For operators, 5G security is a rapidly rising priority, in part because of national legislation, but also because they recognize its growing importance to their customers and in turn their profits. It's complex and time consuming but unquestionably necessary.
Consumers sensitivity to security has become larger with the increase in phishing during the COVID-19 lock downs, but businesses have far more to gain from 5G so the impact of security could be felt by enterprises first.
5G can drive productivity to the extent the term "industry 4.0" has been coined to describe its impact. An example is a factory owner -- the manufacturer can monitor environmental conditions, machinery performance, supply chain logistics and product quality via IoT sensors, then feed this huge volume of data into AI or ML algorithms and gain the ability to push improvements to smart factory equipment, streamlining and increasing output like never before. However, as early adopters they would be deploying applications that are new and lack security maturity.
Security by design is key, but is currently lacking in a majority of solutions. There are a number of reasons why.
Smaller IoT hardware can't support security in the same way a laptop or mobile phone could as it simply doesn't have the resources to host antivirus, malware or other protection.
IoT can be a very cost sensitive and this coupled with the significant "first to market" advantage in the sector means most IoT devices use generic hardware and software to reduce costs. This inevitably compromises the control and granularity of design, and in turn security. It also proliferates vulnerabilities into multiple and diverse IoT solutions, sometimes with no obvious association between them.
Some IoT solutions cannot be secured from the planning stage as they augment existing equipment. For instance, it may be commercially unfeasible to retool the manufacturing plant with smart machinery, but adding a small interface would be an option. This is not security by design and cyber vulnerabilities are more likely as a result.
It only takes one seemingly small weakness in the IoT ecosystem to cause an issue. Famously, a casino was hacked using a fish tank thermometer. This is an industry that for many years has employed the zero trust model with tiers of customer and employee surveillance and has security ingrained into its psyche. Nonetheless, this was undone by an oversight due to the perceived lack of risk. As more and more IoT is deployed it's estimated there will be 41 billion devices by 2025 this threat increases exponentially.
Cellular IoT provides significant security advantages over other IoT connectivity methods, such as Sigfox or LoRaWAN, in that it uses licensed spectrum which is much more difficult to block and utilizes eSIM/SIM technology. The SIM is central to how mobile operators secure access to their networks and as such has the benefit of 30 years of investment and development to secure these billion dollar companies' core business activity.
Ultimately, for 5G and IoT to truly succeed it has to be driven by the enterprise. It is only at this level that true innovation can really flourish, which means the mobile operators need to adopt a position to facilitate this. This is a proven strategy as it mirrors the practices of the hyperscalers: Azure, Google and AWS, but for connectivity.
To achieve it, the operators will need to be open to more varied and niche vendors in their network. They will need to provide access at many more points of their networks, all the way to the core. The access needs to accommodate and support API interfaces to seamlessly integrate the applications driving the IoT physical devices. All of this is new technology increases risks, not least from the supply chain, and also changes how operators control the networks to maintain the level of service we expect.
5G will draw a broader map, with more vendors and more technologies, and calls for more diverse security skills than ever before. Effective security must be embedded throughout the cycle, from device though the network to the applications. This is true in not only recognizing threats but also addressing them.
Cooperation between network operators, network vendors, IoT manufacturers, system integrators, security professionals and the users of 5G is the only way protection can scale to secure 5G. Enabling that collaboration is just as important as any particular technology.
Jimmy Jones, Telecoms Cybersecurity Expert, Positive Technologies
About the author
Jimmy Jones is a telecoms cybersecurity expert at Positive Technologies, a global cybersecurity company that has pioneered research into telecoms security, discovering numerous methods for exploiting telecoms vulnerabilities and dozens of zero-day flaws in telecoms systems. Jones has worked in telecoms for over 20 years, developing a wide range of expertise through a variety of engineering roles within major operators such as WorldCom (now Verizon), and vendors including Nortel and Genband. He began his career working extensively on legacy telecom exchanges, moving from maintenance, to commissioning and integration, and then specializing in protocol interoperability testing. In 2005, he transitioned into telecom security, taking up a position with a vendor specializing in SIP and Session Boarder Controller equipment. He joined Positive Technologies in 2017 to once again widen his horizons in information security, while utilizing his extensive experience of telecom operations.
Photo by Sebastian Scholz (Nuki) on Unsplash.