NFV, abstraction, high surface areas – it’s easy to guess why security can be the biggest concern as 5G gathers steam. Here is how the industry can pre-empt these risks.
IDC projects the number of 5G connections will go up to 1 billion and 5G will represent 8.9% of all mobile transactions by 2023. Each of these devices is a potential entry point – and securing them will require a Zero Trust mindset.
By Pratima Harigunani
5G is big. It is arriving and will attract huge investments too. But there is a concern. Despite the massive application versatility, payback, disruption, and the low-latency impact it promises – or perhaps because of that – 5G could find security as its Achilles’ heel. Is this heel big and vulnerable enough to stop 5G from running fast? And can 5G open new back-doors on security-related fears?
Weak-spots: Why and where?
The very fact that 5G is exciting and raw puts it on the hot list of attackers and adversaries. That pattern has proven itself for everything that is new on the maturity curve, because not just industry readiness but also standards and collaboration are still half-baked.
Steve McGregory, Senior Director of Cyber Security R&D, Keysight Technologies, points out that historically, a new technology comes with unknowns and potential security weaknesses. “It takes time to mature the technology, get enough eyes on it, and vet out the issues. Looking specifically at 5G, the industry is adopting a much more open model that has positives and negatives. So, we will see a lot of open source options and this is great from a cost perspective. On the other side, this will provide access to the internal 5G systems that were not available in prior proprietary models. This exposure offers opportunities for cybercriminals to research and find 0-days that can be used to exploit 5G networks.”
While the technology holds immense potential to benefit organizations and users, aspects like safety and privacy, especially for the emerging internet of things (IoT) ecosystem, pose the greatest risk to 5G, explains Venkat Krishnapur, Vice President of Engineering and Managing Director, McAfee Enterprise India. “It can possibly increase the likelihood of denial-of-service (DoS), distributed denial-of-service (DDoS), or even attacks due to the sheer number of connected devices.”
“We will see a lot of open source options and this is great from a cost perspective. However, this will provide access to the internal 5G systems that were not available in prior proprietary models.”
Steve McGregory, Senior Director, Cyber Security R&D, Keysight Technologies
But about 3% of enterprises overall don’t see addressing security concerns as their responsibility. As per the GSMA Intelligence Enterprise in Focus Survey 2020, many enterprises, especially smaller ones, tend to fall victim to basic attacks. This is mainly due to a lack of baseline protection and a minimum level of digital hygiene. About 37% of those that haven’t amended security practices expect IoT solutions to already be secure. Also, 44% of operators have seen increased growth in demand for security services from their enterprise clients – this is because of COVID-19.
As many as 45% of operators consider it extremely important to invest in security to help achieve a long-term enterprise revenue goal. Operators also see not having enough knowledge or tools to discover and solve upcoming security vulnerabilities as a top challenge, as experienced by 48% of surveyed operators. There were also strong hints of a limited 39% pool of security experts that the industry has.
Krishnapur breaks down the security problem in a granular way. “Today, telecom companies are dealing with two specific types of attacks – one that looks to gain access to their organization, network operations and data, and the other that indirectly targets the company’s subscribers. While the first could lead to loss of valuable company information, impact finances and reputation, the latter could lead to a loss of customer trust. Through a successful advanced hacking attempt, bad actors can potentially gain access to a telco’s customer database, and then be able to indirectly exploit customers’ mobile devices.”
The big IoT playground
Network pervasiveness and an expanded surface area due to IoT are also the prime reasons that make 5G vulnerable on security. As Prakash Bell, Head of Customer Success, Regional SE Lead, Check Point Software Technologies, India and SAARC, explains, the transition to 5G technology is much anticipated by organizations and consumers alike. This new technology will immensely expand capabilities in delivering new business solutions, data-heavy applications, and ubiquitous high-speed connectivity. However, as with any data connectivity that enables a farther reach with more end-points connected, it does bring a set of challenges.
He puts the spotlight on network ubiquity here. “As 5G makes mobile networks more powerful, employees and business devices may start to use them for newer applications, which were limited by bandwidth capabilities of current technologies. This emphasizes the need for taking security services to the edge; with smarter and disparate devices connecting to business, utility services, etc. This would put SASE (Secure Access Service Edge) at the core of securely connecting, managing whilst delivering applications in a seamless manner.”
“It can possibly increase the likelihood of denial-of-service (DoS), distributed denial-of-service (DDoS), or even attacks due to the sheer number of connected devices.”
Venkat Krishnapur, Vice President, Engineering & Managing Director, McAfee Enterprise India
“Full network visibility combined with ML and AI for detecting abnormal behaviour and hence taking action in real time will become standard operating procedure.”
Gaurav Agarwal, Senior Director – Enterprise Sales, VMware India
As for IoT, he cautions that historically, IoT devices have had poor security, creating potential gaps in an organization’s security, while expanding its attack surface.
