Using zero trust to mitigate 5G security challenges

The total number of 5G connections will reach 3.2 billion by 2026, rising from 310 million in 2021, a study from Juniper Research has found. 45% of operators consider it extremely important to invest in security to achieve long-term enterprise revenue goals, according to Trend Micro.

In this interview with Help Net Security, Chris Christou, Vice President at Booz Allen Hamilton, talks about evolving 5G security issues, leveraging zero trust, as well as implementing 5G security.

Worldwide 5G adoption has started, and more networks are coming online every day. While increased speeds are an obvious benefit, organizations tend to overlook the security implications. What security issues may await those implementing 5G?

5G technology has the potential to increase the attack surface for threat actors, introducing new vulnerabilities and expanding the number of targets. For example, some organizations will establish private multi-access edge networks that need to connect into carrier networks – and these private 5G networks could be open to vulnerabilities and attacks. 5G also introduces multi-edge access computing, which requires trust between carriers and the enterprise networks.

In some cases, implementing 5G will mean relying on public and untrusted infrastructure, which is inherently less secure. There are national security implications to this as well, as the Department of Defense (DoD) looks to capitalize on 5G infrastructure in coalition partner countries or contested areas. In those cases, the DoD needs to consider the full implications of this technology – from how it can be used, how it can be deployed, and how mature and secure it is – before making that leap. More risky operations may depend on “gray zone” network infrastructure run by organizations with vastly different goals than DoD.

When DoD operates on a 5G network, the underlying equipment brings risks of its own. Unknown and untrusted equipment has the capability to detect and disrupt DoD communications. In addition, the broader risk remains that threat actors could sabotage missions and equipment, compromise operational security, and jeopardize the lives of military leaders and warfighters.

How can organizations leverage zero trust to enable a better response to new security challenges as 5G rolls out?

Along with operating under the “assume breach” mentality, organizations need to take additional measures by integrating a zero-trust security model into their response planning. This includes adding it to their data-protection strategy, breaking down organizational and programmatic silos, and gaining and maintaining buy-in from senior leadership and other key stakeholders.

Organizations can build stronger 5G security using the seven pillars of zero trust. One of the pillars, for example, is automation and orchestration. Because 5G networks are complex and many of the components are virtualized, you need to leverage orchestration capabilities for configuration. A management and orchestration solution (MANO) is software that automates large-scale management of service configurations across networks through dynamic scaling with real-time resource allocation/deallocation. MANO solutions enable the rapid instantiation, automation, and recovery of the complex, virtual elements found in 5G networks.

Also, industry partners can segment and isolate critical traffic by using 5G network slicing, as well as end-to-end encryption capabilities.

Additionally, organizations with national security missions must implement zero trust architecture not only in 5G networks they directly control, but also implement as an overlay of 5G networks they do not own or operate. This will make them better prepared to respond to new security challenges around the globe.

How can zero trust mitigate the risk that 5G threat vectors might be used to steal or sabotage sensitive defense technology?

The zero-trust model questions the idea that something deserves to be trusted just because it’s in the network. Applying this mindset can help protect critical data and technology from threats. For example, security teams must coordinate deployment of comprehensive security monitoring capabilities that leverage advanced analytics, granular dynamic and risk-based access controls, and system security automation across an entire defense infrastructure.

Of course, this can only be successful if basic security principles are also followed: assume a breach; never trust, always verify; and allow only least-privileged access based on contextual factors.

Organizations should focus not only on designing a zero-trust architecture, but also on supporting it with vulnerability research and embedded security. Is that feasible for organizations of all sizes that will adopt 5G?

Integrating zero trust within large enterprises can be complicated, as zero trust needs to be scalable, which requires a robust infrastructure. However, this infrastructure is critical to the success of zero trust – and it includes vulnerability research and embedded security. It’s not a question of size as much as it is a question of commitment.

Operators of 5G ecosystems cannot fully realize the potential of 5G without these complementary components. Organizations can use the pillars of zero trust, plus governance, to understand the strengths and gaps in current capabilities, and to design actionable plans for improved security.

For smaller organizations that are struggling to find resources to design a zero-trust architecture, pursuing open architectures can help. This makes it easier for vendors to offer 5G services. Expanding the community of stakeholders working to ensure overall integrity of the network frees up time for those within your organization to focus more on vulnerability research and embedded security.

What advice would you give to an enterprise CISO who needs to implement 5G security in the next year?

Zero trust isn’t a vendor buy. Your organization can do a lot with what it already has, so don’t wait to start embracing zero trust as a security model for 5G. Instead, start looking at the seven pillars of zero trust (user, device, network/environment, application and workload, data, visibility and analytics, and automation and orchestration) to see what changes you can make now with minimal effort from your security teams.

Also, remember, zero trust isn’t a checklist, it’s a mindset. And it’s important for the CISO to inspire top-down adoption of this mindset, as it needs to be understood and supported at all levels of an organization to be successful. This isn’t a one-and-done effort – CISOs must also focus on building, operating and sustaining a zero-trust approach to 5G security, and support it with vulnerability research and embedded security.

Implementing a threat-centric approach to managing the 5G attack surface is key, which can only happen with a deep understanding of threats and vulnerabilities – this needs to be a key focus of any CISO currently prioritizing 5G security.