Managing the new security landscape of 5G, and beyond
Adam Brady at Illumio explores the new risks introduced by 5G and how the security and legal landscapes will change to manage them.
The telecoms industry has always been a fast-moving field, driven by rapidly evolving technology. Network operators must continually adapt their infrastructure and strategies to incorporate new technological developments – and the security and compliance challenges that come with them.
New technology can often represent a seismic shift in the way telecoms services are provided, enabling operators to provide faster connections over wider areas. This is particularly the case with 5G, the latest technical revolution in the sector.
While the average consumer will generally think of 5G as providing faster mobile download and streaming speeds, and the new technology can be as much as 20 times faster than a 4G connection, faster download speeds are only one facet of what the transition to 5G is providing.
The new technology is capable of delivering latency rates of just 1 millisecond, compared to the average 200 milliseconds seen in most 4G services. This has huge potential for fields such as internet of things (IoT) and operational technology (OT) where devices are operated remotely.
The low latency also means that many more devices can be connected to the same network in the same area, requiring far less energy. This means devices can operate for longer while also costing less to produce. Taken together, these advantages can transform the way many industries operate.
However, as with most technological advances, 5G is not without its drawbacks. Amidst all the bizarre conspiracy theories about COVID and mind control are some very real concerns about security. The telecoms companies constructing 5G infrastructure must contend with both potential new attack surfaces being exploited by threat actors, and internal threats with geopolitical motivations.
Perhaps more than any technical development before it, 5G is also forcing operators to keep up with a rapidly evolving regulatory landscape that is moving much faster than that which we normally see for technical laws.
What are the threats to 5G?
The most high-profile security concern around 5G has been the supply chain, particularly the potential for interference by foreign companies supplying equipment and infrastructure. The UK Telecoms Supply Chain Review Report published in July 2019 by the DCMS said that “the most significant cyber threat to the UK telecoms sector comes from states.”
While there have been concerns about several different vendors with ties to nation states, the most prominent example was the involvement of Chinese telecom giant Huawei, which had a large role in the initial development of the UK’s 5G infrastructure. There were widespread concerns that the company could establish secret backdoors that would allow the Chinese government to covertly access the network, conduct surveillance, and exploit it in hostile cyber activities.
Huawei was initially banned from involvement in the most sensitive core elements of the UK’s national 5G network, and the situation eventually escalated to the UK government banning the purchase of Huawei 5G equipment from 2021 onwards and committing to removing all existing technology from 5G networks by 2027. This will be a major priority for telco companies, and we are aware of several that are already underway with replacing their Huawei equipment.
Like all other forms of technical infrastructure, 5G networks will also be in the sights of cyber criminals. The most likely target will be the operators’ management layer, which confers a great deal of control over the network.
While the packet core is unlikely to be a direct target, lateral movement into the management layer and supporting services is a more realistic concern. The network as a whole is too big to attack head on, but attackers can compromise a machine at a network operator and move laterally to access the management layer. From there, an attacker will have a vast attack surface available to them.
One notable trait of the telecoms industry is that most operators tend to use very similar kinds of architecture and builds, whereas other entities such as banks tend to have very distinct infrastructure from each other. This can be quite advantageous when it comes to establishing interoperability between systems and an established security architecture.
It can also be a security weakness. The risk is that if threat actors discover a vulnerability in one operator’s infrastructure, they will potentially be able to exploit the same weakness in other organisations as well.
How does 5G security differ from 4G?
5G is not simply a faster version of 4G – it is a whole different technology. As well as performance, there are some fundamental shifts in security. This includes several improvements such as in-built end-to-end encryption with IMSI (International Mobile Subscriber). But there are also some new risks.
One of the biggest changes is that 5G enables devices to connect more directly to backbone applications and networks, whereas previous technology featured more intermediary layers . This is key to 5G’s transformative low latency. However this direct connectivity also means removing layers of obfuscation and security functions.
This new threat landscape is still largely theoretical. The true potential threats will probably not be understood until businesses have been using it for longer – and unfortunately potentially not until a landmark security breach has occurred.
5G has particularly strong applications for IoT and OT – two areas with their own distinct security challenges. IoT devices are often known to fall short on delivering adequate security, while OT systems often struggle with reconciling 30-year-old air-gapped industrial technology with digital cyber threats. 5G may exacerbate these risks and create new opportunities for threat actors.
The rapidly evolving legal landscape
Suitably enough for a technology that offers a revolution in speed, the legal and regulatory landscape around 5G is also moving at an unprecedented pace.
In November 2020, the DCMS published the Telecommunications (Security) Bill to establish a legislative framework suitable for keeping 5G infrastructure secure. Considering there was little by way of official guidance even three or four years ago, this is a remarkably fast turnaround for technical legislation.
The bill has a major focus on combating the risk of internal threats and backdoors. Telecoms operators must stop using equipment from high-risk vendors or face fines of up to ten percent of their turnover, or even as much as £100,000 a day for continuous contravention.
Other elements mandated by the bill include implementing secure design and maintenance for the sensitive equipment in the core of the network that handles how infrastructure is managed, as well as the implantation of effective access controls and regular security auditing.
Specific guidance has also been published in the Telecoms Security Requirement (TSR). The guidance draws on extensive research from the NCSC and lists comprehensive analysis of different threats and prescriptive advice on securing infrastructure. The process was also very interactive, and we are aware of telecoms clients that were provided with the chance to review drafts and feedback on language and processes.
What next for 5G?
We are now at the crucial phase where most operators’ 5G infrastructure is transitioning from build-and-design to real use. Most telecom companies are in a similar phase of productionising their networks.
Time will now tell how the interplay between security and risk introduced by 5G will work in the real world. Similarly, we will now wait and see if the new regulations and guidance have hit the mark and will withstand attention from threat actors.
