5G Security and Resilience
5G represents a complete transformation of telecommunication networks, introducing a wealth of benefits that will pave the way for new capabilities, and support connectivity for applications like smart cities, autonomous vehicles, and telemedicine.
Roughly every ten years, the next generation of mobile communications network is released, bringing faster speeds and increased capabilities.
- The first generation (1G) of wireless networks brought the very first cellphones
- 2G brought improved coverage and texting
- 3G introduced voice with data/internet
- 4G long-term-evolution (LTE) delivered increased speeds to keep up with mobile data demand.
5G will transform the digital landscape and serve as a catalyst for innovation, new markets, and economic growth. As tens of billions of devices are connected to the internet through 5G, these connections will empower a vast array of new and enhanced critical infrastructure services.
100x Faster Download Speeds
While a 3-gigabyte movie would take 40 minutes to download on 4G, it would take only 35 seconds on a 5G network.
10x Decrease in Latency
Data response times will be as low as 1 millisecond, providing endless possibilities from remote surgery to self-driving cars.
100x Network Capacity
5G promises greater traffic capacity, allowing for millions of devices to be connected to the same network in the same area.
Potential Threats to 5G Network Slicing
December 13, 2022: Today, CISA, the National Security Agency, and the Office of the Director of National Intelligence published Potential Threats to 5G Network Slicing. Developed by the Enduring Security Framework (ESF), a cross-sector, public-private working group, the paper provides an in-depth review of network slicing, a key component of 5G infrastructure, and an assessment of the security, risks, benefits, design, deployment, operations, and maintenance of a network slice. This assessment builds upon the 2021 ESF paper on Potential Threat Vectors to 5G Infrastructure.
When Will 5G Be Available?
Widespread usage of standalone 5G networks is not expected until at least 2022. Initial 5G deployment will operate on a non-standalone network (relying on existing telecommunications infrastructure, i.e., 4G) and has begun rolling out incrementally across several U.S. cities. Additionally, the continued exponential increase of connected devices will also utilize 4G, 4G Long-Term Evolution (LTE), and 4G/5G hybrid infrastructures to improve the bandwidth, capacity, and reliability of broadband services. The evolution from non-standalone to standalone 5G networks (which do not rely on existing infrastructure) will take years. But the goal remains to meet the increasing data and communication requirements, all while securely reaping the benefits and possibilities 5G brings.
National Strategy to Secure 5G
In March 2020, the White House developed the National Strategy to Secure 5G, which expands upon the National Cyber Strategy and outlines how the Nation will safeguard 5G infrastructure domestically and abroad. In January 2021, the accompanying Implementation Plan was released. The National Strategy to Secure 5G and Implementation Plan puts the United States on the path to make sure that we are equipped to continue development, deployment, and management of secure and reliable 5G.
As the lead federal agency for cybersecurity, CISA is helping shape the rollout of this emerging critical infrastructure through strategic risk mitigation initiatives that stem from the National Strategy to Secure 5G's four Lines of Effort:
- Facilitate Domestic 5G Rollout
- Assess Risks to and Identify Core Security Principles of 5G Infrastructure
- Address Risks to United States Economic and National Security During Development and Deployment of 5G Infrastructure Worldwide, and
- Promote Responsible Global Development and Deployment of 5G
Through its unique authorities, the Agency is working with interagency, industry, and international partners to ensure relevant policy, legal, security, and safety frameworks are in place to mitigate significant 5G risks. Critical infrastructure systems across all 16 sectors rely on ICT (including 5G components when deployed) for the operation of the National Critical Functions (NCFs), making securing 5G a priority for the Agency.
CISA 5G Strategy
The CISA 5G Strategy establishes five strategic initiatives that are guided by three core competencies:
- Risk Management: Promote secure and resilient 5G deployment by leading efforts to identify, analyze, prioritize, and manage risks.
- Stakeholder Engagement: Actively engage federal, state, local, tribal and territorial, industry, association, academia, non-profit, and international partners to address 5G challenges.
- Technical Assistance: Update and develop instructional tools and services to support stakeholders with the planning, governance, operational, and technical aspects of secure 5G deployment.
