The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published cybersecurity guidance to securely build and configure cloud infrastructures in support of 5G.
The Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement, published Oct. 28, focuses on detecting malicious cyber actor activity in 5G clouds and preventing actors from leveraging the compromise of a single cloud resource to compromise the entire network. And it provides recommendations for mitigating lateral movement attempts by malicious cyber actors who have successfully exploited a vulnerability to gain the initial access into a 5G cloud system.
“This series provides key cybersecurity guidance to configure 5G cloud infrastructure,” Natalie Pittore, chief of Enduring Security Framework (ESF) in NSA’s Cybersecurity Collaboration Center, said in a press release. “Our team examined priority risks so that we could provide useful guidance, disseminated in an actionable way to help implementers protect their infrastructure.”
NSA and CISA developed this document to further their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
“[This] exemplifies the national security benefits resulting from the joint efforts of ESF experts from CISA, NSA, and industry,” Rob Joyce, NSA Cybersecurity director said in a press release. “Service providers and system integrators that build and configure 5G cloud infrastructures who apply this guidance will do their part to improve cybersecurity for our nation.”
This is the first of a four-part series created by the ESF, which builds on the ESF Potential Threat Vectors to 5G Infrastructure white paper, released in May 2021, which focused explicitly on threats, vulnerabilities, and mitigations that apply to the deployment of 5G cloud infrastructures.
The following are the remaining upcoming reports in the series:
- Part two will focus on securing isolated network resources;
- Part three will discuss the protection of data in transit, in-use, and at rest; and
- Part four will focus on ensuring the integrity of infrastructure.