FCC CSRIC Finds 4G Vulnerabilities Could Threaten 5G
The FCC Communications Security, Reliability and Interoperability Council approved a report Wednesday that warned vulnerabilities in 4G networks could carry over into a 5G world. The report was developed by the Managing Security Risk in the Transition to 5G Working Group and is expected to be posted by the FCC Thursday, officials said. CSRIC also got an additional charge from the FCC to look at duplicative weather alerts. The group met virtually for the second time because of COVID-19.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The report recommends the FCC encourage industry adoption of previous CSRIC recommendations, said WG Chair Lee Thibadeau, Nsight co-chief technical officer. “There’s been a lot of good work done already and the working group wishes to ensure that attention continues to be paid to that work.”
The report also recommends a focus on control- and user-plane security, Thibadeau said. He noted many networks' command and control functions are transmitted using 4G, while 5G carries user-plane data. “Control-plane vulnerabilities can expose networks to risks such as rogue base stations,” he said. The FCC should consider future CSRIC focus on ongoing improvements in 4G, plus 3rd Generation Partnership Project standard enhancements focused on user-plane security, he said. The document advises the FCC participate in supply chain risk management programs “because those public-private partnerships are helping develop the framework that’s needed for trusted 5G networks,” he said.
Industry should also pay close attention to prior CSRIC recommendations on 4G, especially on signaling security and encryption, Thibadeau said. Device security is more important with 5G than earlier generations, he said. “5G networks are going to see not only a great deal more devices connected to networks, but there will be a great variation in the capability, sophistication and potentially the security of those devices.” Some devices are likely to be used for long periods without software updates, he said.
Among other updates, Managing Security Risk in Emerging 5G Implementations WG Chair Farrokh Khatibi said a top focus is 3GPP Releases 15 and 16. The WG is looking at the releases with an eye on security and other risks, and “risk mitigation strategies,” said Khatibi, Qualcomm director-engineering. The WG is examining all the optional features in the 3GPP specifications and will provide recommendations on which will likely be accepted in the U.S. “to make sure that the North American deployment is secure and roaming is possible,” he said. That group is focusing on stand-alone 5G rather than 5G built on LTE, he said.
Public Safety Bureau Chief Lisa Fowlkes asked the Alert Originator Standard Operating Procedures WG to look at why some subscribers are getting duplicative weather alerts. “These duplicate alerts can cause confusion and need to be resolved,” she said. Fowlkes said Clay Freinwald, chair of the Washington State Emergency Communications Committee; Harold Price, president of Sage Alerting Systems; and Joe Berry, president of the California Broadcasters Association, were named to the WG to work on the issue. CSRIC next meets Sept. 16.