The new generation of 5G cellular networks is beginning to be rolled out in leading countries like the U.S., bringing to life the promise of connecting everything from sensors and systems to robots and platforms. With unmatched reliability, capacity and low latency, 5G is forming the foundation of an automated “whole” that operates in mission-critical environments.
However, this next generation of connectivity also brings about new and sizable security risks, relative to what we have known even in recent times.
For years, telecommunication networks were basically isolated networks built on proprietary telecom protocols. Today, they are migrating to internet-facing, all-IP networks with standardized protocols. Fed by automation and virtualization, the unfolding of this major technology shift has both significantly shortened development and deployment cycles and given bad actors a much broader canvas – more opportunities in a network – to seize on vulnerabilities.
From industry to regulators to consumers, this technology shift challenges everyone to evolve the way we approach security and mitigate risks.
Security: The foundation for mission critical networks
Securing products for mission-critical networks is an industry imperative and has long been a byword for trust with customers.
Even so, efforts to learn and improve never stop, given the challenges of implementing strong product security in today’s fast-evolving technology landscape. It is not enough to just have process controls and deliverables or mandatory technical requirements with expectations for things to be implemented.
Having a security development process and set of technical security requirements is a good start. However, none of these matter if you do not follow up, measure and observe the level of implementation – and have everyone across the organization committed to maintaining rigorous security practices and policies.
Lessons learned should continuously feed into products that are designed for security from the ground up, starting at the initial development stage, so that they address the security challenges of today and those we believe we will see tomorrow.
Designing for security
As a proactive approach by design, security standards, tools and processes ensure that privacy is implemented before a product is ever integrated into a business.
Over time, it is critical that the telecommunications industry builds a catalogue of security requirements, grouped by priority and severity, which are mandatory in every product. This forms the proactive core of the security process, which is also informed by external engagement in industry forums, like 3GPP, and with customers and regulatory bodies. Taken together, all the various inputs should be incorporated into a company’s mandatory security requirements.
Products must then be assessed to establish a security baseline and to define roadmaps on security, privacy and interoperability; and later be subjected to rigorous testing using both internal and commercially available tools. Wherever feasible, companies must utilize both static and dynamic code analysis, as well as strong cryptography to ensure the integrity of products throughout the development cycle.
Now, even the best software, rigorously tweaked and tested over and over again, could end up being shown later to have an exploitable flaw, so companies must continuously monitor public and private sources for indications that their software, or third-party software embedded in their products, could have a security vulnerability. Vulnerabilities should then be graded on a scale in the context of each product, and R&D teams must take a variety of actions to troubleshoot these. This action must apply across all R&D teams, who in turn are accountable for adhering to the highest standards of security while compliance is monitored centrally.
Automation is also essential for the development process and security enforcement. Companies should aim to provide developers with automated feedback about potential security problems in their code at the earliest possible stage of development, and seek to automate network vulnerability scans and various application security tests to ensure they are regularly and consistently executed. As that process occurs, early-stage indicators and more comprehensive product tests should be tracked by R&D and security management teams to enable rapid intervention where it is needed. In cases of non-compliance, security departments should issue a veto on a product – and have no qualms about doing that – as the cost of poor security is simply too high for businesses.
Looking towards the 5G future
There will always be work ahead for all relevant stakeholders on the security front, as bad actors look for the next new vulnerability to exploit. Still, as we move forward in the 5G era, the systems put in place must be thoroughly designed for security to effectively optimize safety checks and deliver the type of reliable and protected products customers have long come to expect.