Get Ready for the 5G Security Transformation
By Richard Orgias
5G will usher in a new era of wireless networking, or at least that is what the headlines would have us believe. The promise is that 5G will offer much faster connection speeds than current-generation 4G technologies, opening up new ways to use wireless network capacity to support both human subscribers and Internet-of-Things (IoT)-enabled services.
Resulting growth will be explosive, with the 5G subscriber base projected to rise from effectively zero today to one billion by 2023. In the same way that Captain Quinn needed a bigger boat to take on the great white shark in Jaws, wireless network providers need to expand their capabilities in terms of speeds, supportable subscriber base, and robust cybersecurity.
While many may view 5G as the next step in the evolution of cellular phone technology development, this view is limiting. In fact, 5G is viewed by its proponents as a way to converge all wireless networking services—mobile devices, WiFi, near field communications, Bluetooth, etc.—under a single technological umbrella. Accordingly, 5G proponents envision three domains of 5G services. These include:
- Enhanced Mobile Broadband (eMBB). Much like the current bill of cellular communications services, but faster and with more subscriber capacity.
- Ultra-Reliable Low Latency Communications (URLLC). Services for autonomous vehicles, industrial, and connected electro-mechanical systems.
- Massive Machine Type Communications (MMTC). A connecting fabric for Internets-of-Things (IoT) applications.
To date, deployments of 5G have focused on limited cases. For example, communications service providers demonstrated 5G at the 2018 Winter Olympics in PyeongChang, South Korea and at the 2018 Commonwealth Games in Queensland, Australia. Several U.S. wireless communications providers plan to offer 5G on a trial bases in select urban areas in 2019, with a full, nationwide commercial rollout expected in 2020.
Some Significant Sea Changes
But 5G offers more than just faster, higher capacity mobile communications for subscribers. Wireless networking evolves from a service provider operated infrastructure into an open platform that is expected to spur product and service innovation. This promises customers choice and convenience, offering businesses of all kinds of new opportunities for profit and differentiation.
Some of the factors advancing this revolution include service convergence, dedicated roles for industrial and IoT services, and virtually unlimited capacity. However, 5G technology also calls for migrating significant amounts of computing power and storage from remote data centers and cloud installations to the network edge. In provisioning computing services closer to end users, 5G base stations acquire intelligence sufficient to act as application servers. This also means that 5G service providers will be able to offer capacity on their base stations to third parties seeking to deliver applications and services to end users.
Exactly what kinds of applications and services third parties will offer is a big TBD at present. It is reasonable to expect that these will initially include a mix of a) established mobile computing services—mapping/navigation, entertainment, delivery, payments, etc., b) previously non-mobile services—industrial, physical access control, and office networks, and c) innovative services, many of which we can’t imagine yet—autonomous vehicles, augmented/virtual reality, cash register-less retail, and whatever else might be attracting bets on Kickstarter and other venture capital-based venues.
Security Implications of 5G
Needless to say, by disrupting current relationships between networks, computing resources, and end users, 5G will have a tremendous collateral impact on cybersecurity. One can foresee several knock-on effects of the 5G revolution. But it is safe to say that many unexpected things will likely occur beyond the expectations of the most well-briefed technology analyst. The following are a few:
- Bigger, Weirder Attack Surfaces. An explosion in the sheer numbers of users, devices, applications, and services will vastly expand the potential attack surface available to be exploited. Not only are there more targets to attack, but the methods of accessing sensitive resources will change, often in unpredictable ways. For example, at present, installing a firewall across an Internet backbone is a standard way to filter traffic ingressing and egressing an enterprise. What happens when users—some with bad intentions—can come and go at will, able to exploit edge-computing resources for which responsible organizations exercise no visibility or control?
- Increased and More Menacing Public Infrastructure Attacks. Right now, cybersecurity professionals have their hands full protecting public infrastructure—the electric grid, water, fossil fuel pipelines, and the like from Internet-borne attack. What happens when private and public vehicles, flying drones, facility HVAC, elevator and power control systems, and institutional and personal healthcare devices climb aboard the 5G express?
- Securing Edge Resources. Migrating workloads to 5G edge-computing resources combines the cybersecurity risk factors posed by endpoint computing with those of cloud computing. That is to say, how do you monitor and maintain thousands of computing nodes for which you have limited access rights and that can come and go as their owners shift workloads around?
- The Vanishing Perimeter. By now, cybersecurity professionals have gotten used to the idea that the perimeter, if it exists at all, has become ambiguous and porous. What happens when all wireless networks converge into 5G and connectivity becomes amorphous? In particular, network segmentation has been positioned as an effective technique for containing cybersecurity risks and protecting sensitive resources. How do you segment a network that doesn’t differentiate between local and remote resources and mixes segments that you may or may not have rights to control?
Opportunities in Working Clothes
“Won’t get fooled again” should be the motto of every IT organization preparing to take advantage of the 5G revolution when it comes to cybersecurity. Rather than fretting about security risks that come with the move to 5G networking technologies, security professionals have the opportunity to build security into 5G projects from the beginning. To a certain extent, attempting to manage 5G-related cybersecurity risks will involve preparing for the unimaginable. Indeed, there are many current cybersecurity technologies and techniques that can reduce opportunities for harm. These include:
- Upgrading Threat Intelligence. Many 5G threats and exploits will be completely new ones—both in terms of how they attack and what they attack. Due to the high probability of attack innovation, plus the fact that it will be early days for the 5G learning curve in the IT and cybersecurity communities, upgrading and honing threat intelligence should be the top priority when building security into 5G-related initiatives.
- Strengthened Access Controls. With 5G networks exposed to many more people and things, I expect a renewed interest in network and resource access controls. In fact, the closer that organizations can come to operating their IT infrastructures on a zero-trust basis,—where they don’t have to rely on the good intentions of resource end users to transact business—the better.
- Fabric-based Security Architectures. Vendors, such as Fortinet, offer fabric-based approaches to security that can stretch and trim to meet changing requirements—an especially valuable attribute in a time of rapid change. In particular, the most advanced security fabrics are increasing their usage of software-defined network (SDN) technologies to agilely stay ahead of adversary “innovation,” quickly deploying capabilities to address new wrinkles in enterprise attack surfaces.
Cybersecurity as Change Enabler
One final thought. In preparing your organization for the 5G era, sound cybersecurity should be practiced as an enabling technology rather than an added cost and complexity tax on innovation. I’m personally very bullish on 5G. If anything, communications service providers have undersold the benefits of the coming 5G transformation. Don’t let security worries get in the way of your organization’s moves to harvest the benefits of 5G. Prepare now, and seize the day.