Testing Times: Automation Is the Key to a Secure 5G Future


Automated security testing of the 5G control plane is a critical step in reducing network vulnerabilities.

In the past, the cellular network was considered pretty secure. Essentially, it was an almost closed-loop environment based on a few vendors with highly proprietary systems; reports of hacking or attacks against carriers are almost impossible to find in the news media. There are likely to have been several attempts over the years, but quantifiable breaches are like unicorns – they may not exist.

But things are changing. The arrival of 5G heralds not just more bandwidth and lower latency, but also a fundamental shift in how cellular networks are designed, operated, and interconnected with the wider world of ICT. Most operators are embracing expansive designs that utilize more vendors within software-defined and cloud-centric architecture. The exciting potential offered by 5G includes intelligent smart city applications, private enterprise 5G networks, and even the growing use of 5G to replace traditional emergency services radio networks.

Because of this increasingly open and flexible approach, cellular networks have become more exposed to potential bad actors. Within network security practices, most of the attention has focused on attacks through the user plane (or data plane), which carries the network traffic, but consideration also needs to be given to securing the control plane, which carries critical signalling traffic. The industry is recognizing the potential vulnerabilities and coalescing around agreed-upon best-practice countermeasures.

Standard bearer

3GPP is at the heart of this push through several initiatives. At the top of the pyramid is the Network Equipment Security Assurance Scheme (NESAS), which defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as 3GPP-defined test cases for the security evaluation of network equipment.

This leads to the 3GPP Security Assurance Methodology (SECAM), which is developed from a purely industrial perspective, with a focus on the security of the Common Criteria (CC) and Common Criteria Recognition Arrangement (CCRA) framework and its implementation in the mobile network.

At the node level, we have the 5G Security Assurance Specification (SCAS) that defines security requirements and test cases for network equipment implementing one or more 3GPP network functions. This is the point where we need to run specific tests across elements including Access Mobility Management Functions (AMF), User Plane Functions (UPF), Session Management Functions (SMF), and many others. The nodes go through a series of tests based on the specification that include key elements such as vulnerability, compliance, and application testing.

Automation with CI/CD

However, this is not just a fire-and-forget process. The high frequency of updates and the larger number of vendors mean that the sedate pace of change found in 3G and 4G networks – where updates might be considered every few months – is replaced with a constant drumbeat of weekly or even daily changes.

This has made it essential for this NESAS, SECAM, and SCAS secure process chain to become both continuous and highly automated. This shift has been a focus of the development teams at Spirent. The 5G Core Security Automation Package, which just launched this month, is an addition to their industry-first subscription-based 5G Core Automation Platform – a wrap-around and end-to-end testing solution that is fully compliant with 3GPP testing methodologies. The new package is essentially a continually updated security test library that grows in step with the ongoing revisions and additions to the underlying SCAS specification.

Spirent has also gone further through the inclusion of security attack emulation tests for threats such as Distributed Denial of Service (DDoS) and Man-in-the-Middle (MITM) attacks.