5G IoT security: Opportunity comes with risks
It will take years for widespread coverage and use to be achieved, so what better time than now for finding a way to ease into it while keeping security in mind?
Opportunity comes with risks
“Without a doubt 5G opens up a whole new world of opportunities for services that take advantage of the higher speeds and lower latencies that 5G will offer. However, as with most significant technology advances there are risks, to users and network operators alike,” Darren Anstee, CTO for Security at NETSCOUT, told Help Net Security.
“For the network operators, the 5G architectures of tomorrow will be complex; the Multi-Access Edge Computing needed to support new services will open up mobile infrastructure to a broader range of vendors, and the infrastructure that supports the service ‘slices’ will be virtualized or containerized, and orchestrated. The complexity of the control-plane to manage services and end-point connectivity also increases, and with all of this complexity comes the potential for security issues – either from compromised or poorly behaving devices and applications.
For consumers, a big issue will be privacy. Since one of the main uses of 5G is massive machine type communications (mMTC), which will support the ongoing proliferation of a large number of low power, low cost IoT devices, a growth in information gathering and exchange is to be expected.
Organizations will be able to gater a lot of information about our on- and offline activities, allowing them to create a more detailed picture of our behavior. While this will enable services tailored to consumers’ needs, locations and habits, it will likely also enable a new wave of social engineering attacks targeting individuals and the businesses they work within, Anstee says.
But there is another, broader concern: even if that data is anonymized, it’s often possible to construct a virtual identity for a user, and those may be used to drive analytics and other decision-making systems.
“This is where regulation may need to evolve. As data-gathering become more pervasive, and analysis more intelligent, individuals may need protection from pseudo-automated discrimination that can occur without reference to their real-world identity,” he noted.
5G IoT security worries
While mMTC networks are not expected to be deployed widely before 2021, they should eventually become ubiquitous, paving the way for wider IoT device use by enterprises, public entities, in industrial settings, and so on.
The increased scale for device connectivity and interconnectivity combined with the concept of “slicing” (separate, virtual mobile networks for specific applications or services with specific characteristics dependent on the application or service need) will certainly enable a new range of IoT services and applications, Anstee says.
One of the security weak points will be devices themselves. Most existing IoT devices have not been developed with security as a priority.
“Not all IoT devices are created equal and we should consider the more consumer-focused devices differently to those used in industrial applications. The latter tend to be better designed, better secured and in many cases will connect to specific network slices or through IoT gateway devices – removing the potential for generic scanning and compromise activity,” he explained.
“However, these devices can be mission- or safety-critical and must be monitored to ensure that they are behaving as intended, as a compromise or malfunction could have serious consequences.”
When it comes to consumer focused IoT, the concerns are evident in any conversation with a network operator looking to roll out 5G.
“Very large-scale DDoS attacks generated by wireline connected IoT devices are commonplace, and there is nothing to indicate that IoT devices connected to 5G networks will fare any better, as new devices with non-existent or poor security are still being deployed, and the ones that are out there today will be around for years,” he noted.
“Large numbers of vulnerable, 5G connected IoT devices pose a threat to mobile networks given the amount of traffic they can generate and the potential for synchronicity of action causing resource exhaustion within some aspect of the infrastructure.”
Advice for CISOs
Protecting an organization’s IoT network relying on 5G will be a complex task.
“Given the huge range of device types and purposes that we could be talking about here, I don’t have a simple, generic recommendation for CISOs. Elevators, connected cars, medical sensors and industrial robots are very different in terms of their purpose, the kind of communication services they need, their software stacks, traffic patterns, etc. And they are very different in terms of the potential impact of any security issue, from a personal or environmental safety perspective,” Anstee pointed out.
“Moreover, these different types of devices are supplied using different sales channels and maintained by different organizations, there is a lot of variability here.”
However, at the most basic level and to protect their device fleet against the vast majority of common attacks and mass-malware outbreaks, they should be:
- Selecting vendors/manufacturers that can prove they provide ongoing support and software updates for the devices
- Using up-to-date software whenever possible and putting up a process in place to assess new vulnerabilities that are disclosed/discovered so that they can be managed appropriately
- Put in place a visibility solution or service so that the behavior of devices can be profiled and monitored to spot and investigate deviations from the norm.
Those taking advantage of 5G for IoT-fueled automation in industrial environments will likely use various network slices for different services. They will have to ensure that their mobile service provider has appropriate monitoring in-place within their network to supervise the activity of connected devices and infrastructure with access to these slices.
“Managing the security of 5G networks and services requires a new approach, where security is an integral part of the end-2-end architecture. No longer can security be focused purely around firewalls ensuring protocol conformance within the mobile network, with other solutions providing inbound and outbound threat detection at the Internet edge (the SGi interface that connects the mobile core network to an Internet backbone),” he added.
“In 5G we will need cohesive visibility across the network so that we can identify the threats that may target the control-plane, user-plane, endpoints and service or application infrastructure, and to ensure that a threat can be identified and remediated WITHIN the network, protecting the network, services and users alike. Finally, the technologies delivering these visibility and threat management capabilities will need to be integrated with the virtualized or containerized infrastructure so that their lifecycles and scaling are linked.”