5G service is set to roll out in 2019, bringing with it new security concerns. Jon Zayicek, Cask’s IT Risk & Security Principal, contributes to this article laying out the 5 major security issues associated with 5G service.
Preparing for 5G’s Biggest Security Challenges
The imminent arrival of a long-anticipated next-generation cellular technology presents some cutting-edge security challenges. Here’s how to get ready.
Businesses won’t have to wait too much longer for the arrival of 5G cellular service, which carriers will begin deploying across the U.S. during 2019. As 5G establishes itself as a mainstream communications technology, here are five security issues that bear close attention:
- A greater risk of distributed denial of service (DDoS) attacks on Internet of Things (IoT) networks
IoT device connectivity is set to receive a major boost from 5G. Faster speeds will lead to greater functionality for both authorized users and attackers. “The danger is that IoT devices use a client-server model with limited security mechanisms, making them more likely to be breached and participate in a DDoS,” warned Ted Wagner, chief information security officer for SAP National Security Services (NS2).
The client/server model, with its limited security attributes, is particularly problematic in an IoT environment, Wagner noted. “Blockchain technology offers an alternative approach,” he suggested. By establishing a “trust network,” validated by blockchain technology, many IoT device security risks could be mitigated. “In this model, a private blockchain network is created where all participants are authorized and authenticated, and each participant is accountable for its actions,” Wagner explained. “This method is theoretical, and there are questions of scale, but the current model creates the potential for more significant attacks.”
- A wider attack surface
Upon arrival, 5G will instantly accelerate the adoption of virtualized distributed network infrastructures and the use of containerized workloads, both for applications and for network functions. “This increases the attack surface and makes the 5G ecosystem an attractive ground for adversaries to exploit, either for economic gain or just to inflict damage both to telecom operators as well as the users,” cautioned Prakasha Ramachandra, assistant vice president for technology and innovation at engineering and design firm Aricent. With distributed systems and a containerized environment, it will be difficult to ensure that all systems and applications remain up-to-date with the latest security patches, he noted.
Challenges related to maintaining vulnerability and security configuration postures within the 5G ecosystem could be effectively handled by building a security orchestrator, Ramachandra proposed. “The security orchestrator would also have the capability to define security goals that are derived from regulatory compliance requirements, as well as from industry/organization best practices,” he added.
- Proximity Service (ProSe) intrusions
Proximity Service (ProSe), which promises streamlined device-to-device communication, is an important new 5G feature. ProSe offers many potential benefits, including the ability to lower latency in real-time scenarios, such as vehicle-to-vehicle messaging, extending communications to devices beyond the reach of a base station, enabling IoT traffic off-loading, and supporting locally-targeted messaging and emergency communications, noted Michael Daly, CTO for cybersecurity and special missions at Raytheon Intelligence, Information and Services. “However, implementing this new feature also means that there’s an increased threat landscape and a processing challenge for intrusion prevention,” he explained. “Each node will need to handle more of the load when it comes to defending itself, rather than relying on the central network to screen out malicious activity.”
The security features embedded in 5G communication modules, including authentication, authorization, intrusion prevention, and encryption, will all need to be more robust and tested thoroughly. “We will likely need to create mechanisms for peer-to-peer security collaboration and mechanisms for improved cloud-based security to help the endpoint devices make smart security decisions in near-real-time,” Daly said. An example of this peer-to-peer collaboration might include a message to a security expert asking if the online traffic he or she is seeing is typical or a point of concern. “We’ll also need to design in resiliency—assume that bad things can happen and build in the mechanisms to know when things are wrong, so we can take action to operate through the attack successfully,” he concluded.
- Software-defined wide area network (SD-WAN) vulnerability
The arrival of 5G technology will bring an expanded use of SD-WANs and extend their reach to a wider array of mobile and IoT devices. “The biggest threat isn’t necessarily the 5G standard itself, but possible vulnerabilities in the SDN layers for new use cases,” explained Jon Zayicek, IT risk and security principal at Cask, a business and technology consulting firm. “Some of these use cases include things like smart/connected vehicles, enhanced industrial control connectivity, and broad consumer use for media, content, and applications,” he observed.
Security must be built in and pervasive in every layer of a 5G deployment, Zayicek noted. Network operators must be vigilant and monitor for out-of-band activity, access, and traffic patterns. “OEMs should secure hardware and firmware components, and device manufacturers should have multiple layers of security, limiting the attack surface as much as possible,” he said.
- An overall need for fundamental security protection
While 5G technology delivers immense advances in how networked devices are able to communicate, it also carries with it existing 4G security issues in a much more dynamic and highly configurable environment. The new technology requires well-thought-out, foundational security built into its systems, observed Bob Flores, a cybersecurity advisor with Fidelis Cybersecurity, an automated detection and response technology provider. “Security needs to be built into these systems from the very first draft, from the ground up,” he advised.
Flores pointed to 5G-linked autonomous vehicles as an example of a technology that will need specially-designed security measures. “While the progression of this kind of technology is eagerly anticipated, we need cybersecurity standards and best practices for hardened security measures that can keep up with the new capabilities that 5G will enable,” he stated.