined and manageable filtering on any IP interface, as defined in RFC NAA5, FM5 Accreditation 3GPP TS
rules leaves the network device 3871 and TS 33.117 clause 4.2.6.2.1 Body, 33.511-519
vulnerable to denial-of-service attacks, Accredited 4.2.6.2.1
service degradation or attack aimed at Test Lab
leading the device to an exception state.
Lack of If a network device does not have the gNB TS 33.117 / All incoming packets, from other network Malware, denial- Vendor, 3GPP TS
robustness capability to detect and drop by 4.2.6.2.2 Interface element, that are manipulated or differing of-service, SECAM 33.117
against incoming packets, from other network robustness the norm shall be detected as invalid and packet flood Accreditation 3GPP TS
unexpected element, that are manipulated or requirements be discarded. The process shall not be NAA5, FM5 Body, 33.511-519
input differing the norm, it can lead to an affecting the performance of the network Accredited 4.2.6.2.2
impairment of availability. device. This robustness shall be just as Test Lab
effective for a great mass of invalid
packets as for individual or a small
number of packets.
Improper or In the absence of effective GTP-U gNB TS 33.117 / For each message of a GTP-U-based Authorisation Vendor, 3GPP TS
absent GTPU filtering mechanisms, the network is 4.2.6.2.4 GTP-U protocol, it shall be possible to check attacks, man-in- SECAM 33.117
Filtering exposed to malformed GTP packets, Filtering whether the sender of this message is the-middle Accreditation 3GPP TS
denial of service attacks, and out-of- authorized to send a message pertaining attacks Body, 33.511-519
state GTP messages, and also vectors to this protocol. NAA2, NAA3, Accredited 4.2.6.2.4
such as spoofed IP packets. NAA4 Test Lab
Improper hardening of gNB Components
Unnecessary or Should the network product run protocol gNB TS 33.117 / 4.3.2.1 The network product shall only run Denial of Vendor, 3GPP TS
insecure handlers and services which are not No unnecessary or protocol handlers and services which are Service, SECAM 33.117
services / needed for its operation, or which have insecure services / needed for its operation, and which do Spoofing identity, Accreditation 3GPP TS
protocols known security vulnerabilities, they may protocols not have any known security Tampering of Body, 33.511-519
be manipulated to gain unauthorized vulnerabilities. Data, Information Accredited 4.3.2.1
access to the system, impair its Disclosure, Test Lab
availability or other forms of Software errors
manipulation. NAAx, FMx
181
December 2020
Associated
Category
Unrestricted The network product shall restrict the gNB TS 33.117 / 4.3.2.2 The network product shall restrict the Denial of Vendor, 3GPP TS
reachability of reachability of services so that they can Restricted reachability of services so that they can Service, SECAM 33.117
services only be reached on interfaces where reachability of only be reached on interfaces where their Spoofing identity, Accreditation 3GPP TS
their usage is required. The absence of services usage is required. On interfaces were Tampering of Body, 33.511-519
appropriate mechanisms expose the services are active, the reachability Data, Information Accredited 4.3.2.2
services to risk of exploitation of known should be limited to legitimate Disclosure Test Lab
or unknown vulnerabilities by malicious communication peers. This limitation NAAx
parties or technical faults. shall be realized on the network product
itself (without measures (e.g. firewall) at
network side) according to the
requirement detailed in clause 4.2.6.2.1
Packet Filtering.
Unused Unused software components or parts of gNB TS 33.117 / 4.3.2.3 Unused software components or parts of Denial of Vendor, 3GPP TS
software software which are not needed for No unused software software which are not needed for Service, SECAM 33.117
components operation or functionality of the network operation or functionality of the network Spoofing identity, Accreditation 3GPP TS
product create an unnecessary attack product shall not be installed or shall be Tampering of Body, 33.511-519
surface. Such unused software deleted after installation. This includes Data, Information Accredited 4.3.2.3
components have a high susceptibility of also parts of a software, which will be Disclosure Test Lab
falling outside patching and vulnerability installed as examples but typically not be NAAx
management processes and therefore used (e.g. default web pages, example
are increasingly exposed to malicious databases, test data).
attacks and technical faults.
Unused During installation of software and gNB TS 33.117 / 4.3.2.4 During installation of software and Denial of Vendor, 3GPP TS
software or hardware functions that are not required No unused hardware often functions will be activated Service, SECAM 33.117
hardware for operation or function of the system functions that are not required for operation or Spoofing identity, Accreditation 3GPP TS
functions will be often activated. Such hardware function of the system. If unused Tampering of Body, 33.511-519
and software functions increase the IT functions of software cannot be deleted Data, Information Accredited 4.3.2.4
attack surface and their exposure is or deinstalled individually, such functions Disclosure Test Lab
increased by their susceptibility of falling shall be deactivated in the configuration NAAx
outside access control policies. of the network product permanently.
Also, hardware functions which are not
required for operation or function of the
system (e.g. unused interfaces) shall be
permanently deactivated. Permanently
means that they shall not be reactivated
again after network product reboot.
182
December 2020
Associated
Category
Unsupported Unsupported components incur a high gNB TS 33.117 / 4.3.2.5 The network product shall not contain Denial of Vendor, 3GPP TS
components risk of unmitigated vulnerabilities that No unsupported software and hardware components that Service, SECAM 33.117
can be exploited by malicious actors or components are no longer supported by their vendor, Spoofing identity, Accreditation 3GPP TS
technical faults. producer or developer, such as Tampering of Body, 33.511-519
components that have reached end-of- Data, Information Accredited 4.3.2.5
life or end-of-support. Excluded are Disclosure, Test Lab
components that have a special support Component
contract. This contract shall guarantee malfunctions
the correction of vulnerabilities over NAAx, FMx
components' lifetime.
Remote login of Unrestricted remote login for privileged gNB TS 33.117 / 4.3.2.6 Description: Direct login as root or Authorisation Vendor, 3GPP TS
privileged users users expose the network element to Remote login equivalent highest privileged user shall attacks, elevation SECAM 33.117
increased risk of unauthorized access restrictions for be limited to the system console only. of privilege Accreditation 3GPP TS
and manipulation. privileged users Root user will not be allowed to login to NAAx Body, 33.511-519
the system remotely. Accredited 4.3.2.6
Test Lab
Excessive file In the presence of excessive file system gNB TS 33.117 / 4.3.2.7 The system shall be designed to ensure Unauthorised / Vendor, 3GPP TS
system authorisation privileges, application and file system that only users that are authorized to erroneous data SECAM 33.117
Authorisation configuration data is exposed to risks of Authorisation modify files, data, directories or file element Accreditation 3GPP TS
privileges unauthorised disclosure, tampering, or privileges systems have the necessary privileges to modification / Body, 33.511-519
destruction. do so. deletion Accredited 4.3.2.7
NAA1, NAA2, Test Lab
NAA3, UD1, UD2
Lack of IP address spoofing involving the use of gNB TS 33.117 / Systems shall not process IP packets if Packet flood Vendor, 3GPP TS
protection a trusted IP address can be used by 4.3.3.1.1 IP-Source their source address is not reachable via NAA5 SECAM 33.117
against IP- network intruders to overcome network address spoofing the incoming interface. Accreditation 3GPP TS
Source address security measures, such as mitigation Body, 33.511-519
spoofing authentication based on IP addresses. Accredited 4.3.3.1.1
IP address spoofing is most frequently Test Lab
used in denial-of-service attacks, where
the objective is to flood the target with
an overwhelming volume of traffic, and
the attacker does not care about
receiving responses to the attack
packets.
183
December 2020
Associated
Category
Unneeded Kernel based network functions not gNB TS 33.117 / Kernel based network functions not Exploitation of Vendor, 3GPP TS
kernel network needed for the operation of the network 4.3.3.1.2 Minimized needed for the operation of the network vulnerable kernel SECAM 33.117
functions element offer an unnecessary attack kernel network element shall be deactivated functions Accreditation 3GPP TS
surface. Particularly vulnerable services functions NAAx Body, 33.511-519
are: IP Packet Forwarding between Accredited 4.3.3.1.2
different interfaces of the same Test Lab
equipment, Proxy ARP (resource
exhaustion attacks and man-in-the-
middle attacks), Directed broadcast
(Smurf, Denial of Service attack), IPv4
Multicast handling (smurf and fraggle
attacks), gratuitous ARP messages
(ARP Cache Poisoning attack)
automatic Automatic launch of removable media gNB TS 33.117 / The network product shall not Malware, Vendor, 3GPP TS
launch of provides a potential vector for 4.3.3.1.3 No automatically launch any application bypassing of SECAM 33.117
removable unauthorized or malicious payloads automatic launch of when removable media device such as security controls, Accreditation 3GPP TS
media removable media CD-, DVD-, USB-Sticks or USB-Storage running Body, 33.511-519
drive is connected. If the operating unauthorised Accredited 4.3.3.1.3
system supports an automatic launch, it operating system Test Lab
shall be deactivated unless it is required NAAx
to support availability requirements.
No SYN Flood A SYN flood is a form of denial-of- gNB TS 33.117 / The network product shall support a Syn Flood Vendor, 3GPP TS
Prevention service attack in which an attacker 4.3.3.1.4 SYN mechanism to prevent Syn Flood attacks attacks SECAM 33.117
sends a succession of SYN requests to Flood Prevention ; (e.g. implement the TCP Syn Cookie NAA5 Accreditation 3GPP TS
a target's system in an attempt to RFC 4987 technique in the TCP stack by setting Body, 33.511-519
consume enough server resources to net.ipv4.tcp_syncookies = 1 in the linux Accredited 4.3.3.1.4
make the system unresponsive to sysctl.conf file). This feature shall be Test Lab
legitimate traffic enabled by default.
184
December 2020
Associated
Category
No protection Exploiting the behaviour of a buffer gNB TS 33.117 / The system shall support mechanisms Buffer overflow Vendor, 3GPP TS
against buffer overflow is a well-known security exploit. 4.3.3.1.5 Protection for buffer overflow protection. attacks SECAM 33.117
overflows By sending in data designed to cause a from buffer Documentation which describes these NAA2, NAA3 Accreditation 3GPP TS
buffer overflow, it is possible to write into overflows buffer overflow mechanisms and also Body, 33.511-519
memory areas known to hold executable how to check that they have been Accredited 4.3.3.1.5
code and replace it with malicious code, enabled and/or implemented shall be Test Lab
or to selectively overwrite data provided.
pertaining to the program's state,
therefore causing behaviour that was not
intended by the original programmer.
Buffers are widespread in operating
system (OS) code, so it is possible to
make attacks that perform privilege
escalation and gain unlimited access to
the computer's resources.
No/improper In the absence of effective external file gNB TS 33.117 / If normal users are allowed to mount Malware, Vendor, 3GPP TS
external file systems mount restrictions, the system 4.3.3.1.6 External external file systems (attached locally or bypassing of SECAM 33.117
system mount is exposed to privilege escalation and file system mount via the network), OS-level restrictions security controls, Accreditation 3GPP TS
restrictions excessive access permissions due to restrictions shall be set properly in order to prevent unauthorised Body, 33.511-519
the contents of the mounted file privilege escalation or extended access operating system Accredited 4.3.3.1.6
systems. permissions due to the contents of the NAAx Test Lab
mounted file systems.
Directory Web servers can be configured to gNB TS 33.117 / Directory listings (indexing) / "Directory Scanning of Vendor, 3GPP TS
listings automatically list the contents of 4.3.4.10 No browsing" shall be deactivated. vulnerable SECAM 33.117
directories that do not have an index directory listings resources Accreditation 3GPP TS
page present. This can aid an attacker NAA4 Body, 33.511-519
by enabling them to quickly identify the Accredited 4.3.4.10
resources at a given path, and proceed Test Lab
directly to analysing and attacking those
resources. It particularly increases the
exposure of sensitive files within the
directory that are not intended to be
accessible to users, such as temporary
files and crash dumps.
Web server The HTTP headers sent by the remote gNB TS 33.117 / The HTTP header shall not include Exploitation of Vendor, 3GPP TS
information in web server disclose information that can 4.3.4.11 Web information on the version of the web vulnerable SECAM 33.117
HTTP headers aid an attacker, such as the server server information server and the modules/add-ons used. components Accreditation 3GPP TS
version and languages used by the web in HTTP headers NAAx Body, 33.511-519
server. Accredited 4.3.4.11
Test Lab
185
December 2020
Associated
Category
Web server The error page sent by the web server gNB TS 33.117 / User-defined error pages shall not Exploitation of Vendor, 3GPP TS
information in discloses information that can aid an 4.3.4.12 Web include version information about the vulnerable SECAM 33.117
error pages attacker, such as the server version, server information web server and the modules/add-ons components Accreditation 3GPP TS
modules/add-ons used or information in error pages used. Error messages shall not include NAAx Body, 33.511-519
revealing inner workings such as internal internal information such as internal Accredited 4.3.4.12
server names, error codes, etc. server names, error codes, etc. Default Test Lab
error pages of the web server shall be
replaced by error pages defined by the
vendor.
Unused file Unused File type- or script-mappings gNB TS 33.117 / File type- or script-mappings that are not Code injection Vendor, 3GPP TS
type- or script- can be used in attacks based on delivery 4.3.4.13 Minimized required shall be deleted, e.g. php, NAAx SECAM 33.117
mappings of malicious payloads, such as code- file type mappings phtml, js, sh, csh, bin, exe, pl, vbe, vbs Accreditation 3GPP TS
injection attacks. Body, 33.511-519
Accredited 4.3.4.13
Test Lab
Unrestricted Improperly restricted file access rights gNB TS 33.117 / Restrictive access rights shall be Direct access to Vendor, 3GPP TS
access to files may lead to unauthorized delivery of 4.3.4.14 Restricted assigned to all files which are directly or restricted data SECAM 33.117
files which are not meant to be file access indirectly (e.g. via links or in virtual from public Accreditation 3GPP TS
delivered, and to path traversal attacks. directories) in the web server's document domain Body, 33.511-519
directory. In particular, the web server NAA4 Accredited 4.3.4.14
shall not be able to access files which Test Lab
are not meant to be delivered.
Execution rights Improper restriction of execute rights gNB TS 33.117 / If CGI or other scripting technology is Code injection Vendor, 3GPP TS
outside may lead to Remote Command 4.3.4.15 Execute used, only the CGI/Scripting directory is NAAx SECAM 33.117
CGI/Scripting Execution by unauthorized delivery of rights exclusive for configured with execute rights. Other Accreditation 3GPP TS
directory malicious payload through various CGI/Scripting directories used or meant for web Body, 33.511-519
vectors. directory content do not have execute rights Accredited 4.3.4.15
Test Lab
System If the web server runs under privileged gNB TS 33.117 /4.3.4.2 No web server processes shall run with Elevation of Vendor, 3GPP TS
privileges for accounts, web server compromise No system system privileges. This is best achieved if privileges SECAM 33.117
web server caused by malicious action or technical privileges for web the web server runs under an account NAA2, NAA3, Accreditation 3GPP TS
processes fault has an increased chance to server that has minimum privileges. If a process NAA4 Body, 33.511-519
compromise the host operating system's is started by a user with system Accredited 4.3.4.2
integrity and availability. privileges, execution shall be transferred Test Lab
to a different user without system
privileges after the start.
186
December 2020
Associated
Category
Active and Unused http methods provide an gNB TS 33.117 / 4.3.4.3 HTTP methods that are not required shall Abuse of unused Vendor, 3GPP TS
unused HTTP unnecessary attack surface that can No unused HTTP be deactivated. Standard requests to vulnerable SECAM 33.117
methods lead to security compromise of the methods web servers only use GET, HEAD, and methods Accreditation 3GPP TS
system POST. If other methods are required, NAA2, NAA3, Body, 33.511-519
they shall not introduce security leaks NAA4 Accredited 4.3.4.3
such as TRACK or TRACE. Test Lab
Unused web Unused server add-ons provide an gNB TS 33.117 / 4.3.4.4 All optional add-ons and components of Code injection Vendor, 3GPP TS
server add-ons unnecessary attack surface that can No unused add-ons the web server shall be deactivated if NAA2, NAA3, SECAM 33.117
lead to security compromise of the they are not required. In particular, CGI NAA4 Accreditation 3GPP TS
system or other scripting components, Server Body, 33.511-519
Side Includes (SSI), and WebDAV shall Accredited 4.3.4.4
be deactivated if they are not required. Test Lab
Access to CGI and other server-side scripting gNB TS 33.117 / 4.3.4.5 If CGI (Common Gateway Interface) or Code injection Vendor, 3GPP TS
compiler, specifications provide opportunities to No compiler, other scripting technology is used, the NAA2, NAA3, SECAM 33.117
interpreter, or read files, acquire shell access, and interpreter, or shell CGI directory - or other corresponding NAA4 Accreditation 3GPP TS
shell via CGI or corrupt file systems on server machines via CGI or other scripting directory - shall not include Body, 33.511-519
other server- and their attached hosts. Means of server-side scripting compilers or interpreters (e.g. PERL Accredited 4.3.4.5
side scripting gaining access include: exploiting interpreter, PHP interpreter/compiler, Tcl Test Lab
assumptions of the script, exploiting interpreter/compiler or operating system
weaknesses in the server environment, shells).
and exploiting weaknesses in other
programs and system calls. Presence in
the scripting directory of compilers,
interpreters or operating system shells
renders the system particularly
vulnerable.
Common In upload is permitted in the gNB TS 33.117 / 4.3.4.6 If CGI or other scripting technology is Code injection Vendor, 3GPP TS
directory for CGI/Scripting, the system is vulnerable No CGI or other used, the associated CGI/script directory NAA2, NAA3, SECAM 33.117
uploads and to code injection / shell upload attacks. scripting for uploads shall not be used for uploads. NAA4 Accreditation 3GPP TS
CGI/Scripting Body, 33.511-519
Accredited 4.3.4.6
Test Lab
187
December 2020
Associated
Category
Execution of SSIs are directives present on Web gNB TS 33.117 / 4.3.4.7 If Server Side Includes (SSI) is active, Code injection Vendor, 3GPP TS
system applications used to feed an HTML page No execution of the execution of system commands shall NAA2, NAA3, SECAM 33.117
commands with with dynamic contents. The Server-Side system commands be deactivated. NAA4 Accreditation 3GPP TS
server side Includes attack allows the exploitation of with SSI Body, 33.511-519
includes (SSI) a web application by injecting scripts in Accredited 4.3.4.7
HTML pages or executing arbitrary Test Lab
codes remotely. It can be exploited
through manipulation of SSI in use in the
application or force its use through user
input fields.
Excessive / Improper setting of access rights for web gNB TS 33.117 / 4.3.4.8 Access rights for web server Manipulation of Vendor, 3GPP TS
improper server configuration files may lead to Access rights for configuration files shall only be granted server SECAM 33.117
access rights unauthorized disclosure or modification web server to the owner of the web server process configuration Accreditation 3GPP TS
for web server of configuration information. configuration or to a user with system privileges. files Body, 33.511-519
configuration Implementation example: Delete "read" NAA2, NAA3 Accredited 4.3.4.8
files and "write" access rights for "others." Test Lab
Only grant "write" access to the user who
configures the web server
Presence of Presence of default content may gNB TS 33.117 / 4.3.4.9 Default content (examples, help files, Abuse of Vendor, 3GPP TS
default content disclose information on the web server No default content documentation, aliases) that is provided vulnerable SECAM 33.117
version, add-ons and configuration or with the standard installation of the web content, collection Accreditation 3GPP TS
information/file structure, and thus server shall be removed. of system Body, 33.511-519
facilitate information gathering for a information Accredited 4.3.4.9
malicious party. Also, default content (NAA2, NAA3, Test Lab
may include known vulnerabilities (such NAA4)
as the case of IIS Default Page).
Inadequate Unsegregated traffic belonging to gNB TS 33.117 / 4.3.5.1 The network product shall support Lateral movement, Vendor, 3GPP TS
traffic separation different planes (data, control, Traffic Separation physical or logical separation of traffic elevation of SECAM 33.117
of traffic management) increases the risk that RFC 3871 / 2.3.5. belonging to different network domains. privileges, Accreditation 3GPP TS
belonging to unauthorized individuals will be able to Support Separate For example, O&M traffic and control eavesdropping Body, 33.511-519
different network observe management traffic and/or Management Plane plane traffic belong to different network NAA2, NAA3, Accredited 4.3.5.1
domains compromise the device. IP Interfaces domains. See RFC 3871 [3] for further NAA4, EIH4 Test Lab
information.
188
December 2020
F ANNEX: DETAILED VULNERABILITIES IN

