The implementation of 5G networks brings increased exposure to attacks and more potential entry points for attackers. In an attempt to attenuate the risks and threats associated with these networks, in March 2019 the European Commission adopted a Recommendation for a Common European Approach to the Security of 5G Networks (“Recommendation”), establishing a set of concrete actions to be carried out, both in each state’s national sphere and at EU level, by October 2020.
As a first step towards achieving the aforementioned common approach, the EU urged the member states to formulate an internal risk assessment. Based on the latter, the European Commission, along with the European Union Agency for Cybersecurity (“ENISA”), drew up the EU-Wide Coordinated Risk Assessment of 5G Networks Security (“Assessment”). In parallel and as an additional input, ENISA framed the landscape of the possible threats surrounding these technologies, publishing on November 21st the ENISA Threat Landscape for 5G Networks (“Threat Landscape”).
The Assessment identifies the main cyber threats and actors, the most sensitive assets, key vulnerabilities and a number of strategic risks. Overall, the threats considered most relevant fall in the broad categories of confidentiality, availability and integrity, these being the three main pillars to be ensured by all parties involved in the supply chain.
In particular, the Assessment singles out the following threats as the most concerning: (i) local or global 5G network disruption; (ii) spying on traffic/data in the 5G network infrastructure; (iii) modification or rerouting of the traffic/data in the 5G network infrastructure; and (iv) destruction or alteration of other digital infrastructures or information systems through the 5G networks.
In this regard, and taking into consideration the fundamental role played by stakeholders in contributing to the cybersecurity of 5G networks, as well as their position as potential entry points or vectors for attacks, the Assessment emphasises the importance of identifying the concrete risks around each of them and developing measures to attenuate them. For these purposes, the report has catalogued the following as the main stakeholders in 5G network infrastructures: (i) mobile network operators; (ii) suppliers of mobile network operators; and (iii) manufacturers of connected devices and related service providers. Additionally, service and content providers and end-users of 5G mobile networks have been included as other stakeholders.
Furthermore, the Assessment identifies the vulnerabilities of 5G networks related to hardware, software, processes and policies, as well as those related to third-party suppliers. With regard to the latter, it recommends assessing the supplier’s risk profile, taking into consideration reports and/or notices issued by member states and EU authorities. Likewise, special attention was given to the vulnerability that may arise from dependency on individual suppliers, especially regarding equipment and solutions.
Additionally, an analysis of some possible risk scenarios was carried out in view of the major threat scenarios across the EU, their potential systemic impact and their likelihood of increasing with 5G networks or even arising from them. These include scenarios related to insufficient security measures; the 5G supply chain (faults or vulnerabilities in equipment, low quality equipment and dependency); the modus operandi of the main threat actors (i.e. state interference through the 5G supply chain, or the exploitation of 5G networks by organised crime); interdependencies between 5G networks and other critical systems such as health, autonomous vehicles, power, gas and water supply, and defence, among others; as well as those related to end-user devices, which derive mainly from the increasing number of devices with diverse functions, encompassing under this specific risk those related to the Internet of Things.
As a complement to the Assessment, ENISA, with the support of EU Member States, the European Commission and an expert group, drew up and published the Threat Landscape, whose purpose is to provide a detailed assessment, from a technical point of view, of 5G network design and architecture, the identification of important assets, the threats affecting 5G, the exposure of the assets to these threats, as well as an overview of possible threat agent motives.
The latter aims to help stakeholders gain a better understanding of cybersecurity threats; thus, a detailed and correct knowledge and understanding of the most critical components in 5G networks which may be exposed to attacks is essential. In this vein, the report provides further details on the information included in the Assessment and complements it with the threat exposure of various subsystems, based on previous experience and theoretical cyberthreats identified by analogy to existing mobile networks.
In this regard, it focuses on the RAN and CORE components, leaving out any interconnected services, APIs, application components and other sectors such as transportation, eHealth, Industrial Internet of Things, Smart Environments, etc., as well as technical vulnerabilities, which ENISA plans to assess in the future.
Moreover, the Commissioner for the Security Union, Julian King, and the Commissioner for the Digital Economy and Society, Mariya Gabriel, have recently stated that the completion of the risk assessment makes it possible to move towards the next step of the Recommendation, the production of a toolbox of possible responses for managing and mitigating the risks identified at national and EU levels, which is expected to be ready by December 31st, 2019, affirming that “This joint approach by all Member States will underpin secure roll-out of 5G networks across the European Union”.
From the consumers’ perspective, the EU, during the European Cyber Security Month which took place this past October, conducted a cybersecurity awareness campaign in order to raise citizens’ knowledge and awareness of these threats and to promote cybersecurity through education and the sharing of good practices, emphasising the mutual responsibility of the EU, the governments and the citizens under the slogan “Cybersecurity is a shared responsibility!”.
Spanish public consultation on cybersecurity
In line with the diverse recommendations issued by the European Commission, the Spanish Secretariat of State for Digital Progress of the Ministry of Economy and Business launched a public consultation prior to the formulation of national regulation on 5G networks and services, which will be open until December 13th.
The objective of this consultation is to gather input from any person or entity, especially stakeholders, regarding the development of national regulations on this matter, whilst collecting information that could be useful for the production of a national assessment of possible risk-alleviating measures and best practices, which shall be submitted to the European Commission for the preparation of the toolbox referred to in the Recommendation.
Maria Eugenia García, Lawyer at Cremades & Calvo-Sotelo