How regulation is impacting 5G security in Europe

How regulation is impacting 5G security in Europe
(Image credit: Shutterstock)

Over the past few years, there’s been an increased focus in Europe on telecom and 5G security. Many service providers are evolving cybersecurity practices and postures, both for existing 4G networks and also for planned 5G deployments, many of which are launching now. All of this effort is in reaction to the growing number of cyberthreats on mobile networks, plus the realization that security can be a service differentiator. It also comes in response to growing expectations by government policymakers.

Securing service providers and their IT infrastructure is not new but it is a growing challenge. Cyberattacks on mobile networks continue to grow in volume and sophistication, attacking network infrastructure, applications, services and service providers’ end-users (both enterprises and consumers). 

Like for customers, 5G offers advantages that cyberattackers could exploit, for example potentially leveraging 5G speeds. There’s also a much expanded attack surface resulting from the sheer volume of IoT devices that will attach to 5G networks. Taken together, these factors could accelerate the pace of attacks or breaches. All of this makes securing networks, data, IoT devices and enterprise services essential.

Stopping cyberthreats

European governments understand what is at stake, issuing legislation and guidance encouraging organizations to secure and stop cyberthreats on mobile networks. In April 2020, Germany’s telecommunications regulator, Bundesnetzagentur, issued a draft “Catalogue of Security Requirements for Operating Telecommunications and Data Processing Systems, and for Processing Personal Data, Version 2.0”. Annex I, Section 2.2 of Germany’s catalogue requires “telecommunications service providers with an IP infrastructure” to regularly monitor traffic data for any abnormalities “in order to detect attacks or faults” and to implement a suitable monitoring infrastructure that “should be able to continuously identify and prevent threats”.

Germany’s guidance is laudable because it recognizes that monitoring for threats and preventing attacks in real time is essential to reducing the volume and impact of cyberattacks on national infrastructure, government networks, businesses and citizens.

Toolbox on 5G Cybersecurity

It is worth noting that Germany’s effort is in the context of government activity throughout Europe. In January 2020, the European Commission published the Toolbox on 5G Cybersecurity for EU member states. The Toolbox recommends 19 strategic and technical measures member states can implement to strengthen the security of their 5G networks, based on domestic risk assessments. These measures include strict access controls, the “least privileged” principle, segmentation of duties and authentication, authorization, logging and auditing.

While voluntary, implementation of the Toolbox is happening at national levels, as indicated in a July 2020 report. In some cases, this is aligned with transposition into domestic law of the European Electronic Communications Code (EECC), a vast new EU telecom law that member states are supposed to implement by December 2020. The EECC’s security requirements, Articles 40 and 41, call on providers of public electronic communications networks or publicly available electronic communications services to “take appropriate and proportionate technical and organizational measures to appropriately manage the risks posed to the security of networks and services”.

These measures should have “regard to the state of the art”, “ensure a level of security appropriate to the risk presented”, and “prevent and minimize the impact of security incidents on users and on other networks and services”. The European Cybersecurity Agency, ENISA, issued two documents on December 10 for member states’ national regulatory agencies to help them implement these provisions: the Guideline on Security Measures Under the EECC and a 5G Supplement to this Guideline.

State-of-the-art security tools

Legislation and guidance notwithstanding, many European service providers have already begun to invest in proven, state-of-the-art security tools and capabilities to secure networks, driven in part by ongoing news about vulnerabilities in 4G and 5G mobile technologies. These investments are in solutions for real-time mitigation, authentication and access control, network segmentation and container security. Service providers also are prioritizing “Zero Trust Architectures”, prevention and automation. Importantly, there is a growing understanding of the need to maintain constant monitoring and enforcement to be able to detect and stop cybersecurity threats within mobile traffic in real time.

Notably, GSMA, the industry association representing the interests of mobile operators worldwide, including more than 200 European operators, issued a reference document in March 2020 that outlines recommendations for communications service providers to detect and prevent attacks on the mobile data layer against networks, services and applications.

Security ramifications of mobile networks

It’s not just service providers who need to be aware of the growing regulatory guidance around 5G networks and applications. Many European enterprises are ready to adopt private 5G networks, like many of their peers globally. Germany’s Bundesnetzagentur recently awarded more than 80 licenses for spectrum in the 3700–3800MHz band to firms including Audi, Bosch and Lufthansa to use in local 5G networks. Regulators need to consider security ramifications brought by the introduction of private 5G networks.

Finally, regional groups are providing guidance on mobile security. For instance, the Switzerland-based World Economic Forum runs a cross-sector initiative aimed at accelerating a sustainable and secure transition to the next generation of mobile networks. The initiative identifies and communicates to senior leaders the emergent security risks and systemic challenges of mobile networks and provides key recommendations for actions that could address them.

Investing in cybersecurity

All in all, we cannot forgo investing in cybersecurity when it comes to the future of mobile networks. This guidance and regulation of 5G security will be helpful in raising baseline security and reducing critical cyber risks. Guidance will especially help small mobile operators or operators of private 5G networks, such as enterprises, which often cannot afford cybersecurity expertise on this topic.

Like the financial sector, good well-thought out regulation of mobile network security can help to increase trust in the infrastructure and technology and enable new business models. It is not surprising that some mobile network operators started to invest in mobile security a while ago, going beyond minimum requirements as a market differentiator. However, now it is the time for everybody to act.

Cybersecurity must be embraced, in the design phase of future mobile architectures by all relevant stakeholders: mobile network providers, governments and enterprises running their own private networks. This is possible by taking a comprehensive approach to securing 5G networks and by leveraging best practices and state-of-the-art, scalable security tools and capabilities that can help secure today’s complex network infrastructures, communications and data.

Sergej Epp is Chief Security Officer at Palo Alto Networks in Central Europe. In this role, he develops regional cybersecurity strategy and is overseeing cybersecurity operations and threat intelligence.