1
Huawei speech at CommsDay Melbourne Congress
Melbourne, 10/10/2019
How to improve the security of business
and communities and, at the same time,
ensure Australia’s future prosperity
2
The “Flag of Origin” is not a critical element of cybersecurity
Root cause categories
• 66% (90% in UK) System failures: hardware failures (36%) and software bugs (29%)
• 17% human errors
• 9% Natural phenomena
• 4% malicious actions: 2/3 Denial of Service (DoS) attacks, and the rest are mainly damage to physical infrastructure
The country of origin of suppliers is not among the main causes for concern in how attacks are carried out... [UK NCSC]
The “Flag of origin” for Telco equipment is not the critical element in determining cyber security [UK ISC]
3
Key security risks are associated with Telco supply chain*
1. National dependence on any one vendor, as vendors’ supply chain may have the
same level of risk, see: https://www.auscert.org.au/resources/security-bulletins/
2. Faults or vulnerabilities in network equipment Harms (impact)
3. The ‘backdoor’ threat – the embedding of malign functionality in vendor
equipment
4. Vendor administrative access to provide equipment support or as part of a
managed services contract
*) Telco Supply Chain: Includes the design, manufacture, delivery, deployment, support and decommissioning of equipment
(hardware and software) or services that are utilised within an organisation’s cyber ecosystem. Supply chain must consider
the whole life of an IT product or service in an organisation [ACSC]
4
Statements on 5G suppliers 07/2019 [UK STC and ISC]
Carrier network to be resilient to any attack, such that no single action could
disable the system, can be best achieved by diversifying suppliers:
1. Reducing over-dependence from a single vendor: The network should not
be dependent on just one vendor, as this would render it less resilient
2. Increasing competition: Requiring operators to use equipment from more
than one vendor increases competition between those vendors, which will
force them to improve their security standards
5
How to cope with Cyber Security?
5 Eyes
• “There is agreement between the Five
Countries of the need to ensure supply
chains are trusted and reliable to protect
our networks from unauthorized access or
interference
• They recognize the need for a rigorous risk-based evaluation of a range
of factors which may include, but not be limited to, control by foreign
governments
• They also recognize the need for evidence-based risk assessment to
support the implementation of agreed-upon principles for setting
international standards for securing cyber networks”
6
Telecoms supply chain is of major concern in UK 09/2019
• The UK takes the security of telecoms networks extremely
seriously
• Next generation networks like 5G raise security risks as well as
economic opportunities
• This is why the Government has undertaken a comprehensive
review of the supply arrangements for the UK telecoms Critical
National Infrastructure (CNI)
• The Review has addressed three key questions:
• How should we incentivise telecoms operators to improve
security standards and practices in 5G and full fibre
networks?
• How should we address the security challenges posed
by vendors?
• How can we create sustainable diversity in the telecoms
supply chain?
7
EU: Joint efforts on unified cyber security verification standard
NESAS: Network Equipment Security Assurance Scheme
• NESAS/SCAS are authoritative security standards built by 3GPP/GSMA for the communication industry
• 3GPP / SCAS: Product security testing
• GSMA / NESAS: Audits of product development and lifecycle processes
• Drive NESAS/SCAS to become mature international standards
• Gain regulators' recognition on NESAS/SCAS
• Engage more industry partners including labs/auditing companies
• NESAS to be officially released in August 2019.
• 5G SCAS specifications to be completed in Q3 of 2019.
• Security Assurance Standards Package: Security Assurance Specs; Security Assurance Methodology
EU Cybersecurity Act (ENISA – EU Commission)
EU Cybersecurity Act key milestones and activities
Set into effect by Article (EU) No 69/2019 since 27 June 2019
Step 1: Creation & Governance of a new Certification Scheme at EU Level –
Voluntary scheme for the industry but mandatory that member states put it into
place (By 28 June 2020)
Step 2: Enforcement of the new Certification Scheme at the national level (e.g.
