5G-R Security Solution: Safeguarding Network Security Standards

Release Date: 2024-09-13 By Zhang Song

GSM-R is a communication system optimized from GSM technology to meet railway requirements, specifically designed for railway private networks. It is widely used in Europe and China. However, with the growing demand for modern communication services, GSM-R is increasingly unable to meet the expanding needs of railway communication. As a result, 5G-R will gradually replace the GSM-R system, with network security becoming a critical cornerstone in the development and deployment of 5G-R.

To achieve its 5G-R development goals, ZTE is committed to maintaining network security and has developed a multi-layered, endogenous 5G-R security solution. ZTE’s 5G-R product security solution provides both basic and enhanced security capabilities across various areas, including terminal security, air interface security, transmission security, core network security, O&M security, and infrastructure security, addressing different levels of security requirements. In addition, throughout the security design, R&D process control, delivery, and service phases, ZTE employs a range of security services, such as supply chain management, security tools, security assessments, security products, incident response, vulnerability management, and security laboratories, to ensure the security of 5G-R products throughout their lifecycle.

Complete Terminal Security to Establish a Comprehensive Management and Control System

There are many types of 5G-R network terminals in various forms, and their computing and security protection capabilities vary significantly, creating a weak link in 5G access security. The 5G-R terminal security solution addresses this by providing multiple authentication modes at the 5G network, slice, and service levels, allowing for flexible deployment according to the service security level. Additionally, it provides basic terminal access control through terminal-SIM binding and access location control. The solution also introduces a terminal security management and control platform that integrates various security functions, such as asset management, baseline security, trust management, and security hardening, to establish a comprehensive, defense-in-depth terminal security system.

Based on Standards to Strengthen Air Interface Protection

The radio air interface provides confidentiality and integrity protection based on 3GPP standards to safeguard the signaling and data security of railway services. The 5G network enhances security on the air interface, adds user-plane integrity protection, and implements subscription permanent identifier (SUPI) protection for key private data.

To address the risks of interference, DDoS, and pseudo base station attacks that can be easily initiated on the air interface, ZTE has developed an enhanced protection solution. This includes pseudo base station detection, air interface anti-DDoS protection, wireless anti-interference, and interference detection capabilities to protect the air interface environment within the 5G-R coverage area.

Flexible Deployment to Ensure Transmission Security

In the wireless network architecture, the transport layer provides security protocols such as VLAN, IPsec, TLS, HTTPS, and SFTP, which establish the fundamental security protections for the 5G-R transport domain. These functions can be flexibly configured to meet the security requirements of different application scenarios.

To meet the requirements of various 5G-R service types, ZTE has developed two solutions based on basic transmission security functions: the transmission link backup solution and the physical isolation solution. The physical isolation solution provides refined security isolation for different services and allows for flexible customization of physical isolation channels, ensuring that service transmission channels with high security requirements remain free from interference.

Improving Border Protection to Build a Security Core

As a key infrastructure of the railway mobile communication system, the 5G-R core network enhances endogenous security protection and builds a secure, reliable software platform using a range of virtual machine (VM) platform security technologies. It offers slice isolation technology to ensure the independence of service resources and manages data resources in accordance with industry-standard security technologies to ensure data security.

As a core asset of 5G-R, core network devices require enhanced security protection. Additionally, deploying security devices such as firewalls, bastion hosts, and cloud WAFs can further strengthen border protection.

Horizontal Coordination in O&M to Expand Security Depth

In terms of O&M security, ZTE’s security design focuses on confidentiality, integrity, and availability to protect the security of management channels and service data. The 5G-R network system is managed and controlled through access control, log auditing, version security, and data protection solutions. For more comprehensive security, the EMS integrates NE security baseline checks, with clear southbound security. In addition, the EMS can connect with the northbound 4A audit system, enabling dynamic log analysis through external capability linkage and enhancing the depth of security management.

Enhancing Infrastructure for Comprehensive Situational Awareness

In addition to enhancing the basic security of hardware, operating systems, and VM platforms, the infrastructure layer must include functions such as secure startup and secure storage for important 5G-R data and services. This forms a foundational protection solution for communication system facilities.

Looking ahead to 5G-R development objectives, we have taken security situational awareness into account to implement an enhanced endogenous 5G-R security solution. This solution features unified management, active protection, and flexible deployment.

The 5G-R security solution not only provides security technologies for each module but also ensures the security of each link in network delivery. This is achieved through a comprehensive approach that includes the security supply chain, security assessment, vulnerability management, and incident response, covering the entire product design, R&D, and delivery lifecycle.

ZTE’s 5G system products comply with both domestic and international communications security standards and have actively incorporated new network security technologies. With a focus on delivering secure networks, ZTE has supported China Railway Group in accelerating the deployment and application of 5G-R.