Security Standards For 5G
Momentum continues to build for 5G deployments, and while most industry observers agree that security is tighter than in its 4G and 3G predecessors, there are still considerations to ensure corporate data stays safe as the number of endpoints connected to networks increases.
Gartner predicts that the 5G enterprise IoT endpoint installed base will more than triple between 2020 and 2021, from 3.5 million units in 2020 to 11.4 million units in 2021 (not including 3GPP low-power wide-area wireless endpoints). By 2023, the enterprise 5G IoT endpoint installed base will surpass 49 million units, the firm says.
Already, researchers at Purdue University and the University of Iowa last November reporting finding 11 vulnerabilities in the next generation cellular network. The threats the researchers found expose a person’s location, allow real-time location tracking and surveillance, along with the ability to spoof emergency alerts to trigger panic.
The researchers identified the flaws with a custom “5GReasoner” tool, which found five additional issues that carried over from 3G and 4G.
See Related: 11 Ways To Boost Your Mobile Device Security Now
Security problems in mobile networks has been an issue for a while, but the potential for attacks is increasing, says Patrick Donegan, founder and principal analyst at HardenStance.
“Currently, with the initial suite of 5G services being offered, the level of security features available to the operators is significantly better than with 4G,’’ Donegan says.
However, what is not here yet at scale--but is coming--are the more advanced vertical industry use cases of 5G, he says. These cases will leverage the more distributed capabilities of the 5G Stand Alone (5G SA) architectures, which are more open and distributed, that we will start to see roll out in the second half of this year, he says.
See Related: IoT Is Officially Part Of Enterprise Mobility
For example, this includes having telco and enterprise data and applications hosted in more remote locations rather than on premises or in the cloud, Donegan says. “Here, there are a slew of new security challenges relating to data protection, including use cases where open API access to third parties is provided to those remotely located resources.”
This is when the risks associated with 5G increase, he says. “It’s with those deployments that telcos, cloud providers and enterprise security teams all need to up their game to meet that challenge at the same time as capturing the opportunity.”
Enhancing Security For 5G
The 3GPP (3rd Generation Partnership Project) has developed 5G standards that include measures for encryption, mutual authentication, integrity protection, privacy and network availability to provide guidance for cybersecurity organizations. According to 5G Americas, a trade association for mobile operators, the standards provide:
- A unified authentication framework that enables seamless mobility across different access technologies and support of concurrent connections
- User privacy protection for vulnerable information often used to identify and track subscribers
- Secure Service-Based Architecture (SBA) and slice isolation optimizing security that prevents threats from spreading to other network slices
- Improving SS7 and diameter protocols for roaming
- Adding native support for secure steering of roaming (SoR), allowing operators to steer customers to preferred partner networks – improving the customer experience, reducing roaming charges, and preventing roaming fraud
- Improved rogue base station detection and mitigation techniques
- And even more proprietary operator and vendor analytics solutions that offer additional layers of security
But some observers believe the standards are too complex for those in the mobile industry ecosystem to securely implement. “The 5G standards committee missed many opportunities to improve security,’’ wrote international security expert Bruce Schneier, in a recent blog post.
Many of the new security features in 5G are optional, and network operators can choose not to implement them, according to Schneier. This happened with 4G as well; operators even ignored security features defined as mandatory in the standard because implementing them was expensive, he wrote.
“But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.”
Schneier also believes that 5G networks will be blended with the decade-old 4G network, and, he claims, “There's so much backward compatibility built into the 5G network that older vulnerabilities remain.’’ This could lead to attackers possibly being able to force 5G systems to use more vulnerable 4G protocols, for example, he wrote.
Without the ability to do a clean break from 4G to 5G,” Schneier wrote, “it will simply be impossible to improve security in some areas.”
Actions For Security Teams And Network Providers
For their part, businesses can enhance security by ensuring software updates are applied when patches are delivered, security experts say. IoT and other devices also need to be properly tested at the outset to ensure any open ports that lead to exposed entry points are closed.
There are three steps Donegan says security teams can take:
- Work with telcos to define and implement variations of the ‘Shared Responsibility Model’ of the cloud providers for 5G use cases
- Exploit existing and emerging partnerships in edge services between telcos and cloud providers, since neither party can exploit the full potential of the 5G enterprise services roadmap by themselves
- Balance verification of the security in new 5G use cases across the security of data in transit (where telcos have traditionally been strong) with the security of data at rest (where their record tends to be weaker)
There has to be a new corporate culture that treats cyber risk as ‘an essential corporate duty” and investments are made to shore up 5G, according to a 2019 Brookings report. But cyber security essentially starts with the 5G network providers, the report stresses.
“Given that the cyber threat to the nation comes through commercial networks, devices, and applications, our 5G cyber focus must begin with the responsibilities of those companies involved in the new network, its devices, and applications,’’ the Brookings report warned. “The cyber duty of care for those involved in 5G services is the beginning of such proactive responsibility.”