Page 153 - Kaleidoscope Academic Conference Proceedings 2021
Connecting physical and virtual worlds
frequency, and space domains to transmit data. The transport network uses FlexE-based hard isolation to have exclusive timeslots similar to TDM; services can be carried over network slices based on time division, and services on different FlexE slices do not affect each other. The core network uses NFV to allocate independent physical server resources to the power grid.

Figure 8 – Differences between 5G and legacy networks in carrying electric power services

• Vertical authentication: There are some dispatching centers, power plants and substations that require special protection because their data is highly sensitive. In this case, their data should pass through dedicated vertical encryption and authentication devices or encryption and authentication gateways and related facilities. This implements bidirectional identity authentication, data encryption, and access control. Vertical encryption and authentication devices authenticate and encrypt WAN communication, protecting the confidentiality and integrity of the data in transmission, as well as ensuring secure filtering. In addition to all the functions provided by encryption and authentication devices, the encryption and authentication gateways should also be able to process power systems' data communication application-layer protocols and messages.

5.2 Smart factory

5.2.1 Overview

A smart factory is a typical LAN MEC scenario. The overall project covers component material inspection, AR-assisted component assembly, status monitoring and analysis during equipment trial, and AR-based remote guidance for the maintenance of any identified issues. The project preliminarily implements equipment trial and manufacturing throughout the process, achieves secure production, and improves the efficiency of research and production. To meet service requirements, the smart factory network architecture consists of 5G UEs, 5G base stations, a 5G transport network, and a 5G core network. In addition, the MEC local breakout mode is deployed to implement low-latency and high-bandwidth access to local network resources and ensure that data is not transmitted out of the factory. In this case, the equipment complies with 3GPP specifications and meets the carrier-class reliability of 99.999% or higher.

5.2.2 Smart factory security

• UE access security: A CPE equipped with a SIM card initiates a registration procedure to the 5G network, and then initiates a registration authentication procedure to the control plane of the 5G core network through the 5G base station and 5G transport network. During this process, the identity of the SIM card is authenticated (in compliance with the 5G AKA mutual authentication standard) to prevent unauthorized access to the 5G network. Since operators provide the authentication capabilities of SIM cards, if enterprises need to independently authenticate and manage enterprise UEs, they can deploy AAA services to perform secondary authentication on enterprise UEs. This ensures that only authorized users and UEs are allowed to access the campus network.

• Communication network confidentiality and integrity protection: On the one hand, the 5G air interface security and transmission security mechanisms are used to implement E2E segment-based confidentiality and integrity protection on 5G networks. 5G air interface security ensures confidentiality and integrity of radio interfaces between 5G UEs and base stations. Transmission security ensures confidentiality and integrity from the base station to the UPF and from the UPF to the enterprise intranet. Operators and enterprises can deploy IPsec to ensure confidentiality and integrity of the transport network. On the other hand, enterprises deploy security capabilities of CPEs and border security gateways to ensure security of communication links at the application layer, such as creating a dedicated tunnel for local transparent transmission and deploying E2E encryption and integrity at the application layer.

Figure 9 – E2E encryption and integrity protection

• Enterprise network border isolation: To ensure border security of the 5G and enterprise networks, a firewall can be deployed between the UPF and the core switch on the enterprise network. The firewall provides refined access control policies to reduce the attack surface, traffic and behavior analysis capabilities, and malware detection. The firewall adopts a security policy of least privilege, so incoming traffic enters the untrust zone. The security policy is configured based on protocols and allows only Internet key exchange and IPsec traffic to
– 91 –
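As an added illustration of the border isolation policy described in 5.2.2 (not code from the paper or from any vendor product it mentions), the following Python model evaluates traffic arriving in the untrust zone against a least-privilege allowlist that permits only IKE and IPsec ESP toward the enterprise intranet and denies everything else. The zone names, the port and protocol numbers (standard IANA assignments for IKE and ESP) and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple
# Standard IANA assignments: IKE on UDP/500, IKE NAT-T (and UDP-encapsulated
# ESP) on UDP/4500, ESP as IP protocol 50. Anything else is denied by default.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORTS = frozenset({500, 4500})

@dataclass(frozen=True)
class Packet:
    src_zone: str      # zone the packet arrives from ("untrust" = 5G/UPF side)
    dst_zone: str      # "trust" = enterprise intranet behind the core switch
    ip_proto: int
    dst_port: int = 0  # only meaningful for TCP/UDP

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ip_proto: int
    dst_ports: frozenset = frozenset()  # empty means any port

    def matches(self, p: Packet) -> bool:
        return (p.src_zone == self.src_zone and p.dst_zone == self.dst_zone
                and p.ip_proto == self.ip_proto
                and (not self.dst_ports or p.dst_port in self.dst_ports))

# Allowlist for the untrust -> trust direction: IKE and IPsec ESP only.
# There is deliberately no "allow any" rule; the implicit action is deny.
BORDER_POLICY: List[Rule] = [
    Rule("allow-ike", "untrust", "trust", PROTO_UDP, IKE_PORTS),
    Rule("allow-esp", "untrust", "trust", PROTO_ESP),
]

def evaluate(p: Packet, policy: List[Rule] = BORDER_POLICY) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in policy:
        if rule.matches(p):
            return "permit", rule.name
    return "deny", "default-deny"

# Constructed sample traffic from the 5G side: only the first two packets
# belong to the IPsec tunnel, the plaintext ones must not reach the LAN.
SAMPLE = [Packet("untrust", "trust", PROTO_UDP, 500),   # IKE_SA_INIT
          Packet("untrust", "trust", PROTO_ESP),        # ESP-protected payload
          Packet("untrust", "trust", PROTO_TCP, 502),   # plaintext Modbus/TCP
          Packet("untrust", "trust", PROTO_UDP, 53)]    # DNS straight to LAN

def audit(packets: List[Packet] = SAMPLE) -> List[Tuple[str, str]]:
    """Return (verdict, rule) for each packet, e.g. for a firewall audit log."""
    return [evaluate(p) for p in packets]
```

Reversing the zone order in a packet (trust to untrust) also hits the default deny, which is why a real deployment adds explicit outbound rules rather than relaxing the inbound allowlist.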