NETWORK FUNCTION VIRTUALIZATION – MANO
Associated
Name of Security Security Requirements /Description of Threats (Threat
Description Assets Stakeholder Source Ref
Vulnerability Controls security controls Taxonomy)
Category
Service-Based Vulnerabilities of NFV components
Improper The transmitter of a message should NFV MANO Message Detection of any changes, deletions, Abuse and MNO ETSI GS
message and provide means to allow for the integrity checks insertions or replays. modification of NFV-SEC 014
session determination whether any modification, sessions and /6
integrity deletion, insertion, or replay has messages
checks on occurred. The receiver should have (NAA2, NAA5)
internal corresponding verification mechanisms.
interfaces Lack of or improper such measures
facilitate abuse and modification of
sessions and messages.
Improper Lack of appropriate confidentiality NFV MANO, Use of secure Provide confidentiality of internal transfers Data leakage MNO ETSI GS
confidentiality protection of data transferred over any VNF communication using an encrypted mode of well-known (NAA4, EIH4) NFV-SEC 014
protection of internal interface of MANO. protocols network protocols. /5
data
transferred
over internal
interfaces to
MANO
Improper API TLS not implemented for API Os-Ma-nfvo Secure API The confidentiality and data integrity of all Unauthorized MNO ETSI GS
Access communication, or implementation messages shall be ensured by using TLS on access (NAAx) NFV-SEC 022
implementation shortcomings such as lack of TLS-based each interface. /4
authentication: client and authorisation The client and authorisation servers shall
servers are not mutually authenticated or mutually authenticate.
client does not authenticate the resource The client shall authenticate the resource
server. server.
189
December 2020
Associated
Category
Use of legacy Vulnerabilities of a PNF could be used Control Enforce security The 5GC should be configured so that NFs Attackers using MNO 3GPP TR
PNF as a starting point for an attack against plane policies to can only communicate with NFs which they insecure 33.848 / 5.17
VNFs, potentially taking advantage of protect mixed are specifically authorised to communicate interfaces as
legacy security used by PNFs and not PNF-VNF with. injection points
provided by the virtualisation layer. deployments and for reverse
attack. (NAAx)
Improper If an internal interface allows any actions NFV MANO Identity Successful identification and verification of Abuse of VIM or MNO ETSI GS
verification of from received data without successfully validation the identity and location of the transmitting VNFM functions NFV-SEC 014
identity and identifying and verifying the identity and party by unauthorized /6
location of location of the transmitting party, it parties (NAAx)
transmitting enables masquerading of the
party on Orchestrator and other forms of privilege
internal escalation that in turn can lead to abuse
interfaces of VIM or VNFM functions by
unauthorized parties.
Improper protection of Data and Information of NFV components
Inability to Poor monitoring of stored images to VIM VIM shall The VIM shall monitor stored images to Unauthorized MNO ETSI GS
provide proof determine if any unauthorized monitor stored determine if any unauthorized modification, modification, NFV-SEC 014
of integrity of modification, deletion or insertion has images deletion or insertion has occurred deletion or / 5.2-c.1.1.4
the data stores occurred renders VIM unable to ensure insertion of the
used for VM integrity of VM images and of data data stores
images transfers. used for VM
images (NAAx)
Lack of An attacker could read data in transit if Control Encrypt control All control plane data in transit between An attacker MNO 3GPP TR
encryption of control plane data in transit between plane plane data hosts should be sent over an encrypted and could read data 33.848 / 5.15
control plane hosts is not sent over an encrypted and authenticated channel using non-proprietary in transit.
data authenticated channel. protocols. (NAA4, EIH4)
190
December 2020
Associated
Category
Improper hardening of NFV components
Improper patch Once identified, vulnerabilities in VNF System patching Regular and effective patch management Malware MNO ETSI GS
management software can be fixed through security program Denial of NFV-SEC 001
patches whereas hardware service / 7.2.2
vulnerabilities are much more costly to Unauthorized
fix. Security patches may require a access (NAAx,
reboot and could cause service FMx)
disruption, particularly if many
commodity servers have to be rebooted
over a short period. Security patches are
not always in time. Failure to apply
necessary patches leave the systems
open to exploitation of known
vulnerabilities.
Mis- Complexity brought by virtualisation VNF Hardening Careful planning, detailed documentation, Human error MNO ETSI GS
configuration increases probability for errors and standards and configuration review, testing before (UDx) NFV-SEC 001
misconfiguration remaining undetected. procedures production, periodic security configuration / 7.1
Accidental misconfigurations or failure to checks
follow security standards and practices
can cause service problems directly, or
leave open unintended vulnerabilities,
which will cause service problems if
exploited.
No mechanism The MANO system should allow NFV MANO Implementing Attribute-based access control and attribute- Unknown MNO ETSI GS
to enforce geo- instantiation of MANO components and mechanisms to based or multi-factor authentication - where geographic NFV-SEC 014
restrictions managed entities, the NFVIs, only at allow geolocation is one of the attributes or jurisdiction (e.g. /6
explicit geographic locations. Failure to restrictions behavioural factors for legal and
do so may leave the system vulnerable policy
to legal and licensing risks. compliance)
(LEG)
Time The VNFs must synchronize with trusted VNF The system The VNFs shall synchronize with trusted time Time MNO 3GPP TR
Manipulation time servers. Failure to do so, leaves the should provide a servers. manipulation 33.848 / 5.20
system vulnerable to an attack that protected and attacks. (NAAx)
manipulates the network timing source trusted network
or VNF clock, thus causing the network time source
to be compromised.
191
December 2020
Associated
Category
Virtualisation platform vulnerabilities
Inadequate Administrative models that enable an Virtualised Hardening of Granting access based on the "lowest Human error MNO ETSI GS
access admin/root/super user account type has Resources virtualized privilege" principle (NAAx) NFV-SEC 003
privileges in full access to system resources allow environments / 4.4.2.1.2
virtualized visibility and modification of
environments cryptographic keys, passwords in
memory, configuration files, intellectual
property and other resources within the
NFV.
The hypervisor is fully aware of the
current state of each guest OS it
controls. Hypervisor introspection can
enable the ability to view, inject, and/or
modify operational state information
associated with NFV through direct or
indirect methods. Access to state
information can result in the ability to
arbitrarily read and/or write the contents
of memory, storage, key storage and
other NFV operational aspects.
Improper key The host system shall provide NSM Core HBRT The host system shall implement a key Manipulation of MNO, Vendor ETSI GS
management cryptographically separated secure hardware management system which includes key VNFs (NAAx) NFV-SEC 012
system environments to different applications. In requirements generation, key storage, key deletion and / 5.1.2
the absence of these conditions, the cryptographic processing.
virtualised environment can be abused
to compromise sensitive functions from
less protected ones.
Lack of a A Hardware-Based Root of Trust NFVI Core HBRT The host system shall implement a Manipulation of MNO, Vendor ETSI GS
proper (HBRT) should act as Initial Root of hardware Hardware-Based Root of Trust (HBRT) VNFs (NAAx) NFV-SEC 012
mechanism for Trust to ensure a safe environment for requirements based on core hardware requirements / 5.1.1
ensuring a running sensitive virtualised
Hardware- components.
Based Root of
Trust (HBRT)
192
December 2020
Associated
Category
Software The risks from software vulnerabilities VNF Vulnerability Regular and effective vulnerability Malware MNO ETSI GS
Vulnerabilities could be higher with NFV than with assessment management program Denial of NFV-SEC 001
in NFV traditional bespoke appliances because service / 7.2.2
implementation VNFs are expected to run on commodity Unauthorized
software and hardware and because access (NAAx,
NFV is built on cloud technology with UDx, FMx)
standard security level.
Virtualisation technology will need to be
re-assessed before it can be considered
suitable for protecting critical network
infrastructure.
Vulnerable mechanisms for authentication and authorisation of NFV components
Improper VNF Improper procedures for signing and VNF Cryptographic Verification of VNF Package during Manipulation of MNO ETSI GS
on-boarding management of associated Manager signature of VNF instantiation; Handling of confidentiality VNFs (NAA2) NFV-SEC 021
cryptographic key may enable Package protected of VNF Package during / 5.1
manipulation and integrity compromise instantiation
of VNF Packages.
Improper VNF Lack of or improper mechanisms to Ve-Vnfm-em Signature of Signing of VNF Package; Handling of Manipulation of MNO ETSI GS
instantiation prevent instantiation of VNF Packages Ve-Vnfm-vnf VNF Package confidentiality protected for VNF Package VNFs (NAA2) NFV-SEC 021
unless their signature is verified may during on-boarding / 5.2
enable manipulation and integrity
compromise of VN Functions
Improper Unauthenticated access to system NFV-MANO, System The usage of a system function without Denial of Vendor 3GPP TS
authentication functions of NFV Management and VSF, ISF, functions shall proper authentication on basis of the user Service, 33.117
policy Orchestration PSF, not be used identity and at least one authentication Spoofing 4.2.3.4.1.1
without proper attribute (e.g. password, certificate) shall be identity,
The usage of a system function without authentication prevented. System functions comprise, for Tampering of
successful authentication on basis of the and example network services (like SSH, SFTP, Data,
user identity and at least one authorisation. Web services), local access via a Information
authentication attribute (e.g. password, management console, local usage of Disclosure
certificate) opens the opportunity of operating system and applications. This (NAAx)
exploitation and limits accountability. requirement shall also be applied to accounts
This includes M2M communication. that are only used for communication
between systems.
193
December 2020
Associated
Category
Insecure / Failure to protect accounts by at least NFV-MANO, Secure The usage of a system function without Denial of Vendor 3GPP TS
insufficient one authentication attribute, active VSF, ISF, procedures for successful authentication on basis of the Service, 33.117
authentication predefined authentication attributes. PSF, authentication user identity and at least one authentication Spoofing 4.2.3.4.1.2,
attributes and attribute (e.g. password, certificate) shall be identity, 4.2.3.4.2.1
Depending on information sensitivity, authorisation prevented. Tampering of 4.2.3.4.3.
different level of strong authentication The various user and machine accounts on a Data,
mechanisms are required. Fail to identify system shall be protected from misuse. To Information
the proper correspondence between this end, an authentication attribute is Disclosure
levels of protection and authentication typically used, which, when combined with (NAAx, Udx)
mechanisms implemented creates the the user name, enables unambiguous
possibility to allow unauthorized entities authentication and identification of the
to access unallocated resources. authorized user.
All predefined or default accounts and/or or
default authentication attributes shall be
deleted or disabled.
Insecure A password policy shall address the NFV-MANO, Password policy Password policy requirements include Denial of Vendor 3GPP TS
password password structure, password change, VSF, ISF, requirements regarding Password Service, 33.117
policy hiding password display capabilities, PSF, complexity, password change, Protection Spoofing 4.2.3.4.3.
consecutive failed login attempts. A against brute force and dictionary attacks, identity,
week password structure and/or a long hiding password display Tampering of
validity password period could lead to a Data,
successful brute force attack. Failure to Information
block consecutive failed login attempts Disclosure
may lead to password guess.
Insecure The network product management shall NFV-MANO, Protect Protect devices used for administration. Unauthorised Vendor 3GPP TS
authentication support mutual authentication VSF, ISF, management Reduce the exposure of management access at 33.117
mechanisms to mechanisms, the mutual authentication PSF, interfaces interfaces. system, theft of 4.2.3.4.4.1
management / mechanism can rely on the protocol Ensuring there's a trail of breadcrumbs. data
maintenance used for the interface itself or other
interfaces means.
Insecure The authorisations for accounts and NFV-MANO, Authorisation The authorisations for accounts and Denial of Vendor 3GPP TS
authorisation applications shall be reduced to the VSF, ISF, and access applications shall be reduced to the minimum Service, 33.117,
and access minimum required for the tasks they PSF, control required for the tasks they have to perform. Spoofing 4.2.3.4.6
control have to perform. Authorisations to a system shall be restricted identity,
mechanisms to a level in which a user can only access Tampering of
data and use functions that he needs in the Data,
course of his work. Information
Alongside access to data, execution of Disclosure,
applications and components shall also take Operator Error
place with rights that are as low as possible.
Applications should not be executed with
administrator or system rights.
194
December 2020
Associated
Category
Insufficient or improper monitoring mechanisms of NFV
Insufficient / Lack of security events logged together NFV-MANO, Security event Security events shall be logged together with Denial of Vendor 3GPP TS
inadequate with a unique system reference (e.g. NFVI logging a unique system reference (e.g. host name, Service, 33.117,
logging of host name, IP or MAC address) and the IP or MAC address) and the exact time the Spoofing 4.2.3.6.1
security events exact time the incident occurred do not incident occurred. For each security event, identity,
for MANO and allow a correct and rapid audit in case of the log entry shall include user name and/or Tampering of
NFVI security incident occurrence. timestamp and/or performed action and/or Data,
result and/or length of session and/or values Information
exceeded and/or value reached. Disclosure,
IETF RFC 3871, section 2.11.10 specifies Operator Error
the minimum set of security events.
Logs not Security event logs should be forwarded NFV-MANO, Transfer security Log functions should upload securely of log Denial of Vendor 3GPP TS
transferred to or uploaded to a central location or NFVI logs to a files to a central location or to an external Service, 33.117,
centralized external systems. Security event log files centralized system for the Network Product that is Spoofing 4.2.3.6.2
storage shall be protected in storage and storage logging. Secure transport protocols shall be identity, 4.2.3.6.3
transfer states, too. used. Tampering of
Data,
Information
Disclosure,
Operator Error
Improper Availability and integrity of security event NFV-MANO, Protection of The security event log shall be access Denial of Vendor 3GPP TS
protection of log files could conduct to delays, wrong NFVI security event controlled (file access rights) so only Service, 33.117,
security event audit results, delays in security log files privileged users have access to the log files. Spoofing
log files restauration, threats persistence. identity,
Tampering of
Data,
Information
Disclosure,
Operator Error
195
December 2020
G ANNEX: DETAILED VULNERABILITIES IN

