5G is set to revolutionize the mobile communications industry — offering high data rates, low-latency and ubiquitous connectivity with levels of reliability not previously seen. This will enable new services and use cases that go far beyond communication between individuals. The rapid progression of 5G deployments has huge potential for connecting economies at scale, while simultaneously exposing potential vulnerabilities that must be addressed.
Shift to software-centric, virtualized networks changing the communications landscape
To deliver higher performance and lower cost, 5G networks are leveraging technologies that are software-centric and virtualized, moving from custom hardware to software components running on commercial off-the-shelf (COTS) hardware. This increase in software content across 5G deployments continues to fuel an exciting faster development pace. But with this comes some challenges since these 5G technology innovations are also expanding the attack surface of the system. While 5G core network functions are making use of a new and different software architecture, common technologies like HTTP and REST APIs that are well known are replacing proprietary interfaces of the past. All of these things increase the potential for cybersecurity attacks and vulnerabilities.
Network Function Virtualization (NFV) will deliver far more scalability than traditional platform approaches. NFV relies on a software stack and infrastructure where network functions execute. While virtualization has significant advantages in terms of scalability and efficiency of the underlaying hardware resources, moving to a software platform that is made up of many different components from many different vendors, often including open-source, increases the risk of a vulnerability being exploited that could compromise the entire system. Additionally, with 5G network slicing, which makes extensive use of virtualization techniques, guaranteeing slice isolation and preventing data leakage between slices are key for the security of the 5G networks.
Another core assumption with 5G is related to the proliferation of connected devices that will become an essential part of our daily lives. 5G will enable new use cases, where an agreed upon quality of service is required to support the reliability, throughput, or latency requirements associated with critical infrastructures and real-time systems. While there are standards available (or being developed) to mandate and evaluate security across different sectors like automotive, health, utilities, etc., there is lack of standardization for general IoT devices. The effect of poorly secured devices, proliferated across the network, can easily disrupt essential and nonessential services enabled by 5G.
5G networks are incredibly complex and the deployment of infrastructure elements at the edge, make them more difficult to secure. Network operators faced with the complexity of these systems may rely on a third party for the configuration and management of their networks, giving administration privileges to potential adversarial actors. Poorly configured systems may compromise the networks, independent of the definition and use of security functions defined in the standard.
Delivering on the promise of 5G will require security diligence
The global technology ecosystem is taking steps to ensure we have a hardened infrastructure and has made significant progress. Governments are carefully analyzing the security risks of 5G networks and systems. In the EU, the NIS Cooperation group completed a coordinated risk assessment of the cybersecurity of 5G networks, followed by a threat landscape for 5G by ENISA (European Agency for Cybersecurity). Similar studies and activities are taking place in other regions. At the same time, the mobile communications industry has developed a Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, to facilitate improvements in security levels across the mobile industry. NESAS uses a comprehensive approach to assess the product development life cycle, as well as security test cases defined by 3GPP SA3 for network equipment.
However, given the increase in the attack surface, the level of emphasis on the security must be intensified, especially compared with previously deployed generations of mobile communications systems.
The security industry offers many categories of security assessment tools including endpoint, penetration test, vulnerability scanning, fuzzing, and identity and access management solutions. All of these should be collectively used to validate all aspects of the communications infrastructure.
Comprehensive security testing will become paramount
Even though 5G standards will improve the security mechanisms over previous generations, there will still be areas that require further work to achieve and maintain secured 5G systems. The complexity of 5G networks require proper configuration and management of the security aspects, as well as tighter security for third parties managing the networks, ultimately making for stricter control of the supply chain.
The increase in software content of 5G networks and the massive increase of IoT devices will drive a need for enhanced security controls. This must be a key area of focus for the industry as 5G scales. Security standards and best practices guides are becoming available for different sectors, covering all software development stages, from architecture and design to coding, testing, and release. With the evolving landscape of vulnerabilities and threats, companies will need to carefully consider and adopt continuous security testing using automated tools that are regularly updated to the latest threats.
Satish Dhanasekaran is senior vice president and president, Communications Solutions Group, at Keysight Technologies, which addresses the end-to-end communications ecosystem including wireless and wireline, and aerospace defense. He is a member of the United States Federal Communications Commission (FCC) Technological Advisory Committee and sponsors Keysight representation in standards bodies such as 3GPP, CTIA - The Wireless Association, GCF/PTCRB, and industry consortia including IMT-2020 and the International Wireless Industry Consortium (IWPC).