Last updated: 30 September 2016
As an organization, we’ve been very involved in the development of the emerging 5G standards, both in discussions with the GSMA and the NGMN organization. There are a lot of interesting discussions, trends and considerations emerging as we get closer to commercial launch in the next few years; 5G will both be similar to and yet critically different from every previous generation of mobile network technology. There are a few reasons for this, which become clear when you start to think through the implications of these changes on the way we secure people and machines through the upcoming 5G ecosystem.
We wanted to pick out some of the key ways in which security thinking for mobile network operators needs to change in the months and years ahead as 5G gets closer to commercial launch. We’d be interested in your thoughts and comments on the topic, if not online, then certainly when I speak at the upcoming NGMN event on Oct 13th – I’ll be speaking on “Security, Privacy and Identity in 5G: Strategies and Measures.”
In the meantime, the key changes in security over 5G:
5G has a bigger attack surface than current cellular networks
We are moving from the hardware/software combinations from trusted vendors, supplied to mobile network providers… to a new world of virtualized infrastructure powered by a mix of open-source and proprietary software. This means that the potential ‘attack surface’ of a next generation 5G network will be much more similar to a traditional enterprise, as standard virtualized technology is more accessible and more familiar to attackers than the proprietary networking technology that is characteristic of current generation cellular technology.
The emergence of mobile edge shifts the perimeter for security
5G allows for much more flexible use of ‘edge’ resources which take the load off the ‘core’ network – critical as more ultra-low-latency applications start to run over cellular networks, from high definition gaming through to critical applications like autonomous vehicles where human lives are at stake. This allows for content, for example, to be cached locally… so, if you want to watch Netflix, it might stream from a local cache rather than transmitting over the core network to find the original Netflix hosting servers… which in turn changes the way that data and cellular communications need to be secured.
New options for secure layers over cellular channels are emerging
Currently, the key consideration around cellular security is to protect against eavesdropping. In an emerging world of smartphones and the IoT, however, eavesdropping is probably a lesser concern in the machine space. Rather, we need to be concerned about things like data manipulation attacks, which could, for example, be used to instruct a machine to carry out a given action (e.g. opening a front door or taking control of an autonomous vehicle). Mobile Network Operators – and consumer electronics manufacturers – will have an opportunity to deliver ‘security as a service’, allowing application providers to apply extra layers of security on top of pre-existing secure cellular network channels for appropriate data types.
Introducing security mechanisms by data type
Today the onus is entirely on the application provider to encrypt and secure data. With 5G, the network operator will have a role too, particularly as the IoT introduces devices that lack the processing power to meaningfully encrypt communications. Security as a Service providers could, for example, create three offers riding on top of what the network provides by default: unencrypted (for low-value data which is worthless to anyone intercepting it, such as ping data), moderate security (perhaps for IoT sensor data that could be subject to data manipulation attacks, for example by showing that water levels in a flood plain are lower than they are, so that automated defenses are not triggered) and high security (stronger confidentiality and privacy protection, appropriate for high value data, e.g. credit card data transmission for retail transactions). This would help application developers beyond the smartphone platform to gain an additional layer of security as needed.
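As an added illustration (not part of the original post, and not a description of any 5G standard), the sketch below shows what the ‘moderate security’ tier could look like for the flood-plain sensor: the reading travels unencrypted but carries an HMAC-SHA256 tag and a sequence number, so an altered or replayed water level is rejected. The key, the device name, the message layout and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would provision a key per device.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def protect(key: bytes, device_id: str, seq: int, level_cm: int) -> bytes:
    """Serialize a reading in the clear and append a 32-byte HMAC-SHA256 tag."""
    fields = {"dev": device_id, "seq": seq, "level_cm": level_cm}
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Checks the tag, then rejects stale sequence numbers per device."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # device id -> highest sequence number accepted

    def accept(self, message: bytes):
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # body or tag was altered in transit
        reading = json.loads(body)
        if reading["seq"] <= self.last_seq.get(reading["dev"], -1):
            return None  # authentic but stale: an old reading sent again
        self.last_seq[reading["dev"]] = reading["seq"]
        return reading


def demo():
    """Run a genuine, a manipulated and a replayed reading through one receiver."""
    rx = Receiver(DEMO_KEY)
    genuine = protect(DEMO_KEY, "gauge-7", 1, 412)
    # Constructed manipulation: the water level is lowered in transit.
    tampered = genuine.replace(b'"level_cm":412', b'"level_cm":112')
    return {
        "genuine": rx.accept(genuine),
        "tampered": rx.accept(tampered),
        "replayed": rx.accept(genuine),
    }
```

The ‘high security’ tier would add confidentiality on top of this, typically with an authenticated encryption mode rather than a bare tag.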
Responding to the rise of M2M comms
The anticipated rise in the number of connected devices coming online in the next decade is staggering. Maintaining the confidentiality and integrity of data traversing between machines is vital, as new types of exploit become possible in this environment. Recently, we’ve seen data manipulation attacks demonstrated on autonomous vehicles in research lab environments. We have to think about how we protect this kind of data against such attacks at every stage in the chain, on the cellular network and beyond. Even with the security channels described earlier, you might need to maintain encryption when data traverses the public IP network on leaving the MNO network through the operator’s gateway.
There is still a lot to be defined around 5G, and the whole conversation around security will run for a while before we see a commercial roll-out. However, 5G really is the ‘Windows 10’ of mobile network infrastructure – the software release that changes everything. From here on in, instead of substantial hardware upgrades at the core network level to get to 6G and beyond, we’ll be operating in a software-defined environment where very different rules apply. Operators have a lot to think about, and we look forward to engaging with them to map out the new threats – and opportunities – 5G networks have to offer.