As IoT adoption continues to expand and more 5G networks are deployed, IoT security is more important than ever. ABI Research estimates there will be more than 3 billion IoT cellular connections by 2026.
A successful cyberattack on an Internet of Things (IoT) ecosystem may result in the failure of critical systems and even physical danger to the environment and to individuals. Two recent illustrative examples can be found in the attacks on Colonial Pipeline and the New Cooperative, a farming organization in Iowa.
Smart doesn't necessarily mean secure, and we're especially seeing that reality in IIoT (Industrial IoT) environments, in which the threat rises with each new smart device introduced. 5G adds more complexity to this equation: although it is more secure than its predecessors, it creates a whole new environment for threat actors. Accordingly, organizations will still need additional security.
Specific security challenges of 5G implementation
5G implementation provides malicious actors with new ways to infiltrate organizations' systems, networks and applications. 5G deployments face six distinct security risks that organizations should be aware of, according to the Cybersecurity and Infrastructure Security Agency (CISA):
- Zero-day attacks via the supply chain: Bad actors may try to infiltrate 5G networks via the supply chain.
- Expanded attack surface: 5G networks require more components, which increases the number of network edges and access points and ultimately the attack surface. This also exposes the organization to new risks because many of these devices may lack physical security features.
- Built-in vulnerabilities: Building out local 5G networks requires organizations to add more Information and Communications Technology (ICT) components to their infrastructure. These components may not have enterprise-grade security and may come with their own set of vulnerabilities.
- Issues with updating and repairing custom technologies: Custom equipment needed to maintain the interoperability necessary to optimize 5G deployments may become a security and availability risk.
- Legacy technologies: 5G wireless networks are built on a foundation of legacy hardware and software, such as 4G LTE networks, which exposes them to the same known vulnerabilities.
- Misconfiguration: This issue is only going to get more challenging with the advent of 5G networks.
How to improve 5G security
In addition to understanding how 5G will change attack surfaces, vectors and methodologies, organizations must think about where their Mobile Network Operator's (MNO) responsibility begins and ends. Four models exist:
- MNO-Dependent (RAN): The Radio Access Network (RAN) is sliced so that private traffic stays within the enterprise and public traffic moves to the public network.
- MNO-Dependent (RAN and CP): Control Plane (CP) and RAN sharing with the MNO controlling and centralizing signaling and user data management.
- MNO-Dependent (full sharing): Only RAN is present at the enterprise site, with all other 5G components on the MNO public network.
- MNO-Independent: Private 5G network with no connection to the public Internet.
Organizations need to make sure that they understand how their deployment choices might affect their security responsibilities. They also need to consider network slicing, which enables organizations to create traffic-based customizations by dividing single network connections into multiple virtual connections, optimizing the allocation of network resources. As organizations build out their 5G strategies, they need to consider three primary elements.
One is connected devices, especially Internet of Things (IoT) devices, which are more vulnerable and require enhanced security. Another is applications: their authentication, access and firewall policies may differ based on application criticality. The third is network function virtualization (NFV), which coordinates and manages applications, user demands and networks for efficient allocation according to operational and security needs.
Organizations also need to adopt Zero Trust for IoT and 5G networks. It's a strategy based on the notion that any user, device or entity accessing the network is untrustworthy and should only be given access on a need-to-know basis after being authenticated. For a robust Zero Trust architecture, organizations should consider two complementary models. The first is Zero Trust Access (ZTA). All users and devices must provide appropriate authentication before gaining access to networks, and all access must be set using the principle of least privilege.
The second is Zero Trust Network Access (ZTNA). In this model, all users and devices must be appropriately authenticated before being granted access to any application, and all access should be set according to the principle of least privilege.
The main difference between these two models lies in the access point at which users and devices must authenticate. Under ZTA, the access point is the network itself. Under ZTNA, users and devices may be able to access the network, but an additional authentication layer is placed in front of the application.
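The two enforcement points described above can be modeled as a pair of default-deny checks. This is an added example, not part of the original article; the roles, network segments and application names are hypothetical, constructed only to show a device that passes the network check (ZTA) but is stopped at the application check (ZTNA).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    net_authenticated: bool   # identity verified at network admission

# Constructed sample policy (hypothetical names). Anything not listed is denied.
NETWORK_ADMIT = {            # role -> network segments it may join (ZTA)
    "sensor": {"iot-slice"},
    "operator": {"iot-slice", "ops-slice"},
}
APP_ALLOW = {                # application -> roles that may reach it (ZTNA)
    "telemetry-ingest": {"sensor", "operator"},
    "plc-control": {"operator"},
}

def zta_admit(subject: Subject, segment: str) -> bool:
    """ZTA: the access point is the network itself."""
    allowed = NETWORK_ADMIT.get(subject.role, set())
    return subject.net_authenticated and segment in allowed

def ztna_allow(subject: Subject, app: str, app_authenticated: bool) -> bool:
    """ZTNA: an additional authentication layer in front of each application."""
    allowed_roles = APP_ALLOW.get(app, set())
    return app_authenticated and subject.role in allowed_roles

def decide(subject: Subject, segment: str, app: str, app_authenticated: bool) -> str:
    """Apply both models in order and report which layer made the decision."""
    if not zta_admit(subject, segment):
        return "deny:network"
    if not ztna_allow(subject, app, app_authenticated):
        return "deny:application"
    return "allow"

if __name__ == "__main__":
    sensor = Subject("pump-sensor-01", "sensor", net_authenticated=True)
    # On the network, allowed to send telemetry, but not to drive the PLC.
    print(decide(sensor, "iot-slice", "telemetry-ingest", True))
    print(decide(sensor, "iot-slice", "plc-control", True))
```
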
A well-rounded network
The landscape is changing for IoT security as 5G adoption continues. 5G has its own set of security challenges that organizations must keep in mind, as well as their MNO responsibility model. Network slicing, connected devices and Zero Trust all figure in, too. Careful consideration of each of these aspects of the 5G network will help organizations make sound, long-term decisions for their deployment.
Jonathan Nguyen-Duy, Vice President, Global Field CISO team, Fortinet