CISA's 5G Strategic Initiatives are:
- Strategic Initiative 1: Support 5G policy and standards development by emphasizing security and resilience: Developing 5G policy, best practices, and standards that emphasize security and resilience to prevent attempts by threat actors to influence the design and architecture of 5G networks;
- Strategic Initiative 2: Expand situational awareness of 5G supply chain risks and promote security measures: Educating stakeholders on 5G supply chain risk, particularly around vendors, equipment, and networks to promote leading security practices within the public and private sector;
- Strategic Initiative 3: Partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments: Strengthening and securing existing infrastructure to support future 5G deployments by recommending improvements for existing 4G Long-Term Evolution (LTE) infrastructure and core networks;
- Strategic Initiative 4: Encourage innovation in the 5G marketplace to foster trusted 5G vendors: Catalyzing innovation in the 5G marketplace to foster trusted 5G vendors; and
- Strategic Initiative 5: Analyze potential 5G use cases and share information on risk management strategies: Assessing risk mitigation techniques on 5G use cases in order to share and popularize strategies that continue to secure the NCFs.
These initiatives include associated objectives to ensure there are policy, legal, security, and safety frameworks in place to fully leverage 5G technology while managing its significant risks.
The Agency is working with interagency, industry, and international partners to manage the accompanying risks and challenges to 5G implementation appropriately, increasing its security and resilience at the design phase and reducing national security risk from an untrustworthy 5G network. While the deployment of 5G presents opportunities to enhance security and create better user experiences, there are several risks that should be considered, such as:
- Attempts by threat actors to influence the design and architecture of 5G networks: 5G will utilize more ICT components than previous generations of wireless networks. Municipalities, companies, and organizations may build their own local 5G networks, potentially increasing network vulnerabilities. Improperly deployed, configured, or managed 5G equipment and networks may be vulnerable to disruption and manipulation.
- Susceptibility of the 5G supply chain due to the malicious or inadvertent introduction of vulnerabilities: The 5G supply chain is susceptible to the malicious or unintentional introduction of risks such as malicious software and hardware, counterfeit components, and poor designs, manufacturing processes, and maintenance procedures. 5G hardware, software, and services provided by trusted entities could increase the vulnerabilities of network asset compromise and affect data confidentiality, integrity, and availability.
- Current 5G deployments leveraging legacy infrastructure and untrusted components with known vulnerabilities: 5G builds upon previous generations of wireless networks and is currently being integrated with 4G LTE networks that contain some legacy vulnerabilities. Some of these legacy vulnerabilities, whether accidental or maliciously inserted by untrusted suppliers, may affect 5G equipment and networks despite the integration of additional security enhancements.
- Limited competition in the 5G marketplace resulting in more proprietary solutions from untrusted vendors: Despite the development of standards designed to encourage interoperability, some companies, such as Huawei, build proprietary interfaces into their technologies. This limits customers' choices to use other equipment. Lack of interoperability with other technologies and services limits the ability of trusted companies to compete in the 5G market.
- 5G technology potentially increasing the attack surface for malicious actors by introducing new vulnerabilities: The implementation of untrusted components into a 5G network could expose communications infrastructure to malicious or poorly developed hardware and software, and could significantly increase the risk of compromise to the confidentiality, integrity, and availability of 5G data.
Enabling Security and Resilience
CISA works with industry leaders and public sector agencies to bring awareness to national critical infrastructure risk, as well as to educate and drive behavioral change towards the Nation's relationship with ICT and other critical systems, including 5G technologies.
- Federal Departments and Agencies: Through information sharing and coordination with federal departments and agencies, CISA helps establish collective risk management strategies that support the development of national policy and strategy frameworks for future 5G deployment.
- SLTT Government Agencies: CISA engages with state, local, tribal, and territorial (SLTT) government agencies to understand common vulnerabilities and share assessments of potential risks posed by 5G technology. In addition, CISA works with SLTT stakeholders to discuss the specific policy, technological, and legal implications inhibiting secure 5G deployment.
