Organizations everywhere are talking about the exciting potential of 5G technology. 5G is set to change the way we connect people, processes and assets over public or private networks. But it’s not only organizations that are anticipating the possibilities – businesses can also expect cyber attackers to be poised to respond. It’s critical, therefore, that cybersecurity isn’t just viewed as a bolt-on to 5G – it should be prioritized from the outset.
Cybersecurity risks and issues
Maintaining security has never been more challenging. Cyber threats have moved from attacks on individual institutions to attacks on networks at large. The 5G shift accelerates the convergence of information technology (IT) and operational technology (OT), introducing new cybersecurity vulnerabilities. Due to the scale of today’s risks, some countries have now realized they must take action to ensure communications service providers (CSPs) can handle 5G from a national security perspective.
Rising above and beyond the organizational level, EY teams have recently helped a leading telecom regulatory body establish cybersecurity controls and 5G non-standalone (NSA) network requirements, as well as identify the relevant threats. This exercise will be carried forward to assess the maturity of all the 5G telecom service providers in the regulatory body’s region.
From key concerns around cloud security, to radio interface protection, interworking and roaming, and core network security, there’s certainly a lot to consider. However, of all the risks presented, 5G network slicing and user equipment security are two of the biggest challenges.
Network slicing is a fundamental architectural component of 5G, serving various business use-cases through logically separated network resources. However, if the network is not securely sliced, it may expose operator network and customer environments to various security threats. The answer is to establish secure network design and architecture from the outset, with a focus on correct segmentation and secure user access controls.
Meanwhile, because 5G presents an enormous opportunity to connect massive numbers of internet of things (IoT) devices to the network, there’s now a wide range of associated security requirements to consider. When it comes to user equipment security, device-level features and their secure integration with the network are the only way to overcome the vulnerabilities arising from low-cost devices being developed at scale by suppliers.
Security by design
A comprehensive approach for addressing cybersecurity in the 5G ecosystem is clearly needed. New risks must be identified, older technologies supported, customer data and business processes protected, and urgent skill shortages addressed. Viewing cyber risk as purely an IT issue simply falls short.
Security by design is, therefore, a fundamental objective. However, it’s currently more of an aspiration than a reality for many organizations. Many clients of EY firms, for example, are already providing some form of communications technology and have invested heavily in previous mobile generations. They have legacy systems that can’t just be turned off. The challenge is to leverage 5G while maintaining these existing investments.
There are two factors to consider here. First, security by design practices adopted by an original equipment manufacturer (OEM) providing these devices to industry operators; and second, secure deployment within the environment after a security assessment has been performed. It’s important to make sure that data is exchanged securely with existing systems because there may be issues around data replication; older systems that aren’t patched may be vulnerable to attacks; and a 5G network could expose legacy infrastructure to modern threats. It can be incredibly complex to merge old and new.
Zero trust is an effective cybersecurity model whereby you assume everyone is a risk and only turn things “on” when there’s a need for them to be accessed. Zero trust is a much safer option than having everything “on” by default and turning “off” what is not permitted to specific entities – and it’s really the most sensible way to build 5G networks. But how is it possible to innovate at pace within this restricted environment?
Moving forward, fast
The purpose of successful 5G cybersecurity solutions is to protect users and businesses without stifling innovation. It’s important also to ensure that normal business operations can continue working seamlessly in the background. The key is, therefore, to automate some security processes, providing access to the business quickly, yet securely.
A good example of this can be seen with recent innovations in email authentication. Rather than providing a company with a personal email address when buying a product or service – which always carries a risk of being passed on to third parties – trusted tech providers are now offering to generate a random email address and act as a secure mediator to prevent unwarranted information sharing. It’s convenient for the user, allows the seller to contact you and protects personal data.
From a purely business perspective, however, it’s crucial to understand the context around 5G cybersecurity – and recognize that not every asset is equal. In fact, many organizations often don’t know what they’re trying to protect. This is where asset discovery and asset inventory processes come in. From there, businesses can conduct vulnerability management and basic security hygiene. And they can prioritize security for the most important parts of the business. Asset classification will help them to better understand what’s fundamental to the business, so they don’t have to waste money protecting the things that have far less value.
Risks will always be present. It’s the reality of cybersecurity today. But, by putting the right controls in place, businesses can both reduce the risk of something happening and reduce the impact when things do happen. Rather than being a hindrance to progress, an effective cybersecurity strategy can help support and enable the overarching business strategy – which is the most effective way to achieve secure outcomes.