The next generation of wireless technology, 5G, is more than just an incremental improvement in cellular networks. It holds the potential to be up to 100 times faster than 4G and offer ultra-reliable low latency communications. 5G is, therefore, poised to become the key enabler of internet of things (IoT) and machine-to-machine communication, which are finding wide application across enterprises. 5G networks are expected to play a key role in facilitating digitisation and automation in sectors such as healthcare, manufacturing and transport.
However, as 5G opens up new use cases across industries, it also makes networks more vulnerable to cyberattacks. With their limited bandwidth and speeds, the current generation of cellular networks have allowed telecom operators to monitor security threats in real time. However, the blazingly high bandwidth and the consequent increase in data traffic with 5G will mean that security teams will have to deploy additional workforce and solutions to guard the networks.
Some of the cybersecurity risks associated with the deployment of 5G services stem from the nature of the network itself, while others involve the devices that would be connected through 5G. Given that 5G will soon form the digital backbone of several strategic sectors, it is imperative to look at the key security concerns that are likely to emanate with the proliferation of 5G services, and the possible solutions.
Inherent risks in 5G network architecture
The majority of telecom operators have either rolled out or are rolling out their 5G services based on existing long term evolution (LTE) network cores. As a result, these networks inherit all the vulnerabilities of LTE networks, according to a report by the GSM Association. Since almost all LTE networks are vulnerable to denial of service (DoS) attacks, 5G non-stand-alone networks will also be vulnerable to DoS.
Further, the 5G network core will be based on software-defined networking (SDN) and network function virtualisation (NFV) technologies. While virtualisation will make the deployment of 5G networks simpler, faster and more flexible, replacing dedicated hardware with software-defined systems may make mobile networks more vulnerable to attacks. Both SDN and NFV rely extensively on the hypertext transfer and representational state transfer protocols. The fact that these protocols are well known and widely used on the internet will probably make it be easier for hackers to accrue tools for finding and exploiting vulnerabilities in 5G networks.
Moreover, compared to 3G and 4G, 5G has far more traffic routing points, making it difficult to perform thorough security checks repeatedly. In order to make a network completely secure, all of these routing points will have to be monitored, as even a single unsecured area might compromise the entire network.
Lack of security standards in IoT devices
The bulk of 5G use cases will consist of IoT devices, such as those deployed in industrial monitoring systems, smart city and smart transportation infrastructure. The behaviour of IoT devices will be entirely different from that of human subscribers, as the network activity of the latter is more consistent. The behaviour of IoT devices varies greatly across devices. For instance, sensors communicate and exchange data periodically regardless of the time of day, but they may remain entirely stationary. By contrast, devices in other segments such as driverless vehicles are constantly moving. Operators will therefore have to devise new solutions to mitigate IoT-related risks as the existing models, developed for identification of suspicious activity in the context of a human subscriber, will not work in an IoT set-up.
Cybersecurity is not a priority area for most manufacturers of low-end smart devices, which may open up several breach points in the networks. There is likely to be a wide variation in the quality of the security standards of the billions of IoT devices that will be connected through 5G. A lack of security standards for IoT devices has therefore emerged as a major cause of worry. Another related area of concern is the lack of encryption standards in IoT devices, which will make it easier for hackers to acquire information on the type of devices connected to a network (smartphones, vehicle modems, etc.) and the associated operating system. This will make the entire network and the connected devices vulnerable to device-specific IoT targeted attacks.
Possible solutions
Given that 5G will soon become the mainstay of cellular networks, it is extremely necessary for operators and equipment vendors to take suitable steps to protect 5G networks from cyberattacks. Telecom operators often skip the security aspects of networks during testing and even implementation, and deploy security solutions only once the network is in use. While this expedites network deployment and saves costs initially, operators eventually end up paying more to buy equipment that integrates well with their existing network infrastructure. Going forward, operators should focus on installing suitable security solutions at the time of network deployment.
Since 5G networks will initially be based on the 4G network core, operators need to start by securing previous-generation networks. A careful analysis of all signalling information crossing the border of their existing network will help operators build adequate protection for 5G services.
As for the threat from the lack of standards in the IoT ecosystem, there is a need to establish product labelling standards for connected devices. This will help retail users and enterprises ascertain how safe their IoT devices are. Also, greater awareness needs to be created regarding the importance of securing all internet devices with software updates. Operators and equipment vendors can also explore machine learning models capable of detecting unknown threats in a 5G environment.
The way forward
5G aims to provide a reliable and trusted innovation platform for businesses and organisations to build and deliver new value-added services while acting as a key enabler for digitising and modernising critical national infrastructure such as energy and transport. The latter objective raises the bar for 5G systems with respect to providing extremely secure communication services.
However, the very characteristics of 5G that make it fundamentally different from earlier generations also make it more prone to cyberattacks. Security risks are far greater in a 5G ecosystem, as it has to grapple with threats stemming from a greater reliance on cloud and IoT. Further, with 5G networks increasingly relying on virtualisations, there are potential risks related to major security flaws, such as poor software development processes within suppliers. The overdependence on software has also made it easy to maliciously insert backdoors into 5G products, making them harder to detect during security checks. The sheer number of devices that will be connected to 5G networks, with varying degrees of security standards, is another major challenge. Moreover, because 5G networks are far more decentralised than 3G and 4G networks, it may be difficult to carry out the same security checks as those for earlier-generation networks in a 5G ecosystem.
While the potential security breaches in a 5G set-up have become common knowledge now, operators are grappling with a lack of tools and a limited pool of security experts to identify and mitigate these threats. There is a need to expand the scale of current mobile network security performance and operations to meet the challenge of securing 5G networks. Further, since some of the elements in a 5G ecosystem, such as edge computing, distributed core and network slicing, will potentially generate new attack surfaces, service providers must implement advanced security measures capable of mitigating attacks from a broader threat landscape.
Going forward, enterprises and service providers need to collaborate to devise solutions to ensure end-to-end security of their networks, jointly. A highly secure and reliable 5G network will serve as a key differentiator and an essential revenue enabler for both operators and enterprises.
