So, 5G is one of those once-in-a-generation types of leaps that will alter how we operate. However, 5G security comes with a lot of challenges. Private 5G networks require us to look at attack surface management in a different way. How do they change the way we need to defend our data? And, what is the best way to use them safely?
5G Security for Attack Surface Management
An immediate appeal of private 5G networks is the supposed cost savings from a capital cost perspective: you no longer need to bust up concrete and cut up walls to run cables. Why the italics though? Because the usual bean-counting does not take into account a hidden but brutal cost: the breach.
They say in life two things are certain: taxes and death. Perhaps for the enterprise nowadays, these two things are certain: taxes and breaches, meaning that 5G security concerns have an impact on your breach resilience.
Yet, 5G security is something different. The U.S. Cybersecurity and Infrastructure Security Agency give a good rundown of possible 5G attack vectors:
- Policy and standards: fast deployment has led to open standards and inconsistent use of security controls.
- Supply chain: counterfeit components and inherited components. Devices are not always certified, meaning: do you really know what’s in your network?
- Architecture: software/configuration (plugging in a wire is easy by comparison), network security (exploits will always be there), network slicing (no clear standards, meaning you can move laterally in an easier manner), legacy infrastructure (bringing over any previous vulnerabilities), multi-access edge computing (core elements can now be at greater risk), spectrum sharing (frequencies are scarce) and software-defined networking (threat actors just need to inject some code to unleash havoc).
How 5G Security Adds to Other Risks
These come in addition to other risks today:
- Manageability: Lots of devices, lots of data. Think endpoint security and traffic analysis.
- Supply chain: Think hardware and software vulnerabilities. Lots of them. Wires are pretty easy things to trust, regardless of where they are made. Wireless nodes, not so much.
- Usage: What will the network ultimately do and what will be allowed on it? If you decide to deploy a private 5G network, can you really risk having personal devices on it?
The Possible Hidden Risks
Some of these 5G security problems exist in a private wired network, while others are new. And think for a moment what all the 5G and Internet of Things devices will do for inventory management. Is your configuration management database ready for the influx of devices? The moment it becomes easier to connect, more devices will connect.
Are you ready to take the time to whitelist every device, or will you take your chances and hope you have a tool that discovers all assets? Pro tip: knowing an asset is on the network and knowing what that asset is doing while on the network are two very different things. Monitoring all that valuable data and sifting through the noise is no easy task.
There is another attack surface issue: physical changes. If you are on a private network with no outside connections, there is some peace of mind that wires will keep the data contained. But can you really say that about a ‘private’ wireless network? Wi-Fi has been around for a while and we still see attacks happening as a result of spoofing, misconfigurations, man-in-the-middle tactics and good old-fashioned jamming. What’s stopping somebody from parking a truck near your private network and cranking up some microwaves to degrade and interfere with your network? Almost makes a direct-denial-of-service attack look state-of-the-art. And let us not forget that frequencies are already scarce to begin with.
Finally, 5G security includes privacy concerns as well. Will you allow personal devices to be a part of your private network? What safeguards do you have in place to ensure possible personally identifiable information does not get siphoned off on a much more highly exposed network?
Business Models Change With a Private 5G Network
Private 5G networks may look great out of the gate, but there is a lot of long-term thinking that needs to be done, especially considering we still fail with the basics. There are a lot of changes happening too, which need to be considered. Work-from-home and remote work has proven to be effective, meaning the business needs for a private network change, at least in the short-term.
Will a private network add a hidden cost to your ledger? Unknown, but it is something to consider.
So is the capital spent on a private 5G network really worth it? Perhaps it is. You have to do the math: understand the business and before you take the plunge, consider all the identifiable 5G security risks and associated costs.