Delivering on the Promise of 5G Requires New Security Standards
In order to deliver on the promise of 5G, we need new industry standards for security, testing, and training
5G has the potential to deliver incredible innovations, from smart cities to self-driving cars to advances in healthcare, manufacturing, and other key verticals. While 5G addresses cybersecurity vulnerabilities of previous generations, it also brings new risks:
● 5G is software-defined. The increased role of software in 5G makes it more susceptible to dynamic, software-based attacks, both on the software that manages the network and on the network itself.
● 5G will accelerate IoT. Frost & Sullivan predicted there will be 67.7 billion IoT devices in service by 2025. Each of these devices expands the attack surface and is a potential entry point for cyber attackers to gain access to the network and its connected devices. This opens up a wealth of frightening possibilities for attackers, from taking over a webcam or manipulating sensor readings to far more serious implications like crashing a power station, shutting off a pacemaker, or even taking control of a car.
● 5G has a complex supply chain. 5G’s decentralized, open source foundation is made up of a complex, interconnected supply chain of networks, mobile operators, and suppliers (as recent high-profile breaches can attest) that creates new opportunities for cyber attacks.
Developing security standards across the 5G ecosystem
These fundamental network changes lay the foundation for innovation, but also create an expanded attack surface for dynamic, software-based cyber threats. As a result, in order to deliver on the promise of 5G, we need new industry standards for security, testing, and training.
The 5G ecosystem of mobile operators, device manufacturers, vertical industries, standards bodies (such as 3GPP), and regulators must come together to reassess current security standards and provide updated recommendations before 5G scales. These new standards should communicate steps that businesses can take to proactively combat 5G cyber threats and minimize risks, including the following strategies.
1. Build cybersecurity into the software development lifecycle
Security by design means integrating security measures into each stage of the software development process — from requirements, design, and implementation to testing and deployment. This philosophy focuses on proactively preventing breaches instead of reactively repairing them and is critical as the number of 5G-enabled devices and networks proliferates.
Building security into software early and from the ground up not only mitigates risk, but creates more effective and reliable applications by discovering and addressing potential vulnerabilities. This ensures security is always top of mind, helps identify potential design flaws early, and lowers overall development costs. Ultimately these important steps reduce potential risks for organizations and help to protect end users from breaches.
2. Take a holistic approach to continuous testing
Security is never static. Attackers are always looking for new vulnerabilities to exploit and the only way to stay ahead of them is through continuous validation. While device penetration tests are valuable, they overlook two major factors: the network infrastructure and networking blind spots. Additionally, penetration tests are only valid for a limited period of time; results become outdated after changes are made to the device software, the network configuration, or security policies.
5G security standards should include the implementation of breach and attack simulation, using automated tools that are regularly updated to detect the latest threats. Continuous testing goes beyond a simple penetration test and should include a full suite of attack vectors, helping to expose vulnerabilities throughout the network’s core and edge — covering both security gateways and endpoint devices. As dynamic attacks continue to shift in a 5G environment, a continuous testing strategy dynamically minimizes risk.
3. Develop comprehensive training for cybersecurity teams
Learning how to manage the high-stress situation of a network breach is critical for security teams today. As part of the 5G security standards, security teams should undergo hands-on security simulation training so they know what an attack looks like and can practice responding to it before it happens.
Cyber range environments offer realistic, virtual attack simulations using the actual network equipment and systems used by the team every day. In these exercises, team members are assigned roles on the “defender” or “attacker” teams, and practice detecting and containing attack vectors, evasions, good traffic, and attack life cycles in a simulated hostile environment. These exercises enable cybersecurity teams to learn key lessons that dramatically improve their ability to thrive under pressure in the event of a real breach scenario.
Redefining security standards for the 5G era
In order to stay ahead of the evolving landscape of 5G vulnerabilities and threats, mobile carriers, suppliers and businesses need to implement new security, testing, and training standards across their organizations. With industry cooperation and collaboration, this new security framework will proactively protect 5G users and deliver on the near limitless potential of 5G.