Professional Documents
Culture Documents
Security Aspects
of 5G for Industrial Networks
2 3
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
3 3GPP
The 3rd Generation Partnership Project (3GPP) is a collabora- As its name implies, it was first created to establish such Fig. 1: 5G-ACIA NPN scenarios
tive project that brings together standardization organizations specifications for the third generation (3G) of mobile commu-
from around the world to create globally accepted specifica- nication systems. It has continued its work for subsequent
tions for mobile networks. generations, including the one considered here, the fifth gen-
eration (5G).
Public Public
network network
services services
Public network Public network
4 5G-ACIA
Local path Local path
Optional
The 5G Alliance for Connected Industries and Automation technology (OT) players (industrial automation companies, connec-
tion
(5G-ACIA) was established to serve as the central and global engineering companies, production system manufacturers,
forum for addressing, discussing, and evaluating relevant end users, etc.), the ICT industry (chip manufacturers,
technical, regulatory, and business aspects with respect to network infrastructure vendors, mobile network operators,
5G for the industrial domain. It reflects the entire ecosystem etc.), higher education, research, and other groups. Non-public Non-public
network network
and all relevant stakeholder groups, ranging from operational services services
5 5G non-public network
deployment scenarios
Public Public
network network
services services
Public network Public network
5G-ACIA identified four types of non-public network (NPN) within the logical NPN perimeter. While it is possible
deployment scenarios. They have differing levels of integra- to have either shared or dedicated base stations for Local path
tion with the PLMN: the NPN, the RAN is operated by the public network
operator. This scenario corresponds to the 3GPP SNPN
1. Standalone NPN: An isolated or standalone NPN (SNPN) specification. From a technical perspective, there is
does not share any resources with the PLMN but might no difference for the PLMN between this scenario and
have access to it via a firewall. In this scenario, the NPN is the SNPN described above. From an OT operator point Non-public
Non-public network
logically and physically separate from the public network of view, since the PLMN base station is involved in network
services
services
and is typically operated by the OT operator on a shared authentication data exchange and has visibility into the Shared RAN and control plane NPN within public network
spectrum such as citizens’ broadband radio service user plane protection keys, the NPN operator needs to
(CBRS) or on an unlicensed spectrum. This scenario take this into account during their risk assessment.
corresponds to the 3GPP SNPN specification. Source: 5G-ACIA
3. Shared radio and control plane: Both the radio network
2. Shared radio access NPN: In this scenario, the NPN only and the control plane functions are shared between the
shares the radio access network (RAN) of the public NPN and the PLMN. The user plane is entirely within the
network. All other control and user plane functions and NPN, supporting NPN data flow within the logical NPN
network resources remain isolated. NPN data remains perimeter. NPN devices are subscribers to the public
4 5
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
network. This scenario would significantly benefit from According to 3GPP, the first two scenarios are classified as such as the UICC. OT devices that require PLMN access With the introduction of 5G into OT networks, the OT security
5G network slicing features for its implementation. 5G SNPNs and the latter two are classified as public network- would need to comply with the PLMN’s authentication toolbox needs to be expanded to include corresponding 5G
closed access group (CAG) functionality can be used for integrated NPNs (PNI-NPNs). Fig. 1 depicts the possible NPN and credential storage and processing requirements, be it security mechanisms that address the requirements outlined
access control in this scenario [5]. deployment scenarios. via 3GPP or non-3GPP access. above. It is worth noting that the OT security toolbox con-
tains numerous features that address security requirements
4. Shared radio, control and user planes: In this scenario, OT security requirements will differ according to the specific 4. Regulatory compliance and associated certifications are at layers above the network layer. “Defense in depth” is also
the NPN is hosted by the public network and all NPN NPN deployment scenario and will be related to the security major business imperatives. Each network configuration a common approach in OT networks. These features are dis-
traffic is routed via the public network. NPN devices are requirements of OT networks currently deployed. The most change or update needs to ensure continuity of cussed in greater detail in the following section.
