Project Coordinator (EU): Warsaw University of Technology
Country of the EU Coordinator: Poland
Organisation Type: Academia
Project participants:
EU: Warsaw University of Technology
Jordi Mongay Batalla has a Ph.D. degree from Warsaw University of Technology and works as Assistant Professor. His research interests focus mainly on Quality of Service (Diffserv, NGN) in both IPv4 and IPv6 infrastructures, Future Internet architectures (Content Aware Networks, Information Centric Networks), as well as applications for the Future Internet (Internet of Things, Smart Cities, IPTV).
Constandinos Mavromoustakis (SM IEEE) is a distinguished external collaborator of the 'Next Generation Mobile Networks' Team. He is currently a Full Professor in the Department of Computer Science at the University of Nicosia, Cyprus.
Peinado Gomez (MSc from Polytechnic of Madrid, Spain; Master from Pontifical University of Salamanca, Spain; PhD student at Warsaw University of Technology, Poland) is a senior telecommunications and security professional with a career of 20+ years in the telco industry. He currently works as a senior security standardization specialist in the Nokia Standards organization.
US: Embry-Riddle Aeronautical University
Houbing Song (M’12–SM’14) joined the Department of Electrical Engineering & Computer Science, Embry-Riddle Aeronautical University, Daytona Beach, FL, where he is currently a Tenured Associate Professor and the Director of the Security and Optimization for Networked Globe Laboratory (SONG Lab, www.SONGLab.us).
Yingying Ren is a Ph.D. candidate in Computer Science and Engineering at Central South University (CSU), Changsha, China; and she is in a successive Master-Doctor program at CSU starting from September 2017. Her research interests include crowd sensing networks, deep learning, reinforcement learning and the Internet of Things (IoT).
State of US partner: Florida
Starting date :
Experiment on security features of multi-provider mobile network infrastructure
There are two main trends in 5G development: the classical one, where the hardware provider (e.g., Ericsson, Huawei) sells the full infrastructure with hardware and software (called a purpose-built network), and the other, which builds the 5G software on 5G-agnostic commercial off-the-shelf (COTS) hardware (called a multi-vendor network).
From the point of view of security assessment, purpose-built network deployment is based on the security-by-design concept, where a security assurance scheme (called NESAS, built and governed by GSMA) introduces controls on the equipment deployment processes as well as controls on the conformity of the final product with strict security requirements. The multi-vendor approach, in contrast, lacks an end-to-end security baseline that would make it possible to provide security assurance at all levels. Such a baseline should introduce a comprehensive security level specification between the different parts of the infrastructure in order to make the network as secure as the classical purpose-built 5G networks.
In this experiment, we will analyse both security frameworks and will propose a security baseline for multi-vendor infrastructures. The context of the experiment is the security level provided by the Telco Cloud infrastructure hosting the Virtual Network Functions (VNFs) and/or Cloud Native Functions (CNFs), which build the 5G network for Slice Tenants (which deploy critical and/or broadband applications).
We see a trend in the market, starting in the US, to bring the network functions, in whatever format, to Cloud virtual infrastructures in a very complex and distributed Data Centre topology (Edge, Regional, Central), deployed not only on private clouds but also on public ones like Amazon Web Services, Google Cloud or Microsoft Azure. Even for on-prem operator sites, there are already offers from the big IaaS actors for fully equipped racks, including the virtual infrastructure managed by them. In Europe, some countries such as Germany and the UK are pushing the idea for critical infrastructure.
Our basic scenario will include the requirements of a critical Unmanned Aerial Vehicles (UAV) platform (as the Slice Tenant) hosted by the US partner, the requirements for the Cloud Provider (where 5G will be installed), and those for the Carrier Service provider (providing the 5G network software). The outcome will be the specification of clearly separated security levels and security assurance levels (as required by Cyber Security Act - EU No 526/2013), which will be of interest to the (US and EU) Regulators for certification purposes. The proposed baseline contributes in part to solving the problem of accountability of the network (i.e., who is responsible for the security maintenance of the network), which is crucial in multi-vendor infrastructures.
Our project has addressed and will further address the impacts in relation to the NGI initiative, as follows:
Impact 1: Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation.
Multi-provider security is a hot topic of 5G development in the US and Europe. In April 2021 DISH published its intent to build the first 5G network based on AWS cloud in Las Vegas (https://www.businesswire.com/news/home/20210421005315/en/), and security is the main concern of the new infrastructure, as also shown above by the US Department of Commerce Notice of Inquiry. The business approach to cybersecurity in the US is more reactive (responding when a threat appears) and based on cyberthreat intelligence (analysis of attackers’ motivations and capabilities).