Actors in France) (By 28 June 2024, and every five years thereafter)
Step 3: Introduction of new Certification Schemes (created in the Step 1) to
make it mandatory in the industry: Using the sectorial regulation from the
different DG (FIMA, Home, Move, etc.) (By 31 December 2023)
Supporting Cybersecurity authorities (in the Union) - selected:
Supervisory authorities:
CERT-EU, EC3, BEREC, EDPB, EDA
8
Australian government achievements - Actions discharged since 2016, i.e. since the launch of Action Plan 2020
• Opened the Australian Cyber Security Centre (ACSC)
• Established Joint Cyber Security Centres (JCSCs) in five capital cities
• Launched cyber.gov.au
• Appointed an Ambassador for Cyber Affairs in Dr Tobias Feakin
• Publicly attributed cyber incidents to nation states
• Supported domestic industry through the Australian Cyber Security Growth Network (AustCyber),
Austrade's Landing Pad Program, and an AU$50 million investment in the Cyber Security Cooperative
Research Centre (CSCRC)
• Invested in skills and education, including through Academic Centres of Cyber Security Excellence at the
University of Melbourne and Edith Cowan University
• The Australasian Information Security Evaluation Program with evaluation activities certified by the
Australasian Certification Authority (ACA)
• The ASD Cryptographic Evaluation Program, for software and ICT equipment that contains
cryptographic functionality
• The ASD High Assurance Evaluation Program, for ICT equipment protecting highly classified
information
9
Cyber Supply Chain Risk Management, June 2019
Practitioners guide by ACSC
Know the likely supply chain threats – intent and technical means [ACSC]
38. Be cautious of making decisions solely based on nationality of a vendor. A vendor from a country whose laws are not likely contrary to Australian law, does lower the immediate elevation of risk associated with likely adverse extrajudicial control in nationally critical systems. …
43. Threat to supply chain is not limited to extrajudicial influence. Foreign interference is not just related to a vendor’s country of origin. As the case studies demonstrate, it is usually simpler to compromise another product or service in the supply chain without lawful interference, in order to achieve the required outcome.
10
Telecommunications Sector Security Reforms (TSSR) Act 18/09/2018
https://cicentre.gov.au/tss/resources
Telecommunications Sector Security Reforms Act
• In force, with 5G ban on Carriers from buying
Huawei 5G technology
Security of Critical Infrastructure Act
• In force, no clear direction, but crucial for ICT
on Gas, Water, Electricity and Ports
Assistance and Access (Decryption) Act
• In force, continuing industry concerns
Australia
https://cicentre.gov.au/
• Notifiable equipment C/NCSP Notification CAC* Risk Engagement or Mitigations
• C/NCSPs may receive a full or partial exemption from its obligation to notify the CAC
Minister for Home Affairs or ASIO may exercise a direction or information gathering power
• How do you meet your security obligation?
• Adopt a risk-based approach to protecting networks and facilities
• Maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier or provider
• Applies to all Carriers (persons who hold a carrier licence), Carriage service providers, Carriage service intermediaries, Nominated carriage service providers, and Providers that networks and facilities, based in Australia or overseas, which are used to provide services and carry and/or store information from Australian customers
• Carriers, carriage service providers and carriage service intermediaries (C/CSPs) must take all reasonable steps to protect their networks and facilities from unauthorised access or interference
Government Provides 5G Security Guidance To Australian Carriers:
Edge/Core and Extrajudicial Direction, 23 August 2018
*) Communications Access Co-ordinator (CAC)
11
• The Government wants an updated strategy to cover the current cyber threat climate, and seeks to gain a better understanding of the magnitude of the threats faced by Australian businesses and families
• It asks respondents if they agree with the government's understanding of who is responsible for managing cyber risks in the economy, and also if the way such responsibilities are currently allocated is the best way to do that
• The government is also seeking feedback on what customer protections should apply to the security of cyber goods and services
• What role government and industry should play in supporting the cybersecurity of consumers, and how both can "sensibly" increase the security, quality, and effectiveness of cybersecurity and digital offerings; if the regulatory environment for cybersecurity is appropriate; what specific market incentives or regulatory changes government should consider; and whether there are any functions the government currently performs that could be palmed off to the private sector
• Proposing a "trusted marketplace" for security-related products and services to be procured from, the discussion paper asks for guidance on how to approach instilling better trust in IT supply chains and how it can ensure cybersecurity is built-in to digital offerings
• Asking a total of 26 questions, the discussion paper also asked for examples of best-practice behaviour in the cyber realm; what private networks should be considered "critical systems" that need stronger cyber defences; how the government should set up its funding model around cybersecurity; and if there are any barriers currently preventing the growth of the cyber insurance market in Australia
• It also wants to know how it can create a hostile environment for malicious cyber actors
Australia’s new Cybersecurity Strategy:
26 Questions – Call for views by Nov 1st 2019
https://www.zdnet.com/article/australia-is-getting-a-new-cybersecurity-strategy/
Publishing a discussion paper [PDF]
12
5G Superiorities Enabling the 4th Revolution
[Figure: 5G compared with 4~4.5G. Ultra Fast: 20X (20Gbps); More Responsive: 1/10 (1ms); More Connected: 100X (1M/km2). Service types: eMBB, uRLLC, mMTC. 5G Superior Efficiency & Capabilities.]
