You’ve heard of the Gartner Hype Cycle for emerging technologies, with its “peak of inflated expectations,” “trough of disillusionment,” and “slope of enlightenment.” A similar concept applies to 5G security.
Based on Spirent’s experience with dozens of clients and extensive research (summarized in the recently published study 5G 2021: Market Drivers, Insights and Considerations), we have identified three key phases of 5G security: overwhelmed, overconfident and orchestrated.
Read on the learn more about each stage as well as insights, lessons learned and advice to help you speed your journey to 5G security.
Phase 1: Overwhelmed
To say 5G security is complicated is like saying Jeff Bezos is well off. Here are just a few of the key considerations that must be addressed:
Multiple layers to account for, including core, radio access, mobile edge, end-user device, and transport.
Multiple devices and locations, including internal networks and remote networks and devices.
Multiple criticality levels, from games and VR to consumer-grade IoT to autonomous vehicles, IIoT, and other mission-critical use cases.
Multiple telecom standards, including security protocols, algorithms, interfaces, etc.
Multiple constituents to protect, including the networks and data of suppliers, partners, equipment vendors, and users.
Multiple applications and development styles to account for, including open-source software.
Multiple processes to secure, from operations, monitoring and auditing procedures to design, configuration, hardening, and so on.
Multiple regulations are on the way, including the potential for national regulation due to concerns over Critical National Infrastructure and Supply Chains (the UK Telecoms Security Bill, for example).
At the same time, the explosion of connected devices and cloud-based software are creating a flood new security risks for network operators, including denial-of-service attacks, slice faking, CUPS hijacking, massive IoT and fronthaul attacks, virtualization (NFVi) attacks, cloud/edge distribution attacks, and security gateway attacks—not to mention ever-evolving risks such as data breach attacks, resource exhaustion, VLAN hopping, authentication & authorization attacks, and more.
Confronted with the titanic task of transforming all of this into a 5G security strategy, a natural impulse is to quit your job, find a secluded beach, and live out the rest of your days fishing and hunting for crabs.
Steel yourself to reject inertia. Embrace the complexity and begin crafting an effective security assessment and testing strategy.
There is an alternative to consider. Steel yourself to reject inertia. Embrace the complexity and begin crafting an effective security assessment and testing strategy. Research confirms that if all layers of the network and all projected use cases are carefully evaluated and thoroughly tested, the complexity of 5G security can be tamed and turned into competitive advantages.
Keep reading: "5G Security – Mitigate Risks, Maximize Opportunities"
The key is to realistically assess your security vulnerabilities and identify your best options for risk mitigation. But what can get in the way of that goal, and what can be done to overcome the obstacles?
Phase 2: Overconfident
It’s only natural. Once you’ve processed the fact that 5G security is insanely complicated, you start looking for footholds that can help you scale the mountain. And in your preliminary analysis of the security mechanisms available for 5G, you will find that 5G is already more secure than any previous network!
5G is inherently more secure than 4G LTE because it provides a mix of tried-and-true network technologies and newer, emerging technologies such as virtualization, containers, multi-cloud environments, SDN, VNF, and so on. There are effective security mechanisms for all of these technologies, old and new.
And with 5G, security challenges are anticipated and addressed proactively, from the start. 4G simply plugged security vulnerabilities as they were discovered. From a unified authentication framework and stronger air interface security, to enhanced user privacy protection, cryptographic algorithms, home control and roaming security, measures are already in place to proactively protect 5G networks from threats.
On the one hand, that means network operators can instantly benefit from the time savings and flexibility of security synergies. For example, authentication is the same for 5G and Wi-Fi, enabling more seamless handoffs between networks. User privacy is already safeguarded, laying the foundation for greater trust. Data transfers are already secure, expanding the types of information that can be sent safely over networks. And isolated network slices can be used to enhance the security of private networks and Industrial IoT (IIoT) smart factories where traffic is localized.
On the other hand, however, network operators may be overlooking the two most important words in 5G security: supply chain.
5G security is not only about protecting your networks; it requires a multi-vendor approach that accounts for the end-to-end security of the entire ecosystem—because 5G is fast becoming an integral part of cross-enterprise and national critical infrastructure.
Our recent research underscores this fact. It shows that the area of primary focus for 5G Core testing is validating multi-vendor security and robustness for commercial deployment.
The key to eliminating overconfidence, of course, is security validation. And that requires more than piecemeal, point-in-time testing of selected network elements. It requires proactive, continuous, realistic assessment of the entire environment, in production—across the 5G lifecycle from development to operations.
In short, it requires that security assessment and validation be “orchestrated” across the supply chain. Now let’s take a closer look at what orchestration of security validation actually entails, and how it benefits your organization.
Phase 3: Orchestrated
5G adoption is quickly accelerating across the supply chain. There are already 290 million 5G subscriptions, with 3.5 billion subscriptions expected by 2026. Coverage build-outs, cloud edge growth, and supply chain diversification are among the leading drivers of future growth. Of the leading CSPs upgrading in next 12 months, more than 50% will have multi-vendor offerings.
As the 5G supply chain grows and diversifies, so do security risks. Out-of-date security systems, poor access control, inconsistently applied policies, limited security compliance in third-party software, insider risks, and self-policed compliance are just a few examples. These and other risks extend across the entire spectrum of interactions among suppliers and service providers.
Clearly, suppliers and service providers must orchestrate security assessment across the supply chain to conform to new regulations and reduce risks, costs and potential penalties. The question is how.
Whether you are a 5G service provider, network equipment manufacturer, or enterprise, and whether you’re building private or standalone 5G environments, we recommend you do the following:
Continuously validate your suppliers and supply chain security, using both point-in-time and automated assessment techniques, to verify that security is still fit for purpose. Security revalidation must be as agile and continuous as the volume of releases coming into the network.
Continuously assess your networks and devices in the operational domain to proactively identify risk and handle mitigation. Active monitoring (i.e. synthetic attack traffic generation) and analytics will be extremely helpful in this area.
Continuously assess applications, APIs, authentication mechanisms, and container orchestration for known vulnerabilities, security misconfigurations, and access control.
Validate the security efficacy of the supporting PKI (public key infrastructure) platform that would be issuing the certification, check certificate strengths, supported cypher suites, key length, secure key storage, certificate lifecycle management, connections between network functions using TLS (VNF, CNF and PNF) and PKI security requirements compliance.
Continuously war-game your network to discover weaknesses and future risks.
To assist you in this orchestration phase, Spirent provides a range of proactive, end-to-end 5G security testing and validation capabilities that allow you to detect and mitigate vulnerabilities early and often. You can apply our solutions across the entire 5G environment in a wide range of use cases, and we can perform both point-in-time testing and continuous assessment of your live 5G environment.
This puts you on the path to the ultimate goal of 5G security: capturing more business opportunities with minimal risk.
Once you’ve orchestrated security validation across the supply chain, you can offer secure 5G services without sacrificing performance, easily deploy 5G inside and connect to the outside, use both Wi-Fi and cell networks in a closed environment with safety, and maintain a realistic, accurate assessment of your security posture across a wide range of 5G threats--including NFVi attacks, edge distribution attacks, network slice attacks, IoT attacks, Ethernet fronthaul attacks, security gateway attacks, and more.
So, where are you on your journey from overwhelmed to overconfident to orchestrated? Continue your voyage by downloading our eBook Safely Accelerate to Lead the 5G Race