In developing markets, 5G will bring connectivity capabilities that don’t exist currently. Across the world, 5G is a game changer in terms of supporting the Internet of Things (IoT), connecting devices to deliver everything from smart transport networks and driverless cars, to the provision of health services and energy. It will underpin and enable connectivity across all our critical infrastructure. The potential is limitless – as is the security threat.
The Risks of 5G
With greater connectivity comes greater risk.
The surface area for an attack increases, effectively, with 5G, and the more connected devices there are, the more vulnerabilities. The benefit of 5G is the speed at which we can connect – that means attacks can happen faster, too. The future of warfare, arguably, is in taking down infrastructure; imagine the disruption from compromising a nation’s energy or water supply, interfering with data-driven healthcare and medical supplies, or taking over a capital city’s transport network.
This potential threat is why some governments are wary of 5G equipment providers who may have links (real or perceived) to state-sponsored security services. The wrong kind of access to 5G hardware could, in theory at least, give you a back door into national infrastructure.
As more countries adopt 5G, these threats will increase. We’ll see an increase in availability of bandwidth over 5G – which is significantly harder to track than wired networks. Tracking attackers will also take longer as they can use IPv6 with cloaking over 5G networks, masking their trail somewhat.
There’s also physical security to consider. We’re going to have more physical locations for 5G technology infrastructure, and they’re unlikely to be as secure as current sites are due to their location and number.
The Current Security Picture
Currently, in developing countries, most IoT networks are isolated in the wider network. There are individual use cases, but as 5G is rolled out, more and more devices will connect to each other. We need to start thinking about IT and OT (operational technology) networks as the same thing, under a combined security framework.
Any system is only as secure as its weakest endpoint, and that could be a smart meter, an autonomous car or a robotic surgery device in a new, interconnected world. Calculating the number of connected devices is inherently impossible but it’s fair to say they will exceed the number of laptops or smartphones even today, these representing a substantial risk to networks.
Security is as critical to the success of the 5G roll-out as getting the right hardware in the first place. But who do we trust to deliver that security? Who is responsible for securing our infrastructure? We have minimum global security standards for 5G. But not all 5G networks operate in exactly the same way, and there’s plenty of room for interpretation.
As with most standards, they lay out the bare minimum, and can’t possibly be expected to go into the detail of all the different variations of service or hardware providers involved in the network.
The future of 5G security
Some organisations will specialise in running smart meters. Others will focus on autonomous vehicle technology. They’ll operate differently, with different vulnerabilities. Experts in the national grid will know more than an overseeing body within government what the specific vulnerabilities might be in their environment. What equipment is connected to the network (and how secure is it)? What data is being transferred (and how is it secured, stored and mirrored)? What’s the risk versus reward – and how much risk is deemed acceptable to keep costs down?
The security risk posed by a vulnerability in my washing machine isn’t the same as a backdoor into the transport network, for example. Even government standards will change depending on location. And so will their priorities. Richer nations might be able to ban an equipment provider that’s perceived as a security threat, but nations with less capital to invest might be attracted to its low price and overlook the potential risk.
All countries will put their own financial interests first – the US is likely to favour American equipment providers or equipment from allied nations, in the same way that Chinese allies – or nations benefitting from Chinese investment in Africa, for example – might favour Huawei.
Then there’s Vodafone, which is working to launch an Open RAN (Radio Area Network) in Europe and Africa with strategic vendors Dell, NEC, Samsung Electrics, Wind River, Capgemini Engineering and Keysight Technologies.
The big question is: who is responsible for securing the new networks and devices that 5G will enable? There is an assumption that it is the hardware providers. Manufacturers of washing machines will have to be security and data transfer specialists or hire people who are.
Private networks put the onus of security onto the enterprise; public network security becomes the network operator’s problem. There are some big questions. Identity verification and authentication is part of all our lives now when we log in to a bank account or utility service, but it’s harder to authenticate a robot, if part of your system is automated.
There have to be strict security rules for any device that’s going to attach to the network, to validate entry to it using something more than a device ID . We’re seeing unique codes being generated (a bit like a software licence key) which can be created by an authorised computer.
But that has flaws – what humans make, humans can break – and with the kind of computing power available today, decrypting a code is simply a matter of time. So, we see the entry of dynamic encryption keys that don’t stay constant to stay ahead of the hackers. It’s a race. No sooner does technology evolve, than hacking increases in sophistication. You can buy a cybercrime kit as a service, now, if you know where to look, complete with robots to deliver DDOS attacks, 24//7 support team and even ‘try before you buy’ schemes available for first-time buyers.
This is big business, and the stakes are high. Most enterprises I talk to are fairly early on in their 5G roll-outs, and determining the possibilities and use cases that will most benefit their businesses.
5G is still in its infancy, and smart cities are still at the proof-of-concept stage. But there are huge possibilities, particularly in the developing world where traditional infrastructure has been patchy. It is critical that we think about – and design – security right at the point at which we envisage the 5G network, and think about it holistically, across IT and OT networks.
We often talk about the ‘race’ to roll out 5G networks. But that’s not the race to win. We should be focusing on the race to build the security for those networks. For that to happen, government, standardisation organisations and 5G providers must work together to set, apply and regulate security standards, constantly assessing risk – and the organisation responsible for setting the standards, 3GPP, is complex and will only grow in complexity as more members are added to its groups.
Unless we want to rely on trust that this public-private partnership will deliver to secure a nation’s infrastructure, we need effective regulation and oversight to enforce those standards, both globally and locally
By Jon Harrod, Director ISG
Jon specialises in the IT and data network/telecommunications sectors with over 25 years’ delivery, programme and transformation management experience. Jon’s business management experience includes leading the definition, design deployment and delivery of global data network services; analysis of complex sourcing service contracts; product and portfolio management.
Jon has a strong background in managing technical support, network communication infrastructures, business systems and data centre operations, with a proven ability to plan and lead successful business system and network infrastructure design, implementation and migrations at client, national and global levels.
Since joining ISG Jon specialized in IT and Managed Data network Services leading the definition, design and delivery of projects through-out Europe, North and South America and Asia Pacific in the Public, FMCG, Manufacturing, Financial Services, Petrochemical and Pharmaceutical sectors., having recently led the following complex engagements:
• HSBC – Global stream lead for Network Services (Voice/Data) sourcing advice and vendor management.
• Shell-Assessment of global IT and Managed Network Services contracts and pricing.
• British American Tobacco – Lead consultant for sourcing review of global network services. • BP – Sourcing advisory and scenario planning of global telecoms.
• Credit Suisse – WAN and voice Performance Improvement initiatives to consolidate European voice and data networks
ISG (Information Services Group) (Nasdaq: III) is a leading global technology research and advisory firm. A trusted business partner to more than 700 clients, including more than 75 of the world’s top 100 enterprises, ISG is committed to helping corporations, public sector organizations, and service and technology providers achieve operational excellence and faster growth.
Published in “SPECIAL REPORT: CYBERSECURITY”. Copyright © 2021 Developing Telecoms Ltd.