
Content for TR 33.794 Word version: 19.0.0

1  Scope

The present document studies enablers for Zero-Trust Security in the 5G System. The document specifically includes security analysis with recommendations, key issues, potential security requirements and solutions with respect to the following objectives:
  1. Data exposure for security evaluation and monitoring
    • Identify potential threats and attacks on the 5G SBA layer intended to identify which data may be relevant to be exposed, and whether additional data exposure is necessary to detect the threats and attacks.
  2. Security mechanism for dynamic policy enforcement

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  TR 33.894: "Study on applicability of the zero trust security principles in mobile networks".
[3]  3GPP SP-231784: "New Study on enablers for Zero Trust Security".
[4]  TS 33.501: "Security architecture and procedures for 5G System".
[5]  RFC 6749: "The OAuth 2.0 Authorization Framework".
[6]  TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[7]  NIST Special Publication 800-207: "Zero Trust Architecture".
[8]  TR 33.738: "Study on security aspects of enablers for network automation for the 5G system phase 3".
[9]  TS 29.500: "5G System; Technical Realization of Service Based Architecture; Stage 3".
[10]  TS 23.502: "Procedures for the 5G System (5GS); Stage 2".
[11]  TS 29.501: "5G System; Principles and Guidelines for Services Definition; Stage 3".
[12]  TS 23.288: "Architecture enhancements for 5G System (5GS) to support network data analytics services".
[13]  RFC 9113: "HTTP/2".
[14]  TS 33.117: "Catalogue of general security assurance requirements".
[15]  TR 33.926: "Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes".
[16]
[17]  TS 23.501: "System architecture for the 5G System (5GS)".
[18]  NIST SP-800-92: "Guide to Computer Security Log Management".
[19]  TS 29.510: "5G System; Network function repository services; Stage 3".
[20]  TS 28.541: "Management and orchestration; 5G Network Resource Model (NRM); Stage 2 and stage 3".
[21]  TS 29.552: "5G System; Network Data Analytics signalling flows".
[22]  TS 29.571: "Common Data Types for Service Based Interfaces; Stage 3".
[23]  RFC 9557: "Date and Time on the Internet: Timestamps with Additional Information".
[24]  IEEE 1588: "Precision Clock Synchronization Protocol for Networked Measurement and Control Systems".

3  Definitions of terms, symbols and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.

3.2  Symbols

Void.

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
AMF  Access and Mobility Management Function
AUSF  Authentication Server Function
CSR  Certificate Signing Request
DCCF  Data Collection Coordination
DoS  Denial of Service
MANO  Management and Orchestration
NF  Network Function
NRF  Network Repository Function
NRF-Sec  Network Repository Function - Security
NWDAF  Network Data Analytics Function
OAM  Operations, Administration and Maintenance
OSF  Operator Security Function
PCF  Policy Control Function
PDP  Policy Decision Point
PEP  Policy Enforcement Point
SADF  Security Administration Function
SBA  Service Based Architecture
SBI  Service Based Interface
SCP  Service Communication Proxy
SDCF  Security Data Collection Function
SDRF  Security Data Repository Function
SDPI  Security Data Point of Ingest
SMF  Session Management Function
SOC  Security Operation Center

4  Security Assumptions

This clause describes the potential security assumptions to be considered for the study specific to the objectives [2]. The security aspects identified with respect to the zero trust security tenets in the context of the 5GC SBA in TR 33.894 are still relevant and applicable for the present document.
Assumption #1:
Based on Objective 1 (i.e., Data exposure for security evaluation and monitoring) the operator has deployed a Security Function.
  • The Security function that performs the security evaluation and monitoring resides in the operator's domain (i.e., external to the 3GPP network) and is considered a trusted entity. This Security function and its application logic are up to the operator's implementation and are outside the scope of 3GPP in the present document.
For security related data or logs, care needs to be taken when logging such events or triggering notifications for them. Guidelines and measures on data collection and secure handling are described in, e.g., [18].
Assumption #2:
For Objective 2 (i.e., Security mechanism for dynamic policy enforcement), the dynamic security policy enforcement is configured and controlled by the operator based on operator's policy.
Exposing security data in a structured manner can support automated, continuous security monitoring. To enable this, the security data should be classified and a structure for it defined.
In relation to data exposure for security evaluation and monitoring, it is important to understand the relevant security risks associated with the SBA. Accordingly, the symptoms needed to assess whether any such risk is being exploited can be considered for data exposure. For this study, it is assumed that the following attacks may be applicable to the SBA layer, which can be implemented using microservices or virtual network functions:
  1. Network level attacks
  2. Service-level attacks
  3. API security risks
  4. Infrastructure related attacks: These attacks can be considered out of scope for 3GPP. However, operators may want to define specific security data to be exposed for such attacks. The present document does not consider defining data exposure for these attacks.