
Content for  TS 22.261  Word version:  19.6.0


8  Security

8.1  Description

IoT introduces new UEs with different life cycles, including IoT devices with no user interface (e.g. embedded sensors), devices with long life spans during which they can change ownership several times (e.g. consumer goods), and devices which cannot be pre-provisioned (e.g. consumer goods). These drive a need for secure mechanisms to dynamically establish or refresh credentials and subscriptions. New access technologies, including licensed and unlicensed, 3GPP and non-3GPP, drive a need for access-independent security that is seamlessly available while the IoT device is active. High-end smartphones, UAVs, and factory automation drive a need for protection against theft and fraud. A high level of 5G security is essential for critical communication, e.g. in industrial automation, industrial IoT, and the Smart Grid. Expansion into enterprise, vehicular, medical, and public safety markets drives a need for increased end user privacy protection. 5G security addresses all of these new needs while continuing to provide security consistent with prior 3GPP systems.

8.2  General

The 5G system shall support a secure mechanism to store cached data.
The 5G system shall support a secure mechanism to access a content caching application.
The 5G system shall support a secure mechanism to access a service or an application in an operator's Service Hosting Environment.
The 5G system shall enable support of an access-independent security framework.
The 5G system shall support a mechanism for the operator to authorize subscribers of other PLMNs to receive temporary service (e.g. mission critical services).
The 5G system shall be able to provide temporary service for authorized users without access to their home network (e.g. IOPS, mission critical services).
The 5G system shall allow the operator to authorize a third-party to create, modify and delete network slices, subject to an agreement between the third-party and the network operator.
Based on operator policy, a 5G network shall provide suitable means to allow a trusted and authorized third-party to create and modify network slices used for the third-party with appropriate security policies (e.g. user data privacy handling, slices isolation, enhanced logging).
The 5G system shall support a secure mechanism to protect relayed data from being intercepted by a relay UE.
Subject to HPLMN policy as well as its service and operational needs, any USIM able to access EPS instead of a 5G USIM may be used to authenticate a user in a 5G system to access supported services according to the user subscription.
The 5G system shall provide integrity protection and confidentiality for communications between authorized UEs using a 5G LAN-type service.
The 5G LAN-VN shall be able to verify the identity of a UE requesting to join a specific private communication.
The 5G system shall provide suitable means to allow the use of a trusted third-party provided encryption between any UE served by a private slice and a core network entity in that private slice.
The 5G system shall provide suitable means to allow use of a trusted and authorized third-party provided integrity protection mechanism for data exchanged between an authorized UE served by a private slice and a core network entity in that private slice.
The 5G system shall provide suitable means to allow use of a trusted and authorized third-party provided integrity protection mechanism for data exchanged between an authorized UE served by a non-public network and a core network entity in that non-public network.
The 5G system shall enable a PLMN to host an NPN without compromising the security of that PLMN.

8.3  Authentication

The 5G system shall support an efficient means to authenticate a user to an IoT device (e.g. biometrics).
The 5G system shall be able to support authentication over a non-3GPP access technology using 3GPP credentials.
The 5G system shall support operator-controlled alternative authentication methods (i.e. alternative to AKA) with different types of credentials for network access for IoT devices in isolated deployment scenarios (e.g. for industrial automation).
The 5G system shall support a suitable framework (e.g. EAP) allowing alternative (e.g. to AKA) authentication methods with non-3GPP identities and credentials to be used for UE network access authentication in non-public networks.
Subject to an agreement between an MNO and a 3rd party, the 5G system shall support a mechanism for the PLMN to authenticate and authorize UEs for access to both a hosted non-public network and private slice(s) of the PLMN associated with the hosted non-public network.
The 5G network shall support a 3GPP supported mechanism to authenticate legacy non-3GPP devices for 5G LAN-VN access.
The 5G system shall support a mechanism for the non-public network to authenticate and authorize UEs for access to network slices of that non-public network.
The 5G system shall enable an NPN to be able to request a third-party service provider to perform NPN access network authentication of a UE based on non-3GPP identities and credentials supplied by the third-party service provider.
The 5G system shall enable an NPN to be able to request a PLMN to perform NPN access network authentication of a UE based on 3GPP identities and credentials supplied by the PLMN.

