5G Security Standards for Business Networks

5G networks are transforming how businesses operate, offering faster speeds, lower latency, and the capacity to connect up to 1 million devices per square kilometer. But with these advancements come new security challenges. Here’s what you need to know:

  • Increased Risks: The cloud-native design of 5G expands the attack surface, introducing vulnerabilities in APIs, virtualized infrastructure, and connected devices.
  • Key Standards: Security measures are guided by 3GPP TS 33.501, IEC 62443, and GSMA NESAS, covering device access, network slicing, and API security.
  • Advanced Protections: Features like the Subscription Concealed Identifier (SUCI) and Security Edge Protection Proxy (SEPP) ensure encrypted communication and secure inter-network connections.
  • Deployment Choices: Businesses can opt for Standalone (SA) 5G for advanced features or Non-Standalone (NSA) for easier integration with existing 4G systems. Private networks offer more control but require higher investment and expertise.
  • Zero-Trust Approach: Continuous verification of devices, users, and data is critical to mitigating risks in a virtualized 5G environment.
  • Supply Chain Security: Weak links in hardware or software can expose networks to threats, making vendor assessments and compliance with global standards essential.

Key Takeaway: Securing 5G networks demands a proactive approach, combining robust standards, targeted risk assessments, and advanced security measures like network slicing and micro-segmentation. Businesses must prioritize security from the start to protect sensitive data and maintain operational continuity.

Assessing Your 5G Deployment Model

MNO-Orchestrated vs On-Premise Private 5G Networks Comparison

Before implementing security measures, it’s crucial to identify what needs protection. Your deployment model shapes where vulnerabilities might arise, who is accountable for addressing them, and which safeguards align with your business needs. Essentially, your deployment architecture directly influences your security outcomes. This understanding forms the backbone of the deployment options discussed below.

Understanding Deployment Options

One of the first decisions you’ll face is whether to go with Standalone (SA) or Non-Standalone (NSA) deployment. SA deployments use a cloud-native 5G core, enabling advanced features like network slicing. However, this API-driven setup also increases the potential attack surface. On the other hand, NSA models rely on existing 4G LTE control planes, making initial deployment simpler but carrying over known vulnerabilities from legacy signaling systems.

For private networks, you’ll decide between MNO-orchestrated and on-premise models. MNO-orchestrated networks are managed by a Mobile Network Operator (MNO) via a central data center. This approach simplifies deployment but may route enterprise data through MNO infrastructure, limiting your control over data sovereignty. In contrast, on-premise private 5G networks give you full control over your data and operations. However, this comes with higher upfront costs and the need for in-house expertise to handle tasks like patching, monitoring, and incident response.

Ownership models introduce another layer of decision-making. With enterprise-managed deployments, you maintain full control over security settings and updates, but you also bear the operational workload. Operator-managed models split responsibilities between you and the provider, which can lead to visibility gaps if roles and obligations aren’t clearly outlined. Neutral host environments present additional risks, as multiple tenants share the same infrastructure. If isolation between tenants fails, a breach in one tenant’s slice could potentially affect others.

"Security outcomes are shaped by deployment architecture itself – by how trust boundaries are defined, how traffic is segmented, and how management access is governed." – Hema Kadia, TeckNexus

| Feature | MNO-Orchestrated Private 5G | On-Premise Private 5G |
| --- | --- | --- |
| Control | Managed mainly by the MNO | Managed by the enterprise |
| Data Sovereignty | Partial (Data may pass through MNO) | Full (Data stays on-site) |
| Cost Model | OPEX (Subscription-based) | CAPEX (High upfront investment) |
| Latency | Dependent on MNO edge proximity | Ultra-low (Local processing) |
| Operational Responsibility | Shared with provider | Full in-house burden |

Once you’ve defined your deployment model, you can move on to a targeted risk assessment to identify specific vulnerabilities.

Conducting a Risk Assessment

As device density increases, so do potential attack vectors. To secure your network, map it across six key domains: RAN, Core/Control Plane, User Plane, Edge/Applications, Devices/Gateways, and Management/Orchestration. Each domain comes with unique entry points for potential attacks. Among these, the management plane is particularly critical since it holds the highest administrative privileges. It must remain strictly isolated from production traffic to prevent attackers from gaining control of your entire network.

Pay special attention to the location of your User Plane Function (UPF). Placing it at the edge can enhance performance through local breakout, but it also adds complexity to segmentation. In setups where OT (Operational Technology) overlaps with enterprise IT, a misconfigured breakout point could allow lateral movement between safety-critical systems and general business networks.

Given the broad integration of 5G networks, supply chain security becomes a pressing concern. Review every vendor’s patching protocols, security certifications, and adherence to international standards. A single compromised component – whether hardware or software – can expose your entire infrastructure to potential backdoors. Regular penetration testing is essential to uncover vulnerabilities before attackers do.

Carefully map data flows from device authentication to application access, and establish strict trust boundaries to isolate sensitive network segments. For example, radio-layer authentication should not automatically grant application access. To maintain security, separate your management plane from production traffic using hardened configuration baselines. This prevents configuration drift as your network scales.

Lastly, secure edge nodes by restricting access and maintaining detailed entry logs. Review these logs every 90 days and enforce password changes on the same schedule for high-security management systems. By taking these steps, you can strengthen your network’s resilience against potential threats.

Implementing Key Security Measures

After evaluating your deployment model and pinpointing vulnerabilities, the next step is to implement controls that protect every layer of your network. With 5G’s shift to a cloud-native architecture, traditional perimeter-based defenses no longer suffice. Instead, focus on identity-centric security – verify every access request, isolate traffic based on functionality, and enforce rigorous authentication across all network domains.

Role-Based Access Control (RBAC)

In a 5G environment, RBAC goes beyond simple credentials by incorporating 5G-AKA (Authentication and Key Agreement) and EAP-AKA’ protocols. These protocols leverage hardware-based credentials like USIM/UICC or eSIM to establish trust while encrypting permanent identifiers (SUPI) into Subscription Concealed Identifiers (SUCI).

To secure Service-Based Architecture (SBA), network functions rely on APIs protected by OAuth 2.0 tokens and TLS certificates. Using short-lived, narrowly scoped tokens mitigates the risks associated with static API keys. For example, when accessing the Network Exposure Function (NEF), ephemeral, single-session credentials are issued.
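The token checks described above, as an added example (not code from the original article or from any 5G product): a producer network function accepts a request only if the token is correctly signed, unexpired, within a lifetime ceiling, addressed to it, and scoped to the requested service. HS256 with a shared key, the 300-second ceiling, and the sample NF and service names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

MAX_LIFETIME_S = 300  # assumed policy ceiling for a "short-lived" token


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key, header, claims):
    """Build a compact JWS. HS256 is an assumption that keeps this stdlib-only."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def issue_token(key, consumer, producer, scope, now, lifetime_s):
    claims = {"sub": consumer, "aud": producer, "scope": scope,
              "iat": now, "exp": now + lifetime_s}
    return sign(key, {"alg": "HS256", "typ": "JWT"}, claims)


def check_token(token, key, producer, required_scope, now):
    """Return (allowed, reason) for a request arriving at `producer`."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return (False, "malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return (False, "malformed token")
    # Pin the algorithm: the token must not be able to choose "none".
    if header.get("alg") != "HS256":
        return (False, "unexpected algorithm")
    expected = hmac.new(key, (head_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return (False, "bad signature")
    # Claims are trusted only after the signature has been verified.
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return (False, "missing iat/exp")
    if now >= exp:
        return (False, "expired")
    if exp - iat > MAX_LIFETIME_S:
        return (False, "lifetime exceeds policy")
    if claims.get("aud") != producer:
        return (False, "wrong audience")
    if required_scope not in str(claims.get("scope", "")).split():
        return (False, "scope not granted")
    return (True, "ok")


def demo():
    """Constructed sample: an AF calls a NEF service with a 120-second token."""
    key, now = b"constructed-demo-key", 1_700_000_000
    token = issue_token(key, "AF", "NEF", "nnef-eventexposure", now, 120)
    return [check_token(token, key, "NEF", "nnef-eventexposure", now + 10),
            check_token(token, key, "NEF", "nnef-pfdmanagement", now + 10),
            check_token(token, key, "NEF", "nnef-eventexposure", now + 121)]
```

A static API key would pass none of the expiry, audience or scope checks, which is the practical difference the paragraph above points to.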

"The 5G standard introduces a new authentication framework based upon a well-established and widely used IT protocol called extensible authentication protocol (EAP) that is open, network-agnostic, and more secure."

Adopting a Zero Trust model ensures that no entity is trusted by default. Policies should be dynamic, continuously reassessing factors like device health, location, and unusual behavior. For instance, if a device connects from an untrusted network or fails a compliance check, access should be downgraded or revoked automatically. Vendor access to the Data Control Network (DCN) should be tightly controlled, with permissions restricted to specific network elements using VPN concentrators, Multi-Factor Authentication (MFA), and Security Group Tags (SGTs).

"In a zero trust methodology we would wish to limit vendor A to only being able to access elements that they need to support, also limiting the protocols allowed on that interface."

These measures lay the groundwork for more granular network segmentation, which further strengthens security.

Network Segmentation and Isolation

Network slicing turns 5G into a highly adaptable platform by enabling the creation of logical networks tailored to specific needs. Each slice operates with its own isolation, resources, and optimized topology, identified by S-NSSAI (Single Network Slice Selection Assistance Information), which includes a Slice/Service Type (SST) and a Slice Differentiator (SD). This allows distinct security policies to be applied to different types of traffic.

For example, an eMBB slice may prioritize high encryption and throughput, while a URLLC slice focuses on ultra-low latency. Since each slice functions as an independent, virtualized environment, a breach in one doesn’t compromise the others.

Firewalls deployed at key interfaces (N3, N4, N11) can monitor PFCP and HTTP/2 traffic while correlating slice data with IP traffic. Additionally, slice-specific security rules – such as antivirus, URL filtering, and intrusion prevention – should align with each slice’s SST and business requirements.

Critical network functions like the Access and Mobility Management Function (AMF) and User Plane Function (UPF) benefit from micro-segmentation, which isolates them into distinct security zones with strict communication allow-lists.
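How the interface firewalls and allow-lists described above could be combined with slice identity, as an added example (not from the original article or any vendor product): each flow is checked against a zone allow-list for N3, N4 and N11, and its S-NSSAI is decoded to pick a slice-specific inspection profile. The hex text form of the S-NSSAI, the allow-list entries, the profile contents and the flow records are assumptions constructed for the illustration; SST values 1 to 4 are the standardized ones.

```python
from dataclasses import dataclass
from typing import Optional

# Standardized Slice/Service Type values (3GPP TS 23.501).
SST_NAMES = {1: "eMBB", 2: "URLLC", 3: "MIoT", 4: "V2X"}

# Hypothetical per-slice inspection profiles, keyed by slice type.
SLICE_PROFILES = {
    "eMBB": ("antivirus", "url-filtering", "intrusion-prevention"),
    "URLLC": ("intrusion-prevention",),  # lean profile to protect latency
}

# Hypothetical allow-list: (source NF, destination NF, interface, protocol).
ALLOW = {
    ("gNB", "UPF", "N3", "GTP-U"),
    ("SMF", "UPF", "N4", "PFCP"),
    ("UPF", "SMF", "N4", "PFCP"),
    ("AMF", "SMF", "N11", "HTTP/2"),
}


@dataclass(frozen=True)
class Snssai:
    sst: int            # Slice/Service Type, 8 bits
    sd: Optional[int]   # Slice Differentiator, 24 bits, optional

    @property
    def slice_type(self):
        return SST_NAMES.get(self.sst, "operator-specific")


def parse_snssai(text):
    """Decode an S-NSSAI given as hex: 2 digits (SST) or 8 digits (SST + SD)."""
    raw = bytes.fromhex(text)  # raises ValueError on non-hex input
    if len(raw) not in (1, 4):
        raise ValueError("S-NSSAI must be 1 or 4 bytes")
    sd = int.from_bytes(raw[1:], "big") if len(raw) == 4 else None
    return Snssai(raw[0], sd)


def decide(flow):
    """Return ("allow", profile) or ("deny", reason). Default is deny."""
    try:
        snssai = parse_snssai(flow["snssai"])
    except (KeyError, ValueError):
        return ("deny", "missing or malformed S-NSSAI")
    edge = (flow.get("src"), flow.get("dst"),
            flow.get("interface"), flow.get("protocol"))
    if edge not in ALLOW:
        return ("deny", "not on allow-list")
    profile = SLICE_PROFILES.get(snssai.slice_type)
    if profile is None:
        return ("deny", "no security profile for slice type " + snssai.slice_type)
    return ("allow", profile)


# Constructed flow records for illustration.
SAMPLE_FLOWS = [
    {"src": "AMF", "dst": "SMF", "interface": "N11", "protocol": "HTTP/2", "snssai": "01000001"},
    {"src": "gNB", "dst": "UPF", "interface": "N3", "protocol": "GTP-U", "snssai": "02"},
    {"src": "AMF", "dst": "UPF", "interface": "N4", "protocol": "PFCP", "snssai": "01000001"},
    {"src": "SMF", "dst": "UPF", "interface": "N4", "protocol": "PFCP", "snssai": "03"},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], f["interface"], decide(f))
```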

While traditional tools like VLANs and Virtual Routing and Forwarding (VRF) still play a role in enforcing segmentation, 5G’s Software-Defined Networking (SDN) capabilities provide finer control. Protect Virtualized Network Functions (VNFs) through hypervisor-based isolation and secure boot processes to safeguard the virtual infrastructure. For roaming traffic between carriers, a Security Edge Protection Proxy (SEPP) ensures end-to-end encryption, filtering, and robust security.

"Network slicing is about transforming the system from a static, one-size-fits-all paradigm to a new paradigm where logical networks and partitions are created with appropriate isolation, resources, and optimized topology."

Monitoring, Auditing, and Incident Response

Once access controls and segmentation are in place, staying vigilant becomes crucial. The distributed nature of 5G networks – spanning the Radio Access Network (RAN), edge nodes, and virtualized core functions – introduces complexity, with threats potentially arising from multiple directions. Considering that 5G networks can handle up to one million devices per square kilometer (around 2.6 million devices per square mile), manual oversight simply isn’t feasible. Automated systems are essential to detect anomalies, respond in real time, and maintain detailed audit trails for compliance purposes. This approach ensures both proactive incident planning and rigorous audits.

Security Audits and Training

Auditing in 5G environments must go beyond traditional perimeter checks, covering everything from physical hardware to Virtual Network Functions (VNFs) and individual network slices. These audits should prioritize identity-based verification, enforcing zero-trust principles through continuous authentication that considers device health, location, and behavior. Key elements to verify include 256-bit encryption, mutual authentication mechanisms, and secure handling of Subscriber Permanent Identifiers (SUPI).

Simulating real-world attacks, such as signaling-storm scenarios or breaches in slice isolation, through penetration testing is another essential step. Additionally, supply chain security cannot be overlooked – continuous evaluation of third-party vendors and hardware providers is necessary to ensure compliance. Employee training also plays a pivotal role, equipping staff with knowledge about 5G-specific threats and fostering a security-conscious workplace culture. Together, these measures lay the groundwork for an effective incident response plan.

Developing an Incident Response Plan

The decentralized architecture of 5G calls for tailored response strategies. A robust Incident Response Plan (IRP) should map all network segments – edge nodes, network slices, RAN, and core functions – to eliminate blind spots. Leveraging network slicing for containment is a key tactic, allowing the isolation of malicious traffic on a specific slice without disrupting other operations.

"You can’t secure what you can’t see."

Given the sheer scale of 5G networks, AI-driven tools become indispensable for detecting threats like signaling storms or Denial-of-Service (DoS) attacks targeting control messages. The IRP should also include clear protocols for vendor notifications, ensuring service level agreements (SLAs) mandate rapid patching and immediate communication when vulnerabilities arise.

Anomaly Detection and Monitoring

A centralized security management system, such as an NFV Security Controller (NFV SC), can oversee virtual network security. By integrating AI and machine learning analytics, these systems can quickly identify and respond to anomalies.

Monitoring efforts should span multiple layers, including VNFs, virtual resources (like CPU and memory), and physical hardware. Specialized databases – such as the NFV-AUD-DB (Audit Database) and NVFSeCM DB (Security Monitoring Database) – are essential for storing logs, alerts, and audit trails, supporting forensic analysis and compliance efforts. To address potential visibility gaps at distributed edge nodes, deploying local monitoring tools ensures consistent security enforcement across the network.

Here’s a breakdown of key components in 5G security monitoring:

| Monitoring Component | Role in 5G Security |
| --- | --- |
| NFV Security Controller (NFV SC) | Centralizes the management and orchestration of security functions |
| Security Monitoring Analytics | Employs AI/ML to detect patterns and predict threats |
| NFV Security Service Provider (SSP) | Monitors the health and security of VNFs and physical resources |
| Security Monitoring Databases | Stores logs, alerts, and audit trails for compliance and forensic purposes |

Automated anomaly detection is especially critical in identifying issues like misconfigured containers or insecure APIs, which are more prevalent in virtualized environments compared to traditional hardware setups.

Physical Security and Compliance Standards

Physical security serves as the first line of defense for 5G infrastructure. From base stations to edge nodes and core network equipment, these tangible assets are vulnerable to unauthorized access, theft, and environmental risks. The distributed nature of 5G – with more transmitters deployed compared to 4G – further expands the physical attack surface for organizations.

Protecting Physical Infrastructure

While virtual safeguards are critical, protecting the physical components of 5G infrastructure is just as important. Measures like Hardware Root of Trust (HRoT) and secure boot mechanisms ensure that hardware remains authentic and untampered. Other essential steps include implementing Physical Access Control Systems (PACS) with Personal Identity Verification (PIV) smartcard credentials, maintaining visitor records for two years, and conducting annual audits of access lists.

Transmission lines also need protection, which can be achieved through locked wiring closets, secured cable conduits, and fixed spare jacks. Environmental safeguards play a complementary role, with systems like fire suppression, water leakage sensors, HVAC controls, and Uninterruptible Power Supplies (UPS) for orderly shutdowns. Backup generators provide longer-term resilience. For real-time monitoring, security measures like guards, surveillance cameras, motion sensors, and alarms are indispensable.

Traffic isolation is another critical component. Separating operational and maintenance (O&M) traffic from data plane and signaling traffic minimizes the risk of attackers gaining access to sensitive management interfaces. The Enduring Security Framework (ESF) highlights 11 specific threats to 5G infrastructure, such as counterfeit hardware and vulnerabilities tied to multi-access edge computing, emphasizing the importance of securing the supply chain. All these physical security measures should align with established frameworks to ensure comprehensive protection.

Adhering to Industry Standards

Like digital safeguards, physical security measures must comply with rigorous industry standards. The National Strategy to Secure 5G, introduced by the White House in March 2020, provides a roadmap for safeguarding 5G infrastructure both domestically and globally. The National Risk Management Center at CISA has emphasized the transformative role of 5G in critical infrastructure, stating:

"5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud" and stressed that "it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology".

The NIST Special Publication 1800-33 offers practical guidance on integrating native 5G security features with third-party controls to create secure, standalone 5G networks on trusted cloud-native platforms. These principles have been tested on a National Cybersecurity Center of Excellence (NCCoE) testbed using commercial-grade 5G equipment. Additionally, the NIST Cybersecurity White Paper 36E outlines strategies for isolating 5G network traffic – covering data plane, signaling, and O&M traffic – to enhance both security and privacy.

Businesses are encouraged to align their security strategies with these frameworks. For instance, using Virtual Routing and Forwarding (VRF) can isolate O&M traffic from data and signaling flows. In virtualized 5G environments, the CISA/NSA Cloud Security Guidance series provides recommendations for preventing lateral movement, isolating network resources, and securing data throughout its lifecycle. Routine audits of cloud resources – such as container images, templates, and configurations – are essential for identifying and addressing unauthorized changes promptly.

Conclusion

Securing 5G networks is a continuous effort that requires vigilance, adaptable strategies, and shared responsibility. The virtualized, cloud-native nature of 5G demands a fresh approach to security. As Palo Alto Networks aptly states:

"Security in 5G isn’t someone else’s job. Responsibility is shared – clearly, but not equally".

While Communications Service Providers focus on securing the infrastructure, businesses must take charge of protecting their applications, edge workloads, and network slices.

The urgency of this shared responsibility becomes evident when you consider the scale and complexity of 5G. These networks can support up to 2.6 million devices per square mile, and the 5G security market is expected to grow by nearly 60% by 2030. This rapid expansion introduces a vast attack surface, with every IoT sensor, edge node, and network slice representing a potential vulnerability. Real-time visibility and continuous monitoring are no longer optional – they are critical.

To secure your 5G deployment, start by applying Zero Trust principles. Assume no device or user is inherently trustworthy, and verify every access request based on identity, context, and risk. Leverage network slicing and micro-segmentation to separate essential business functions from public-facing or IoT traffic. Conduct thorough supply chain assessments to ensure third-party equipment and cloud services meet your security standards. Additionally, audit configurations to eliminate weaknesses, such as downgrade attacks that push connections back to less secure 3G or 4G protocols. These measures, combined with continuous monitoring and strict access controls, create a strong foundation for a resilient network.

As threats evolve, so must your security strategy. Emerging challenges – like vulnerabilities tied to network slicing or AI-driven attacks – require regular audits, updated incident response plans, and, where feasible, collaboration with a 5G-specific Security Operations Center. Such partnerships ensure deeper insights into slice visibility and the ability to address latency-sensitive threats.

The businesses that succeed in the 5G era will be those that prioritize security from the outset and adapt their defenses as new threats emerge. By safeguarding your network now, you not only protect your operations but also maintain a competitive edge in an increasingly connected world.

FAQs

Which 5G security standards should my business follow first?

To build a solid defense for your 5G network, begin by establishing a security framework rooted in trusted standards like NIST and the EU’s 5G Security Toolbox. Prioritize measures such as strong encryption, strict authentication protocols, and a zero-trust security model to counter the broadened attack surface that comes with 5G technology.

It’s also crucial to align with local security regulations. This includes certifying essential network components before they are deployed. By doing so, you can ensure your network meets regional requirements and is better equipped to handle potential security threats.

Should we choose SA, NSA, or private 5G for better security?

The best 5G option for security really hinges on what you need it for.

  • Private 5G stands out as the most secure choice. It offers a completely isolated setup and gives enterprises full control over encryption and access, making it perfect for highly sensitive, mission-critical tasks.
  • Standalone (SA) 5G is another strong contender. It delivers lower latency and advanced capabilities like network slicing, which enhances security while improving performance.
  • Non-Standalone (NSA) 5G is quicker to roll out since it relies on existing 4G infrastructure. However, this convenience comes with a trade-off – it might carry over some of 4G’s vulnerabilities.

If absolute security is your priority, Private 5G is the way to go.

How can we secure 5G network slices and APIs in a Zero Trust model?

To protect 5G network slices and APIs within a Zero Trust framework, it’s essential to focus on strong identity verification, least privilege access, and continuous monitoring. This involves verifying every request to ensure legitimacy, enforcing strict access controls to limit permissions, and using micro-segmentation to isolate network slices effectively. Additionally, dynamic policy enforcement and real-time activity monitoring play a critical role in maintaining trust boundaries and stopping unauthorized lateral movement across the network.

Copyright 2010 - 2021 @ CEO Hangouts - All rights reserved.