Private 5G Network Security

A non-public mobile network is also known as a private mobile network. It promises the benefits of 5G technology for enterprise-specific needs, together with privacy and control.

There are several architectures for deploying private mobile networks. They vary with the enterprise's requirements and use cases, and with spectrum regulation and allocation.

Applying end-to-end security to a private 5G network means covering several parts:

  1. Security for 5G Core: Recognizing customers’ security needs in day-to-day operations.
  2. MEC Security: Recognizing the target service security controls required for each application.
  3. RAN Security: Incorporating RAN (Radio Access Network) security is one of the newer challenges for enterprises.
  4. Endpoint Security: In addition to network, cloud and application security, endpoint security is key.

Private 5G Network Security Risks

Implementing private 5G involves several potential security risks, listed below:

1. Four Penetration Routes

An open private 5G network has four possible penetration routes. On these routes, vulnerabilities can be exploited in the OS or programs of regular x86 servers.

If an organisation migrates to open options for the hardware and software that make up the core network and radio access network, it takes on the same risk of vulnerabilities as any open IT environment. Many companies are now building PoCs through which they can implement a full-scale private 5G network.

The four potential vulnerability routes for private 5G networks are:

  1. CN hosting server
  2. VM/Container
  3. Network infrastructure
  4. Base station

1. CN Hosting Server

As private 5G networks grow, we can expect organisations to host their core network on general-purpose servers with the aim of lowering cost. A regular x86 server can also be used to host the core network.

2. VM/Container

It is also vital to consider the vulnerabilities in containers and other virtualized environments. In an attack called “container escape”, the attacker breaks out of the container to infiltrate the host server. Container technology plays a big role in the private 5G core network, and container images are largely made up of open-source packages such as SQL database engines and programming languages.

3. Network Infrastructure

Another infiltration route is the network infrastructure, which includes routers and firewalls. Private 5G solutions contain network devices such as switches, routers, and other networking equipment in the core network.

4. Base Station

There are also some vulnerabilities in the base station. We surge these vulnerabilities with the vendor. However, verification environments often include important documents and intellectual property, so it is important to apply the same level of security to equipment in the verification environment as in the production environment.

2. Three Signal Interception Points  

Once an attacker has got into the core network, they move to the next phase: intercepting and tampering with data. There are three interception points within the user plane, which processes user data.

  1. The first interception point is the link between the core network and the internet. This is the backhaul that connects the core network to the outside.
  2. The second interception point is where the SGW and PGW talk to each other. This is the point between the serving gateway for user data and the packet data network gateway that connects to the external network.
  3. The third interception point is between the base station and the core network. This is where data comes from user equipment into the user plane.

3. Six Attack Methods

There are a total of six methods for attacking the manufacturing site in a private 5G network:

| Name | Method | Potential Damage |
|------|--------|------------------|
| Modbus/TCP hijacking | Intercepting/tampering with Modbus function codes and data values to spoof the temperature readings seen at the HMI. | Damage to products; impairment to the manufacturing process |
| SIM swapping | Physically obtaining a SIM card to access the network and use it as a springboard for further attacks. | Stealing confidential information; lateral movement through privilege escalation |
| DNS hijacking | Accessing the PGW or router, intercepting DNS queries, and altering records. | Stealing confidential information; contaminating equipment with malware |
| MQTT hijacking | Intercepting/tampering with sensor readings in MQTT messages, and sending false values. | Damage to products; impairment to the manufacturing process |
| PLC firmware reset | Intercepting/tampering with packets between the PLC and TIA to force a reset of the PLC. | Damage to products; impairment to the manufacturing process |
| Remote desktop exploits | Stealing keystrokes and passwords through packet sniffing at the RDP/VNC port. | Stealing confidential information; lateral movement through privilege escalation |
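
As a defensive illustration of the Modbus/TCP row (an added example, not code from the original article): tampering inside the user plane can be detected by capturing the same Modbus responses on both sides of the 5G network and comparing them. The two capture points (PLC side and HMI side), the function names and the sample frames are assumptions constructed for this sketch.

```python
import struct
from typing import NamedTuple

class ModbusFrame(NamedTuple):
    txn_id: int
    unit_id: int
    function: int
    registers: tuple  # decoded values, filled for read responses only

def parse_adu(raw: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP response: 7-byte MBAP header, then the PDU."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", raw[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(raw) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function, body = raw[7], raw[8:]
    registers = ()
    if function in (0x03, 0x04):  # read holding/input registers response
        if not body or body[0] != len(body) - 1 or body[0] % 2:
            raise ValueError("bad byte count in read response")
        registers = struct.unpack(f">{body[0] // 2}H", body[1:])
    return ModbusFrame(txn_id, unit_id, function, registers)

def find_tampering(plc_side, hmi_side):
    """Compare responses seen at both (assumed) taps; return the differences."""
    sent = {(f.txn_id, f.unit_id): f for f in map(parse_adu, plc_side)}
    findings = []
    for frame in map(parse_adu, hmi_side):
        key = (frame.txn_id, frame.unit_id)
        original = sent.pop(key, None)
        if original is None:
            findings.append((key, "injected: never sent by PLC"))
        elif original.function != frame.function:
            findings.append((key, "function code changed"))
        elif original.registers != frame.registers:
            findings.append((key, f"registers {original.registers} -> {frame.registers}"))
    findings += [(key, "dropped before HMI") for key in sent]
    return findings

def build_response(txn_id, unit_id, values):
    """Build a function-0x03 response; used only to construct sample data."""
    pdu = bytes([0x03, 2 * len(values)]) + struct.pack(f">{len(values)}H", *values)
    return struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample: temperature in tenths of a degree; txn 2 altered in transit.
PLC_TAP = [build_response(1, 1, [215]), build_response(2, 1, [893]), build_response(3, 1, [220])]
HMI_TAP = [build_response(1, 1, [215]), build_response(2, 1, [221]), build_response(3, 1, [220])]
```

Calling `find_tampering(PLC_TAP, HMI_TAP)` reports only transaction 2, where the HMI was shown a normal-looking value in place of the reading the PLC actually sent.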