Considerations for Proactive Cyber Security Measures When Deploying 5G

This guide provides you with a first look, as we see it today, of how 5G may impact your cyber security and the areas where you may need to consider new potential risks for your organization and enterprise. At this time, many of the component's parts are yet to be built out and are merely concepts. This guide is aimed at those with an interest in how implementation of this new technology could affect the organizations that adopt it, but also for those who need to start considering the risks and potential mitigations in integrating 5G into their business processes.

5G has been positioned as game-changing and suitable for high-risk use cases. However if there are network performance failures, these could prove costly or catastrophic. Therefore, there is a need for purchasers of such services to set strict service level agreements (SLAs) with their suppliers. As with cloud service provisioning, the SLA should include key performance indicators on data downloads and upload speeds, end-to-end latency, jitter, network availability, or other metrics relevant to the required performance of apps that are reliant on a 5G connection. Where service providers are proposing 5G as a replacement for existing, mature technologies such as a wireless LAN, they require SLAs relevant to the performance of specific apps (voice, UCC, video, segmentation of IoT endpoints) currently on the WLAN.

One of 5G’s key features will be the opportunity for network slicing, the segmentation of a single physical network into multiple virtual ones in accordance with particular use cases. A clear benefit of 5G network slicing for operators will be the ability to deploy only the functions necessary to support specific customers and particular market segments. Communication between autonomous cars, for instance, requires minimal latency (the lag time it takes for a signal to travel), but not necessarily high throughput (the amount of data a network can process per second), while a use-case such as augmented reality will take more bandwidth. With slicing, these needs can be accommodated by delegating each to its own network-within-a-network.

It is essential that as a community we share existing 5G knowledge to stakeholder communities. There are a number of additional threats that have not been discussed in this guide that exist in the current generations, such as unauthorized data access, unlawful interception, compromised authentication gateways/keys, etc. Such threats remain but the mitigation is similar if not the same as previous generations.

Whilst we await the buildout of the component parts discussed and final agreements over standards, here are some suggested mitigating controls for the deployment of 5G:

• Fine-grained access control and authentication
• Use of Zero Trust Networks or architecture to minimize the potential exposure of your information
• Use of segmentation and isolation at the network and app layer to minimize the potential impact of any compromise
• Wide use of encryption, specifically encryption of the IMSI and/or use of improved pseudo-identifiers
• Careful use of cryptographic mechanisms, including public key-based cryptographic techniques combined with endpoint protection
• Use of monitoring of systems to detect abnormalities and breaches
• Policy-based security management combined with automated security controls
• Comprehensive physical security measures to prevent access to communication equipment
• Use threat modeling
• Vetting by vendors of their staff and monitoring for insider threats.

Ultimately, more so than ever before, it is about designing security from the start as opposed to retrofitting it. Over time there will no doubt be unknown security vulnerabilities discovered with 5G.It’s an immature and untested set of technologies which will be inevitable, so it's important to be vigilant and proactive to share lessons learnt. For more information, take advantage of the ENISA report on threat landscape for 5G networks and its findings.

What are your next steps? Identify the relevance of 5G for your organization, pay attention to the 5G rollout in your area, and conduct research on the different technology components that are relevant for your particular use cases. Then run each use case through a threat model. This will help influence your procurement process and design a strategy for continuous control, testing, and monitoring.

If you are interested in a high-level technical overview of the technologies that are driving the need for next generation mobile networks, you can view our courses on 5G Networks: Executive Briefing. I also recommend Multi-Access Edge Computing (MEC): Executive Briefing.