5G Network Security Design Principles: NIST CSWP 36E
Applying 5G Cybersecurity and Privacy Capabilities

Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya *
Karen Kent, Trusted Cyber Annex
Parisa Grayeli, Sanjeev Sharma

* Former NIST employee; all work for this publication was done while at NIST

March 2026
Final

This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.36E

Abstract

This white paper describes the network infrastructure design principles that commercial and private 5G network operators can use to improve cybersecurity and privacy. Such a network infrastructure isolates types of 5G network traffic from each other: data plane, control plane, and operation and maintenance (O&M) traffic. This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G

Audience

Technology, cybersecurity, and privacy professionals who are involved in using, managing, or providing 5G-enabled services and products. This includes commercial mobile network operators, potential private 5G

Keywords

3GPP, 5G, cybersecurity, privacy, virtual routing and forwarding (VRF)

Acknowledgments

We are grateful to the following individuals for their generous contributions.

AMI: Muthukkumaran Ramalingam, Stefano Righi
AT&T: Jitendra Patel, Bogdan Ungureanu
CableLabs: Tao Wan
Cisco: Matt Hyatt, Kori Rongey, Steve Vetter *, Robin White
Dell Technologies: Dan Carroll
Intel Corporation: Steve Orrin
Keysight Technologies: Corey Piggott
MiTAC Computing Technology Corp.: Simon Hwang
The MITRE Corporation: John Kent, Theresa Suloway
NIST: Cherilyn Pascoe, Adam Sedgewick *, Kevin Stine
Nokia: Gary Atkinson, Rajasekhar Bodanki, Robert Cranston, Jorge Escobar, Don McBride
Palo Alto Networks: Aarin Buskirk, Bryan Wenger

* Former employee; all work for this publication was done while at that organization

Overview

5G is designed to use service-based architectures (SBAs) that are intended to be implemented on cloud-native technologies leveraging microservices and containers. A single 5G network function (NF) can be comprised of a multitude of containers running on many distributed servers. The 5G NFs communicate with each other over

Most network traffic in data centers and cloud environments flows over the same physical connections and is processed by the same network devices. Because physical separation is not feasible, methods for logically separating 5G traffic from other traffic and further separating types of 5G traffic from each other are needed

What’s the problem?

Data centers and cloud environments process and handle many types of traffic. Within the scope of 5G, the

Data Plane: Transmitting user data, such as voice calls, video streaming, and internet browsing.
Control Plane: Setting up, maintaining, and tearing down communication sessions. It includes tasks like
Operation and Maintenance (O&M): Providing connectivity for the 5G network equipment, including

Each of these traffic types carries data with different sensitivity levels, and security and privacy implications if accessed by unauthorized or malicious users. O&M traffic provides access to devices that make up the 5G environment, allowing administrators important privileges and configuration capabilities, whereas the control plane traffic carries critical setup information, and the data plane carries user data. For example, the data plane segment is susceptible to distributed denial of service (DDoS) attacks on the N6 interface, the control

Additional micro-segmentation can be applied within each traffic type for granularity of isolation. For example, rules and policies can be put into place that only allow specific network functions within the Control Plane to communicate with each other. The focus of the rest of this white paper is isolating the three types of 5G traffic

A malicious actor can target the data plane, and if control plane and O&M traffic are not separated from the data plane, the malicious actor could target them as well. For example, the adversary can conduct privilege escalation and process injection for gaining administrative rights, attempt password cracking of valid user

Another reason for separating the types of traffic is to prevent attackers from targeting one type to impact the performance of the others. For example, if an attacker overwhelms the data plane, and control plane and O&M traffic are not separated from the data plane, the attack can disrupt critical network functions

The 5G standards as defined by 3GPP do not specify cybersecurity and privacy protections for the underlying network infrastructure that supports and operates the 5G system; these aspects are deemed implementation specific [2]. Mobile network operators are left to make risk-based decisions on how to segment their network to

How can secure network design principles address the problem?

Network operators can use common network technologies to logically separate the 5G data plane, signaling, and O&M traffic from each other
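As an added illustration of the isolation described above (not code from the white paper or from NIST), the following Python models the three traffic planes as separate VRFs, where a route lookup only consults the source's own table, and then applies a control-plane micro-segmentation allowlist to constructed flow records. The address prefixes, the permitted NF pairs and the flow records are assumptions made for this example.

```python
"""Constructed model: each 5G traffic plane (data, control, O&M) is its own VRF,
and a control-plane NF allowlist is checked over flow records (all assumed)."""
from ipaddress import ip_address, ip_network

# One routing table per plane; a VRF only knows its own prefixes (constructed).
VRFS = {
    "data": [ip_network("10.10.0.0/16")],     # user traffic (e.g. N3/N6)
    "control": [ip_network("10.20.0.0/16")],  # SBA signaling between NFs
    "oam": [ip_network("10.30.0.0/16")],      # management of 5G equipment
}

def plane_of(addr):
    """Return the plane (VRF) owning an address, or None if no VRF routes it."""
    ip = ip_address(addr)
    for plane, prefixes in VRFS.items():
        if any(ip in prefix for prefix in prefixes):
            return plane
    return None

def same_vrf_reachable(src, dst):
    """Route lookup happens only in the source's VRF, so a destination in
    another plane has no route and the packet is dropped."""
    src_plane = plane_of(src)
    return src_plane is not None and src_plane == plane_of(dst)

# Micro-segmentation within the control plane: only these NF pairs may talk,
# in either direction. Which pairs are permitted is an assumption here.
CONTROL_PLANE_ALLOW = {frozenset(p) for p in
                       [("AMF", "SMF"), ("AMF", "AUSF"), ("AUSF", "UDM"), ("SMF", "PCF")]}

def flow_verdict(flow):
    """Drop cross-VRF traffic first, then apply the control-plane NF allowlist."""
    if not same_vrf_reachable(flow["src"], flow["dst"]):
        return "drop: cross-plane (VRF) traffic"
    pair = frozenset((flow["src_nf"], flow["dst_nf"]))
    if plane_of(flow["src"]) == "control" and pair not in CONTROL_PLANE_ALLOW:
        return "drop: NF pair not permitted by micro-segmentation policy"
    return "allow"

# Constructed flow records, not captured from a real network.
FLOWS = [
    {"src": "10.20.0.5", "dst": "10.20.0.9", "src_nf": "AMF", "dst_nf": "SMF"},    # permitted signaling
    {"src": "10.10.4.7", "dst": "10.30.0.2", "src_nf": "UE", "dst_nf": "NMS"},     # data plane reaching into O&M
    {"src": "10.20.0.9", "dst": "10.20.0.12", "src_nf": "SMF", "dst_nf": "AUSF"},  # unlisted control-plane pair
]

def audit(flows=FLOWS):
    """Return one verdict per flow, in order."""
    return [flow_verdict(f) for f in flows]
```

The second record shows the case the paper warns about: with a shared table it would be a valid route to management equipment, but with per-plane VRFs it never leaves the data plane.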