8.4  Authorization

The 5G system shall allow the operator to authorize an IoT device to use one or more 5G system features that are restricted to IoT devices.
The 5G system shall allow the operator to authorize/de-authorize UEs for using 5G LAN-type service.
Based on operator policy, before establishing a direct device connection using a non-3GPP access technology, IoT devices may use 3GPP credentials to determine if they are authorized to engage in direct device connection.
Based on operator policy, the 5G system shall provide a means to verify whether a UE is authorized to use prioritized network access for a specific service.
A 5G system with satellite access supporting S&F Satellite operation shall be able to support mechanisms to authorize a UE to use the S&F satellite operation.
A 5G system with satellite access shall be able to support mechanisms to authorize the UE-Satellite-UE communication, based on e.g., location information and subscription.

8.5  Identity management

The 5G system shall provide a mechanism for an operator to allow access from a UE using a temporary identifier that hides its subscriber identity.
The 5G system shall provide a mechanism for an operator to allow access from a UE connected in an indirect network connection using a temporary identifier that hides its subscriber identity.
The HPLMN shall be able to associate a temporary identifier to a UE's subscriber identity.
The 5G system shall be able to protect subscriber identity and other user identifying information from passive attacks.
Subject to regional or national regulatory requirements, the 5G system shall be able to protect subscriber identity and other user identifying information from active attacks.
The 5G system shall be able to allow the equipment identifier to be collected by a legitimate entity regardless of the UE's user interface, when required.
The 5G system shall be able to support identification of subscriptions independently of identification of equipment.
The 5G system shall support a secure mechanism to collect system information while ensuring end-user and application privacy (e.g. application level information is not to be related to an individual user identity or subscriber identity and UE information is not to be related to an individual subscriber identity).
Subject to regional or national regulatory requirements, the 5G system shall be able to provide the 5G positioning services while ensuring the protection of the privacy of the UE's user or owner, including the respect of his consent to the positioning services.
For a private network using 5G technology, the 5G system shall support network access using identities, credentials, and authentication methods provided and managed by a third-party and supported by 3GPP.

8.6  Regulatory

The 5G system shall support regional or national regulatory requirements for all supported access networks.
The 5G system shall support Lawful Interception, subject to regional or national regulatory requirements.
A 5G satellite access network connected to 5G core networks in multiple countries shall be able to meet the corresponding regulatory requirements from these countries (e.g. Lawful Interception).
A 5G system shall support regulatory requirements for 5G LAN-type services.

8.7  Fraud protection

Subject to regional or national regulatory requirements, the 5G system shall support a secure mechanism for allowing an authorized entity to disable a UE reported as stolen from normal operation.
Subject to regional or national regulatory requirements, the 5G system shall support a secure mechanism for allowing an authorized entity to re-enable a recovered stolen UE to normal operation.
The 5G system shall be able to protect user location information from passive attacks.
Subject to regional or national regulatory requirements, the 5G system shall be able to protect user location information from active attacks.
Subject to regional or national regulatory requirements, the 5G system shall support mechanisms to protect the production of the user location information and user positioning-related data against tampering and spoofing.
Subject to regional or national regulatory requirements, the 5G system shall support mechanisms to detect tampering and spoofing attempts on the production of the user location information and the user position-related data.

8.8  Resource efficiency

The 5G system shall minimize security signalling overhead without compromising the security level of the 3GPP system.
The 5G system shall support an efficient secure mechanism to transmit the same data (e.g. service provisioning multiple sensors) to multiple UEs.

