The NCSC Chimes in for 5G Security
|
NEWS
|
5G security is increasingly gathering a lot of attention and ABI Research posits that cyber-security operations regarding 5G connectivity are lacking in certain key areas. Stakeholders might need to re-think their long-term strategies, especially when certain high-profile Mobile Network Operators (MNOs) and vendors are dominating the value chain and extending their reach in other geographic areas worldwide. All signs point toward 5G increasing the cyber-threat surface across the board.
Essentially, this may well boil down to one key factor: Internet of Things (IoT) integration. The premise of having such a high-powered, IP-enabled cellular technology intertwined with billions of IoT devices and systems worldwide will expand both network- and internet-related threats. This has the potential to affect most related verticals and end markets that chose to invest in 5G: critical features in automotive, smart city integrations and public security, energy, critical infrastructure, healthcare systems, industrial/manufacturing, and Industrial IoT (Industrial Internet of Things), enterprise and, of course, consumer verticals.
Is 5G Good or Bad for Network Security?
|
IMPACT
|
By itself, 5G does not “help” or “hinder” security, since it all depends greatly on the target implementation. The key difference that implementers need to keep in mind is the edge versus core processing. In 4G, there is a clear distinction between the network core (which processes the data) and the edge (which allows for user connectivity). In 5G, these two operations will be intertwined and supported by virtualized hardware components with software from multiple vendors at the same time (and potentially from different countries), which might significantly affect the overall security posture. Some claim this might increase security since there might be no single point of failure (i.e., no separation between core and edge); others point out that certain vendors with less-than-optimal security measures or perhaps even sinister intentions might compromise the network (in some cases, even in another country). This is in tune with the U.S. executive order issued on May 15, 2019 regarding foreign threat actors that constantly monitor and exploit vulnerabilities in network and communication systems.
To put it simply, in practice, assigning a “critical component” tag on certain parts of a network or system (or any technology really) is a good thing. This allows organizations to clearly address the security functions in key technological components before moving on to other system functions. If this core and edge merge in 5G networks means that this separation between critical and non-critical components becomes rather blurry, then risk-assessment needs to be addressed, standardization and regulations implemented, and multiple security aspects reworked for each different implementation and vertical. This does not necessarily mean “no core network,” but rather that the core will be split up into many smaller base-stations that might not have the ability to enhance the cyber-security operations that will be required in some cases.
What to Expect in the Future
|
RECOMMENDATIONS
|
Looking ahead, all involved and opposed parties should not be too quick to outright adopt or blindly combat future 5G integrations but rather seek to reach an appropriate level of tolerance—an acceptable security threshold per se—which will clearly outline the security scope for involved use case scenarios while also taking into account the monetary infrastructure investments that might be required.
Security prerequisites for 5G will change considerably, and one must also keep in mind that the tech migration and transition from 4G will not be easy for some verticals in IoT that historically have a higher dependence on legacy tech (e.g., industrial and manufacturing). This potentially includes different network segmentation, more secure gateway components and firewalls, and the introduction of more potent behavioral network monitoring and intruder prevention systems, virtualization and software container aspects, encryption key lifecycle management, consistency over patching and firmware updates, and anti-Distributed Denial of Service (DdoS) measures, among a host of other variables, while still keeping in mind the number of vendors, network operators, implementers, government agencies, and/or any other entities that need to be part of that security value chain. On the other hand, if only a small number of vendors control access, then that might greatly increase the chances for network exploitation, greatly propagate vendor-specific vulnerabilities, increase risk for data privacy concerns, or enable third-party access, outright fraud, or unlawful conduct threating citizen rights.
The bottom line is that cyber-security concerns are still at the bottom of the implementation list for a large percentage of organizations worldwide. There are still a great deal of security concerns that are, even now, quite prevalent across the entire tech spectrum and relate to technologies that are quite familiar to organizations (including cellular tech like 4G or industry-specific protocols like Modbus). If companies fail to combat the already-known security issues of familiar technologies and protocols, one can only speculate the impact that a new technology like 5G will have on the entire IoT spectrum if security is not properly addressed.
