5G national security framework: boosting network security – Telefónica
At a time when 5G networks are in full expansion, enabling the emergence of new services and increasingly advanced functionalities, their security is of particular importance. In this context, it is essential to seek a comprehensive approach to the security of 5G networks and services that guarantees an efficient management framework, compatible with the development and sustainability of these infrastructures in Spain and Europe.
Indeed, the recent approval of the Spanish 5G Security Plan (ENS5G) by RD 443/2024 of 30 April is the latest regulatory milestone in this area in Spain, completing the regulatory framework applicable to all actors involved in the deployment and operation of this technology at national level.
The growing importance of 5G network security
The deployment of the new 5G mobile networks represents a transformation of the telecommunications sector, as it implies greater capacities and new network functionalities. This is possible thanks to joint investments in a number of complementary technologies, such as Network Slicing or network virtualisation, which will enable the emergence of new services with high added value for society and the economy, in areas such as medicine, transport, energy and logistics, among others. For this reason, public authorities at national and European level have recently placed particular emphasis on promoting the rapid deployment of these fifth generation networks.
With this deployment and the emergence of new services related to 5G networks, new risks and threats emerge that could have far-reaching effects and that need to be addressed in a holistic manner, given the involvement of a wide range of actors in the value chain. The ENS5G therefore essentially identifies and details a series of measures aimed at minimising the impact of these potential risks, threats or vulnerabilities, thus making our 5G networks and services highly resilient and allowing citizens to have confidence in the services they enjoy in the EU.
In short, the ENS5G, published in April 2024, develops the security framework applicable to 5G networks and services in Spain, established by Royal Decree-Law 7/2022 of 29 March and recently amended by the fifth final provision of Royal Decree-Law 6/2023 of 19 December.
The Integrated Security Concept
The security of any network or service, and 5G is no exception, must be addressed at multiple levels, end-to-end, and with due regard to the shared responsibility of all actors involved in the value chain.
In this sense, it is essential that all elements present in the 5G ecosystem – human, material, technical, legal and organisational – are taken into account when defining and implementing security protocols and processes aimed at making the network robust and creating confidence in the services enjoyed by citizens. In addition, each actor in the 5G ecosystem value chain must take measures to enable the secure operation of 5G networks and services.
For example, 5G providers will need to ensure the security of equipment and ancillary services, and comply with a number of technical standards based on ISO standards and certifications, as well as auditing and transparency measures.
This concept, that of total security, is also of the utmost importance and represents one of the major challenges to which the approval of the ENS5G is a response, seeking to minimise risks, whatever their origin or the agent involved.
The importance of mitigating the potential risks of a 5G network
In line with the standard, the ENS5G adopts an approach based on the criticality of each element of a 5G network, identifying the risks, vulnerabilities and threats to which each of these elements may be exposed, with risk-based security management.
In order to mitigate these risks and minimise the impact of a hypothetical incident, the ENS5G requires 5G network operators and suppliers of equipment involved in these networks to carry out a risk analysis as a basis for comprehensive security management, which must be duly updated to adapt to technological developments and the state of the art in security.
Critical network elements, which must be located within the national territory (with certain reservations), are defined as those related to core network functions, control and management systems and support services, as well as the access network in geographical areas and locations to be determined.
The ENS5G also proposes security measures to resolve, reduce or mitigate the identified risks. The higher the criticality of the element or the greater the impact on the service and/or customers, the more stringent the security measures to be taken. Operators shall take appropriate technical and organisational measures to manage risks during installation, use or operation, including having appropriate certificates and the ability to be audited. Operators and suppliers must implement prevention, detection, response and information preservation measures for each network segment, which will be developed in the corresponding technical orders and audited every two years. Telefónica is fully aligned with ENS5G after many years of implementing a security management policy by design.
Specific measures for the security of 5G networks in Spain
In addition to the mandatory risk analysis, carried out every two years or as needed, and the implementation of procedures to mitigate these risks, the ENS5G sets out a number of specific measures aimed at increasing control over the 5G equipment supply chain where necessary.
These measures are as follows:
- Establish a mechanism allowing the Council of Ministers to designate certain suppliers as high risk, based on an analysis of both the technical guarantees of their equipment and their potential exposure to foreign interference. This will take into account, among other things, the supplier’s links with third country governments, the composition of its share capital, the ability of a third country to exert pressure, the legislation and/or cyber defence policy of that third country, security cooperation agreements and compliance with data protection rules.
- This declaration, if it is made, will have the following implications:
  - High-risk suppliers shall submit to the Ministry information concerning the safety of their equipment.
  - 5G network operators would not be able to have equipment from declared high-risk vendors in critical network elements.
- In addition, the National Security Council may designate locations, areas and centres of special importance to national security, such as nuclear power plants, centres related to national defence and other strategic locations. On the towers providing 5G coverage to these locations, equipment from suppliers classified as high-risk cannot be installed and operators must follow a specific administrative procedure to carry out installation or maintenance activities.
- As a final specific measure, the ENS5G obliges 5G network operators operating critical network elements to develop a supplier diversification strategy to secure the supply chain as far as possible in accordance with the identified obligations, which should also be updated accordingly.
5G Operations Centre, a pioneer in Europe
Lastly, and as a major innovation, the ENS5G includes the creation of a 5G reference operations centre, funded in part by the Transformation, Recovery and Resilience Plan, with the following tasks:
- Acquire 5G cybersecurity skills or monitor and ensure that the security measures in the Security Scheme are implemented
- Determine the criticality of 5G infrastructure elements
- Develop improvement proposals to increase monitoring and defence in 5G networks
- Develop R&D capabilities in terms of security
This Operations Centre shall, as far as possible, provide an adequate response capability to 5G cybersecurity incidents and provide support and assistance to the different actors involved. Actors bound by this Regulation may also establish 5G Security Operations Centres.
The ENS5G completes the regulatory framework for the security of 5G networks and services in Spain. It addresses security from a comprehensive perspective and aims to provide legal certainty to the different players in the value chain, including operators and suppliers.
Novel as it may seem, the ENS5G in fact embodies, at a regulatory level, the main principles and procedures of security management that operators such as Telefónica, as the parties responsible for the deployment and operation of their networks and services, are already working on to minimise any security risk and impact for their customers, thanks to a comprehensive security policy from the design stage.
Cooperation, coordination and simplification of the communication of incidents and the protocols for dealing with them by the actors involved in the value chain, and the different competent authorities, will be essential to ensure the highest level of security.