Part 4 · RAN, Mobility, and Roaming Security

Non-Standalone and Standalone Security

Why "5G" on the status bar doesn't always mean 5G security

“The phone shows 5G. The marketing says 5G. But if it's NSA, the security is LTE's — anchored in a 4G core that never heard of SUCI.” — THE NSA REALITY

Most early 5G was Non-Standalone (NSA): a 5G radio bolted onto a 4G core for speed-to-market. NSA delivers 5G data rates but inherits LTE's security model — no SUCI, no user-plane integrity origin, no SBA. Standalone (SA) is the real 5G security architecture this book describes. This chapter explains the NSA options, EN-DC security, the LTE-anchor dependency, and the security gains of migrating to SA.

🎯 Learning objectives

Explain NSA options (3/3a/3x) and EN-DC.
Describe EN-DC security: the S-K_gNB and SCG bearers.
Explain the LTE-anchor dependency and its risks.
Contrast with the SA security model.
Identify the security gains of NSA→SA migration.

📘 Standards reference box — Chapter 18

Specification	Title	Release / version verified
TS 33.401	EPS security — EN-DC / dual connectivity security	Rel-18 edition
TS 33.501	5G security (SA)	Rel-18, v18.11.0 (2026-04)
TS 37.340	Multi-connectivity (EN-DC) overall description	Rel-18/19 edition

Checked June 2026 — verify against the latest 3GPP version. NSA security is anchored in TS 33.401 (LTE), not TS 33.501.

18.1 NSA Options and EN-DC

FIGURE 18.1NSA Option 3/3a/3x — the Anchor Is LTE

Purpose: the defining fact of NSA. The 5G NR is a secondary leg for throughput; the LTE eNB and 4G EPC own the control plane and security — so NSA security is LTE security.

FIGURE 18.2EN-DC Security Architecture

Purpose: how the NR leg is keyed in NSA. The secondary gNB receives an S-K_gNB derived from the LTE master's K_eNB — so even the 5G radio's keys are rooted in LTE, not 5G.

FIGURE 18.3S-K_gNB Derivation and the SN Counter

Purpose: the freshness mechanism for the secondary leg. The SN Counter plays the role NCC plays in SA handovers — ensuring each S-K_gNB is fresh.

FIGURE 18.4SCG Bearer Security Setup Flow

Purpose: how an NSA secondary leg comes up securely. The master adds the secondary, passes the SN Counter, and the UE derives the matching S-K_gNB — all within LTE's security framework.

18.2 The LTE Security Ceiling

FIGURE 18.5NSA Inherits LTE's Security Ceiling

Purpose: the headline. NSA's 5G is real for throughput and unreal for security — every 5G security advance in this book requires SA.

FIGURE 18.6What NSA Cannot Give You — vs SA

Purpose: the migration motivation in one table. The "✗" column is the list of 5G security features a subscriber forfeits on NSA — the concrete reason SA matters.

FIGURE 18.7SA Security Model — the Real 5G (Recap)

Purpose: the contrast and the recap. SA unlocks the whole book; the chapter references show how much of "5G security" simply requires SA to exist.

FIGURE 18.8NSA → SA Migration — Security Gains by Phase

Purpose: migration as a security upgrade, not just a performance one. Moving to SA is what switches on the protections — a concrete argument for prioritizing it.

FIGURE 18.9Mixed NSA/SA Network — Threat Picture

Purpose: the operational reality during migration. A mixed network has a heterogeneous security posture; attackers herd UEs toward the weaker NSA areas — so monitoring must span both and watch for forced downgrades.

FIGURE 18.10Migration Risk Checklist

Purpose: the migration security job on one card. The transition period is a heterogeneous-security window that needs active management, not just a capacity rollout.

18.3 The Practical Operator View

Be precise in risk assessments: "5G NSA" means LTE security. Don't claim 5G security features you can't deliver until SA.
Prioritize SA for security-sensitive use cases — enterprise slices, IoT needing UP integrity, anything where SUCI matters.
Secure both cores during coexistence — EPC and 5GC run in parallel for years.
Monitor NSA/SA split and forced downgrades (Chapter 26).
Verify SA features are active, not just present — deployed ≠ enabled (Chapter 1 example).

