ENISA, the European Union Agency for Cybersecurity has published its Threat Landscape for 5G Networks report, assessing the threats related to the fifth generation of mobile telecomunications networks (5G).
This report complements the EU Member States report on EU-wide risk assessments on 5G security released in October 2019.
According to the report, 'the technological changes introduced by 5G will increase the overall attack surface and the number of potential entry points for attackers:
These new technological features will give greater significance to the reliance of mobile network operators on third-party suppliers and to their role in the 5G supply chain.
This will, in turn, increase the number of attacks paths that could be exploited by threat actors, in particular non-EU state or state-backed actors, because of their capabilities (intent and resources) to perform attacks against EU Member States telecommunications networks, as well as the potential severity of the impact of such attacks.
In this context of increased exposure to attacks facilitated by third-party suppliers, the individual risk profile of suppliers will become particularly important, in particular where a supplier has a significant presence within networks or areas:
Together, these challenges create a new security paradigm, making it necessary to reassess the current policy and security framework applicable to the sector and its ecosystem and essential for Member States to take the necessary mitigating measures.
This requires identifying potential gaps in existing frameworks and enforcement mechanisms, ranging from the implementation of cybersecurity legislation, the supervisory role of public authorities, and the respective obligations and liability of operators and suppliers.
In order to address the above-described risks and to make full use of potential security opportunities linked to the 5G technology, various types of measures may be considered. Among these measures, some of them are already in place, at least partially. This concerns in particular security requirements applicable to previous generations of mobile networks and which remain valid for the future deployment of 5G networks.
In addition, for many of the identified risks, particularly those affecting the core or access levels, contingency approaches have been defined through standardisation by 3GPP.
However, the fundamental differences in how 5G operates also means that the current security measures as deployed on 4G networks might not be wholly effective or sufficiently comprehensive to mitigate the identified security risks. Furthermore, the nature and characteristics of some of these risks makes it necessary to determine if they may be addressed through technical measures alone.
The assessment of these measures will be undertaken in the subsequent phase of the implementation of the Commission Recommendation. This will lead to the identification of a toolbox of appropriate, effective and proportionate possible risk management measures to mitigate cybersecurity risks identified by Member States within this process.
Consideration should also be given to the development of the European industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc.'
You can read the full report here: https://ec.europa.eu/digital-single-market/en/news/enisa-publishes-threat-landscape-5g-networks