NSA gives tips to mitigate 5G network slicing threat

A joint report by the National Security Agency, Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence has been published. It highlights the potential risks and threats to 5G network slicing.

This report provides advice on mitigation and offers a framework to help providers, operators and integrators of 5G networks develop defense and prevention strategies.

is based on which was published by the Enduring Security Framework cross-sector group last year. It focuses on how to address risks and threats that threaten the security and stability U.S. security systems.

5G network slicing

5G network slicing allows you to create multiple independent virtual networks over a single physical infrastructure.

Every network slice is an end-to-end, isolated network that fulfills specific requirements of each application.

Network slices could be used for industrial automation, virtual reality, and autonomous vehicle fleets.

Network slicing examples


Each of the network slices are used by authenticated users. This allows them to gain data isolation and security isolation from other 5G slices.

Network Function Virtualization, or NFV, is a way to slice networks. This technology offers different users greater operational efficiency and resilience, as well as higher quality service and support.

NFV virtualizes hardware such as routers or firewalls in the cloud and removes their need. The NFV also virtualizes all network functions via the radio interface and the cloud. It dynamically assigns bandwidth according to each user’s needs.

NFV also offers better monitoring options and logging, which enable network engineers to spot anomalies more efficiently and avoid security breaches.

Operators of mobile networks implement 5G network slicing using specialized Network Management and Orchestration Systems (MANO).

The guidance explains that the MANO system (shown below) supports slice design, creation, activation and deactivation as well as termination across Radio Access Networks (RAN), core networks and transport network domains.

Telecom operators network slicing management system


The most prominent threats

CISA’s guidance highlights how complex it is to manage network slices. This can lead to critical security gaps.


An inadequacy in network slice management could allow malign actors to gain access to data from other network slices, or deprive prioritized users of access.

Three of the most important threats to 5G network slicers are DoS attacks on central control elements and misconfigured systems controls. Man-in-the Middle (MitM), attacks on unencrypted networks channels.

DoS attacks are caused by threat actors who disrupt the service and make it unavailable to legitimate users.

MitM attacks could not only expose confidential user data and threaten users, but also enable an intermediary modify transmitted messages. This would lead to misinformation.

An attack using misconfigurations can have many implications. The adversary may use them to disable security and system monitoring systems.

It is possible to chain multiple attacks types, which can deliver potentially deadly attacks beyond the boundaries of a network slice.

CISA is an example of this type attack. A threat actor uses an International Mobile Subscriber Identity caching attack to degrade an autonomous vehicle service’s performance and reliability.

To determine the exact location of the attacker’s vehicle, as well as cargo information and routes, IMSI caching is used.

The threat actor then deploys DoS attacks on the signaling area to interrupt the link between autonomous vehicles and controllers. Next, he launches a configuration attack in order to disable security and modify VNF policies.

The attacker can gain access to additional network slices on the same infrastructure if the operator doesn’t have strong security measures in place.

Mitigation recommendations

CISA recommends that network managers and monitors apply four layers of network monitoring (shown below), to detect and respond quickly to any potential malicious disruptions.

The guidance also suggests operators should use several network monitoring tools, which can generate different data, that could be used to get insight into unauthorised network activity.

This paper advocates Zero Trust Architecture, where every user logged in is constantly validated and any network request is verified.

Intruder activity is less likely to go unnoticed and have any negative impact. Users are not inherently trustworthy, therefore they will be caught in the various data inspection points.

The Common Zero Trust Strategy components are multi-factor authentication and data encryption. They also include cross-domain boundary security, instance isolation, and multi-layered access control.