Multi-access edge computing represents a game-changing capability in 5G environments for organizations, delivering faster speeds and enhanced bandwidth, thereby fostering a new level of products and services for their customers.
Alongside 5G, MEC has emerged as an amplified means of delivering the ultra-low latency and high bandwidth that enterprises value and that is crucial for existing and emerging use cases such as autonomous vehicles and smart cities. As well, the cutting-edge of advantage in cloud and next-gen mobile gaming, requiring the lowest latency and highest performance possible for users – in essence defining the next generation of networking – is powered by MEC.
To achieve that capability, a new level of rich complexity is introduced into the 5G equation, and with that comes a drastically expanded threat surface which must be accounted for with comprehensive end-to-end security coverage. Understanding the range of threat vectors and factors associated with MEC solutions offers insight into comprehensive testing strategy requirements to assure validation of the entire MEC solution so 5G it can deliver on its promise.
Security threats to 5G via MEC
One of the fundamental characteristics of MEC solutions is that they are largely open environments for third parties to enable better performance for users. MEC data centers will host a large variety of stakeholders, applications, application programming interfaces (APIs), data, and technologies, which will constantly interact.
It’s that multivariate and open environment which can be so easily abused, exploited, or misused. Each of these component parts have their own security concerns and they must each be secured, as well as the way they communicate. Applications, for example, should be logically separated, while data needs to be segmented appropriately and their interactions must be policed and monitored.
There are a range of threats that a MEC data center could face when it goes live. A successful attack on a MEC solution could lead to exploitation of any of the technologies, data, and users within the MEC ecosystem and can even be a vector for a broader attack on 5G core networks or the broader supply chain. The categories where vulnerabilities may exist in 5G MEC solutions are described in the following sections.
Abuse of assets
A first point of concern is that the internal assets of the MEC data center might be abused by attackers, co-opting the architecture of MEC solution to their own ends. These threats include:
Tampering and exploitation
Availability and performance degradation
Supply chain compromise
The MEC ecosystem fundamentally connects users, technologies, enterprises, vendors, customers and 5G networks. Attacks that enable a compromise of the broader supply chain and affect the users and systems within it include:
Source code manipulation
System image compromise
Software component replacement
Misconfigurations and weak security controls
Improper or poorly implemented security controls are an enduring challenge for MEC solutions. When attackers find those gaps, they will exploit them. These gaps can also lead to accidental unauthorized access and exposure of information and APIs by otherwise legitimate actors. Vulnerabilities include:
Manipulation of target environment
Compromise of network integrity
Misconfiguration of software
Tampering with security controls
Platform security and integrity
The security and integrity of the MEC platform relies on the resilience of the tools and processes that protect and manage it. This is the starting point when planning and developing MEC security and understanding the associated list of potential vulnerabilities. Platforms include:
Operations, Administration and Management (OA&M) Security
Key and certificate management systems
MEC solutions host a large variety of web applications, and through software vulnerabilities in those applications, serious threats can arise if authentication or access controls are not properly managed. The entry points in applications can present vulnerabilities which permit a range of cyber intrusions where attackers can gain unauthorized access to data, elevate their privileges, and exploit a variety of MEC components and internal assets.
One of the main characteristics of a MEC solution is that it can open itself to third parties to host their services. Opening those APIs to third parties also presents the potential for vulnerability exploitation on numerous levels.
Assessment strategies for 5G MEC security
A wide range of threats must be understood and ultimately mitigated if 5G and MEC’s true potential is to be realized. Security will be a firm expectation for all stakeholders in the MEC ecosystem. In order to assure them of a MEC solution’s trustworthiness, rigorous and comprehensive testing in both the development and live environments is crucial.
Recognizing that MEC solutions are architected in multiple ways, where individual implementations vary in a variety of bespoke environments, Spirent SecurityLabs has many years of experience delivering testing solutions in this space. This includes a special focus on 5G security. With this extensive background, SecurityLabs created of a set of essential testing strategies to assess the security posture of the MEC solution – whether public or private – before deployment, to identify and prioritize vulnerabilities.
Focused on Network Functions (NFs) the testing strategy includes, but is not limited to, the steps found below. This assessment model has been utilized with a number of major North American Tier 1 operators:
MEC Security Architecture Review
Network Penetration Test
Host Security Assessment
Kubernetes Security Audit
MEC Application and API Penetration Test
Accounting for new cybersecurity frameworks
Any testing strategy for 5G MEC security should also account for the new cybersecurity frameworks which have come out since the emergence of 5G, which resulted in more sophisticated threats and a broader threat surface. This elevated the urgency and importance of holistic security and necessitated employing new frameworks of security management. They include:
Secure Access Secure Edge (SASE): A cloud-centric distributed security architecture securing users and applications as opposed to subnetworks and IP resources
Zero Trust and Zero Trust Network Access (ZTNA): Eliminating the notion of trust, necessitating that access must be granted for each application transaction
Transport Layer Security (TLS): Use of encryption targeted at preventing malicious unauthorized altering of transmitted data between endpoints and eavesdropping
Mutual authentication: Where the sender and recipient must verify the other party is genuine and trusted
The testing strategy described above is covered in greater detail and much more, in the associated white paper on this topic.
Qualifications for comprehensive 5G MEC testing
Recognizing the significant list of requirements for holistic 5G MEC security, organizations at times see the benefit of supplementing their inhouse capabilities with a qualified testing partner. This option often provides subject matter expertise to augment in-house testing teams, as well as saves on costs due to the elimination of ramp-up time required for expert testing in this space. A test partner who has a full spectrum understanding of the nuances and complications of 5G network infrastructures and the variety of MEC implementations, are key elements of a qualified testing partner.
Learn more, read the white paper The Fundamentals of Ensuring 5G MEC Security.