Adam Brady at Illumio explores the new risks introduced by 5G and how the security and legal landscapes will change to manage them.
The telecoms industry has always been a fast-moving field, driven by rapidly evolving technology. Network operators must continually adapt their infrastructure and strategies to incorporate new technological developments – and the security and compliance challenges that come with them.
New technology can often represent a seismic shift in the way telecoms services are provided, enabling operators to provide faster connections over wider areas. This is particularly the case with 5G, the latest technical revolution in the sector.
While the average consumer will generally think of 5G as providing faster mobile download and streaming speeds, and the new technology can be as much as 20 times faster than a 4G connection, faster download speeds are only one facet of what the transition to 5G is providing.
The new technology is capable of delivering latency rates of just 1 millisecond, compared to the average 200 milliseconds seen in most 4G services. This has huge potential for fields such as internet of things (IoT) and operational technology (OT) where devices are operated remotely.
The low latency also means that many more devices can be connected to the same network in the same area, requiring far less energy. This means devices can operate for longer while also costing less to produce. Taken together, these advantages can transform the way many industries operate.
However, as with most technological advances, 5G is not without its drawbacks. Amidst all the bizarre conspiracy theories about COVID and mind control are some very real concerns about security. The telecoms companies constructing 5G infrastructure must contend with both potential new attack surfaces being exploited by threat actors, and internal threats with geopolitical motivations.
Perhaps more than any technical development before it, 5G is also forcing operators to keep up with a rapidly evolving regulatory landscape that is moving much faster than that which we normally see for technical laws.
What are the threats to 5G?
The most high-profile security concern around 5G has been the supply chain, particularly the potential for interference by foreign companies supplying equipment and infrastructure. The UK Telecoms Supply Chain Review Report published in July 2019 by the DCMS said that “the most significant cyber threat to the UK telecoms sector comes from states.”
While there have been concerns about several different vendors with ties to nation states, the most prominent example was the involvement of Chinese telecom giant Huawei, which had a large role in the initial development of the UK’s 5G infrastructure. There were widespread concerns that the company could establish secret backdoors that would allow the Chinese government to covertly access the network, conduct surveillance, and exploit it in hostile cyber activities.
Huawei was initially banned from involvement in the most sensitive core elements of the UK’s national 5G network, and the situation eventually escalated to the UK government banning the purchase of Huawei 5G equipment from 2021 onwards and committing to removing all existing technology from 5G networks by 2027. This will be a major priority for telco companies, and we are aware of several that are already underway with replacing their Huawei equipment.
Like all other forms of technical infrastructure, 5G networks will also be in the sights of cyber criminals. The most likely target will be the operators’ management layer, which confers a great deal of control over the network.
While the packet core is unlikely to be a direct target, lateral movement into the management layer and supporting services is a more realistic concern. The network as a whole is too big to attack head on, but attackers can compromise a machine at a network operator and move laterally to access the management layer. From there, an attacker will have a vast attack surface available to them.
One notable trait of the telecoms industry is that most operators tend to use very similar kinds of architecture and builds, whereas other entities such as banks tend to have very distinct infrastructure from each other. This can be quite advantageous when it comes to establishing interoperability between systems and an established security architecture.
It can also be a security weakness. The risk is that if threat actors discover a vulnerability in one operator’s infrastructure, they will potentially be able to exploit the same weakness in other organisations as well.
How does 5G security differ from 4G?
5G is not simply a faster version of 4G – it is a whole different technology. As well as performance, there are some fundamental shifts in security. This includes several improvements such as in-built end-to-end encryption with IMSI (International Mobile Subscriber). But there are also some new risks.
One of the biggest changes is that 5G enables devices to connect more directly to backbone applications and networks, whereas previous technology featured more intermediary layers . This is key to 5G’s transformative low latency. However this direct connectivity also means removing layers of obfuscation and security functions.
This new threat landscape is still largely theoretical. The true potential threats will probably not be understood until businesses have been using it for longer – and unfortunately potentially not until a landmark security breach has occurred.
5G has particularly strong applications for IoT and OT – two areas with their own distinct security challenges. IoT devices are often known to fall short on delivering adequate security, while OT systems often struggle with reconciling 30-year-old air-gapped industrial technology with digital cyber threats. 5G may exacerbate these risks and create new opportunities for threat actors.
The rapidly evolving legal landscape
Suitably enough for a technology that offers a revolution in speed, the legal and regulatory landscape around 5G is also moving at an unprecedented pace.
In November 2020, the DCMS published the Telecommunications (Security) Bill to establish a legislative framework suitable for keeping 5G infrastructure secure. Considering there was little by way of official guidance even three or four years ago, this is a remarkably fast turnaround for technical legislation.
The bill has a major focus on combating the risk of internal threats and backdoors. Telecoms operators must stop using equipment from high-risk vendors or face fines of up to ten percent of their turnover, or even as much as £100,000 a day for continuous contravention.
Other elements mandated by the bill include implementing secure design and maintenance for the sensitive equipment in the core of the network that handles how infrastructure is managed, as well as the implantation of effective access controls and regular security auditing.
Specific guidance has also been published in the Telecoms Security Requirement (TSR). The guidance draws on extensive research from the NCSC and lists comprehensive analysis of different threats and prescriptive advice on securing infrastructure. The process was also very interactive, and we are aware of telecoms clients that were provided with the chance to review drafts and feedback on language and processes.
What next for 5G?
We are now at the crucial phase where most operators’ 5G infrastructure is transitioning from build-and-design to real use. Most telecom companies are in a similar phase of productionising their networks.
Time will now tell how the interplay between security and risk introduced by 5G will work in the real world. Similarly, we will now wait and see if the new regulations and guidance have hit the mark and will withstand attention from threat actors.
We can expect lawmakers to act quickly to amend and adapt legal and regulatory powers as the situation develops. Telecoms operators will likewise need to be able to move rapidly to adapt their infrastructure as new laws – and threats – emerge.
Adam Brady is Director of Systems Engineering, EMEA at Illumio
Main image courtesy of iStockPhoto.com