SOFTWARE DEFINED NETWORKS
Associated Security
Category
Vulnerabilities in implementation of SDN functionalities
Improper Lack of functionality in the SDN control SDN Prevention of flow It is required to provide a functionality in Flow rules MNO, Vendor Rec. ITU-T
mechanisms layer to support preventing flow rules Controller rules confliction the SDN control layer to support confliction, Fake X.1038
for preventing confliction in order to avoid mandatory preventing flow rules confliction in order to flow rule (10/2016) /
flow rules network policies from being bypassed. avoid mandatory network policies from insertion (NAA2, R15
confliction being bypassed. UD2, FM2)
SBA/SBI vulnerabilities of SDN components
Insecure APIs Like any software, APIs can be Northbound Secure APIs Network providers should consider Interception, MNO ENISA Threat
compromised and data can be Interface, deploying encryption and authentication Eavesdrop, Landscape
intercepted. The 10 most known APIs Southbound techniques to all SDN APIs. Availability and Good
vulnerabilities are those presented by Interface, Attacks, TCP Practice
OWASP foundation in the "OWASP API Eastbound- Attack (NAAx) Guide for
Security Project". API exploitation may Westbound Software
relate to all the different types of APIs that Interface Defined
may be found in an SDN: Northbound API Networks/5G /
exploitation, Southbound API exploitation, 8.1
Eastbound-Westbound API exploitation.
Improper Inadequate security of configuration data SDN Data integrity Implement security mechanisms for Unauthorized MNO Rec. ITU-T
mechanisms (including security policies and QoS Controller integrity protection of configuration data access, Denial X.1038
to protect policies) while being transported from stored in the SDN controller and of service, (10/2016) / R-
integrity and SDN applications to the SDN controller configuration interfaces. eavesdropping, 18, R-22
confidentiality over the application-control interface. Holistic Support for Security policies Manipulation
of attacks. (NAAx,
configuration EIH4)
data
196
December 2020
Associated Security
Category
Vulnerable mechanisms for authentication and authorisation of SDN components
Improper Improper authentication and/or SDN Authentication and It is required to provide a functionality in Unauthorized MNO Rec. ITU-T
authentication authorisation mechanism for SDN Controller authorisation the SDN resource layer to authenticate access, Denial X.1038
and controller or defective implementations of the SDN controller. of service, (10/2016) / R-
authorisation these mechanisms, It is required to provide a functionality in eavesdropping, 10, R-11, R-
the SDN control layer to authenticate the repudiation 12, R-13, R-
SDN switch. attacks, 14
information
disclosure
(NAAx, EIH4)
Improper hardening of SDN components
Multiple An attacker may exploit vulnerabilities of SDN Operating system Disable unused services; close unused Spoofing MNO Rec. ITU-T
vulnerabilities the operating system such as default Controller hardening ports, activate firewall, update software (NAAx) X.1038
in operating passwords, back-door accounts, open package, monitor integrity of file system. (10/2016) / R-
system ports, unprotected services, unsecure 24
protocols.
Software SDN controllers operate as a software SDN Vulnerability Regular and effective vulnerability Authentication MNO Rec. ITU-T
vulnerabilities platform. Vulnerabilities of general Controller assessment management program and X.1038
software become vulnerabilities for the authorisation (10/2016) / R-
SDN controller. A software vulnerability is attacks, denial 25
a flaw, defect in software construction, of service,
weakness or even an error, which could eavesdropping,
be exploited by attackers to alter the repudiation
normal behaviour of the SDN network or attacks,
to reconfigure the whole network to make information
further attacks. disclosure
(NAAx, FMx)
Improper Improper mechanisms to manage SDN Cryptographic It is required to provide a functionality in Spoofing, MNO Rec. ITU-T
cryptographic cryptographic key, including use of weak Controller controls the SDN controller layer to perform Repudiation, X.1038
key algorithms, undermine trust in integrity key/certificate management. Information (10/2016)
management and confidentiality protection mechanisms Disclosure /R19
mechanisms (NAAx)
Lack of, or Lack of DoS mechanisms lays all SDN SDN DoS protection It is required to provide a functionality in DoS attacks MNO, Vendor Rec. ITU-T
improper DoS applications and resources potentially Controller mechanisms the SDN control layer to support anti-DoS (NAA5) X.1038
protection uncontrollable in case of an attack protection. (10/2016)
mechanisms /R16
197
December 2020
Associated Security
Category
Insufficient or improper monitoring mechanisms of SDN components
Improper log Improper monitoring may lead to attacks SDN Log and audit It is required to provide a functionality in Undetected MNO Rec. ITU-T
and audit or failures going undetected and therefore Controller management the SDN control layer to support log and nefarious X.1038
mechanisms not mitigated audit. activities (10/2016) /R-
Undetected 17
malware
Undetected
failures of
malfunctions
(NAAx, FMx)
Lack of, or Improper monitoring and management of SDN Hardware It is recommended to provide a Hardware MNO Rec. ITU-T
improper hardware resources may lead to the Controller monitoring functionality in the SDN control layer to failure (FMx) X.1038
hardware operator not being able to prevent or to mechanisms support hardware management to (10/2016)
monitoring mitigate hardware failures in a timely discover hardware failure automatically /R26
mechanisms manner. Hardware failures may in turn and recover from such a failure as soon
compromise network security or bring as possible.
down the SDN network.
Virtualisation vulnerabilities of relevant SDN components
Vulnerabilities SDN offers a high level of abstraction to SDN Application Sandboxing, application-Kernel isolation, Eavesdropping, Developers, ENISA Threat
in the programmers. When applications are Application, Isolation application permission policy enforcement Interception, Administrators, Landscape
virtualization developed caution is required to protect SDN Hijacking System and Good
layer the network operation against application Resources (NAAx, EIH4) configuration Practice
misbehaviour and bugs. Guide for
Software
Defined
Networks/5G /
8.1
Physical and environmental vulnerabilities of relevant SDN components
Data centre Many SDN systems are deployed within SDN Traffic encryption Encrypt the interconnection traffic Eavesdropping, Administrators, ENISA Threat
vulnerabilities data centres. Security vulnerabilities of Infrastructure between Data Centres. Interception, System Landscape
data centres should be considered. Data layer Hijacking configuration and Good
servers are using Data Centre (NAAx, EIH4) Practice
Interconnect (DCI) protocols, which may Guide for
lack authentication and encryption to Software
secure the packet contents. Defined
Networks/5G /
5.3
198
December 2020
H ANNEX: DETAILED VULNERABILITIES IN

MULTI-ACCESS EDGE COMPUTING
Associated Security Threats

Description Assets (Threat Stakeholder Source Ref
Vulnerability Controls security controls
Category Taxonomy)
Vulnerabilities in implementation of MEC security functionalities
Improper The mobile edge system shall allow the Application Collection of The mobile edge system shall allow the "Unauthorised MNO, Edge ETSI GS MEC
mechanisms for collection of charging-related information, Data Traffic, charging related collection of charging-related information, access to data, Computing 002 V2.1.1
collection, log it in a secure way and make it MEC Host information log it in a secure way and make it Fraud Service (2018-10) /
secure storage available for further processing. available for further processing. Provider 8.3.
and NAA2" [Charging-01]
transmission of
charging-
related
information
Improper The mobile edge system shall comply Multi-edge Compliance with The mobile edge system shall comply Inability to MNO, Edge 8.2.
mechanisms for with regulatory requirements for lawful computing lawful interception with regulatory requirements for lawful respond to Computing [Lawful-01]
Lawful interception. requirements interception. lawful Service ETSI GS MEC
Interception at interception Provider 002 V2.1.1
Edge level mandates (2018-10)
LEG
SBA/SBI vulnerabilities of MEC components
Improper CAPIF main purpose is to have a unified 3GPP SA6 Secure APIs The confidentiality and data integrity of all Unauthorized MNO, Edge ETSI White
implementation north bound API framework across interfaces, messages shall be ensured by using TLS access, Computing Paper #36 -
of APIs several 3GPP functions. Like any ETSI MEC on each interface. Interception, Service Harmonizing
software, APIs can be compromised and interfaces The client and authorisation servers shall Eavesdrop, Provider standards for
your data can be stolen. Since APIs mutually authenticate. Availability edge
serve as conduits that reveal applications The client shall authenticate the resource Attacks, TCP computing
for third-party integration, they are server. Attack
susceptible to attacks. NAAx, EIH4
199
December 2020

Category Taxonomy)
Improper traffic MEC system is able to flexibly choose Application 5GC control plane Obtaining the mandatory input Service MNO, Edge ETSI GR
path update for UPF(s) and the corresponding DN Data Traffic solution parameters and use high level message unavailability Computing MEC 031
mobility according to MEC operators' and/or MEC flow to influence traffic path. FM5 Service V2.0.20
support application providers' operation policy or Provider (2020-08) /
unstable physical conditions. If traffic 5.1
path is not updated appropriately, user
context may not be transferred to the
application instance.
Improper protection of Data and Information
Improper The mobile edge platform shall only MEC Information access The mobile edge platform shall only Unauthorised MNO, Edge ETSI GS MEC
access control provide a mobile edge application with platform, controls provide a mobile edge application with access to data, Computing 002 V2.1.1
to information the information for which the application MEC the information for which the application malicious Service (2018-10) /
is authorized. Application, is authorized. Authentication of access to modification of Provider 8.1.
EAS the MEC services has to be performed configuration [Security-02]
according to CAPIF data, elevation
of privileges
NAAx
Virtualisation vulnerabilities of relevant MEC components
Vulnerable Security risks and concerns around Virtual Best Practices for The design should take into account the Unauthorised MNO, Edge Cloud
virtualisation / virtual IT systems can be broadly infrastr., Mitigating Risks in appropriate logical segregation of access, Computing Security
container / classified into three types: 1. Virtual Virtualized instances that contain sensitive data. eavesdropping, Service Alliance - Best
micro-service Architectural: The layer of abstraction Infrastr. Environments During implementation, extensive modification of Provider practices for
environment between physical hardware and manager assessment of the vulnerability of the security mitigating
virtualized systems running IT services is (VIM) virtualization components is mandatory. parameters, risks in
a potential target for attack. A VM or The underlying virtualization platform lateral virtualized
group of VMs connected to the same should be hardened using vendor- movements, environments
network can be the target of attacks from provided guidelines and/or third-party denial of
other VMs on the network. 2. Hypervisor tools. In a virtualized environment, robust services
software: The most important software in key management is essential to access NAAx, FMx
a virtual IT system is the hypervisor. Any control and proof of ownership for both
security vulnerability in the hypervisor data and keys. Role-based access
and associated infrastructure and policies should be enforced to enable
management software / tools puts VMs at segregation of duties and data. Proper
risk. 3. Configuration: Given the ease of VM encryption is required to significantly
cloning and copying images in a virtual reduce the risk associated with user
environment, a new infrastructure can be access to physical servers and storage
deployed very easily. This introduces containing sensitive data.
configuration drift. As a result, controlling
and accounting for rapidly deployed
environments becomes a critical task.
200
December 2020

Category Taxonomy)
Improper hardening of MEC Components
Lack of / Due to the distributed nature of edge Customer Response to Although specific measures required Denial of MNO, Edge ISO/IEC
improper DDoS computing deployments, appropriate facing DoS/DDoS attacks depend upon the type of DoS/DDoS Service Computing 27011 - ITU
Protection DDoS mechanisms may be impractical to service attacks, telecommunications NAA5 Service x.1205 /
deploy. Alternative protection (CFS) portal organizations Provider TEL.13.1.6
mechanisms need to be implemented in should take account of the following
order to deter attacks. countermeasures:
a) filtering of packets heading for the
target site under attacks;
b) restriction of communication port used
for DoS/DDoS attacks;
c) reduction or suspension of operation of
target telecommunications facilities.
MEC Application Vulnerabilities
Vulnerabilities Vulnerabilities in MEC Applications may MEC Security Testing of A regular security testing program should Exploitation of Edge ISO/IEC
in MEC be used as an entry point for attacks applications, MEC Applications be implemented to provide assurance application Computing 27001 /
applications aiming at exploiting the virtualisation Edge that application vulnerabilities are security Application A.18.2.3
environments, unauthorised access to Application identified and mitigated in a timely vulnerabilities Provider
data, elevation of privileges or denial of Server manner.
service. (EAS)
Vulnerabilities of the MEC virtualization platform
Improper Physical and logical resources should not Virtualisation Resource isolation Network segmentation, resource Unauthorized MNO, Edge NIS Directive
isolation of be shared with components which have infra- separation, data segregation. access, Computing
resources not the same criticality. This constraint structure, Interception, Service
requires the right level of isolation around MEC host, Eavesdrop Provider
the service to prevent regulation pollution MEC NAAx
to its own components and Platform
infrastructures
201
December 2020

Category Taxonomy)
Physical and environmental vulnerabilities of relevant MEC components
Improper Edge computing facilities are, by their MEC Host Improper physical To protect physically isolated operating Destruction of MNO, Edge ISO/IEC
Physical and nature, seated in locations distributed security of areas (e.g., mobile base stations) in edge computing Computing 27011 - ITU
environmental geographically. Normally, the first choice equipment in which telecommunications facilities are facilities, Service x.1205 /
security of edge will be communications shelters already remote locations located for providing telecom business, unauthorised Provider TEL.11.1.8,
computing operated by MNO. While the following controls should be access at TEL 11.3
facilities communications shelters have physical considered: system level as
security controls in place, these are a) earthquake-proofing; an entry point to
calibrated to risks associated with b) automatic fire control equipment; all hosted
communication equipment. An additional c) monitoring by a remote office for the resources, theft
risk assessment is needed to assess purpose of detecting facility failures, of data on local
suitability in the context of additional risks power failures, fire, humidity and storage.
incurred by presence of computing temperature and so on; Vandalism,
facilities. d) physically secure perimeters, including Sabotage
an automatic alert function. Natural Disaster
PAx, DIS
Improper Mobile-edge computing have to be MEC Host Security Incident Event logs recording user activities, Denial of MNO, Edge ISO/IEC
security integrated in the network-wide Security and event exceptions, faults and information Service, Computing 27011 - ITU
monitoring of Incident and Monitoring System, but with monitoring security events should be produced, kept Spoofing Service x.1205 /
edge computing additional considerations: development of and regularly reviewed. identity, Provider A.12.4.1
facilities use-case specific alert rules, integration Additional considerations: development of Tampering of
and correlation of data at all levels use-case specific alert rules, integration Data,
(network, application), integration and and correlation of data at all levels Information
correlation with service provider -level (network, application), integration and Disclosure,
monitoring mechanisms. Failure to do so correlation with service provider -level Unauthorised
may leave advanced or sustained threats monitoring mechanisms. access,
undetected, as well as technical failures Elevation of
or malfunctions of local resources. privileges.
Technical
failures
NAAx, FMx
202
December 2020

Category Taxonomy)
Insecure The mobile edge system shall provide a MEC Host Secure The mobile edge system shall provide a Unauthorised MNO, Edge ETSI GS MEC
service secure environment for running services environment secure environment for running services access, Computing 002 V2.1.1
environment for the following actors: the user, the for the following actors: the user, the eavesdropping, Service (2018-10) /
network operator, the third-party network operator, the third-party modification of Provider 8.1.
application provider, the application application provider, the application security [Security-01]
developer, the content provider, and the developer, the content provider, and the parameters,
platform vendor. platform vendor. lateral
movements,
denial of
services
PAx, DIS,
NAAx, FMx
Vulnerable mechanisms for authentication and authorisation of MEC components
Improper The usage of a system function without LCM Proxy, System functions The usage of a system function without Denial of MNO, Edge 3GPP TS
authentication successful authentication on basis of the MEC shall not be used proper authentication on basis of the user Service, Computing 33.117
policy, such as user identity and at least one Orchestrator without proper identity and at least one authentication Spoofing Service 4.2.3.4.1.1
unauthenticated authentication attribute (e.g. password, authentication and attribute (e.g. password, certificate) shall identity, Provider
access to certificate) opens the opportunity of authorisation. be prevented. System functions Tampering of
system exploitation and limits accountability. This comprise, for example network services Data,
functions, use includes M2M communication. (like SSH, SFTP, Web services), local Information
of generic access via a management console, local Disclosure
accounts usage of operating system and
applications. This requirement shall also
be applied to accounts that are only used
for communication between systems.
Insecure / Depending on information sensitivity LCM Proxy, Secure procedures The usage of a system function without Denial of MNO, Edge 3GPP TS
insufficient different level of strong authentication MEC for authentication successful authentication on basis of the Service, Computing 33.117
authentication mechanisms are required. Fail to identify Orchestrator and authorisation user identity and at least one Spoofing Service 4.2.3.4.1.2,
attributes, such the proper correspondence between authentication attribute (e.g. password, identity, Provider 4.2.3.4.2.1
as failure to levels of protection and authentication certificate) shall be prevented. Tampering of 4.2.3.4.3.
protect mechanisms implemented creates the The various user and machine accounts Data,
accounts by at possibility to allow unauthorized entities on a system shall be protected from Information
least one to access unallocated resources. misuse. To this end, an authentication Disclosure
authentication attribute is typically used, which, when
attribute, active combined with the user name, enables
predefined unambiguous authentication and
authentication identification of the authorized user.
attributes. All predefined or default accounts and/or
or default authentication attributes shall
be deleted or disabled.
203
December 2020

Category Taxonomy)
Weak or A password policy shall address the LCM Proxy, Password policy Password policy requirements include Denial of MNO, Edge 3GPP TS
missing password structure, password change, MEC requirements regarding Password Service, Computing 33.117
password hiding password display capabilities, Orchestrator complexity, password change, Protection Spoofing Service 4.2.3.4.3.
policy consecutive failed login attempts. A week against brute force and dictionary attacks, identity, Provider
password structure and/or a long validity hiding password display Tampering of
password period could lead to a Data,
successful brute force attack. Failure to Information
block consecutive failed login attempts Disclosure
may lead to password guess.
Insecure The network product management shall LCM Proxy, Protect Protect devices used for administration. Unauthorised MNO, Edge 3GPP TS
authentication support mutual authentication MEC management Reduce the exposure of management access at Computing 33.117
mechanisms to mechanisms, the mutual authentication Orchestrator interfaces interfaces. system, theft of Service 4.2.3.4.4.1
management / mechanism can rely on the protocol used Ensuring there's a trail of breadcrumbs. data Provider
maintenance for the interface itself or other means.
interfaces
Insecure The authorisations for accounts and LCM Proxy, Authorisation and The authorisations for accounts and Denial of MNO, Edge 3GPP TS
authorisation applications shall be reduced to the MEC access control applications shall be reduced to the Service, Computing 33.117
and access minimum required for the tasks they have Orchestrator minimum required for the tasks they have Spoofing Service 4.2.3.4.6
control to perform. to perform. identity, Provider
mechanisms Authorisations to a system shall be Tampering of
restricted to a level in which a user can Data,
only access data and use functions that Information
he needs in the course of his work. Disclosure,
Alongside access to data, execution of Operator Error
applications and components shall also
rights.
Insufficient or improper monitoring mechanisms of MEC components
Insufficient / Lack of security events logged together MEC Security event Security events shall be logged together Denial of MNO, Edge 3GPP TS
inadequate with a unique system reference (e.g. host platform, logging with a unique system reference (e.g. host Service, Computing 33.117
logging of name, IP or MAC address) and the exact MEC Host, name, IP or MAC address) and the exact Spoofing Service 4.2.3.6.1
security events time the incident occurred do not allow a MEC time the incident occurred. For each identity, Provider
for MEC App correct and rapid audit in case of security Application, security event, the log entry shall include Tampering of
and MEC host incident occurrence. VIM user name and/or timestamp and/or Data,
performed action and/or result and/or Information
length of session and/or values exceeded Disclosure,
and/or value reached. Operator Error
IETF RFC 3871, section 2.11.10 specifies
the minimum set of security events.
204
December 2020

