How to navigate the current 5G and IoT threat landscape
5G wireless technology and Internet of Things devices are staples for modern consumers and businesses alike, helping people and organizations communicate rapidly and effectively, and gather, transmit and process data for better results.
Like all technologies, however, as 5G and IoT grow in popularity and usage along with corresponding consumer or business needs, their attack surfaces grow in turn. These innovations therefore always carry new or looming risks that malicious hackers can capitalize upon, and there are explicit strategies companies should be aware of to address these threats.
Current challenges and risks involving 5G and IoT
A key differentiation between 5G and its predecessor networks is that 5G entails an untrusted core network between the subscriber end and the unified data management environment, whereas predecessor networks had a hierarchical trust model.
As is usually the case, security may be downplayed here in favor of speed and efficiency to meet the increasing data and traffic demands of 5G, but this can indeed be a costly underestimation of the value of security, even when only private 5G networks are used. New technologies often aren’t fully analyzed and comprehended before or during rollout, leading to security gaps.
A Trend Micro report on the challenges of securing 5G cited the fact that “48% of operators admit that not having enough knowledge or tools to deal with security vulnerabilities is their number one challenge. A limited pool of security experts, as cited by 39%, further reduces in-house knowledge.”
Lack of proper knowledge can lead to devastating consequences. The global coronavirus pandemic proved the value and criticality of supply chains in keeping consumers and businesses stocked up on necessities and supplies.
A 2021 report by the Cybersecurity and Infrastructure Security Agency regarding Potential Threat Vectors to 5G Infrastructure listed supply chain risks as a particularly dangerous threat in the 5G space.
“Those countries that purchase 5G equipment from companies with compromised supply chains could be vulnerable to the interception, manipulation, disruption or destruction of data,” the report said. “This would pose a challenge when sending data to international partners, where one country’s secure network could be vulnerable to threats because of an untrusted telecommunication network in another country.”
With regard to IoT devices, the use of unencrypted data storage can pose a tremendous risk, especially when portable, easily lost or easily stolen objects are involved. Malware poses a significant threat to unsecured data.
These devices usually lack strong password and network access controls and can be prone to rely on public Wi-Fi data transmission. Botnets are another troubling factor which can target IoT devices for malicious purposes.
An Intersog 2021 report on IoT security statistics cited some similar concerns to 5G security: “Globally, 32% of the companies that have already adopted IoT consider data security issues related to the lack of skilled personnel to be the most critical concern for their IoT ecosystem. Thirty-three percent of these companies consider attacks on devices to be the primary concern.”
This is a significant problem for an industry whose security market is expected to reach nearly $31 billion by 2025, with 40 billion connected devices worldwide.
This report also stated that 58% of IoT attacks were committed with the intent of mining cryptocurrency, demonstrating the wide variety of ways malicious actors can capitalize upon IoT security vulnerabilities.
Anubhav Arora, vice president of security engineering at Cradlepoint, a cloud-managed wireless edge networking equipment provider, advocates for a full understanding of 5G technology and the setting up of security infrastructures to support all transport layers. This is because increased complexity in traffic paths and routing may create an inability to detect normal activity.
“The misconception is that 5G is only a data transport technology,” Arora said. “Most cybersecurity teams are focused on vulnerabilities in applications and operating systems because of their criticality and volume. On the surface, 5G networking is a transport technology — it moves data from one place to another — and so is often deprioritized for security review. However, this view doesn’t consider the significant difference between 5G and other transport protocols, including how 5G can create or reduce risk.”
Arora pointed out that a threat actor could capitalize on 5G vulnerabilities by using 5G network connections for lateral movement or as a proxy for initial access into victim organizations. Failure to differentiate between normal and suspicious 5G transport behavior would allow a threat actor to move about the network more freely with less likelihood of being detected.
Recommendations for business end users, IT departments and consumers
Arora advised a zero trust network access environment for protecting and securing 5G.
“Examples would be a built-in, next-generation firewall, robust network slicing management, intrusion detection and response, and user access awareness,” Arora said. “It’s also important to understand that new vulnerabilities will be introduced not only by 5G but also through how other technologies in the environment interact with 5G.”
In my own view, symmetric encryption is another key element to securing 5G. More powerful than a public key infrastructure, this can significantly cut down on attack vectors, and it’s fast, efficient and easy to implement. This type of encryption relies on a single key that facilitates usage of the technology, but it’s important to rotate the key periodically for best results.
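Periodic rotation only works if data encrypted under an earlier key stays readable until it is re-encrypted or expires. The Go code below is an added example, not code from the article or from any vendor it names: each message carries the ID of the key that sealed it, so a new key can take over while older data still decrypts. The names KeyRing, Add, Seal and Open and the one-byte key ID header are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyRing map[byte]cipher.AEAD // hypothetical type: one-byte key ID -> AES-256-GCM instance
// Add generates a fresh random 256-bit key under id; rotating means adding a new ID.
func (r KeyRing) Add(id byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	r[id], err = cipher.NewGCM(block)
	return err
}
// Seal returns id || nonce || ciphertext+tag; the key ID is authenticated as AAD.
func (r KeyRing) Seal(id byte, plain []byte) ([]byte, error) {
	gcm := r[id]
	if gcm == nil {
		return nil, fmt.Errorf("key %d unknown or retired", id)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{id}, nonce...), nonce, plain, []byte{id}), nil
}
// Open picks the key named in the header, so data sealed before a rotation still decrypts.
func (r KeyRing) Open(msg []byte) ([]byte, error) {
	if len(msg) < 13 || r[msg[0]] == nil { // header: 1-byte key ID + 12-byte nonce
		return nil, fmt.Errorf("short message, or key unknown or retired")
	}
	return r[msg[0]].Open(nil, msg[1:13], msg[13:], msg[:1])
}
func main() {
	ring := KeyRing{}
	_ = ring.Add(1)
	old, _ := ring.Seal(1, []byte("reading=42")) // constructed sample data
	_ = ring.Add(2)                              // rotation: key 2 seals new data from here on
	p, err := ring.Open(old)                     // key 1 is still on the ring
	fmt.Printf("%s %v\n", p, err)
}
```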
5G edge security can be another viable tool in the battle, particularly multi-access edge computing which can safeguard mobile device activity.
Managed security services for 5G are yet another option to help ease the burden. Sometimes delegating responsibilities to the experts can be a valuable investment to free up company resources for other endeavors. Examples of such providers include Palo Alto Networks, A10 Networks, AT&T, Ericsson and Nokia.
A comprehensive guide to 5G security by the CISA includes a series of strategic initiatives. The guide is recommended reading for IT professionals tasked with utilizing, maintaining and/or securing 5G networks.
For IoT devices, Arora recommends the use of networking segmentation and slicing to keep devices segregated from potential threats. He also emphasized the criticality of a differentiated implementation plan, IPS/IDS systems designed to protect IoT devices and their respective networks, and a thorough and periodic risk review.
I would also urge companies to routinely patch and update IoT devices, utilize strong password measures and avoid authenticating to company systems or transmitting data over public networks. Where possible, implement device tracking and monitoring, and always utilize an employee check-in and check-out process for handing out IoT devices and returning them. Be sure to confirm terminated employees have no such devices remaining in their possession as well.
Any set of information is only as valuable as its most recent release, update or review. Threat vectors continually evolve and new risk variants are inevitable, so make sure to subscribe to vendor alerts and newsletters and stay current on the latest developments and terms. A proper understanding of how new technology works, identifying the risks and pain points, determining how to utilize official security standards and policies, and ongoing education and awareness training are essential for IT professionals, end users and consumers alike.