subscribers to the public network. This scenario would common security requirements and characteristics of OT net- compliance. Otherwise, associated certifications could
significantly benefit from 5G network slicing features for works are discussed in the following sections. be lost. Some of these regulatory requirements relate
its implementation, enabling separation between traffic to restrictions on data flows to the outside, and to other
and control plane functions of the NPN and PLMN. 5G confidentiality and integrity protection mechanisms. 5G
closed access group (CAG) functionality can be used for security features and functions would need to support
access control in this scenario [5]. compliance with these requirements, especially those
defined in the IEC 62443 standard. By the same token,
regulatory requirements within the PLMN, such as strong
user authentication, access to emergency calls, and
lawful interception, where applicable, would need to be
6 Security and privacy met in the case of PLMN-integrated NPNs.
6 7
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
8 9
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
Table 1: IEC 62443 security levels for any industrial automation system. Since adversaries with Figure 3 illustrates an example IACS based on the Purdue
IACS-specific knowledge may implement dedicated attacks, model and the IEC 62443 security design where two produc-
Security Level Means Resources Skills Motivation
it is also advisable to contemplate level-3 defense mecha- tion plants are overseen by a headquarters. For this exam-
SL1 Casual or coincidental violation nisms based on the risk assessment. ple, three security zones for process control, safety control
and operations management have been created within the
SL2 Simple Low Generic Low The security levels are also reflected in the Security Require- plants. Each zone has its own functionality and characteris-
ments for Systems and Security Requirements for Compo- tics, and typically a dedicated owner, and therefore differing
SL3 Sophisticated Moderate IACS-specific Moderate
nents parts of IEC 62443 referenced above. Some require- security requirements. In the example, some assets in level
SL4 Sophisticated Extended IACS-specific High ments only need to be fulfilled at higher security levels, while 1 and level 2 of the Purdue model could be included in one
others are valid for all levels. For example, table 2 shows that security zone, because it is assumed that these assets have
Source: 5G-ACIA requirement CR 1.9 Strength of public key-based authen- the same security requirements and are owned by the same
tication needs to be fulfilled to achieve SL2, SL3 and SL4. responsible organization.
System, and Components. 62443-3-3 Security Requirements egress point of a network. Fulfillment of some requirements Moreover, for systems and components to achieve SL3 and
for Systems and 62443-4-2 Security Requirements for could potentially be left to higher layer functions SL4, there is a need for hardware security to protect keys and For assets within a security zone to provide value, information
Components reflect the functional requirements from a credentials. usually needs to flow not only within the security zone,
design perspective. For maintenance aspects, 62443-2-4 list In addition to requirements, IEC 62443 defines four security but also into or out of the security zone. The owner of the
the requirements. levels (SL) that drive system security measures according to As an example of how the 5G security toolbox would help fulfill security zone needs to control the information flows entering
the attributes of potential attackers (table 1). these requirements, it is important to note that 3GPP-com- and exiting the zone. To this end, the IEC 62443 standard
The standard defines seven foundational requirements (FRs) pliant 5G end-user devices store their security credentials series describes the concept of a conduit to cover the security
that need to be fulfilled to design a secure component/ The following are instances of the various kinds of attackers: on secure hardware, such as the (e)UICC for 3GPP-compliant aspects of the information flows. A conduit is a grouping
system: PLMNs or secure hardware components in non-UICC based of information flows crossing a border between security
• SL1: Any (Internet) user devices, which ensure compliance with high IEC 62443 secu- zones. The conduit can be physical or virtual, implemented
• FR1: Identification and authentication control • SL2: Hacker/company with generic security knowledge rity levels. This will be especially important for devices used via a network service, direct physical access (for a physically
• FR2: Use control • SL3: Expert/company with dedicated security knowl- in critical infrastructures. To ensure security for any of the isolated system), or a combination of these. The conduit
• FR3: System integrity edge that is willing and able to execute sophisticated 5G NPN scenarios would require consideration of which IEC usually employs a firewall to validate any communications
• FR4: Data confidentiality attacks 62443 security levels are pertinent. However, it might well be made via the conduit.
• FR5: Restricted data flow • SL4: Government organizations/states the case that differing parts of a network would have differ-
• FR6: Timely response to event ing security levels. The following sub-section looks at such an In the following figure, two conduits are defined for each
• FR7: Resource availability While security level 1 describes a system that is protected architecture and how the IEC 62443 framework would apply. plant, and there is an enterprise conduit connecting the
against casual or coincidental violation, level 4 assumes that headquarters and the plants, most probably via a public or
For each foundational requirement, a list of system require- the system implements mechanisms to counter adversaries private WAN service. The security design of this example
ments (SR) and requirement enhancements (RE) are de- that have sophisticated means, extended resources and an prevents direct information flow over multiple levels of the
fined. The 5G security toolbox will be especially relevant for IACS-specific skillset. The required security level is subject to 8.1 Concepts of zones and Purdue model (for example, directly between level 1 and level
network- and data-related requirements such as, for exam- individual risk and threat analysis. In general, it can be as- conduits in the IEC 62443 4 without passing through the intermediate levels).
ple, visibility into communication flows at a given ingress or sumed that level 2 attacks will always have to be considered standard series
Implementation of this architecture with 5G will depend on
It is not practical to apply a single security level to a large the existing network architecture and isolation requirements.
Table 2: IEC 62443 requirements reflect the security levels. Example with CR 1.9 or complex IACS. The IEC 62443 standard series therefore Network slicing and closed access groups (CAGs) [5] could play
describes the concept of a security zone, i. e. a logical grouping a part in this architecture. Logical segmentation using virtual
IEC 62443 Requirement SL1 SL2 SL3 SL4
of physical, informational, and application assets that share local area networks (VLANs) is another technique that could
CR 1.9 – Strength of public key-based authentication x x x common security requirements. A security zone has a clearly be used in conjunction with or in place of network slicing to
defined border that creates a division between included and implement security zones and conduits over the 5G network.
RE(1) Hardware security for public key-based authentication x x excluded assets. Assets in differing security zones are usually
isolated from each other.
Source: 5G-ACIA
10 11
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
Each zone can be treated as a separate network slice, i. e. of them with 5G. Slicing for each zone makes sense if the 3GPP currently mandates that in a 5G system a USIM in the In 3GPP Rel-15, network slice authentication and authorization
headquarters, plant A and plant B would be separate slices network offers differing types of services to each zone. On UE must hold the shared secret (3GPP credentials) between are defined as part of primary UE authentication. When the
with slice-specific authentication (on top of primary authen- the other hand, if intra-zone and inter-zone communication the UE and the operator when using 5G-AKA or EAP-AKA’. UE is authenticated by the network upon initial access, a set
tication). This provides logical separation between the mem- is protected end-to-end at the application layer and the 5G Accordingly, when these two authentication methods are of NSSAI (network slice selection assistance information)
ber groups. The conduits can be implemented by means of network is only used for transport, then slicing may not be not used, such as in the case of other EAP authentication items denoting what is permissible is sent back to the UE.
WAN connections. Based on the security level of each zone, needed. methods, for example EAP-TLS for SNPNs, the 3GPP standard The serving network also receives a copy of the NSSAI which
core network functions might have to be implemented sepa- does not specify how the credentials are stored and processed the UE is entitled to access. The UE can request to access
rately for each slice. Now that the major security requirements and characteris- within the UE, leaving the choice to the SNPN operator. any one of the permissible network slices (by including the
tics of OT deployments as well as their overarching standard corresponding NSSAI in the service request), but any request
It is worth noting that, since OT deployments are often security management framework have been described, this For PNI-NPNs, since they will be connecting to PLMNs, the to access a network slice that is not part of the NSSAI item
brown-field projects, and many existing processes do not paper next looks at 5G security features that would be most use of 5G-AKA and EAP-AKA’ authentication methods are set is denied.
require modification, it may not be desirable to replace all relevant for the OT security implementation toolbox. mandatory, together with the presence of USIMs in the UE for
12 13
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
Table 3: Network slicing scenarios 3GPP has defined specifications for the secure storage and (GP) VPP technology to support applications for various uses,
processing of subscription credentials within a tamper- such as network authentication and non-telecommunica-
NPN deployment Subscription Default network/ Authentication Comments
scenario owner slice interworking method resistant secure hardware component to ensure the security tions applications e. g. banking, etc.
of the 5G system [3]. The secure hardware component is
Standalone NPN NPN operator No interworking Multiple methods Totally isolated NPN for an normally strongly linked to the platform hardware design, The Trusted Computing Group (TCG) standardizes two types
(SNPN) + shared with any other PLMN possible OT, with no interworking
RAN NPN network. with external networks, and a number of standardized solutions are available. of technology for the implementation of protected secure
providing total isolation.
hardware components. The first of these two technologies,
Public network- PLMN operator Default network is Primary authentication The subscription is owned
A secure hardware component can be used as the anchor for the trusted platform module (TPM), provides security services,
integrated (PNI-NPN) PLMN, but certain by the PLMN using by the PLMN. Access to the network authentication application (NAA) employed for such as attestation, key management and authentication
(i. e. shared RAN and users have access to AKA-based authentication PLMN is controlled by the
control plane or fully NPN enterprise network methods. The credentials for PLMN operator. mutual authentication between the UE and the 5G System from a tamper-resistant hardware component. The second,
integrated NPN). acting as a separate primary authentication are (5GS). TS 33.501 5G Security architecture and procedures the device identity composition engine (DICE), addresses
slice. stored and processed within
the USIM. But slice-specific for 5G System includes methods for authentication in identity creation in resource-constrained devices, such as
authentication (EAP method) NPNs, namely 5G-AKA, EAP-AKA’, as well as any other key- IoTs.
can optionally be performed
between the UE and the NPN, generating EAP authentication method for SNPNs, for
if 3GPP Rel-16 is applied.
example EAP-TLS. The prerequisite for all methods is that The Global Platform (GP) defines the GP trusted execution
Source: 5G-ACIA the authentication key is protected. environment (TEE) and GP VPP technology. The difference
between TCG and GP technologies is that TCG provides static
Rel-15 therefore supports network slices by means of the UE’s A standalone NPN (SNPN) or public network-integrated NPN For 5G AKA and EAP-AKA’, 3GPP mandates usage of a USIM services as defined by the standardization organization
subscription information, and authentication and authoriza (PNI-NPN) can be built using Rel-15 and Rel-16 security pro- on a UICC to protect storage and processing of credentials. whereas Global Platform provides a framework within which
tion for slice access is incorporated into primary authenti cedures. It is up to the NPN operator or tenant to choose the For SNPNs, other EAP methods than AKA are allowed. The applications can be hosted to provide the corresponding
cation. It is also possible for the NSSAI to be concealed, and appropriate NPN-PLMN interworking and level of authenti- choice of solution for the secure storage and protection of services. Key to evaluating secure hardware components
therefore not exposed in the radio layer, if it is considered cation and authorization. A PLMN could deploy a PNI-NPN in associated credentials is left to the SNPN operator(s). is their certification on the basis of protection profiles.
sensitive. such a way that the PLMN is the default network and the OT Standardization organizations develop schemes to help with
is a separate, dedicated slice. In this case, the PLMN would The conventional solution for hosting the NAA is within a this process.
In 3GPP Rel-16, support is included, in addition to the prima- perform default authentication and authorization of the UE. UICC. The UICC is a tamper-resistant hardware platform. Over
ry authentication for network slice access, for a slice-specific Using Rel-15 and Rel-16 methods, the OT can create an addi- time, the UICC has evolved from a credit card-sized smartcard
authentication procedure using the EAP authentication tional security layer on top of PLMN authentication for more to smaller form factors. With the current state of the art, one 9.3.2 Choice of secure hardware
framework (RFC 3748). control and isolation. option is to solder the UICC to the printed circuit board (PCB). components for NPN
This is also known as an embedded UICC. Several standard-
Any EAP authentication method based on this framework Given the two choices, i. e. deployment as either an SNPN or a ization organizations are currently working on defining the This section considers how to best choose a secure hardware
could be used. When the UE is authenticated for network PNI-NPN, there are several possible slice configurations. The evolution of secure hardware components. The following sec- component for an NPN. An NPN with a shared RAN and
access, the serving network and the UE receives a list of following table provides an overview: tion will outline the activities of these organizations and how control plane, and an NPN hosted by a public network, needs
permitted network slices, indicated by their NSSAIs. The they relate to NPN deployment scenarios. to adhere to the security requirements set by the PLMN in
permitted network slices may further require slice-specific accordance with 3GPP specifications. For the SNPN, including
authentication by the slice Authentication, Authorization the shared RAN-only scenario, the choice of solution for
and Accounting (AAA) function. This additional slice-specific 9.3 Secure storage and processing 9.3.1 Standardization of secure credential storage and protection is left to the SNPN
authentication is indicated by the UE subscription information. of credentials hardware components operator(s) by 3GPP specifications.
If it is the case, the Access and Mobility management Function
(AMF) in the serving network triggers the EAP authentication Another cornerstone of 5G security features is the secure There are a number of components that are being standard- A standalone NPN hosts its own authentication and subscrip-
procedure for slice-specific access. This additional slice- storage and processing of credentials used in 5G security pro- ized. The UICC is standardized by ETSI SCP, and 3GPP follows tion services. This implies that a variety of solutions for cre-
specific authentication gives much more control to the NPN cedures, thereby ensuring their trustworthiness. This section this standardization. The UICC platform hosts a file system dential storage and processing could be used. One example
(enterprise) slice tenant in managing access to the slice outlines the options available for various NPN deployment and an authentication service used to authenticate towards is the TPM module, which may already be employed during
instead of solely relying on the PLMN operator for access scenarios. the network. ETSI SCP also standardizes the alternative secure boot of the device, but can also be used to host the
control. smart secure platform (SSP), which utilizes Global Platform EAP-TLS keys for authentication to the network.
14 15
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
Table 4: Secure hardware component scenarios Fig. 4: Generic trust anchor API concept
Standalone NPN (SNPN) and shared RAN NPN Alternative solutions: GP TEE, TCG TPM, etc. Conventional PLMN SE:
(e)UICC, Future PLMN solution(s): iSSP, eSSP I4.0 Application Device Management
PNI-NPN with shared RAN and control plane and fully Conventional PLMN solutions: (e)UICC, PLMN future solution(s): iSSP,
integrated PNI-NPN eSSP (not currently in 3GPP specifications although ETSI SCP has
already published the standard) OPC UA TLS …
Device
Identity
Source: 5G-ACIA
5G IEEE 802.x …
It is recommended that NPN operators consider adopting and 9.3.3 A conceptual framework for the
contributing to one of the available credentials management usage of secure hardware components
solutions and the organization(s) that maintain them, rather in OT networks
Generic Trust Anchor API
than creating a brand-new solution that is maintained sepa-
rately. All these options need to be evaluated in addition to As described in the previous section, UICC has been used for Session 1 Session 2 Session 3 Session 4 Session n
the security model and specific security requirements of the secure credential storage and processing for a significant
Secure Hardware Secure Hardware Secure Hardware Secure Hardware … Secure Hardware
NPN operator before selection of the solution. NPN config- time in mobile communication networks. The use of secure Component Component Component Component
Component
urations and possible solutions are summarized in table 4. hardware components by industrial communication protocols
does not have such a long history but is clearly gaining mo-
For standalone NPNs (including the shared RAN-only sce mentum. With increasing connectivity and the introduction Source: 5G-ACIA
nario), OT operators can choose from the wide range of se- of new communication protocols, such as OPC UA, message
cure hardware components already on the market, or deploy security and device authentication have become more and
a PLMN-proven UICC-based solution. The protection provided more important. The level of protection afforded to keys and Figure 4 shows the basic concept of the generic trust anchor This completes the overview of the 5G security features most
by the chosen solution must be in line with the requirements credentials is directly linked to the 5G system’s level of se- API. The aim of standardization activities is to ensure that relevant to NPN deployments. The following section provides
of the OT security risk assessment. For PNI-NPNs, a UICC is curity. The use of a secure hardware component is therefore not only OPC UA and TLS but also other protocols and an assessment of a physical layer security concept that is
currently mandatory when it comes to primary authentica- advisable for industrial communication protocols as well. communication standards are supported by the API. One highly relevant for OT networks.