Category Taxonomy)
Logs not Security event logs should be forwarded MEC Transfer security Log functions should upload securely of Denial of MNO, Edge 3GPP TS
transferred to or uploaded to a central location or platform, logs to a log files to a central location or to an Service, Computing 33.117
centralized external systems. Security event log files MEC Host, centralized storage external system for the Network Product Spoofing Service 4.2.3.6.2
storage shall be protected in storage and transfer MEC that is logging. Secure transport protocols identity, Provider 4.2.3.6.3
states, too. Application, shall be used. Tampering of
VIM Data,
Information
Disclosure,
Operator Error
Improper Availability and integrity of security event MEC Protection of The security event log shall be access Denial of MNO, Edge 3GPP TS
protection of log files could conduct to delays, wrong platform, security event log controlled (file access rights) so only Service, Computing 33.117
security event audit results, delays in security MEC Host, files privileged users have access to the log Spoofing Service 4.2.3.6.2
log files restauration, threats persistence. MEC files. identity, Provider 4.2.3.6.3
Application, Tampering of
VIM Data,
Information
Disclosure,
Operator Error
205
December 2020
I ANNEX: DETAILED VULNERABILITIES IN

THE PHYSICAL INFRASTRUCTURE

Name of Security Requirements /Description
Description Assets (Threat Stake-holder Source Ref
Vulnerability Controls of security controls
Category Taxonomy)
Vulnerabilities of Data centre and telecommunication facilities
Improper physical Communication centres should provide Physical Securing Physical security of communication Destruction of MNO ISO/IEC
security of a full set of physical and environmental asset, communication centres, where telecommunications assets, 27011 - ITU
communication controls aimed to assure access Cloud Data centres facilities such as switching facilities for unauthorised x.1205 /
centres control, monitoring, continuity of Centre providing telecommunications business access, theft of TEL.11.1.7,
operations and protection against are housed, should be designed, data on local TEL 11.3
environmental disasters. Failure to do developed and applied. storage,
so may lead to unauthorised access, vandalism,
destruction of assets and impairment of sabotage Natural
operations. Disasters
(PAx, DIS)
Improper physical Telecom equipment rooms should Physical Securing Physical security of equipment room, Destruction of MNO ISO/IEC
security of provide a risk-calibrated set of physical asset, Light telecommunications where telecommunications facilities are assets, 27011 - ITU
telecommunications and environmental controls aimed to Data equipment room set for providing telecommunications unauthorised x.1205 /
equipment room assure access control, monitoring, Centre business, should be designed, access, theft of TEL.11.1.8,
continuity of operations and protection developed and applied. data on local TEL 11.3
against environmental disasters. Failure storage,
to do so may lead to unauthorised vandalism,
access, destruction of assets and sabotage Natural
impairment of operations. Disasters
(PAx, DIS)
206
December 2020

Category Taxonomy)
Improper physical Remote equipment facilities should Physical Securing physically For physically isolated operating areas, Destruction of MNO ISO/IEC
security of provide a set of physical and asset, Light isolated operation where telecommunications facilities are assets, 27011 - ITU
physically isolated environmental controls aimed to assure Data areas located for providing telecom business, unauthorised x.1205 /
operation areas access control, monitoring, continuity of Centre physical security controls should be access, theft of TEL.11.1.9,
operations and protection against designed, developed and implemented. data on local TEL 11.3
environmental disasters, taking into storage,
account its remoteness and lack of vandalism,
human presence. Failure to do so may sabotage Natural
lead to unauthorised access, Disasters
destruction of assets and impairment of
operations. (PAx, DIS)
Improper physical Equipment located in third party Physical Protection of When telecommunications Destruction of MNO, Partner ISO/IEC
security equipment facilities rooms should be protected asset, Light equipment sited in organizations install equipment outside assets, 27011 - ITU
sited in other using a risk-calibrated set of physical Data other carrier's of their own premises, the equipment unauthorised x.1205 /
carrier's or and environmental controls aimed to Centre premises should be sited in a protected area so access, theft of TEL.11.1.8,
partner's premises assure access control, monitoring, that any risks from environmental data on local TEL 11.3.1
continuity of operations and protection threats or dangers and from the storage,
against environmental disasters. Failure possibility of unauthorized access are vandalism,
to do so may lead to unauthorised reduced. sabotage Natural
access, destruction of assets and Disasters
impairment of operations.
(PAx, DIS)
Improper protection Lack of a power supply continuity Physical Continuity of power Power supply facilities in the isolated Unavailability of MNO, Vendor ISO/IEC
to Power Outages strategy that includes multiple power asset supplies area such as mobile base stations resources 27011 /
supplies to avoid a single point of should preferably provide an 11.2.2
supply failure. uninterruptible power supply with
capacity for all loading and capable of (OUT)
withstanding primary power supply
failures for the duration of likely
outages. If that is impossible, a
mechanism to provide uninterruptible
power to critical equipment should be
installed. Batteries may need to be
augmented with a private electric
generator, especially in isolated areas.
207
December 2020

Category Taxonomy)
Improper protection Environmental conditions, such as Physical Equipment siting Equipment should be sited or protected Destruction of MNO, Partner ISO/IEC
against temperature and humidity, should be asset and protection to reduce the risks from environmental assets, natural 27011 /
environmental monitored for conditions, which could threats and hazards, and opportunities disasters 11.2.1
disasters adversely affect the operation of for unauthorized access.
information processing facilities. If the
systems of several organizations are (FM5, DIS)
sited in the same data centre as
telecommunications facilities, the
telecommunications organization
should implement appropriate
measures to protect customers'
information stored in their systems.
Improper capacity Lack of capacity for mission critical Physical Capacity The use of resources should be Unavailability of MNO ISO/IEC
planning telecommunication systems and asset management monitored, tuned and projections made services 27011 /
facilities. of future capacity requirements to 12.1.3
ensure the required system
performance. (OUT)
Improper Improper maintenance of equipment in Physical Maintenance Equipment should be maintained in Destruction of MNO ISO/IEC
maintenance the data centre can lead to failures. asset program accordance with the supplier’s assets, 27011 /
recommended service intervals and unavailability of 12.1.4
specifications. Only authorized services
maintenance personnel should carry
out repairs and service equipment.
(UD4, OUT)
Improper The lack of monitoring of the hardware Physical Monitoring program Develop a program to monitor critical Destruction of MNO ISO/IEC
monitoring of parameters means that the preventive asset hardware resources assets, 27011 /
hardware alerts given by the equipment are not unavailability of 12.1.4
parameters included in the operative maintenance. services
Thus, preventive maintenance is not
done in time and defects can occur,
creating incidents and making (UD4, OUT)
equipment unavailable. The cost of
corrective maintenance is much higher
than the cost of preventive
maintenance
208
December 2020

Category Taxonomy)
Hardware vulnerabilities
Firmware Firmware could be hacked and Hardware Secure firmware The firmware must be secured by a Firmware Vendor
vulnerabilities embedded with malware. Firmware cryptographic signature (hash) in order malware
producers usually do not design their to be able to detect infiltration. Update
firmware with security in mind. firmware periodically. Buy hardware (NAAx)
Firmware malware will exploit this lack with built-in protections against
of security by attaching their code to the malicious firmware.
firmware’s code.
Side-channel A side-channel vulnerability bypasses a Hardware TEMPEST-resistant Shielding of devices from EMR is Unauthorised Vendor
vulnerabilities computer’s account permissions, standards achieved by a number of methods. The access at
virtualization boundaries and protected most sophisticated devices use system, theft of
memory regions and exposes sensitive advanced micro-components that have data
device information. Timing information, been designed from scratch to minimize
power consumption, electromagnetic Tempest emanations. Generally,
leaks or even sound can provide an shielding involves encompassing the (PAx)
extra source of information, which can device in a Faraday cage that does not
be exploited. Notable side-channel permit stray emanations, along with
vulnerabilities include: Spectre / special modifications to the power
Meltdown, Foreshadow, TLBleed, source. Tempest shielding also involves
PortSmash, NetSpectre. such issues as the design of a room
and placement of equipment within it, to
ensure that no information can escape.
Hardware Backdoor A hardware backdoor might easily be Hardware Firmware upgrade Hardware backdoor might be removed Recovered keys Vendor
installed through re-flashing BIOS. A by replacing the hardware or re-flashing could be used
hardware backdoor typically has full BIOS, or firmware for net devices. to compromise
access to the device it runs on. The the operating
backdoors may be directly implemented system and
as hardware Trojans in the integrated encrypted data.
circuit. (NAAx)
Semiconductor Adding impurities to silicon-based semi- Hardware Product testing Purchase and use of tested and Rogue designer Vendor
Doping conductors change or control their certified hardware equipment. /developer /
electrical properties. It is possible to admin
'dope' transistors of a chip to change
function behaviour. This was done
successfully to change the random (NAAx)
number generator of Ivy Bridge Intel
processors.
209
December 2020

Category Taxonomy)
Unprotected Management interfaces are written in Hardware Protect Protect devices used for administration. Unauthorised MNO, Vendor
management software, and like all software, can management Reduce the exposure of management access at
interfaces and contain vulnerabilities. interfaces interfaces. system, theft of
consoles Ensuring there is a trail of breadcrumbs. data
(NAA4, EIH4)
TPM-FAIL TPM-FAIL vulnerabilities allow Hardware Monitor hardware Buy only tested and certified hardware. Recovered keys Vendor
vulnerabilities attackers to steal cryptographic keys vulnerabilities Replace vulnerable hardware could be used
protected inside of Trusted Platform immediately. to compromise
Modules (TPMs). the operating
system and
encrypted data.
(NAA4, EIH4)
Cabling vulnerabilities
Unprotected cables Fibres routed between pieces of Cables Compliance with Raceway / conduit, is one of the easiest Destruction of MNO TIA-569-E
equipment without proper protection are cable standards ways to protect any cable, fibre optic assets,
susceptible to damage, which can included. These hollow pieces of plastic unauthorised
critically affect network reliability. The act like a protective outer shell. access,
fibre cable management system should vandalism,
therefore ensure that every fibre is sabotage (UD4,
protected from physical damage. OUT)
Unprotected Lack of protection of junction boxes / Cables Secure junction Optical fibre junction boxes / splice Destruction, MNO TIA-569-E
junction boxes splice closures. Improper cable routing boxes closures shall be accessible to unauthorised
also causes increased congestion in maintenance personnel and access,
the termination panel and the maintenance vehicles. A closure should vandalism,
cableways, increasing the possibility of be located away from high traffic or sabotage
bend radius violations and long-term conditions that could cause damage to
failure. the closure or injury to personnel. (UD4, OUT)
Vulnerabilities related to virtualisation technologies
Improper protection Management interfaces are written in Virtualisation Secure Reducing the exposure of management Improper MNO, Cloud
of access to software, and like all software, may assets management interfaces. protection of Security
management contain vulnerabilities. Avoiding interfaces access to Alliance
interfaces exposure of management interfaces management
can reduce attack surface. interfaces
210
December 2020

Category Taxonomy)
Vulnerable A Hardware-Based Root of Trust Virtualisation Core HBRT The host system shall implement a Hardware MNO, Vendor NA
mechanisms for (HBRT) should act as Initial Root of assets hardware Hardware-Based Root of Trust (HBRT) manipulation
Hardware-Based Trust to ensure a safe environment for requirements based on core hardware requirements
Root of Trust running sensitive virtualised
(HBRT) components.
Hypervisor A hypervisor-based attack is an exploit Virtualisation Hardening Secure access can become Hypervisor- MNO, Vendor NA
vulnerabilities in which an intruder takes advantage of assets hypervisor compromised due to VM sprawl and based attacks
conduct to cross- vulnerabilities in the program used to other issues. Ensure that authentication
contamination of allow multiple operating systems to procedures, identity management, and
shared resources share a single hardware processor. A logging are enforced
compromised hypervisor can allow the
hacker to attack each virtual machine
on a virtual host.
Improper Denial of service attacks exploit many Virtualisation VM traffic The ability to monitor VM backbone Denial of MNO, Vendor NA
availability hypervisor platforms and range from assets monitoring network traffic is critical. Conventional service
arrangements for flooding a network with traffic to methods will not detect VM traffic
hardware sophisticated leveraging of a host’s own because it is controlled by internal soft
infrastructure resources. The availability of botnets switches. However, hypervisors have
continues to make it easier for attackers effective monitoring tools that should be
to carry out campaigns against specific enabled and tested.
servers and applications with the goal
of derailing the target’s online services.
Shared resource VM guest OS may escapes from its VM Virtualisation VM segregation In addition to normal isolation, VM image MNO, Vendor NA
contamination encapsulation to interact directly with assets strengthen VM security through attacks, VM-
the hypervisor. This gives the attacker functional segregation. based attack
access to all VMs and, if guest
privileges are high enough, the host
machine as well. Although few if any
instances are known, experts consider
VM escape to be the most serious
threat to VM security.
211
December 2020

Category Taxonomy)
Vulnerability to Radio Jamming Attacks
Vulnerability to As any wireless cellular networks, 5G Base Implement Anti- Jam-resistance designs. Eavesdropping, Vendor NA
radio jamming networks are built upon open sharing in stations Jamming Use hardware-based real-time Interception,
attacks which the communication medium is Technologies encryption and decryption. Hijacking,
three space making them prone to Denial of
interference. This weakness can be service,
used by some adversary nodes to information
cause intentional interference and disclosure
hinder legitimate user’s communication
over specific wireless channels. 5G
improves resilience against jamming (EIH4)
attacks over the 4G LTE but remains
vulnerable to customised attacks.
Jamming attacks are a special concern
for mission-critical applications.
212
December 2020
J ANNEX: DETAILED VULNERABILITIES IN