Slicing: Slicing as a Service + Agile Operation + Superior New Experiences Redefining Telcos
13
5G RAN and CORE are separated and won’t ever overlap
[Figure: two deployment architectures]
• 5G NSA: 5G UE; eNB (4G wireless base station) and gNB (5G wireless base station), linked by X2; EPC (4G Core Network) over S1-C and S1-U
• 5G SA: 5G UE; gNB (5G wireless base station); NGC (5G Core Network) over NG-C and NG-U
Release timeline (2017, 2018, 2019, 2020): Rel-15, Rel-16, Rel-17+
• Basis for eMBB Service
• Enhancement for URLLC services
• Enhancement for mMTC services
NSA: Non-standalone; SA: Standalone
eMBB: Enhanced Mobile Broadband; URLLC: Ultra-Reliable and Low-Latency Communications; mMTC: Massive Machine-Type Communications
5G future usage: Operator; Third party; Specific area; Remote Driving; Power Distribution Control; Smart Factory
14
Security standard roadmap and Huawei 4G security experience
• Huawei has deeply contributed to 3GPP security standardization
• 35 CC certifications
• 15 FIPS certifications
• Huawei has deployed 329 LTE commercial networks with good security records
• Huawei EPC obtained CC EAL3 certification
• Huawei LTE obtained CC EAL4+ certification
3GPP study Item (Huawei as Rapporteur):
1. Security Assurance Specification for 5G
2. Study on the security of the Wireless and Wireline Convergence for the 5G system architecture
3. Study of KDF negotiation for 5G System Security
4. The SID on security for 5G URLLC
Roadmap (timeline marks: 2013, 2014, 2018, 2019, …):
• R15 to enhance security: eMBB
• R16/R17 to enhance security: URLLC, mMTC
15
3GPP security improvements in 5G
Improvement areas: Enhanced Interconnection Security; Effective Authentication framework; Stronger Security Algorithm; Better Privacy Protection
4G:
• Various Authentication
• SS7 re-routing
• Diameter Message Spoofing
• IMSI Exposure
• User Plane no Integrity Protection
• 128-bit Key Length (L=128)
5G:
• Unified Authentication (LTE, 5G, Wi-Fi)
• E2E security between PLMNs
• Encrypted Subscribers’ ID
• User plane integrity protection
• 256-bit Key Length (e.g. L=256)
Years of common contributions by dozens of vendors/operators/regulators…
16
5G network assets and security control zone
SBA: Service Based Architecture; CDR: Charging Data Record
[Figure: UE, RAN, Bearer network, MEC, 5GC (SBA) with NEF, NRF, UDM, PCF, SEPP, AMF, SMF and AUSF, and Internet/5G service, with Firewall, Security gateway, and EMS + Security Management Platform]
Zones: UE; RAN; Transmission; MEC; 5GC; 5G service; Operation & Mgmt.
