CISA and DoD Release 5G Security Evaluation Process Investigation Study

CISA and DoD Release 5G Security Evaluation Process Investigation Study
05/26/2022 09:00 AM EDT

2.3 5G Threat Landscape
A key input to any security risk assessment is threat analysis. The 5G system model supports
depiction of the attack surface for the investigation. There are numerous threat frameworks such as
those offered by MITRE ATT&CK® [5]; the European Union Agency for Cybersecurity’s (ENISA) 5G
Threat Landscape [6]; the Threat Modeling Framework for Mobile Communication Systems [7];
3GPP’s Security Assurance Specifications (SCAS) and Technical Specification (TS) 33.501 [8];
publications released by the Federal Communications Commission (FCC) Communications Security,
Reliability, and Interoperability Council VII (CSRIC) [9]; 5G Enablers for Network and System Security
and Resilience (ENSURE) [10]; and the GSM Association’s (GSMA) Security Manual [11]. The study
team examined these resources as well as threat analyses conducted by 3GPP and a paper on
potential 5G threat vectors published by the Enduring Security Framework’s 5G Threat Model
Working Panel [12]. Figure 3 shows some of the threats to the 5G subsystems that were extracted
from these sources. Some of the threats such as eavesdropping, theft of user data, or user location
tracking may impact integrity and confidentiality of user data as well as service availability to
individual users. Other threats may impact local or regional network, application, or service availability
(e.g., denial of service [DoS] or Distributed DoS [DDoS] attacks, misconfigured or compromised
virtualization platforms or network functions, vulnerable components [supply chain threats], or
physical attacks on edge computing components), with follow-on effects on the confidentiality,
integrity, and availability of 5G services and applications for enterprises relying on 5G for their

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”