THE HAGUE, Netherlands – With the advent of 5G, the tech community is bracing itself for new applications like self-driving cars and other IoT applications. But what does that mean for the security landscape?
At the GSMA Mobile 360 Conference taking place this week in the Netherlands, experts shed light on the security challenges that 5G is presenting, including the need for secure networks and a more visible infrastructure.
“5G is coming… that’s for sure,” said Fred Streefland, CISO for the Benelux and Northern East Europe region at Palo Alto Networks – but what does that mean for use cases like self-driving cars, remote surgery, smart factories, automated control of nuclear power plants and other critical infrastructure?
Listen to Threatpost editor Tara Seals’ recent podcast with Streefland. A lightly edited transcript of the podcast also follows below.
For direct download, click here.
*** A lightly edited transcript of the podcast follows below ***
Tara Seals: Hi, everybody, this is Tara Seals, Senior Editor at Threatpost, and I am here with Fred Streefland, CISO for the Benelux region and northern east Europe at Palo Alto Networks, and we are at the GSMA Mobile 360 Conference on 5G security. Thanks for joining me Fred.
Fred Streefland: You’re welcome.
Tara Seals: And so, Fred graciously agreed to talk about some of the emerging risk areas that 5G is presenting to the market, or will present to the market. So, tell me a little bit about what you think needs to be on people’s radar as we go forward and these networks get actually deployed?
Fred Streefland: I think we need to know 5G is coming, there’s no way back, that’s for sure. And what you see in 5G, is that 5G creates a lot of opportunity, because things are possible that are not possible with 4G. Things are moving extremely fast, 100,000 times, sometimes, faster than 4G. So, things like remote surgery and things like self-driving cars, all those good things are possible. However, the good things also create risk, because the attack landscape is going to be bigger. It will be bigger because there are more devices connected to the network. And also, things are moving faster, so if there’s a bad person who wants to do something bad in the network, it probably already happened before we detect it nowadays.
So, we see that in order to create those 5G networks, we have to basically secure by design the networks, before we put them in place; otherwise you’re too late. It’s basically that simple.
Tara Seals: And so, in order to do that, there are a number of different telcos here at the conference that are talking about what they’re doing with their network design. We have a lot of things going on the device side of the house as well, but you know from a security vendor perspective, what does that mean in terms of how defensive products need to evolve in order to help enterprises adjust to some of the challenges?
Fred Streefland: Well, I think the first thing that is needed is that the telcos need to understand, and I think they do understand, that they have a function here. Normally they are used to being a connection provider, they provided the connection, and the applications were hosted in a data center somewhere. And now, the applications will be hosted at the edge. So, without only doing the connection, the network providers, they have a responsibility to create secure networks, and secure connectivity. And like I said, most providers, they have seen that they have a role in this, so that’s also one of the reasons why we have these discussions here at this conference, with those telco providers.
But again, what they need to do is that they have to understand that the new networks that they are creating with 5G, that they have to be secured by design. And that everything that runs on the network, and we’re talking about a thousand little antennas. The whole infrastructure needs to be visible for us to see what’s going on. Because you need visibility, we call it a zero-trust approach. ‘Zero trust’ means never trust, always verify. So, everything what happens on the network, every device, every IoT device, but also all the data, you need to have it visible in order to see is it good, or is it bad?
So, there’s a lot of, I would say, preparation work to be done in order to create that secure network. And it’s not just simple, “Well, we put some antennas in and here we go.” No, it’s a different ball game, because I always say 5G makes security personal. It’s a matter of life and death. I mean if you were having a surgery done by a robot with remote surgery, because that possible with 5G, you want it to work. You don’t want [an attacker] being in that system of the robot. I mean, you can imagine what happens. So, I don’t want to scare people because that’s not our story, but let’s be aware of it, and make sure that you take a prevention approach to the 5G networks.
Tara Seals: And so, do you feel as though the telcos that you’ve dealt with understand this and are taking this into account, and are building it into their networks? So, you know, target date is later this year and next year for more wide-scale 5G to roll out, obviously. In the States we have Verizon and AT&T, we have quote, unquote 5G deployments already, who knows what their security by design is that’s built in or not built in, you know, we don’t really know yet. But, going forward, how do you think the security aspect is going to affect those deployments? Is it, I mean, it sounds very complex, and it sounds like a huge to-do list here.
