In terms of business operations, it is imperative for Huawei to follow the security design principles of attack and defense. Speciﬁcally, enhanced cyber resilience based on confidentiality, integrity, and availability is critical in the design of cyber security.
To speed up service recovery if a security incident occurs, the design must realize continuous monitoring and response to security incidents so that their impact scope and resulting service loss can be minimized.
As an equipment vendor, Huawei implements authoritative industry standards and best practices and supports operators in building resilient networks, helping them better meet the service requirements for the cyber resilience of their critical information infrastructure.
The equipment supports secure end-to-end transmission at the network layer to ensure data confidentiality and integrity and implements encryption, integrity protection, and anti-replay on interfaces between UEs, base stations, and core networks.
Slice isolation is supported, which requires collaboration among wireless, transmission, and core networks for E2E security isolation. Radio bearer (RB) reservation and spectrum isolation are used on the RAN to prevent air interface resource preemption; FlexE is used on the transport network to isolate slices; NFs, VMs, and zones are isolated on the core network.
Measures are taken to implement precise and flexible slice isolation, preventing resource preemption between slices. The management, control, and signaling planes can be isolated to prevent mutual access and horizontal attacks.
The equipment provides the ﬂow control mechanism with load monitoring to prevent DDoS attacks. In cloud-based scenarios, elastic scaling and pool-based disaster recovery are also provided to enhance cyber resilience.
The equipment provides security management capabilities. The operations support system (OSS) implements security management for base stations and core networks based on alarms, logs, and configuration In addition, it interconnects with a third-party service operations center (SOC) through a standard interface to report data, implementing network-wide security management.
Zero-trust@5G is introduced to network management and control units, allowing evolution from “static authentication and authorization” to “user-identity-based authentication and authorization, continuous trust assessment, and dynamic access control”, thereby building a new security O&M system.
Privacy Protection Measures
To comply with applicable privacy protection laws, such as the EU General Data Protection Regulation (GDPR), consider the following privacy protection measures:
- 3GPP 5G standards stipulate that user IDs are encrypted during transmission over the air interface, and encryption and integrity protection are performed on the end-to-end transmission channel to prevent personal data from being stolen or tampered with.
- User plane data protection: Both the air interface and transmission channel support encryption and integrity protection according to 3GPP speciﬁcation.
This article is by Mr. Kevin, Cyber Security and Privacy Officer (CSPO), Huawei Uganda