Take 5: 5G cybersecurity
Part of the Take 5 on 5G article series
Wendy Frank and Anil Ramcharan, leaders from the Cyber & Strategic Risk practice of Deloitte Risk & Financial Advisory, share their perspectives on five key questions around organizations’ need for a robust 5G cybersecurity approach.
1. As organizations explore advanced connectivity, what should they know about 5G security?
Anil Ramcharan: 5G network technology provides a powerful platform at the intersection of edge computing and the Internet of Things (IoT) to drive incredible value for organizations. It’s going to open the door to new applications—there’s a huge upside for 5G in government and public services (GPS) applications, for example—and help close the digital divide by lowering the cost to get broadband to areas that don’t have a mature infrastructure. In preparing to use 5G, organizations should pay close attention to the software-defined aspect of 5G infrastructure. It is very different than the Wi-Fi and 4G networks in use today. Implementing 5G network security requires a risk management framework that adapts to the flexibility and programmability of network services and traffic flows in software-defined networks.
Wendy Frank: What makes 5G special is its much greater bandwidth and lower latency; its ability to enable real-time or near-real-time communication. Technologies that require that kind of very low latency—autonomous vehicles, mission-critical GPS systems, utility company smart grids—also require continuous monitoring and protection. Edge computing cybersecurity will be important, as well. Edge computing goes hand in hand with 5G; it’s going to drive the expansion of IoT devices, which will, in turn, create considerably more critical data, much of it sensitive, that must be analyzed, much of it in real time.
2. How do 5G security concerns differ from previous generations?
Wendy Frank: One of the inherent vulnerabilities in 4G and LTE networks is that a subscriber’s unique identifier is unencrypted. 5G fixes that and helps identify and defend against “man-in-the-middle” attacks. In addition, 5G’s unified authentication framework improves usability, connectivity, and endpoint security by allowing open and network-agnostic authentication with 4G, LTE, Wi-Fi, and cable networks. 5G is also built for efficient network slicing, which allows customers to segregate sensitive and more generic data and provide precise security and privacy controls in the different slices. 5G also includes an edge protection proxy that securely interconnects different networks to help maintain data consistency, accuracy, and integrity. On the other hand, 5G networks are built with hardware and software and use the cloud, so they have a much larger attack surface. An important part of our discussions with customers is how to design and build in 5G security from the start.
Anil Ramcharan: As Wendy mentioned, 5G networks’ larger attack surface is a security concern; however, risks also arise from the increasingly sophisticated endpoint equipment (the IoT devices and user equipment) that use these networks. Sensors and cameras for augmented reality and virtual reality applications in next-generation health care are one such example. Their use may require encryption capabilities for compliance with data privacy regulations. Moreover, beyond compliance concerns, organizations will have to develop methods to test and evaluate the embedded systems and firmware in these IoT devices to understand the relevant cyber risks. As organizations start to leverage innovative digital technologies and 5G’s increased bandwidth to generate more and better data, potential privacy issues and IoT security will have to be addressed. I think 5G’s promise will continue to drive adoption forward, and cybersecurity will need to keep pace.
3. What are the security risks of 5G adoption?
Anil Ramcharan: As we think about 5G adoption, the transition from hardware- to software-defined networks, and interoperability between 4G, Wi-Fi, and 5G, the concepts of resiliency, redundancy, and reliability move front and center. We need to put safeguards in place to ensure that the quality of service that 5G provides is sustainable within and across organizations, industries, and geographies.
Wendy Frank: With traditional networks, security was focused on making sure that a breach didn’t occur; that systems didn’t go down. But as Anil mentioned, it’s even more critical that there’s redundancy in 5G systems and that they’re not compromised, whether it’s an attempted breach or someone interfering with the signal to bring the network to its knees. Also, 5G isn’t without its own set of infrastructure, physical asset, and supply chain security concerns. The amount of third-party hardware and software it takes to build and run a private 5G network is substantial; the addition of every device and application increases the possibility of a security breach that may spread across the network. Organizations will need to continuously monitor and manage all connected devices, keep device software up to date, and regularly examine individual interfaces to confirm they are secure. A private 5G network will offer organizations the most benefits and flexibility, but it will also create a whole new set of 5G security challenges to manage.
Anil Ramcharan: Exactly. Security assumes a different posture if you’re a consumer of public 5G services or you’re building and operating a private 5G network. We’ll consider the needs of the user plane, where the applications run, versus the control plane, where the network is managed. As a consumer of 5G services, you’re using shared spectrum, shared infrastructure, and shared networks in the user plane, which drives a Zero Trust approach to 5G network security. As a private 5G network operator, you need to carefully monitor and manage the radio access, core, and interconnect networks—the control plane side—and it encompasses a greater scale of infrastructure components than in earlier networks.
4. Who should be thinking about 5G security?
Anil Ramcharan: I’m fighting the urge to say “everyone,” but that really is the case. We’re becoming increasingly connected, and computing functions have evolved from the data centers we know to cloud, distributed compute, edge devices, and IoT. I think 5G is the network equivalent: It’s going to continue to become decentralized and extend our thinking beyond network perimeters and security control points. This creates an imperative for technology, security, and business stakeholders to embrace the innovation expanded connectivity enables and manage the associated cybersecurity issues and risks.
Wendy Frank: From an industry perspective, we are seeing a lot of activity and use cases in the government and private sector space, smart manufacturing, retail, life sciences and health care, power and utilities, and energy and resources. Within organizations, CIOs, CSOs, CISOs, CTOs, and their teams are generally leading 5G cybersecurity efforts, but we’re also having conversations with business function leaders who likely will be affected by the technology, such as manufacturing operations, supply chain logistics, and R&D.
Anil Ramcharan: We’re also finding out among our government clients that in addition to traditional technology owners, certain mission owners—logistics, operations, communications—are advocating for 5G and robust network and data security to jump-start digital transformation and gain greater accessibility and connectivity to do what they’re doing today even better.
5. What steps should organizations take now around 5G security?
Wendy Frank: Directionally, you want to keep that Zero Trust model in mind and, from the start, design and build in security around the entire 5G ecosystem, including hardware, software, applications, cloud, multiclouds, IoT devices, and the use of the edge. It’s planning for end-to-end 5G network security that addresses people, processes, and technology.
Anil Ramcharan: We suggest organizations begin by answering questions around specific 5G use cases: How is the technology going to be applied? What is it going to touch? Who are the key stakeholders? Next, they should overlay a network security framework that identifies 5G security threats and associated security requirements and engage with 5G specialists and industry professionals to talk about appropriate cybersecurity solutions. In some cases, there are ways to leverage existing cybersecurity solutions to start the transition to 5G.
Wendy Frank: Because 5G is an emerging technology, it will be important to track its evolution over time, as well as specific 5G security threats and vulnerabilities, and take corrective measures based on what is uncovered.
Anil Ramcharan: Implementing 5G is going to be a long-term journey as organizations transition critical systems, platforms, and applications from their existing networks. Because 5G is a disruptive technology, establishing an ongoing partnership between the CIO function and the business and operating units it supports is essential. Also, good, old-fashioned risk management never goes out of style. Organizations should embrace their risk management principles and think about their missions, functions, the supporting data, and the ecosystem they’re working in to help drive 5G cybersecurity decisions.