PTA releases strict security rules for safe 5G rollout


ISLAMABAD (Kashmir English): For the secure rollout, operation, and management of 5G networks within the country, the 5G Security Guidelines 2025 have been issued by the Pakistan Telecommunication Authority (PTA).

The new guidelines are geared towards ensuring that the national telecommunication infrastructure and data are protected as next-generation telecommunication networks expand their coverage.

The guidelines are aligned with international best practices from bodies such as 3GPP, GSMA, ITU, and NIST, ensuring that Pakistan's 5G networks are secure and adhere to international security standards. A major point of emphasis from the country's telecom regulator is that 5G security is no longer just a technical issue; rather, it is a matter of national security and economic well-being.

As per the guidelines, the cloud-native and virtualized/sbRAN architecture of 5G substantially enlarges the attack surface relative to previous network generations. To secure network connections, the PTA has therefore introduced a Unified Authentication Framework that supports both mobile and non-mobile access methods.

To protect privacy, the guidelines require the use of a Subscription Concealed Identifier (SUCI) to prevent IMSI catching and over-the-air tracking. They also require Home Network-controlled authentication in order to minimize roaming fraud and prevent unauthorized or rogue network registrations. In addition, the PTA requires robust cryptographic policies based on TLS 1.3 and AES-128, while deprecating algorithms like MD5 and SHA-1.

The framework sets out detailed requirements for areas such as network slice security, under which a high level of isolation must be ensured between virtual network slices serving sectors like IoT, industry, and public safety.

Security in the Service-Based Architecture (SBA) is strengthened through provisions for API protection, OAuth 2.0 authentication, mutual TLS authentication, and the Service Communication Proxy (SCP) mechanism.

For roaming security, operators must employ the Security Edge Protection Proxy (SEPP) mechanism, which protects data against spoofing attacks from operators.

The PTA has indicated that end-user devices, IoT devices, and edge computing nodes are major security threats because of poor patching mechanisms, outdated hardware, and third-party hosting risks.

Core functions in the network are classified as security-sensitive, since they could potentially interfere with authentication, session, and national-level communications processes.

The guidelines also refer to physical security challenges at radio access networks (RANs) and to risks relating to administrative threats and identity management.

To address these risks, the guidelines call for implementing the "Zero Trust Security Model" and establishing "SOC, SIEM, and AI-based anomaly detection" to monitor threats in real time.

“PTA has also emphasized the significance of readiness for post-quantum cryptography, good governance, continuous auditing for compliance, and coordination among operators, vendors, and regulators for the development of a secure and trusted 5G network ecosystem in Pakistan.”
