Transcription
EDGE VS. CORE AN INCREASINGLY LESSPRONOUNCED DISTINCTIONIN 5G NETWORKS2020Cybersecurity and Infrastructure Security Agency
EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKSKEY FINDINGSThe Cybersecurity and Infrastructure Security Agency (CISA) assesses that integration of untrustedi fifth generation (5G)core functions into the Radio Access Network (RAN) and the transition away from traditional network boundaries increasesrisk to telecommunication networks from equipment previously thought to be less critical (e.g., base stations, small cells).Accordingly, CISA recommends avoiding the use of hardware or software from untrusted entities that impact the operationsof both the core and edge portions of the networks, and does not believe that the distinction between the two is meaningfulfrom a risk management perspective. To reduce the national security risks associated with the implementation of 5Gtechnology, network operators should use only trusted providers and encourage the continued development of trusted 5Gtechnologies, products, and services across the entire 5G ecosystem.SCOPE NOTE: CISA produced this Critical Infrastructure Security and Resilience Note to informAgency leadership and partners about how edge computing increases the risks of installing untrustedcomponents into 5G networks by moving core functions into the RAN edge. This product is intendedto provide an overview of edge computing and represents CISA’s analysis of the risks associatedwith the installation of untrusted components into 5G infrastructures. This analysis represents thebeginning of CISA’s thinking on this issue, and not the culmination of it. It is not an exhaustive risksummary or technical review of attack methodologies. This product is derived from the considerableamount of analysis that already exists on this topic, to include public and private research andanalysis. Analysis of complex, sophisticated, and distributed cyber intrusions against 5G networksis beyond the scope of this product. At the time of this product’s creation, 5G and edge computingstandards, networks, and components are still under development.Untrusted companies are those that do not meet most, if not all, of the criteria in the Center for Strategic and International Studies’ May 13, 2020 document, “Criteria for Security andTrust in Telecommunications Networks and Services.” For more information refer to: telecommunications-networks-and-services.ii
iiEDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKSCONTENTSWhat is Edge Computing01Mobile Edge Computing (MEC) - Edge computing StandardEdge vs. Core - An Increasingly Less Pronounced DistinctionRisk From Untrusted Entities03Increased Risk LandscapeSoftware Assurance ConcernsSoftware Defined Networking (SDN) – A Key Enabler ofEdge ComputingNational Opportunities to Mitigate EdgeComputing RiskEncouraging continued development of trusted 5Gtechnologies, software, and servicesRestricting the use of 5G equipment from untrustedcompanies and those with poor hardware and/orsoftware assuranceContinued engagement with the private sector on riskidentification and mitigation efforts05
EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKS1WHAT IS EDGECOMPUTING?Edge computing transforms the way data is processedand stored by moving some core network functions tobe more proximate to the end user at the network edgerather than relying on a central location that may behundreds of miles away.1 Moving the data processingand storage closer to the point at which it is createdminimizes the amount of long-distance communicationrequired between a client and a server.2Edge computing supports 5G emerging technologies byproviding reduced latency and decreased core networktraffic. For example, 5G will help autonomous vehiclesthat rely on immediate data processing and analysis toensure near-instantaneous responses. An autonomousvehicle using edge computing sends data to a nearbyaccess point where it is analyzed and returned,avoiding all the additional network hops it takes to sendinformation to a centralized data center.ii Conversely, in atraditional network architecture, the autonomous vehiclewould communicate with a centralized data center, whichcould increase the number of network hops and impacttime-sensitive applications like high definition mapping,real time traffic flow, and industry specific logistical data.iiEdge computing provides new possibilities for criticalapplications, particularly for those relying on ultralow latency, such as telesurgery, thermal imaging foremergency response, traffic safety and control, andautonomous manufacturing. Figure 1 shows emergingtechnologies that are enabled by edge computing.Edge computing provides network operators improvedvisibility over traditional networks and enables fasteridentification of potential security issues. Data that wastraditionally sent to a data center at the core of networkcan now be scanned closer to where it originated,potentially allowing for faster remediation. This allowsnetwork defenders to allocate security resources, suchas threat monitoring and analytic tools, to where they’reneeded most. While the move to edge computingpresents opportunities to enhance the security andimprove the reliability of 5G networks, the insertion ofuntrusted components within the RAN may negate anysecurity advantages that edge computing offers.A hop occurs when a packet passes from one network segment to the next as they travel between source and destination.
2EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKSFIGURE 1 — EMERGING TECHNOLOGIES ENABLED BY EDGE COMPUTINGMulti-Access Edge Computing (MEC) - EdgeComputing StandardMEC is a standard architecture that exists within edgecomputing.3 The communications industry widelyaccepts the MEC standard, and technologies mustmeet this standard for consideration in edge computing.Specifically, MEC is a type of edge computing thatextends the capabilities of cloud computing by bringingit to the edge of the network. While traditional cloudcomputing occurs on remote servers located far from theuser and device, MEC allows processes to take placein base stations, central offices, and other aggregationpoints on the network. This functionality increasesnetwork and data storage reliability and will limit thenumber service outages and cyber-attacks.4 MECalso allows for the RAN to be available to third partyapplication developers and content providers to allow forimproved real-time optimization of applications andnetwork resources.Edge vs. Core - An Increasingly Less PronouncedDistinctionIn a Third Generation/Fourth Generation (3G/4G)wireless network, devices such as smart phones andcomputers generate data that transmit to a RAN basestation. The base station then connects wirelesssubscriber devices to the internet via the core network,which acts as the backbone of the U.S. communicationsinfrastructure that routes and transports data, andconnects the different parts of the RAN. A 3G/4G RANincludes thousands of base stations and antennas thatrelay information, but do not store or process it.5Edge computing blurs the distinction that previouslyexisted in wireless networks by hosting core resourceswithin the RAN near base stations and closer toend users. While edge computing will support corefunctionality at the RAN, it is not part of the core andany issues that affect the edge may not reach the corenetwork. The integration of some core functions into theRAN and the blurring of traditional network boundariesmay increase the risk that compromises of previouslynon-sensitive equipment (e.g., base stations, small cells)will lead to greater impacts to the confidentiality, integrity,and availability of the overall network.6
EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKS3RISK FROMUNTRUSTED ENTITIESCISA assesses that the introduction of untrusted 5G components into the RAN could expose core network elements torisks introduced by software and hardware vulnerabilities, counterfeit components, and component flaws caused by poormanufacturing processes or maintenance procedures. The integration of core functions into the RAN and the transition fromtraditional network boundaries increases risk to telecommunication networks from equipment previously thought to be lesscritical (e.g., base stations, small cells). This equipment, if exploited, will impact the confidentiality, integrity, and availabilityof the network.Risk LandscapeIn edge computing, core traffic functions like dataprocessing and storage exist within the last mile oftelecommunication networks, unlike traditional networkconfigurations.iii The ubiquity of core components in theRAN may provide malicious actors with additional attackvectors to intercept, manipulate, and destroy criticaldata. Untrusted components inserted within the RANmay impact user privacy by providing malicious actorsthe capability to clone devices and impersonate endusers to make calls, send texts, and use data.7Malicious actors can use untrusted components to gainaccess to Internet of Things (IoT) devices, which can bedifficult to secure due to poor device management andplatform diversity. Malicious actors may target IoTiiidevices with attacks that exploit poor configurations, andthen use those devices as a hop point in order to gain afoothold in RAN networks.8Extending communication networks with edgecomputing changes the surface area for attacks, andmay compound risks for networks utilizing untrustedendpoint components. Malicious actors may useunsecure endpoints and IoT devices as attack vectors indistributed denial-of-service attacks, or as entry pointsto access core networking components. To mitigatethese risks, network carriers have implemented networkcompartmentalization and isolation, which can limit theimpacts from compromised components.The last mile refers to the final leg of the telecommunications networks that deliver services for end-user applications.
4EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKSSoftware Assurance ConcernsUntrusted entities can enable serious and systematicdefects in their software engineering, maintenance,and cybersecurity practices.9,10 Poorly developed codemakes vulnerability management significantly moredifficult, and can lead to unsupportable software. If acritical outage occurs, systems, programs, and data withcode from untrusted entities are more difficult to recoverand may lead to extended outage times.The functionality of 5G and edge computing is relianton proper cyber and network security. Untrusted entitieswith poor software assuranceiv develop technologies thatare vulnerable to cyber attacks and may be difficult toupdate, repair, and replace, potentially requiring costlyongoing management and mitigation support.11Software Defined Networking (SDN) – A Key Enablerof Edge ComputingSDN is a software-based approach to networkmanagement that enables dynamic provisioning andpolicy-based management of network resources,allowing the network to make decisions for the operatorto improve efficiency and utilization.12 SDN enables edgecomputing by managing traffic between traditional cloudinfrastructure and the edge, acting as a decision-makerivfor tasks and determining which should be processedat the network edge or in the cloud.13 SDN has a singlepoint of control known as the SDN controller, which ifdeveloped by an untrusted provider with poor softwareassurance and cyber security competence, couldallow cyber actors to move laterally within a networkand bypass security points. SDN is anticipated to bea foundational component of 5G, enabling improvedvirtualization, increased bandwidth and capacity, andreduced latency.SPOTLIGHT:Risk from Poor Coding PracticesIn June 2019, Finite State, a cybersecurity vulnerabilityresearch firm, analyzed more than 1.5 million uniquefiles embedded within 9,936 firmware imagessupporting 558 different products within Huawei’senterprise networking product lines. The report notesthat Huawei used decade-old versions of librariescontaining multiple vulnerabilities, and even found thatHuawei engineers disguised known unsafe functionsas the safe version. The results of the analysis showedthat Huawei quantitatively poses a high risk to theircustomers, not only due to their failure to use commonlyaccepted secure coding practices, but also because oftheir attempts to purposefully disguise poor practices inorder to deceive code reviewers.Software assurance is the user’s confidence that a software functions as intended, and is free of vulnerabilities throughout the product lifecycle.
EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKS5NATIONALOPPORTUNITIES TOMITIGATE EDGECOMPUTING RISKCISA recommends avoiding the use of hardware or software from untrusted entities that impact the operations of both thecore and edge portions of the networks, and does not believe that the distinction between the two is meaningful from arisk management perspective. To reduce the national security risks associated with the implementation of 5G technology,network operators should use only trusted providers and encourage the continued development of trusted 5G technologies,products, and services across the entire 5G ecosystem. Opportunities for the U.S. Government and industry to worktogether to maximize the benefits of next generation communication networks, and to promote security and resilienceassociated with emerging 5G technologies exist at the strategic level.Opportunities for the U.S. Government and industryto work together to maximize the benefits of nextgeneration communication networks, and to promotesecurity and resilience associated with emerging 5Gtechnologies exist at the strategic level. Follow-on effortsand discussions are necessary to expand on specificpotential actions.Encouraging continued development of trusted 5Gtechnologies, software, and servicesReliance on untrusted 5G technologies often occursbecause of relatively low costs associated with thosetechnologies. Additionally, if untrusted companies’equipment and software is already installed as part
6EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKSof the 4G (Long-Term Evolution) LTE network, lackof interoperability may make it impossible to installother companies’ 5G equipment without replacing theexisting 4G LTE equipment, which may be extremelycostly. Some solutions such as national investment inresearch and development, promoting efforts to ensureinteroperability, and promoting the standardization ofopen protocols within RAN componentry could lead toreduced risk and increases security across 5G networkdeployments.Restricting the use of 5G equipment from untrustedcompanies and those with poor hardware and/orsoftware assuranceThe United States can take action to limit the adoptionof 5G equipment that may contain vulnerabilities due topoor hardware and software assurance. Cybersecuritycan be improved for U.S. communications across thefederal enterprise by limiting the installation of 5Gcomponents from companies with poor security culturesand risky software assurance.14 The United