Multi-access edge computing standards combine to offset security threats

Article By : Dario Sabella

MEC offers application developers and content providers cloud-computing capabilities and an IT service environment at the edge of the network.

Multi-access Edge Computing (MEC) offers application developers and content providers cloud-computing capabilities and an IT service environment at the edge of the network. This technology, standardized by ETSI ISG MEC, enables an open market and new business models, including the possibility to serve multiple use cases and applications. Edge computing environments are characterized by a diverse ecosystem of market players, ranging from infrastructure owners, to service providers, system integrators and application developers. Edge computing systems themselves encompass a complex multi-vendor, multi-supplier, multi-set of equipment including both HW and SW devices. Given this overall level of system heterogeneity, areas of security, trust, and privacy are key topics for the edge environments. Finally, the advent of edge cloud federations and the presence of (far) edge devices, e.g. in Internet-of-Things environments, requires tackling MEC security with an end-to-end (E2E) approach, by leveraging existing standards relevant in the area, as carefully selected to be applicable in edge computing systems.

(Source: ETSI)

In this heterogeneous environment, talking about end-to-end MEC security implies considering the impact on the elements coming from all stakeholders involved in the system. In that perspective, MEC stakeholders should pay attention to the vulnerability and integrity of any third-party elements, and a truly end-to-end approach to MEC security needs to consider not only the current standards in ETSI ISG MEC, but also the other available standards that can be applicable to the MEC environment.

Starting from a recent study from the European Union Agency for Cybersecurity (ENISA), the potential threats related to MEC include:

  • Abuse of assets, which mainly involves exploitation of software or hardware vulnerabilities leading to Zero-day exploits, software tampering and system execution hijack which can impact information integrity, service availability, etc. Furthermore, APIs serve as conduits that expose applications for third-party integration; as a consequence of that, also APIs are potentially susceptible to attacks like any other software.
  • Compromised supply chain, vendor and service providers due to tampering of network product (configuration or source code), abuse on third parties’ personnel access to MNO facilities and manipulation of network product updates can also result in service unavailability, information destruction and initial unauthorized access.
  • Unintentional damages, that may occur due to misconfigured or poorly configured systems, inadequate designs, and erroneous use or administration of the network, system and devices can potentially impact service availability and information integrity.

The threats pertaining to MEC can be common to most of the use cases and the threat factors can be broadly categorized based on various areas of vulnerabilities related to Platform Integrity, Virtualization and Containerization, Physical security, Application-Programming Interfaces (APIs) and Regulatory issues.

In addition, since MEC is based on virtualized infrastructure, it needs to include real-time Security Management based on NFV specifications. Especially when deploying MEC in NFV environments, MEC should be considered as part of a whole system real-time security monitoring and management strategy.

Moreover, when it comes to MEC platforms and third-party software components (e.g. implementing APIs or MEC Apps), a large number of third-party mirrors come from the open-source community, and there is usually the possibility of vulnerability and tampering. So, the MEC platform should also be able to check the integrity of the third-party image to prevent attackers from inserting malicious code into the image. MEC apps should provide their own security parameters and use the available ETSI MEC standards that allow applications to securely interact with the MEC system.

In a recent ETSI White Paper,  many experts in the domain of edge computing, security and involved in various standard bodies offer an overview of ETSI MEC standards and current support for security, which is also complemented by a description of other relevant standards in the domain (e.g. ETSI TC CYBER, ETSI ISG NFV, 3GPP SA3) and cybersecurity regulation potentially applicable to edge computing.

The White Paper is simply a must-read for all ecosystem stakeholders, as the adoption of edge computing technologies introduces a need for infrastructure owners and application/content providers to guarantee a level of security on the usage of edge computing assets in order to meet customer demands. Providing the needed clarifications in this White Paper, as the very first initiative in this domain, is a step forward for the alignment of the edge ecosystem and a means to further encourage the adoption of MEC technologies.

This article was originally published on Embedded.

Dario Sabella is Chairman of ETSI MEC (Multi-access Edge Computing), an Industry Specification Group (ISG) within ETSI. He works with Intel as Senior Manager Standards and Research, driving new technologies and edge cloud innovation for advanced systems, involved in ecosystem engagement and coordinating internal alignment on edge computing across standards and industry groups. Prior to becoming ETSI MEC chair, from 2019 he served as vice-chairman, previously Lead of Industry Groups, and from 2015 vice-chair of IEG WG. Since 2017 he is also a delegate of 5GAA (5G Automotive Association). Before 2017 he worked in TIM (Telecom Italia group), as responsible in various research, experimental and operational activities on OFDMA technologies (WiMAX, LTE, 5G). He is author of several publications (40+) and patents (30+) in the field of wireless communications, energy efficiency and edge computing, Dario is IEEE senior member and has also organized several international workshops and conferences.

Leave a comment