Hello, and thank you for being here today, and for taking the time to understand the importance of prioritizing 5G security now. I want to thank the Linux Foundation and the sponsors of this event for the opportunity to speak today. My name is Brian Newman, and I'm a senior manager in Verizon's global network and technology team. A little about me: I'm based in Cary, North Carolina, and I've been in the telecommunications industry for over three decades. This has been on both the wireline and the wireless sides. I would love your feedback on today's presentation. Feel free to reach out to me through the contact information shown here. In my team at Verizon, through software, we have instantiated and simulated an entire 5G network. This has been from UE to Core, and we placed a user interface on top of it for modeling and analysis, just to understand how 5G may perform in real-world conditions across different frequency bands. To accomplish this, we've leveraged Linux, Kubernetes, and open-source software. All this to say that I have insight into the complexities of deploying 5G networks and the DevSecOps methodologies needed to do so. My session today will focus on prioritizing 5G security now and also as 5G evolves and develops over the next decade and beyond. Before I go further, however, I want to stress just how important securing 5G is. Let me shift your attention to the petroleum industry for just a moment. Despite advances in electric vehicles, 98% of the approximately 1.5 billion cars and trucks in the world today run on some form of petroleum, whether it's gas or diesel. You could say that oil is still the lifeblood of many economies around the world for transportation, manufacturing, logistics, and government services. It's what gives many of us the mobility to commute, to work, and to travel the world when we're not constrained by a pandemic, obviously. What happens, however, when the flow of oil and gas slows down? 
More specifically, what happens when a major gasoline pipeline is shut down due to ransomware? Well, you get situations as we faced in the spring of 2021 across the U.S. East Coast. I live in one area where gasoline was unavailable for over a week. Businesses shut down, schools closed, and there was a lot of disruption. What does that have to do with 5G? Well, I believe, along with many others, that 5G will be the fuel, the gasoline, so to speak, of the next industrial revolution. Consider that 5G will be the connectivity that supports everything from industrial IoT to autonomous vehicles to gaming, virtual reality, and much more, including the burgeoning metaverse. If we don't act to secure 5G from the beginning and build in security every day in every release, then we could see breaches impacting multiple industries, stifling businesses and consumers. We could also see ransomware being used to prevent access to connectivity, not just to the data. Before I go a step further, though, let me underscore the issue just a bit more. The Brookings Institution noted in a report from 2019 that how we secure 5G will have a decades-long impact: with the conversion to a mostly all-software network, cyber vulnerabilities have become the critical focus. Consider, too, that 5G networks are operational across the world. According to the Global Mobile Suppliers Association, there are now 443 network operators in 133 countries or territories investing in 5G mobile or 5G fixed wireless access or home broadband networks. So the challenge before us is how do we secure the most important network of the 21st century and all of the devices and applications that use it? Step one is understanding the model for security standards. Verizon has been building and improving its state-of-the-art 4G LTE network for years. 
Although we are and will be at the cutting edge of technological advances, our 5G security features are enabled by rigorous technical standards development processes that ensure high levels of data protection across future networks. Technical standards help everyone to be on the same page when it comes to how things will work. Technical systems become more stable, easier, and better for interoperability between different programs or devices, which also leads to greater security because an open and transparent process is involved in developing these technical standards. Verizon is participating in and influencing the 5G standards-setting process through the Third Generation Partnership Project, 3GPP. There are seven organizational partners in 3GPP which work on the standards and also many peripheral organizations that reference or provide input to 3GPP standards. 3GPP Technical Specification TS 33.501 specifies the security architecture for the 5G network. This document includes security features, mechanisms, and procedures for 5G New Radio and the 5G Core. It leverages security protocols or recommendations from organizations such as the Internet Engineering Task Force, IETF, and the Department of Commerce, NIST. Other organizations providing requirements or recommendations to 3GPP include the Next Generation Mobile Networks Alliance and the International Telecommunications Union. And additionally, the European Telecommunications Standards Institute, ETSI, has provided security specifications for network function virtualization and the multi-access edge compute, the MEC. Verizon was the first provider in 2018 to launch 5G, which we did by embracing security-by-design principles that included working with vendors on cutting-edge security features. 
For example, our early deployment used encryption techniques between customer devices and Verizon's Edge network, similar to those later articulated in 3GPP TS 33.501, which is the security architecture and procedures for the 5G System in Release 15. Verizon continuously monitors and participates in the standards development process to identify and prioritize new security features to be implemented in its network. Prioritization of feature implementation is based upon a risk assessment process that evaluates the likelihood and impact of the threats a given security feature could mitigate. Verizon is evaluating security enhancements for the 5G RAN and core as we continue building today's 5G network and planning for future development. As a member of the working group for the Communications Security, Reliability, and Interoperability Council, Verizon advocates not just for security specifications, but for their use and adoption. For instance, 3GPP TS 33.501 specifies mandatory support for several signaling protocols, user plane confidentiality, and IMSI encryption. However, these are optional for service providers to use. 5G carriers need to carefully weigh the risk of not choosing to implement optional security methods and for what use cases. Further, if encryption is not used, say for purposes of testing and validation between components or network functions, it's critical to ensure that this vulnerability does not leak into production once software is deployed. When it comes to 5G, it will be more software-centric than any previous generation. There will be a heavy dependence on open source software. Verizon is a proponent and active member of several open source initiatives for 5G. This includes ONAP, the Open Network Automation Platform project, which is focused on automation and orchestration to transform the service delivery life cycle for network providers. Verizon is also a leader in Open RAN and is a member of the O-RAN Alliance. 
Through our experience with O-RAN and real-world experience, we have learned how to advance the virtualization of the Radio Access Network, the RAN. This effort produced technical specifications and a reference architecture, which conforms to and influences technical standards. It also promotes security through network segregation or slices and RAN vendor diversity. Security standards are relevant to both public 5G networks and private 5G networks. Verizon is very active in private 5G, what we call on-site 5G. On-site 5G is the next generation of private network, bringing small-cell wireless technology to large facilities such as manufacturing plants. It provides secure connectivity and tailored services for those facilities by delivering reliable, on-site connections that are isolated from public networks. Along with seamless mobility, reliable connectivity, agility and performance, and ease of use, security is top of mind. Security is built in with seamless authorized user access and 24x7 network monitoring. When it comes to 5G, we need to make sure that our focus on security includes looking at 5G networks holistically. Access is connectivity. It could be via 4G LTE as part of NSA and Wi-Fi as part of interoperability. Many devices and many applications with different needs result in complexity. With demands for low latency, high capacity and high bandwidth, this complexity requires flexibility in security modeling and other approaches. RAN virtualization presents new challenges. With the RAN virtualized and distributed across multiple physical sites, a focus on cybersecurity best practices is necessary to keep user access operational. Open RAN means keeping software versions current and monitoring for threats. One means to do this is with software composition analysis tools that identify open-source compliance risks. Cloud platforms for the 5G Core and the MEC are the next focus. The MEC, or multi-access edge compute platform, is the secret sauce of 5G. 
It supports low latency as well as the network slicing needed for 5G innovation. The core is the heart of the network. Both are cloud-native infrastructures requiring secure perimeters. Cyber security frameworks and policies need to be in place with tightly controlled authorized access. Use cases with 5G also have to be considered when developing a comprehensive security policy. 5G is expected to be used for self-driving cars as well as drones. Already, private 5G on-site networks are operational and supporting demanding industrial applications. This is often in manufacturing where low latency and support for a large number of devices is needed. Security is paramount in these environments to prevent any disruption. Devices used in the 5G network are the next focus, and it's more than smartphones. IoT devices will dominate 5G in the decade ahead with over 25 billion expected by 2027. Thus, IoT security is becoming more critical. The unique aspects of low power and high capacity require specialized security approaches to secure them and keep them from being compromised. The team needs to thoughtfully develop a comprehensive strategy toward managing security across the 5G network for senior security operations staff. This includes five steps. One, understanding the context of 5G network deployment and use cases. Know how your network is currently being used. The second step is assessing the security threats and potential exploitation. This means taking a preventative approach to security if you can and monitoring for anomalies that might suggest an attack or exploit. Third, architect solutions that can be implemented to minimize threats or make them unlikely or very expensive for malicious actors. This may mean developing tools that rely heavily on artificial intelligence and machine learning to draw out patterns and to respond to them. Fourth, secure the resources to act on the vulnerability or threat. 
This may be through budget allocation and investment in new staff, better training or software tools and applications. Finally, act on the strategy. Take the steps necessary to secure the 5G network. Ensure the protection of all network assets and subscriber information on an ongoing proactive basis. Further, threats and vulnerabilities are constantly changing. Malicious actors are always looking for one more open port or insecure subroutine, so be agile to address new security challenges. Also, reassess your strategy on a routine basis. While I have highlighted some of the bigger considerations in securing 5G networks, I would like to take it a bit lower. In my particular area, I have seen the rapid development of virtualization with VNFs and CNFs. Much of this may be familiar to those with telecom knowledge. I think it's important, however, to provide some context. When I discuss VNFs and CNFs, I'm talking about virtual network functions and containerized network functions, respectively. In contrast to VNFs and CNFs, physical network functions or PNFs refer to legacy appliances still present in networks today. This diagram highlights the differences. Here we have monolithic devices such as a router or firewall existing on purpose-built hardware. Virtual network functions, VNFs, is a term used in computer networking to describe the idea of running different virtual appliances on top of existing standard hardware infrastructure rather than using dedicated hardware appliances. An example of a VNF would be a virtual firewall or virtual router. Virtualized network functions are often deployed as virtual machines on Linux KVM or VMware vSphere hypervisors running on commercial off-the-shelf hardware. Containerized network functions, CNFs, can be multiple virtualized instances of a single software package or service. These instances operate independently from any other containerized model, yet they will work together as if they were all one piece of hardware. 
CNFs provide better portability and agility for network operators that need to move or adjust their network capacity on demand quickly. Typical examples of containerized network functions include traditional packet processing, content delivery, and security tools like firewall, intrusion detection, and prevention systems, as well as web caching. CNFs are typically container images in Docker and managed through Kubernetes. Docker is a container engine or platform, and Kubernetes is a container orchestrator for these platforms. Kubernetes coordinates and schedules container images. It supports upgrades and scaling without interrupting service and performs health monitoring so that it can seamlessly restart failed processes. Inside a 5G mobile network, you may find a combination of PNFs, VNFs, and CNFs. VNFs and CNFs live in cloud environments. There are three of these clouds: Far-Edge, Edge, and Core. The Far-Edge cloud environment is where the RAN functions would reside. The Edge cloud platform would be the MEC, or Multi-Access Edge Compute, and the Core cloud would be managed to support 5G core functions. In the RAN at the Far-Edge, the gNodeB would have both the DU and CU virtualized and functioning as VNFs. Inside the MEC and Core, CNFs are more likely deployed to support scalability and agility to grow, shrink, or respond to service interruption. The CNFs support vendor applications for low latency in the MEC, as well as network slicing functionality. The Core houses many of the 5G functions necessary to authenticate, authorize, and control service to end users. These would be CNFs. As CNFs and VNFs are defined, coded, compiled, and deployed as software, cybersecurity best practices must mitigate impacts to VNF and CNF operations. These include zero trust, continually authenticating and authorizing interactions between assets before granting access. It includes hardening assets and the use of multi-factor authentication. 
It also means encrypting and securing communication between all network functions. Integrity: assessment of vendor security practices and security programs, and running security scans internally. Visibility: having complete visibility across the infrastructure to identify all assets and continuously monitoring asset security logs and anomalous behavior or communication patterns that reveal potential risks. Segmentation: software-defined segmentation to create logical groups of assets that restrict communication flows between them. Threat protection: defensive security controls along with continual monitoring. It means having a centralized security operations center with AI and ML tools. Data protection and privacy: practices to ensure that the 5G network data remains secure and policies for protecting sensitive information exist. Beyond these, however, VNFs and especially CNFs require additional security. In using VNFs, additional security considerations exist. Let's take this diagram and work from the bottom up for VNFs. First, the hardware needs to be secure. This hardware could be a blade or server. To secure this, the root of trust function, a set of hardware and software security modules, should be enabled on the server. A root of trust is a set of functions that is always trusted by the computer's operating system. Next, at the hypervisor layer, vulnerabilities present there or in the NFVI can allow an attacker to take advantage of the system and undermine confidentiality, integrity, and availability. One solution is the secure boot system that provides a form of trust for the underlying computing resources. It ensures that they have not been tampered with. In the MANO layer, attackers may try to eavesdrop on or modify the traffic that passes between the VNFs and the MANO. One way to safeguard against such attacks is by hardening nodes in the network functions virtualization space and also limiting access control within components themselves. 
Next, the software-defined networks are at risk from two types of attacks: denial of service and man in the middle. Solutions like dividing physical networks into logical ones could be a countermeasure for denial of service, while SSH/TLS security would help prevent man-in-the-middle attacks. A VNF could be a potential target of an attack. VNFs are often provided by a vendor and not built internally. Security scans should be conducted as well as penetration testing. Extensive software validation is needed too. When it comes to CNF security, we need to mitigate threats within the container and the Kubernetes cluster. In the CNF, the following steps should be taken. Thoroughly verify container functions and content. This means inspection and testing. Know what your CNF is doing and what it should do, and run security scans. Again, review what is in your container and understand what it is supposed to do. There are both commercial and open-source container security tools which can help. Control root access and consider removing it. Containers are commonly built with root access by default. This could put the network at risk. Next, review container runtimes and runtime configurations. Runtimes launch and manage containers and may contain security gaps. Access may be broad to host devices and directories. Limit that or remove it if possible. Implement DevSecOps. Follow a DevSecOps methodology where continuous security is the focus and review and approval is needed prior to production deployment. As for the Kubernetes cluster, key actions you should take for security include: control access to the Kubernetes API. Limit who can access the cluster and the actions they can perform. As highlighted previously, the use of transport layer security, or TLS, should be a real requirement between all APIs in the cluster. Control the capabilities of a workload or a user at runtime. Limit resource usage and control the privileges that containers have. Restrict network access. 
Network policies allow pod-to-pod communication within a namespace, but the user has to create them. Protect cluster components from compromise. First, you can do this by restricting access to the etcd backend. etcd is a consistent and highly available key-value store used in Kubernetes for backup of the cluster data. Second, enable logging and rotate infrastructure credentials frequently. Also use encryption at rest within Kubernetes. In this discussion, you have a good understanding now of how seriously Verizon takes 5G security. This is through active participation in standards development and open source initiatives. We also take security seriously by looking holistically at our 5G network and then drilling down to improve cybersecurity when it comes to managing network virtualization. The threats never stop, so we know too that we can never rest. You could classify it as an infinite game, one that could have serious repercussions if the bad guys win. If you'd like to learn more about Verizon's focus on security, especially 5G security, please take a moment to access the resources available in the links shown. Thank you for your time and attention today. Let's all make 5G security a top priority.
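The CNF and Kubernetes checklist in the talk (control root access, limit broad access to host devices and directories, control the capabilities and privileges containers run with, limit resource usage) can be turned into a static pre-deployment check on a Pod manifest. The following is an added example written for this page, not Verizon's code or any project's tool; `audit_pod` and the two constructed Pod specs are hypothetical, and the manifest is assumed to be already parsed into a dict (for example via `yaml.safe_load`).

```python
"""Static audit of a Kubernetes Pod spec against a CNF hardening checklist.
Hypothetical helper (not from any project); input is a parsed manifest dict."""


def audit_pod(pod: dict) -> list:
    """Return a list of human-readable findings; an empty list means the spec passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Sharing host namespaces gives the container broad access to the node.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares host namespace: {flag}")
    # hostPath volumes expose host directories or devices to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume '{vol.get('name')}' -> {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level overrides pod level
        # Most images run as root unless the manifest says otherwise.
        if sc.get("runAsUser") == 0 or ("runAsUser" not in sc and not sc.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        for cap in caps.get("add", []):
            findings.append(f"{name}: adds capability {cap}")
        # Resource limits bound what a compromised CNF can consume on the node.
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: missing cpu/memory limits")
    return findings


# Constructed sample manifests (hypothetical CNF named "upf"), not real deployments.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "upf-weak"},
            "spec": {"hostNetwork": True,
                     "volumes": [{"name": "dev", "hostPath": {"path": "/dev"}}],
                     "containers": [{"name": "upf", "image": "example/upf:1.0",
                                     "securityContext": {"privileged": True}}]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "upf-hardened"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                         "containers": [{"name": "upf", "image": "example/upf:1.0",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}},
                                         "resources": {"limits": {"cpu": "2", "memory": "2Gi"}}}]}}

if __name__ == "__main__":
    for manifest in (WEAK_POD, HARDENED_POD):
        print(manifest["metadata"]["name"], "->", audit_pod(manifest) or "passes")
```

The weak spec yields seven findings (host network, hostPath, root, privileged, privilege escalation, capabilities, limits); the hardened spec yields none, which is the gate a DevSecOps pipeline would enforce before production deployment.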