5G network security problem
The 5G conundrum leaves embedded security as the key to Australia's critical infrastructure safety.
Cloud, the Internet of Things (IoT) and telco networks are all at the forefront of data privacy and cybersecurity conversations in Australia. This is not new — everyone agrees higher levels of security are needed to face the challenges arising from today’s accelerated digital growth rate.
What is new, however, is that over the next three to five years most of the aforementioned technologies and organisations’ digital platforms, which are already facing increased cyber threats, will rely directly or indirectly on 5G networks. This includes our national infrastructure as well as organisations from critical infrastructure sectors including banking and finance, government, communications, energy, food and grocery, health, transport and water.
This reliance on 5G, while providing fantastic opportunities, will also greatly increase the cybersecurity risk for our economy and for Australia as a nation.
Before 5G becomes a keystone to our economy, it is important we understand how to better secure it for a safer connected future.
5G’s balancing act: a world of opportunities in a heightened cyberthreat universe
5G will offer organisations unprecedented opportunity, radically enhancing the way enterprises and government capture, store and use data.
This will have particular benefits when looking at the growing number of IoT devices used by those critical infrastructure sectors. With 5G, connected devices will be able to generate and exchange a wide variety of high- and low-value data at much greater scale, leading to a lower price point.
It will increase the extent and speed at which data and insights can be analysed — thanks to greater machine learning capabilities — to help drive new digital services, faster and cheaper.
5G will also offer latency of a few milliseconds, enabling organisations and service providers to operate highly autonomous systems that are geared towards specific requirements.
Critical and vital industries such as health care, financial services, energy and more are already heavily investing in or exploring the potential of 5G.
However, 5G poses unique threats that need specific considerations and approaches. In particular, concerns are rising around data confidentiality, integrity and availability: these are intrinsic to safe and reliable operations, yet most organisations in critical industries are not fully prepared to guarantee that they are safeguarded.
Addressing the unique intricacies and challenges of securing the 5G network
First of all, the architecture behind 5G itself poses new risks to the security of data.
Historically, network functions resided on their own proprietary hardware platforms, the physical isolation of which provided a particularly strong level of protection. However, network function virtualisation (NFV) — whereby network functions rely on software and run on virtual machines (VMs) — means that, going forward, network elements will be distributed as, and reside in, software.
This poses a risk of contamination from malware to the networks themselves or the infrastructure that is connected to the network.
Secondly, to deliver ultra-low-latency requirements, many of the new 5G applications are hosted in data centres at the edge of the network (mobile edge computing, or MEC). Edge locations typically have fewer physical protections or computing security controls, and new use cases that employ edge computing subsequently increase the attack surface, exposing organisations to greater risks.
There is also a risk that 5G could actually be too fast, chiefly when we look to automate actions based on data, known as zero-touch automation (ZTA).
In practice, this could mean that corrupted data from hacked or compromised devices automate the wrong or even harmful outcomes. The high level of automation could also unwittingly help malware spread throughout a system or to third-party and downstream systems that would otherwise be secure.
Finally, we have seen the software and technologies that have driven the digital economy over the last decade being weaponised to steal, expose, compromise or block access to data.
With 5G being the first ever cellular generation to launch in the era of global organised cybercrime, nation states are implementing aggressive cyber programs — this raises many concerns in terms of the scale, depth and impact of a successful cyber attack. This is particularly worrying considering the increased attack surface brought by the billions of devices expected to be connected to the internet in the next couple of years — massive denial-of-service attacks could be performed by coordinating thousands or even millions of devices.
We absolutely need to prioritise the protection of the network and the data at the source, before looking at other, more superficial, security layers.
Promising regulatory conversations and initiatives: a first step
For the past year, we have seen positive conversations and initiatives happening at a national and state level, some of which rightly call for embedding security at the core of the technologies and networks themselves.
The Australian Strategic Policy Institute has, for example, called for the Australian Government to implement ‘Clean Pipes’, a default level of security delivered to customers that prevents cyberthreats at the source of the network provided to them.
The Department of Home Affairs is currently progressing the Protecting Critical Infrastructure and Systems of National Significance reforms, a key initiative of Australia’s Cyber Security Strategy 2020 and part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The NSW Government-sponsored taskforce of industry leaders has recently called on federal, state and local governments across Australia to adopt internationally recognised cybersecurity standards for cloud services. It has also urged governments to evaluate proposals or tender bids more favourably from companies that adopt cybersecurity and other risk standards for telecommunications and IoT.
It is important we move those conversations further, to start actively protecting infrastructure, systems and technologies so they can be highly secure when 5G peaks.
Embedded security the only way: a change of mindset needed, today
5G will expand the attack surface, with data and digital systems being located anywhere from a few metres from its origin to miles away in the cloud with billions of devices as potential attack vectors.
Unfortunately, we cannot rely on users to provide the extra level of security needed in such a highly connected world. Each new data breach report we see points to users — humans — being one of the biggest risk factors in cyber incidents and data breaches.
We need to move away from user- and computer-centric approaches and instead focus on the systems, data and network. Security needs to be embedded, woven into digital systems as well as into organisations’ operations and processes.
It is vital that any edge computing and its locally stored data is physically and logically secured, typically using public key infrastructure (PKI) and encryption. With any solution supporting low processing latency, wide geographical diversity, centralised management and integrated threat alerting are a must.
Luckily, much of the automation required for codifying PKI, encryption and granular access control is already available and has been deployed successfully. We just need to go further.
Cohesive security from the edge to the core
Traditional security, such as encryption of data in transit, should be augmented with the securing or anonymising of the data as it is collected at the edge.
Edge data security should be able to be systematically integrated with downstream processing, such as in cloud applications. This will require organisations to embrace holistic security platforms and move away from point security solutions — often favoured by application providers or developers.
Keys as the root of all trust (even in the zero-trust era)
The keys needed to secure networks, machines, devices, users and data must be protected and managed in a highly secure manner to ensure integrity of the digital systems and their operations.
Legacy approaches of storing security keys in software or applications, or of storing keys and the data they are protecting together, are untenable and too easily exploited in the current cyberthreat landscape.
To ensure integrity of critical infrastructure, security needs to be implemented end to end from the device to the corresponding application in the cloud, ensuring systems and data can be trusted and only authorised access is allowed at either the application or user level.
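The edge-to-core handling described in the last two sections can be sketched as follows; this is an added example, not code from the article or any vendor. It assumes a hypothetical `KeyStore` class standing in for an HSM or key management service, uses HMAC-SHA-256 from the Python standard library in place of PKI signatures, and all keys, key ids and readings are constructed sample values.

```python
import hashlib
import hmac
import json

class KeyStore:
    """Constructed stand-in for an HSM/KMS: keys never leave this object."""
    def __init__(self, keys):
        self._keys = dict(keys)

    def mac(self, key_id, message):
        # Callers receive a MAC, never the key material itself.
        return hmac.new(self._keys[key_id], message, hashlib.sha256).hexdigest()

def _canonical(fields):
    # Stable byte encoding so edge and core compute the tag over the same input.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def seal_at_edge(store, reading, pseudo_key_id, auth_key_id):
    """Pseudonymise the device identifier and tag the record at collection."""
    fields = {
        "device": store.mac(pseudo_key_id, reading["device_id"].encode())[:32],
        "metric": reading["metric"],
        "value": reading["value"],
        "auth_key_id": auth_key_id,  # a reference to the key, not the key
    }
    return {**fields, "tag": store.mac(auth_key_id, _canonical(fields))}

def accept_at_core(store, record):
    """Return True only if the record is unchanged since the edge sealed it."""
    fields = {k: v for k, v in record.items() if k != "tag"}
    try:
        expected = store.mac(fields["auth_key_id"], _canonical(fields))
    except KeyError:
        return False  # missing or unknown key id: do not act on the data
    return hmac.compare_digest(expected.encode(), str(record.get("tag", "")).encode())

def demo():
    store = KeyStore({"pseudo-v1": b"constructed-key-A", "auth-v1": b"constructed-key-B"})
    reading = {"device_id": "pump-0042", "metric": "pressure_kpa", "value": 412}
    sealed = seal_at_edge(store, reading, "pseudo-v1", "auth-v1")
    tampered = {**sealed, "value": 9999}  # altered after leaving the edge
    return sealed, accept_at_core(store, sealed), accept_at_core(store, tampered)

if __name__ == "__main__":
    sealed, ok, bad = demo()
    print(sealed["device"], ok, bad)
```

The stored record carries only key identifiers, so a copy of the data alone reveals neither the raw device identifier nor the means to forge a valid tag, and an automated consumer can refuse records that fail `accept_at_core`.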
Trust in the digital ecosystems that we build is what will allow organisations — and Australia as a nation — to reap the benefits of 5G. As such, it is critical that industry and government work together to re-think, re-frame and re-strategise our overall cybersecurity posture to focus on embedded security first.