5G Security: Simplicity and Risk Management Key Constructs for Growth

On the security front, 5G introduces several new facets; first, standardization and the underlying ecosystem are complex. This is true for all software but even more so for 5G, a distributed architecture by design. For example, the User Plane Function (UPF), a key network element in 5G core, can be flexibly deployed close to users for local traffic handling. Consequently, in contrast to preceding cellular networks, 5G blurs the lines between the access radio networks connecting devices with base stations and the core network that routes the traffic onto the Internet. Furthermore, 5G networks are virtualized from the onset. Much of their functionality runs on top of dynamically configured Commercial Off-the-Shelf (COTS) hardware. This increases the attack surface, as does the expected increase in both devices connected to the network and the data routed through it.

Second, 5G networks are an evolution of existing 4G deployments. Most Communications Service Providers (CSPs’) operations will span both 4G and 5G. This backward compatibility means that, if not secured in a robust fashion, malicious entities may exploit “old” 4G vulnerabilities to compromise 5G networks. Third, as was the case with 4G, many of the security enhancements in 5G are optional. This may well mean that security is an afterthought, as opposed to it being addressed at 5G’s design and deployment phase. Going forward, this is bound to be a key part of the 5G security discourse, particularly when we consider that performance, cost, and Time to Market (TTM) are all dimensions that typically take priority in the adoption of next-generation technologies.   

There are three segments that lend themselves to new security offerings well. First, there are existing 5G rollouts that focus on Non-Standalone (NSA) 5G New Radio (NR). Here, there is a need for seamless and secure transition in the interworking between 5G NR and 4G. A second segment concerns Internet of Things (IoT) security for different industry/business verticals that seek to establish a centralised control of production processes by leveraging IoT cellular connectivity. A set of unique security challenges abound here. At present, cybersecurity vendors do not have a solution that easily adapts to cellular core networks. Moreover, the diverse security requirements that 5G presents are creating a need for risk management and mitigation capabilities that can be incorporated into production processes. For example, self-adapting and cyber-resilient networks could be utilized to quarantine malicious traffic coming into a smart manufacturing establishment.

One option to secure 5G networks, in addition to integrating security mechanisms into the infrastructure itself (such as secure hardware and roots of trust), is to pile on security defense mechanisms. That is, invest in preventative measures such as firewalls, intrusion detection and prevention systems, encryption mechanisms, and Public Key Infrastructure (PKI). The effectiveness of these preventative measures is a function of two things: first, security budgets are limited, and second, oftentimes the “pile of defense mechanisms” may not be secure if not properly managed once deployed. Further, 5G is a global mobility standard. Therefore, the demand for 5G security may have to be approached with domain-specific, End-to-End Solutions (E2ES) that are buttressed by two foundational pillars: the innovation that technology provides, and the rigidness and structure that processes afford.

Security, after all, is as much about the process as it is about the product. Products are indispensable for fruitful commercial discussions. On the other hand, it will be processes and intimate knowledge of vertical specifics that will determine the effectiveness of products. Cybersecurity vendors and CSPs are investing accordingly to address those aspects. For example, Telefonica recently announced that it is investing in Nozomi Networks, a provider of IoT and Operational Technologies (OT) security. This bolsters Telefonica’s ability to provide managed security services for the factory floor. In a similar fashion, the supply side of the market is amalgamating security and 5G IoT cellular capabilities to address security in industrial environments. Palo Alto’s acquisition of Zingbox, for example, enhances its capabilities to help end verticals embrace simplicity and manage risk as they broaden their operational boundaries.

5G security requirements remain largely undefined at this time. But, as highlighted in this ABI Insight, 5G’s continued adoption is certain to create new demand, particularly in market segments that require targeted security solutions. To meet that demand, CSPs and cybersecurity companies must focus on the following:

• CSPs should not lose sight of the fact that complexity is the worst enemy of security. 5G will introduce increased digitization, in turn creating more interfaces and processes and, by extension, complexity. Moreover, the continued shift to virtualized and containerized network elements further exacerbates that complexity. A network is only as secure as its weakest link, so a network with fewer touch points and links is easier to secure. Guarding several domains is harder than guarding one. To that end, CSPs should be cautious by picking partners that seek to simplify and cyber hygiene at every possible choke point. 
• Cybersecurity vendors must pay attention to key market trends—e.g., Open Radio Access Network (RAN) etc.— and recognize that such trends will lead to an ecosystem predicated on ever-expanding features and options. There will be ever-faster product releases, ever-increasing complexity, and, unless managed well, ever-decreasing security. Consequently, the first step is to accept this reality so that ecosystem entities can work with it. As a second step, solution providers should think of security offerings as a way to manage risk, not avoid threats. The latter is binary; one either avoids a threat or one does not. Managing the risk is an ongoing process that spans three dimensions: either accept risk, reduce it, or ensure against it.
• Standardization bodies—e.g., the 3rd Generation Partnership Project (3GPP)— and industry associations must engage with key stakeholders across the value chain to institute 5G security standards, compliance frameworks, and processes. The point about standardizing security processes is that the risk can be quantified. Increasing adoption of 5G means that CSPs and their partners will need to contend with unique security dynamics—and a security compliance scope—that will almost certainly go beyond conventional Information Technology (IT) security metrics.

Risk management may well be the future of digital security in a 5G world. The demand will be products that go beyond mere detection and prevention mechanisms. Vendors that accompany existing preventative security products with a risk management element will be the big winners. Insurance is a key element of risk management, but one that falls within the purview of insurance companies. Technical cybersecurity solutions and services to mitigate the risk is a second key element, and one that the likes of Palo Alto, Fortinet, Cisco, Nokia, and Ericsson are already addressing.