Assets listed:
• USIM
• RAN BBU/RRU hardware
• Router and switch hardware; Cabinet
• COTS server; Firewall and security gateway hardware
• UPF: Can NOT touch subscriber ID; Can NOT touch root key
• COTS server
• Operator's data: reports and CDRs
• Some User privacy information: subscription information, location information, etc.
• UDM, AUSF: Process subscriber ID; Process root key
• AMF, SMF: Process subscriber ID; Can NOT touch root key
• User’s service information: ID, location, key, password, state info, health data etc. (The data above are stored in 5G service Database)
• Password; Certificate; Configuration; Monitoring data (BY network carriers)
17
5G introduces new vulnerabilities in the core network
Types | Specific for 5G?
Air Interface vulnerabilities | No
Internet Security vulnerabilities | New API exposed to the 5G service
Roaming Security vulnerabilities | No
Lawful Interception Security vulnerabilities | No
Security vulnerabilities between 5GC/MEC and gNodeB | No
Software and hardware security vulnerabilities | No
Data vulnerabilities | No
O&M security vulnerabilities | No
SBA vulnerabilities | Yes
MEC vulnerabilities | No. Uses NFV-based architecture
Cloud vulnerabilities | No
Slicing vulnerabilities | Yes
18
Huawei provides comprehensive features for 5G Security
[Figure: threats and security features across 5G UE, 5G wireless base station, Transmission, 5GC (NEF, NRF, UDM, PCF, SEPP, AMF, SMF, AUSF, UPF, UPF/MEC), NFV and Internet. Legend: 3GPP definition; Enhanced by Huawei. Resilience cycle: Identify, Protect, Detect, Respond, Recover.]
Cloud Infra. Threats:
• Compute
• Storage
• Network
• CloudOS
RAN Threats:
• User Data Leakage
• DDoS Attack
Common Threats:
• Illegal Access
• Malicious Software
• Data Tamper/Leakage
• DDoS Attack
• O&M Security Threat
5GC Threats:
• SBA
• Roaming
• Network Slice
• MEC
Security features shown in the figure:
• 3-plane Isolation; Built-in firewall; Authentication; Transport Security; Malicious Signaling Detect; DDoS Detect (Overload)
• Slice resource isolation; KPIs monitoring; Slice authentication; Slice key; Slice resource reserve
• Access Authentication; Service security audit; Service access authorization; Topology hiding; Signaling audit; Application layer security
• Air Interface Encryption & Integrity Protection; Digital Signature, Secure Boot and DIM; Hardware RoT and HSM; Anonymization; IPsec; TLS/SSH
• Communication encryption; Target encryption; Software security; E2E Data lifecycle Security Protection; VNF/Application hardening
• Automatic security policy; Vulnerabilities Management; Intrusion detection; big data security and correlation analysis; Multi-layer Isolation Mechanisms; System hardening
• ACL blocking; VM migration; VM rebuilding; Periodic VM restoration; Blacklist and whitelist; Access control; Flow control; Network isolation; Remote attestation
• Configuration correction; Account disabling; Patch/upgrade; Port disable; Configuration rollback; Data recovery
19
5G security is a shared responsibility…
[Figure: roles and security layers]
• Roles: Service Provider & Customers; Operators; Equipment Vendor; Standard Organizations; Government
• Layers: Application Security; Deployment & Operation Security; Equipment Security; Delivery
• Standard Organizations: Define requirement & standard scheme
• Government: Develop legislation and regulations
• Implement E2E security supervision
20
How to improve the security of business and communities
and ensure Australia’s future prosperity:
1. Reduce the risk of national dependency on individual suppliers, regardless of their
country of origin, to improve 5G and fibre networks resilience
2. Ensure a more competitive, sustainable and diverse supply chain, to drive higher
quality, innovation, and more investments in Cybersecurity
3. Define network security and resilience requirements on 5G and fibre networks,
contribute to unified standards, and enforce tailored and risk-based certification
schemes to improve cyber security standards
4. Ensure effective assurance testing for equipment, systems and software and support
specific evaluation arrangements. (The assessment and evaluation of products from
different vendors should be the same, as their supply chain has the same level of risk)
5. Invest in a 5G Testbeds and Trials Programme, with industry, looking at end-to-end
cybersecurity system assurance; new architecture and business models; tools for risk
mitigation and transparency, and greater interoperability and more open interfaces;
and share results, in closed loop (3.)
