NSA shares tips on mitigating 5G network slicing threats

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), have published a joint report that highlights the most likely risks and potential threats in 5G network slicing implementations.

The report also provides mitigation advice and a framework for developing defense and prevention strategies implemented by 5G network operators, integrators, and providers.

The 5G network slicing report builds upon Potential Threat Vectors to 5G Infrastructure, a paper published last year by the Enduring Security Framework (ESF) cross-sector working group focused on addressing risks and threats to the security and stability of U.S. national security systems.

5G network slicing

5G network slicing is a configuration architecture that allows creating multiple virtualized and independent networks on top of a common physical infrastructure.

Each network slice is an isolated end-to-end network dedicated to the fulfillment of particular requirements for each application.

Potential applications for network slices include autonomous vehicle fleets, virtual and augmented reality solutions, industrial automation systems, etc.

Network slicing diagram
Network slicing examples (CISA)

The users of network slices of each of these applications are authenticated for that particular network area, achieving data and security isolation for the wider 5G infrastructure and other slices.

Network slicing is made possible through Network Function Virtualization (NFV), one of the main advantages of a 5G network, offering different users operational efficiency, resiliency, and higher quality of service and support.

NFV essentially removes the need of hardware like routers and firewalls and virtualizes them in cloud-based servers. It also moves all network functions to the radio interface or the cloud, and dynamically allocates bandwidth to match each user’s performance requirements.

Moreover, NFV offers better monitoring and logging options, enabling network engineers to detect anomalies and prevent security breaches more effectively.

Mobile network operators implement 5G network slicing via specialized network Management and Network Orchestration systems (MANO).

"The MANO system [shown below] supports slice design and creation, activation, deactivation, and termination across the Radio Access Network (RAN), core network, and transport network domains," explains the guidance.

Network slicing management system
Telecom operators network slicing management system (CISA)

Most prominent threats

The CISA guidance highlights the complexity of managing the network slices, resulting in critical security gaps.

“While there are standards defining specifications for how network operators build their 5G network, there are not clear specifications for how network operators should develop and implement security for network slicing,” mentions the paper.

“Improper network slice management may allow malicious actors to access data from different network slices or deny access to prioritized users.”

The three most relevant threat vectors to 5G network slicing are denial of service (DoS) attacks on centralized control elements, attacks leveraging misconfigured system controls, and man-in-the-middle (MitM) attacks on unencrypted network channels.

In the case of DoS attacks, threat actors disrupt the service, thus making the network slice unavailable for legitimate users.

MitM attacks would not only threaten to disclose confidential information and expose user data but could also allow an intermediary to modify the transmitted messages, resulting in misinformation.

Attacks taking advantage of misconfigurations could have a broad range of implications, as the adversary could exploit them to deactivate system monitors and security features.

Chaining multiple attack types is also possible, delivering potentially devastating attacks that could extend beyond a single network slice.

CISA provides an example of such an attack where a threat actor conducts an International Mobile Subscriber Identity (IMSI) caching attack on an autonomous vehicle service, degrading its performance and reliability.

The attacker uses IMSI caching to derive the vehicle’s precise location, cargo information, and routes.

Next, the threat actor deploys a DoS attack on the network signaling place to disrupt the link between the autonomous vehicle and its controller and then launches a configuration attack to disable security features or change the VNF policies.

If the operator hasn’t implemented robust security measures to prevent unauthorized policy changes, the attacker could expand their access to other network slices on the same infrastructure.

Mitigation recommendations

CISA suggests that operators apply network management and monitoring in four logical layers (shown below) to identify and address any potentially malicious disruptions as soon as possible.

Monitoring layers

Moreover, the guidance suggests that operators use multiple network monitoring solutions, as these generate different data that can be used to gain insight into unauthorized network activity.

Monitoring solutions

The paper promotes the principles of Zero Trust architecture where all logged-in users are constantly verified and all network requests are validated.

This makes intruder activities less likely to go unnoticed or have any damaging impact, as no users are inherently trusted, so they are bound to be stopped in one of the multiple data inspection points.

Common Zero Trust strategy components include multi-factor authentication, data encryption, multi-layered security for access control, cross-domain boundaries, and instance isolation.

Related Articles:

NSA shares zero-trust guidance to limit adversaries on the network

New Google Chrome feature blocks attacks against home networks

CISA warns of Microsoft Streaming bug exploited in malware attacks

CISA cautions against using hacked Ivanti VPN gateways even after factory resets

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks