Project Coordinator (EU): Warsaw University of Technology
Country of the EU Coordinator: Poland
Organisation Type: Academia
Project participants:
EU: Warsaw University of Technology
Jordi Mongay Batalla has a Ph.D. degree from Warsaw University of Technology and works as Assistant Professor. His research interests focus mainly on Quality of Service (Diffserv, NGN) in both IPv4 and IPv6 infrastructures, Future Internet architectures (Content Aware Networks, Information Centric Networks) as well as applications for Future Internet (Internet of Things, Smart Cities, IPTV).
Constandinos Mavromoustakis (SM IEEE) is a distinguished external collaborator of the 'Next Generation Mobile Networks' Team. He is currently a Full Professor in the Department of Computer Science at the University of Nicosia, Cyprus.
Peinado Gomez (MSc by Polytechnic of Madrid, Spain; Master by Pontifical University of Salamanca, Spain; PhD Student in Warsaw University of Technology, Poland) is a senior telecommunications and security professional with 20+ years of career in the telco industry. Currently he works as a senior security standardization specialist in Nokia Standards organization.
US: Embry-Riddle Aeronautical University
Houbing Song (M’12–SM’14) joined the Department of Electrical Engineering & Computer Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, where he is currently a Tenured Associate Professor and the Director of the Security and Optimization for Networked Globe Laboratory (SONG Lab, www.SONGLab.us).
Yingying Ren is a Ph.D. candidate in Computer Science and Engineering at Central South University (CSU), Changsha, China; and she is in a successive Master-Doctor program at CSU starting from September 2017. Her research interests include crowd sensing networks, deep learning, reinforcement learning and the Internet of Things (IoT).
State of US partner: Florida
Starting date :
Experiment on security features of multi-provider mobile network infrastructure
Experiment description
In this experiment, we will analyse security frameworks of multi-vendor and purpose-built mobile network infrastructures and will propose a security baseline for different levels of network assurance.
The Next Generation Telecom and its Cloud industry are more vulnerable to potential attacks than other IT infrastructures due to their ubiquitous nature and vital role in digitalization. In addition, atomized infrastructure (such as the multi-vendor model) introduces additional potential attack vectors, including the potential exposure of virtualization platforms through network slicing, connectivity of unknown underlying infrastructure (e.g., private cloud), and the appearance of vulnerabilities in new network functions developed by third-party software developers.
Our aim is to develop a Security baseline providing a common reference model for Cloud infrastructure providers and 5G Service Providers (including slices tenancy). It will need to be aligned with Standardization bodies like 3GPP and ETSI NFV and compliant with EU CyberSecurity guidelines and normative work. It will serve as an enabler for new 5G use cases business development (e.g., drones, eHealth, Smart Cities, online Education, etc.), setting a sound trust level among the multiple stakeholders, and providing the Regulator with evidence of security due care and due diligence.
With our baseline, it will be possible to provide security assurance to the infrastructure based on multiple vendor providers, which will be the basis of the audit of such networks. Security assurance will open the door to test and evaluation of products, regardless of whether the products are from a big player or small. The security requirements at all levels will provide the principles for accountability of the network, such that security issues can be identified, isolated and/or repaired under risk mitigation policies.
Multi-provider security is a hot topic of 5G development in the US and Europe, and security is the main concern of the new infrastructure. Some European countries are pushing a multiple-provider approach for building the critical infrastructure where security concerns need to be solved. The European approach to cybersecurity (from the introduction of the Cyber Security Act - EU No.526/2013) is to propose scalable risk-based security and assurance through the introduction of scaled controls that are comparable in the whole ICT market. The guidelines of the Cyber Security Act are to achieve common definitions of security and security assurance that are consistent for all the ICT sectors and to follow the basic principle that assurance requirements should be based on the risk associated with the intended use.
This project aims to assess the risks of multi-provider infrastructure based on practical experiments on such infrastructures and comparison with the purpose-built network. This approach may be very fruitful for a common understanding of how to assess security and security assurance in multi-provider networks, and, due to the increasing interest of US and EU markets in the multi-provider approach, this comprehensive approach may help to increase security in next-generation mobile networks. We also aim to share knowledge on security assessment among US and EU universities, so that future engineers may adopt visions of cybersecurity based on the risk associated with the intended use.
Impacts :
Our project has addressed and will further address the impacts in relation to the NGI initiative, as follows:
Impact 1: Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation.
Multi-provider security is a hot topic of 5G development in the US and Europe. In April 2021, DISH published its intent to build the first 5G network based on AWS cloud in Las Vegas (https://www.businesswire.com/news/home/20210421005315/en/), and security is the main concern of the new infrastructure, as also shown above by the US Department of Commerce Notice of Inquiry. The business approach to cybersecurity in the US is more reactive (when a threat appears) and based on cyberthreat intelligence (analysis of attackers’ motivations and capabilities).
Some European countries (Germany, UK) are pushing multiple providers for critical infrastructure where security concerns need to be solved. The European approach to cybersecurity (from the introduction of the Cyber Security Act - EU No.526/2013) is to propose scalable risk-based security and assurance through the introduction of scaled controls that are comparable in the whole ICT market. The guidelines of the Cyber Security Act are to achieve common definitions of security and security assurance that are consistent for all the ICT sectors and across different certification schemes (if any) and to follow the basic principle that assurance requirements of services, processes and products should be based on the risk associated with the intended use.
This project has analysed and assessed the risks of multi-provider infrastructure based on practical experiments on such infrastructures and comparison with the purpose-built network. The approach has been considered in the presented methodology for a common understanding of how to assess security and security assurance in multi-provider networks, and, due to the increasing interest of US and EU markets in the multi-provider approach, this comprehensive approach may help to increase security in next-generation mobile networks.
Impact 2: Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes.
This project, by addressing the issues of security and accountability, contributes to building an infrastructure with many providers, which will renew the development of the mobile network with a more open architecture, while providing, in the long term, enhanced efficiency, scalability and resilience in the network, and partially solving the problem of vendor trustworthiness.
We have developed a security assurance baseline providing a common reference model for Cloud infrastructure providers and 5G Service Providers (including slices tenancy). Our approach is clearly aligned with Standardization bodies like 3GPP and ETSI NFV and compliant with EU CyberSecurity guidelines and normative work currently in progress. Our methodology shows the holes in world-wide security assurance schemes for mobile networks and it will serve as an enabler for new 5G use cases business development (e.g., drones, eHealth, Smart Cities, online Education, etc.), setting a sound trust level among the multiple stakeholders, and providing the Regulator with evidence of security due care and due diligence. For this, further regulatory work will be done at an EU level based on our previous work on a Methodology for Sectoral Cybersecurity Assessments: https://www.enisa.europa.eu/publications/methodology-for-a-sectoral-cybersecurity-assessment.
With our baseline, it will be possible to provide security assurance to the infrastructure based on multiple vendor providers, which will be the basis of the audit of such networks.
The US team is being funded by the National Science Foundation under Grant No. 2150213: REU Site: Swarms of Unmanned Aircraft Systems in the Age of AI/Machine Learning. Future collaboration with ERAU is being funded with a focus on programmes for student transfer. The US National Science Foundation offers some programmes for sending US students to Europe (among others). It is our common intention with ERAU to apply to that programme, such that some ERAU students will spend some time at Warsaw University of Technology in the team led by Jordi Mongay Batalla. The proposal is almost ready to be submitted.
Impact 3: Developing interoperable solutions and joint demonstrators, contributions to standards.
Our experiment compared the security features of purpose-built and multi-provider network infrastructures. The network infrastructure requires the development of a Service platform (in our case a UAV platform, provided by the US partner). The complete infrastructure (network + vertical) has been the basis of the network assurance methodology that we have presented as a result of the project.
The project aimed to contribute to the main cybersecurity trend in the US and Europe, with the analysis of the security features of the network from an external laboratory. Jordi Mongay Batalla has been invited to the CEN/CLC/JTC 13 standardisation group (under the auspices of the European Commission) for studying new security standards on 5G multi-vendor infrastructures valid for the EU certification scheme, based on previous work https://www.enisa.europa.eu/publications/5g-cybersecurity-standards. We strongly think that the knowledge achieved in the framework of this project will be an important input to potential future standards on 5G security.
Impact 4: An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet
One of the objectives of the project was to share knowledge on security assessment among US and EU universities, so that future engineers may adopt visions of cybersecurity based on risk assessment for the intended use (more used in Europe) and information from cyber threat intelligence (more used in the US). Due to the increasing interest of US and EU markets in the multi-provider approach, this comprehensive approach may help to increase security in next-generation mobile networks. A course was provided at ERAU by WUT’s researchers for creating an EU – US ecosystem of top researchers in security aspects. Future collaboration between the project partners is in progress, with two collaborative research proposals to be submitted shortly. We are conscious that many more efforts are needed to educate a generation of engineers that will consider security aspects as one of the most valuable features of the Next Generation Internet.
