Enabled by the convergence of a broad array of advanced technologies, 5G networks promise to wirelessly interconnect devices, individuals, enterprises, and nations at unprecedented levels of performance and service. The technologies underlying the 5G infrastructure complete the digital transformation of communications networks, offering a more fluid fabric needed to respond to fast-changing demands. In protecting these networks and their users the challenge lies in ensuring that those diverse technologies combine to serve as a shield rather than a sieve to cyberattacks. Because 5G networks are expected to reach into every aspect of the connected society, the need to respond to this challenge is critical.
MEC: A Security and Privacy Enhancer
NFV: A Critical Enabler
Is the 5G Network Secure “Enough”?
Across the layers of the 5G network hierarchy, core technologies shift the nature of mobile communications, sometimes in profound ways. At the lowest layer, the 5G wireless millimeter wave (mmWave) frequencies dramatically boost available bandwidth, but also bring a fundamental change in the network topology. Instead of the large cell towers of current cellular networks, the reduced range and limited structure-penetration capability of GHz-frequency signals dictate the need for a closer distribution of more 5G cells. Placed in neighborhoods or even individual buildings, small 5G cells are the most evident transformation of the new network architecture—one that more closely resembles a hierarchical distributed computing environment than a communications network. In the 5G infrastructure, a radio access network (RAN) built around those small cells interact with a software-based 5G core network cloud, using local multi-access edge computing (MEC) systems to reduce latency to end devices and to provide local processing that reduces the load on the cloud.
Although small cells are often closely associated with a user’s view of a 5G network, the 5G core is the centerpiece of this new software-based communications framework. As with current public cloud services, the 5G core unshackles applications and services from the underlying hardware foundation using software technologies built around the concepts of software-defined networking and virtualization:
- Software-defined networking (SDN) separates control and data planes to provide greater flexibility in the communications network configuration and performance. This process permits data flow through the core in any number of defined paths.
- Virtualization separates application- or service-level functionality from hardware resources. This separation means that network providers can scale the computational backbone and deploy virtualized services to meet changing performance demands. As discussed further below, this capability also allows providers to add specialized services at any point in a network without the costs and delays traditionally required to provision resources at specific physical locations in a network.
MEC: A Security and Privacy Enhancer
SDN, virtualization, and cloud services are by no means new. Yet, their use in combination with other software-based elements in the 5G hierarchical architecture presents a novel set of capabilities that can enhance security. The availability of MEC resources can significantly enhance security and privacy in these networks. For better security, these edge computing resources can employ more extensive operational methods within their local RAN and provide vital maintenance support such as cell commissioning/decommissioning and secure over-the-air (OTA) updates of cell firmware.
In the connection between end devices and cloud-based services, MEC systems can enhance both security and user privacy in several ways. For example, MEC systems can serve as mediators, leading to more secure authentications—not only reducing the chance of man-in-the-middle attacks but also reducing the amount of personally identifiable information (PII) available for interception. Beyond their role in these fundamental services, MEC systems can serve as connections between end devices and hybrid clouds that combine the public cloud core with private resources that protect sensitive data, including PII.
While MEC elements can help tighten security, the extensive software foundation of 5G networks enables novel new approaches for enhanced security. For example, in 5G networks, virtualization offers more than the isolation that is commonly associated with virtualized environments such as cloud virtual machines or containers. In 5G wireless, this concept extends to a capability called network function virtualization (NFV). NFV transforms traditional hardware-based network node functions such as load balancers or firewalls into software-based services that providers can deploy where necessary and scale to meet changing demand.
NFV: A Critical Enabler
NFV is a critical enabler of the 5G vision with its potential to tune network-service delivery to just the right level of performance, reliability, and functionality needed to meet specific service objectives. NFV already serves a role in providing development features such as monitoring and testing in 5G testbeds and early deployments.
For security, NFV conceptually offers a significant advantage over current approaches. Besides using virtualization broadly to scale performance, service providers can use NFV to scale threat detection and response capabilities. At the first sign of an attack, a provider’s security monitoring system can upgrade an NFV firewall to provide deeper filtering and even scale its hardware resources to maintain the same quality of service during the attack. Using SDN features, the provider can even reconfigure the network to move defensive nodes closer to the source of the attack, eventually isolating bad traffic from good. Using this broad approach, service providers and third-parties can essentially parameterize configurations, node capabilities, and cloud-based applications to offer on-demand security-as-a-service offerings. This concept jells in a 5G capability called network slicing.
A network slice is essentially a frozen network configuration, using the same 5G SDN and virtualization capabilities that enable dynamic real-time responses to network events. Unlike a virtual private network (VPN), which tunnels encrypted traffic through shared resources to a VPN server, a network slice comprises a set of dedicated virtual resources that are defined in an SDN configuration and served by NFV services. A high-security slice might include enhanced NFV firewalls and defensive nodes as part of its “frozen” configuration rather than as an on-demand response to an attack, as mentioned earlier.
Conversely, a slice built for Internet of Things (IoT) applications might relax some security policies, conforming to the relatively lightweight security capabilities of resource-constrained IoT sensors for example. At the same time, a slice for financial networks could use a different SDN configuration provisioned with NFV services optimized for security as well as for high-volume, low-latency transactions. The ability to match specific domain requirements with optimized slices provides a security capability of importance that cannot be overstated. Combined with concepts such as micro-segmentation for finer-grained isolation, 5G solutions give providers a wealth of emerging tools that support and protect unique application-specific networks (ASNs).
