How Regulation Is Impacting 5G Security in Europe


Over the past few years, I have witnessed a growing focus in Europe on telecom and 5G security. Many service providers in the region are evolving cybersecurity practices and postures, both for existing 4G networks and also for planned 5G deployments, many of which are launching now. This increased focus is in reaction to the growing number of cyberthreats on mobile networks, as well as the realisation that security can be a service differentiator. It also comes in response to growing expectations by government policymakers.

As the world’s leading cybersecurity company, Palo Alto Networks works with service providers and enterprises globally that rely on mobile networks. We have completed numerous deployments around the world enabling our customers to detect and prevent mobile protocol-specific threats, malware and other vulnerabilities within mobile networks. We’re seeing cyberattacks on these networks continue to grow in volume and sophistication, attacking network infrastructure, applications, services and the customers’ own end-users (both enterprises and consumers). In the future, cyberattackers can potentially leverage 5G speeds, as well as the expanding attack surface resulting from the sheer volume of IoT devices that will attach to 5G networks, to accelerate the pace of attacks or breaches. All of this makes securing networks, data, IoT devices and enterprise services essential. To meet these challenges, Palo Alto Networks recently introduced the industry’s first 5G-native security solution, which includes containerized 5G security, real-time correlation of threats to 5G identifiers and 5G network slice security.

European governments understand what is at stake, issuing legislation and guidance encouraging organisations to secure and stop cyberthreats on mobile networks. In April 2020, Germany’s telecommunications regulator, Bundesnetzagentur, issued a draft “Catalogue of Security Requirements for Operating Telecommunications and Data Processing Systems, and for Processing Personal Data, Version 2.0”. Annex I, Section 2.2 of Germany’s catalogue requires “telecommunications service providers with an IP infrastructure” to regularly monitor traffic data for any abnormalities “in order to detect attacks or faults” and to implement a suitable monitoring infrastructure that “should be able to continuously identify and prevent threats”. Germany’s guidance is laudable because it recognises that monitoring for threats and preventing attacks in real time is essential to reducing the volume and impact of cyberattacks on national infrastructure, government networks, businesses and citizens. The security requirements will reportedly be officially announced in a federal gazette before the end of 2020.

It is worth noting that Germany’s effort is in the context of government activity throughout Europe. In January 2020, the European Commission published the Toolbox on 5G Cybersecurity for EU member states. The Toolbox recommends 19 strategic and technical measures member states can implement to strengthen the security of their 5G networks, based on domestic risk assessments. These measures include strict access controls, the “least privileged” principle, segmentation of duties and authentication, authorisation, logging and auditing. While voluntary, implementation of the Toolbox is happening at national levels, as indicated in a July 2020 report. In some cases, this is aligned with transposition into domestic law of the European Electronic Communications Code (EECC), a vast new EU telecom law that member states are supposed to implement by December 2020. The EECC’s security requirements, Articles 40 and 41, call on providers of public electronic communications networks or publicly available electronic communications services to “take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services”. These measures should have “regard to the state of the art”, “ensure a level of security appropriate to the risk presented”, and “prevent and minimise the impact of security incidents on users and on other networks and services”. The European Cybersecurity Agency, ENISA, issued two documents on December 10 for member states’ national regulatory agencies to help them implement these provisions: the Guideline on Security Measures Under the EECC and a 5G Supplement to this Guideline.

Legislation and guidance notwithstanding, many European service providers have already begun to invest in proven, state-of-the-art security tools and capabilities to secure networks, driven in part by ongoing news about vulnerabilities in 4G and 5G mobile technologies. These investments are in solutions for real-time mitigation, authentication and access control, network segmentation and container security. Service providers also are prioritising “Zero Trust Architectures”, prevention and automation. Importantly, there is a growing understanding of the need to maintain constant monitoring and enforcement to be able to detect and stop cybersecurity threats within mobile traffic in real time. In fact, GSMA, the industry association representing the interests of mobile operators worldwide, including more than 200 European operators, issued a reference document in March 2020 that outlines recommendations for communications service providers to detect and prevent attacks on the mobile data layer against networks, services and applications.

European enterprises also are ready to adopt private 5G networks, like many of their peers globally. Germany’s Bundesnetzagentur recently awarded more than 80 licenses for spectrum in the 3700–3800 MHz band to firms including Audi, Bosch and Lufthansa to use in local 5G networks. Regulators need to consider security ramifications brought by the introduction of private 5G networks.

Finally, regional groups are providing guidance on mobile security. For instance, the Switzerland-based World Economic Forum runs a cross-sector initiative aimed at accelerating a sustainable and secure transition to the next generation of mobile networks. The initiative identifies and communicates to senior leaders the emergent security risks and systemic challenges of mobile networks and provides key recommendations for actions that could address them.

All in all, we cannot forgo investing in cybersecurity when it comes to the future of mobile networks. This guidance and regulation of 5G security will be helpful in raising baseline security and reducing critical cyber risks. Guidance will especially help small mobile operators or operators of private 5G networks, such as enterprises, which often cannot afford cybersecurity expertise on this topic. Similar to the financial sector, regulation of mobile network security can help to increase trust in the infrastructure and technology and enable new business models. It is not surprising that some mobile network operators started to invest in mobile security a while ago, going beyond minimum requirements as a market differentiator. However, now is the time for everybody to act. Cybersecurity must be embraced not just post-mortem, but now, in the design phase of future mobile architectures by all relevant stakeholders: mobile network providers, governments and enterprises running their own private networks. This is possible by taking a comprehensive approach to securing 5G networks and by leveraging best practices and state-of-the-art, scalable security tools and capabilities that can help secure today’s complex network infrastructures, communications and data.