Fred Streefland: It is. It is complex. Absolutely.
Tara Seals: So, are we going to see the type of thing where you have certain applications that maybe don’t have these personal effects. So, you know, say a smart factory floor for example, or something like that, where 5G is really useful and you can kind of feel comfortable about deploying it for that use case, without it being a matter of life and death. And then maybe the automated car, for example, comes five years from now or something like that?
Fred Streefland: Well, I think there’s a role for the governments and legislation standards, and that’s also a discussion that took place today, what about standards for IoT devices that are hooked up to the internet, and in this case to the 5G network. So, I think you need to work together with governments, with legislation bodies and also with the industry, and with the providers of the internet, and in this case the internet service providers, to work together to come to kind of agreement. Okay, when are we saying it’s a green light? When are we saying this 5G network is good to go? What can be plugged into the network, and what cannot be plugged into the network?
So, you can indeed, as you said, we can indeed decide, “Hey, this self-driving car has too many risks at this point, we’re not going to do it, we wait until we know for sure that we have the security in place.” So, security can be, instead of being an enabler normally, it can be an inhibitor, an obstructor to rolling out [applications]. So, you will see now, I think in real life, you will see now a tension between the industry, and the business that would like to have 5G, but governments and security people say, “Hey, hold on, wait a moment. Perhaps we have to do a security risk-assessment before we’re going to implement it.” So, it’s an interesting time, that’s for sure.
Tara Seals: Yeah. Well, there was a representative from ENISA that just spoke actually, and he was really fascinating in terms of his take on the role of government and regulation, and how fragmented the landscape is — but he said that they’re trying to work with NIST in the States, and people in the UK to address it.
Fred Streefland: Absolutely. And I think there’s a big role that has to be played, because otherwise, things will go ballistic in all directions, and you don’t want that. Especially not in a 5G landscape, where things are moving so fast and if something happens, like I said, you might be too late.
Tara Seals: Mm-hmm (affirmative). And you have operators who have ponied up a billion dollars per license. The stakes are very, very high.
Fred Streefland: The stakes are very high. But again it’s a dilemma for the businesses and the enterprises and the citizens, because people demand 5G. But they also demand it in a secure way. So, I think that is what you see nowadays, is that people are now, luckily, they are going to consult with each other and say, “Okay, what’s the best approach?” And I think Palo Alto Networks can definitely help with this, because we are doing this for other areas, also in 4G. A lot of internet service providers and businesses are customers of us, so we give them the visibility that is also needed in this area. And I think one of the key elements in the whole 5G security space is the automation, you have to be capable of automating security at the same pace as 5G is going.
So, 5G, the latest G, for example [latency] goes down from 50 milliseconds to one millisecond. This is faster than a brain.
Tara Seals: That’s a synapse firing.
Fred Streefland: Exactly. The security needs to be as agile as the business requires it to be; I think that is key. And so, you can only secure a 5G infrastructure with, I would say, an automated, integrated security platform. Because you cannot secure it with the legacy point products that we currently have in place in a lot of organizations. So, we have to be serious about it, and that is always the thing that I’m saying about 5G security. A lot of things are coming our way, and again a lot of opportunities, I like to keep it positive. But also risks, and you just have to be aware of the risks and you know it is possible to mitigate them, in advance. Security by design as I mentioned, think zero trust, so assume that everything is untrusted, do network segmentation, automate and integrate your security.
That’s not easy, I say it’s doable, but it’s definitely not easy.
Tara Seals: Yeah.
Fred Streefland: But, you have to take it seriously, and that is our story which we keep on telling, and later on today you will hear a colleague of mine telling the same story; what I just told you. That is how we see it, but it is a new area. So, also for us there are challenges.
Tara Seals: Oh, yeah, I can imagine.
Fred Streefland: We don’t have the silver bullet, nobody has.
Tara Seals: Right. There’s a lot of learning going on.
Fred Streefland: A lot of learning, and probably people and organizations, and enterprises, and countries, they might learn by making mistakes. But again, hopefully not a lot, because this is a matter of life and death.
Tara Seals: Mm-hmm (affirmative).