Despite all the advantages potentially available in underlying technologies of a 5G infrastructure, implementing a new architecture with these technologies presents its own share of challenges to security. Even the most fundamental element, the small cell, adds to security concerns. Although current cell towers present at least some level of challenge to physical attacks, small cells are physically more vulnerable, and with the need to deploy them in large numbers, they are readily accessible.
Practically speaking, however, the threat of network penetration through physical access of a small cell is likely minimal. This is because the industry has gained considerable insight and experience in the local deployment of smart utility meters, for example, and proven tamper and intrusion detection mechanisms used in smart meters are readily available to limit the impact of physical attacks on small cells. Of course, cyberthieves do not require physical access to a small cell to attack the 5G network infrastructure, its services, or its users. In fact, the combination of its software-heavy architecture and new operating model might expose a richer set of threat surfaces in 5G networks than mere physical access would.
The ascendancy of the 5G software-driven service-based architecture enables a radically new model that empowers multiple contributors, shrinking the influence and oversight that the single-provider model offers in today’s mobile services. New opportunities will emerge for additional players to package 5G software components into service offerings at a sensible cost but that also optimize reach, latency, bandwidth, and any other parameters of interest to consumers. At the same time, qualified third-party developers will be able to take advantage of application programming interfaces (APIs) associated with each component and be able to offer unique NFV services, specialized SDN configurations, and even enterprise-scale “apps.”
As with any complex software integration, the combination of many software components with different APIs, protocols, and stakeholders can leave security holes in the final offering. Although each software component might intend to offer the tightest possible security, security weaknesses can be built-in inadvertently through the component’s own code or through the software libraries used for its development. The result of these types of internal weaknesses has given rise to the disturbingly commonplace discovery of “zero-day defects” in widely distributed, supposedly stable code, and such defects in evolving-code sets remain a concern.
In a system of cooperating software components as complex as a 5G network, the likelihood of security defects grows dramatically. Each boundary crossing between components, subsystems, or systems represents a potential threat surface arising from weaknesses in the API or related transaction protocols. Although tools have evolved for API development and protocol analysis, 5G networks face a potential flood of third-party software offerings, each with potential security holes waiting for discovery by determined cybercriminals.
Although a few of those security holes might be planned avenues for future exploits, some security vulnerabilities can arise simply as developers rush to stake their claim as first to the market with new capabilities. Unfortunately, the industry is replete with examples like these. Poorly secured connected products have been rushed into the market—only to be hijacked as part of botnets for massive distributed denial-of-service (DDoS) attacks. The rush to link 5G components into nascent 5G networks mirrors this flawed approach on a potentially wider scale.
Worse, this same goldrush mentality threatens the broader set of 5G services as major cellular players and new participants hurry to field their offerings. History shows that ensuring security in complex software systems is hard to achieve, and typically, the test phase pays the price for schedule shortfalls.
Aside from the expected difficulties of systems integration, 5G developers are dealing with an inherently complex framework where standards and fundamental issues are still evolving.
Industry stakeholders continue to work through many details involved in setting standards for critical features including key security agreements, authentications, and PII transports. Though challenging in itself, defining these standards also creates additional challenges, especially with the need to maximize security and privacy in the 5G domain while also maintaining compatibility with previous generation networks. 5G connectivity through multiple access networks, including Wi-Fi, further complicates the model’s standards and its fundamental security protocols.
As standards evolve for 5G networks, 5G security will continue to face a broad array of threats from familiar attack vectors as well as new attack vectors looking to exploit the novel elements of 5G networks. For example, a 5G network formed from familiar technologies such as SDN and virtualization faces the same threats that have followed each of these embedded technologies, but the integration of these technologies into 5G networks also presents completely new avenues of attack.
Case in point, the files used to dynamically configure a network or build a slice face a series of threats similar to firmware updates in smart products. To secure the configuration process, 5G network providers will not only need to apply secure update mechanisms but also embed them within higher level security policies. In turn, these policies will need to encompass middleware and higher level services and even involve cooperating entities at the enterprise level. Defining the appropriate trust models and implementing them in dynamically changing networks will take some time to establish, much less optimize.
Is the 5G Network Secure “Enough”?
There are earnest and widespread efforts taking shape to build trust models and define comprehensive security measures for the new 5G network infrastructure. However, these efforts are not strongly established yet, especially to a level that prevents the most security-conscious organization from carefully weighing the total costs of security against the sheer magnitude of the coming 5G market opportunities. In fact, it would be unrealistic to expect that a framework intended to connect untold numbers of devices, services, and individuals could ever achieve “complete” security.
In practice, a system only needs to be secure “enough,” shifting the requirement from one of attempting to identify every threat to one of building security into the foundation of the system. Even with the many 5G features available for enhancing security, the most fundamental approach lies in maintaining constant security awareness for each component of a 5G network. This approach means implementing security by design rather than patching security holes after attacks have already taken their toll.
By Stephen Evanczuk for Mouser Electronics Stephen Evanczuk has more than 20 years of experience writing for and about the electronics industry, discussing a wide range of topics including hardware, software, systems, applications, and the Internet of Things (IoT). Dr. Evanczuk received his PhD in neuroscience with an emphasis on neuronal networks.