“One of the best, innovative approaches is to use ‘nano’ footprint plugins that can work on any device or operating system across various environments.”
Prakash Bell, Head, Customer Success, Regional SE Lead, Check Point Software Technologies, India & SAARC
The GSMA Intelligence survey echoes this: 5G private networks have a bigger attack surface as they focus more on IoT, connecting more devices. What has been pointed out as a disturbing finding here is that some enterprises still don’t regard data from IoT devices as important. 5G SA has been explained here as more secure than any previous network generation. But the problem begins when the attack surface expands and the convergence of IT/OT and IoT continues, which is where any security breach has a company-wide impact.
The security side of 5G is a big cause of concern. Yong Zhou, Security Solutions Architect, Keysight Technologies, says this is so because 5G provides critical enterprise and national infrastructure and enables mission-critical applications like industrial IoTs (IIoTs), connected automotive, and robotic medicines. Add to that the fact that the 5G network architecture is more open, disaggregated, and virtualized, which, together with its support for user equipment (UEs), greatly expands its attack surface for cyber threats compared to previous generations of monolithic networks.
5G will bring with it many benefits, but the newfound connectivity between devices will exponentially increase the surface of vulnerability, making it simpler for cybercriminals to infect devices, stay hidden, and cause widespread damage. For cybercriminals, an increased attack surface can only mean increased opportunities to exploit for their nefarious gains, Krishnapur reasons.
“Earlier this year, McAfee Enterprise researchers discovered a cyber espionage campaign targeting telecommunications companies linked to 5G technology. The campaign, ‘Operation Diànxùn’, used branded phishing domains to lure telecoms workers into downloading malware to their work computers, with a strong focus on German, Vietnamese, and Indian telecom companies,” he informs.
And it’s not just IoT that we need to be worried about.
Abstraction – The big plus, the big fear
A major novelty about 5G is that its network infrastructure design hinges a lot on the disaggregation of network functions from the underlying infrastructure. It works a lot through Software Defined Networking (SDN), Network Function Virtualisation (NFV), and cloud-native architecture. So when we think of 5G, we are also thinking of 5G-specific aspects like Multi Edge Cloud (MEC), Non-Public Network (NPN), virtualization, and software-isation that could definitely affect security in a big way.
Bell avers. “Yes, carriers today have largely adopted NFV, bringing in VNF into multiple areas of their network. Moreover, the voice services are delivered over IP data networks allowing rapid scalability, switching performance, and quality. With more and more software-defined capabilities in their networks, securing the 5G infrastructure in itself is very important.”
“The open-source, virtualisation, and anyone can deploy 5G-aspect, will have a greater attack surface and potential for broader impact on vulnerabilities since all the deployments must be managed and patched. We see delays in patch management throughout the industry and this will likely convey to 5G,” warns McGregory as well.
As for software-isation and virtualization, they are expected to have a considerable impact on forthcoming 5G deployments as they guarantee to accelerate innovation of network architectures. Software-defined architectures become important in a high-speed, low-latency ecosystem such as 5G where network and bandwidth optimizations, for example, need reduced hardware dependencies. However, when software-based components are offered by different vendors, the potential for security holes due to integration complexity also intensifies, adds Krishnapur.
In the GSMA Survey report, it has been explained that the 5G network core will be based on SDN and NFV which make heavy use of the HTTP and REST API protocols. “These protocols are well known and widely used on the internet and are thus hackable,” reminds the report. As many as 41% of operators highlight vulnerabilities related to network virtualization.
Gaurav Agarwal, Senior Director – Enterprise Sales, VMware India explains the aspect of virtualization and software-ization here, and whether it affects or aids security in a big way. “A software-defined network delivers visibility into the entire network, providing a holistic view of security threats. Operators can create separate zones for devices that require different levels of security, or immediately quarantine compromised devices so that they cannot infect the rest of the network and SDN supports moving workloads around networks quickly. For instance, dividing a virtual network into sections, using a technique called NFV allows telecommunications providers to move customer services to less expensive servers or even to the customer’s own servers.”
Now the disaggregation of Core and RAN makes security a very important consideration as the attack surface increases dramatically and all players in the supply chain will not have consistent secure frameworks. “Full network visibility combined with machine learning (ML) and artificial intelligence (AI) for detecting abnormal behavior and hence taking action in real-time will become standard operating procedure. Perimeter Security will have to be complemented with East to West traffic visibility and security to prevent lateral movements.”
As Krishnapur dissects it, compared to traditional telecom networks, MEC has undergone significant changes in network architecture and operational models, which have spawned new security threats and challenges. “MEC often contains data assets of operators and industrial customers, making it necessary to manage each party from the aspects of authentication, authorization, and monitoring to secure MEC nodes.”
