close

Cyber Security

5GCyber Security

Private 5G & Enterprise Network Security- Discussion!

In my previous blogs, I covered some important topics, including how enterprise networks or IT networks could evolve to integrate Private 5G (P5G) network on their premises or hybrid cloud. Moreover, it’s also known that P5G networks have been on roll for past few months, where service providers and enterprises are partnering to solve different business use cases, collaboratively.

It brings forth another important question, how do enterprises ensure security of P5G as well as their existing enterprise network?

Trend-micro has conducted a detailed survey on ‘Expectations of P5G Network Security’ recently and published the findings. Not surprising at all, some of the challenges we already foresaw during our earlier discussions.

Although it’s known that cellular networks (4G/5G) are more secure (compared to Wi-Fi), many enterprises do have concerns regarding data transferred on 5G air interface (devices to cell tower), and attacks on devices connected to network. There are additional concerns about whether 5G network equipment can be compromised, esp. if you are deploying it in hybrid or public cloud setup. These concerns are quite valid ones.

With respect to data transfer on air interface, 5G offers very robust cryptographic encryption process, with the introduction of NEA (New Encryption Algorithm) and NIA (New Integration Algorithm). The details of which are beyond scope of this blog post but interested readers can refer to ITU Workshop for more details. Moreover, with SUPI being encrypted with public key in home network itself, subscriber identity is protected completely.

To address the above security concerns, many enterprises, are either partnering with specialized security partners with 5G domain expertise or relying on existing IT security partners to address those cocerns. In any situation, task at end requires specialized understanding of entire 5G security landscape and there’s no easy route to find possible answers.

Interestingly, the findings from TrendMicro survey shows that many enterprises are intend to connect their existing enterprise network with P5G network in some way. In fact, close of 70% enterprises are going to integrate networks, which brings forth an interesting question, on how to do enterprises ensure seamless security of traffic, integration of devices connectity and policies. Surely, with P5G, enterprises need to take a holistic view of their entire enterprise network security, including P5G networks.

Topic of 5G security does require discussion around open standards. With O-RAN on rise, and many enterprises relying on building cloud-native networks with open source modules, ensuring compliance with open standard is must for enterprises. Issue of vulnerabilities, esp. with adoption of open standards is another major concern.

While there’s no easy route to 5G security, many enhancements with 5G Security from standard perspective are going to help but they aren’t enough. Along with P5G, deployment of MEC (multi-access edge compute) based architecture, integrated with P5G is also on rise. MEC, although a boon to solve business problems in real time, brings many other complexities on-campus. esp. MEC is deployed in data plane path with UPF on N6 interface, many of these MEC apps could be part of Enterprises network deployed on Cloud or in Hybrid model. Securing traffic on N6 interface, as well as ensuring right policies applies to traffic flowing in/out of UPF (service provider’s network) is going to be important. Moreover, how do enterprises integrate their existing network and apps with these policies is interesting to see.

What’s way forward for enterprises adopting P5G and MEC?

TrendMicro recommends enterprises should perform pilot of security operations, integrating their existing enterprise network with P5G before going live with P5G applications. Moreover, in our view, many enterprises, adopting P5G/MEC should gear up to understand 5G security aspects, and build domain expertise early by upskilling their existing IT team or partnering with right partners or hiring such experts from outside. Implementing such pilots won’t be easy, and without skilled resources on-board, it will be an uphill task.

read more
5GAI/MLCyber Security

5G and AI Expected to Bring Heightened Cybersecurity Risks, Study Finds

An overwhelming majority of cybersecurity and risk management leaders believe that developments in 5G wireless technology will create cybersecurity challenges for their organizations. Their top three 5G-related concerns are greater risk of attacks on Internet of Things (IoT) networks, a wider attack surface and a lack of security by design in 5G hardware and firmware.

These are among the findings of a new report released today by Information Risk Management (IRM), a UK-based cybersecurity company of Altran, the global leader in engineering and R&D services.

The report, titled Risky Business,is based on a survey of senior cybersecurity and risk management decision makers at 50 global companies across seven major industry sectors: automotive, communications, energy, finance/public sector, software/internet, transport and pharmaceuticals. The study was conducted between July and September of this year.

Eighty-three percent of survey respondents said 5G developments will create cybersecurity challenges for their organizations, suggesting that the new technology will bring heightened risks. “The acceleration to market of 5G and lack of security considerations are causing concern,” the report states. “The vulnerabilities in 5G appear to go beyond wireless, introducing risks around virtualised and cloud native infrastructure.”

The study also found that 86% of respondents expect artificial intelligence (AI) to have an impact on their cybersecurity strategy over the next five years, as AI systems are integrated into core enterprise security functions. The top three AI applications that respondents said they would consider implementing as part of their cybersecurity strategy are network intrusion detection and prevention, fraud detection and secure user authentication.

AI in cybersecurity is a double-edged sword,” the report explains. “It can provide many companies with the tools to detect fraudulent activity on bank accounts, for example, but it is inevitably a tool being used by cybercriminals to carry out even more sophisticated attacks.”

In late August, for example, The Wall Street Journal reported that criminals using AI-based software had successfully mimicked a German CEO’s voice and had duped the head of a UK subsidiary into sending €220,000 ($243,000) to a fraudulent account. It is being dubbed one of the world’s first publicly known cyberattacks using AI. “We are likely to see more of this as the technology develops,” the report warns.

Commenting on the potential impact of 5G and AI on cybersecurity, Charles White, CEO of IRM, cautioned: “A lack of awareness of these technologies’ security implications can have far reaching consequences. At best an embarrassing fine and at worst a fatal blow to the bottom line. Now is the time for enterprises to work closely with their cybersecurity teams to design and develop 5G and AI products that place cybersecurity front and center.”

The study also found:

  • A growing number of C-level executives recognize the challenges facing enterprise security teams. Ninety-one percent of respondents said that increased cybersecurity awareness at the C-level has translated into their decision-making. But most cybersecurity decisions are still based on cost – and not on the safest solutions to put in place, according to respondents, indicating a lack of understanding of the financial and reputational impact of cyberattacks.
  • There is a worrisome lack of awareness of the Networks & Information Systems Directive/ Network & Information Systems Regulations, which is a piece of legislation setting a range of network and information security requirements for Operators of Essential Services (OES) and Digital Service Providers (DSPs). The survey found that 30% of respondents are unaware of the NIS Directive/Regulations, and of the 70% who are aware of the legislation, over a third (about 25% overall) have failed to implement the necessary changes.

IRM is at the heart of Altran’s recently formed World Class Center for Cybersecurity, which offers an extended portfolio of global solutions to protect next-generation networks and systems. With sites in North America, France, the UK and Portugal, the WCC for cybersecurity specializes in working with some of the world’s largest organizations to combat cyber challenges introduced by Industry 4.0.

To download a copy of the report, please visit https://www.irmsecurity.com/risky-business-2019-download.

read more