PTA Releases Strict Security Rules For a Safe 5G Rollout

ISLAMABAD: The Pakistan Telecommunication Authority (PTA) has issued its 5G Security Guidelines 2025 to ensure the secure deployment, operation, and management of 5G networks across the country.

The guidelines aim to protect national telecom infrastructure, critical services, and user data as next-generation networks continue to expand.

The framework is aligned with international standards, including 3GPP, GSMA, ITU, and NIST, to ensure Pakistan’s 5G networks meet globally recognized security benchmarks. PTA has stressed that 5G security is not just a technical requirement but a matter of national security and economic stability, given the technology’s integration with critical infrastructure and digital governance systems.

According to the guidelines, 5G’s cloud-native, virtualized, and service-based architecture significantly increases the cyber-attack surface compared to earlier network generations. To address this, PTA has introduced a Unified Authentication Framework that supports both mobile and non-mobile access, improving network security through centralized authentication.

To safeguard subscriber privacy, the guidelines mandate the use of Subscription Concealed Identifier (SUCI) to prevent IMSI catching and over-the-air tracking. Home Network-controlled authentication is required to reduce roaming fraud and block unauthorized or rogue network registrations. PTA has also mandated strict cryptographic standards such as TLS 1.3 and AES-128, while explicitly deprecating weak algorithms including MD5 and SHA-1.

The framework includes detailed measures for Network Slice Security, ensuring strict isolation between virtual network slices used by sectors such as IoT, industry, and public safety.

Read more: PTA Raids Illegal Phone SIM Issuer in Peshawar

Service-Based Architecture (SBA) security is strengthened through API protection, OAuth 2.0 authorization, mutual TLS authentication, and the use of Service Communication Proxies (SCPs). For roaming security, the guidelines require the use of Security Edge Protection Proxy (SEPP) to prevent inter-operator spoofing attacks.

PTA has warned that end-user devices, IoT endpoints, and edge computing infrastructure pose major security risks due to weak patching practices, legacy hardware, and third-party hosting vulnerabilities. Core network functions are identified as particularly sensitive, as attacks could disrupt authentication, session management, and national-level communications.

Physical security risks at radio access network (RAN) sites and administrative risks, including insider threats and weak identity management, are also highlighted.

To mitigate these risks, the guidelines recommend adopting a Zero Trust Security Model, continuous verification of users and devices, and the deployment of Security Operations Centers (SOC), SIEM systems, and AI-based anomaly detection for real-time threat monitoring.

PTA has also emphasized the importance of post-quantum cryptography readiness, strong governance, regular compliance audits, and close coordination among operators, vendors, and regulators to build a secure and trusted 5G ecosystem in Pakistan.