Recently, at the China Mobile 5G+ Industrial Internet Promotion Conference, China Mobile, ZTE, China Academy of Information and Communications Technology, Beijing University of Posts and Telecommunications, Sany Heavy Industry, Ansteel Group and other units jointly released the “5G+ Industrial Internet Security White Paper” (hereinafter referred to as the “White Paper”) ). The white paper aims to promote the standardization of 5G+ industrial Internet security, promote the security level of deep integration of 5G and industrial Internet, accelerate the transformation from “Made in China” to “Made in China”, and help the high-quality development of the real economy. The white paper addresses the universal security requirements of industrial vertical industries such as smart manufacturing, power grids, mines, and ports after the introduction of 5G, and provides a reference for the security protection of 5G+ industrial Internet application scenarios.

5G Empowers the Industrial Internet and Brings New Security Challenges

With its high bandwidth, low latency, and massive connections, 5G will greatly improve the informatization level of the industrial Internet and gradually become the infrastructure supporting industrial production. The deep integration of 5G and industrial systems is bound to bring a large number of ICT system threats and challenges to industrial OT networks, making the security challenges of 5G+ industrial Internet more difficult than traditional industrial control system security and Internet security. According to different protection objects, the white paper analyzes the security threats faced by the integration of 5G and industrial Internet from the following five levels.

in industrial networks, 5G uses network slicing to provide differentiated services for different industrial Internet services, so it puts forward higher requirements for network security isolation capabilities. The security challenges it faces include inter-slice security threats such as illegal access, resource contention, and illegal attacks, intra-slice security threats such as illegal access between different security domains, user data eavesdropping, and denial of service attacks against public NFs. Security threats between the slice and the DN network such as illegal access, virus and Trojan horse attacks, security threats to slice management such as illegal access by illegal tenants, abuse of administrator rights, and tampering of sensitive slice information.

in controlling security, Industrial control protocols, control platforms, and control software may not consider security requirements such as integrity and identity verification at the beginning of design. For this reason, its authorization and access control are not strict, authentication is insufficient, configuration maintenance is insufficient, and credential management is lax. Application software also continues to face traditional security challenges such as viruses, Trojan horses, and loopholes. The 5G network connects the previously unconnected or relatively closed private control network to the Internet, which virtually increases the risk of industrial control protocols and IT system vulnerabilities being exploited.

in terms of data security, 5G networks are based on NFV, cloud computing, and virtualization technologies, making security boundaries blurred and traffic invisible. MEC nodes are located at the edge of the network, in an open network environment with weak operator control, and the risk of data theft and leakage is relatively high. The multi-service scenarios of the Industrial Internet require the combination of security and business requirements, access technology, and terminal capabilities. Therefore, there are stricter requirements for data management and control, and enterprise data is required to leave the park. This puts forward higher requirements on the security of data storage, transmission and processing in MEC.

In terms of access security,The 5G network increases the risk of a large number of industrial IT software vulnerabilities being exploited. 5G has ushered in the era of the Internet of Everything. The integration of 5G and the industrial Internet has made it possible to access a large number of industrial terminals. There are loopholes, flaws, backdoors and other security issues in application software and functions, which are exposed in the relatively open 5G network, and there is a risk of being exploited.

in application security, The 5G network is based on network capability exposure technology and deeply integrated with the Industrial Internet, so that the Industrial Internet can make full use of its network capabilities to flexibly develop new services. Attackers can use the application programming interface (API) provided by the 5G network capability open architecture to carry out denial-of-service attacks on the network. In addition, there is also a security risk of illegal access between multiple applications. The open architecture of 5G network capabilities faces security risks such as unauthorized access and use of network capabilities, data leakage, and leakage of user and network sensitive information. The edge cloud platform (MEC) and its services also face internal and external security challenges such as illegal access and internal intrusion, which are common in virtualization. In particular, application defects on the MEC increase the risk of unauthorized access.

Integrated 5G+Industrial Internet Security Reference Architecture

With the integration of 5G and the industrial Internet, information security involves all levels of the industrial Internet. A single security solution cannot meet the needs of industrial Internet information security. Overall consideration is required to establish a unified security defense system. In addition, 5G+ industrial Internet security work needs to be coordinated and arranged from a more overall perspective such as system construction and industry support, so that more companies can realize the necessity and urgency of information security, and strengthen security management and risk prevention and control. Only by building a unified industrial Internet information security assurance system and covering security risks such as access, network, control, and data more comprehensively, can the industrial Internet security after the introduction of 5G be effectively guaranteed. Based on this, the white paper gives the following 5G+ industrial Internet security reference architecture.

Figure 1: 5G+ Industrial Internet Security Reference Architecture

The integrated 5G + industrial Internet security reference architecture is based on 5G’s own security capabilities, with my country’s security policies, relevant laws, and industry security planning as the main guiding principles, combined with the security requirements of the actual application scenarios of the industrial Internet, and through integration and innovation, zero trust Integrate cutting-edge security concepts such as internal security and endogenous security into customized security solutions, and maximize security measures on the basis of meeting the requirements of the corresponding level of security physical environment, security communication network, security area boundary, security computing environment, security management center and management parts protection ability.