We can expect lawmakers to act quickly to amend and adapt legal and regulatory powers as the situation develops. Telecoms operators will likewise need to be able to move rapidly to adapt their infrastructure as new laws – and threats – emerge.
Adam Brady is Director of Systems Engineering, EMEA at Illumio
Main image courtesy of iStockPhoto.com
Can you accurately work out where your critical controls failed?
One of my squaddies shared an article with me this weekend that I feel compelled to share here because its subject – the malicious “insider threat” – tends to make leaders queasy. The article was written by David Roza for the website Task & Purpose on 26th January and titled (seriously!): ‘Delete all phones’ — How one man killed communications at an Air Force base for weeks. Kudos to the editor because that headline has made me laugh every time I’ve read it.
I’m only going to summarize the story since I want you to both read and share the original. In a nutshell, some years back, the military IT boffins at Whiteman AFB, Missouri hired a corporate contractor to run part of their voice systems network for them. In October 2017, one of the civilian company’s civilian contractors decided – for some reason – to destroy all of the base’s virtual phone records in their VOIP switch. This fellow took it upon himself to wilfully and maliciously scrag thousands of virtual phones, plunging the base into administrative chaos. Then … and this is, to me, the best part of the story … the saboteur just … stayed at his desk, He carried on working for an unknown number of days or weeks until the MPs nicked him.
You’d think that sort of criminal breach of trust would lead to the perpetrator getting fricasseed by a drone-delivered AGM-114R9X “flying ginsu” missile. Apparently, the base’s reaction wasn’t so creatively vindictive (although I daresay I can guess how the local comm squadron commander felt about it). Per the last paragraph in Mr. Roza’s article:
“The [accused’s plea]agreement does not specify why [the accused] triggered the command, but it did explain that his crimes have a maximum punishment of 10 years of imprisonment and a $250,000 fine. Instead, with the guilty plea, [the accused] agreed to a sentence of five years’ probation, no fine, $26,927.08 in restitution to the Air Force and a $200 special assessment. The court has the option of rejecting the plea agreement.”
That seems like an awfully good deal, considering
This fellow is guilty of violating privileged user ethics rules and sabotaging a comms system on a bomber base. Yeah, I can see the military “rejecting the plea agreement.” If nothing else, the next potential “rebel sysadmin” needs to consider what awful fate befell this bloke and reconsider their dastardly plan before pulling a similar stunt on their government employer’s crucial C4I systems.
All that being said, I’m absolutely fascinated by the fact that the saboteur didn’t immediately flee after committing his crime. I want to read the court psychiatrist’s records on this case. Saboteur dude did a sabotage, then stuck around like nothing hand happened! He kept processing work orders (or whatever his job was) for … hours? Days? Weeks? I suspect that a more rational criminal would have legged it just as soon as their caper was complete. What was this guy thinking?! He had to realize that getting caught would bring a world of hurt down on him. Abusing your privileged position and betraying your nation’s trust to disrupt critical comms for a freaking military base? That’s not the sort of “whoopsie!” moment that the military is known for laughing off.
This one, peculiar twist in the narrative stands out to me like one of those third act side comments from an episode of Vera that retroactively re-frames the entire narrative and shifts focus from the assumed suspect onto one of the minor background characters. There’s something about this odd, unexpected, atypical behaviour that I find captivating. If the saboteur’s objective was to inflict a coms outage, then why stick around after the deed was done. If the objective was to make a statement, then why not make one as soon as the attention-grabbing exploit was executed? If, instead, the objective was to keep getting paid as cushy government contractor gig, then why sabotage the bloody phone system in the first place?
Insider threat cases fascinate me. The psychopathology required to gamble away a fantastic opportunity and ruin your life for such small potential gain …
It’s maddening. It really is. We’re probably never going to know the fellow’s real motivations or thought process, so let’s make the best of what we do have: the internal sabotage of Whiteman AFB’s VOIP service can serve as a killer case study or tabletop exercise premise for Cyber Ops teams. It’ll make for great discussion fodder. Consider:
- How was one sysadmin able to execute the entire delete all phones command sequence on his own? Why were our ‘two-person accountability’ rules violated without anyone knowing?
- Why did this major system change not trigger any alarms? Or were alerts sent to Splunk, etc., and missed or ignored?
- Why wasn’t the VOIP phones database backed up such that it could be restored in hours rather than re-built over weeks?
- Had anyone noticed this fellow acting strangely in the weeks leading up to the crime? If someone did notice peculiar behaviour, why didn’t they report it? If they did report it, why weren’t those concerns acted on?
- Did this fellow have any history of squirrely behaviour, either on this job or in previous jobs? If there was evidence of potential untrustworthiness, why was this fellow entrusted with superuser authority over this comms system?
So many good questions. I imagine the After-Action Review from Whiteman has already addressed these questions and has meticulously reconstructed the event from square one. I’d adore getting to read it (just please don’t send me classified info, as I don’t have a U.S. security clearance anymore) (thanks).
For the record, I am not the least bit interested in trying to continue this column series from prison. I’m all for a healthy challenge, but … no thanks. I’ll pass.
Nonetheless, with a little adaptation, I encourage security departments everywhere to use variations of these same questions in a local exercise. Pick a system that a malicious insider could take offline with their elevated credentials and play through not just the immediate security incident, but the post-incident investigation as well. Challenge yourselves: can you accurately work out what really happened and where your critical controls failed?
Odds are, a rousing tabletop exercise might highlight a few of your team’s existing suboptimal security controls. Give you a change to apply some process improvement now, before they’re really needed. That might save your organisation a ton of downtime and drama if one of your own – God forbid – tries to pull off a “Whiteman Wipe.”
Author: Keil Hubert
Keil Hubert is the Head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