Common misconfiguration risks

Assuming NSA delivers 5G security in compliance/risk documents.
SA deployed but key features (SUCI scheme, UP integrity) left off (Chapter 1, 4, 9).
No monitoring of forced downgrades from SA to NSA/LTE.
Neglecting EPC security because "we're moving to 5G" — it's still live.

18.4 Threats and Mitigations

Threat	Vector	Defense
Identity exposure	NSA has no SUCI	migrate to SA; until then accept LTE limits
User-plane modification	NSA has no UP integrity	SA with UP integrity required
Forced downgrade	push UE SA→NSA/LTE	monitor downgrades, prioritize SA coverage
Roaming attacks	NSA uses Diameter	SA + SEPP
Misrepresented posture	"5G" ≠ 5G security	accurate risk assessment

18.5 Terminology, Example, Checklist

Term	Meaning
NSA / SA	Non-Standalone (LTE-anchored) / Standalone (full 5GC)
EN-DC	E-UTRA–NR Dual Connectivity (the NSA radio model)
Option 3/3a/3x	NSA variants differing in where user-plane traffic splits
S-K_gNB	Secondary gNB key derived from the LTE K_eNB
SCG bearer	Secondary Cell Group bearer (the NR leg in EN-DC)

Real network example. An operator's security questionnaire to an enterprise customer claimed "5G security including user-plane integrity protection." The enterprise's own auditor checked and found the service ran on NSA — an LTE core with a 5G radio, which has no user-plane integrity at all. The claim was simply false for that deployment: NSA's security is TS 33.401 (LTE), and the advertised 5G protections don't exist until SA. The operator had conflated "5G radio" with "5G security." Fix: correct the security documentation to reflect the actual (NSA/LTE) posture, and fast-track SA for the enterprise slice that genuinely needed UP integrity. The status bar said 5G; the security spec said LTE — and only one of them was true.

Document the actual posture (NSA=LTE security) accurately in risk/compliance.
Prioritize SA for use cases needing SUCI, UP integrity, slicing security.
Secure both EPC and 5GC during coexistence.
Monitor NSA/SA split and forced downgrades.
Verify SA security features are enabled, not merely deployed.

★ Chapter Summary

NSA (Option 3/3a/3x, EN-DC) bolts a 5G NR leg onto a 4G core; the LTE eNB is master and the EPC is the anchor — so NSA security is LTE security (TS 33.401).
The NR leg is keyed by S-K_gNB derived from the LTE K_eNB, with an SN Counter for freshness.
NSA cannot provide SUCI, user-plane integrity, SBA/OAuth security, SEPP roaming, or full slicing security — those require SA.
SA is the prerequisite for 5G security; migration is a security upgrade, switching on the protections phase by phase.
Mixed networks have heterogeneous posture; monitor for forced downgrades and don't mistake "5G radio" for "5G security."

? Review Questions

In NSA Option 3, which node is master and which core is the anchor, and what does that mean for security?
How is the NR leg keyed in EN-DC, and from what does S-K_gNB derive?
List five 5G security capabilities NSA cannot provide and why.
Why is SA a prerequisite (not an optimization) for 5G security?
What is a forced-downgrade attack in a mixed NSA/SA network, and how do you detect it?
Why must both EPC and 5GC be secured during migration?
A vendor claims "5G UP integrity" on an NSA deployment. Why is this false?
What does the SN Counter do in EN-DC, and what SA mechanism is it analogous to?

🧪 Mini lab — NSA vs SA posture audit

For a network (real or hypothetical) running both NSA and SA: (1) For a UE on NSA, list which of these are active: SUCI, UP integrity, SBA core security, SEPP roaming. (2) Repeat for a UE on SA. (3) Identify which of your services/slices genuinely need the SA-only protections and would be misrepresented if claimed on NSA. (4) Design the monitoring that would tell you what fraction of traffic is on NSA (LTE-level) security at any moment, and alert on forced downgrades. (5) Write one honest sentence describing your network's security posture that distinguishes "5G radio" from "5G security." This audit is exactly what separates a marketing claim from a defensible compliance statement.