With 5G poised to become widely available across the globe, enterprise organizations need to seriously consider the security implications of deploying the technology.
Over the next few years, 5G networks are expected to play a central role in enabling new digital transformation initiatives and in supporting new business use cases that are beyond the reach of current 4G-network technology. Driving much of that change will be 5G’s speeds of up to 1Gbps, its 1-millisecond latencies, and its support for up to about 100 times more connected devices per unit area compared to 4G.
Katell Thielemann, vice president at Gartner Research, says the first impact of 5G will be in the form of enhanced mobile broadband services with up to ten times faster speeds than current technology. Over the longer term, expect 5G to enable ultra-reliable low-latency communications for applications such as autonomous vehicles and to support massive machine-to-machine networks with billions of connected sensors and other devices, she says.
Many of these capabilities are still far away from being fully realized. Despite the hype, communication service providers are still building out their 5G networks and some of the standards associated with the technology are still evolving. Even so, security is an issue that organizations should be planning for right now, analysts say.
“5G is emerging as both an accelerator to deployment and as a cautionary tale from a security standpoint,” Thielemann says. “As is unfortunately usual, speed to market and cost considerations are taking precedence over security considerations,” Thielemann notes.
Here, according to Thielemann and others, are the key security considerations that organizations should keep in mind when deploying 5G technologies.
End-point device security
The high speeds and bandwidth available with 5G networks will allow organizations to connect much more powerful sensors and other devices to the internet—and a lot more of them—than currently possible. 5G networks will allow organizations to deploy powerful internet-connected devices virtually anywhere around the world for a variety of use cases—from monitoring industrial control systems to tracking containers and climate and enabling new smartphone and tablet apps.
Protecting these devices—both at the physical and virtual layer—will become far more important than today. A bad actor that infiltrates these connected devices will potentially have the ability to do more damage than possible on an IoT network today, says Scott Crawford, an analyst at 451 Research.
“With 5G networks there’s a lot more computing functionality that you can deploy at the endpoint,” Crawford says. That means organizations will need to pay more attention to tasks like identifying and validating endpoints and ensuring the connected devices are in compliance with security policies before they interact with other devices or with sensitive data.
Because the consequences of an endpoint compromise will be more significant, organizations will need to pay greater attention to enabling endpoint visibility and monitoring for suspicious behavior of connected ‘things’ on 5G networks. “What kind of functionality will you be asking of these endpoints and these networks? How does that functionality expose the organization to risk and how do you mitigate that risk?” Crawford says.
Bigger attack surface
As the capabilities and the number of connected devices on 5G networks increase, attackers will have more things to target, and organizations will have a greater surface to protect. “We are connecting these things to very broad public networks so anyone having an interest in probing security weaknesses or exposures on these networks has a lot more opportunity to do so,” Crawford says. Organizations will need to find ways to implement and enforce security much closer to the endpoint.
Another issue is that base stations and management and orchestration (MANO) functions on 5G networks will become more attractive targets for bad actors as network functions that once used to be centralized are integrated into them.
“Near-edge computing will be an opportunity for the communications companies to bring AI, data processing and computing power to the base station,” says Jason Haward-Grau, CISO at PAS Global. This practice will raise vital questions about who will manage these base stations and whether organizations will be able to fully trust them to be safe from improper access and physical compromise.
The more software-centric nature of 5G networks will also open them up to increased risks associated with software development and update processes, configuration errors and other vulnerabilities, a coordinated report from October 2019 on 5G security risks by the European Commission and the European Agency for Cybersecurity said.
IT operations groups skilled at working with wireless networks and standard hard-cabled networks will likely face challenges—initially at least—with some of the newer characteristics of 5G networks, says Haward-Grau. “The risk is that by deploying 5G without understanding the potential implications, you open up your attack surface not just because you run through 5G, but because you likely run through an external provider,” he says.
The question organizations should be asking is how to ensure that use of the new technology is properly controlled and managed within the environment, Haward-Grau says. “Is this technology mature enough and are there enough of the right people either in the organization or our supplier organizations?”
The EU report identified multiple potential issues tied to a lack of 5G specialists in coming years. Among them were poorly designed and misconfigured networks, poor access control mechanisms, and weaknesses in security measures and processes put in place by mobile network operators. An increase in human errors is likely because of a lack of specialists familiar with some of the more novel characteristics of 5G networks, the report noted.
“The fast-evolving threat landscape and technology and the complexity of 5G networks will lead to an increased need for IT security professionals with specialized knowledge” in areas like cloud architecture, the report said.
5G represents a move away from a centralized hub-and-spoke design with hardware-based switching and chokepoints that could be checked, to a continuously changeable, distributed, software-defined digital routing infrastructure, Thielemann says. “An attacker that gains control of the software managing the networks can also control the network.”
The fact that mobile network operators will need to rely on third-party component suppliers will necessitate a greater focus on supply chain risk management. Threat actors—in particular, state-backed ones—might try to exploit supply chain weaknesses to perform attacks on telecommunications networks, the EU Commission on Cybersecurity warned. Since 5G networks will be predominantly software based, attackers could try and insert hard-to-find backdoors in the products that service providers use to deliver 5G functions.
New considerations in industrial and OT networks
5G will decrease the need for traditional IT infrastructure and allow organizations to more efficiently deploy industrial IoT devices across the operational technology (OT) landscape. The technology will help enable executive mandates for big data initiatives by making connectivity and data gathering easier across the OT environment. However, Haward-Grau believes with these benefits will come new uncertainties and challenges.
“One of the biggest concerns is that 5G-network technology opens up the potential for real time access and modern network connections directly to physical devices. “Traditional thinking has placed ‘walls’ around the ICS environment and leveraged effective firewall and network segregation as a key mechanism to protect critical processes that by design focus on safety and efficiency not security,” he says.
Always-on 5G networks will allow access potentially everywhere at all points in the network, including parts that may not even have been digitized previously. The independent layers of protection that have been at the core of industrial operations and safety for decades will come under new pressures.
In addressing these risks organizations will need to pay more attention to data integrity through the chain of custody, Haward-Grau says. “How will data flow up the enterprise given that it may no longer be on your network from the point of the sensor?”
Write to us firstname.lastname@example.org