Copyright©2018 Huawei Technologies Co., Ltd. All Rights Reserved.
Thank You.
https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119515579.ch7
22
References
[1] Australia’s 2020 Cyber Security Strategy - A call for views: https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-strategy-2020
[2] Discussion paper: https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-security-strategy-2020-discussion-paper.pdf
[3] Huawei, “Position Paper on Cyber Security”, White Paper, September 2019. https://www-file.huawei.com/-/media/corp/facts/pdf/huaweis-position-paper-on-cyber-security-0918.pdf?la=en-us
[4] Huawei, “AI Security”. White paper, October 2018. https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/ai-security-white-paper-en.pdf
[5] EU Cybersecurity Agency (ENISA), “Annual Report Telecom Security Incidents 2018”, May 2019. https://www.enisa.europa.eu/publications/annual-report-telecom-security-incidents-2018
[6] Connected Nations 2018, Ofcom, December 2018. https://www.ofcom.org.uk/research-and-data/multisector-research/infrastructure-research/connected-nations-2018/main-report
[7] https://www.ncsc.gov.uk/speech/ciaran-martins-cybersec-speech-brussels
[8] UK Department for Digital, Culture, Media & Sport, “UK Telecoms Supply Chain Review Report”, July 2019. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/819469/CCS001_CCS0719559014-001_Telecoms_Security_and_Resilience_Accessible.pdf
[9] The Prague Proposals, “The Chairman Statement on cyber security of communication networks in a globally digitalized world”, Prague 5G Security Conference, May 2019. https://www.vlada.cz/en/media-centrum/aktualne/prague-5g-security-conference-announced-series-of-recommendations-the-prague-proposals-173422/
[10] The Intelligence and Security Committee of Parliament, “Statement on 5G suppliers”, July 2019. http://isc.independent.gov.uk/news-archive/19july2019
[11] The Science and Technology Select Committee, “Letter to the Secretary of State for Digital, Culture, Media and Sport about Huawei’s involvement in the UK’s 5G network”, July 2019. https://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/news-parliament-2017/chairs-comments-huawei-5g-network-17-19/
[12] http://telecoms.com/498852/five-eyes-align-security-objectives-but-where-does-this-leave-huawei/
[13] https://www.fastcompany.com/90344450/dont-ban-huawei-do-this-instead
[14] https://www.innovationaus.com/2019/07/5g-a-decision-that-demands-scrutiny
[15] Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), “Cyber Supply Chain Risk Management - Practitioners guide”, July 2019. https://www.cyber.gov.au/sites/default/files/2019-06/Supply%20Chain%20Risk%20Management%20-%20Practitioners%20guide.pdf
[16] European Commission, “Commission Recommendation – Cybersecurity of 5G Networks”, March 2019. https://www.europeansources.info/record/recommendation-on-cybersecurity-of-5g-networks/
[17] EU Cybersecurity Act “ENISA and Cybersecurity Certification Framework”, June 2019. https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act
[18] European Commission, “Connectivity for a Competitive Digital Single Market - Towards a European Gigabit Society”, September 2019. https://ec.europa.eu/digital-single-market/en/news/communication-connectivity-competitive-digital-single-market-towards-european-gigabit-society
[19] https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act
[20] https://www.3gpp.org/DynaReport/33-series.htm
[21] https://www.gsma.com/security/network-equipment-security-assurance-scheme/
[22] https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html
[23] https://eugdpr.org/
[24] https://www.minister.communications.gov.au/minister/mitch-fifield/news/government-provides-5g-security-guidance-australian-carriers
[25] https://www.cyber.gov.au/programs?page=0
[26] http://www.europarl.europa.eu/RegData/etudes/BRIE/2019/635518/EPRS_BRI(2019)635518_EN.pdf
[27] https://ec.europa.eu/digital-single-market/en/proposal-european-cybersecurity-competence-network-and-centre