This guide provides a first look at how we see 5G increasing the attack surface of our systems in comparison to older generations of mobile networks. At this time, many of the component parts are yet to be built out and are merely concepts. This guide is aimed at those with an interest in how implementation of this new technology could affect the organizations that adopt it, and at those who need to start considering the risks of integrating 5G into their business processes.
One of the most important aspects of the transition from previous generations of mobile telecommunications to 5G is the virtualization, in software, of higher-level network functions formerly performed by physical appliances. Some of these physical components were mostly proprietary and incompatible with other solutions.
The physical architecture of 5G is going to remain exposed to the more generic threats that are pertinent to physical components, such as damage, theft, sabotage, natural disasters, outages, failures, and malfunctions. This increases the criticality of 5G physical infrastructure components, as multiple services are going to depend on them. The higher frequency will deliver much more data between the device and the mobile cell towers. However, this higher-band mmWave signal cannot travel as far as 4G radio signals. This means many more cells will be needed to cover a smaller area.
This increased footprint means a greater need for physical security over a great number of cells. Additionally, the attack surface in 5G is much bigger because of the potential for massive numbers of connected devices, the virtualization techniques, and the support for open networks. That said, in order to compensate, multiple carriers have embraced a multi-tier 5G strategy that uses three types of radio signals to deliver cellular service to 5G devices: low-, mid-, and high-band frequencies. Each will offer its own combination of speed and range to help improve performance. For example, low-band 5G offers a slightly better experience than 4G, with an expected guarantee of widespread coverage. The implementation of these bands will likely differ from country to country, deployed in various combinations depending on your location and supplier.
There is a threat of manipulation of hardware equipment throughout the network, and this is even more acute given the vast number of remote masts or cells. There is also a threat of hardware or software concealed in the product by a vendor or supplier. This threat may occur at an initial stage of the product implementation or during maintenance, with the application of uncontrolled updates and new features. Because a user may not be able to identify such nefarious activities, they are reliant on their supplier to mitigate such threats. Therefore, assurances will need to be backed up in contracts and service level agreements (SLAs) so that such threats are monitored and quickly resolved if identified.
Some commentators have said that a shared security model, similar to that of the public cloud, is likely to emerge for 5G. Multi-access Edge Computing (MEC) allows for the provision of cloud computing capabilities at the edge of the network, that is, for high-bandwidth, low-latency end-user applications. A user’s traffic would no longer be tunneled to a provider’s data center; instead, that tunnel is terminated at smaller, local data centers near the local cell or mast. This approach can eliminate network delays from end-to-end latency because the traffic isn’t traversing back to the central data center. MEC is a novel approach in the 5G ecosystem that enhances the mobile user experience by covering services that, in previous generations, were using the run-time of end-user devices. Through the capabilities of MEC, a variety of services can be bundled or converged into a single component, such as video, location services, virtual reality, etc. It is expected that MEC will emerge following the evolution of app services and verticals and will be one of the main drivers for wider coverage and penetration of 5G networks. This increases the reliance on security management at the device level.
The conventional risk analysis based on the ISO 27000 series, where the level of risk is determined from a combination of threat likelihood and impact, still applies, as does NIST SP800-30, “Risk Management Guide for Information Technology Systems.”
The final point to make is that there are only a handful of providers of 5G technology, making reliance on these providers' integrity important. This in itself may lead to an increase in supply-chain attacks. Given the geographical locations of these providers, there is concern about the influence that state actors may place on them.
What are your next steps? Identify the relevance of 5G for your organization, pay attention to the 5G rollout in your area, and conduct research on the different technology components that are relevant for your particular use cases. Then run each use case through a threat model. This will help influence your procurement process and help you design a strategy for continuous control, testing, and monitoring.
If you are interested in a high-level technical overview of the technologies that are driving the need for next-generation mobile networks, you can view our course 5G Networks: Executive Briefing. I also recommend Multi-Access Edge Computing (MEC): Executive Briefing.