5G Security: What questions should we really be asking?

237

[ This article was originally published here ]

5G is set to dramatically impact the way we interact with our environment. Indeed, almost everything from the way our goods are produced to the cars we drive, to the buildings we work in will be touched by this next-generation connectivity technology.

Over the next five years we will have created billions of connections that use 5G, which ultimately means we need to start thinking seriously about how this infrastructure can best be secured and maintained on a global scale and, of course, in the long term. This comes down to understanding how the technology differs from its predecessors 3G and 4G, as well as why security must be at the heart of its deployment.


Below, we go through four key questions that can help map out security areas that must be addressed.

How do the security risks of 5G compare to those presented by 3G and 4G?

Being a progression of both 3G and 4G technology, 5G has taken key lessons from previous mobile connectivity technologies. Indeed, many of the security threats surrounding 5G, for example jamming, eavesdropping, man in the middle attacks, and denial of services already existed for 4G and 3G networks. As such, 5G developers have been able to consider these threats in their standardisation work, architecture design, and network deployment, to better protect users against these established attacks.

However, the novelty we have with 5G is the ability to deploy new use cases that were only possible in a limited way with 4G or 3G. For instance, with 5G you can now slice the network into segments (aka logical networks).

So, because we are using the network in a way that is completely different to previous mobile generations, we need to look more closely at security, not because the types of attacks are new but because the nature of the network is different to its predecessors. Given this, all the new elements that needed to use the technology must also be secured.

Indeed, in a recent survey conducted by Telecoms.com when respondents were asked what their main concern was about 5G security, over 40% stated it was the usage of more complex and potentially unsecured network technologies, that concerned them the most.

Where do the new opportunities/risks with the technology lie?

When it comes to new opportunities or risks posed within the core 5G network there are two key points to consider.

Slicing, for example, is one of the new innovations of 5G that will change the way we think about network connectivity. A slice is a dedicated, logical partition of the whole radio access network – including everything from edge to core – that is adapted to your requirements, for instance customised latency and bandwidth.

In other words, slicing is changing the way we conceive networks: instead of having service providers adapting their use cases to an (almost) monolithic network, now the 5G network is adapting itself to the use cases.

Secondly, with 5G, cloud native virtualisation can be used to partition the network and split it for your desired use case. This could be anything from a private gaming network, a smart city network, or even a smart hospital network. Overall, this will result in a greater elasticity, robustness, secure, and stable operations.

However, mobile network operators must be able to ensure an adequate level of security on these slices and networks – with high levels of authentication to safeguard data confidentiality and integrity. Without this adequate level of security, some customers could be tempted to use alternatives.

5G Critical Security ft. Thales

Whose responsibility is it to create security standards?

The regulation and standardisation of 5G is exceptionally important as we start to roll this technology out. Already we’ve seen various governments and industry bodies analysing what the risk that 5G networks pose and defining what the mitigation measures will need to be.

5G standards as worked out by ETSI and 3GPP have a specific and permanent focus on security and aim to complement work by industry bodies, defining the adequate implementation per vertical market or geography.

In addition, initiatives coming from associations like GSMA are also looking into creating a certification scheme for core elements of the network to make sure equipment providers have security built into the design of their products.

Only with a strong framework of certifications an adequate level of end-to-end security for 5G can be ensured.

While the way in which 5G standards are implemented may vary from country to country (based on what regulation a government determines is required), the standards on the equipment itself will apply universally.

How can we start to proactively prevent security risks from 5G?

Security and trust must be at the heart of 5G for it to work as intended. One way mobile network operators can garner this trust is to make sure there is a strong level of primary authentication for customers, by providing them with highly secure tamper-resistant, certifiable hardware (e.g. 5G SIM cards).

On the network side, the best thing companies can do is to use Hardware Security Modules (HSM) to securely store the authentication symmetric key secrets (kept on device side within the SIM card), or root-of-trust keys, and run safely crypto-processing operations.

Finally, we need to make sure we have solutions in place that will secure operations within the cloud, or between cloud, as 5G core functions will be cloud native based. The proper authentication and data security policies must then consistently be applied.

We are excited by new use cases 5G offers as well as the existing ones it complements – we are really starting to see how it will be the basis of the digital society of the future. However, before everything we must make sure we are providing trusted 5G that is secure and reliable. Without this necessary Trust, 5G will fail.

If you have any other questions on 5G please tweet us @ThalesDigiSec