tion. (or several) Industry 4.0 applications on a device could
In order to increase security by lowering the integration initiate a number of sessions with one (or multiple) secure
It is acknowledged that use of secure hardware components overhead, the German Federal Office for Information Secu- hardware components. This way all cryptographic functions
might not be common in current OT networks, and their rity (BSI) has created a reference API for the usage of secure would be performed on the applicable secure hardware 9.4 Protection against radio
introduction might seem like a challenge. As described in the hardware components in OPC UA [6]. The goal was the defi- component. In Figure 4, session 1 would make use of one jamming in 5G
following sub-section, there are initiatives to encourage the nition of a standardized, vendorindependent API that allows secure hardware component to offer cryptographic services
integration of secure hardware components into OT networks the usage of various types of secure hardware components. for the 5G connection. Session 2 would use another secure Industrial operations have little tolerance for disruption of
where they potentially interact not only with 5G systems but As a result, higher layer applications can be developed inde- hardware component for the OPC UA-related cryptographic production lines or operations due to the unavailability or
also with other networking and security technologies, such pendently of the cryptographic software libraries or hardware functions. Session 3 could use a secure hardware component unreliability of their communication channels. The possibility
as OPC UA. trust anchors underneath. as cryptographic service provider for a TLS handshake. of radio level jamming has been a concern during the early
adoption of wireless/mobile, mostly Wi-Fi-based, technolo-
The importance of this BSI approach is widely accepted in the In addition to supporting applications, the generic trust an- gies within OT communication architectures.
OT industry and standardization efforts are currently ongoing. chor API could be used for device identity and lifecycle man-
A new ISO/IEC JTC1 SC41 work item for a Generic Trust Anchor agement, as indicated in the figure by session n. Integration There are numerous industrial use cases for 5G, such as
Application Programming Interface for Industrial IoT Devices, with 5G authentication methods for private networks should autonomous guided vehicles (AGVs) and massive industrial
supported by many OT companies, is scheduled to commence be considered to increase the usability of both the API and IoT (IIoT) deployments where the mobility features (handover
in the first half of 2020. 5G-based solutions in OT networks. between base stations and roaming) of 5G play a central role.
16 17
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
Authentication and secure Highly flexible implemen- Highly flexible implemen- Choice is determined Choice is determined by
storage and processing of tation. tation. by 3GPP, PLMN 3GPP, PLMN authentication
credentials According to 3GPP speci- According to 3GPP speci- authentication and and credentials manage-
fications, it is permissible fications, it is permissible credentials management ment requirements.
to use additional SNPN to use additional SNPN requirements.
authentication and creden- authentication and creden-
tials management options tials management options
(that are outside the scope (that are outside the scope
of 3GPP specifications). of 3GPP specifications).
Regulatory compliance Low effort for OT network Low effort for OT network Medium effort to ensure High effort for OT and low
regulatory compliance. regulatory compliance. regulatory compliance for effort for PLMN.
PLMN regulatory compli- PLMN regulatory compli- both OT and PLMN. For PLMN, identical to
ance does not generally ance does not generally public network
apply since the endpoints apply since the endpoints
are not on the PLMN. are not on the PLMN. compliance.
