For alarm monitoring providers and alarm installers the advent of 5G – Optus just launched a couple of 5G points in Canberra – is going to deliver opportunities along with plenty of security challenges.
With 5G, there are going to be security challenges that will make worries about plugging alarm panels and access control solutions into current IP networks look trivial. A core issue that must be addressed is formulating global security standards for 5G communications modules – right from the get-go, this is going to demand vast collaboration to ensure existing security functionality, such as encryption, IDS and authentication, is tested to a uniform standard. These security standards are going to need to be built into 5G modules and devices of all kinds.
It’s not just that 5G brings new threats – existing threats will undergo considerable lateral expansion and amplification as multi-layered network points hold hands. New threats might include virtual identity spoofing but some of the older threats are going to get much more difficult to manage. The first risk relates to the nature of the platform. 5G is lateral and supported by virtualised distributed network infrastructure, which increases the area of exposure open to attackers. 5G is meant to be open in all directions, across multiple layers, for it to function at top speed.
What speed? The International Telecommunication Union (ITU) has developed draft technical specifications for 5G which include 1 Gbps data rates for hotspots, and 100 Mbps download and 50 Mbps upload for wide-area coverage. That’s way faster than current networks. Then there’s the massive connectivity – the standard suggests 1 million connections per square kilometre – as well as ultra-low latency of 1 millisecond, high reliability of 99.999 per cent for mission critical ultra-reliable communications, as well as mobility speeds up to 500 km/h. All these big numbers are great, but they mean threats are bigger and will grow faster – clearly the stodgy networks of the past have afforded a form of protection.
Trying to stay on top of device security is going to be next to impossible and threats will propagate wildly, thanks to massive scaling potential. Patching public 5G networks will be impossible but establishing standards of membership to a network and blocking devices that don’t meet that standard might be a solution. The challenging nature of applying 5G means the first networks are going to be owned and managed by one organisation – which rather defeats the purpose.
The simplest threat is one we’re all familiar with – the more connected everything is, the more intense will be the risks from distributed denial of service attacks driven by billions of devices (21.5 billion by 2025) on IoT networks. Many IoT devices employ a client-server model which has a minimum of security and is likely to be deployed by users with little knowledge of cyber security. It’s a simple equation. The more devices, the bigger and faster and more widespread the networks, the more colossal DDoS events will be. Possible security fixes include validation of devices using blockchain authentication.
Software-defined wide area network (SD-WAN) vulnerabilities will also be amplified by 5G as SD-WANs are increasingly used to support mobile and IoT devices. Here, the threat is vulnerabilities in the SDN layers likely to be deployed to support industrial and home automation, self-driving cars and management of consumer services. The SD-WAN risk highlights the fact that security in a 5G environment must be layered and no layer can be ignored.
Another threat will be proximity service intrusions which compromise necessarily simplified device-to-device communications. The idea of proximity services is a good one – data will propagate in all directions through any network point, lowering latency, maintaining bandwidth and communication speeds and allowing vital services to be supported with greater redundancy. But bringing edge devices into networks means edge devices must be secure and must be capable of managing their own security in real time – that means more processing power and greater power use. There’s something else, too. If edge devices can support 5G networks in emergency situations, they will be relied on to do so – that creates risk.
Something else that needs to be covered off is the Authentication and Key Agreement (AKA), which enables 3G, 4G and 5G networks to trust each other. AKA enables a user to shift usage charges to another user. It’s possible to use AKA to find nearby phones and track them. Only an update will resolve these issues.
For security people, the takeaway is that while 5G will offer new business models and functionalities, it needs a dependable, secure basis if it is to avoid exposing itself to old and new risks that will be magnified by its turbo-charged nature. With 5G, anything that can go wrong is going to go wrong at gigabit speeds. It means security must be built into everything – into networks, network devices, automation devices – in order to reduce attack surfaces.
The responsibility for security will go lateral, too. Manufacturers and OEMs are going to need to pick up the baton with security capabilities, while standards bodies, industry associations, alarm monitoring providers and installers are going to need to be thoroughly across the risks and fixes to ensure their customers are never exposed.