How to secure 5G to prevent IoT disasters: expert panel


Kate O’Flaherty speaks to a panel of experts who warn that we are in the uncharted territory of network slicing and mass service takedowns. 5G’s low latency and high bandwidth enable multiple IoT use cases, but a new approach is needed to secure it, she warns.

5G will enable IoT applications such as autonomous vehicles, healthcare solutions, and robotics. But the technology also poses a much larger security risk than the 2G, 3G, and 4G networks that came before it. Why is this?

Significantly, 5G represents an overhaul in the way that networks are run and managed. In contrast to the hardware-based networks of the past, the technology takes advantage of virtualisation and cloud systems, leaving it more vulnerable to breaches if not properly secured.

In addition, 5G’s low latency and high bandwidth capabilities could be used to increase the potential scale of a distributed denial of service (DDoS) attack, where IoT devices are targeted by hackers and used to form a botnet.

With more and more hackers accessing network resources to mine cryptocurrency, for example, it stands to reason that this will be just one form of attack.

According to Michael O’Malley, vice president of carrier strategy at Radware, 5G-connected devices that become infected would have the ability to perform much bigger and more complex attacks than we have witnessed before.

He cites the example of the 2016 Dyn IoT botnet cyber-attack, which “took down the East Coast of the US”, by preventing users from accessing websites. “Now take that threat and add a 5G network, which is faster and with lower latency: you could take down more than just the East Coast,” he says.

A significant change


Taking these risks into account, 5G will demand a significant change in the way security is managed, says Adrian Scrase, CTO at standards organisation ETSI. “It’s a move towards a service-based architecture. In other words: opening up the network through application programming interfaces (APIs) and allowing people to provide services,” he explains.

Adding to this, it is a complex challenge to secure 5G IoT high-data-rate devices with larger battery and computational resources – such as machines in factories –  while ensuring that their functionality is unchanged. This is in direct contrast to many other IoT 5G use cases, which require a long battery life of up to 10 years, and are expected to work at very low data rates.

At the same time, says Scrase, 5G is no longer a ‘singular network’: it will include new elements such as network slicing, which will see mobile operators offering different levels of performance and varying contractual agreements.

This gives the operator the ability to “pretty much copy and paste a network instance”, explains Paul Bradley, Gemalto’s 5G strategy and partnerships director.

“There will be different configurations of the network: one might be concentrated on high speeds and low latency for autonomous driving; and another might have a normal level of security for a sensor network. Those slices will be configured by use case and isolated from each other.”

Adding to the complexity, network slicing is “completely new” to 5G and standards are not yet formalised, says Patrick Donegan, founder and principal analyst at HardenStance.

He describes the risk: “You need an individual instance of software in 5G: it can only go onto the slice –  and not other slices. If my instances of virtualised software can appear on your slice, then someone can put malware onto your slice and corrupt it.”

Finding the solution

There’s no doubt that securing 5G is complex, but standards bodies are already examining these issues. Scrase points out that the 3rd Generation Partnership Project’s (3GPP’s) TS 33.501 specification around 5G security is due for approval in the coming weeks.


Technology itself can also help. In order to mitigate 5G-based IoT attacks, 451 analyst Ian Hughes says that artificial intelligence (AI) and machine learning will be useful when applied to anomaly detection at a fast rate across a complex environment.

Gerald Reddig, head of security at Nokia, says automation is integral, citing the vendor’s adaptive architecture that automates security.

“Our customer base is protecting its own customers’ networks and needs to adapt its security architecture for threats, including DDoS attacks and ransomware,” he says. “The value is in automation in an orchestrated way to relieve the pressure on existing security teams.”

At the same time, network slices should be secured depending on the use case.

In addition, Bradley says data needs to be segregated in the device if it is being linked to multiple network slices. Meanwhile, he says: “The user needs to be authenticated to the device, and the network itself is important.

“Virtualised network functions should be secured, with confidentiality and integrity protected. You need to look at where the weak links in the chain are.”

Holistic approaches

It’s a complex environment, but in the end, strategy is key. As part of this, experts recommend taking a holistic approach to security, taking into account the entire ecosystem –  including device manufacturers, mobile operators, and service providers.

And, while it’s important to consider the implications now, there is time to act before 5G really starts to impact on the IoT.

Indeed, different waves of 5G are expected over time from standards body 3GPP. The first release in December 2017 was around the technology’s consumer use cases, such as high-speed access.


The network side – including the core network and edge computing –  is coming in the middle of this year. Meanwhile: “In 18 months, the next phase will arrive with standards around ultra reliability, low latency, and really high speed,” says Bradley. “They will start to look at IoT then.”

So, it is still some way off. But despite that, businesses should consider how they will be impacted by the technology now. Donegan advises: “You need to look at the security of the network, the content, and the device; where you put security controls depends on the use case.”


For example, he points out that some sensors don’t have the power and footprint to run security software. “So, you need to secure the network locally, accepting that the device has no security. And communications need to be interfaced by a secure gateway that takes account of this.”

In addition, the 451’s Hughes says that firms should enlist the help of penetration testers to find holes in their 5G IoT deployments. “You can trust your providers, but each enterprise will have a unique security risk that no one has thought of – such as an interface between two systems – so every company needs to have these people onboard.”

And in the end, says Donegan, securing 5G-based IoT consists of adapting well-worn principles. But he warns: “It is cheaper to get security sorted right at the outset: retrofitting after the event will cost more than getting it done at the start.”


Internet of Business says

5G networks might seem to be a future consideration, but tests and experimental rollouts have been gathering pace in recent weeks. Given the new forms of risk, organisations should consider the security aspects now. With AI and machine learning, for example, these technologies are going to become even more intelligent as virtualised telecoms networks develop.

However, the experts’ warnings should ring some alarm bells. A number of recent reports have suggested that IoT security is already lax, with non-expert device manufacturers rushing gadgets to market with basic security flaws built in. Meanwhile, organisations are giving little strategic thought to the unique challenges of IoT security. Factor in 5G and there is every chance things could get messy.


White-hat hackers are valuable in a changing security landscape, and firms such as Google and IBM have long known this. Google is among those offering cash ‘bug bounties’ to those who are able to find holes in their systems.

Standards and specifications will certainly help on the way to securing 5G-based IoT use cases, but in the end it will come down to strategy. Robust cybersecurity must include the network, the device, and the data, taking into account the unique issues that 5G networks bring.

• We welcome Kate O’Flaherty to our regular team of contributors.

Kate O’Flaherty is a freelance journalist with over a decade’s experience reporting on business and IT. She has held editor and news reporter positions on titles including The Inquirer, Marketing Week and Mobile Magazine, and has written articles for titles including the Guardian, the Times, the Economist, SC UK Magazine, Mobile Europe and Wired UK. She is also a contributing analyst at Current Analysis covering wholesale telecoms. 