Fred Streefland: 5G security can make security personalized, I told you before.
Tara Seals: Right.
Fred Streefland: It’s critical infrastructure, self-driving cars, smart cities, so a lot of things are depending on 5G. And again, not again to put emphasis on fear, but as a reality.
Tara Seals: You know, there’s a step change here. But also even the types of attacks that we’re already familiar with, like IoT botnets for example, with the sheer volume of devices that are going to be supported with 5G. I mean, can you imagine? That is a flood to end all floods.
Fred Streefland: That’s it exactly. And I told you in the beginning, the attackers are getting more and more sophisticated. The attack surface is going to be increased. With 5G, more and more devices are hooked up to the internet, IoT devices. And it’s being researched that probably there are now already more IoT devices then people on earth, and in 2022 we have more than 29 billion IoT devices, and not all of them are secured. So, the attack surface is huge, the bad guys are getting smarter and smarter, they are using the vulnerabilities in those devices, they are using automation, they’re using cloud computing. Also, people say they are using artificial intelligence; I don’t think we are there yet, but they might get there in some way.
Tara Seals: Interesting.
Fred Streefland: Machine learning, perhaps. They are not sitting still. So, the attackers are pretty good, and also one of the things, they are also using encryption, and also there was a discussion about encryption earlier this morning, that we need to encrypt the data. Well, you can do that, but make sure that it is visible. So, I keep on focusing on visibility, visibility, visibility, because I think it’s the only way how you can control 5G, and stay secure in 5G. Because at the end, the customers, the consumers, the business, they want 5G networks that are trusted, that are reliable. So, and again, because there are so many important and critical business-critical applications running on those networks, you cannot afford to have mistakes, basically.
Tara Seals: Right.
Fred Streefland: And it’s hard, it’s not easy. But it is doable. If you take the good approach. Start from the foundations, start with a risk approach, risk assessments, think zero trust and automate. Those are the things that I would like to focus on.
Tara Seals: And so, you know, as kind of a wrap-up question, if we’re here next year looking at this threat landscape, by that point we will have some broader commercial deployments of 5G. So, what do you think will be top-of-mind, what are the discussions going to revolve around in a year from now?
Fred Streefland: Oh, that’s a good question. That’s a good question. I think personally that I already forecasted it. This year at the RSA conference there was a lot about zero trust, artificial intelligence, machine learning, those were the hype words.
Tara Seals: Yes.
Fred Streefland: I think next year ,5G security will be the hype at the RSA conference. So, we are pretty much a forerunner in this area. I think 5G is not at the hype level yet, 5G security. So, I think next year people are more aware of it, hopefully. But also, I think by then we will have then already seen that some incidents have happened. I don’t hope so, but I think some rollouts will have gone wrong, or whatever. Again, not to be a doom thinker, but I think something may happen, and we can hopefully learn lessons from it.
5G, there is no way back. And some successful deployments will be there, hopefully more than unsuccessful, but we hopefully have some lessons learnt from how to do it good. Because it’s an opportunity to do it good at once. Start 5G security at the basis, do it good at once, and I think that’s the best way. So, hopefully we have some very good lessons learnt, and say, “Well, we’ve told you, it’s not easy.” And it is not easy, but again, it is doable. So, also we have some good examples of countries, or businesses, or enterprises, that don’t have a problem at all, and they work like they would like it to work; self-driving cars as an example. So, hopefully we have a city where there are some self-driving cars without any issues in the 5G security. I mean, who knows? I don’t know.
Tara Seals: It will be interesting to see.
Fred Streefland: We are at the beginning. And luckily, that’s the positive thing, people are busy with it, they are serious about it, and that’s also the reason why you are here, why we have this conference. Well, we are working on this. We are aware that 5G security is a big thing.
Tara Seals: Right.
Fred Streefland: And that’s a good thing. And that’s the most positive thing, that we don’t deny it, we work on it. We’re not there yet, we are at the beginning, but yeah, let’s see where it goes.
Tara Seals: Absolutely. Okay. Well, we’ll leave it there. This has been Fred Streefland with Palo Alto Networks, gracious enough to join us. This is Tara Seals, senior editor with Threatpost, and thanks everybody for listening.