Customized 5G+Industrial Internet scenario-based security capabilities

In response to the security challenges brought by new technologies and new architectures, 5G networks refer to relevant 5G security specifications and follow the “Telecommunication Network and Internet Management Security Level Protection Requirements”, providing wireless access security, 5GC security, MEC security, slice security and Manage secure end-to-end secure communication capabilities. However, for vertical industries, especially industrial systems with strict security requirements, the basic security capabilities provided by 5G cannot meet the security requirements in different business scenarios. To this end, the white paper pointed out that in the process of enabling the industrial Internet, 5G should build a customized 5G+ based on its own security capabilities, combined with the characteristics and operation mode of the industrial Internet, and integrating cutting-edge security technologies such as zero trust and endogenous security. Industrial Internet security solutions to meet the level protection requirements of the Industrial Internet itself. The white paper provides that customized solutions can be constructed from the following aspects:

Differentiated slicing meets enterprise network security isolation requirements. According to the security isolation requirements of the industry and the key SLA (service level agreement) that needs to be guaranteed, different types of slices are selected and parameter configurations are performed. From the perspective of resource isolation and service assurance, wireless networks can provide multiple slice isolation technologies to provide differentiated customized network services. Different business systems can choose different network isolation solutions according to their own needs.

UPF sinking + FlexE to support low-latency business requirements of enterprises. In order to further reduce the end-to-end communication delay, the UPF (user plane function) in the 5G network can be downgraded to the MEC. By introducing data, applications, and intelligence into the edge side of the base station, data transmission routing nodes can be reduced to reduce the end-to-end communication delay. delay. In addition, in the 5G network, the FlexE crossover technology is used to realize the information transfer between network devices. It realizes the forwarding of user service flows based on the physical layer. User packets do not need to be parsed at the intermediate nodes of the network, and the process of service flow crossover is almost instantaneously completed. The single-hop device forwarding delay is 1~10us, which effectively solves the simulation and spoofing of time messages.

Multiple mechanisms provide end-to-end data security for enterprises.In order to reduce data security risks in 5G industry applications, 5G provides a stronger data security protection method. The white paper gives suggestions on access authentication, access control, and data transmission. The slice secondary authentication mechanism is adopted, that is, after the user is authenticated when accessing the network, the authentication is performed to establish a data channel for accessing a specific service, so as to ensure that the enterprise can independently control the security policy; follow the principle of least privilege authorization, and provide different users Assign different data operation permissions to avoid access by users from unreliable sources, and provide a variety of access control methods. In addition, encryption algorithms such as SHA256 and AES256 are used for key sensitive data for encrypted storage; to protect data transmission between networks, you can use The new security edge protection proxy function of 5G is used to protect the security of data generation, processing, and use in the industrial Internet.

Zero trust architecture enhances the access security of massive terminals. Traditional security adopts the border protection method, that is, verifies the identity of the terminal at the network border to determine whether the user is trusted. With the diversification of attack methods and threats, the traditional network access security architecture has shown great limitations. For this reason, the 5G+ industrial Internet security architecture introduces a security concept based on zero trust, enables a new identity authentication management model, and makes full use of identity authentication credentials. , devices, networks, applications, and other combined security boundaries. The secure access of terminals under the zero-trust security architecture of the 5G Industrial Internet is no longer limited to the network boundary. Whether it is a user outside the enterprise network or a user inside the enterprise network, authentication and authorization are required before establishing a connection. The zero-trust security architecture of the 5G industrial Internet has changed the original passive defense to active defense, and changed from the border defense method to endogenous security, which effectively guarantees the access security of a large number of industrial terminals in the 5G network environment.

Situational awareness ensures the overall security capability of the network.After 5G is applied to industrial systems, the original passive defense is no longer reliable and cannot effectively prevent organized large-scale attacks. New security technologies are urgently needed. 5G industrial Internet situational awareness technology can cover 5G assets, including 5GC network elements, slices, virtual machines, physical machines, middleware, etc., and can associate assets at all levels, and locate loopholes, vulnerabilities, and attack events based on asset association relationships It can track the attack chain to locate the source of the threat, analyze the possible scope of impact, and determine the disposal method and means according to the asset value and business impact. In addition, situational awareness can also be based on the in-depth mining of network attack events, combined with the network infrastructure and operating status, to evaluate the network security situation and predict possible future network attacks.

The deep integration of 5G and industrial control systems is the key to improving the quality and efficiency of the industrial Internet, and security issues will inevitably arise during the integration process. To reconcile the openness of the 5G network with the privacy of the industrial control protocol, especially to solve the problem of weak security of the industrial control protocol, it is necessary to introduce the concept of endogenous security defense to improve the completeness of the industrial Internet in terms of security design. In addition, the openness of the 5G network will accelerate the establishment of a cross-department, cross-industry, cross-platform information sharing and joint disposal mechanism for the industrial Internet. It is difficult for any enterprise to carry out independent defense. For this reason, industrial Internet companies based on 5G networks , It is necessary to establish a coordination mechanism with mobile operators, equipment providers, security service providers, regulatory agencies, etc., to jointly deal with cross-field and cross-industry security challenges from 5G, industry, etc.

At present, the development of 5G industrial Internet security protection is still in its infancy. The release of this white paper provides a security reference for 5G to empower the industrial Internet. As the breadth and depth of 5G’s integration into the industrial Internet continue to increase, it is necessary to introduce new security concepts and technologies to continuously improve the security protection system of the 5G industrial Internet. To ensure the steady and long-term progress of industrial digital transformation and upgrading.