At MEF Connects Cyber Security, industry analyst Terry Norman led an expert panel discussing 5G in the context of cybersecurity, and here takes a deep dive into the debate and the key points explored.
When one talks of Industry 4.0 – Industrial IoT, Machine to Machine – and fifth generation mobile technologies, 5G, the metaphor ‘perfect storm’ is not far away from the lips of commentators of a more pessimistic persuasion. They accept that the convergence of machine communications, the Internet of Things and next generation of mobile communications, 5G, will bring about an explosion of machine communications and multimedia, mobile-internet access.
Their anxiety derives from the notion that this will also create unprecedented vulnerabilities in communications security, national security and personal data. We discussed the subject in our MEF Cyber Security Event with the help of a panel of experts.
Our objective was to explore whether this is indeed a reasonable concern and what the industry as a whole – mobile equipment vendors, network operators and their business customers – is doing about it. Will we weather the storm; is the forecast bright and sunny, or should we fix to bring our ‘brollies’?
This blog summarises the discussion and conclusions. The full panel recording can be seen below.
Knowledge and experience in the field of network cyber security were not in short supply among the panelists. Mobile operators were well represented by Rémy Harel and Bechara Kaddoum. Rémy is the Head of the Security and Interception team at Orange Innovation, while Bechara is Telefonica’s Global Solutions Strategic Account Manager for Europe, Middle East and Africa and Asia-Pacific. The GSMA – representing the interests of mobile operators worldwide – was itself represented by Martin Beauchamp, a senior security analyst well known in the cyber security world and GSMA IoT Security Director for the GSMA Working Group. The providers of network equipment to the mobile operators carry the lion’s share of the burden of implementing 3GPP 5G standards. To give their view we had Alessandro Bovone, the customer experience CTO at Nokia, North & West Europe. We were also fortunate to have Jason Longley on the panel. Jason is the Technical Leader at Palo Alto Networks, a world-leading multinational cyber security company.
The session divided naturally into two parts. First we discussed the difficulties mobile operators face when endeavouring to put up a strong security shield around their 5G networks. Then the discussion moved on to consider the security implications of using off-the-shelf equipment and open source software and the installed base of legacy equipment within 5G networks.
Part I. The Mobile Operators
The standards govern the build and deployment of each generation of mobile equipment, and 5G is no exception. Standards are concerned with defining the functional elements of the network and the interfaces between them. They are not overly preoccupied with implementation. That is left to the vendor, operator and infrastructure provider, guided by operational and economic considerations: for example, whether certain functions are implemented in a cloud, in physical machines or in virtual machines. Clearly, operators are free to choose from a wide variety of possibilities, mixing both physical and virtual, each with its own commercial advantages and operational setting. This leads directly to our first question for the panel.
Will the sheer number of implementation scenarios mean that attempts to define a uniform approach to security assurance are unrealistic? In other words, will this ‘mix’ of technologies and implementations create such a range of attack opportunities that it is almost impossible to recommend security best practices?
Here all panelists agreed that the complexity of the situation should not be underestimated. A one-size-fits-all approach to securing ‘services’ is unrealistic, and those looking to follow benchmark guidance and then tick the ‘security done’ box will be disappointed.
First, the complexity of the task must not be underestimated. Martin Beauchamp makes the point that any change in technology brings new capability, but also new security attack opportunities. “The enemy of security is complexity and change”, says Jason Longley. Jason points out that significant changes in the way mobile communications are done [previously through proprietary protocols] are with us. Now we are seeing REST APIs, HTTP, virtualisation [etc]. “All the elements are there to create a real security problem”, says Jason. He illustrates his point: “When we tested in the lab a large vendor’s MEC (Mobile Edge Computing), we found over 10,000 [security] vulnerabilities.”
However, on the question of whether a benchmark approach to ensuring network cyber security is achievable, the panelists were more bullish. The general conclusion was that not every solution would have to be entirely bespoke. Proven techniques for managing network security should be employed, and a methodical approach to assuring security would pay dividends. Security reviews and audits of software, hardware and operational procedures should be baked into the project at every stage: standards, equipment design and build, deployment and operation. This should further serve to share the costs of security among those benefiting from the value chain.
“3GPP have done a fantastic job at putting together 5G, end-to-end security”, Jason Longley. “5G is designed for security”, Alessandro Bovone. Alessandro goes on to say that security is a challenge, but not one we cannot overcome. He further makes the point that it is not a static thing; it is dynamic, and vendors, operators, the supply chain and regulators will have to work together to maintain network security. “We know the approaches, it’s about working through those, doing them and maintaining them”, Martin Beauchamp.
The previous question, however, makes clear that security comes at a price. So, as a follow-up question, I asked whether the panel might foresee a time when operators will need to share the cost of security with their customers, perhaps by offering tiered levels of security at a price.
Again there was consensus among the panelists. Securing the network and associated services against the multiplicity of known and new attack vectors that 5G will bring will be expensive. It is not an undertaking that can be financed entirely by the mobile network operators. The general view was that this is unlikely to affect domestic deals. However, tiers of security – enhanced at a price – are envisaged for those business customers that require a bullet-proof offering.
“Mobile operators are most likely to focus upon protecting their own infrastructure and not the customers’ workload, unless they are going to get paid for that”, Jason Longley.
“B2B customers will pay for security, for them it is totally worth it”, Rémy Harel.
Part II. Equipment Vendors and Enterprises
In this section we moved on to look at the issues of network security from the perspective of vendors and enterprises. In particular, we considered the use by vendors of off-the-shelf equipment and open source software in their offerings, and the installed base of equipment in the ‘soon to be’ IoT networks of enterprises.
We are seeing increasing numbers of off-the-shelf software and components creeping into network architecture. More and more, vendors are using open source components to reduce costs and time to market. Whilst this ensures they remain competitive, at what price does it come to network security? Are data and services that maximise the use of open source more vulnerable to cyber attack? What are the vendors doing to ensure the open source software and off-the-shelf components they incorporate are safe to use? Realistically, is there much they can do? I asked the panelists for their opinion.
The premise was accepted as a given by the panel. “All vendors use more and more open source software”, Alessandro Bovone, Nokia. With regard to managing the risk this brings, a rigorous approach to audit before implementation and commissioning is the answer. “We check and control all software we bring in”, Alessandro. Further, this should be a continual process: according to Alessandro, it should be ongoing throughout development of the product or service. Palo Alto Networks agreed with this approach. Jason illustrated it well with the Palo Alto Networks “Shift Left” approach. In its simplest terms, “Shift Left” security means moving security to the earliest possible point in the development process.
Whilst operators and service providers are able to guarantee cyber security in green field deployments – after all, they control the equipment in their networks – there will be many brown field deployments in the future. A brown field deployment describes the situation where, as the Internet extends further into areas of society, its reach touches equipment installed many years ago and previously outside the world of Information Technology and cyber security. Consider manufacturing as an example. As the industry progresses towards Industry 4.0, a growing number of programmable logic controllers and the like from existing SCADA systems will be brought into operators’ inventory of network equipment. Many of these devices have been connected to machines for decades, long before security and the Internet became an issue. The equipment can be decades old and is often beyond compliance regulations, which means it is either too expensive or not technologically compatible to update or augment. So, I asked the panel, does this legacy equipment offer a back door for criminals?
We didn’t have enough time to explore this subject properly in the panel session. However, other conversations I have had lead me to believe that this is the real ‘elephant in the room’ question. As observed by Alessandro Bovone, “The problem is not our [Nokia] equipment, but how we configure and connect to legacy equipment”. Protecting networks against attack via legacy equipment – the installed base, as it is called – will not be straightforward. There are, however, methodologies that operators and service providers can use.
These tend to adopt common sense strategies: authorising connectivity using digital signatures from trusted sources; limiting the extent of connectivity – how far into the network a connected device can reach; understanding what is connected to your network; and partitioning risk by using network hubs to control access, and so on. However, the number of connected devices is growing fast – 27.8Bn devices by 2030 (up from 9.4Bn at the end of 2020) – across a wide range of industries and applications such as health, transport and manufacturing. Strategies are available, and many are common sense. Practically, the risk will need to be shared by all and, as observed by Bechara Kaddoum, “Responsibility will be shared [by all in the value chain]”.
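The four strategies listed above can be combined into a single admission decision at the point where a legacy device, or a gateway acting for it, first asks to join the operator's network. The Go program below is an added illustration written for this post; it is not code from the panel, from Nokia, Palo Alto Networks or any other participant. The claim format, vendor name "acme-plc", device identifiers, zone names and the service endpoints in the reach lists are all constructed for the example, and the vendor signing key is generated on the spot rather than taken from any real vendor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is the (constructed) attestation a legacy device, or a gateway acting for it,
// presents when it asks to join the operator's network. The vendor signs the JSON bytes.
type Claim struct {
	DeviceID string `json:"device_id"`
	Vendor   string `json:"vendor"`
	Class    string `json:"class"` // e.g. "plc", "gateway"
}

// Decision records whether the device is admitted, which segment it is placed in,
// and the only services it is allowed to reach from there.
type Decision struct {
	Admitted bool
	Zone     string
	Reach    []string
}

// Policy is the operator-side admission rule set: trusted vendor signing keys,
// an inventory of devices that are expected to exist, and per-class reach limits.
type Policy struct {
	TrustedKeys map[string]ed25519.PublicKey // vendor -> public key
	Inventory   map[string]string            // device id -> expected class
	Zones       map[string][]string          // class -> services it may reach
}

// Admit applies the four strategies in order: trust the signer, verify the signature,
// check the device against inventory, then confine it to a segment with a bounded reach.
func (p *Policy) Admit(vendor string, payload, sig []byte) (Decision, error) {
	key, ok := p.TrustedKeys[vendor]
	if !ok {
		return Decision{}, errors.New("untrusted vendor")
	}
	if !ed25519.Verify(key, payload, sig) {
		return Decision{}, errors.New("signature does not verify")
	}
	var c Claim
	if err := json.Unmarshal(payload, &c); err != nil {
		return Decision{}, err
	}
	if c.Vendor != vendor {
		return Decision{}, errors.New("claim vendor does not match signer")
	}
	class, known := p.Inventory[c.DeviceID]
	if !known {
		return Decision{}, errors.New("device not in inventory")
	}
	if class != c.Class {
		return Decision{}, errors.New("device class does not match inventory")
	}
	reach, ok := p.Zones[class]
	if !ok {
		// Known device but no reach rule for its class: admit into a quarantine
		// segment that can reach nothing until an operator writes the rule.
		return Decision{Admitted: true, Zone: "quarantine"}, nil
	}
	return Decision{Admitted: true, Zone: "zone-" + class, Reach: reach}, nil
}

// DemoSetup builds a policy around one freshly generated (constructed) vendor key and
// returns a signer for it, so callers can produce valid and invalid claims.
func DemoSetup() (*Policy, func([]byte) []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p := &Policy{
		TrustedKeys: map[string]ed25519.PublicKey{"acme-plc": pub},
		Inventory:   map[string]string{"plc-0042": "plc", "gw-0007": "gateway", "hmi-0001": "hmi"},
		Zones: map[string][]string{ // constructed service names
			"plc":     {"historian:4840"},
			"gateway": {"mqtt-broker:8883", "ntp:123"},
		},
	}
	return p, func(b []byte) []byte { return ed25519.Sign(priv, b) }
}

// EncodeClaim serialises a claim to the bytes that get signed and verified.
func EncodeClaim(c Claim) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	p, sign := DemoSetup()
	good := EncodeClaim(Claim{DeviceID: "plc-0042", Vendor: "acme-plc", Class: "plc"})
	fmt.Println(p.Admit("acme-plc", good, sign(good)))

	// Same device re-labelled as a gateway to widen its reach: the signature is valid,
	// but the inventory says otherwise, so admission is refused.
	relabelled := EncodeClaim(Claim{DeviceID: "plc-0042", Vendor: "acme-plc", Class: "gateway"})
	fmt.Println(p.Admit("acme-plc", relabelled, sign(relabelled)))
}
```

The order of the checks matters: the signature is verified before the payload is parsed, so an unsigned or tampered claim never reaches the inventory logic, and the inventory is consulted before any zone is assigned, so a correctly signed claim still cannot talk its way into a wider segment than the operator recorded for that device. Devices whose class has no reach rule yet land in a quarantine segment rather than being refused outright, which is the practical middle ground for a brown field estate where not every controller is catalogued on day one.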