European Union Agency for Cybersecurity publishes report on Network Function Virtualisation (NFV) Security in 5G

ENISA explains that NFV is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, the technology also introduces new security challenges.

ENISA’s new report sets out good practices for the secure deployment of NFV networks. It supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

ENISA explains that traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. NFV is used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms. Applying NFV therefore reduces the number of operations and maintenance costs.

The report identified 60 security challenges in seven categories:

  1. virtualisation or containerisation;
  2. orchestration and management;
  3. administration and access control;
  4. new and legacy technologies;
  5. adoption of open source or COTS;
  6. supply chain; and
  7. lawful interception.

The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. It sets out 55 best practices classified under Technical, Policy and Organisational categories. Key findings include:

  • resource virtualisation: the virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software; if the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences;
  • resource sharing: a single physical server may run several different tenants’ virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant’s virtual resource might be distributed across several physical servers; multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks;
  • use of open source: there will be increasing use of open-source software; this introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws; and
  • multi-vendor environment: in such an environment, it remains difficult to coordinate security policies and determine responsibility for security problems; more effective network security monitoring capabilities are required.

ENISA says that NFV is an important technology in 5G, and its security is critical for the overall security of 5G networks, especially since 5G networks underpin critical infrastructures.