Results :
In summary, the main results of the project are:
- We presented the principles of ICT security assurance with a long analysis of the State of the Art;
- We showed how security assurance should be provided in multi-provider ICT systems, including composite, multi-layer and composite multi-layer security assurance. Annex 1 (Annex 1. Security assurance in multi-provider ICT systems_Task 1.pdf) shows a detailed analysis of multi-provider security assurance;
- We proposed the methodology for security assurance of supporting communication systems for ITS purposes. Annex 2 of this Deliverable (Annex 2. Description of Tests on Security Functionality (Template)_Task1.pdf) comprises the templates for evaluation of security features of the products under evaluation;
- We studied aspects of 5G security when the network serves the communication needs of a vertical. In our case, we focused on terrestrial automotive (Intelligent Transport Systems);
- We analysed the standards to discuss the interoperation points between layers, that is, which security functionalities in the network may serve the vertical application (automotive) and which security features of the underlying infrastructure may serve the network. These results are presented in Annex 3 of this document (Annex 3. Context of Security aspects in 5G multi-provider implementation.pdf);
- We (the US partner of the project) set up a platform for UAV communication. The platform is accountable with demonstrated network assurance. The platform is part of the REU Site: Swarms of Unmanned Aircraft Systems in the Age of AI/Machine Learning: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2150213;
- We performed evaluation tests of security features of:
  - Network layer. We selected one example of a Network Function, the User Plane Function, and performed security tests at low, medium and high levels of security assurance. The tests focused on the N4 interface (between the User Plane Function and the Session Manager Function). The network was running on a private cloud. Results of the security evaluation are in Annexes 4-7;
  - Underlying infrastructure. We selected Kubernetes and containers as the example platform for the tests. This was running on the Amazon Web Services cloud. In addition, the virtualization platform considered not only OpenShift but also OpenStack (open-source and Red Hat versions). Results of the security evaluation are in Annexes 8-12;
  - Vertical application. We considered security aspects of the automotive layer and, concretely, security issues of unlicensed local area networks for Vehicle-to-Everything interconnectivity. Results of the security evaluation are in Annex 13.
- We compared our methodology with current evaluation schemes at different layers (5G network, cloud and virtualization layers);
- We developed an algorithm for the selection of a product based on levels of security assurance. The algorithm considers the different market-driven features of the products and selects the best product based on multi-criteria decision making. Among the considered features, we take into consideration the security requirements that should be fulfilled by the selected product. This algorithm is presented in Annex 14 (Annex 14. Algorithm for the selection of a product based on levels of security assurance_Task 4.pdf);
- We proposed the templates for security evaluation of products with the possibility of providing different levels of evaluation. The template explained for 5G Network Functions is presented in Annex 15 (Annex 15. Security assurance guidelines (Template)_Task 4.pdf).
- We prepared and taught a course on security and security assurance at ERAU (July 2022). The course was a part of the US project: REU Site: Swarms of Unmanned Aircraft Systems in the Age of AI/Machine Learning: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2150213. The course put emphasis on the development of a risk-based approach to cybersecurity for all sectors, including assets (primary assets of the business and supporting assets of the underlying ICT infrastructures). The materials will be incorporated into CS432 Information and Computer Security and CS529 Computer Security, and disseminated to the broader 5G Cybersecurity community in the US and EU. The materials of the course can be found in Annexes 16-21.
Future Plan :
The experiment has provided all the products (Measurable KPIs) that were assumed at the proposal stage, including the number and characteristics of the security tests as well as the number of publications and the course for students. A strong collaboration with the US partner has been initiated and several other initiatives will be started shortly (the IRES program supports research and related logistical and other expenses for the U.S. team while in an international location, and AccelNet funds support U.S. organizations for international collaborative research). Prof. Houbing Song (Embry-Riddle Aeronautical University) is acting as the anchor for those initiatives.
The experiment results have provided more information than expected at the beginning and have really consolidated our position in EU institutions as experts in 5G security working in the field of security assurance. As an example, Jordi Mongay Batalla has been included in the CEI list of experts in 5G security.
The future work is clearly oriented to conduct and formalize a methodology for network security assurance in the framework of EU institutions (ENISA and CEN CLC), to increase contributions to standards (through CEN CLC) and to consolidate the EU team competences to build a commercial-operative cybersecurity laboratory in the field of networking.
Last but not least, we want to deepen the ties with our US partner and initiate several exchanges of students and, probably, post-doc staff.
From our side, we are really grateful for the possibility of doing this experiment during these last months.