The Thorny Problem of 5G Security
By Chris Adams
Only a few years ago, putting the words “mobile telecoms security” in the title of an article would be a license to write whatever you wanted below, because no one was likely to read any of the words after the title. Sprinkling the magic ingredient 5G has changed this, and “5G security” is a hot topic now.
For example, last month we saw U.S. Federal Communications Commission Chairman Ajit Pai focus his keynote speech at the GSMA MWC event in Los Angeles on 5G equipment security.
On the other side of the Atlantic, BEREC (Body of European Regulators for Electronic Communications) focused its annual stakeholder event on security in 5G.
What has changed? There is obviously a geopolitical aspect to 5G security, but this is not the full story by any means. Fundamentally, security for 5G is important now because 5G is going to become essential to many more parts of our lives.
While mobile telecom networks undoubtedly are important today, the expected use of 5G as a fundamental enabler of manufacturing, healthcare, smart cities, industry, agriculture, and many other applications makes it a strategically vital part of a country’s infrastructure.
5G is expected to shift the role of mobile networks from their current focus of moving data from one place to another to performing the additional function of control.
The Security Challenge
Before getting into the new security challenges 5G brings, it is important to recognize that 5G networks will be a lot more secure than those operating under previous mobile standards. Security issues — from the air interface (the wireless part that connects your phone to the network using radio waves) to the core network (the “brains” controlling, enabling and managing the mobile network) — have been addressed and mitigated during the standardization process.
5G standards are set in the 3rd Generation Partnership Project, or 3GPP, where security has been addressed with the involvement of other expert bodies, like the Internet Engineering Task Force.
So 5G will start from a much higher baseline than existing mobile systems. Security threats are a constantly evolving arms race, though. The new technologies and new ways of using them will create new vulnerabilities.
There is a lot of excellent information publicly available on 5G security challenges, but these reports often run to hundreds of pages and are written, of necessity, for experts in the field. Although there are many ways of distilling and condensing this information into focused areas, these four stand out:
No. 1: Network Slicing and Virtual Networks
What is slicing? 5G networks will make extensive use of software to perform most of the functions necessary for them to work. In the past this would have been done on dedicated hardware. With 5G it is all in software so things can be changed, customized and reconfigured instantly.
It will allow mobile network operators to create virtual networks that run entirely in software and are customized to customers’ specific requirements. Someone using a slice will be able to combine their own software, systems and network elements with it too.
The potential for new uses and applications is significant, and once it is fully implemented this is going to be a fascinating area of 5G for innovation. It does present a lot of new security threats, however, due to the novelty of new ways of using this new capability, and the speed at which changes can be made.
No. 2 Threat Surface
5G will have lots more base stations, or cells. Using higher frequencies, they will be essential for providing more capacity and the highest performance levels. There also will be many more devices connecting to the network. In particular, the expectation is for lots of 5G connected machines or IoT devices measuring and controlling to make things run more efficiently and generally work better.
The downside to this is something called “increased threat surface,” in security jargon. This simply means there will be more things that can be attacked and need securing. Careful thought will be needed to secure all these new IoT devices, which historically have had lower security standards and capabilities.
It is not just devices that need attention. Lots more small cells on street furniture and in buildings mean that things like physical security will need more careful consideration. Leaving an easily accessible unsecured port at the back of a small cell base station that allows someone to plug a laptop in and take control of the cell is a surprisingly easy mistake to make. In the past, when cell sites were large secured sites, it didn’t matter. In the future it will.
No. 3 Heterogenous Networks
5G will allow separate networks operated by different entities to work together seamlessly. This could mean networks like a private 5G network operated on a company campus, or a community broadband service in a remote village.
It also might include nonterrestrial ones using satellite systems or HAPS. The security risks here are related to the whole being only as strong as the weakest link. Practically, how do you ensure that all the networks being run by different organizations are properly configured, and that consistent security levels are maintained?
No. 4 High Impact Applications
An important part of the 5G security debate concerns the consequences of future security breaches. Currently, if a mobile network stops working it causes problems — but ultimately the impact is that people can’t do the things they normally would, like messaging, watching videos, making calls or using apps. Security breaches also can lead to fraud or data theft.
In the future, if 5G fulfills its expectations, the failure or compromising of a network due to a security breach could be fundamentally different. Scenarios include exposing personal health data, stopping production in a factory for weeks, freezing or crashing autonomous vehicles, stopping a remotely directed medical operation halfway through, to name just a few.
There is an element of alarmism in identifying these types of risks, but the fact remains that when 5G is used for controlling vitally important functions across the economy, security matters more.
That All Sounds Pretty Scary – What’s the Solution?
A lot of things already have been done to address 5G security. Stronger security standards are built into the specifications, for instance. There is a growing focus from governments and regulators on 5G security.
Thinking about these problems early on is vital in making sure any regulation is carefully considered and scrutinized, and works as it is intended to. In this respect, the focus of regulators and governments across the world is a positive sign.
The one place that can make a big difference is in the business arena. Health and safety is an essential activity for any company, and in many industries it carries deep and immediate relevance due to the inherently dangerous nature of the work.
Even though most countries have well-organized rules and processes for ensuring the safety of employees in every industry, people regrettably are still injured and die every year at work. Many governments require companies to document those incidents. The more serious ones are investigated by an official body that produces reports and makes them publicly available so everyone can learn from the accidents.
Reading through the reports from any country with a well-developed system of rules and processes for safety reveals a recurring pattern. Nearly every incident is the result of people not following the rules; management not listening to concerns or pressuring employees to ignore safety to meet deadlines; or rules not being in place even when the safe approach already is known. These failings are cultural and are summed up well by this quote from ACSNI:
“The safety culture of an organization is the product of individual and group values, attitudes, perceptions, competencies, and patterns of behavior … .
… Organizations with a positive safety culture are characterized by communications founded on mutual trust, by shared perceptions of the importance of safety, and by confidence in the efficacy of preventive measures.”
ACSNI Human Factors Study Group: Third Report
Now that 5G security is becoming critical, it is time for companies and organizations to adopt a security culture in the same way that they adopt a safety culture. The request to leaders in any company involved with 5G is to create a security environment that emphasizes three things:
Trust in communications — Those who have concerns about security should know they will be listened to and taken seriously.
Shared values in the importance of security — From the board to the call center, everyone needs to focus on security.
Effective systems and processes — Company leaders should create the rules, process and standards that keep systems and data secure, and follow them.