Hello readers….. a very good day to you…
In this article, we shall talk about the security issues related to establishing trust and how security needs to be use case specific in the 5G world.
The below diagram summarizes evolution of telecommunication generations and 5G use cases on a very broad spectrum. This clearly shows that unlike the previous generations, 5G not only has human subscribers but cover a huge range of non-human connected and inter-connected devices like, mMTC(massive machine type communication) devices, VR(virtual reality) devices and applications, AR(augmented reality) devices and applications, MR(mixed reality) and applications , URLLC (Ultra high reliable & low latency) for connected card or self-driving cars.
Figure 1: 5G its not only about the human subscribers but much more
All of the above are non-human touch points in an operator’s network, which means that operator’s network is at risk with each of these touch points, from confidentiality, integrity and availability standpoint.
These billions of devices, being used in critical use cases ranging from life-saving surgery to time sensitive critical decision to apply the brakes when the car is moving at a high speed. Core of the issues here is for operator to establish trust on these devices and how shall an operator tailor its security controls as per the use case. As shown in the figure below, security controls implemented for latency sensitive autonomous car shall be different than implemented for a remote surgery.
Figure 2: latency and time sensitive 5G use case
Let’s talk about a use case here, where a smart city has mMTC sensors for traffic management in a city, this involves installation of some 3rd party OEM sensors by an operator’s enterprise customer or government entities. The issue with these numerous number of sensors from the 3rd party OEM’s is that this exposes operator network to the outside world and all those small tiny compute sensors out there in the field are in trust zones by operators by default. Off course until the same has been logically segregated from network point of view.
The risk is two pronged here and might not be contained at level of the operator, as all connected applications at the backend of these non-human touch points are hosted in an on-prem operator data center or cloud data center being used as SaaS, PaaS. The impact of any potential vulnerability might not only be on the operator but also on the end consumer, be it any of the 5G use cases. The damage is collateral in case of 5G.
The core issues that I wanted to express, considering the above use cases is, we can consider a situation that has billions of sensors across the operator’s network, which by default are not built with security in mind. You can consider this situation as SS7 network and abuse of this network, as it was developed in the 1970’s with communication in mind, security was just fit in as an overlay afterthought, when the trust relationships in the SS7 world started getting exploited.
Coming back to our topic of this post, the non-human connected and interconnected devices in the 5G world are huge in number and pose serious chain of trust issues. This calls for the operators to take special consideration of how non-human devices will authenticate to the network, what are the chances that devices identity can be masqueraded, what are the chances that this identity can be abused.
An end to end risk assessment of each and every use case for 5G is required. We cannot go with the traditional approach for assessing risk of the platform for 5G. As each use case will involve its own context with respect to security. Each 5G use case might need to be treated differently (one shoe doesn’t fit all).
For example, security controls for a use case specific to connected cars which are highly sensitive to latency might be different than use case which is related to augmented reality which is bandwidth sensitive.
Figure 3: security controls to be tailored for each network slice
For addressing the new dimensions of the security concerns and issues arising from this generation of telecommunication need a new way to look at the following (but not limited to the below) :-
Will write soon about, what 3GPP says about security and how we as a community of security professionals can contribute and secure our networks and users.
Thanks to you, please share your valuable comments, to make the blog better by your contribution….
Very informative.
Great Research article..recommend everyone to read..
Awesome