IMPLEMENTATION OPTIONS
Associated
Category
Vulnerabilities of legacy technologies
Inadequate Should the Access Stratum (AS) over- UE, eNB, Integrity protection User data and signalling data integrity, Tampering of MNO 3GPP 33.401
integrity the-air User Plane traffic not be MME of AS User Plane 3GPP 33.401 / 5.1.4 Data, Information / 5.1.4
protection of adequately protected by Integrity Traffic Disclosure
over-the-air Protection security algorithms, a
User Plane scenario is possible where a customer’s NAAx, EIH4
traffic message and/or communication flow
could be intercepted in the middle
between the UE and the server. An
adversary could then manipulate the
customer’s message and/or
communication flow between the UE and
the server.
Exposure of Exposure of IMSI may occur due to clear UE, eNB, Encryption of Security Aspects of IMS Emergency Tampering of MNO 3GPP 33.401
international text transmission of IMSI during MME authentication Session Handling 3GPP 33.401 / 15 Data, Information / 15
mobile Authentication Procedures, or by means procedures Disclosure
subscriber of insecure IMS Emergency Session Authentication and key agreement3GPP 3GPP 33.401
identities (IMSI) Handling 33.401 / 6.1 NAAx, EIH4 / 6.1
Roaming vulnerabilities
SS7 Extensive research of SS7 and Diameter LTE Visiting Compensating Compensating controls are detailed in the Tampering of MNO, Signalling
Vulnerabilities vulnerabilities is available in the ENISA - PLMN controls referred report Data, Information Roaming Security in
Signalling Security in Telecom Disclosure partners Telecom
SS7/Diameter/5G,” Report, https:// SS7/Diameter
NAAx, EIH4 /5G / Section
www.enisa.europa.eu/publications/signal 3.3
ling-security-in-telecom-ss7-diameter-
5g/at_download/fullReport.
213
December 2020
Associated
Category
Diameter Extensive research of SS7 and Diameter LTE Visiting Compensating Compensating controls are detailed in the Tampering of MNO, Signalling
vulnerabilities vulnerabilities is available in the ENISA - PLMN controls referred report Data, Information Roaming Security in
Signalling Security in Telecom Disclosure partners Telecom
SS7/Diameter/5G,” Report, https:// SS7/Diameter
NAAx, EIH4 /5G / Section
www.enisa.europa.eu/publications/signal 3.3
ling-security-in-telecom-ss7-diameter-
5g/at_download/fullReport.
VoLTE Vulnerability to ReVOLTE attack: LTE Visiting Increase bearer Using different radio bearer identities Tampering of MNO, See reference
vulnerabilities PLMN identities; derive mitigates the threat of keystream reuse, as Data, Information Roaming
Adding a PDCP entity for the VoLTE new key with an a separate input parameter changes the Disclosure partners
data-bearer in the same radio intra-cell handover; output keystream for the subsequent call.
connection resets packet counts fora mandatory media However, the radio bearer identity is only NAAx, EIH4
second time, which introduces the encryption and defined as a 5-bit field, which means that
keystream reuse for a subsequent call integrity protection incrementing it only works for 32 new
along with reusing the same bearer bearers.
identity96
An inter-cell handover allows transferring a
phone from one cell to another while the
phone stays connected. Using an intracell
handover as mitigation works, as the
handover procedure has a built-in key
reuse avoidance.
A successful REVOLTE attack requires
that no additional media encryption is
active. Even though the adversary can
attack and decrypt the radio layer
encryption, such additional encryption via
SRTP prevents access to any voice data
96
David Rupprecht and Katharina Kohls and Thorsten Holz and Christina Popper, Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE, 29th USENIX Security Symposium
Proceedings, 2020. isbn 978-1-939133-17-5, pages 73-88, accessed October 2020
214
December 2020
Associated
Category
Improper implementation of updated security functions
Vulnerabilities Improper or not updated configuration MME MME security Relevant security requirements include: Tampering Data, MNO, 3GPP TS
in MME and implementation of MME to comply functionalities and Information Vendor 33.401
implementation with updated security requirements as configurations as - User data and signalling data Disclosure, Denial v.16.3.0 / eNB
defined by Release 16 versions of defined by 3GPP confidentiality and integrity of Service NAAx, / 5.1, 5.3, 6, 7,
applicable 3GPP requirements updated - Integrity-, confidentiality- and replay- EIH4 8.1, 9,11,
specification protection of control plane data over S1- 14.1, 14.3, 15
MME and X2-C interfaces
- Compliant Security Procedures between
UE and EPC / EPS
- Secure key derivation and management
requirements
- NAS Integrity mechanisms
- Network Domain Control Plane
protection
- Secure IMS Emergency Session
Handling
Vulnerabilities Improper or not updated configuration eNB User-to-network User-to-network security requirements Tampering Data, MNO, 3GPP TS
in evolved and implementation of eNB to comply security; include: Information Vendor 33.401
Node B (eNB) with updated security requirements as Disclosure, Denial v.16.3.0 / eNB
implementation defined by Release 16 versions of Security visibility - User identity and device confidentiality of Service NAAx, / 5.1, 5.2, 5.3
applicable 3GPP requirements and configurability; - Entity authentication EIH4
- User data and signalling data
Security confidentiality
requirements for - User data and signalling data integrity
eNB Security requirements for eNB include:
- Requirements for eNB setup and
configuration
- Requirements for key management
inside eNB
- Requirements for handling User plane
data for the eNB
- Requirements for handling Control plane
data for the eNB
- Requirements for secure environment of
the eNB
215
December 2020
Associated
Category
Vulnerabilities in the technical baseline of EPC+ functions
Improper Inadequate security measures for EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Elevation of MNO, 3GPP TS
protection of protecting sensitive data, such as: functions 4.2.3.2 Protecting a similar level to 5G Core components. Privilege, Vendor 33.117, 116,
Data and data and Detailed description of security Information 216 / 4.2.3.2.
Information of - System functions revealing information requirements in the technical baseline is Disclosure,
EPC+ confidential data presented in the corresponding 5G Core Tampering
components - Improper protection of data and detailed vulnerabilities section.
information in storage NAA2, NAA3,
- Lack of or improper cryptographic NAA4
protection of data in transfer
- No traceability of access to personal
data
Improper Inadequate security measures for EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of Service, MNO, 3GPP TS
protection of protecting availability and integrity, such functions 4.2.3.3 Protecting a similar level to 5G Core components. Spoofing identity, Vendor 33.117, 116,
availability and as: availability and Detailed description of security Tampering of 216 / 4.2.3.3.
integrity of integrity requirements in the technical baseline is Data, Information
EPC+ - Failure to address overload situation presented in the corresponding 5G Core Disclosure
components - Boot from unauthorized memory detailed vulnerabilities section.
devices NAAx
- Improper handling of unexpected input
- Insufficient assurance of software
package integrity
Vulnerable Inadequate mechanisms for EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of Service, MNO, 3GPP TS
mechanisms authentication and authorisation, such functions 4.2.3.4 a similar level to 5G Core components. Spoofing identity, Vendor 33.117, 116,
for as: Authentication and Detailed description of security Tampering of 216 / 4.2.3.4.
authentication authorisation requirements in the technical baseline is Data, Information
and - Unauthenticated access to system presented in the corresponding 5G Core Disclosure
authorisation functions detailed vulnerabilities section.
of EPC+ - Improper authentication mechanisms NAAx
components - Predefined/ default accounts and/or
authentication attributes
- Weak or missing password policy
- Lack of mutual authentication of
entities for management interfaces
- Improper authorisation and access
control policy
216
December 2020
Associated
Category
Improper The system shall have a function that EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of Service, MNO, 3GPP TS
session allows a signed in user to logout at any functions 4.2.3.5 Protecting a similar level to 5G Core components. Spoofing identity, Vendor 33.117, 116,
protection time. All processes under the logged in sessions Detailed description of security Tampering of 216 / 4.2.3.5.
mechanisms of user ID shall be terminated on log out. A requirements in the technical baseline is Data, Information
EPC+ permanent exposed session increases presented in the corresponding 5G Core Disclosure,
components the exposure of the system as an entry detailed vulnerabilities section. Operator Error
point for unauthorized person.
OAM user interactive session shall be NAAx, Udx"
terminated automatically after a
specified period of inactivity.
Insufficient or Lack of security events logged together EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of Service, MNO, 3GPP TS
improper with a unique system reference (e.g. functions 4.2.3.6 Logging a similar level to 5G Core components. Spoofing identity, Vendor 33.117, 116,
monitoring host name, IP or MAC address) and the Detailed description of security Tampering of 216 / 4.2.3.6.
mechanisms of exact time the incident occurred hinder a requirements in the technical baseline is Data, Information
EPC+ correct and rapid audit in case of presented in the corresponding 5G Core Disclosure,
components security incident occurrence. Security detailed vulnerabilities section. Operator Error
restauration is delayed. NAAx, Udx
Vulnerabilities Inadequate or missing security EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of Service, MNO, 3GPP TS
in Operating measures at O.S. level, such as: functions 4.2.4. Operating a similar level to 5G Core components. Spoofing identity, Vendor 33.117, 116,
Systems Systems Detailed description of security Tampering of 216 / 4.2.4.
supporting - Improper / missing controls for requirements in the technical baseline is Data, Information
EPC+ protection of security event log files presented in the corresponding 5G Core Disclosure,
components - Improper handling of growing content detailed vulnerabilities section. Operator Error,
by file system equipment /
- Processing of ICMP packets not software errors,
required for operation growing dynamic
- Processing of IP packets with content r
unnecessary options or extensions NAAx, Udx, FMx
- Privilege Escalation allowed without
re-authentication
- Recurrent UIDs for UNIX System
accounts
Vulnerabilities Inadequate or missing measures to EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Spoofing identity, MNO, 3GPP TS
in Web Servers secure web servers, such as: functions 4.2.5. Web Servers a similar level to 5G Core components. Tampering of Vendor 33.117, 116,
supporting Detailed description of security Data, Information 216 / 4.2.5.
EPC+ - Unsecure Https connection to web requirements in the technical baseline is Disclosure, Denial
components servers presented in the corresponding 5G Core of Service,
- Lack of / improper logging of access to detailed vulnerabilities section.
the webserver Session hijacking
- Lack of / improper http user session
protection Injection, cross-
- Improper validation of HTTP input site scripting,
NAAx, EIH4
217
December 2020
Associated
Category
Vulnerabilities Inadequate or missing security in EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of service, MNO, 3GPP TS
of network network devices, such as: functions 4.2.6. Network a similar level to 5G Core components. packet flooding, Vendor 33.117, 116,
devices Devices Detailed description of security malware, 216 / 4.2.6.
running EPC+ - Lack of packet filtering functionality requirements in the technical baseline is authorisation
components - Lack of robustness against presented in the corresponding 5G Core attacks, man-in-
unexpected input detailed vulnerabilities section. the-middle attacks
- Improper or absent GTP-C Filtering NAAx, FM5
- Improper or absent GTPU Filtering
Improper Failure to implement hardening baseline EPC+ 3GPP TS 33.117 / EPC+ components should be secured on Denial of Service, MNO, 3GPP TS
hardening of controls, such as: functions 4.3. Security a similar level to 5G Core components. Spoofing identity, Vendor 33.117, 116,
EPC+ requirements Detailed description of security Tampering of Data, 216 / 4.3
components - Unnecessary or insecure services / related to requirements in the technical baseline is Information
protocols hardening presented in the corresponding 5G Core Disclosure,
- Unrestricted reachability of services detailed vulnerabilities section. Component
- Unused software components malfunctions,
- Unused software or hardware Authorisation
functions attacks, elevation of
- Unsupported components privilege,
- Remote login of privileged users Unauthorised /
- Excessive Filesystem Authorisation erroneous data
privileges element
- Lack of protection against IP-Source modification /
address spoofing deletion, Packet
- Unneeded kernel network functions flood, Exploitation
- automatic launch of removable media of vulnerable kernel
- No SYN Flood Prevention functions, malware,
- No protection against buffer overflows bypassing of
- No/improper external file system security controls,
mount restrictions running
- Directory listings unauthorised
- Web server information in HTTP operating system,
headers Syn Flood attacks,
- Web server information in error pages Buffer overflow
- Unused file type- or script-mappings attacks, Exploitation
- Unrestricted access to files of vulnerable
- Execution rights outside CGI/Scripting components, Code
directory injection, Elevation
- System privileges for web server of privileges, Abuse
processes of unused
- Active and unused HTTP methods vulnerable methods
- Unused web server addons
- Access to compiler, interpreter, or NAAx, UDx,FMx
shell via CGI or other server-side
scripting
- Common directory for uploads and
CGI/Scripting
218
December 2020
Associated
Category
- Execution of system commands with
server side includes (SSI)
- Excessive / improper access rights for
web server configuration files
- Presence of default content
- Inadequate traffic separation of traffic
belonging to different network domains
- Code execution or inclusion of
external resources by JSON parsers
- JSON Parser not robust
219
December 2020
K ANNEX: DETAILED VULNERABILITIES IN

