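5G Standalone Networking Driven Application Case Collection: Smart Port Security Application Based on 5G Edge Computing (English Edition).pdf

  • Resource ID: 122108       File size: 985.09KB        Total pages: 11
  • Format: PDF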

Powered by SA: Smart Port MEC Security Application

China Mobile & Huawei

Table of Contents

Powered by SA: Smart Port MEC Security Application
Introduction
5G Enables Smart Port Development
Security Challenges and Assurance Requirements for 5G Smart Ports
5G Smart Port Security Solution
5G Network Security Protection
MEC Security Risk Elimination
Slice security assurance
Security issues when the app is co-deployed with the MEC
Data transmission security
Smart Port Security Practices Based on 5G SA Slices
Additional technical achievements
Ecological construction
Summary

Introduction

5G is a key enabling technology that will drive the development of the industrial internet, which, in turn, will be critical to accelerating the commercial deployment of 5G. In addition, the industrial internet's requirement for low latency makes it important to introduce MEC (Multi-access Edge Computing) at the edge of the 5G network. As an example of a typical industrial operation environment, a port is usually densely deployed with heavy mechanical equipment such as gantry cranes. Therefore, the deep integration of 5G and MEC technology with ports will have a profound impact on port infrastructure, transportation organization, and business governance. In this scenario, it is also important to ensure high security and reliability.

In October 2019, China Mobile, Ningbo Port, and Huawei jointly launched the 5G SA Smart Port MEC Security Application innovation project, focusing on 5G network security protection, MEC security risk elimination, industrial internet application risk control, slicing security assurance, and data security protection. This document outlines typical risks and security solutions for smart port service scenarios, providing practical guidance for large-scale 5G+ [1] industrial internet security assessment and security operation and maintenance (O&M).
The project has made major breakthroughs in verifying technical feasibility, exploring business expansion opportunities, and fostering the industry ecosystem. It highlights the benefits of the 5G SA network and MEC in enabling industrial internet applications, while providing a valuable reference for cooperation between global operators and the 5G industry ecosystem.

5G Enables Smart Port Development

The operational efficiency and automation level of a port are crucial in determining its future competitiveness and economic benefits. With the maturity of remote control technology for container cranes, as well as the increase in labor cost and market tension, the need for separating human, machine and intelligent remote control has been increasing. 5G provides ultra-low latency and high bandwidth access capabilities to meet the requirements of remote control, automatic guided vehicle (AGV) driving, and campus security monitoring. In addition, MEC technology implements local traffic processing and logical calculation, saving bandwidth and reducing delay, and further meets the requirements of low-latency remote control of heavy machinery and high-bandwidth transmission of on-site HD video. Therefore, 5G and MEC can enable the efficient development of smart ports while reducing operation costs.

In particular, in the 5G SA (Standalone) networking mode, 5G NR is directly connected to the 5G core network without relying on the 4G network. With network slicing and MEC technologies, a complete and independent 5G network has advantages such as convenient interconnection and flexible, reliable service, and can be innovatively applied across all industries. Meanwhile, many 5G application innovations will be limited under 5G Non-Standalone (NSA), because the 5G NSA networking mode has limited capabilities in the 5G core network, uplink bandwidth, delay, etc.

[1] 5G+ is the trade mark of China Mobile for 5G services.

Figure 1. Port remote tally system based on 5G network

Security Challenges and Assurance Requirements for 5G Smart Ports

Smart ports can be a major application of 5G within vertical industries. They are closely related to the Information and Communications Technology (ICT) infrastructure of the port and enable the enterprise's distributed intranets to communicate with one another through a carrier's 5G network. In addition, MEC places core network elements of the 5G network in the port, making it dependent on the requirements of the port's application security. Therefore, the 5G smart port application scenario not only needs to ensure 5G network security and MEC security, but also needs to address new security capabilities for port applications. This poses higher requirements on network security assurance, including the following five aspects:

1. 5G cyber security risks: New risks are arising from CU (Central Unit)/DU (Distributed Unit) separation, the air interface, the core network, and interconnection. In addition, the actual security assurance capabilities of SDN (Software-defined Networking), NFV (Network Function Virtualisation), and slicing technologies need to be verified.

2. MEC security risks: The MEC facility is deployed at the edge of the network. As a result, the number of edge nodes and security borders increases. In addition, core network elements reside locally and are more open. The unified MEC management is complex and prone to exposure attacks.

3. Industrial internet application risks: As a typical edge cloud computing environment, the 5G MEC platform may be subject to data leakage, software tampering, unavailability, and attacks from 5G Core. Industrial internet applications require a more trusted MEC environment.

4. Standalone (SA) slicing security risks: SA slicing does not implement security isolation, resulting in competition and abuse of CPU, storage, and I/O resources.
In addition, security authentication for slicing access to 5G networks needs to be considered to ensure access to valid slices and the controllability of applications to slice the networks and resource usage.

5. Data security risks: The traditional closed industrial network becomes more open with 5G and MEC. As a result, public network users may be able to access private network users. Carrier networks and enterprise networks can be accessed from each other. Data centers are more vulnerable to attacks and sensitive data leakage.

5G Smart Port Security Solution

5G Network Security Protection

The smart port enterprise network and carrier network are both trusted domains. Protection measures must be deployed at the border of each network to prevent attacks from the other domain. The N6 interface on the 5G network is located at the border between the MEC and the enterprise network. Security devices, such as firewalls, anti-DDoS (Distributed Denial-of-Service) devices, and IDS (Intrusion Detection System) devices, need to be deployed there. The security device on the MEC side is used to defend against attacks from the enterprise network to the carrier network. The security device on the enterprise network is used to defend against attacks from the carrier network to the enterprise network.

In real applications, there are several construction modes for the MEC platform. The MEC platform can be constructed and provided by carriers, or constructed and provided by users while basic resources are provided by carriers. The APP may be constructed by users, and security protection in different modes may vary. The 5G network must consider different levels of protection requirements due to different MEC homing. For example, a firewall is deployed between the 5G core network and the radio access network to prevent attacks from the enterprise network to the carrier network that use the user MEC platform as a springboard.

Figure 2. MEC network architecture

MEC Security Risk Elimination

1. Physical security: According to the service scenario in Hong Kong, MEC physical security involves the equipment room of the MEC node campus and the site close to the user. In a relatively open environment, MEC devices are more vulnerable to physical damage. To ensure the physical security of the infrastructure, security measures such as access control and environment monitoring need to be implemented. In addition, the anti-theft and anti-damage structural design of the MEC must be enhanced, and the input/output and debugging interfaces of the device must be controlled.

2. Platform security: To prevent software tampering on the MEC platform, it is necessary to enhance platform security, platform management security, and data storage and transmission security, as well as introduce trusted computing technologies that verify the system level by level, from system startup to upper-layer applications, and build a trusted MEC platform. In addition, Virtual Machine (VM) isolation is required to improve virtualization security. For VMs deployed on MEC, micro segmentation is used to strictly isolate VMs and applications. In addition, the VM running status can be monitored in real time to effectively detect malicious VM behaviors and prevent MEC from being infected by malicious VM migration.

3. Cyber security: MEC connects to multiple external networks and therefore needs to implement isolation protection based on traditional defense technologies such as border defense, internal and external authentication, isolation, and encryption. From the perspective of the MEC platform, the MEC is divided into different functional domains, such as the management domain, core network domain, basic service domain (capability openness), and third-party application domain. The MEC is divided into different security domains to implement isolation and access control.
In addition, the built-in intrusion detection function detects malicious software and malicious attacks to prevent horizontal expansion of threats.

Figure 3. MEC internal network security domain isolation

4. MEC interface security: The MEC is connected to the N4 interface on the control plane of the core network. The N9/N6 interface on the user plane can provide the IPSec security transmission channel. An Access Control List (ACL) can be provided for packet filtering to detect malformed packets.

Figure 4. MEC interface security protection

5. O&M security: First, authentication and authorization management is required. To ensure the security of assets and data on the MEC node, the user needs to perform authentication, authorization, and audit on the behaviors of the parties that use the MEC. Secondly, the ownership, right to use, and O&M rights of data assets are managed by rights- and domain-based management at the platform, network, and service levels. When key communications such as management and charging are carried out between the MEC and the core domain, the Public Key Infrastructure (PKI) and Transport Layer Security (TLS)/IPSec protocols are fully used to implement authentication, authorization, and transmission encryption. Virtual Network Function (VNF) version verification is also necessary. To ensure the security of the running version and prevent viruses, the MEC needs to support both the release party and receiver signature of the VNF version package in the different delivery phases. In addition, the MEC needs to verify the signature of the released version package. Thirdly, a security assessment is required. To prevent security vulnerabilities from affecting other functional domains on the MEC node, a strict control process must be performed before other applications on the campus network are introduced, in order to perform comprehensive security evaluation and detection.
At the same time, the application registration process is used to control the application rights, and the audit method is used to standardize the execution of the application.

Slice security assurance

Sectional access security

First, authentication of the user access slice should be provided. When a terminal accesses the network, the 5G network access authentication is used to ensure the validity of the user, that the accessed slice is a legal, valid slice, and that the campus application can control the slice network and resource usage.

Secondly, protection should be provided for slice selection auxiliary information. The slice selection auxiliary information, Network Slice Selection Assistance Information (NSSAI), can distinguish slices of different types. When the campus terminal initially accesses the network, the NSSAI instructs the base station and the core network element to route the network element to the correct network slice element. Slice selection auxiliary information is sensitive information for smart ports; therefore, 5G networks need to protect NSSAI privacy.

Slice isolation

Network slicing is a logically independent private network. However, network slices share physical resources and IT infrastructure, and each slice is a tenant on them. The slice manager, the Network Slice Management Function (NSMF), allocates a corresponding server resource to each slice according to the slice Quality of Service (QoS) and security policy. NSMF uses multiple means, such as resource allocation policy and virtualization isolation, to ensure that no competition and abuse of Central Processing Unit (CPU), storage, and I/O resources occur among different tenants. A three-level, three-dimensional security isolation system is required for slicing, as shown in the following figure.

Figure 5. Three-level three-dimensional isolation system for network slicing

The slicing isolation system includes:

1. Slicing isolation: Slicing isolation is effectively carried out based on the service application scenario and the importance of data assets, so as to ensure that each slice has the corresponding security level.

2. Slicing network and user isolation: To ensure secure and reliable 5G network slices, an isolation mechanism is configured on both the end-user and campus application sides during network slicing design to provide high-reliability slicing services for different applications based on the Service Level Agreement (SLA). This ensures clear security boundaries of the slicing as well as the security and controllability of the slice itself.

3. Isolation between network elements in a slice: Security zones are divided on the slicing network to provide security isolation between network elements.

In the three-level security isolation system, the isolation solution at each level can be implemented at three layers: network element, network, and data. When the mature virtualization isolation solution is used, the NFV and SDN technologies are used to collaborate with the VM orchestration and slicing orchestration functions, leading to precise and flexible slicing isolation.

Security issues when the app is co-deployed with the MEC

To accommodate more low-latency and high-bandwidth services in ports, smart ports deploy industry apps on the MEC platform. The co-deployment of industry apps and carriers' MEC brings more security challenges such as the issue of
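The level-by-level verification described under platform security (item 2 of MEC Security Risk Elimination) can be sketched as a measured-boot chain. This is an added example, not code from the white paper or from the project it describes; the stage names, the constructed images and the TPM-style extend register are assumptions.

```python
import hashlib
import hmac

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || measurement), so order matters."""
    return hashlib.sha256(register + measurement).digest()

# Constructed boot chain, lowest level first (hypothetical stage names).
STAGES = ["firmware", "bootloader", "host-os",
          "virtualization-layer", "mec-platform", "port-app"]
# Constructed sample images standing in for the real binaries.
GOLDEN_IMAGES = {name: f"{name} image v1".encode() for name in STAGES}
# Reference manifest: expected digest per stage, assumed provisioned out of band.
MANIFEST = {name: digest(img) for name, img in GOLDEN_IMAGES.items()}

def golden_register() -> bytes:
    """Register value a remote verifier expects after a clean boot."""
    reg = bytes(32)
    for name in STAGES:
        reg = extend(reg, MANIFEST[name])
    return reg

def verified_boot(images: dict) -> tuple:
    """Measure and verify each level before control is handed to it.

    Returns (stages_started, failed_stage_or_None, final_register)."""
    reg = bytes(32)
    started = []
    for name in STAGES:
        measured = digest(images[name])
        reg = extend(reg, measured)  # record the measurement even when it is bad
        if not hmac.compare_digest(measured, MANIFEST[name]):
            return started, name, reg  # halt: this level and all above stay down
        started.append(name)
    return started, None, reg

if __name__ == "__main__":
    tampered = dict(GOLDEN_IMAGES)
    tampered["mec-platform"] = b"mec-platform image v1 + implant"
    for label, imgs in (("clean", GOLDEN_IMAGES), ("tampered", tampered)):
        started, failed, reg = verified_boot(imgs)
        print(label, "started:", started, "failed:", failed,
              "attests:", reg == golden_register())
```

A modified platform image stops the chain before the platform or any application on it starts, and the final register no longer matches the value a remote verifier expects.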
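For the security domain isolation described under cyber security (item 3 of MEC Security Risk Elimination), a policy audit should check chained flows as well as single rules, since horizontal expansion of a threat follows multi-hop paths. This is an added example, not the project's own code; the four domain names come from the text, while the allow-list of flows and the drifted rule are assumptions.

```python
from collections import deque

# Assumed default-deny allow-list of directed flows between MEC security domains.
BASELINE = {
    "management": {"core-network", "basic-service", "third-party-app"},
    "core-network": {"basic-service"},
    "basic-service": {"third-party-app"},
    "third-party-app": {"basic-service"},
}

# Constructed policy drift: one extra rule from the capability-exposure domain.
DRIFTED = {src: set(dsts) for src, dsts in BASELINE.items()}
DRIFTED["basic-service"].add("core-network")

def is_allowed(policy, src, dst):
    """Single-rule check: is a direct flow src -> dst permitted?"""
    return src == dst or dst in policy.get(src, set())

def reachable(policy, start):
    """Domains reachable from start by chaining allowed flows (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in policy.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def lateral_paths(policy, untrusted="third-party-app",
                  protected=("management", "core-network")):
    """Protected domains the untrusted domain can reach, directly or via hops."""
    return sorted(d for d in reachable(policy, untrusted) if d in protected)

if __name__ == "__main__":
    for label, policy in (("baseline", BASELINE), ("drifted", DRIFTED)):
        print(label,
              "direct app->core:", is_allowed(policy, "third-party-app", "core-network"),
              "reachable protected:", lateral_paths(policy))
```

In the drifted policy no rule lets the third-party application domain talk to the core network domain directly, yet the reachability check reports a path through the basic service domain.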
