
Checklist for 5G Network Security Testing

Private 5G networks are increasingly targeted by advanced cyber threats, making rigorous security testing essential. Attackers often exploit vulnerabilities in the management layer, legacy components, and poorly configured environments. Here’s what you need to know:

Key Focus Areas

  • Document Network Architecture: Map out your 5G network, including core, RAN, and edge components, while noting entry points and legacy systems.
  • Align with Standards: Follow UK regulations and frameworks like ISO/IEC 27001, NIST, and 3GPP.
  • Testing Environment: Simulate real-world conditions with tools like Open5GS or free5GC and enforce network segmentation.

Critical Testing Areas

  • Authentication: Verify mutual authentication and secure APIs for core functions like AMF and UDM.
  • Core Network: Test for unencrypted interfaces, API vulnerabilities, and container-specific risks.
  • RAN and Edge Security: Protect distributed units and edge servers from tampering and ensure encryption for data in transit and at rest.

Vulnerability Management

  • Automated Scanning: Use tools like Trivy to scan container images and APIs for weaknesses.
  • Simulated Attacks: Conduct penetration testing to identify exploitable vulnerabilities and test lateral movement scenarios.
  • Incident Response: Validate your ability to detect, isolate, and remediate breaches effectively.

Real-Time Monitoring

  • Anomaly Detection: Deploy AI-powered systems to flag unusual activity and monitor legacy protocols.
  • Threat Intelligence: Integrate feeds to stay ahead of emerging risks and secure interfaces with TLS and micro-segmentation.
  • Automated Responses: Use SDN controllers and Kubernetes admission controllers to block threats.

For organisations deploying private 5G solutions, these steps are crucial for protecting operations and ensuring resilience. Security is an ongoing process – continuous testing and monitoring are non-negotiable.

5G Network Security Testing Framework: 4-Phase Approach


Pre-Testing Preparations and Planning

Security testing doesn’t begin with running vulnerability scans or penetration tests. It starts much earlier, with a solid preparation phase. Without this groundwork, critical attack vectors could go unnoticed. This stage lays the foundation for a thorough security assessment of your private 5G infrastructure, ensuring weaknesses are properly identified and addressed.

Document Network Architecture and Security Baseline

Start by mapping out your entire 5G network topology. This includes everything: core network functions, Radio Access Network (RAN) components, edge computing nodes, and management interfaces. Don’t forget to document details like Service Based Interface (SBI) APIs, network slicing configurations, and interconnections between virtualised components hosted on platforms such as Kubernetes or OpenStack. Pay special attention to entry points, including those used by vendors, as these could pose vulnerabilities.

Next, establish a security baseline. Record current access controls, firewall rules, and authentication mechanisms. Identify which IP ranges can access your 5G core and management platforms, and ensure all default credentials on hardware control layers are updated to prevent unauthorised access. If your deployment includes legacy 4G components – like SS7, Diameter, or GTP protocols in Non-Standalone (NSA) setups – these should also be documented, as they remain notable attack vectors. This baseline will guide your testing by highlighting areas that need extra scrutiny.

Align with Industry Standards and Regulations

It’s essential to align your security practices with UK regulations and international standards, such as ISO/IEC 27001, NIST, GDPR, and 3GPP. This ensures your network is not only secure but also compliant.

Apply Zero Trust principles by restricting access to a defined set of IP ranges. When working with vendors, limit their access to the absolute minimum required. Avoid granting broad or default permissions, and instead, segment vendor-specific management systems to contain potential breaches. For Kubernetes-based environments, admission controllers should be configured to block the deployment of privileged containers.

Set Up the Testing Environment

Create a controlled lab environment that closely mirrors real-world conditions. This setup should include high-capacity servers for 5G RAN and Core functions, software-defined radio (SDR) equipment like the USRP family or SYRTEM platform, and 5G-compatible antennas. For simulating end devices, use 5G-capable smartphones or Raspberry Pis equipped with specialised kits.

Recreate your production core network using open-source tools such as Open5GS, free5GC, or Magma for the 5G Core, and RAN distributions like OAI 5G RAN or the srsRAN Project. These services can be deployed as containers via Kubernetes or as virtual machines through OpenStack, allowing you to replicate a cloud-native environment with features like autonomous scaling and self-healing. A high-capacity network connection is also recommended.

Network segmentation is key in this environment. Separate the management network from signalling and user data traffic using VLANs and enforce strict firewall rules with a "deny all" policy.

"A segmented network can improve network performance by containing specific traffic only to the parts of the network that need to see it. It can help to reduce attack surface by limiting lateral movement".

For radio testing, use anechoic boxes or chambers to prevent interference with commercial spectrum and comply with local frequency regulations.

"The use of anechoic boxes or chambers is encouraged, to not disrupt commercial networks".

Finally, enable automatic vulnerability scanning for all container images before deploying them in your test environment. This proactive step ensures that potential security flaws are caught early, maintaining a lab environment that mirrors the security posture of your production network.

Key Areas of 5G Security Testing

Once your testing environment is ready, the next step is to examine the critical components of your private 5G network’s security in line with 3GPP SCAS specifications. These are the areas where attackers are most likely to focus their efforts.

Authentication Protocols and Identity Management

To secure network connections, ensure mutual authentication between devices and the network. This step is crucial to block rogue base stations from gaining access. Mutual authentication guarantees that both the device and the network verify each other’s identity before any connection is established.

The 5G standard uses the Subscription Concealed Identifier (SUCI) to protect the Subscription Permanent Identifier (SUPI) across all device types, including IoT sensors and industrial equipment. Confirm that this protection is consistently applied. It’s also essential to enforce control-plane integrity checks across all signalling traffic. This measure prevents "silent downgrades", where networks might bypass mutual authentication or revert to outdated, insecure protocols due to misconfigurations.

Given 5G’s service-based architecture, it’s vital to audit APIs connecting key functions like the Access and Mobility Management Function (AMF), Authentication Server Function (AUSF), and Unified Data Management (UDM). These audits should identify risks such as unauthorised access or lateral movement. Each function has specific SCAS testing requirements: AUSF aligns with TS 33.516, UDM with TS 33.514, and AMF with TS 33.512.

With authentication secured, attention shifts to the core network components.

Core Network Component Security

Using your established security baseline, conduct rigorous tests on core network interfaces. For the SBA-based 5G core, look for unencrypted SBIs and XML processor misconfigurations that could lead to XXE injection attacks. Ensure all HTTP/2 interfaces are protected using TLS, with mutual authentication for both client and server certificates.
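One way to remove the XML processor misconfiguration described above is to refuse DOCTYPE and entity declarations before a request body reaches the application parser. The following is an added example, not code from the original page or from Firecell; the function names and the request bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a request body uses XML features that enable XXE."""


def parse_untrusted_xml(body, allow_dtd=False):
    """Pre-flight the body with expat, then parse it only if it is safe.

    allow_dtd=False rejects any DOCTYPE, the strict setting for an API that
    never needs one. allow_dtd=True tolerates a bare DOCTYPE but still
    rejects entity declarations and external entity references.
    """
    def forbid_dtd(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity_decl(name, is_param, value, base, system_id,
                           public_id, notation):
        kind = "external" if system_id else "internal"
        raise UnsafeXML(f"{kind} entity {name!r} is not allowed")

    def forbid_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r}")

    guard = expat.ParserCreate()
    if not allow_dtd:
        guard.StartDoctypeDeclHandler = forbid_dtd
    guard.EntityDeclHandler = forbid_entity_decl
    guard.ExternalEntityRefHandler = forbid_external_ref
    try:
        guard.Parse(body, True)   # exceptions raised in handlers propagate
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    # Only bodies with no entity machinery reach the real parser, which also
    # rules out entity-expansion denial of service.
    return ET.fromstring(body)


def verdict(body, allow_dtd=False):
    """Return 'accepted' or 'rejected: <reason>' for a request body."""
    try:
        parse_untrusted_xml(body, allow_dtd)
        return "accepted"
    except UnsafeXML as exc:
        return f"rejected: {exc}"


# Constructed request bodies for a hypothetical XML management API.
CLEAN = b'<config><slice sst="1">embb</slice></config>'
DTD_ONLY = b'<!DOCTYPE config><config>ok</config>'
XXE_PROBE = (b'<!DOCTYPE config [<!ENTITY e SYSTEM '
             b'"file:///constructed/placeholder">]><config>&e;</config>')

if __name__ == "__main__":
    for sample in (CLEAN, DTD_ONLY, XXE_PROBE):
        print(verdict(sample), "|", verdict(sample, allow_dtd=True))
```
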

The Network Repository Function (NRF), serving as a service registry, is a high-value target. If compromised, attackers could reroute traffic or impersonate legitimate network functions. Similarly, the Network Exposure Function (NEF), which provides external access to network capabilities, must be thoroughly tested for API security. The GSMA NESAS framework, which adopts 3GPP SCAS, offers a recognised standard for evaluating these risks.

Since many core functions operate as Kubernetes pods, it’s essential to test for container-specific vulnerabilities. These include risks like container breakouts via cgroups, overly permissive pod settings, and kernel-level exploits. Additionally, the management network (OSS/BSS) is a critical point of concern. Weak segmentation here could allow attackers to pivot from corporate networks into the core.

After securing the core, the focus moves to the RAN and edge components.

Radio Access Network (RAN) and Edge Security

RAN and edge nodes, often located in remote or unsupervised areas, are particularly vulnerable to physical tampering and other risks. The 5G standard mandates the use of temporary identities instead of SUPI for paging protocols, which helps prevent attackers from tracking or locating users. Regular audits are necessary to ensure these temporary identities are implemented correctly.

"5G network operators and organisations using 5G technologies are encouraged to verify that the paging is happening as described in the 5G standards." – NIST

Distributed Units (DU), often deployed in less secure locations, should be designed to avoid any access to customer communications. On the other hand, Centralised Units (CU) and edge servers must be installed in physically secure locations to minimise tampering risks. Encryption is critical for both control and user planes, whether data is in transit or at rest, with IPsec being the standard choice. Additionally, edge binaries should incorporate exploit mitigation techniques, such as ASLR, NX bits, and stack cookies, to enhance security.

Multi-Access Edge Computing (MEC) servers are another area of concern. Poorly configured CI/CD pipelines can introduce vulnerabilities, so securing the code ingestion process is essential to prevent malicious executions at the edge. In OpenRAN deployments, the open specifications used for interfaces between the Radio Unit (RU), Distributed Unit (DU), and Centralised Unit (CU) increase the number of exposed services. These services require continuous monitoring to mitigate risks.

Vulnerability and Penetration Testing

Take a proactive approach to securing your 5G network by identifying weaknesses before attackers can exploit them. This process blends automated tools with manual testing to uncover vulnerabilities and strengthen defences.

Automated Vulnerability Scanning

Automated scanning is a cornerstone of managing vulnerabilities in 5G networks. One critical step is container image scanning. Configure your registry to scan container images before they’re deployed. Tools like Trivy can integrate seamlessly with registries like Harbor, enabling scans to run automatically whenever a new image is pushed. This "scan-on-push" method helps detect known vulnerabilities early, preventing them from reaching production.

Automated tools should also verify that services and binaries include essential exploit mitigations, such as Address Space Layout Randomisation (ASLR), non-executable (NX) bits, and stack cookies. For proprietary 5G services, fuzzers such as AFL can help uncover memory corruption issues, such as stack buffer overflows. Additionally, scanning HTTP/2 Service Based Interface (SBI) APIs can reveal vulnerabilities like XML External Entity (XXE) injection or insecure configurations. The MITRE FiGHT (5G Hierarchy of Threats) framework serves as a useful guide for identifying threats specific to 5G networks.
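The mitigation check named above, and earlier for edge binaries, can be automated by reading a binary's ELF headers. The following is an added example, not code from the original page or from Firecell; it assumes 64-bit little-endian ELF files, and the sample images are constructed, non-runnable skeletons.

```python
import struct

ET_DYN = 3                  # position-independent executable (or shared object)
PT_GNU_STACK = 0x6474E551   # program header that carries stack permissions
PF_X = 0x1                  # "executable" permission flag
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes


def check_mitigations(image):
    """Report PIE, NX stack and stack-cookie status for an ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    hdr = EHDR.unpack_from(image, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx = False   # no PT_GNU_STACK header at all: assume an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", image,
                                             e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        # ASLR is a kernel feature; PIE is what lets it move the main binary.
        "pie": e_type == ET_DYN,
        "nx_stack": nx,
        # Heuristic: compilers reference this symbol when cookies are enabled;
        # a stripped static binary can carry cookies without the string.
        "stack_cookie": b"__stack_chk_fail" in image,
    }


def missing(image):
    """Names of the mitigations a scan should report as absent."""
    return [name for name, ok in check_mitigations(image).items() if not ok]


def build_sample(e_type, stack_flags, strings=b""):
    """Constructed ELF64 skeleton: file header plus optional PT_GNU_STACK."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56,
                     len(phdrs) // 56, 0, 0, 0)
    return ehdr + phdrs + strings


HARDENED = build_sample(3, 6, b"\0__stack_chk_fail\0")   # PIE, RW stack
WEAK = build_sample(2, 7)                                # ET_EXEC, RWX stack
NO_STACK_HEADER = build_sample(3, None)                  # PIE, header absent

if __name__ == "__main__":
    for label, img in (("hardened", HARDENED), ("weak", WEAK),
                       ("no stack header", NO_STACK_HEADER)):
        print(label, missing(img) or "all mitigations present")
```
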

"Basic vulnerability management is key – identifying and preventing risks to all the hosts, images and functions." – NCC Group

In Kubernetes-based 5G setups, admission controllers play a crucial role by blocking the deployment of containers with weak security measures or those that fail vulnerability scans. Establish workflows to patch critical vulnerabilities as soon as they are detected. Automated scripts can also help identify default or weak passwords in network switches, routers, and management interfaces, further reducing risks.

Once vulnerabilities are flagged through automated scans, take the next step: simulate attacks to test how well your defences hold up.

Simulated Attack Scenarios

Penetration testing goes beyond identifying vulnerabilities – it demonstrates how these weaknesses can be exploited in real-world scenarios. For example, researchers have shown how XXE injection in management APIs can lead to multi-stage attacks, allowing attackers to read filesystems, recover credentials, and gain SSH access. From there, attackers have been able to exploit kernel vulnerabilities to escape containers, gain root privileges on Kubernetes cluster hosts, and eventually compromise Radio Access Network (RAN) clusters.

"In most cases, the main avenue of attack is via the management layer into the core network – either utilising the operator’s support personnel or via the 3rd party vendor." – NCC Group

Design attack simulations that mimic an attacker’s path from the network edge to the core. This approach helps uncover security gaps by peeling back each layer of functionality. For instance, test whether overly permissive pod capabilities (e.g., CAP_SYS_ADMIN or hostNetwork) could allow container breakouts and cluster-wide compromises. Simulate lateral movement to assess how an attacker might pivot from a compromised corporate network into the 5G core using a jumpbox or management platform. Align these tests with frameworks like MITRE FiGHT or MITRE ATT&CK to ensure you’re covering a broad range of known adversary tactics.

After conducting these simulated attacks, it’s vital to evaluate your organisation’s ability to detect, respond to, and recover from breaches.

Validate Incident Response and Remediation Plans

Effective incident response is critical for mitigating the impact of breaches. Given the complexity of 5G networks, attacks can unfold over extended periods, sometimes weeks or even months. Long-term red team exercises can help assess whether your internal teams can detect and respond to persistent threats.

Test your segmentation controls to ensure they can isolate an attacker within a specific segment, such as a single RAN edge node, preventing further lateral movement into the core management network. Monitoring systems should be configured to trigger alerts whenever unauthorised access attempts are made to critical layers like the Operations Support System (OSS), Business Support System (BSS), or hardware management interfaces such as Dell iDRAC or HP iLO. In containerised environments, regularly audit login events and operating system changes to detect container breakouts or privilege escalations. Finally, ensure your admission controllers are effective at blocking malicious manifests – even if an attacker gains initial deployment privileges.
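The alerting rule described above can be exercised against recorded access logs before it is trusted in production. The following is an added example, not code from the original page or from Firecell; the log format, host names, allow-listed range and failure threshold are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: only this jump-host range may reach management interfaces.
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]
# Assumption: management targets are recognisable by host-name prefix.
MGMT_TARGET = re.compile(r"^(oss|bss|idrac|ilo)\b", re.IGNORECASE)
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=(\S+) result=(OK|FAIL)$")


def detect(lines, fail_threshold=3):
    """Return (rule, source, target) alerts for management-plane access.

    outside-allowlist: any attempt, successful or not, from a source that
    is not in ALLOWED_SOURCES (reported once per source/target pair).
    repeated-failures: fail_threshold failed logins from one source to one
    target, even when the source is allow-listed.
    Lines that do not parse are skipped.
    """
    alerts, seen, failures = [], set(), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, src, dst, _user, result = m.groups()
        if not MGMT_TARGET.match(dst):
            continue                      # not a management interface
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        key = (src, dst)
        if not any(addr in net for net in ALLOWED_SOURCES) and key not in seen:
            seen.add(key)
            alerts.append(("outside-allowlist", src, dst))
        if result == "FAIL":
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("repeated-failures", src, dst))
    return alerts


# Constructed log lines in the assumed format.
SAMPLE_LOG = [
    "2025-01-10T02:14:01Z src=10.50.0.7 dst=oss-portal user=alice result=OK",
    "2025-01-10T02:14:09Z src=10.50.0.7 dst=idrac-ran-edge-03 user=alice result=FAIL",
    "2025-01-10T02:15:30Z src=192.168.40.22 dst=bss-billing user=bob result=FAIL",
    "2025-01-10T02:16:02Z src=10.50.0.9 dst=ilo-core-01 user=root result=FAIL",
    "2025-01-10T02:16:04Z src=10.50.0.9 dst=ilo-core-01 user=root result=FAIL",
    "2025-01-10T02:16:07Z src=10.50.0.9 dst=ilo-core-01 user=root result=FAIL",
    "2025-01-10T02:17:45Z src=192.168.40.22 dst=bss-billing user=bob result=OK",
    "2025-01-10T02:18:00Z src=192.168.40.22 dst=upf-n3 user=probe result=OK",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
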

For organisations using private 5G solutions, like those provided by Firecell, implementing these rigorous testing protocols is essential for maintaining a secure and resilient network. By combining automated scanning, simulated attacks, and robust incident response validation, you can stay ahead of potential threats and protect your 5G infrastructure.

Real-Time Monitoring and Threat Intelligence

Keeping private 5G networks secure requires constant vigilance. Real-time monitoring gives you a continuous view of network activity, helping you spot and deal with potential threats before they escalate. It’s no surprise that spending on 5G security is projected to grow from £3.2 billion in 2025 to over £8.8 billion by 2029.

Deploy Anomaly Detection Systems

AI-powered anomaly detection systems are key to identifying unusual patterns in network activity. Extended Detection and Response (XDR) platforms simplify this process by consolidating data from across the network, endpoints, and cloud into a single interface. By 2029, telco-specific XDR spending is expected to hit £456 million.

These systems don’t just flag issues; they also provide automated alerts, dashboards, and insights for radio optimisation. In environments like factories or warehouses, RF assurance tools can be invaluable. They monitor spectrum activity in real time, focusing on sub‑6 GHz bands and Wi‑Fi to detect signal interference or dead zones caused by machinery or structural barriers.

Organisations using AI and automation tools see a data breach lifecycle that’s 108 days shorter than those that don’t. Software-based signalling firewalls further strengthen defences by authenticating messages and preventing threats like signalling storms, spam, and denial-of-service attacks. In hybrid setups where legacy 2G, 3G, or 4G protocols coexist with 5G – something 85% of operators plan to maintain – monitoring systems must also address vulnerabilities in older signalling layers. All of this real-time detection feeds into actionable threat intelligence.

Integrate Threat Intelligence Feeds

Incorporating threat intelligence into your security strategy helps you stay ahead of emerging risks. Frameworks like MITRE FiGHT (5G Hierarchy of Threats) categorise 5G-specific attack vectors, making it easier to focus on critical areas. For instance, Operations Support Systems (OSS) and Business Support Systems (BSS) are prime targets for Advanced Persistent Threat groups aiming to disrupt networks or steal data.

"Targeting the 5G NFVI or mobile core cloud via the corporate access is a likely attack vector, either disrupting the service by a DoS attack or acquiring billing data." – NCC Group

Security measures like integrating threat intelligence into container registries (e.g., using Trivy) allow automated scanning during code pushes. Additionally, monitoring HTTP/2 Service Based Interface (SBI) APIs used by 5G core components ensures real-time logging and security checks. These interfaces should always be secured with TLS certificates and monitored for unusual activity.

A zero-trust approach, such as applying micro-segmentation with "deny all" defaults, is essential. This strategy helps contain threats by preventing lateral movement between the corporate network, management layers, and the 5G core. Unlike traditional perimeter-based security, zero trust verifies every access request independently.

Test Automated Response Mechanisms

Automated response systems can act immediately when anomalies are detected, reducing the time it takes to mitigate threats. For instance, Software-Defined Networking (SDN) controllers can quickly isolate compromised network segments to limit damage. Similarly, micro-segmentation with strict firewall rules – using an "implicit deny all" setting – can block lateral movement between critical systems.

In Kubernetes-based 5G deployments, admission controllers add another layer of protection. They can automatically block insecure pods, such as those running as root or with risky configurations like host-path mounts, which could otherwise lead to widespread compromise. Regular testing of these automated systems is crucial to ensure they perform as expected during an actual breach.
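The pod settings this checklist asks admission control to block (privileged containers, CAP_SYS_ADMIN, hostNetwork, root users and host-path mounts) can be written as one check over a pod manifest and replayed against test manifests. The following is an added example, not code from the original page or from Firecell; the function names are hypothetical, the pods and request UIDs are constructed, and the response uses the standard AdmissionReview v1 shape.

```python
RISKY_CAPS = {"SYS_ADMIN", "ALL"}


def _cap(name):
    """Normalise 'CAP_SYS_ADMIN' and 'sys_admin' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def pod_violations(pod):
    """List the settings in a pod manifest that the policy refuses."""
    spec = pod.get("spec", {})
    found = []
    if spec.get("hostNetwork"):
        found.append("hostNetwork: pod shares the node's network namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            found.append(f"volume {vol['name']}: hostPath {path}")
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("privileged"):
            found.append(f"container {name}: privileged")
        added = (sc.get("capabilities") or {}).get("add", [])
        for cap in sorted({_cap(x) for x in added} & RISKY_CAPS):
            found.append(f"container {name}: adds capability {cap}")
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and non_root is not True):
            found.append(f"container {name}: may run as root")
    return found


def review(admission_review):
    """Answer an AdmissionReview request with an allow or deny response."""
    req = admission_review["request"]
    problems = pod_violations(req["object"])
    resp = {"uid": req["uid"], "allowed": not problems}
    if problems:
        resp["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


def as_request(uid, pod):
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "object": pod}}


# Constructed manifests: one that must be refused, one that must pass.
RISKY_POD = {"metadata": {"name": "upf-debug"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "upf", "image": "registry.example/upf:constructed",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["CAP_SYS_ADMIN"]}}}]}}
HARDENED_POD = {"metadata": {"name": "amf"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "amf", "image": "registry.example/amf:constructed",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for uid, pod in (("constructed-uid-1", RISKY_POD),
                     ("constructed-uid-2", HARDENED_POD)):
        print(review(as_request(uid, pod))["response"])
```
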

Generative AI tools are also stepping up in the fight against cyber threats. Currently, 65% of surveyed telco companies use these tools for predictive security. Large Language Models incorporated into XDR platforms can summarise incidents and suggest remediation steps, allowing teams to respond more effectively to complex threats. Centralised access management platforms further enhance security by monitoring and controlling connections to OSS and BSS automatically.

For organisations using private 5G solutions, such as those from Firecell, validating automated response mechanisms is critical. It’s important to confirm that SDN controllers can isolate compromised segments without affecting essential operations. Similarly, admission controllers must be tested to ensure they block malicious deployments, even if attackers manage to gain initial access. This ensures your network remains secure in dynamic industrial settings.

Conclusion and Next Steps

Key Takeaways from the Checklist

Securing private 5G networks requires a thorough, multi-layered approach to testing. Start by examining the network edge – focusing on the Radio Access Network (RAN) and Multi-Access Edge Computing (MEC) components – to uncover vulnerabilities across all layers of the network.

One critical point to remember: the management layer remains the most vulnerable to attacks. Most breaches don’t happen via the radio interface but through corporate networks, operator personnel, or third-party vendors. This highlights the importance of targeting these areas in your security efforts.

To strengthen Zero Trust principles, ensure management traffic is completely separated from signalling and user data. As Philip Marsden from NCC Group aptly puts it:

"There is a fine line between testing time and finding vulnerabilities, and we can never guarantee we have found all the issues with a component."

This statement emphasises the need for constant vigilance. Security is not a one-time task; it requires continuous monitoring and long-term commitment to identify and address emerging threats.

Maintain and Update Security Practices

With these insights in mind, it’s essential to evolve your security measures alongside network changes. Use tools like Trivy to enable "scan on push" functionality, catching vulnerabilities before deployment. Incorporate Kubernetes admission controllers to block insecure or privileged containers – this is particularly critical in 5G cores running on virtualised cloud systems, where attackers could exploit containers to access the underlying host.

Don’t overlook legacy components. Many 5G networks still operate alongside 4G protocols like SS7, Diameter, and GTP, which bring known security risks into the mix. Conduct regular audits of login activity, apply patches for critical vulnerabilities promptly, and ensure firmware updates for network infrastructure are part of your routine.

For organisations utilising private 5G solutions from providers like Firecell, integrating these practices is essential to maintaining a secure and resilient network. Constant improvements not only address current risks but also prepare your systems to handle future challenges effectively.

FAQs

What steps should I take to secure my 5G network’s core components against API vulnerabilities?

To keep your 5G network’s core components safe from API vulnerabilities, it’s essential to put strong authentication measures in place. Techniques like token-based or certificate-based access controls can significantly reduce risks. Alongside this, make a habit of conducting regular security checks, including vulnerability assessments and penetration testing, to uncover and fix potential weak points.

Stick to API security best practices: restrict access permissions, encrypt data while it’s being transmitted, and keep an eye out for any unusual activity. Additionally, ensure you apply software updates and patches as soon as they’re available to address new threats. By staying vigilant and taking these steps, you can protect the integrity and reliability of your 5G network.

What are the key steps to create a secure testing environment for 5G networks?

To establish a secure testing environment for 5G networks, begin by designing a controlled setup that closely replicates real-world scenarios. This allows you to focus on vulnerability assessments and penetration testing to identify any potential weak points. Base your security testing on established standards, such as 3GPP TS 33.117, which provides key security requirements.

Make sure all network devices, operating systems, and related infrastructure are correctly configured for security. Regularly test network functions, management interfaces, and connected devices for any vulnerabilities. Using lab kits for testing and incorporating automated assessments through CI/CD frameworks can enhance both efficiency and precision.

Additionally, ensure your testing environment stays up to date, conduct regular attack simulations, and stay alert to emerging threats. This proactive strategy will help keep your private 5G network resilient and secure.

Why is continuous monitoring important for securing 5G networks?

Continuous monitoring is essential for keeping 5G networks secure, especially given the complexity of their architecture and the growing number of potential vulnerabilities. By spotting threats as they arise, organisations can take immediate action to prevent breaches or disruptions.

This real-time vigilance allows businesses to stay ahead of advanced threats, including persistent attacks from highly skilled adversaries. Through continuous monitoring, companies can safeguard the integrity and reliability of their private 5G networks, ensuring both data and operations remain protected.
