THE HAGUE, Netherlands – Mobile operators need to get security right as they deploy their 5G networks this year and next – because the ramifications for getting it wrong will include loss of life.
That’s the consensus at GSMA’s Mobile360 Security for 5G conference, where speakers on Wednesday noted that the next generation of internet of things (IoT) will include use cases like self-driving cars, remote surgery, smart factories, automated control of nuclear power plants and other critical infrastructure.
“When you’re talking about a patient going under a robot-controlled knife, you definitely don’t want exploitable vulnerabilities in that network,” Fred Streefland, CISO for the Benelux and Northern East Europe region at Palo Alto Networks, told Threatpost in an interview at the event. “If it goes down, so does the patient. Not to be a doomsayer, but this is reality.”
In 5G networks, operators will not only benefit from exponentially greater capacity and speeds, but thanks to a virtualized infrastructure, they’ll also gain the ability to create specific “network slices” of bandwidth that have customized attributes. These include things like low throughput and low latency, for, say, real-time remote sensor applications; or ultra-high-bandwidth to support virtual sports stadiums that revolve around real-time streaming video.
One bucket of use cases is the ultra-reliable, low-latency communications category, which includes industry-transforming (but high-risk) IoT applications like the aforementioned telemedicine scenario. A near-zero latency level and five-nines reliability (difficult to do with software, Streefland pointed out) will be required to support them; but 5G makes that possible.
“[5G] IoT is an important concept that will change existing business models,” said Evangelos Ouzounis, head of the secure infrastructure and services unit at the EU’s cybersecurity arm, ENISA, speaking on a panel at the conference on Tuesday. “We can expect an exponential growth in the IoT environment, with sensors everywhere – cars, health devices and so on. However, while we’re all very excited about this, because it creates a huge opportunity and transforms industries, there are many challenges – first and foremost because this is a huge attack vector.”
He added that the risk is simply too great for security to not be top-of-mind.
“This is an issue for safety and the potential impact on life itself,” he said. ‘And yet, what we’ve seen so far is that security is not a big priority for the developers of these devices. They want to be very fast and grab part of the market share, so they’re not paying a lot of attention to the dangers.”
This lack of care is exacerbated by a lack of skills, he added.
“It’s difficult to find people to understand both cybersecurity and IoT, so skills will be an issue,” Ouzounis noted. “Things like how to apply firmware updates – operators won’t know how to update things, and often there are no clear instructions.”
David Rogers, CEO at Copper Horse and the author of ETSI’s Cyber Security for Consumer Internet of Things specification, noted that operators will carry much of the liability – not just device manufacturers.
“5G really is a new world, and there are many different use cases, and companies that will choose to use 5G services will impact people’s lives in a much bigger way than ever before,” he said, speaking on a Wednesday panel. “The responsibility will be on network providers and telecom equipment manufacturers to increase resilience.”
Echoing others at the conference, he pointed out that it will have real-world consequences if they fail to do so.
“If your automated system cuts the irrigation supply to almond trees and they die, it will take five to seven years for them to grow back,” said Rodgers. “So, critical things like food security should be real concerns.”
ENISA and its counterparts around the world, like NIST in the U.S., are playing a part in addressing the issue, by providing guidelines for specific IoT use cases – in ENISA’s case, an IoT security evaluation framework addresses the areas of smart hospitals, smart cars, smart homes, industry 4.0, smart cities and smart airports. Ouzounis said that the next step needs to be for the various bodies to get on the same page with standards and baselines.
“NIST, ENISA and the GSMA have all published baseline requirements for IoT security,” Ouzounis said. “We all have to approach this problem in a scientific and professional way. It’s not easy to harmonize efforts but pave the way for a de facto standard for IoT security – or raise awareness for young developers – but we need to address this fragmentation of standards.”
Nils Ahrlich, head of end-to-end security solutions at Nokia, told Threatpost that the good news – and it was very much in evidence at the Mobile360 conference, which featured multiple global operators in attendance – is that carriers do seem to recognize that security failure is not an option.
“Even a 2 percent false positive rate [for security events] is unacceptable when you’re talking about remote surgery,” he said. “There is a growing awareness that before any of these applications roll out, the entire ecosystem needs to be secured, from the network to the endpoint. It will not be easy, but it’s possible.”