Some European countries (Germany, UK) are pushing multiple providers for critical infrastructure, where security concerns need to be solved. The European approach to cybersecurity (since the introduction of the Cyber Security Act - EU No.526/2013) is to propose scalable risk-based security and assurance through the introduction of scaled controls that are comparable across the whole ICT market. The guidelines of the Cyber Security Act are to achieve common definitions of security and security assurance that are consistent for all the ICT sectors and across different certification schemes (if any), and to follow the basic principle that assurance requirements for services, processes and products should be based on the risk associated with the intended use.
This project has analysed and assessed the risks of multi-provider infrastructure based on practical experiments on such infrastructures and comparison with the purpose-built network. The approach has been considered in the presented methodology for a common understanding of how to assess security and security assurance in multi-provider networks, and, due to the increasing interest of US and EU markets in the multi-provider approach, this comprehensive approach may help to increase security in next-generation mobile networks.
Impact 2: Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes.
This project, by addressing the issues of security and accountability, contributes to building an infrastructure with many providers, which will renew the development of the mobile network with a more open architecture while providing, in the long term, enhanced efficiency, scalability and resilience in the network, and partially solving the problem of vendor trustworthiness.
Impact 3: Developing interoperable solutions and joint demonstrators, contributions to standards.
Our experiment compared the security features of purpose-built and multi-provider network infrastructures. The network infrastructure requires the development of a Service platform (in our case a UAV platform, provided by the US partner). The complete infrastructure (network + vertical) has been the basis of the network assurance methodology that we have presented as a result of the project.
The project aimed to contribute to the main cybersecurity trend in the US and Europe with the analysis of the security features of the network from an external laboratory. Jordi Mongay Batalla has been invited to the CEN/CLC/JTC 13 standardisation group (under the auspices of the European Commission) to study new security standards on 5G multi-vendor infrastructures valid for the EU certification scheme, based on previous work. We strongly believe that the knowledge achieved in the framework of this project will be an important input to potential future standards on 5G security.
Impact 4: An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet
One of the objectives of the project was to share knowledge on security assessment among US and EU universities, so that future engineers may adopt visions of cybersecurity based on risk assessment for the intended use (more used in Europe) and information from cyber threat intelligence (more used in the US). Due to the increasing interest of US and EU markets in the multi-provider approach, this comprehensive approach may help to increase security in next-generation mobile networks. A course was given at ERAU by WUT’s researchers to create an EU – US ecosystem of top researchers in security aspects. Future collaboration between the project partners is in progress, with two collaborative research proposals to be submitted shortly. We are aware that much more effort is needed to educate a generation of engineers who will consider security aspects one of the most valuable features of the Next Generation Internet.
This project aims to assess the risks of multi-provider infrastructure based on practical experiments on such infrastructures and comparison with the purpose-built network. This approach may be very fruitful for a common understanding of how to assess security and security assurance in multi-provider networks, and, due to the increasing interest of US and EU markets in the multi-provider approach, this comprehensive approach may help to increase security in next-generation mobile networks.
We also aim to share knowledge on security assessment among US and EU universities, so that future engineers may adopt visions of cybersecurity based on risk assessment and cyber threat intelligence.
Future Plan:
The experiment has provided a number of and some characteristics of the security tests, as well as the number of publications and course for students. A strong collaboration with the US partner has been initiated, and several other initiatives will be started shortly (the IRES program supports research and related logistical and other expenses for the U.S. team while in an international location, and the AccelNet funds support U.S. organizations for international collaborative research). Prof. Houbing Song (Embry-Riddle Aeronautical University) is acting as the anchor for those initiatives.
The experiment results have provided more information than expected at the beginning and have consolidated our position in EU institutions as experts in 5G security working in the field of security assurance. As an example, Jordi Mongay Batalla has been included in the CEI list of experts in 5G security.
The future work is clearly oriented towards conducting and formalizing a methodology for network security assurance in the framework of EU institutions (ENISA and CEN CLC), increasing contributions to standards (through CEN CLC), and consolidating the EU team's competences to build a commercial-operative cybersecurity laboratory in the field of networking. Last but not least, we want to deepen the ties with our US partner and initiate several exchanges of students and, probably, post-doc staff.