NIST Requests Public Comment on Draft Guidance for 5G Cybersecurity


NIST’s new draft practice guide is intended to help with the cybersecurity of 5G networks, which could enable applications from telemedicine to autonomous vehicles.

Credit: N. Hanacek/NIST

As wireless networks transition to 5G technology, they could enable a host of new capabilities ranging from autonomous vehicles to surgery performed at a distance — but they also will place new cybersecurity demands on industry. A new draft publication from the National Institute of Standards and Technology (NIST) is designed to help network operators navigate the demands while delivering the new features 5G is designed to provide.

The publication describes a standalone 5G network that NIST’s National Cybersecurity Center of Excellence (NCCoE) is constructing, largely for the purpose of demonstrating 5G cybersecurity capabilities in different situations. The network, which the NCCoE team is constructing from off-the-shelf commercial technology, is currently being deployed, and the team is seeking comments on the publication in part to ensure the finished network will allow the researchers to develop practical guidance that the wireless security community will find useful.

The publication, titled 5G Cybersecurity Volume B: Approach, Architecture and Security Characteristics (NIST Special Publication 1800-33B), describes the cybersecurity capabilities that their example 5G network will enable. It also provides a risk analysis for the security capabilities that the network will demonstrate. Its authors, who characterize it as a preliminary draft, plan to develop it to include actionable guidance on using standards and recommended practices for multiple use case scenarios. 

“The information contained in the document highlights security features that 5G offers,” said Jeff Cichonski, a NIST information technology specialist and one of the publication’s authors. “Understanding what’s available can be critical to help operators and users of 5G understand and manage their cybersecurity risk when it comes to 5G.”

One advantage of 5G will be greater customization of a network to fit its purpose. A large company might want its own 5G network for communication at its headquarters building, while a hospital might want one to enable telemedicine. These different use cases might well have varied cybersecurity demands that the network can be configured to provide appropriately — by activating some available security features rather than others, for example.

A potential issue, however, is the current lack of 5G standards that specify how to deploy cybersecurity protections onto the underlying components that support and operate the 5G system. One difference between 5G and previous-generation cellular networks is 5G’s use of cloud-based technology, which is similar to that used for many internet applications. 5G systems can leverage the robust security features available in cloud computing architectures to protect 5G data and communications. As these features may be unfamiliar to some in the industry, Cichonski said, the publication is designed to help clarify how the cloud-infrastructure-focused security capabilities can help secure a 5G network. 

“The first phase of the project will also showcase how 5G can help address known security challenges that existed in previous-generation networks,” Cichonski said. “If we identify gaps in 5G cybersecurity standards, we will let standards development organizations know what we learn. We are hoping this project will help the entire wireless security community.” 

The publication is intended primarily for commercial mobile network and private 5G network operators, as well as for organizations using and managing 5G-enabled technology. Once completed, the approach will offer several benefits to organizations that implement it, including reduced susceptibility of a 5G network to cyberattack, better protection of 5G communications against eavesdropping and tampering, and increased privacy protections for 5G users. To develop the draft further, the authors are requesting comments that focus on the security capabilities their example 5G solution implements. 

“We’d like to know if the guide accurately describes technical security capabilities and related threats and vulnerabilities,” Cichonski said. “One major goal is to assist organizations in understanding and managing the cybersecurity capabilities available in 5G and the supporting IT infrastructure, so we want the community to let us know what we can add to make the information more relevant to their organizations.” 

Comments on the preliminary draft publication may be submitted to 5g-security [at] nist.gov by the deadline of June 27, 2022.