8.9  Data security and privacy |R16|

The 5G system shall support data integrity protection and confidentiality methods that serve URLLC, high data rates and energy constrained devices.
The 5G system shall support a mechanism to verify the integrity of a message as well as the authenticity of the sender of the message.
The 5G system shall support encryption for URLLC services within the requested end-to-end latency.
Subject to regulatory requirements, the 5G system shall enable an MNO to provide end-to-end integrity protection, confidentiality, and protection against replay attacks between a UE and third-party application server, such that the 3GPP network is not able to intercept or modify the data transferred between a UE and third-party application server.
Subject to regulatory requirements and based on operator policy, the 5G system shall provide a mechanism to support data integrity verification service to assure the integrity of the data exchanged between the 5G network and a third-party service provider.
Subject to regulatory requirements and based on operator policy, the 5G system shall provide a mechanism to support confidentiality to prevent exposure of data exchanged between the 5G network and a third party service provider.
Subject to operator's policies, a 5G system with satellite access supporting S&F Satellite operation shall be able to preserve security of the data stored and forwarded.

8.10  5G Timing Resiliency |R18|

The 5G system shall support a mechanism to verify authorization of a 3rd party application to use 5G timing resiliency.
The 5G system shall support a mechanism to monitor and verify authenticity of the timing source, where supported by the time source.

9  Charging aspects

9.1  General |R16|

The following set of requirements complement the requirements listed in TS 22.115. The requirements apply for both home and roaming cases.
The 5G core network shall support collection of all charging information on either a network or a slice basis.
The 5G core network shall support collection of charging information for alternative authentication mechanisms.
The 5G core network shall support collection of charging information associated with each serving MNO when multi-network connectivity is used under the control of the home operator.
The 5G core network shall support charging for services/applications in an operator's Service Hosting Environment.
The 5G core network shall support charging for content delivered from a content caching application.
The 5G core network shall support collection of charging information based on the access type (e.g. 3GPP, non-3GPP, satellite access).
The 5G core network shall support collection of charging information based on the slice that the UE accesses.
The 5G system shall be able to generate charging information regarding the used radio resources e.g. used frequency bands.
The 5G core network shall support collection of charging information based on the capacity and performance metrics.
The 5G system shall be able to support an indirect network connection even when the UE is in E-UTRAN or NG-RAN coverage.
The 5G system shall be able to support mechanisms to differentiate charging information for traffic carried over satellite backhaul.
For service function chaining (see clause 6.35) the collection of charging information associated to the use of service functions and the chain of service functions requested by third parties shall be supported.
The 5G system shall be able to support collection of charging information for a group of UEs, e.g. UEs of an AI/ML FL group.
The 5G system shall be able to support a charging mechanism for multiple UEs exchanging data for the same service using the direct device connection.

9.2  5G LAN |R16|

A 5G core network shall support collection of charging information for a 5G LAN-type service based on resource usage (e.g. licensed or unlicensed spectrum, QoS, applications).
The 5G core network shall support collection of charging information for a 5G LAN-type service when a UE joins or leaves a specific private communication.
The 5G core network shall support collection of charging information for a 5G LAN-type service for both home and roaming UEs based on the UE's HPLMN.

9.3  5G Timing Resiliency |R18|

The 5G system shall be able to collect charging information based on the timing source (e.g., the source in use, start and stop of source usage).
The 5G system shall be able to collect charging information per UE for use of a timing source (e.g., start/stop time and source used by a UE, timing source used by UE, holdover capability).
The 5G system shall be able to collect charging information on 5G system timing resiliency (e.g., resiliency KPIs, holdover capability, number of UEs using a certain timing source).
The 5G system shall be able to collect charging information per application using 5G timing resiliency, including 3rd party application, (e.g., timing resiliency KPIs, holdover capability, number of UEs using a certain timing source).

9.4  Satellite Access |R19|

In a 5G system with satellite access, charging data records associated with satellite access(es) shall include the location of the associated UE(s) with satellite access.
A 5G system with satellite access supporting S&F Satellite operation shall be able to collect charging information per UE or per application (e.g., number of UEs, data volume, duration, involved satellites).
A 5G system with satellite access shall be able to collect charging information for a UE registered to a HPLMN or a VPLMN, for UE-Satellite-UE communication.

A  Void

B  Void

C  Relation of communication service availability and reliability

