Understanding 5G security

Why 5G security?

5G is the fifth generation of cellular technology, offering faster speeds and lower latency compared to 4G. It makes the connected era and Internet of Things (IoT) possible, and whether it’s smart cities, steelmaking, or healthcare, few industries will be untouched by its capabilities.

There are two types of 5G networks: public and private –

• Public 5G networks are primarily used by retail customers for smartphones and other day-to-day devices connected to the internet. Owned and operated by mobile carriers, public networks are available to anyone who subscribes to their service. As a network established by telco providers, the security rests with them for the most part.
• Private 5G networks are not accessible to the public. They are owned and operated by a single entity, such as a company or government agency, and are used to connect devices within a specific location or facility. For example, a factory might set up a private 5G network to connect its machines and other equipment to streamline operations and improve efficiency.

Most companies using 5G for manufacturing and operations will need to build a private network or employ a hybrid model of public and private, fitted to the requirements. Whichever model a company uses must be underpinned by robust security frameworks.

5G security is complex because, unlike 4G, it operates outside the perimeter of dedicated equipment, servers, and protocols. Instead, a highly vulnerable software ecosystem of virtualized RAN and cloud-forward services constitutes its core network. The concept of 5G security is new and evolving, which is why it’s essential to be alert to the challenges and develop and deploy new security measures in response.

5G security challenges

The introduction of new use cases, new business models, and new deployment architectures makes securing 5G networks more challenging. But without a cohesive approach to mitigating the security risks, it can be difficult to ensure that all potential vulnerabilities are identified and addressed.

These are the key security challenges for 5G as we see them:

• Increased attack surface: Millions of new connected devices are entering the digital ecosystem, which increases the attack surface exponentially. Many IoT devices are vulnerable and unprotected and typically operate with lower processing power, making them easy targets for attackers. This makes implementing zero-trust frameworks with true end-to-end coverage critical for protection against threats.

• New paradigms for telco: With 5G, the telco ecosystem is essentially inheriting IT challenges requiring a software security mindset. Whether public or private, 5G’s virtualized network architecture creates a new supply chain for software, hardware, and services, and this “virtualization” of traditional single-vendor hardware is a major security challenge. It’s time for professionals to acquaint themselves with network function virtualization (NFV), virtualized network functions (VNFs), service-based architectures (SBAs), software-defined networks (SDNs), network slicing, and edge computing.

• Operational challenges: The requirements or the capabilities needed to monitor a 5G network are different to IT and OT. This means that the tools used for monitoring the IT and the OT networks cannot be retrofitted or scaled for the cellular world, so 5G requires new tools and new capabilities. This involves training new people to understand the protocols and use cases.

• The complexity of implementation: There is no one way to build 5G architecture. It depends on the requirement of the organization and, as a result, the specification range can be extensive. Trying to bring these models together and manage them is one part of the challenge; the other is finding skilled professionals who know how to do it. Consequently, the margin for human error is another factor to bear in mind.

• Increased number of stakeholders: Finally, the industry recognizes that the success of building 5G networks is dependent on the entire ecosystem of hardware and software vendors spanning multiple suppliers, from chip vendors to cloud providers. Coordinating new stakeholders and their security efforts while ensuring that all potential vulnerabilities are covered is likely to be challenging. Note that different stakeholders may have different levels of knowledge and expertise when it comes to security.

Introducing 5G risk assessment

5G security is extensive and there are multiple parts to be cognizant of to understand where the risks and vulnerabilities are when running a network. You’ll see this mapped out into horizontal and vertical layers in the diagram. To conduct a comprehensive risk assessment of 5G, both axes need to be secured. Knowing where to start involves understanding what constitutes each layer:

• 5G horizontal security is the sum of five parts: user equipment, radio access, edge/multi-access edge computing, core network, and the cloud. Due diligence is necessary in every area to ensure assets are protected from confidentiality, integrity, and availability attacks.
• 5G vertical security is the sum of four layers: the product, the network, the applications, and the security operation layer on top. This is generally referred to “chip to cloud” security, particularly in the context of IoT devices.

A risk assessment, therefore, has to be holistic in nature, covering every aspect of the horizontal and vertical layers with due consideration of the threats, vulnerabilities, and assets that touch each of the specific components in the architecture. Such a risk assessment must also address any regional and industrial compliance requirements, and we will discuss this later in the series.

At Capgemini, we know that building and securing a 5G network is complex. We also know that everything must be protected end-to-end and in unison for it to work effectively. With deep technology, business, and engineering expertise, Capgemini has the unique capability to guide you on the 5G security journey end-to-end.

Security today adds value to a business tomorrow, and realizing the possibilities of a new, truly Intelligent era relies on it. Our experts can help you maximize the benefits.

The next blog in the series will consider how to conduct a robust risk assessment and monitoring in more detail.