Thanks to the advent of open radio access networks, or Open RAN, which adds a huge software ecosystem to the radios, cell towers and base stations converting wireless signals to data, 5G is a ginormous data onramp to the network of networks we call the internet. The latest generation of wireless promises to deliver, to filch from a Hollywood box-office title, “Everything Everywhere All At Once.”
What is 5G security?
5G security, operating outside the walled garden of dedicated equipment, servers and protocols that characterized 4G LTE, involves a software ecosystem as part of the “virtualization” of RAN and implicates containers, microservices and other cloud-forward services as a new core network.
As former FCC Chairman Tom Wheeler wrote in a recently released Brookings report on securing 5G systems, the 5G standard brings with it two synergistic cybersecurity challenges:
- The 5G standard “virtualization” means network functions that used to be performed by proprietary or single-vendor hardware are now being performed by software, and software is hackable — ergo, network infrastructure built on software code is vulnerable.
- Network operators are supplementing or replacing traditional infrastructure vendors and closed proprietary systems with an expanded set of vendors bearing O RAN protocols. Wheeler wrote that this diversity of suppliers could become a per se invitation to a new diversity of unaddressed attack vectors
The open, flexible and programmable nature of 5G networks, he noted, make for a highly susceptible framework.
The dangers of 5G security
Networks are only as strong as their weakest link
Among other things, 5G constitutes networks linked, often weakly, because each network and device within it may have different security protocols and technology. Partly because of this, the demand for 5G security products is powering up a booming security vendor ecosystem for things like next-generation firewalls and DDoS attack defense and security gateways.
Grand View research predicts the global 5G security market will reach $27.59 billion by 2030 — a CAGR of $39.6 billion from 2022 to 2030 — driven in part by improvements in software-defined technologies like network slicing.
SEE: Best network monitoring software and tools (TechRepublic)
Talk amongst yourselves
With 5G-enabled automated communications, machines and devices in homes, factories and on-the-go will communicate vast amounts of data with no human intervention, creating greater risk.
Kayne McGladrey, field CISO at HyperProof and a member of IEEE, explained the dangers of such an approach.
“Low-cost, high-speed and generally unmonitored networking devices provide threat actors a reliable and robust infrastructure for launching attacks or running command and control infrastructure that will take longer to detect and evict,” he said.
McGladrey also pointed out that as organizations deploy 5G as a replacement for Wi-Fi, they may not correctly configure or manage the optional but recommended security controls.
“While telecommunications providers will have adequate budget and staffing to ensure the security of their networks, private 5G networks may not and thus become an ideal target for a threat actor,” he said.
Virtualization: Let the wrong one in
5G virtualized network architecture opens every door and window in the house to hackers because it creates — in fact, requires — an extraneous supply chain for software, hardware and services. It invites software development using open source code, and lots of software as-a-service frameworks living in easy-to-jimmy edge cloud systems.
In a May 2022 report on the security of Open RAN, the EU noted that strengthening the role of national authorities, audits on operators and required information are all high impact measures that could help ensure the application of basic security requirements.
McGladrey said the NIST special publication on 5G Cybersecurity offers a good basis for security requirements for 5G network architecture.
“Although this document is in draft form, it provides a reasonable risk analysis including the mitigations for those risks,” he said. “A theme throughout the document is security observability and visibility throughout the environment so that security teams can rapidly identify security events.”
Trust no one
Especially important to 5G is the need to mandate who gets access to systems, including virtualized networks, network management operations and monitoring, and efforts to bolster software integrity.
In a new study, the CTIA takes on the task of delineating zero trust for policymakers. The trade association argued that zero trust needs to replace the “single perimeter defense” or “castle-and-moat” model that typified previous generations of wireless.
The group delineated key terms:
- Zero trust is a network security approach designed to minimize uncertainty by requiring continuous authentication of users, applications and any associated devices as they access different parts of a network and corresponding network functions.
- Zero trust architecture refers to the way an organization applies zero trust principles to its own networks. Because each network has different capabilities and designs, ZTAs must be customized to fit within the constraints and risk profile of a given network.
- Zero trust network access refers to the consequence, outcome or implementation of zero trust architecture — in particular, the products or services that use access control rules to define the data, applications, services and other access areas.
For their part, the CTIA advocates for a laissez faire approach, rejecting any single, fixed method and avoiding private sector mandates.
McGladrey sees a potential risk implicating network hardware, as counterfeit or inherited components could include functionality allowing a threat actor to compromise the confidentiality, integrity or availability of data.
“This risk could become a reality if a vendor intentionally included malicious software in their components, or an indirect attack, where a threat actor compromises the build process of a component manufacturer to insert malicious code without the approval of the vendor,” he said.
There will be big rewards for the U.S. or any nation that can cultivate security and tech innovation. The government, policymakers and anyone with oversight might want to tread with a light — or maybe agile — foot. As Walker said, efforts should be aimed at “encouraging investment while keeping pace with technology, markets and the activities of aggressors.”