U.S. 5G bandwidth availability has expanded and accelerated considerably in recent months, offering early adopters technological, financial and other competitive advantages. The lower latency and increased bandwidth of 5G are expected to drive an exponential increase in the volume and diversity of data, IoT devices and general innovation, which may simultaneously create an expanded attack surface. As such, organizations building 5G networks should approach the technology with a security-by-design mindset, while also building trust throughout multivendor ecosystems.
The problem is that many organizations may not be thinking about 5G cyber risks as fundamentally different from those of its 4G predecessor. Some subscribe to the false notion that implementing a pre-secured system on a 5G network is as simple as it was with 4G, but it’s not. Many 5G networks are built to serve specific use cases with enablement metrics, such as latency, bandwidth, speed and capacity, making them vulnerable to cyberthreats that exploit security domains including network access, availability, user equipment, application, data and 5G’s service-based architecture. Unlike 4G, where network elements are contained, many 5G core network functions are virtualized and run on mobile edge computing platforms. This also introduces new zones to be secured at the edge of the mobile network. Similarly, the increased number of IoT devices connecting to 5G inherently creates a wider attack surface than 4G networks ever had. The wide selection of 5G architectures and the variety of vendors offering 5G software-defined functions enable far more agility and innovation than legacy 4G networks.
While many organizations may relish the opportunity to create their own networks, the challenge is that if those networks are built from loosely coupled components, a broad security program must be built in — from early stages — to prevent, detect and mitigate cyberthreats in an effort to establish trust with business partners, customers, employees and/or stakeholders. And, as CISOs and security teams know, purposeful security by design is the place to start.
Building 5G security by design
The overall success of 5G adoption should begin with a fundamental rethinking of how organizations protect both physical and virtual network technology, edge deployment models and infrastructure — including cloud computing. Similarly, the ability to have private 5G networks interact with public 5G and 4G networks introduces a new security domain to be addressed. For example, an organization may allow its employees to switch between its private 5G network and public networks using the same device. In such scenarios, this new identity and device openness introduces new cyberthreats that should be accounted for and neutralized. Integrity protection for the user plane between the user equipment and next generation Node B is a new feature in 5G. While supporting integrity protection is mandatory for both user equipment and radio access network vendors, its use is optional — yet highly recommended for private 5G networks.
Further, 5G connectivity can enable organizations to take greater advantage of the functionality of new IoT devices, not all of which are created equally from a security perspective and some of which have new IoT-specific regulations pending. This situation raises important questions about data risks. In fact, according to a recent poll, data is the top challenge for companies that plan to adopt 5G in the next 12 months (26.8%), and a top three cybersecurity challenge for businesses that already use 5G (20.2%).
One way organizations can combat risk using data transmitted via 5G is through network slicing, which enables organizations to “slice” data into smaller groups to isolate it on subnetworks during transmission, thus increasing the security of that data. Note that 5G infrastructure must be designed to permit such data separation and management. Despite the advantages network slicing provides for data segmentation, use cases will require unique user authentication for each slice. This introduces additional threat vectors — especially if shared, central core functions exist.
Adopting a zero-trust framework for 5G may reduce the risk and effect of potential attacks through independence of user privileges and processes, ultimately enabling more resilient environments. Zero trust is an approach building momentum in IT ecosystem security, as it’s effectively a “never trust, always verify” policy for users, workloads, networks and devices. It commits to enforcing contextualized and risk-based access decisions for information systems and services in order to limit the attack surface in the face of an evolving threat landscape.
Fostering a 5G cyber-aware culture
Designing a secure 5G architecture from the start is one step, but it’s also important to have proper governance and leadership in place to build and nurture a cyber-aware organizational culture. Cybersecurity efforts must be aligned with business strategy, not relegated to a silo that doesn’t permit close coordination with business, industrial and operations teams. In a 5G deployment, security design work should include the stakeholders of devices, radio access, core, edge, cloud, IoT and application security, as well as those in other enterprise-wide domains and functions. Each respective team should execute on an end-to-end strategy built to protect their use case from cyber attacks, while also offering plans to recover from possible later network breaches or unexpected downtime.
From a leadership perspective, some organizations are naming a CISO or business information security officer for operational security to interface with IT and help keep security front-of-mind and engrained with organizational functions. Similarly, leaders can advocate for training and awareness-building that help set the foundation for a more cyber-aware culture.
From a governance perspective, cybersecurity, privacy and other policies must comply with and evolve alongside ever-changing regulations globally. Cyber strategy should also make clear who is responsible for which areas — for example, IoT, California Privacy Rights Act and GDPR. Key performance indicators — including uptime, mean time to identify and mean time to contain — should be established, monitored and reported on to leadership to raise awareness of anomalies and corrective action needed.
Whether your organization has already adopted 5G or is in the process of doing so, it is important to reflect on the nature of this new technology and how to build trust in it. While established cybersecurity principles still hold for 5G, cybercriminals have the advantage of exploiting a wider attack surface that they may have not been able to reach in contained 4G networks. Ultimately, building confidence in 5G applications and use cases will stem from maintaining 5G availability, integrity and performance while detecting and preventing cyber threats. As 5G networks, algorithms and procedures evolve in the years to come, organizations should proactively address new cybersecurity threats that may surface.
About the authors
Wendy Frank is the Deloitte Risk & Financial Advisory 5G Cyber leader, Deloitte & Touche LLP.
Shehadi Dayekh, Ph.D., is a Deloitte Risk & Financial Advisory 5G Cyber specialist master, Deloitte & Touche LLP.