As the world looks toward the promise of 5G wireless with its higher speeds, lower latency and increased capacity, cybersecurity experts caution enterprise leaders about the downside to all that power and potential: Hackers could use the 5G network to both amplify their existing modes of attack and develop whole new methods of assault.
"With 5G, the threat vectors dramatically increase," said Chris Antlitz, principal analyst at Technology Business Research.
Heeding the warning, enterprise leaders are getting ready.
Chief information security officers (CISOs) across all industries have voiced their 5G network security concerns, sharing that they worry about potential hacks on their own infrastructure, as well as on the network itself. But, at the same time, in response to their burgeoning concerns, they're reviewing and revamping the policies, procedures and technologies they plan to use to thwart attackers as they work to meet the challenges coming with this next-generation technology.
Enterprises assess 5G network security risks
The need to address 5G network security concerns is pressing, although not necessarily immediate for everyone.
Ultimately, 5G will be everywhere, and it will pervade everything. But that's years away, Antlitz said. "We're looking out at least seven years before we see that. In the interim, we're going to see 5G deployed in pockets, with a phased evolution to that ubiquitous deployment." But some enterprises are already pushing the envelope to see how they can deploy 5G in their enterprises, he added.
Industries harnessing 5G now include agriculture and manufacturing, as well as the natural resources sector -- i.e., mining and energy production. Others experimenting and piloting 5G-enabled use cases include those in transportation and logistics, where everything from self-driving vehicles to delivery drones will be supported by the technology; physical security, with its need to power facial recognition capabilities in real time; and healthcare, which is exploring increased robotic surgery and other highly sensitive activities.
Still other sectors, such as retail and professional services, are in evolving stages of 5G interest and adoption, Antlitz said.
Some organizations will rely on telecommunications service providers to fully provide 5G capabilities, while others will build out some or all of their own capabilities, depending on where and why they're using 5G.
Despite the varying levels of 5G market penetration and industry adoption, most enterprise security leaders are already concerned about the risks associated with it.
AT&T Cybersecurity's 2019 "Security at the Speed of 5G" survey, conducted with 451 Research, found 76% of the 704 respondents expected wholly new security threats to emerge out of a 5G world, and 72.5% expressed either a high or medium-high level of concern about 5G's impact on their organization's security posture. Another 21% expressed a medium level of concern, while only 5% expressed a low level of concern.
5G network security pros and cons
Yet, the security news surrounding 5G isn't all negative. The 5G network itself comes with security improvements over its predecessors, with telecom operators and equipment providers addressing known vulnerabilities and adding new security elements.
For example, 5G has 256-bit encryption compared to the 128-bit encryption used in 4G, Antlitz pointed out. Others cited federal efforts, including the U.S. ban on using equipment from China-based vendors, such as Huawei and ZTE, as evidence of taking steps toward a more secure 5G network.
Experts still see security vulnerabilities, however.
"When people say 5G is more secure, it depends on the context," Antlitz said. He agreed that the higher encryption levels with 5G add security, but they don't offer protection if hackers use unsecured endpoint devices to break into a system.
Some 5G vulnerabilities are at the network level. Unlike its predecessors, 5G doesn't use centralized, hardware-based switching but rather distributed, software-defined routing, which eliminates central points where inspection and control could be concentrated. The software itself could also be compromised by skilled hackers, whether nation-states or criminal actors.
Some vulnerabilities fall more on the user side, as organizations and individual consumers attach millions more devices to the network that will, in turn, need to be security-hardened.
"We still have existing threats. Threats that were there with 4G will remain there in 5G," said Philip Chan, adjunct professor of cybersecurity at University of Maryland Global Campus. "But the amount of attacks will be more, partly because you'll have more devices. There are so many more connected points, and the attacks will be able to route to many more points."
Other experts offered similar warnings.
"5G could open the door for large-scale DDoS [distributed denial-of-service] attacks, and additional challenges are inherent in protecting a sophisticated network of connected devices, where the compromise of one device can lead to the whole network crashing," said Dmitry Galov, security researcher at cybersecurity firm Kaspersky.
Moreover, 5G's speed could enable hackers as much as it does legitimate users, Galov said, explaining that attackers can more quickly steal data from compromised internal networks. "Security systems may detect the leak, but by the time they do, much more data will have leaked," he said.
How to prepare for 5G risks
AT&T Cybersecurity's report on 5G security found most respondents believe they need to update their security posture in response to 5G, with 22% expecting to rethink their security policies altogether and another 53% saying at least some adjustments will be needed. Only 25% believe their current security policies will be effective under 5G.
Despite these findings, however, security leaders have been slow to respond, with AT&T Cybersecurity finding only 16% of respondents have started making 5G-related security upgrades.
The respondents listed the following as their top 5G concerns and challenges:
- a larger attack surface due to increased connectivity (44%);
- a greater number of devices accessing the network (39%);
- extension of security policies to new types of devices (36%); and
- authentication of a larger and wider variety of devices (33%).
"There is a variant in the amount of maturity organizations have in respect to cybersecurity and how ready they are for 5G," said Theresa Lanowitz, head of evangelism at AT&T Cybersecurity.
Organizations that have succeeded in cultivating a security-first mindset for their enterprises, where they perform foundational security hygiene flawlessly, are the most mature and ready to securely use new and emerging technologies, according to Lanowitz.
As such, she advises organizations to create that culture, noting it's a critical step toward securing against 5G network security risks.
Yet, that's only the first step, Lanowitz and others said.
Chan said CISOs must also work with business colleagues and users -- as well as vendors -- to make sure they're only selecting devices embedded with security-related features that meet established standards.
"Businesses must inspect and certify 5G devices via standard-setting agencies, like the National Institute of Standards and Technology and other reputable sources," Chan said, adding that the NIST 5G Cybersecurity framework must be established and followed. "When the best security practices are identified, there will be protection, detection and better security responses."
Chan also advised CISOs to work with their IT counterparts to advance the use of secure application development techniques, such as DevSecOps, noting that "the practice of building security throughout the complete development lifecycle and verification of the finished products is critical."
"Since 5G is expected to be software-driven, it is more important than ever to integrate security in software, hardware and firmware development. Regulatory bodies should enforce the maximum or minimum security requirements in all 5G hardware and software environments and centers," said Chan, who also works at the U.S. Army Combat Capabilities Development Command Data & Analysis Center cybersecurity division, Aberdeen Proving Ground.
In addition, CISOs must advance their deployment of AI, machine learning and automation in order to identify, detect and respond to the rapidly increasing volume and velocity of attacks, experts said.
Enterprise security executives also should consider building their own 5G private networks for sensitive use cases and even then separating out the most sensitive elements to ensure security.
"Where they're very concerned about security risks, they want to have a fully closed system that they control," Antlitz added.
Implementing zero-trust security is also a must, given the exponential growth of connected devices and the speed of 5G, said Rob Clyde of Clyde Consulting LLC, former board chair for ISACA, an international professional association focused on IT governance, and board director for Titus, a data protection company.
"No longer will firewalls be able to protect everything, so each device has to take care of its own security: That's the nature of zero trust," Clyde said. "Trust nothing, and validate everything. That's the whole paradigm shift."