U.S. Agencies Release Guidance on Security for 5G Network Slicing
NEWS
The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly published 5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance, developed by the Enduring Security Framework (ESF), a public-private cross-sector working group led by both agencies. The publication is the second part of a two-part series, with Part 1 published back in December 2022. The second part essentially provides best practices (rather than a prescriptive methodology) on how to minimize the threats exposed in Part 1. The document comes at a good time; Mobile Network Operators (MNOs) have yet to deploy commercially viable network slices, and many are arduously strategizing around how those may be built, deployed, and managed. It is important that security be part and parcel of those development discussions.
Global Multi-Stakeholder Impact
IMPACT
The publication provides important guidance, developed by two of the foremost authorities in the cybersecurity industry. Although both agencies are U.S.-based, much of the information published publicly by the NSA and CISA (as well as by the U.S. National Institute of Standards and Technology (NIST)) has global influence, and is therefore likely to impact market developments. Importantly, the guidance considers efforts by other organizations, and heavily relies on the established recommendations from the GSMA and the output of The 3rd Generation Partnership Project (3GPP) Technical Specification (TS) working group. This is key to ensuring market cohesion in security deployment; nothing exposes more vulnerabilities than mismatched or impracticable security practices.
The document provides rather detailed guidance on most aspects of network slicing, including principles and concepts, components, design, and operations and maintenance. Recommendations on control and mitigation strategies are appended to each sub-section, providing actionable insights that can be concretely implemented.
Ultimately, the goal of the publication is to provide a comprehensive security analysis of all the various factors that will come under consideration for network slices, from creation to deactivation, thus providing guidance on how these could be implemented effectively. In true cross-sectoral fashion, the document is addressed to all stakeholders involved in 5G network slices: MNOs and non-MNO entities alike, including software and hardware vendors, service providers, cybersecurity vendors, system integrators, and even end customers. There is little doubt that the guidance will have a far-reaching impact on a global scale and become a key reference point for future security work on the issue.
Much Needed Guidance
RECOMMENDATIONS
The guidance on security for network slicing is a much-needed publication, not just for MNOs, but also for stakeholders keen to understand how they can monetize slices accordingly. For cybersecurity vendors in particular, the guidance provides some indication of how security tools may be used within these highly anticipated deployments. The document references zero-trust architecture as an ideal design concept for slices, which means authentication, authorization, and access control will play a key role. While this was broadly understood to be the case previously, the more technical details of the guidance allow for better strategizing around product development and eventual marketing. It will also likely lead to initial Proofs of Concept (PoCs) between cybersecurity vendors and MNOs, which are the precursors to eventual commercialization. Cybersecurity vendors focused on 5G markets would do well to take a look at the guidance and start familiarizing themselves with the various mitigation strategies. Aligning themselves with NSA and CISA recommendations is a sure-fire way to sell into the U.S. market at a minimum, and certainly holds some sway in the broader international market.
Cellular network infrastructure has been designed with security as an afterthought in previous generations. However, with network slicing enabling mission-critical and even life-critical use cases in 5G, security is becoming a key concern and a prime area of focus for standardization and commercial consortia. The initiative of the ESF is a key market development and will likely be considered by infrastructure vendors that develop equipment that will enable network slicing, certainly within the U.S. market going forward. This will also likely be adopted in other global markets, but the prioritization of security features will likely impact other facets of the network—most certainly its cost. ABI Research expects that these changes will happen gradually, as they may meet with operator resistance to investing incrementally for security, especially when network slicing use cases have not yet reached a critical mass. ABI Research expects security considerations to become more significant when large-scale standalone networks are being deployed in the United States, which will create the infrastructure platforms for network slicing. Network Equipment Operators developing cybersecurity platforms for MNOs should look closely at the guidance to ensure their offerings can effectively implement the requirements to facilitate operators’ deployment of slice-based security services to enterprise clients. This would provide a significant differentiator for enterprises that may otherwise look at cybersecurity vendors to provide the appropriate security technologies.