18 19
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
11 Conclusions
ry requirements vary from country to country in accordance generations in terms of jamming resilience. Furthermore, 3GPP 5G security features generally provide robust support In a conventional OT deployment, all entities within a network
with national legislation, and these variances are reflected in it is important to evaluate the risks realistically for any for OT network deployments. These security features to- or zone are assumed to be part of a single trust domain. In
the options provided in 3GPP standards. given scenario (indoor/outdoor, etc.). Additional measures gether form a toolbox that allows OT companies to address an OT 5G PNI-NPN, where a PLMN operator provides part of
can be developed at the implementation stage, and may the varying security risks of the multiple OT 5G deployment the network infrastructure or services, the PLMN operator
Where IEC 62443 security levels 3 and 4 apply, secure hard- not necessarily require changes to specifications. This scenarios described in this paper. The degree of involvement is a new entity that the OT operator must trust with regard
ware components would be necessary for non-trusted is an area that calls for additional investigation and the of the PLMN operator in implementation of the OT network to its certification requirements. This new relationship
elements of the network. This might be achieved by means development of robust solutions to alleviate persistent plays an important part in determining which security fea- could be compared to outsourcing. As in any outsourcing
of the 3GPP 5G-defined security features for mutual authen- concerns. tures would be applicable. model, visibility and monitoring capabilities become key to
tication of the UE and the network, or additionally at higher establishing trust and verifying compliance.
layers with necessary security assurance functions. Most 3. It would be helpful to establish security profiles and The OT domain is characterized by the interdependence of
likely, multiple layers of security would be deployed, reflect- implementation guidelines corresponding to each companies with various industry roles, such as manufactur- In this context, the PLMN operator aims to maintain its
ing a “security in depth” approach. 5G-ACIA-defined deployment scenario. These would ers, integrators and operators. The 5G security toolbox may trust relationship with the UE as before and the OT operator
essentially make 5G security expertise and the toolbox be used differently by each of these. Additionally, as much seeks to continue its conventional model of integral trust
It can be concluded from the above table that the isolated widely available and deployed. Operational considerations as technology requirements, the OT field is characterized by zones, perhaps through higher-level security functions, such
SNPN deployment scenario is generally closer to the current and implementation options will be just as much key operational and implementation-related requirements spe- as application layer encryption. Each will strive to minimize
OT network deployment characteristics while the fully inte- factors in such an endeavor as technology specifications. cific to each field deployment. Therefore, it will not be suffi- disruption to its existing mode of operation. It has been
grated PNI-NPN scenario is closest to a PLMN architecture. This work would need to be a joint effort on the part cient to select security features based on technical consider- demonstrated that 5G security features form a toolbox that
Available 5G security features can be adapted to each deploy of operational experts in the ICT and OT domains, and ations alone. Thought will have to be given to operational and both OT and PLMN operators can use to manage the risks in
ment scenario to meet the security requirements of OT may not necessarily be the remit of the standardization implementation-related constraints the OT networks of the future.
operators. organizations.
In the IEC 62443 standard context, when the 5G network
The outlook: would be part of a critical industrial system, the administra-
To enhance the 5G security toolbox even further, to meet tors and operators of the 5G network must be trusted by the
OT-specific security requirements, the following steps could industrial systems operator. When security levels 3 and 4 are
be taken. While these might not necessarily translate into needed, higher layer protections (e. g. a secure application
3GPP 5G specifications, their availability would enhance layer protocol such as TLS or IPsec) may have to be provided.
secure implementation of 5G in OT scenarios.
