5G is Awesome! – Continued Security Vigilance Needed
The hype around 5G seems to be everywhere, and in many cases for very good reasons. As good as 5G is, however, adopters of 5G technology must remain vigilant about security vulnerabilities, particularly as the first generation of 5G rolls out.
5G is an amazing evolution in wireless capability. During the 1G and 2G years, we were giddy to cut the phone cord and enjoy our voice calls on the move. As our appetite for mobile computing grew, so did our appetite for mobile data. 3G and 4G wireless evolutions focused on moving data and delivering computing power for our smart phones and applications. Still, even with 4G LTE, we used our mobile internet connectivity at one speed: as fast as we could go. Never mind that our insatiable need for data was choking some parts of our networks while other parts were hardly used. What we needed was a system that matches different applications and use cases to the best means and connectivity available. Enter 5G, delivering an optimized pathway specially tailored to each application, ranging from autonomous vehicles to telemedicine and swarms of delivery drones. With updates in frequency bands, faster electronics, software-defined networks, and new security features, 5G delivers 100 times the speed, lower latency, higher reliability, and significantly higher device densities. With 5G, your mobile smart phone will be faster than ever, but more importantly, applications traditionally relegated to hardline connectivity can be dependably and securely wireless.
The 5G evolution enables a revolution in wireless capability for applications. A bold statement, but here are a few examples. Today, self-driving cars can make it slowly down the street by themselves, but millions of cars at high speed need very reliable mobile connectivity to communicate with cars and traffic systems around them. 5G delivers the connectivity. Surgeons can’t be everywhere, particularly in hazardous situations, but telesurgery robots operated by a remote surgeon might one day be. This requires very low latency and precise control, and 5G is the enabler. Our aircraft become high-speed communications hubs in the sky thanks to the connectivity 5G enables, while thousands of unpiloted aerial vehicles (UAVs) deliver packages in hours or minutes. 5G provides nationwide connectivity for these UAVs.
With each generation of wireless connectivity, we’ve been greeted with security threats and vulnerabilities. 4G LTE was a major step in the right security direction, but there were still concerning issues. Rogue base stations could intercept calls, jamming could wipe out connectivity for blocks, mobile devices could connect with and attack other mobile devices, digital voice over LTE (VoLTE) was susceptible to intercept, streaming media content providers could be ransomed, and architectured private networks were vulnerable to compromise and denial of service attacks.
These threats still exist within the first generations of 5G. First, the initial 5G systems we have today (called 5G Non-Stand Alone, or 5G NSA) use the existing 4G cores that still contain many of these vulnerabilities. Second, 5G enables a relatively new network construct, the private enterprise network. Security on these private enterprise networks can be left to individual companies and application developers, some not as security savvy as national wireless carriers. Finally, 5G enables an exponential growth in the number of connected physical devices, not just cell phones or mobile tablets. Additionally, the number and variety of device and application code developers is growing rapidly. While major cell phone manufacturers have thorough security development procedures, small startup businesses often lack the same resources to design, develop, test, and deliver devices and apps with adequate security. Another way to phrase this is that the threat surface of the 5G system grows significantly even though the 5G ecosystem provides greater power to reduce this vulnerability. Thus, future security efforts must focus on certification, analysis, and testing of the mobile, IoT, and private enterprise applications and device hardware connected to the 5G network.
Solutions for many of the known 4G vulnerabilities will be available with the emergence of the next evolution of the 5G system, the 5G Stand-Alone system. These updated systems replace the 4G core with a completely rebuilt core and, even more importantly, enable integration of the entire end-to-end network into a coordinated connectivity and processing system designed to optimize resources for every application.
5G Stand Alone security improvements include better authentication of devices onto the network, so you know you are connecting to an authorized endpoint; jamming and denial-of-service reduction through beamforming antennas; enhancements to end-to-end encryption; and finally, network slicing to apply appropriate levels of network capability, including security, to different applications. 5G modem manufacturers also provide security software development kits and built-in security applications accessible to app developers to improve security even further.
Even with all of these improvements, there are still vulnerabilities that must be carefully monitored, analyzed, tested, and assessed. Challenges including how vendors implement 5G security, security vulnerabilities of application software, and supply chain vulnerabilities require continual assessment. The Department of Homeland Security and Department of Energy’s Idaho National Laboratory (INL) have initiated programs to develop and implement evaluation techniques and procedures to assess how these applications and private enterprise network systems implement security, and to continue assessment of new, unknown security vulnerabilities in 5G systems.
As part of these efforts, the INL’s Wireless Security Institute hosts periodic conferences bringing together leading national security experts and researchers to discuss national challenges and potential solutions. At the last conference, experts discussed these vulnerabilities and developed a list of recommendations to help organize 5G security, including:
1) Develop measurable security metrics—Build metrics and models specifically focused on characterizing how a fix impacts security, the cost-benefit of that fix, and whether the fix has unintended consequences.
2) Address security by design through engagement with 5G equipment vendors—Work with vendors to understand the security features they have devised for 5G systems and how they are implemented.
3) Identify a required set of 5G security procedures—Develop a minimum set of 5G security standards and a core methodology of how they are applied that guarantees sound system security across multiple vendors and applications.
4) Validate that critical security procedures are implemented and performing to the level required—Facilitate external, third-party validation that security has been implemented correctly, particularly for high security applications and federal government purposes.
5) Consider all types of wireless end devices that can introduce security problems to the 5G network—Understand the significant number and diversity of 5G-enabled devices, particularly those considered part of the Internet of Things (IoT), and evaluate their potential security vulnerabilities.
6) Plan for resilient response and gather and analyze forensic data to develop mitigations in the event of a major 5G system breach—In the event of a major 5G security breach or a disaster such as a hurricane, develop a plan to reconstitute the network as quickly as possible. This may include developing the capability to reorganize the network using drones or other mobile cellular service devices so the network is back online within minutes, not days or weeks.
The conference included a wide range of experts and was one of the first times that such a diverse group came together and hashed out the top wireless security concepts to make 5G more secure.
The INL WSI will host the next virtual Security Conference Nov. 17-18, 2020. The conference focuses on research and development priorities for secure and resilient 5G devices, UAV operations, and secure spectrum sharing technologies.
ABOUT INL’S WIRELESS SECURITY INSTITUTE
INL’s Wireless Security Institute leads and coordinates government, academic, and private industry research efforts fostering more secure and reliable 5G wireless technology. The institute consolidates INL’s experience leading communications-focused cyber security research, dynamic spectrum sharing research and development, waveform development, and operating one of the nation’s largest and most diverse open-air wireless broadband communications test ranges.
The institute integrates research, analysis, design, test, and standards recommendations to improve cellular, radio, and satellite communication systems. It supports government agencies, regulatory bodies, and private industry by establishing a collaborative, core partnership of public and private leaders in the wireless security field. Together with partners, the institute helps prioritize the most pressing national security challenges and elevate research efforts.
ABOUT THE AUTHOR
Dr. Carl Kutsche is the Chief Technologist for Idaho National Laboratory’s Critical Infrastructure Security and Resilience Directorate, which organizes capabilities solving communications, cyber security, energy grid, and critical infrastructure challenges across the nation. Prior to joining INL, Dr. Kutsche served 25 years with the U.S. Air Force leading communications, intelligence, and counter-terrorism programs. He received his Doctorate in Electrical and Optical Engineering from the University of Central Florida, focusing on high-speed communications and electro-optic systems.