Then there is the aspect of an NPN. Typically, an NPN is intended for the sole use of a private organization, providing coverage and private network services to devices that are within the organization’s defined premises, explains Krishnapur. “An NPN can be secluded from external networks and stay behind corporate firewalls. However, the standardization work on the use of NPNs in 5G systems is still in its infancy. The increased adoption of 5G will require NPN to combine the security and configurability benefits of a private network with the significant advantages of 5G.”
Historically, internet of things (IoT) devices have had poor security, creating potential gaps in an organization’s security, while expanding its attack surface.
Plus, there is the legacy baggage again. Just a minority of 5G private networks will be greenfield, and most will have to integrate and interoperate with existing (legacy) technologies. The GSMA Survey report says that merely a quarter of surveyed operators see it as a challenge.
Filling the gaps – In time
Security cannot be an option – especially when we expect 5G to touch a lot of citizen applications and state infrastructure as well. All this has prompted many governments to look at the security aspect of telecom operators, drawing up guidelines for telcos to adhere to, as these networks form part of any nation’s mission-critical infrastructure. Bell suggests that security is fundamental and is to be embedded in the architecture, design, and operations of such infrastructures; and cannot be an afterthought.
Forrester’s report, ‘The CIO’s Guide To 5G In The Public Sector’, notes that only 34% of public sector decision-makers recognise the technology’s ROI (compared to 42% across all industries) and 32% remain unconvinced of its ability to increase operational efficiency. It suggests that we should be making security and privacy imperatives to protect citizens and government data. “To build trust, data protection technology must be integral to any 5G solutions in the public sector.”
A lot of measures can be taken. We can lock the stable doors well in time before the horses stroll out. For instance, there is a need to take care of the IoT surface area. Suggests Bell, “Given this huge volume and variety of products, many of which will have extremely limited or zero security capabilities, organizations would need an easy way to deploy and manage security on any type of device. One of the best, innovative approaches is to use ‘nano’ footprint plugins that can work on any device or operating system across various environments. These ‘nano’ software agents control every attribute that goes to, and from, the device on the 5G network and connect to the consolidated security architecture to enforce protection.”
The connectivity between devices will increase the surface of vulnerability, making it simpler for cybercriminals to infect, stay hidden, and cause widespread damage.
Agarwal illustrates how, for the rollout of new services, Airtel felt limited due to its existing legacy networking and security architecture. “Despite the size and the scale of its operations, Airtel found it challenging to adapt to the changing preferences of its consumers. Hence, Airtel decided to transform its traditional security operations to a software-defined network security model. Previously, their legacy physical firewalls added layers of complexity during mission-critical troubleshooting. The lack of automation and inconsistency in configuration also limited policy information. Deploying NSX SDFW turned this around by optimizing their firewall policies by reducing their firewall rule count by over 30%.”
As Zhou weighs in, there are two sides to the security concern – one is supplier-related and the other is related to the service provider. “Because of the 5G network architecture, securing the supply chain of the 5G network elements is the foundation of a secured 5G.” Also, securing its networks, communications, and operations is key to a secured 5G network, which includes (but is not limited to) zero-trust architecture, network security controls at the perimeter and internal zone/segment, end-to-end encryption, and continuous security assessments and monitoring.
Zhou stresses the ‘Security by Design’ principle and advises that MEC/virtualization requires trusted computing at the infrastructure and host layer, authentication at the MEC application layer, and encryption at the transport layer, while service APIs should be another security emphasis. “Third-party/open-source software (applications) bring in additional risks to the end-to-end security, therefore we need to follow the above-mentioned guidance of supplier security.”
Bell also recommends the use of automation and strong security posture management solutions that would simplify governance and make enforcement of compliance easier. Krishnapur points out that there is a need to develop governance, ensure compliance, and strengthen the design in order to deploy and operate secure network infrastructure and services. “To ensure this, users, devices, software, networks, and back-end infrastructures all play an important role in improving the security of 5G devices.”
In response to the dynamic nature of threats, CSOs and CTOs will need to invest in security solutions that are agile enough to evolve alongside threats, he adds. “Practices like employee awareness and training, policies, and tools to reduce insider risk, protection of intellectual property will need to be updated. Training should be provided and good practices rewarded.”
Thankfully, according to the GSMA Intelligence survey, over 45% of operators have considered it extremely important to invest in security to help them achieve a long-term enterprise revenue goal in 2021. And certainly, the realisation and awareness matter.
There is no doubt that 5G will have its chinks. But the Achilles heel can still be in the left foot if the industry puts the right foot forward and uses it smartly, wisely, and with a mindset that does not forget or side-step security but prioritises it. Tip-toeing may help too. Until we feel sure-footed enough.
pratimah@cybermedia.co.in