The future is 5G
5G is primed to fuel technology and business innovation that will disrupt industries from automotive and energy to agriculture and city management.
While 5G presents immense opportunities for businesses to launch innovative services, there are new cyber security risks and concerns to be addressed. The highly connected 5G ecosystem comes with challenges such as expanded, large attack surfaces with multiple entry points; difficulty in detecting anomalies and security incidents; and complex security standards that leave loopholes for hackers.
5G players need to be one step ahead and ensure proactive defense by leveraging technology advancements. This paper recommends four key security principles and strategies for 5G players to improve network reliability and customer trust. We also share an actionable roadmap to help enterprises mitigate advanced security risks.
The journey to proactive security begins by adopting four key principles, namely implementing security by design, taking a zero-trust approach, automating vulnerability management, and building cyber-resilient networks.
The evolving 5G landscape
Enterprises are poised to harness 5G’s functional capabilities, such as high reliability, low latency, and enhanced mobile broadband speed.
However, assuring end-to-end security for the exponentially growing number of 5G use cases is a foundational need for successful and wider adoption of the technology. This is particularly important given that several reports warn of real risks. One US government report indicates that growth of 5G technology and its use cases could “introduce significant risks that threaten national security, economic security, and impact other national and global interests.”
Industries and communities will rely on the demonstration of positive security assurance from stakeholders, as the technology ecosystem of these use cases, including 5G, is vulnerable to numerous cyberattacks by hackers and nation-state actors with different motives.
Securing 5G networks
5G networks run the risk of inheriting vulnerabilities from 4G. By embedding security at the core, enterprises can proactively fend off threats.
We believe the journey to proactive security begins by adopting four key principles—implementing security by design, taking a zero-trust approach, automating vulnerability management, and building cyber-resilient networks.
1. Security by design: Various stakeholders involved in the 5G ecosystem must adopt security by design and implement prescribed design-level controls (Table 1).
Inappropriate isolation and authentication controls on network slices expose them to DoS attacks and to the risk of disclosing customer location data. In such a scenario, bolt-on security controls, or security as an afterthought, prove inadequate, costly, and susceptible to multiple attacks. Secure boot environments, pervasive data protection, subscriber data privacy, least privilege, and resilient systems are some of the key design principles to be factored into design life cycles to make 5G secure.
The different stakeholders involved in the 5G ecosystem will need to adopt the security-by-design principle and implement design-level controls. Including design principles during system development strengthens security with built-in controls. Adherence to design principles improves security posture and compliance, and reduces the cost of fixing security bugs.
2. Zero trust principle: Establishing trust and continuously validating it is key to mitigating potential attacks on 5G networks. Unlike 4G LTE, where the mobile packet core is centralized with a clearly defined network perimeter, 5G uses technologies like multi-access edge computing (MEC), which have practically blurred the perimeter. 5G’s service-based architecture comes with loosely coupled systems involving multiple stakeholders and increases the attack surface with multiple entry points into the network. In non-standalone rollouts, mixed usage of 4G LTE and 5G components introduces additional risks.
Hence, traditional methods of implicitly trusting the network post authentication are no longer sufficient in the new ecosystem. Embedding the following five zero-trust principles will bolster security in the 5G landscape:
Never trust, always verify: The many entities involved in the 5G ecosystem, including subscribers, network nodes and management users, must be authenticated for every session through various authentication mechanisms such as digital identities, devices, device states, and contextual risk analysis.
Provide least privilege: Grant policy-based access (role-based and/or attribute-based access) to the required resources with the principle of least privilege. Access to critical systems, including HSS (home subscriber server) and MME (mobility management entity), should be designed purely on a least-privilege basis.
Reduce attack surface: Mechanisms like segmentation and segregation of applications and systems help in reducing the attack surface and increasing the visibility of east-west traffic.
Enhance visibility: Enterprises cannot protect what they cannot see. So, there is a need to establish mechanisms to collect telemetry data from edge, radio access networks, and within the core, including north-south traffic and east-west traffic. Enterprises must analyze this telemetry data at the source for any pattern deviations from the baseline traffic to identify indicators of compromise (such as Distributed Denial of Service attacks and malware traffic).
Offer data-centric security: 5G handles various types of sensitive data sets including subscriber and billing data. Hence, it becomes critical to persistently secure these using data protection mechanisms. These methods must leverage native database encryption at the HSS level and include TLS-level encryption (transport layer security) for data in motion and IPsec for backhaul communication protection.
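The baseline comparison described under "Enhance visibility", as an added example that is not part of the original paper: it scores the latest per-source request rate against that source's own history using a median/MAD score, and also flags sources that have no baseline at all. The source names, sample counts and the 3.5 threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample telemetry: requests per minute per traffic source.
# Names and numbers are illustrative, not taken from any real network.
BASELINE = {
    "edge-mec-01": [118, 124, 121, 130, 119, 127, 122, 125],
    "ran-gnb-17": [940, 955, 948, 962, 951, 939, 958, 946],
    "core-east-west": [300, 310, 305, 298, 307, 312, 301, 304],
}
LATEST = {"edge-mec-01": 126, "ran-gnb-17": 4210,
          "core-east-west": 309, "core-new-nf": 15}


def robust_z(history, value):
    """Modified z-score from median and MAD (median absolute deviation).

    Unlike mean/stddev, a few earlier outliers in the history do not
    widen the baseline enough to hide the next one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def find_deviations(baseline, latest, threshold=3.5):
    """Return (source, value, reason) for every source that needs a look."""
    alerts = []
    for source, value in sorted(latest.items()):
        history = baseline.get(source)
        if not history:
            # A source never seen before is itself a deviation from baseline.
            alerts.append((source, value, "no-baseline"))
            continue
        z = robust_z(history, value)
        if abs(z) > threshold:
            alerts.append((source, value, "spike" if z > 0 else "drop"))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(BASELINE, LATEST):
        print(alert)
```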
3. Robust and automated vulnerability management: The dynamic nature of 5G services invariably introduces new risks and exposes vulnerabilities present in the software code, APIs (application programming interfaces), and microservices. Managing these vulnerabilities manually without prioritization becomes a daunting task and vulnerabilities pile up over time.
This necessitates setting up a robust vulnerability management program that has elements of threat-based prioritization, aggregation capability, and automation to handle the various tasks and remediation.
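The aggregation and threat-based prioritization named above, as an added example that is not part of the original paper: duplicate findings from several scanners are merged per asset, then ranked by severity, asset criticality and known exploitation rather than by CVSS alone. Scanner names, asset names, vulnerability placeholders, weights and SLA thresholds are all constructed assumptions.

```python
# Constructed findings from three hypothetical scanners; vulnerability ids
# are placeholders, not real CVE numbers.
FINDINGS = [
    {"source": "container-scan", "asset": "mec-app", "vuln": "VULN-A", "cvss": 9.8},
    {"source": "sast", "asset": "mec-app", "vuln": "VULN-A", "cvss": 9.1},
    {"source": "api-scan", "asset": "billing-api", "vuln": "VULN-B", "cvss": 7.5},
    {"source": "container-scan", "asset": "hss-db", "vuln": "VULN-C", "cvss": 6.5},
    {"source": "api-scan", "asset": "hss-db", "vuln": "VULN-C", "cvss": 6.8},
    {"source": "sast", "asset": "billing-api", "vuln": "VULN-D", "cvss": 5.3},
]
EXPLOITED = {"VULN-C"}  # assumed threat-intel feed: seen exploited in the wild
CRITICALITY = {"hss-db": 3, "billing-api": 2, "mec-app": 1}  # assumed weights


def aggregate(findings):
    """Merge reports of the same vuln on the same asset; keep the highest
    CVSS and remember which sources reported it."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["vuln"])
        entry = merged.setdefault(
            key, {"asset": f["asset"], "vuln": f["vuln"], "cvss": 0.0, "sources": set()}
        )
        entry["cvss"] = max(entry["cvss"], f["cvss"])
        entry["sources"].add(f["source"])
    return list(merged.values())


def prioritize(findings, exploited, criticality):
    """Rank merged findings and attach a remediation SLA in days."""
    ranked = []
    for item in aggregate(findings):
        score = item["cvss"] * criticality.get(item["asset"], 1)
        if item["vuln"] in exploited:
            score *= 2  # active exploitation outweighs raw severity
        sla = 2 if score >= 40 else 14 if score >= 15 else 60
        ranked.append({**item, "score": round(score, 1), "sla_days": sla})
    return sorted(ranked, key=lambda r: (-r["score"], r["asset"], r["vuln"]))


if __name__ == "__main__":
    for row in prioritize(FINDINGS, EXPLOITED, CRITICALITY):
        print(row["vuln"], row["asset"], row["score"], row["sla_days"])
```

On the constructed data, the medium-severity issue on the subscriber database ranks first because it is both exploited and on the most critical asset, while the CVSS 9.8 finding on the low-criticality edge application ranks last.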
4. Building cyber-resilient networks and systems: Security enhancement measures, however robust, cannot offer 100% immunity from cyberattacks. 5G players can improve resiliency by:
Identifying critical assets and the potential lucrative targets of adversaries through business-impact analysis.
Referring to a standard cybersecurity framework (NIST 800-160) and guidance from 3GPP/ITU to identify suitable security controls.