How to securely monitor a 5G network

Every generation of wireless technology has required organizations to adapt their security practices to effectively monitor and protect their networks. But monitoring a 5G network presents a new level of complexity due to the different protocols and architecture involved.

In our final blog of the 5G security series, it’s time to explore the complexities of monitoring a 5G network and how organizations can ensure that their infrastructure is watertight.

The 5G step change

Traditionally, security monitoring has focused on IT networks, such as MPLS or IP networks, where most security operations centers (SOCs) operate from. These SOCs primarily monitor enterprise systems like office, financial, and HR systems. However, with the proliferation of connectivity in operational environments, including manufacturing facilities, warehouses, and critical infrastructure, the monitoring scope has evolved to include operational technology (OT) networks too.

OT networks differ from enterprise networks in terms of protocols and tools required for monitoring. Proprietary protocols often govern devices and equipment in the OT environment, each requiring specific protocols and tools for monitoring.

Unlike IP networks, 5G networks operate on cellular protocols and follow cellular standards developed over previous generations (e.g., 2G, 3G, 4G). The difference is that as organizations deploy their own private or hybrid 5G networks, the responsibility for monitoring these networks shifts from telco providers to the enterprises themselves.

This is a completely new world for organizations, introducing unique complexities tied to cellular protocols and the division between the control and data plane (the former handles the initial handshake, authentication, encryption, and bandwidth allocation, while the latter facilitates the actual data transfer). Monitoring both planes and correlating the data is essential for effective 5G network security operations.

24×7 log collection

A fundamental aspect of 5G network security is continuous monitoring through 24×7 log collection. Logs are gathered from various components spanning from the user equipment (UE) to the core, providing crucial insights into potential security events.

The extent of log collection depends on the deployment model adopted. In private deployment models, higher volumes of log collection is possible. However, where the 5G architecture is shared with mobile network operators (MNOs), the service provider must collaborate to ensure the necessary logs are collected.

To achieve comprehensive monitoring, it is essential to collect logs from both the control plane and the data plane of the 5G architecture. Additionally, specialized toolsets are required as existing enterprise log collection tools may not fully comprehend the specific protocols, such as GTP, used in 5G networks. These tools not only collect data but also correlate them to identify ongoing attacks effectively.

Indicators of compromise

The next aspect of monitoring are indicators of compromise(IoCs),which play a vital role in detecting security attacks within the 5G environment. The best-in-class toolsets available today provide a range of IoCs that can be utilized by SOC analysts to identify potential security breaches. These IoCs can subsequently be categorized into device-related and traffic/performance-related indicators.

Some examples of device related IoCs include:

Detecting unknown devices in the network, Monitoring changes in device connection status, Identifying new device vendors, Detecting devices that have not been seen for a specific period, Identifying new device types, Monitoring abnormal device traffic usage, Tracking abnormal traffic usage by devices in specific locations, Identifying user equipment (UE) connection failures, Detecting consistent failures in UE IP allocation, Identifying conflicting IMEI numbers with SUPI and SUCI mapping, Detecting unknown UEs joining the network, Monitoring repeated UE authorization failures, Identifying devices with unknown locations, Identifying devices with vulnerabilities or performance issues.

Similarly some traffic and performance IoCs include

Identifying unauthorized traffic patterns, Monitoring compliance with quality of service (QoS) parameters, Detecting abnormal traffic for specific devices or applications, Monitoring the absence of traffic, Identifying abnormal protocol usage for user equipment (UE) and Internet of Things (IoT) devices, Detecting spikes in control traffic to UE, radio access network (RAN), and core, Monitoring spikes in user plane data, potentially indicating distributed denial of service (DDoS) attacks

These IoC examples offer a glimpse into the extensive use cases built around them, and with the right tools, SOC analysts should feel empowered to detect and respond to security breaches effectively.

Best practices for securely monitoring 5G networks

Monitoring a cellular network can be complex but when taken step-by-step it can also be manageable and efficient:

• Develop expertise: Invest in training and familiarize the team with the unique aspects of 5G protocols and the control-data plane division.
• Collaborate with telco providers: Engage with telco providers to understand their monitoring capabilities and coordinate efforts to ensure end-to-end security for private 5G networks.
• Adopt specialized tools: Acquire monitoring tools designed specifically for 5G networks, capable of monitoring both the control plane and the data plane. These tools should provide comprehensive visibility and correlation capabilities.
• Implement network slicing: Leverage network slicing capabilities to isolate and monitor different slices within the 5G network. This approach enhances security and allows focused monitoring for specific services or devices.
• Continuous monitoring and analysis: Implement real-time monitoring and analysis to identify anomalies, detect potential threats, and respond promptly. Incorporate threat intelligence feeds to stay updated on emerging threats and vulnerabilities in 5G networks.

As these different components come together in different deployment models, achieving end-to-end security in 5G can become challenging. This is why IT, OT, and cellular network security policies must all be well aligned and integrated to bring enterprise grade security that is governed by zero trust principle protecting north–south and east–west traffic as well as data at storage and in transit. 

Overall, any monitoring of a 5G network requires organizations to adapt their security practices to the unique characteristics of cellular protocols and the control-data plane division. By investing in expertise, collaborating with telco providers, leveraging specialized tools, and adopting best practices, organizations can ensure the security of their 5G networks and start embracing the benefits of 5G technology.

Contact Capgemini today to find out about 5G security.