MNO PROCESSES
Associated Threats
Name of Security Security Requirements /Description of
Category Taxonomy)
Improper Resource Capability Delivery Processes
Improper The Map & Analyse Resource 5G system Map & Implement sound processes to define the Design errors; MNO eTOM 20 /
processes to Requirements processes define the architecture Analyse detailed resource infrastructure requirements network 1.5.2.1
map and detailed resource infrastructure Operational Resources to support the service capabilities required by complexity;
analyse requirements and the associated processes Requirements new technological arrangements in the context new
resource performance requirements. The high for end-to-end of 5G. technology;
requirements complexity of the 5G system demands 5G network lack of
well-structured analysis of such lifecycle using Such requirements should be based on competences
requirements. Failure to do so may lead as a reference detailed analysis of new resource (NAAx, EIH4,
to inability to deliver on planned the applicable requirements and should include detailed Pax, UDx,
operational and security parameters. requirements, performance requirements – current and FMx, OUT,
such as 3GPP forecast. DIS, LEG)
33.501 and
23.501 and
corporate /
service-level
security
requirements.
Failure to adapt The Enable Resource Support & Resource Enable Operator examines the network product; the Faults or MNO, eTOM 20 /
resource Operations processes manage the support and Resource compliance reports and the test laboratories vulnerabilities Vendor, 1.5.2.5
support and design of any improvements or changes operations Support & accreditation published by the SECAM in equipment Accreditation
operations required to the operational support processes Operations - Accreditation Body and decides if the results FMx, OUT Body
processes to support the new eTOM process are sufficient according to its internal policies
capabilities and infrastructure brought by type
the new technology. Improper
functioning of these processes leads to
operational support shortfalls which
impair the ability to achieve, preserve or
restore operational and security
attributes.
220
December 2020
Associated Threats
Category Taxonomy)
Inability to Processes must be in place to identify Resource Capture Sound analysis to identify specific or imminent Network MNO eTOM 20 /
capture specific or imminent resource capacity, capability Resource resource capacity, resource performance complexity; 1.5.2.2
resource resource performance and/or resource delivery Capability and/or resource operational support shortfalls. new/untested
capability operational support shortfalls. These processes Shortfalls Special attention needs to be given to technology;
shortfalls processes must be adapted to the new process - foreseen impact to connected systems, such new/untested
technological and operational challenges eTOM process as business support, billing, customer business
of the 5G System. Failure to do so may type interfaces and common infrastructure, and models; lack
lead to failure to foresee otherwise adequate mechanisms have to be enabled for of
preventable operational and security monitoring Tolerance (Survivability, Disruption competences
incidents triggered by resource failure or Tolerance, Traffic Tolerance) (UDx, FMx)
limitations.
Improper Resource capabilities design processes Resource Design Sound management of resource infrastructure Network MNO eTOM 20 /
Resource must ensure a sound integration capability Resource management to ensure that requirements of complexity; 1.5.2.4
Capabilities between the existing legacy resource delivery Capabilities the migration projects include relevant new/untested
design infrastructure and the new resource processes process - standards and best practices as well as technology;
infrastructure. Care must be given that eTOM process security functionalities and controls. new/untested
resource analysis references relevant type business
standards and best practices as well as models; lack
security functionalities and controls. of
Failure to do so expose the system to competences
degradation of operational and security (UDx, FMx)
attributes.
Improper Adequate processes must be in place to Resource Manage Implement sound processes to manage the Exploitation of MNO eTOM 20 /
management of manage the provision, implementation, capability Resource provision, implementation, commissioning and 5G networks 1.5.2.6
Resource commissioning and roll-out of the new delivery Capability roll-out of the new or enhanced resource triggered by
Capability resource capabilities and their processes Delivery capability and associated operational support improper
Delivery associated operational support process - processes, aligned with the relevant eTOM management
processes. Improper management and eTOM process reference and industry best practices. and co-
co-ordination of the delivery of individual type ordination of
resource infrastructure components lead Such processes should include management the delivery of
to inability to deliver the overall resource of suppliers/partners responsible for the individual
capability and therefore inability to resource delivery, installation, and resource
deliver the planned operational and construction, and may include audits on infrastructure
security parameters operators and on implementation projects. component;
nefarious
activity/abuse
(NAAx)
221
December 2020
Associated Threats
Category Taxonomy)
Improper Adequate processes must be in place to Resource Manage Implement sound processes to manage the Lack of MNO eTOM 20 /
processes to ensure that all relevant requirements capability Handover to handover new resource infrastructure to available skills 1.5.2.7
manage have been met, and prerequisites for delivery Resource operational control, aligned with the relevant and
Handover to successful operation are in place at the processes Operations eTOM reference and industry best practices. competences
Resource prior to new resource infrastructure is Resource process Such processes should ensure that all relevant (UDx)
Operations handed over to operations. Failure to do Management requirements are met by the new resource
so may lead to loss of operational & Operations infrastructure, and prerequisites for successful
control over the newly deployed Processes operation are in place, including skills,
resources. equipment and support processes and include
coordination of all stakeholders involved in the
approval and acceptance of handover to
operational control.
Improper Resource Development & Retirement Processes
Improper Adequate processes must be in place to Resource Develop Implement sound processes to manage the Network MNO eTOM 20 /
control of develop and document detailed Development Detailed develop and document detailed technical, complexity; 1.5.3.4
Detailed technical, performance and operational & Retirement Resource performance and operational specifications, new/untested
Resource specifications for the components of the Process Specifications aligned with the relevant eTOM reference and technology;
Specifications new 5G System. Failure to ensure - eTOM industry best practices. Such processes must lack of
development adequate control on specification process type have as mandatory input security requirements competences
development may lead to significant and adherence to 3GPP specifications. (UDx, FMx)
security and operational exposure,
especially so in the context of emerging
technologies such as 5G System
components.
Inadequate Adequate processes must be in place to Resource Manage Processes to ensure that the required service Legal Threats, MNO eTOM 20 /
coordination of ensure that all resources needed to Development Resource level agreements and operational level Loss of 1.5.3.5
resource support new resource & Retirement Development - agreements are developed and agreed for Quality (LEG,
development classes/components are identified and Process eTOM process each resource class deployed, and that any FMx)
developed. These might include new SLAs type supplier/partner operational support has been
operational processes and procedures, OLAs identified and agreed, aligned with the relevant
IT / network changes and eTOM reference and industry best practices.
operational/service level agreements.
Failure to do so impairs the ability to
deliver the required resource capability
and the associated operational and
security attributes.
222
December 2020
Associated Threats
Category Taxonomy)
Improper Adequate processes must be in place to Resource Manage Implement sound processes to ensure the co- Flawed MNO eTOM 20 /
management of ensure the co-coordinated deployment Development Resource coordinated deployment of new resources products / 1.5.3.6
resource of new resources aligned with the & Retirement Deployment - aligned with the approved 5G business cases resources,
deployment approved 5G business cases and to Process eTOM process and to ensure that all resources needed to flawed
ensure that all resources needed to type support new resource classes/components are processes,
support new resource implemented, aligned with the relevant eTOM unreliable
classes/components are implemented. reference and industry best practices. processes,
These might include new operational lack of
processes and procedures, IT / network competences,
changes and operational/service level unreliable
agreements. partners (UDx,
FMx)
Failure to do so impairs the ability to
deliver the required resource capability
and the associated operational and
Improper Reuse of data storage media without Decommission Manage Resource exit procedures should include clear Unauthorised MNO ISO/IEC
storage media properly deleting previous data could ing processes Resource Exit risk-based rules for media sanitisation upon access to 27001
sanitisation lead to confidentiality loss of various Network - eTOM decommissioning of network elements. information /A.8.3.2
types of data (management, operation, Elements process type (NAA1, NAA4)
personnel) and subsequently to major
security, commercial or judicial issues
Improper Appropriate processes must be in place Decommission Manage Implement sound processes to ensure the Nefarious MNO eTOM 20 /
management of to develop specific exit or migration ing processes Resource Exit controlled of resource exit, aligned with the activity / 1.5.3.7
resource exit strategies, develop resource Network - eTOM relevant eTOM reference and industry best abuse of
infrastructure transition and/or Elements process type practices. Such processes should ensure that vulnerable
replacement strategies, and manage the specific exit, migration, resource infrastructure components,
operational aspects of the exit process. transition and/or replacement strategies are information
Failure to do so leaves open gateways developed, and that the operational aspects of leaks,
for security threats, information leaks the exit process are managed. operational
and operational failures. failures
It is key that these processes include cross- (NAAx)
enterprise co-ordination to ensure that the
needs of all stakeholders are identified and
managed.
223
December 2020
Associated Threats
Category Taxonomy)
Improper Party Tender Management Processes
Inadequate Sourcing requirements take into account Tender and Determine the Implement sound processes to determine Scarcity of MNO eTOM 20
definition of the required functional, technical and/or purchasing Sourcing sourcing requirements, aligned with the potential and /1.6.2.1
sourcing operational specifications. Such processes Requirements relevant eTOM reference. existing
requirements requirements must include security - eTOM industry
relevant requirements, must be aligned process type Such requirements should include technical, suppliers and
with industry standards, and must be Indispensable operational, training, and specific supplier partners,
aligned with the risk level of the baseline support requirements. Security requirements, limited
purchased component. security with regard for the entire supply chain must be interoperability
requirements taken into consideration. between
Failure to do so may lead to inability to for the different
deliver on security and operational Industry standards and applicable regulatory
procurement requirements provide an essential input for this suppliers'
attributes of the system. of secure ICT equipment,
process.
products and high-risk
services suppliers
(NAAx, FMx,
UDx, LEG)
Improper Potential S/P selection process must Tender and Determine Implement sound processes to determine Scarcity of MNO eTOM 20 /
process to leverage information available from the purchasing Potential Potential Suppliers/Partners, aligned with the potential and 1.6.2.2
determine Gather & Analyse Supply Chain processes Parties - relevant eTOM reference. existing
Potential Information processes, as well as other eTOM industry
Suppliers/Partn specific inputs available from within the Process Type Such processes should shortlist suppliers that suppliers and
ers enterprise, or from external supplier Indispensable meet specific enterprise and industry standard partners,
research organizations at the specific baseline requirements. limited
time the need arises. Failure to do so security Also, such processes should provide detailed interoperability
may lead to selection of suppliers whose requirements analysis of potential partners/suppliers, between
risk profile is inadequate for the for the leveraging information available from internal different
purchased product / service. procurement and external sources, such as dependency suppliers'
of secure ICT risks, espionage by state or state-backed equipment,
products and actors using malware to abuse poor quality high-risk
services network components or unintentional suppliers
vulnerabilities affecting sensitive elements in (NAAx, FMx,
the network. UDx, LEG)
224
December 2020
Associated Threats
Category Taxonomy)
Manage the In absence of sound tender Tender and Manage the Implement sound processes to manage and Scarcity of MNO eTOM 20 /
Tender management process, delays, and purchasing Tender administer the mechanics of the tender potential and 1.6.2.3
Process errors in selecting the appropriate processes Process process, aligned with the relevant eTOM existing industry
vendors and solutions may result in reference. suppliers and
deteriorating the security and availability partners, limited
of the 5G system, and failure to comply Such processes should ensure coordination interoperability
with applicable regulation. and control of engagement interactions with between
potential parties, timing of the process, different
inclusion of relevant commercial and functional suppliers'
requirements and tender analysis equipment,
mechanisms, procedures, and approach. high-risk
suppliers
(NAAx, FMx,
UDx, LEG)
Improper Resource management and operation Support & Readiness processes
Improper Improper processes for supporting Resource Enable Implement sound processes to ensure Network MNO eTOM 20 /
processes to Resource Provisioning processes may management Resource availability and adequacy of support complexity; 1.5.4.1
support lead to ineffective and uncontrolled and operation Provisioning - infrastructure for Resource Provisioning new/untested
resource resource provisioning processes, leading processes eTOM process processes, and ensure that these processes technology;
provisioning availability issues and wrong type are adequately managed, monitored, and lack of
configurations due to inappropriate reported on, aligned with the relevant eTOM competences;
information or emergency handling reference and industry best practices. flawed design/
equipment /
Key objectives of these processes in the system
context of 5GS migration include: integration
- creation and deployment of support tools for (UDx, FMx,
resource deployment, and of adequate OUT)
processes for newly modified resource
infrastructure;
- scheduling, management, and monitoring of
the roll-out of new resource infrastructure
-·monitoring of newly deployed infrastructure
to provide early detection of potential
shortfalls;
225
December 2020
Associated Threats
Category Taxonomy)
Improper Sound processes should be in place to Resource Enable Implement sound processes to monitor and Network MNO eTOM 20 /
processes to monitor and assess resource management Resource assess resource infrastructure performance, complexity; 1.5.4.2
support infrastructure performance, as well as and operation Performance and to monitor, manage and report on the new/untested
resource ensuring the capability of the Resource processes Management - capability of the Resource Performance technology;
performance Performance Management processes. eTOM process Management processes, aligned with the lack of
management Soundness of such processes increases type relevant eTOM reference and industry best competences;
in importance with the increase in practices. flawed design/
complexity and performance equipment /
requirements of 5G networks system
integration
(UDx, FMx,
OUT)
Improper Proper processes to conduct resource Resource Support Implement sound support processes for Network MNO eTOM 20 /
processes to infrastructure maintenance and repair management Resource Resource Trouble Management, such as complexity; 1.5.4.3
support activities will be key to prevent and operation Trouble statistically driven preventative and scheduled new/untested
resource performance degradation caused by processes Management - maintenance and repair activities, and technology;
trouble unforeseen corelations and eTOM process monitoring, management and reporting on lack of
management dependencies, and to proactively identify type Resource Trouble Management processes, competences;
and remediate flaws that can affect aligned with the relevant eTOM reference and flawed design/
confidentiality, integrity, availability of industry best practices. equipment /
systems and data. system
integration
(UDx, FMx,
OUT)
Improper Improper processes to establish and Resource Manage Implement sound support processes for System MNO eTOM 20 /
management of manage the enterprise Resource management Resource resource inventory management, aligned with heterogeneity 1.5.4.5
resource Inventory Database may lead to and operation Inventory - the relevant eTOM reference and industry best (UDx, FMx,
inventory uncontrolled access to the resource processes eTOM process practices. OUT)
inventory and poor data quality, which in type
turn opens the path to risks such as Key objectives of these processes in the
resource misconfiguration, loss of context of 5GS migration include:
confidentiality for security-sensitive data - updating of processes and tools for resource
and inefficient resource allocation and inventory management and information
incident response capture;
- management of registration and access
control processes
- accuracy, completeness, and validation of
resource inventory;
226
December 2020
Associated Threats
Category Taxonomy)
Improper Party Agreement processes
Insufficient / Improper processes for party agreement Party Prepare Party Define and maintain a sound process to Nefarious MNO, Vendor, eTOM 20 /
improper management may lead to Insufficient / Agreement Agreement prepare agreements or a template agreement activities, Service 1.6.5.1
definition of improper definition of relevant processes that can be used as the basis for party-specific Improper Provider
relevant operational and security clauses in agreements. performance,
operational and agreements with suppliers and partners Improper
security Agreements should define the commercial definition of
clauses in terms and conditions and requirements to security
agreements ensure compliance with the technical / responsibilities
with suppliers operational reference specifications. All and
and partners agreements should include relevant security parameters,
clauses System
misconfigurati
on, Lack of
responsibility
(NAAx, UDx,
FMx, OUT,
LEG)
Improper Improper management of contract Party Manage Party Define and maintain a sound process to Nefarious MNO, Vendor, eTOM 20 /
management of variations may lead to improper updating Agreement Agreement manage changes to the terms/conditions of an activities, Service 1.6.5.4
contract of security-relevant clauses and processes Variation agreement during its term of agreement. Improper Provider
variations parameters, thus imperilling the overall performance,
security of the system Improper
definition of
security
responsibilities
and
parameters,
System
misconfigurati
on, Lack of
responsibility
(NAAx, UDx,
FMx, OUT,
LEG)
227
December 2020
Associated Threats
Category Taxonomy)
Improper Party Support processes
Support Party In the absence of sound processes to Party Support Support Party Define and maintain sound Support Party High-risk MNO, Vendor, eTOM 20 /
Requisition manage engagement with parties who processes Requisition Requisition Management processes to: suppliers, Service 1.6.6.1
Management own and manage outsourced Management - arrange and manage external party access to supplier Provider
infrastructure, and to ensure that the infrastructure deployment support tools and dependency,
Party Requisition Management processes; resource
processes are operating effectively, a - oversee roll-out of the new infrastructure; scarcity (UDx,
variety of risks affecting resource - track and monitor infrastructure deployment FMx, OUT,
integrity and availability may ensue. undertaken by contractors; LEG)
Also, as these processes manage - continuously update relevant inventories;
access authorisation, unauthorized
access may result from faulty processes
Support Party In the absence of sound processes to Party Support Support Party Define and maintain sound Support Party High-risk MNO, Vendor, eTOM 20 /
Performance manage performance restoration activity processes Performance Performance Management processes, aligned suppliers, Service 1.6.6.3
Management with outsourced infrastructure providers, Management with the relevant eTOM reference and industry supplier Provider
and to ensure that the Contractor best practices. dependency,
Performance Management processes resource
can operate effectively, resource and scarcity (UDx,
service availability issues may affect the FMx, OUT,
performance and security of the system LEG)
Support Party These processes are responsible for Party Support Support Party Define and maintain sound processes to High-risk MNO, Vendor, eTOM 20 /
Interface implementing generic and specific processes Interface ensure that there is adequate capability to suppliers, Service 1.6.6.5
Management changes to supplier/partner interfaces, Management support effective operation of the S/P Interface supplier Provider
and to keep up to date all information Management processes, aligned with the dependency,
concerning suppliers and partners. relevant eTOM reference and industry best resource
Inability to do so may lead to wrong practices. scarcity (UDx,
allocation of resources, inability to liaise FMx, OUT,
to S/P resources for resolution of LEG)
operational / security incidents or
allowing/maintaining unauthorized
access rights due to obsolete contact
data.
228
December 2020
Associated Threats
Category Taxonomy)
Improper resource provisioning processes
Improper Improper processes for allocation, Resource Allocate & Define and maintain sound processes to Network MNO eTOM 20 /
processes for installation, configuration, activation and provisioning Install allocate & deliver specific resources required complexity; 1.5.6.1
resource testing of specific resources to meet the processes Resource - to support new services, and to ensure that new/untested
allocation and service requirements, or in response to eTOM process sufficient information is supplied with the technology;
installation requests from other processes may lead type resource requisition orders regarding resource lack of
to resource capacity shortfalls, installation and configuration, aligned with the competences;
availability concerns or failure relevant eTOM reference and industry best flawed design/
conditions, as well as misconfiguration- practices. equipment /
related security risks system
integration
Improper / The objective of the Configure & Activate Resource Configure & Define and maintain sound processes to Network MNO eTOM 20 /
obsolete Resource Processes is to configure and provisioning Activate configure and activate the specific resources complexity; 1.5.6.2
processes to activate the specific resources allocated processes Resource - allocated against issued resource orders, new/untested
Configure & to fulfil resource orders. Improper eTOM process aligned with the relevant eTOM reference and technology;
Activate processes or obsolete data used in type industry best practices. lack of
Resources process may lead to insecure competences;
configuration of equipment as well as Key control objectives in the context of 5GS flawed design/
lack of visibility over the systems' active migration include: equipment /
resources. - configuration and activation approach and system
planning; integration
- resource inventory update with the (UDx, FMx,
configuration of new resources and their OUT, LEG)
status.
Improper Inefficient processes for tracking and Resource Track & Define and maintain sound processes to Network MNO eTOM 20 /
tracking & management fail to provide guarantee provisioning Manage ensure resource provisioning activities are complexity; 1.5.6.4
management of that all provisioning tasks are finished at processes Resource assigned, managed, and tracked efficiently, new/untested
resource the appropriate time and in the Provisioning - aligned with the relevant eTOM reference and technology;
provisioning appropriate sequence. An aggravating eTOM process industry best practices. lack of
circumstance is reliance on provisioning type competences;
activities when that have been Key control objectives in the context of 5GS flawed design/
outsourced or contracted to external migration include: equipment /
parties. - resource provisioning scheduling, allocation system
and coordination; integration
- tracking of the execution process; (UDx, FMx,
- including all relevant information to resource OUT, LEG)
orders, such as use case-specific security or
operational requirements;·
- Monitoring resource orders’ status, and
escalating resource orders as necessary;
- engaging external suppliers when necessary
229
December 2020
Associated Threats
Category Taxonomy)
Resource Trouble Management
Improper Improper resource alarm event Resource Survey & Define and maintain sound processes and Network MNO eTOM 20 /
survey and notification collection, filtering and Trouble Analyse tools to: complexity; 1.5.8.1
analysis of correlation impairs the ability of the Management Resource - detect, collect, record, and manage resource new/untested
resource operator to detect and respond to processes Trouble alarm events; technology;
trouble service impacting condition, either by - perform alarm event notification analysis, lack of
failing to respond to a relevant event, or correlation, and filtering; competences;