20 21
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
12 Definitions 13 Abbreviations
5G-AKA: Device authentication method defined by 3GPP and 3GPP 3rd Generation Partnership Project OPC object linking and embedding for
introduced for 5G. 5G-AKA 5G authentication and key agreement process control (OPC Foundation)
AKA authentication and key agreement OPC UA OPC Unified Architecture
5GS: Fifth generation system of the mobile network. API application programming interface OT operational technology
CAG closed access group, as defined by PCB printed circuit board
Constrained device: Small device with limited CPU, memory, 3GPP TS 23.501, V16.3.0, section PLMN public land mobile network
and power resources. (RFC 7228) 5.30.3 PNI-NPN public network-integrated non-public
CBRS Citizens Broadband Radio Service network
EAP-AKA’: Device authentication method. DICE device identity composition engine RAN radio access network
DTLS datagram transport layer security SCP smart card platform
Network slicing: Network slicing is a specific form of virtual- EAP Extensible Authentication Protocol SIM subscriber identity module
ization that allows multiple logical networks to run on top of EAP-AKA‘ IETF RFC 5448: Improved Extensible SNPN standalone non-public network
a shared physical network infrastructure. Authentication Protocol Method for SoC system on chip
3rd Generation Authentication and TCG Trusted Computing Group
Non-3GPP access: Access to the core network via connectivi- Key Agreement (EAP-AKA‘) TEE trusted execution environment
ty other than the base station, such as Wi-Fi. EAP-TLS IETF RFC 5216: The EAP-TLS TLS transport layer security
Authentication Protocol TPM trusted platform module
Non-public networks: A non-public (private) telecommuni- eSSP embedded Smart Secure Platform UE user equipment
cations network providing mobile cellular services. ETSI European Telecommunications UICC a smart card conforming to the
Standards Institute specifications of the ETSI Smart Card
PNI-NPN: A non-public telecommunications network inte- eUICC embedded UICC Platform (SCP) project ref. TR 102 216
grated into a public network by sharing core functions. GP Global Platform VLAN virtual local area network
IACS industrial automation and control VPP virtual primary platform
Purdue model: A reference model for industrial control sys- system WAN wide area network
tem (ICS) network segmentation, based on the Purdue Enter- ICT information and communication
prise Reference Architecture (PERA). technologies
IEC International Electrotechnical
Security controls: Countermeasures designed to manage se- Commission
curity risks. IIoT Industrial Internet of Things
IoT Internet of Things
Trust anchor: A trust anchor is an authoritative entity for ISO International Organization for
which trust is assumed and not derived. (RFC 5914). Standardization
iSSP integrated smart secure platform
Trust domain: A trust domain is a network area defined by its IT information technology
trust boundaries wherein mutual trust is assumed. NAA network authentication application
NIST National Institute of Standards and
Technology (USA)
NPN non-public network
NSSAI network slice selection assistance
information
OECD Organization for Economic
Cooperation and Development
22 23
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
14 References
[1] 5G-ACIA white paper “5G Non-Public Networks 5G-ACIA White Paper
for Industrial Scenarios”, https://www.5g-acia. Security Aspects of 5G for Industrial Networks
org/fileadmin/5G-ACIA/Publikationen/5G-ACIA_
White_Paper_5G_for_Non-Public_Networks_for_ Contact
Industrial_Scenarios/WP_5G_NPN_2019_01.pdf, 5G Alliance for Connected Industries and
July 2019. Automation (5G-ACIA), a Working Party of ZVEI
[2] 3GPP TS 22.261: “Service requirements for the 5G Lyoner Strasse 9
system; Stage 1”, October 2019. 60528 Frankfurt am Main
[3] 3GPP TS 33.501: “Security architecture and Germany
procedures for 5G system (Release 16)”, September Phone: +49 69 6302-209
2019. Fax: +49 69 6302-319
[4] 5G Americas white paper, “The Evolution of Email: info@5g-acia.org
Security in 5G”, October 2018. www.5g-acia.org
[5] 3GPP TS 23.501: “System architecture for the 5G
System (5GS); Stage 2,” December 2019. Published by
[6] “SE API Reference for OPC UA Project 314”, ZVEI – German Electrical and
German Federal Office for Information Security Electronic Manufacturers’ Association
(BSI), Draft v0.7, December 17, 2018. 5G Alliance for Connected Industries and
Automation (5G-ACIA), a Working Party of ZVEI
www.zvei.org
February 2021
Design: COBRAND Berlin
© ZVEI
The work, including all of its parts, is protected
by copyright. Any use outside the strict limits of copyright
law without the consent of the publisher is prohibited.
This applies in particular to reproduction, translation,
microfilming, storage, and processing in electronic systems.
Although ZVEI has taken the greatest possible care in
preparing this document, it accepts no liability for the
content.
24 25
White Paper Security Aspects of 5G for Industrial Networks White Paper Security Aspects of 5G for Industrial Networks
15 5G-ACIA Members
As of February 2021
26 27
White Paper Security Aspects of 5G for Industrial Networks
www.5g-acia.org
28