Securing 5G against 21st century threats
David Williams, founder, chairman and CEO of Arqit, examines the reality of 5G’s vulnerabilities and how telcos can protect against them
The telecoms world is transforming, with new technologies like 5G and future network architectures such as Open RAN (radio access network) being rolled out across the world to connect mobile subscribers and billions of internet-of-things (IoT) devices. By 2025, in excess of 70% of 5G revenue is forecast to come from enterprise applications rather than consumer usage, according to Omdia’s Telco and AI Automation report (December, 2020).
5G’s security challenges
While 5G networks enable the introduction of new services across multiple industries, the National Cyber Security Centre UK has acknowledged they increase attack surfaces.
Legacy 2G, 3G and 4G networks were modelled on hierarchical trust. It is different in 5G, where the network between the uSIM/eSIM on the subscriber end and the unified data management (UDM) in the core is untrusted, with services running on private and public cloud.
As commercial demand for 5G ramps up, and it is used for connecting critical services, especially in the automotive, smart city, healthcare and public safety sectors, end-to-end security remains a prerequisite to running critical applications. However, the rapid deployment of consumer 5G has left some obvious holes in the solution’s security barriers. We have observed the following as causes for concern.
5G networks will use cloud-native SDN (software-defined networking) technology, and the scale of edge computing is now rising exponentially. This edge computing facilitates a dramatic improvement in service capability in areas like artificial intelligence at the edge. However, the expansion of the edge also increases the cyberattack surface, and while 5G is more secure than 4G, it is a communication-architected progression, not a security-anchored effort. 5G specifications fall short of improving the security of data at rest or the infrastructure chain in this new edge compute cloud. This security weakness will be compounded by the explosion of IoT devices and sensors. Companies building sensor-based solutions are already realising that the very small flash memories built into such sensors are simply unable to run PQAs (post-quantum algorithms) because of the algorithms' high computational burdens. The growth in a new edge architecture expands the target space for cyber threats without a commensurate set of defences.
5G is initially being rolled out in non-standalone access (NSA) mode. This requires interaction between the high-risk vendor (HRV) supplying 2G, 3G and 4G network elements and the non-HRVs supplying the 5G elements. This interaction needs to be secured.
5G is positioned to implement open network architecture, which involves disaggregating the software and the hardware in the RAN and opening interfaces to meet the requirements for supply chain diversification. As identified in an EU report, Cybersecurity of 5G networks, combining devices from diverse suppliers increases security risks in the network.
Security for open networks is still being defined, and it will take time for vendors to implement it.
As it is introduced in many 5G networks globally, operators hope that Open RAN will be more flexible and cheaper. But what about security? To make building blocks interoperable, Open RAN comes with new interfaces, with often unclear security properties. Open RAN also adds complex IT technologies, which come with their own security issues. Many components are run on Linux in virtual machines or Docker containers on top of Kubernetes, adding multiple layers of possible threat risk.
As private 5G rollouts gain momentum in enabling enterprise-critical Industry 4.0 use cases, the security of seamless mobility between private and public networks for users is being challenged and requires attention. Private networks in the UK do not fall under the government’s Telecom Security Regulations, leaving them vulnerable to security compromises.
How can we secure 5G?
The solution to these security issues resides in the power of symmetric encryption. This is an alternative for network security that addresses the shortcomings of public key infrastructure (PKI) – the most common current encryption standard – and delivers a host of new benefits to customers. It also offers protection against attacks from quantum computers. Using a cloud-based symmetric key platform means it is easy to scale and allows customers to concentrate on security outcomes. Enabling the generation of symmetric keys at end points using only symmetric cryptography also completely removes the mathematical attack vectors in existing methods.
As 5G networks using an open ecosystem for RAN and Core are rolled out across the world with services moved into the cloud and enterprises handling billions of IoT devices, it is time to redefine the way we implement security in telecom networks.
The rigid PKI system with asymmetric keys needs to be replaced by a dynamic light-touch symmetric key agreement process. Without stronger, simpler encryption, these networks are all compromised.