by allocating resources to deal with - report alarm events to relevant processes. flawed design/
false-positives, such as events triggered equipment /
by planned outages. system
In the case of security event integration
notifications, improper correlation and (UDx, FMx,
analysis may lead to significant losses of OUT, LEG)
Improper Improper procedures for root-cause Resource Localize Define and maintain sound processes and Network MNO eTOM 20 /
processes for analysis and problem isolation, or failure Trouble Resource tools to: complexity; 1.5.8.2
localisation of to abide by such procedures may lead to Management Trouble - - verify resource configuration and validate new/untested
resource significant delays in incident analysis processes eTOM process fitness for the relevant service features; technology;
trouble and response and degradation of type - schedule and perform diagnose, test, and lack of
operational and security attributes audit of resources in order to localise resource competences;
trouble events flawed design/
equipment /
system
integration
(UDx, FMx,
OUT, LEG)
Improper Improper procedures, or deficient Resource Correct & Define and maintain sound processes and Network MNO eTOM 20 /
processes for resource allocation for correction and Trouble Resolve tools to restore or replace resources that have complexity; 1.5.8.3
correction and resolution activities, as well as improper Management Resource failed as efficiently as possible, aligned with new/untested
resolution of communication of correction & resolution processes Trouble - the relevant eTOM reference and industry best technology;
resource results to other relevant processes may eTOM process practices. lack of
trouble lead to significant losses of operational type competences;
and security attributes. flawed design/
equipment /
system
integration
(UDx, FMx,
OUT, LEG)
230
December 2020
Associated Threats
Category Taxonomy)
Resource data collection & distribution
Incomplete / Processes and mechanisms for Security Data Collect Define and maintain sound processes and Network MNO eTOM 20 /
untimely / collection of management and security Management tools to collect management and security complexity, 1.5.7.1
inaccurate information and data records from and Security information and data records from resource evolving threat
Management resource and service instances and from Information & and service instances and relevant enterprise landscape
and Security relevant processes produces produce Data - eTOM processes, aligned with the relevant eTOM (NAAx, EIH4,
Information & incomplete / untimely / inaccurate or process type reference and industry best practices. Pax, UDx,
Data otherwise inadequate management and FMx, OUT,
security information and data Key control objectives in the context of DIS, LEG)
operation of 5GS include:
- collection of security information and data
from networks, systems, and security sensors
- collection of usage, network, security, and
information technology events and,
performance and other management
information
- distribution of relevant information to other
corporate processes or to resource and
service instances.
Improper Processing of management and security Security Data Process Define and maintain sound processes and Network MNO eTOM 20 /
processing of information and/or data that does not Management tools for processing of management and complexity, 1.5.7.2
management output a form suitable for the intended and Security security information & data, aligned with the evolving threat
and Security recipient processes, resource or service Information & relevant eTOM reference and industry best landscape
Information & instances renders such data unusable Data - eTOM practices. (NAAx, EIH4,
Data and hinders action upon it. process type Pax, UDx,
FMx, OUT,
DIS, LEG)
Inadequate Audit and analysis of information & data Security Data Audit and Define and maintain sound processes and Network MNO eTOM 20 /
processes for collection, processing and distribution Security Data tools to audit information & data collection complexity, 1.5.7.4
Audit of activities is not executed on a consistent Collection & activities, aligned with the relevant eTOM evolving threat
Management basis to identify possible anomalies and Distribution - reference and industry best practices. landscape
and Security to preserve audit data for future forensic eTOM process (NAAx, EIH4,
Data Collection use. type Pax, UDx,
& Distribution FMx, OUT,
DIS, LEG)
231
December 2020
Associated Threats
Category Taxonomy)
Improper Resource Performance Management Processes
Improper Improper processing of resource Performance Monitor Define and maintain sound processes and Network MNO eTOM 20 /
monitoring of performance data, or improper setting of data Resource tools to monitor received resource complexity, 1.5.9.1
resource performance thresholds and standards, Performance - performance information and perform direct evolving threat
performance as well as failure to notify relevant eTOM process detection of security-relevant events, aligned landscape
resource trouble or resource type with the relevant eTOM reference and industry (NAAx, EIH4,
performance management processes best practices. Pax, UDx,
may lead to failure to detect and FMx, OUT,
adequately respond to security-relevant Key control objectives in the context of DIS, LEG)
events. operation of 5GS include:
- first in detection of security relevant events
by monitoring specific resource performance
data;
- detection of performance threshold violations
that signal resource failures;
- detect performance degradation that provides
early warning of potential issues;
- log resource performance degradation and
violation details to ensure historical records
are available for other relevant processes.
Improper Control Resource Performance Performance Control Define and maintain sound processes and Network MNO eTOM 20 /
processes for processes are designed to optimize data Resource tools for timely and effective restoration of complexity, 1.5.9.3
controlling resource performance by restoring failed Performance - failed resource instances, or normal operation evolving threat
resource resource instances, or normal operation eTOM process thereof, aligned with the relevant eTOM landscape
performance thereof. Improper control plans, or type reference and industry best practices. (NAAx, EIH4,
improper decision making on necessary Pax, UDx,
controls may lead to exposure to FMx, OUT,
security risks or degradation of security DIS, LEG)
attributes. This is especially relevant due
to the highly interdependent nature of
5G systems
232
December 2020
Associated Threats
Category Taxonomy)
Improper Party Interaction Management Processes
Track and In the absence of sound processes to Party Track and Define and maintain sound processes and Network MNO, Vendor, eTOM 20 /
Manage Party ensure that Party Interactions are Interaction Manage Party tools to track and manage interactions with complexity, Service 1.6.9.3
Interaction managed and tracked efficiently to meet Management Interaction relevant parties, aligned with the relevant evolving threat Provider
applicable interaction policies and SLA Processes eTOM reference and industry best practices. landscape
requirements, performance and security (NAAx, EIH4,
deviations may appear Key control objectives in the context of Pax, UDx,
operation of 5GS include: FMx, OUT,
- track and manage timely completion and DIS, LEG)
closure of all interactions
- monitoring and notifying situation when
applicable SLAs are endangered;
- measure, analyse and communicate KPIs to
improve efficiency of interactions.
Handle Party The purpose of this process is to Party Handle Party Define and maintain sound processes and Loss of MNO, Vendor, eTOM 20 /
Interaction manage all requests. Improper Interaction Interaction tools to fulfil all inbound and outbound quality, legal Service 1.6.9.4
(Including Self management of interactions may leave Management (Including Self requests from/to external parties, aligned with threats, Provider
Service) unresolved security or operational Processes Service) the relevant eTOM reference and industry best supplier
events that involve external parties in practices. interface
analysis, response, and mitigation. complexity
(FMx, OUT,
LEG)
Improper Party Problem Handling Processes
Receive Party In the absence of sound processes to Party Problem Receive Party Define and maintain sound processes and Loss of MNO, Vendor, eTOM 20 /
Problem receive party-originated problems, Handling Problem tools to manage problem raised by, or related quality, Service 1.6.10.1
problems may get unnoticed and Processes to external parties, aligned with the relevant security Provider
unmanaged. eTOM reference and industry best practices. incidents,
legal threats
(NAAx, FMx,
OUT, LEG)
Assess Party In the absence of sound processes to Party Problem Assess Party Define and maintain sound processes and Loss of MNO, Vendor, eTOM 20 /
Problem analyse party problems, solutions are Handling Problem tools to manage problem raised by, or related quality, Service 1.6.10.2
not properly identified and implemented Processes to external parties, aligned with the relevant security Provider
eTOM reference and industry best practices. incidents,
legal threats
(NAAx, FMx,
OUT, LEG)
233
December 2020
Associated Threats
Category Taxonomy)
Track Party In the absence of sound processes to Party Problem Track Party Define and maintain sound processes and Loss of MNO, Vendor, eTOM 20 /
Problem track party problems, problems may stay Handling Problem tools to manage problem raised by, or related quality, Service 1.6.10.4
unsolved Processes to external parties, aligned with the relevant security Provider
eTOM reference and industry best practices. incidents,
legal threats
(NAAx, FMx,
OUT, LEG)
Analyse Party In the absence of sound processes to Party Problem Analyse Party Define sound processes to conduct and report Loss of MNO, Vendor, eTOM 20 /
Problem Trend analyse party problem trends, availability Handling Problem Trend trend analysis on party problems. These quality, Service 1.6.10.9
and integrity of critical systems and Processes should include security parameters security Provider
services may be imperilled incidents,
legal threats
(NAAx, FMx,
OUT, LEG)
Improper Party Performance Management Processes
Monitor & Improper processes to monitor & control Party Monitor & Improper processes to monitor & control Loss of MNO, Vendor, eTOM 20 /
Control Party performance of services, processes or Performance Control Party performance of services, processes or quality, Service 1.6.11.1
Performance resources delivered by external parties Management Performance resources delivered by external parties open security Provider
open significant operational risks due to Processes significant operational risks due to the high incidents,
the high availability objectives of the 5G availability objectives of the 5G system and legal threats
system and attack path via forcing of attack path via forcing of emergency (NAAx, FMx,
emergency arrangements due to arrangements due to Supplier-side OUT, LEG)
Supplier-side performance degradation. performance degradation.
Track & The objective of the track & manage Party Track & The objective of the track & manage party Loss of MNO, Vendor, eTOM 20 /
Manage Party party performance resolution processes Performance Manage Party performance resolution processes is to ensure quality, Service 1.6.11.2
Performance is to ensure improvement and Management Performance improvement and restoration activities are security Provider
Resolution restoration activities are being assigned, Processes Resolution being assigned, coordinated, and tracked incidents,
coordinated, and tracked efficiently, and efficiently, and that corrective actions are legal threats
that corrective actions are initiated for initiated for any relevant performance (NAAx, FMx,
any relevant performance degradation degradation reports. Failure to do so may lead OUT, LEG)
reports. Failure to do so may lead to to degradation of operational and security
degradation of operational and security attributes.
attributes.
234
December 2020
Associated Threats
Category Taxonomy)
Manage and Improper management of Supplier Party Manage and Improper management of Supplier inventory Loss of MNO, Vendor, eTOM 20 /
Administer inventory may lead to availability, Inventory Administer may lead to availability, integrity, and quality, Service 1.6.21.2
Party Inventory integrity, and confidentiality risks on Management Party confidentiality risks on supplier data, including security Provider
supplier data, including capabilities, Processes Inventory capabilities, resources, and contact data. incidents,
resources, and contact data. These in These in turn may lead to operational and legal threats
turn may lead to operational and security security risks of unauthorized access, inability (NAAx, FMx,
risks of unauthorized access, inability to to respond to operational or security events, or OUT, LEG)
respond to operational or security resource misallocation.
events, or resource misallocation.
Business Continuity Management
Inadequate / Business continuity plans must be BCM Process Plan Business Business continuity must be carefully planned Disasters, MNO eTOM 20 /
obsolete updated to take into consideration the Continuity - and operational procedures that support outages (OUT, 1.7.2.1.2
business changed operational and risk landscape. eTOM process business continuity must be proactively tested, DIS)
continuity Failure to do so may lead to inability to type in line with the relevant eTOM specifications
plans respond to major disruptive events. and industry best practices.
Inadequate / Infrastructure recovery plans must be BCM Process Plan Proactive determination and implementation of Disasters, MNO eTOM 20 /
obsolete updated to take into consideration the Infrastructure recovery procedures and backup planning for outages (OUT, 1.7.2.1.3
Infrastructure changed operational and risk landscape. Recovery - all key 5G infrastructure capabilities and their DIS)
Recovery plans Failure to do so may lead to inability to eTOM process regular testing, in line with the relevant eTOM
respond to major disruptive events, type specifications and industry best practices.
Inadequate / Incident management plans must be BCM Process Plan Serious Plan and implement sound processes and for Disasters, MNO eTOM 20 /
obsolete updated to take into consideration the Incident Serious incident management, including roles outages (OUT, 1.7.2.1.4
incident changed operational and risk landscape. Management - and responsibilities, operational procedures, DIS)
management Failure to do so may lead to inability to eTOM process and escalation criteria.
plans respond to major disruptive events, type
Fraud Management
Failure to adapt Practices and processes for detection, Fraud Fraud Policy Manage and maintain sound policies for fraud Disasters, MNO eTOM 20 /
fraud investigation, ongoing education, tool Management Management - prevention and management, aligned with the outages (OUT, 1.7.2.3.1
management uses, feedback of identified frauds, eTOM process relevant eTOM specifications and industry best DIS)
policies and external interactions (partners, LEAs) type practices.
controls must be adapted to the risks of 5G
operations and technology. Failure to do
so may lead to inability to prevent,
detect, and respond to fraud,
235
December 2020
Associated Threats
Category Taxonomy)
Insurance management
Failure to With the introduction of the 5G systems, Insurance Identify The risk management process must ensure Outages, MNO eTOM 20 /
identify areas, and activities within the enterprise management Insurable that all risks that are insurable are identified, failures and 1.7.2.5.1
insurable risks where risk aspects are insurable must Risks - eTOM assessed, and appropriately mitigated. malfunctions,
be updated. Failure to identify insurable process type denial of
risks may lead to unnecessary risk service
exposure. attacks,
privacy threats
(OUT, DIS,
NAA5)
Regulatory management
Failure to 5G system with its verticals will involve Regulatory Ensure Ensure that the enterprise complies with all Evolving and MNO eTOM 20 /
identify and significant changes in applicable management regulatory existing government regulations. complex 1.7.6.4
comply with compliance requirements, including but compliance - regulatory
updated not limited to security, privacy, consumer eTOM process landscape,
compliance protection. Failure to identify applicable type outages,
requirements requirements for implementation failures and
scenarios and verticals may lead to malfunctions,
significant regulatory actions denial of
service
attacks,
privacy threats
(NAAx, OUT,
DIS, LEG)
236
December 2020
Associated Threats
Category Taxonomy)
Security management
Non-proactive Security management processes should Security Manage Identify internal and external sources of threat. Evolving MNO eTOM 20 /
Security proactively identify areas of threat and management Proactive Areas of threat can be physical or logical. threat 1.7.2.2.1
Management support the categorization and Security landscape,
prioritization of threat and deal with Management - Set up a sound framework for security risk network
exposure to loss of value or reputation. eTOM process analysis. complexity,
Failure to ensure a systematic risk type Connect to information exchange sources and resource
analysis framework based on ENISA Threat communities. scarcity, lack
information collection and exchange Landscape of
leaves the organisation exposed in the competences,
context of implementing 5G technology advanced
in which the threats and vulnerabilities threats, fraud,
landscape is in ongoing exploration. abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
Failure to Monitoring of industry trends and best Security Monitor Security management threat minimization Evolving MNO eTOM 20 /
monitor practice approaches is essential to management Industry through monitoring of industry trends and best threat 1.7.2.2.2
Industry ensure the 5G operator is on top of Trends for practice approaches. landscape,
Trends for security challenges. Failure to do so is Security network
Security especially damaging in the context of 5G Management - complexity,
Management technology in which the threats and eTOM process resource
vulnerabilities landscape is in ongoing type scarcity, lack
exploration. ETSI, GSMA, of
3GPP, ITU competences,
Standards advanced
ENISA Threat threats, fraud,
Landscape abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
237
December 2020
Associated Threats
Category Taxonomy)
Inadequate / Security Management corporate policies, Security Define Define and follow corporate policies, Evolving MNO eTOM 20 /
obsolete guidelines, best practices, and auditing management Security procedures, guidelines, best practices. Audit threat 1.7.2.2.3
Security processes need to be updated to adapt Management processes are needed to provide assurance landscape,
Management to the new challenges posed by the new Policies & that the necessary control structures are in network
Policies & technologies and subsequently changed Procedures - place and provide assurance that the complexity,
Procedures operations, services, and business eTOM process procedures are followed and are effective. resource
models. type scarcity, lack
ISO 27011 / of
ITU 1051 competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
Failure to Security management functions should Security Assist with Deploy appropriate physical infrastructure, Evolving MNO eTOM 20 /
involve assist operational areas in deploying management Security procedures, and monitoring capabilities to threat 1.7.2.2.4
security appropriate infrastructure, procedures, Management support relevant operational areas. Security landscape,
management and monitoring capabilities. Security Deployment - Management processes are implemented at network
functions in management functions should be eTOM process many levels of the enterprise. complexity,
Deployment of involved in all phases of the system type resource
adequate lifecycle. Failure will be translated in scarcity, lack
security poorly deployed or inadequate security of
controls controls competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
238
December 2020
Associated Threats
Category Taxonomy)
Improper data Improper definition and deployment of Security Manage Implementation of tools and capabilities for Evolving MNO eTOM 20 /
collection updated processes and tools to capture management Reactive data collection on operational activity. threat 1.7.2.2.5
capabilities relevant operational and security date Security Incorporate in the operational infrastructure the landscape,
may generate significant blind spots that Management - procedures and facilities for security network
may impede security management and eTOM process monitoring, control, and management in the complexity,
fraud prevention activities. type areas of the SIP process and Operations. resource
Integration of these processes with relevant scarcity, lack
fraud management processes. of
competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
Improper Failure to adapt analysis and correlation Security Detect Up to date data analysis and correlation tools Evolving MNO eTOM 20 /
detection algorithms and procedures to the new management Potential and rulesets to detect potential threats, threat 1.7.2.2.6
capabilities of technologies and changed threat Security security violations, fraud, or other security- landscape,
Potential landscape may leave the operator Threats & relevant events. network
Security unable to detect potential threats, Violations - complexity,
Threats & security violations, fraud, or other eTOM process resource
Violations security-relevant events. type scarcity, lack
of
competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
239
December 2020
Associated Threats
Category Taxonomy)
Investigate Forensic procedures must be adapted to Security Investigate Update tools, processes, and rulesets for Evolving MNO eTOM 20 /
Potential new technologies. Failure to do so may management Potential forensic investigations to provide capabilities threat 1.7.2.2.7
Security impede investigations and fitness of Security adequate to the new technologies. landscape,
Threats & forensic evidence. Threats & network
Violations Violations - complexity,
eTOM process resource
type scarcity, lack
of
competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
Improper Improper process to select, design and Security Define Implementation of risk management plans that Evolving MNO eTOM 20 /
security risk specify a baseline set of security management Security take into account in addition to technical threat 1.7.2.2.8
treatment controls may leave the system Management options and the value of assets to be landscape,
unprotected by ignoring relevant areas Prevention - protected, as well as the probability of threats. network
or failing to identify adequate sizing and eTOM process complexity,
prioritisation of preventive measures. type The technical specifications of security resource
ISO/IEC controls, operational procedures such as scarcity, lack
27011 / ITU vulnerability management, risk assessment of
X.1051 and secure configuration procedures must be competences,
EU 5G considered. advanced
Toolbox Catalogues of best practices such as EU 5G threats, fraud,
Implementatio Toolbox Implementation Plan and ISO abuse (NAAx,
n Plan 27011/ITU x.1051 provide frameworks to EIH4, PAx,
check for completeness and consistency of UDx, FMx,
prevention measures. OUT, DIS,
LEG)
240
December 2020
Associated Threats
Category Taxonomy)
Improper Failure to define updated policy-based Security Define Development of security monitoring Evolving MNO eTOM 20 /
Monitoring of tools and processes for collection, management Monitoring to procedures as part of prevention process, threat 1.7.2.2.9
Security filtering, aggregation, distribution, and Facilitate which define rules for collecting and storing landscape,
retention of relevant data may lead to Security relevant data that come from or are associated network
several alternative risk scenarios: Management - with a certain set of managed resources and complexity,
monitoring blind spots, excessive eTOM process services. Tools and mechanisms for collection, resource
resource consumption, data overload, type filtering, aggregation, distribution, and scarcity, lack
inability to process data for relevant retention of relevant data will be implemented. of
decisions. competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
Improper Failure to adapt tools and procedures for Security Define Update and maintain sound processes and Evolving MNO eTOM 20 /
Security assessment of collected/correlated data management Security tools for collecting, assessing, and correlating threat 1.7.2.2.10
Management for events or trends of interest may lead Management relevant data into statistical models to detect landscape,
Analysis to inability to form complete and Analysis - patterns and trends, in line with industry best network
accurate picture of events and eTOM process practices and newly implemented complexity,
conditions and in turn to failure to adapt type technologies. resource
preventive measures to changed threat scarcity, lack
and vulnerability environment. of
competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
241
December 2020
Associated Threats
Category Taxonomy)
Improper Failure to adapt policies and procedures Security Define Update and maintain sound implement policies Evolving MNO eTOM 20 /
Security for anomaly detection may lead to management Security and procedures for incident detection, in line threat 1.7.2.2.11
policies & operator unable to define automated Management with industry best practices and newly landscape,
procedures to policy-based remediation controls. policies & implemented technologies. network
facilitate Increased complexity of systems and procedures to complexity,
detection of operations may render current facilitate resource
incidents correlation & analysis tools unable to detection scarcity, lack
generate meaningful and accurate incidents - of
predictions and alerts. eTOM process competences,
type advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
Improper Incident management processes need to Security Define Implement ITSM-based or ISO 27011 incident Evolving MNO eTOM 20 /
Incident be adapted to take into account changed management Incident management policies and procedures to threat 1.7.2.2.12
Management technologies and processes and Management identify and undertake necessary response landscape,
policies and updated incident response ecosystem policies and and recovery actions that may be conducted network
procedures and responsibilities. procedures - by Business Continuity Management complexity,
eTOM process processes or within Operations or Assurance. resource
type scarcity, lack
ISO 27011 / of
ITU X.1051 competences,
advanced
threats, fraud,
abuse (NAAx,
EIH4, PAx,
UDx, FMx,
OUT, DIS,
LEG)
242
December 2020
L ANNEX: DETAILED VULNERABILITIES IN