Statescan also promote proper engineering, maintenance,and cybersecurity best practices, which can improvesoftware assurance and make U.S. communicationsinfrastructure more resilient to cyber attacks. Aspracticable, CISA recommends not using 5G equipmentfrom untrusted companies and those with poor hardwareand software assurance.Continued engagement with the private sector onrisk identification and mitigation effortsThe U.S. Government can continue to work withthe private sector—to include information andcommunication technology providers—to help mitigatevulnerabilities. The private sector can provide insightson where government support or intervention—suchas through the development of best practices, theconvening of industry and government partners, andthe prohibition of untrusted equipment—will help secureedge technologies and 5G networks. As highlightedin a recent report by the Communications Security,Reliability, and Interoperability Council, 5G in standaloneconfigurations actually presents opportunities for securityenhancements over previous generations. These includeincreased home operator control, enhanced subscriberprivacy, and user plane integrity protection in RAN.15DISCLAIMER: This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide anywarranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced inthis bulletin or otherwise. This report is TLP: WHITE: Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information maybe distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKS7The Cybersecurity and Infrastructure Security Agency (CISA), National Risk Management Center (NRMC) is theplanning, analysis, and collaboration center working in close coordination with the critical infrastructure communityto Identify; Analyze; Prioritize; and Manage the most strategic risks to National Critical Functions. These are thefunctions of government and the private sector so vital to the United States that their disruption, corruption, ordysfunction would have a debilitating impact on security, national economic security, national public health orsafety, or any combination thereof. NRMC products are visible to authorized users at HSIN-CI and Intelink. Formore information, contact NRMC@hq.dhs.gov or visit 00301Keith Shaw. “What is edge computing and why it matters.” Network World. November 13, 2019. k.html. Accessed on June 22, 2020.2Federal Communications Commission (FCC) Technological Advisory Council: 5G IoT Working Group. “5G Edge Computing White Paper.” l.pdf. Accessed on June 22, 2020.3ETSI. “Multi-access Edge Computing (MEC)” ETSI, e-computing. Accessed on Oct 5, 20204Connor Craven. “What’s the Difference Between Edge Computing and MEC?” SDX Central. April 29, 2019. the-difference-between-edge-computing-and-mec/. Accessed on June 22, 2020.5Iain Morris. “Telecom industry rift widens over key 5G security issue.” Light Reading. e/d/d-id/756247. Accessed June 22, 2020.6European Commission. “The EU Toolbox for 5G security.” /eu-toolbox-5g-security. Accessed on June 22, 2020.7Andrew Coutes. “Meet the 250 Verizon device that lets hackers take over your phone.” Digital Trends. August 1, 2013. izon-hack/.Accessed on June 22, 2020.8Microsoft Security Response Center (MSRC) Team. “Corporate IoT - a path to intrusion.” Microsoft: Security Research and Defense. te-iot-a-path-to-intrusion/. Accessed on June 22, 2020.9Gov.UK. “Huawei cyber security evaluation centre oversight board: annual report 2019.” Cabinet Office from the Huawei Cyber Security Evaluation Centre Oversight Board. March 28,2019. nnual-report-2019. Accessed on June 22, 2020.10Finite State. “Finite State Supply Chain Assessment: Huawei Technologies Co., Ltd.” Finite-State-SCA1-Final.pdf. Accessed on June22, 2020.11Gov.UK. “Huawei cyber security evaluation centre oversight board: annual report 2019.” Cabinet Office from the Huawei Cyber Security Evaluation Centre Oversight Board. March 28,2019. nnual-report-2019. Accessed on June 22, 2020.12Michael Cooney. “What is SDN and where software-defined networking is going.” Network World. April 16, what-sdn-is-and-where-its-going.html. Accessed on June 22, 2020.13Andrew Froehlich. “Where does SDN fit in edge computing architecture?” TechTarget: SearchNetworking. November 2018. re-does-SDN-fit-in-edge-computing-architecture. Accessed on June 22, 2020.14Rep. Mac Thornberry [R-TX-13]. “H.R. 5515 - John S. McCain National Defense Authorization Act for Fiscal Year 2019.” U.S. Congress: House Armed Services Committee. -bill/5515/text. Accessed on June 22, 2020.15Communications Security, Reliability, and Interoperability Council VII. bility-council-vii. Accessed on June 30, 2020.
8EDGE VS. CORE - AN INCREASINGLY LESS PRONOUNCED DISTINCTION IN 5G NETWORKS
Cybersecurity and Infrastructure Security Agency
MEC is a standard architecture that exists within edge . computing. 3. The communications industry widely . accepts the MEC standard, and technologies must meet this standard for consideration in edge computing. Specifically, MEC is a type of edge computing that extends the capabilities of cloud computing by bringing it to the edge of the network.