- Private Industry: CISA relies on its partnership with the private sector to understand and manage risks posed to 5G technology. With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that CISA and industry collaborate to identify vulnerabilities and ensure that cybersecurity is prioritized within the design and development of 5G technology. By coordinating with 5G network providers, infrastructure technicians, and telecom companies, CISA is helping ensure that risk mitigation techniques are consistently applied across the network, both for existing 4G LTE and new 5G deployment. Through meaningful risk dialogues, industry working groups, and partnerships, CISA can provide extensive value to industry players looking to shore up their security apparatus.
- Non-Governmental Organizations: The research and development (R&D) initiatives carried out by associations, academia, and non-profits are invaluable to the security and resilience of 5G networks. From the analysis, design, testing, and development of new 5G capabilities, partnerships with these entities provide both subject matter insight and expertise that promote secure 5G deployment.
- International Allies: As 5G connectivity becomes a reality, there is the potential for an increase in untrusted vendors, equipment, and devices. Whether vulnerabilities are malicious or inadvertent, there will remain a need to maintain strong relationships with international partners to communicate risks and safeguard the flow of information.
CISA developed these resources as voluntary tools for secure adoption and implementation of 5G technologies. Any analysis of 5G vulnerabilities represents the beginning of CISA's thinking on this issue, not the culmination of it. These resources are not an exhaustive risk summary or technical review of attack methodologies.
The CISA 5G Strategy details our approach to advance the development and deployment of a secure and resilient fifth generation (5G) infrastructure.
CISA 5G Innovation and Transformation Video Series
A series of videos describing 5G technology, its risks and benefits, implementation best practices, and use cases.
5G Basics Infographic
The 5G Basics Infographic describes 5G, compares it to 4G, explains 5G risks, and predicts when it will be available in the U.S.
5G Market Penetration and Risk Factors Infographic
This infographic explains the major components of 5G networking, points of vulnerability in the 5G network, and mobile equipment components in market leaders.
Edge vs. Core - An Increasingly Less Pronounced Distinction in 5G Networks
This report describes edge computing and the opportunities and risks it presents in combination with 5G networks.
Open Radio Access Network Security Considerations
This assessment considers the security of a mobile industry initiative toward an Open RAN.
Overview of Risks Introduced by 5G Adoption in the United States
An overview of the opportunities and challenges presented by 5G implementation in the U.S.
Potential Threat Vectors to 5G Infrastructure
This report describes threats identified by the Enduring Security Framework and 5G Threat Model Working Panel across the various 5G domains.
Potential Threats to 5G Network Slicing
An in-depth review of network slicing, a key component of 5G infrastructure.
Security Guidance for 5G Cloud Infrastructures
Security Guidance for 5G Cloud Infrastructures Part I: Prevent and Detect Lateral Movement
Discusses the importance of detecting malicious cyber actor activity in 5G clouds and preventing actors from leveraging the compromise of a single cloud resource to compromise the entire network.
Security Guidance for 5G Cloud Infrastructures Part II: Securely Isolate Network Resources
Discusses practices to ensure that there is secure isolation among customer resources with emphasis on securing the container stack that supports the running of virtual network functions.
Security Guidance for 5G Cloud Infrastructures Part III: Data Protection
Informs the reader about methods to ensure that network and customer data is secured during all phases of the data lifecycle (at-rest, in transit, while being processed, upon destruction).
Security Guidance for 5G Cloud Infrastructures Part IV: Ensure Integrity of Cloud Infrastructure
Emphasizes the importance of ensuring that 5G cloud resources (e.g., container images, templates, configuration) are not modified without authorization.
These resources are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide warranties of any kind regarding this information, nor does it endorse any commercial product, service, or subjects of an
3rd Generation Partnership Project (3GPP)
A telecommunications standards organization that develops a series of releases that provide developers with a stable platform for the implementation of cellular telecommunication features. Releases 15, 16, and 17 focus on 5G.
Framework to Conduct 5G Testing
A Framework by the Federal Mobility Group (FMG) to support the diverse needs of federal use-cases of 5G as well as coordination of 5G test activities across the federal government.
National Telecommunications and Information Administration
Housed within the Department of Commerce, NTIA is principally responsible for advising the President on telecommunications and information policy issues.
An effort committed to transforming radio access networks (RAN) towards open, intelligent, virtualized and fully interoperable RAN
State Department's 5G site
Provides the latest security and policy concerns related to 5G.