Transcript of “How to improve the security of business and communities and, at the same time, ensure Australia’s future prosperity” (22 pages)

Page 1: Title

Huawei speech at CommsDay Melbourne Congress
Melbourne, 10/10/2019
How to improve the security of business and communities and, at the same time, ensure Australia’s future prosperity

Page 2: The “Flag of Origin” is not a critical element of cybersecurity

Root cause categories of telecom security incidents:

• 66% system failures (90% in the UK): hardware failures (36%) and software bugs (29%)
• 17% human errors
• 9% natural phenomena
• 4% malicious actions: two thirds Denial of Service (DoS) attacks, the rest mainly damage to physical infrastructure

The country of origin of suppliers is not among the main causes for concern in how attacks are carried out... [UK NCSC]

The “Flag of origin” for Telco equipment is not the critical element in determining cyber security [UK ISC]

Page 3: Key security risks are associated with the Telco supply chain*

Risks and their harms (impact):

1. National dependence on any one vendor, as vendors’ supply chains may have the same level of risk, see: https://www.auscert.org.au/resources/security-bulletins/
2. Faults or vulnerabilities in network equipment
3. The ‘backdoor’ threat: the embedding of malign functionality in vendor equipment
4. Vendor administrative access to provide equipment support or as part of a managed services contract

*) Telco Supply Chain: includes the design, manufacture, delivery, deployment, support and decommissioning of equipment (hardware and software) or services that are utilised within an organisation’s cyber ecosystem. Supply chain must consider the whole life of an IT product or service in an organisation [ACSC]

Page 4: Statements on 5G suppliers, 07/2019 [UK STC and ISC]

A carrier network that is resilient to any attack, such that no single action could disable the system, can best be achieved by diversifying suppliers:

1. Reducing over-dependence on a single vendor: the network should not be dependent on just one vendor, as this would render it less resilient
2. Increasing competition: requiring operators to use equipment from more than one vendor increases competition between those vendors, which will force them to improve their security standards

Page 5: How to cope with Cyber Security?

Five Eyes:

• “There is agreement between the Five Countries of the need to ensure supply chains are trusted and reliable to protect our networks from unauthorized access or interference
• They recognize the need for a rigorous risk-based evaluation of a range of factors which may include, but not be limited to, control by foreign governments
• They also recognize the need for evidence-based risk assessment to support the implementation of agreed-upon principles for setting international standards for securing cyber networks”

Page 6: Telecoms supply chain is of major concern in the UK, 09/2019

• The UK takes the security of telecoms networks extremely seriously
• Next generation networks like 5G raise security risks as well as economic opportunities
• This is why the Government has undertaken a comprehensive review of the supply arrangements for the UK telecoms Critical National Infrastructure (CNI)
• The Review has addressed three key questions:
  • How should we incentivise telecoms operators to improve security standards and practices in 5G and full fibre networks?
  • How should we address the security challenges posed by vendors?
  • How can we create sustainable diversity in the telecoms supply chain?

Page 7: EU: Joint efforts on a unified cyber security verification standard

EU Cybersecurity Act (ENISA – EU Commission), key milestones and activities

Set into effect by Regulation (EU) 2019/881 since 27 June 2019:

Step 1: Creation & governance of a new certification scheme at EU level. Voluntary scheme for the industry, but mandatory that member states put it into place (by 28 June 2020)
Step 2: Enforcement of the new certification scheme at the national level (e.g. actors in France) (by 28 June 2024, and every five years thereafter)
Step 3: Introduction of the new certification schemes (created in Step 1) to make them mandatory in the industry, using the sectorial regulation from the different DGs (FISMA, Home, Move, etc.) (by 31 December 2023)

Supporting cybersecurity authorities (in the Union, selected) and supervisory authorities: CERT-EU, EC3, EDA, BEREC, EDPB

NESAS: Network Equipment Security Assurance Scheme

NESAS/SCAS are authoritative security standards built by 3GPP/GSMA for the communication industry:
• 3GPP / SCAS (Security Assurance Specifications): product security testing
• GSMA / NESAS (Security Assurance Methodology): audits of product development and lifecycle processes
• Together they form the Security Assurance Standards Package

Status: NESAS to be officially released in August 2019; 5G SCAS specifications to be completed in Q3 of 2019.

Next steps:
• Drive NESAS/SCAS to become mature international standards
• Gain regulators’ recognition of NESAS/SCAS
• Engage more industry partners, including labs/auditing companies

Page 8: Australian government achievements: actions discharged since 2016, i.e. since the launch of Action Plan 2020

• Opened the Australian Cyber Security Centre (ACSC)
• Established Joint Cyber Security Centres (JCSCs) in five capital cities
• Launched cyber.gov.au
• Appointed an Ambassador for Cyber Affairs, Dr Tobias Feakin
• Publicly attributed cyber incidents to nation states
• Supported domestic industry through the Australian Cyber Security Growth Network (AustCyber), Austrade’s Landing Pad Program, and an AU$50 million investment in the Cyber Security Cooperative Research Centre (CSCRC)
• Invested in skills and education, including through Academic Centres of Cyber Security Excellence at the University of Melbourne and Edith Cowan University
• The Australasian Information Security Evaluation Program, with evaluation activities certified by the Australasian Certification Authority (ACA)
• The ASD Cryptographic Evaluation Program, for software and ICT equipment that contains cryptographic functionality
• The ASD High Assurance Evaluation Program, for ICT equipment protecting highly classified information

Page 9: Cyber Supply Chain Risk Management, Practitioners guide by ACSC, June 2019

Know the likely supply chain threats – intent and technical means [ACSC]:

38. Be cautious of making decisions solely based on nationality of a vendor. A vendor from a country whose laws are not likely contrary to Australian law does lower the immediate elevation of risk associated with likely adverse extrajudicial control in nationally critical systems. …

43. Threat to supply chain is not limited to extrajudicial influence. Foreign interference is not just related to a vendor’s country of origin. As the case studies demonstrate, it is usually simpler to compromise another product or service in the supply chain without lawful interference, in order to achieve the required outcome.

Page 10: Telecommunications Sector Security Reforms (TSSR), in force since 18/09/2018 (https://cicentre.gov.au/tss/resources)

Australian legislation (https://cicentre.gov.au/):

Telecommunications Sector Security Reforms Act
• In force, with a 5G ban on carriers buying Huawei 5G technology

Security of Critical Infrastructure Act
• In force, no clear direction, but crucial for ICT in gas, water, electricity and ports

Assistance and Access (Decryption) Act
• In force, continuing industry concerns

TSSR obligations:
• Apply to all carriers (persons who hold a carrier licence), carriage service providers, carriage service intermediaries, nominated carriage service providers, and providers of networks and facilities, based in Australia or overseas, which are used to provide services and carry and/or store information from Australian customers
• Carriers, carriage service providers and carriage service intermediaries (C/CSPs) must take all reasonable steps to protect their networks and facilities from unauthorised access or interference
• How do you meet your security obligation?
  • Adopt a risk-based approach to protecting networks and facilities
  • Maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier or provider
• Notification process: for notifiable equipment, the C/NCSP notifies the Communications Access Co-ordinator (CAC*), followed by risk engagement or mitigations
• C/NCSPs may receive a full or partial exemption from their obligation to notify the CAC
• The Minister for Home Affairs or ASIO may exercise a direction or information gathering power

Government provides 5G security guidance to Australian carriers: edge/core and extrajudicial direction, 23 August 2018

*) Communications Access Co-ordinator (CAC)

Page 11: ensure Australia’s future prosperity

11

• The Government wants and updated strategy to cover the current cyber threat climate, and seeks to gain a better understanding of the magnitude of the threats faced by Australian businesses and families

• It asks respondents if they agree with the government's understanding of who is responsible for managing cyber risks in the economy, and also if the way such responsibilities are currently allocated is the best way to do that

• The government is also seeking feedback on what customer protections should apply to the security of cyber goods and services

• What role government and industry should play in supporting the cybersecurity of consumers, and how both can "sensibly" increase the security, quality, and effectiveness of cybersecurity and digital offerings; if the regulatory environment for cybersecurity is appropriate; what specific market incentives or regulatory changes government should consider; and whether there are any functions the government currently performs that could be palmed off to the private sector

• Proposing a "trusted marketplace" for security-related products and services to be procured from, the discussion paper asks for guidance on how to approach instilling better trust in IT supply chains and how it can ensure cybersecurity is built-in to digital offerings

• Asking a total of 26 questions, the discussion paper also asked for examples of best-practice behaviourin the cyber realm; what private networks should be considered "critical systems" that need stronger cyber defences; how the government should set up its funding model around cybersecurity; and if there any barriers currently preventing the growth of the cyber insurance market in Australia

• It also wants to know how it can create a hostile environment for malicious cyber actors

Australia new Cybersecurity Strategy:

26 Questions – Call for views by Nov 1st 2019https://www.zdnet.com/article/australia-is-getting-a-new-cybersecurity-strategy/

Publishing a discussion paper [PDF]

Page 12: 5G Superiorities Enabling the 4th Revolution

[Figure: 5G capabilities compared with 4G/4.5G]
• eMBB, Ultra Fast: 20X peak data rate (20 Gbps)
• uRLLC, More Responsive: 1/10 latency (1 ms)
• mMTC, More Connected: 100X connection density (1M/km2)
• Slicing: Slicing as a Service + Agile Operation + Superior New Experiences, Redefining Telcos (5G Superior Efficiency & Capabilities)

Page 13: 5G RAN and CORE are separated and won’t ever overlap

[Figure: 5G NSA and 5G SA architectures]
• 5G NSA (Non-standalone): 5G UE; gNB (5G wireless base station) connected over X2 to the eNB (4G wireless base station); the eNB connects over S1-C / S1-U to the EPC (4G core network)
• 5G SA (Standalone): 5G UE; gNB (5G wireless base station) connected over NG-C / NG-U to the NGC (5G core network)

3GPP release timeline, 2017 to 2020:
• Rel-15: basis for eMBB service
• Rel-16: enhancement for URLLC services
• Rel-17+: enhancement for mMTC services

NSA: Non-standalone. SA: Standalone. eMBB: Enhanced Mobile Broadband. URLLC: Ultra-Reliable and Low-Latency Communications. mMTC: Massive Machine-Type Communications.

5G future usage (operator, third party, specific area): remote driving, power distribution control, smart factory

Page 14: Security standard roadmap and Huawei 4G security experience

Huawei has deeply contributed to 3GPP security standardization: 35 CC certifications, 15 FIPS certifications.

3GPP study items with Huawei as Rapporteur:
1. Security Assurance Specification for 5G
2. Study on the security of the Wireless and Wireline Convergence for the 5G system architecture
3. Study of KDF negotiation for 5G System Security
4. The SID on security for 5G URLLC

Huawei has deployed 329 LTE commercial networks with good security records.

Timeline:
• 2013–2014: Huawei EPC obtained CC EAL3 certification; Huawei LTE obtained CC EAL4+ certification
• 2018–2019: R15 to enhance security (eMBB); R16/R17 to enhance security (URLLC, mMTC)

Page 15: 3GPP security improvements in 5G

Years of common contributions by dozens of vendors/operators/regulators…

Improvement areas: enhanced interconnection security, effective authentication framework, stronger security algorithm, better privacy protection.

4G weakness and the corresponding 5G improvement:
• SS7 re-routing and Diameter message spoofing: 5G adds E2E security between PLMNs (core network interconnection)
• Various authentication methods: 5G has a unified authentication framework for LTE, 5G and Wi-Fi access
• IMSI exposure: 5G sends an encrypted subscribers’ ID
• User plane with no integrity protection: 5G adds user plane integrity protection
• 128-bit key length (L=128): 5G supports 256-bit key length (e.g. L=256)
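The “IMSI exposure” to “encrypted subscribers’ ID” step above is the one a practitioner can reproduce end to end, so here is an added example (not code from the Huawei deck or from 3GPP): a UE conceals its SUPI into a SUCI with the home network’s public key, and only the home network (UDM/SIDF) can recover it, so a passive listener on the air interface or a rogue base station never sees the permanent identifier. The structure follows Profile A of TS 33.501 Annex C (ephemeral X25519 key, ECDH, X9.63 KDF with SHA-256, encrypt the MSIN, 8-byte HMAC-SHA-256 tag), with these assumptions and simplifications: the X25519 routine is a straight RFC 7748 implementation, but AES-128-CTR is replaced by a SHA-256 counter-mode keystream to stay within the Python standard library, the SUCI is modelled as a plain dict rather than the full 3GPP encoding (no routing indicator, scheme ID or key ID), the SUPI is assumed to be “imsi-” followed by a 3-digit MCC, 2-digit MNC and 10-digit MSIN, and the sample subscriber is constructed.

```python
# Added example: SUPI -> SUCI concealment in the style of TS 33.501 Annex C,
# Profile A. ASSUMPTIONS: SHA-256 counter mode stands in for AES-128-CTR,
# the SUCI is a plain dict, the IMSI layout is 3+2+10 digits.
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: clamp the scalar, then run the Montgomery ladder."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def kdf(shared: bytes, info: bytes, length: int) -> bytes:
    """ANSI X9.63-style KDF with SHA-256; SharedInfo1 is the ephemeral public key."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(shared + counter.to_bytes(4, "big") + info).digest()
        counter += 1
    return out[:length]


def keystream_xor(key: bytes, icb: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher: SHA-256(key || icb || block#) replaces AES-128-CTR (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + icb + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def conceal_supi(supi: str, home_pub: bytes) -> dict:
    """UE side: 'imsi-<mcc><mnc><msin>' -> SUCI. Only the MSIN is encrypted; MCC/MNC stay clear for routing."""
    mcc_mnc, msin = supi[5:10], supi[10:]
    eph_priv = os.urandom(32)                 # fresh per SUCI, so two SUCIs of one UE are unlinkable
    eph_pub = x25519(eph_priv, BASEPOINT)
    keys = kdf(x25519(eph_priv, home_pub), eph_pub, 64)
    enc_key, icb, mac_key = keys[:16], keys[16:32], keys[32:]
    ct = keystream_xor(enc_key, icb, msin.encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    return {"mcc_mnc": mcc_mnc, "eph_pub": eph_pub, "ct": ct, "tag": tag}


def deconceal_suci(suci: dict, home_priv: bytes) -> str:
    """Home network (UDM/SIDF) side: verify the tag first, then recover the SUPI."""
    keys = kdf(x25519(home_priv, suci["eph_pub"]), suci["eph_pub"], 64)
    enc_key, icb, mac_key = keys[:16], keys[16:32], keys[32:]
    expected = hmac.new(mac_key, suci["ct"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, suci["tag"]):
        raise ValueError("SUCI MAC check failed: tampered or wrong home key")
    return "imsi-" + suci["mcc_mnc"] + keystream_xor(enc_key, icb, suci["ct"]).decode()


if __name__ == "__main__":
    home_priv = os.urandom(32)                # never leaves the home network
    home_pub = x25519(home_priv, BASEPOINT)   # provisioned into the USIM
    supi = "imsi-505010123456789"             # constructed sample subscriber
    suci = conceal_supi(supi, home_pub)
    print("on the air:", suci["mcc_mnc"], suci["ct"].hex(), suci["tag"].hex())
    print("at the UDM:", deconceal_suci(suci, home_priv))
```

The serving network only ever handles the SUCI: it routes on the clear MCC/MNC and forwards the rest to the home network, which is why the UDM/AUSF on Page 16 are the functions that “process subscriber ID” and “process root key” while the UPF touches neither. Rejecting on the tag before decrypting is the check that matters in practice; a fabricated SUCI with a wrong tag must not produce a lookup against the subscriber database.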

Page 16: 5G network assets and security control zone

SBA: Service Based Architecture. CDR: Charging Data Record.

[Figure: end-to-end 5G network: UE, RAN, bearer network, MEC, 5GC (SBA: NEF, NRF, UDM, PCF, SEPP, AMF, SMF, AUSF), Internet / 5G service, with firewall and security gateway at the perimeter and EMS + Security Management Platform for operation and management]

Assets per domain:

UE: USIM

RAN: RAN BBU/RRU hardware

Transmission: router and switch hardware; cabinet

MEC: COTS server; firewall and security gateway hardware; UPF (can NOT touch subscriber ID, can NOT touch root key)

5GC: COTS server; operator’s data: reports and CDRs; some user privacy information: subscription information, location information, etc.; UDM, AUSF (process subscriber ID, process root key); AMF, SMF (process subscriber ID, can NOT touch root key)

5G service: user’s service information: ID, location, key, password, state info, health data etc. (the data above are stored in the 5G service database)

Operation & Mgmt.: password; certificate; configuration; monitoring data (by network carriers)

Page 17: 5G introduces new vulnerabilities in the core network

Type | Specific for 5G?
Air interface vulnerabilities | No
Internet security vulnerabilities | New APIs exposed to the 5G service
Roaming security vulnerabilities | No
Lawful interception security vulnerabilities | No
Security vulnerabilities between 5GC/MEC and gNodeB | No
Software and hardware security vulnerabilities | No
Data vulnerabilities | No
O&M security vulnerabilities | No
SBA vulnerabilities | Yes
MEC vulnerabilities | No (uses NFV-based architecture)
Cloud vulnerabilities | No
Slicing vulnerabilities | Yes

Page 18: Huawei provides comprehensive features for 5G Security

[Figure: threats per domain and countermeasures, each marked as 3GPP definition or enhanced by Huawei, arranged by resilience function: Identify, Protect, Detect, Respond, Recover]

Network elements in scope: 5G UE, 5G wireless base station, transmission, 5GC on NFV (NEF, NRF, UDM, PCF, SEPP, AMF, SMF, AUSF, UPF, UPF/MEC), Internet.

Threats:
• RAN threats: user data leakage; DDoS attack
• 5GC threats: SBA; roaming; network slice; MEC
• Cloud infrastructure threats: compute; storage; network; CloudOS
• Common threats: illegal access; malicious software; data tamper/leakage; DDoS attack; O&M security threat

Security measures:
• Identify: vulnerabilities management; KPIs monitoring; remote attestation
• Protect: 3-plane isolation; built-in firewall; authentication; access authentication; slice authentication; slice key; service access authorization; transport security (IPsec, TLS, SSH); air interface encryption & integrity protection; application layer security; communication encryption; target encryption; topology hiding; anonymization; digital signature, secure boot and DIM; hardware RoT and HSM; software security; VNF/application hardening; system hardening; multi-layer isolation mechanisms; network isolation; slice resource isolation; slice resource reserve; E2E data lifecycle security protection; blacklist and whitelist; access control; flow control; ACL blocking; automatic security policy
• Detect: malicious signaling detection; DDoS detection (overload); signaling audit; service security audit; intrusion detection; big data security and correlation analysis
• Respond/Recover: VM migration; VM rebuilding; periodic VM restoration; configuration correction; configuration rollback; account disabling; patch/upgrade; port disable; data recovery

Page 19: 5G security is a shared responsibility…

[Figure: security and ecosystem responsibilities across the 5G value chain]
• Equipment vendor: equipment security
• Operators: delivery; deployment & operation security
• Service providers & customers: application security
• Standard organizations: define requirements & standard schemes
• Government: develop legislation and regulations; implement E2E security supervision

Page 20: How to improve the security of business and communities and ensure Australia’s future prosperity

1. Reduce the risk of national dependency on individual suppliers, regardless of their country of origin, to improve 5G and fibre network resilience
2. Ensure a more competitive, sustainable and diverse supply chain, to drive higher quality, innovation, and more investment in cybersecurity
3. Define network security and resilience requirements for 5G and fibre networks, contribute to unified standards, and enforce tailored and risk-based certification schemes to improve cyber security standards
4. Ensure effective assurance testing for equipment, systems and software and support specific evaluation arrangements. (The assessment and evaluation of products from different vendors should be the same, as their supply chains have the same level of risk)
5. Invest in a 5G Testbeds and Trials Programme, with industry, looking at end-to-end cybersecurity system assurance; new architectures and business models; tools for risk mitigation and transparency, and greater interoperability and more open interfaces; and share results, in a closed loop with (3.)

Page 21: Closing

Copyright©2018 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without

limitation, statements regarding the future financial and operating results, future product

portfolio, new technology, etc. There are a number of factors that could cause actual

results and developments to differ materially from those expressed or implied in the

predictive statements. Therefore, such information is provided for reference purpose

only and constitutes neither an offer nor an acceptance. Huawei may change the

information at any time without notice.

Thank You.

https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119515579.ch7

Page 22: References

[1] Australia’s 2020 Cyber Security Strategy - A call for views: https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-strategy-2020

[2] Discussion paper: https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-security-strategy-2020-discussion-paper.pdf

[3] Huawei, “Position Paper on Cyber Security”, White Paper, September 2019. https://www-file.huawei.com/-/media/corp/facts/pdf/huaweis-position-paper-on-cyber-security-0918.pdf?la=en-us

[4] Huawei, “AI Security”. White paper, October 2018. https://www-file.huawei.com/-/media/corporate/pdf/cyber-security/ai-security-white-paper-en.pdf

[5] EU Cybersecurity Agency (ENISA), “Annual Report Telecom Security Incidents 2018”, May 2019. https://www.enisa.europa.eu/publications/annual-report-telecom-security-incidents-2018

[6] Connected Nations 2018, Ofcom, December 2018. https://www.ofcom.org.uk/research-and-data/multisector-research/infrastructure-research/connected-nations-2018/main-report

[7] https://www.ncsc.gov.uk/speech/ciaran-martins-cybersec-speech-brussels

[8] UK Department for Digital, Culture, Media & Sport, “UK Telecoms Supply Chain Review Report”, July 2019. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/819469/CCS001_CCS0719559014-001_Telecoms_Security_and_Resilience_Accessible.pdf

[9] The Prague Proposals, “The Chairman Statement on cyber security of communication networks in a globally digitalized world”, Prague 5G Security Conference, May 2019. https://www.vlada.cz/en/media-centrum/aktualne/prague-5g-security-conference-announced-series-of-recommendations-the-prague-proposals-173422/

[10] The Intelligence and Security Committee of Parliament, “Statement on 5G suppliers”, July 2019. http://isc.independent.gov.uk/news-archive/19july2019

[11] The Science and Technology Select Committee, “Letter to the Secretary of State for Digital, Culture, Media and Sport about Huawei’s involvement in the UK’s 5G network”, July 2019. https://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/news-parliament-2017/chairs-comments-huawei-5g-network-17-19/

[12] http://telecoms.com/498852/five-eyes-align-security-objectives-but-where-does-this-leave-huawei/

[13] https://www.fastcompany.com/90344450/dont-ban-huawei-do-this-instead

[14] https://www.innovationaus.com/2019/07/5g-a-decision-that-demands-scrutiny

[15] Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), “Cyber Supply Chain Risk Management - Practitioners guide”, July 2019. https://www.cyber.gov.au/sites/default/files/2019-06/Supply%20Chain%20Risk%20Management%20-%20Practitioners%20guide.pdf

[16] European Commission, “Commission Recommendation – Cybersecurity of 5G Networks”, March 2019. https://www.europeansources.info/record/recommendation-on-cybersecurity-of-5g-networks/

[17] EU Cybersecurity Act “ENISA and Cybersecurity Certification Framework”, June 2019. https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act

[18] European Commission, “Connectivity for a Competitive Digital Single Market - Towards a European Gigabit Society”, September 2019. https://ec.europa.eu/digital-single-market/en/news/communication-connectivity-competitive-digital-single-market-towards-european-gigabit-society

[19] https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act

[20] https://www.3gpp.org/DynaReport/33-series.htm

[21] https://www.gsma.com/security/network-equipment-security-assurance-scheme/

[22] https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html

[23] https://eugdpr.org/

[24] https://www.minister.communications.gov.au/minister/mitch-fifield/news/government-provides-5g-security-guidance-australian-carriers

[25] https://www.cyber.gov.au/programs?page=0

[26] http://www.europarl.europa.eu/RegData/etudes/BRIE/2019/635518/EPRS_BRI(2019)635518_EN.pdf

[27] https://ec.europa.eu/digital-single-market/en/proposal-european-cybersecurity-competence-network-and-centre