VENDOR PROCESSES

Category Taxonomy)
Design
Failure to apply Security-by-design ensures Vendor Security by The Network Product shall implement Design Flaws, Vendor, GSMA FS.16
security vulnerabilities can be mitigated by a Development design security by design throughout the whole Exploitation of Auditor /7.2.1.
architectural and secure design of the Network Product. Processes, 5G development and product lifecycles. vulnerabilities.
security design Failure to apply security architectural System Therefore, architecture and design (NAAx, UDx)
principles and security design principles and follow Components decisions shall be made based on a set
throughout the them throughout the entire development of security principles that are tracked
development lifecycle leads to structural security throughout the development and product
lifecycle. problems that imperil the security of the lifecycles.
components and of the 5G system Security principles must be considered
and applied when appropriate. In the
design phases, a threat analysis process
for the Network Product shall be
undertaken to identify the potential
threats and related mitigation measure
Coding
Lack of or Failure to apply consistent code review Vendor Source code The Equipment Vendor shall ensure that Insecure Code Vendor, GSMA FS.16
improper code in line with specification and security Development review process; new and changed source code dedicated (Source code Auditor /7.3.1.
review best practices elevates the risk of risk of Processes, 5G application of for a Network Product is appropriately dedicated for
accidental occurrence of vulnerabilities. System coding best reviewed in accordance with an use in the
Components practices; use of appropriate coding standard. If feasible, Network
static and the review should also be implemented Product leads to
dynamic code by means of using a Source Code a vulnerability)
review tools; Analysis Tool and automation where (NAAx, UDx)
external code appropriate
review process
243
December 2020
Ineffective code In absence of effective mechanisms for Vendor Robust change The Equipment Vendor shall ensure that Rogue Vendor, GSMA FS.16
governance code governance source code changes Development management no changes are introduced into the developer Auditor /7.3.1.
are not controlled, and it is impossible to Processes, 5G processes; Network Product without appropriate (secretly
trace reasons and requirements for System independent governance introduces a
code changes Components lines of control vulnerability into
for any changes source code
dedicated for
use in the
Network
Product) (NAAx,
UDx)
Compilation
Vulnerabilities in Compilation and build processes and Vendor Automated Build The Equipment vendor shall apply an Malicious Vendor, GSMA FS.16
Build process environment must protected from Development Process; Build automated build tool with a minimum of attacker, Auditor /7.4.1, 7.4.2
and environment tampering, to ensure that builds are Processes, 5G Environment manual intervention to compile the Tampering with
reproducible, deterministic and cover System Control source code and store the build log. build tools
the security procedures defined by the Components All the data (including source code, (NAAx, UDx)
Equipment Vendor. Manipulated build building scripts, compilation tools, and
tools or parameters may introduce compilation environment) of the
vulnerabilities to the Network Product compilation build environment shall come
through the compilation environment. directly from a version control system.
Testing
Lack of or Failure to ensure proper testing leaves Vendor Security testing Security testing should include the Rogue Vendor, GSMA FS.16
improper the network products exposed to Development validation of security functionality, both developer, Poor Auditor /7.5.1.
security testing vulnerabilities and unexpected and Processes, 5G positive and negative testing, as well as Design,
unspecified behaviour. System vulnerability testing of the Network Erroneous /
Components Product. Network Products are to be Insecure Code
tested from a security perspective within (NAAx, UDx)
a fair representation of the operational
environment. Vulnerability testing shall
test for the robustness of the Network
Product against undefined/unexpected
input.
Release
Improper Software integrity verification methods Vendor Software The Equipment Vendor shall establish Intentional or Vendor, GSMA FS.16
verification of are not implemented or not effective. In Development Integrity and maintain methods to ensure that the unintentional Auditor /7.6.1.
software integrity their absence, maliciously or Processes, 5G Protection delivery of Network Products is carried use of non-
unintentionally tampered software loads System out under controlled conditions. The genuine release
may be accidentally installed. Components mobile network operator shall be (NAAx, UDx)
provided with appropriate means to
identify whether a received software
package is genuine
244
December 2020
Ambiguous Failure to ensure that software versions Vendor Strict release All released software package versions Intentional or Vendor, GSMA FS.16
software release are uniquely identified may lead to old Development mechanisms shall bear a unique identifier that maps to unintentional Auditor /7.6.2.
identifiers versions of software being accidentally Processes, 5G including a specific build version use of outdated,
installed and old vulnerabilities being re- System allocation of vulnerable
introduced in networks. Components unique identifiers release (NAAx,
to software UDx)
versions
Inaccurate / Failure to ensure that product Vendor Change Customer documentation shall be up to Intentional or Vendor, GSMA FS.16
obsolete documentation is updated in all security Development management date in all security related aspects and unintentional Auditor /7.6.3., 7.6.4.
documentation relevant aspects and properly reflects Processes, 5G processes. Strict reflect the current functionality of the impairing of
the current functionality. This may in System release Network Product at the time when both system
turn impair operation, protection and Components mechanisms. the Network Product, or software operation or
maintenance of network products. Documentation upgrades of it, and the customer security (NAAx,
management. documentation are shipped to the UDx, FMx)
customer.
The documentation delivered with the
Network Products contains all up-to-date
information necessary to securely
configure and run the Network Product.
Operation
Failure to For all security inquiries the customer Vendor Security Point of The Equipment Vendor shall provide a Security Vendor, GSMA FS.16
provide a should know who to approach in the Development Contact point of contact for security incidents Auditor /7.7.1.
security contact Equipment Vendor organisation. In Processes, 5G questions/issues and communicate this (NAAx, UDx,
absence of a clear communication from System point of contact to its customers and FMx)
the Equipment Vendor to let clients Components 3rdparty vulnerability disclosers. This
know who to contact for any security point of contact shall be able to find the
inquiries or incidents, incident response right person/department inside the
and resolution are impaired. Equipment Vendor organisation to deal
with security concerns raised by a
customer/3rd party vulnerability discloser
Insufficient Failure to collect and process updated Vendor Threat and The Equipment Vendor shall have Exploitation of Vendor, GSMA FS.16
vulnerability information with regard to vulnerabilities Development vulnerability reliable processes in place to ensure it unfixed Auditor /7.7.2.
awareness in 3rd party components may lead to Processes, 5G intelligence can become aware of newly revealed vulnerabilities
situations in which vulnerabilities go System potential vulnerabilities in used 3rd party (NAAx, UDx)
undetected although they may be Components components and to evaluate whether
publicly known and are therefore not they result in vulnerabilities in the
mitigated. Network Product
Ineffective In absence of a reliable process to deal Vendor Vulnerability The Equipment Vendor shall establish a Exploitation of Vendor, GSMA FS.16
vulnerability with vulnerabilities found in, or in Development Remedy Process process to deal with vulnerabilities found unfixed Auditor /7.7.3, 7.7.4
remedy process relation to, released Network Products it Processes, 5G and mechanisms in, or in relation to, released Network vulnerabilities
cannot be ensured that known System Products. Vulnerabilities shall be dealt (NAAx, UDx)
vulnerabilities are addressed Components with appropriately and, if applicable,
appropriately and timely. Failure to patches/software upgrades shall be
deploy security patches independently distributed to all affected mobile network
245
December 2020
from regular functional updates operators, in order to honour existing

increases the time window of exposure. maintenance contracts within an agreed
schedule.
Equipment Vendor shall have the facility
to provide patches/software upgrades
that close security vulnerabilities
independently from unrelated
patches/software upgrades that modify
functionality of the Network Product
Unreliable Absence of reliable processes and Vendor Vulnerability A reliable process shall ensure that Exploitation of Vendor, GSMA FS.16
communication mechanisms to inform network Development Remedy Process information regarding available security unfixed Auditor /7.7.5.
of software fixes operators that security fixes are Processes, 5G and mechanisms related fixes is communicated to mobile vulnerabilities
available, unnecessarily extends the System network operators that have maintenance (NAAx, UDx)
window of vulnerability within their Components agreements in place at the time the fix is
networks. released
Entire lifecycle
Improper version The version control system should cover Vendor Version control During the entire lifetime of a Network Rogue Vendor, GSMA FS.16
control system all relevant components of the network Development system Product, the Equipment Vendor shall developer Auditor /7.8.1.
product, and it should ensure Processes, 5G utilise a version control system on (NAAx)
accountability, authorisation and System hardware, source code, build tools and
integrity of all changes. Otherwise, the Components environment, binary software, 3rd party
changes in components cannot be components, and customer
controlled, and vulnerabilities may find documentation ensuring accountability,
their way in to the finished product, authorisation and integrity of all changes
unintentionally or on purpose.
Improper change Properly controlled change Vendor Change tracking The Equipment Vendor shall establish a Rogue Vendor, GSMA FS.16
management management is essential to ensure that Development comprehensive, documented and cross developer Auditor /7.8.2.
process changes are appropriate, effective, Processes, 5G Network Product line procedure to (NAAx) ISO/IEC
properly authorised and carried out in System ensure that all requirements and design 27001
such a manner as to minimise the Components changes, which may arise at any time /A.12.1.2.
opportunity for either malicious or during the development and product
accidental compromise. Failure to do so lifecycles and which impact the Network
may lead to uncontrolled Product(s), are managed and tracked in
a systematic and timely manner
appropriate to the life cycle stage of all
affected product components in all
Network Products.
Insufficient Staff involved in design, engineering, Vendor Staff education Continuous education of all staff involved Insecure Code Vendor, GSMA FS.16
security development, implementation, and Development in Network Product design, engineering, (NAAx, UDx) Auditor /7.8.3.
education and maintenance is insufficiently aware of Processes, 5G development, implementation, testing ISO/IEC
awareness of IT/network security matters. System and maintenance shall be provided to 27001
staff Components ensure knowledge and awareness on /A.7.2.2
security matters, relevant to their roles
are up-to-date
246
December 2020
Ineffective In the absence of an effective ISMS, Vendor Information In the entire lifecycle, the Equipment Information Vendor, GSMA FS.16
Information reliable identification and mitigation of Development Security Vendor shall employ an information Leakage Auditor /7.8.3
Security risks and achievement of relevant Processes, 5G Management classification and handling scheme to (NAA4) ISO/IEC
Management security objectives cannot be System Continual avoid sensitive information, such as 27001 /4-10
System demonstrated. Components Improvement security flaws, signing keys, etc., being
Process leaked
The Equipment vendor must have a
continual improvement process for its
development and product lifecycle and
this process must include a root cause
analysis of the security flaws. The
resulting improvements shall be
incorporated into the relevant design or
processes.
247
December 2020
M ANNEX: DETAILED VULNERABILITIES IN

SECURITY ASSURANCE PROCESSES
Associated
Vulnerability of security controls Taxonomy)
Category
Standardisation Processes
Obsolescence As 5G technology is rapidly advancing and Assurance Standardisation {NA} {NA} ENISA, CSA
of standards new security risks and requirements are processes, Harmonisation Standardisatio Regulation
identified, standards need to be updated 5GS n Bodies,
constantly. Slow response of components Industry
standardisation activities to technological Associations
advances and security research may leave
the systems exposed.
Alignment of As several organisation are working on Assurance Standardisation {NA} {NA} ENISA, CSA
standards standardisation in the 5G sector, alignment processes, Harmonisation Standardisatio Regulation
of standards is paramount to ensure 5GS n Bodies,
consistency and usability of developed components Industry
references Associations
Missing While security assurance specifications Assurance Standardisation {NA} {NA} ENISA, CSA
security exist for the building blocks of the 5G processes, Harmonisation Standardisatio Regulation
requirements system, no security assurance criteria and Communicat n Bodies,
reference for processes are defined for 5G verticals. ion services Industry
verticals This may leave relevant security Associations
considerations not covered or reference
security requirements unfit for specific use
cases.
248
December 2020
Associated
Category
Accreditation Processes
Recognition of While GSMA accreditation body and the Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
accreditation accreditation scheme are internationally processes pending decision from Member States security European Regulation
scheme agreed by all technology providers, no (NIS CG, ECCG)] certification Commission,
mechanisms such as peer review are in ECCG
place to ensure recognition of the
accreditation scheme by all relevant
stakeholders.
No alignment Accreditation and conformity assessment Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
with processes should be aligned with the processes pending decision from Member States security European Regulation
internationally internationally recognized conformity (NIS CG, ECCG)] certification Commission,
recognized assessment standards - the ISO 17xxx ECCG
standards for series. Failure to do so may cast doubt on
accreditation the soundness of conformity assessment
and conformity processes.
assessment
Lack of control While the existing assurance scheme - Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
by regulatory NESAS/SCAS- is accepted by processes pending decision from Member States security European Regulation
and manufacturers and operators, it defines no (NIS CG, ECCG)] certification Commission,
supervisory oversight mechanisms from regulatory and ECCG
bodies supervisory bodies.
Conformity Assessment Processes
No security While SECAM / SCAS scheme provides Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
evaluation of that accredited security test laboratories processes, pending decision from Member States security European Regulation
the operational (vendors or third party) evaluate network 5G (NIS CG, ECCG)] certification Commission,
environment product according to SCAS. Conformity components ECCG
and security evaluation is performed on
individual network products in a vendor-
documented configuration for SECAM
testing, without due consideration on the
environment for specific deployments.
249
December 2020
Associated
Category
Insufficient The logic of the SECAM/SCAS scheme is Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
assurance of that environmental assumptions taken into processes, pending decision from Member States security European Regulation
environmental consideration at product testing time are 5G (NIS CG, ECCG)] certification Commission,
assumptions upheld and tested at deployment by the components ECCG
Operator. This validation of environmental
assumptions can only be performed during
deployment and is needed for security, but
at present no framework exists to provide
sufficient assurance for a third-party
certification
Certification Certification must not be a barrier to entry Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
overhead and or to innovation. Any certification scheme processes pending decision from Member States security European Regulation
relevance needs to add value and go beyond a box (NIS CG, ECCG)] certification Commission,
ticking exercise ECCG
No assessment No agreed assessment/certification Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
scheme for scheme for virtualised products. processes, pending decision from Member States security European Regulation
evaluation of Virtualised (NIS CG, ECCG)] certification Commission,
virtualized Network ECCG
products Products
Insufficient Once the operator received the evaluation Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
security report, the operator then decides if the processes, pending decision from Member States security European Regulation
assurance level results are sufficient according to its Legal (NIS CG, ECCG)] certification Commission,
internal policies and whether to accept the Requirement ECCG
security assurance level of the network s
product or not. The operator's acceptance
decision may depend on external forces
such as regulatory requirements.
Re-use of In the absence of a recognized Assurance EU 5G CSA Scheme [Scheme to be developed given Lack of EU-wide ENISA, CSA
evidence assessment scheme of conformity processes, pending decision from Member States security European Regulation
created by assessment bodies, re-use of evidence Legal (NIS CG, ECCG)] certification Commission,
conformity produced by auditors and laboratories to Requirement ECCG
assessment support certification processes or s
bodies regulatory compliance statements is
limited.
250
ABOUT ENIS A
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to
achieving a high common level of cybersecurity across Europe. Established in 2004 and
strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity
contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and
processes with cybersecurity certification schemes, cooperates with Member States and EU
bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge
sharing, capacity building and awareness raising, the Agency works together with its key
stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s
infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. More
information about ENISA and its work can be found at www.enisa.europa.eu.
ISBN: 978-92-9204-445-9
DOI: 10.2824/802229

ENISA 5G Threat Landscape - Update

Uploaded by

Copyright:

Available Formats

ENISA 5G Threat Landscape - Update

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ENISA 5G Threat Landscape - Update

Uploaded by

Copyright:

Available Formats

What is ENISA and what is its role?

What is ENISA and what is its role?

What are the main components of 5G network design and architecture?

What are the main components of 5G network design and architecture?

`

ISBN: 978-92-9204-445-9 - DOI: 10.2824/802229

3. 5G NETWORK DESIGN AND ARCHITECTURE 17

5.4 THE RELEVANCE OF ASSETS THROUGHOUT THE LIFECYCLE 100

7. THREAT AGENTS 118

A ANNEX: ASSETS MAP 123

LIST OF ACRONYMS AND

3GPP 3rd Generation Partnership Project

Therefore, the ENISA 5G Threat Landscape aims at contributing to the EU Cybersecurity

1.2 SCOPE AND METHODOLOGY

 The threat and vulnerability analysis performed is based on the extrapolation of

 The comprehensive architecture of 5G developed in the previous threat landscape

 Implementation options – migration paths from 4G to 5G infrastructures have been

 The development of this report followed a ‘best-effort’ approach. The collected

 To collect relevant technical material and available 5G knowledge, ENISA has

 The content of this report was restricted to components/matters found in relevant

Figure 1: Methodology adopted based on ISO 27005

Wish to abuse and/or may damage

1.3 TARGET AUDIENCE

 Non-technical stakeholders such as policy-makers, regulators, law enforcement: this

 Experts working in the telecommunication sector, such as operators, vendors, and

1.4 STRUCTURE OF THE REPORT

 Chapter 2 presents the stakeholders having a role in all phases of 5G implementation,

 Chapter 3 presents the architectural framework of 5G technology by offering a generic

 Chapter 5 presents the 5G asset inventory. It consists of a collection of important

 Chapter 6 presents an overview of the assessed cyber-threats. Interrelated threats

 Chapter 7 provides information on threat agents. It is a first approach towards the

The detailed vulnerabilities, emerging security requirements, corresponding threat groups

2.1 STAKEHOLDERS MAPPING

 Service customers (SC);

 Network infrastructure providers;

 International standardisation bodies holding an obvious role in the development of

 Accreditation bodies will be active in the assurance of security

3. 5G NETWORK DESIGN AND

3.1 5G USE CASES

Table 1: 5G Deployment Scenarios

Intelligent transportation systems (ITS) and vehicle-to-anything (V2X) communications

Integrated access and backhaul (IAB)

NR-Based access to unlicensed spectrum (NR-U)

Table 2: Additional 5G enabling features for all verticals

Release 16 introduces MIMO enhancements including:

Dual connectivity and carrier aggregation (CA/DC)

Enhanced ultra-reliable, low-latency communication (eURLLC)

Self-Organised Network (SON)

Figure 2: Timeline of 3GPP specification versions

It is considered as meaningful to plan prospective versions of the 5G Threat Landscape in order

3.2 GENERIC 5G ARCHITECTURE

Figure 3: Generic 5G Architecture

3.3 CORE NETWORK ARCHITECTURE (ZOOM-IN)

Figure 4: Core network architecture Zoom-in

The description of the elements of 5G Core network are as follows:

Element Short description

Access and Mobility (As defined in 3GPP TS23.501 Section 6.2.117)

Session Management (As defined in 3GPP TS23.501 section 6.2.2)

User plane function UPF supports:

Policy Control Function PCF supports: