CISA, DOD Report Gap for 5G Security Risk Assessors

Cybersecurity and Infrastructure Security Agency and Department of Defense officials have laid out a path for agencies to authorize fifth-generation networking projects, while reporting blind spots in assessing the security risks associated with particular ways of incorporating the technology into government systems.

The agencies released a draft “5G Security Evaluation Process Investigation” on Thursday. It describes how government agencies can use the U.S. National Institute of Standards and Technology’s Risk Management Framework, in combination with a variety of tools, including industry-developed ones, to authorize 5G projects as meeting technology security standards.

In a blog post accompanying the release, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said, “We are excited to implement the proposed five-step 5G security assessment process derived from research and security analysis.”

“This process allows government agencies to carry out the preparatory steps of the National Institute of Standards and Technology’s Risk Management Framework (RMF) for system authorization,” he said. “The jointly proposed process was developed to address gaps in existing security assessment guidance and standards that emanate from new features and services in 5G technology. It identifies key threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents and relevant methodologies for conducting cybersecurity assessments of 5G systems.”

As the document defines them, gaps occur “when security requirements exist without evaluation guidance, policies, or organizations to validate the effectiveness of government operations.” Gaps can also occur, it says, when security requirements are believed to be needed to mitigate a threat but no formal requirements have been established.

The document’s authors suggest that implementers will encounter more gaps as the 3rd Generation Partnership Project, the leading standards development organization for next-generation networking technology, and other organizations such as the European Telecommunications Standards Institute and the [Open Radio Access Network] Alliance continue to identify new threats and work on security specifications.

A particularly difficult part of the process described by CISA and DOD, with the cooperation of NIST and the MITRE Corporation, is establishing the boundaries of the evaluation for authorization, especially given the complex considerations involved in protecting the radio access network of 5G systems.

“Depending on the boundaries and configuration of the system under evaluation, the 5G RAN infrastructure may include infrastructure elements from one or more geographic locations, various network switches/routers, base stations, and access point/cell site equipment and software,” the document reads. “When the RAN segment employs an open and disaggregated RAN solution, additional Tier 1 vendors (and their component hardware and/or software products) are involved in this security assessment step compared to traditional RAN solutions. The level of interoperability and penetration testing, as well as the identification and mitigation of potential open RAN attack vectors, can increase as well.”

The document also notes the usefulness of software bills of materials for risk assessment in the private 5G networks used in the scenarios it describes.

“Examples of private 5G networks include on-premises RAN segments with RAN slicing to support multiple tenant applications,” the officials wrote regarding the determination of appropriate evaluation boundaries. “All hardware and software components, including cloud/edge platforms and internal and external system interfaces, are subject to threat and security feature analysis. Specific security conditions and assurance requirements require extensive investigation. In some cases, this may include Tier 2 (and beyond) vendors and the proof of integrity that accompanies each software bill of materials.”

For the “network slicing” used to create segmentation within the 5G “core,” officials said it is advisable for security evaluators to perform additional testing, including for supply chain threats.

“The basic functionality provided by the 5G core includes user authentication and authorization, data connectivity, mobility management, subscriber data management, and policy management and control,” they wrote. “Depending on the operator’s implementation of network slicing … Network slicing is a new technology and its threat vectors are not yet fully understood, so further testing is prudent.”