Private 5G networks aren’t immune to cyber attacks

(Image credit: Future)

Last year, UK mobile operators started down the path to 5G migration and have stepped it up this year, with some beginning to deploy their own 5G standalone networks. This is a defining moment for the industry as it begins to shed previous generations of networks. At the same time, private 5G networks are gaining traction amongst businesses who want to custom build their own.

The demand for private 5G networks is rising with the global market size expected to reach $920 million in 2020. Security, reliability and strategic control are considered the key drivers for the growing demand amongst enterprises. Unlike a public network, a private 5G network can be configured to cater to a particular enterprise’s specific needs. 

"As hackers have more attack vectors to exploit, the threat landscape becomes a bigger plain for security teams to man."

Dmitry Kurbatov.

Whilst private networks are nothing new, 5G is set to be the real game changer as it will be a driver for sophisticated 5G use cases such as the Internet of Things (IoT). However, this also elevates the threats faced by these networks. Unlike previous-generation networks, the 5G business model will capture more data across multiple devices. As hackers have more attack vectors to exploit, the threat landscape becomes a bigger plain for security teams to man.

The next five to seven years will see an explosion of 5G private networks catering to different industries such as automotives, ports, mines, manufacturing and a plethora of mission-critical services. For example, Centrica Storage and Vodafone partnered recently to build the “gas plant of the future”, providing a 5G-ready mobile private network (MPN) for the facility, which will be the first of its kind in the UK’s oil and gas sector. 

Creating custom networks

In some cases, enterprises work with mobile operators on their private deployments, but in others they have taken out the “middleman” to completely develop and run their own private networks. Some markets such as the UK, Europe (France, Germany, Finland, Sweden) and the US are allocating dedicated, licensed spectrum to enterprises so they can build their own network and manage their own security without relying on external operators.

In theory, a private 5G network will be more secure because the business will be able to set up its own security policies rather than relying on an outside provider. However with more power and control comes more responsibility to keep these dedicated networks secure. Although enterprises can define their own security implementations rather than trusting mobile network operators (MNOs), the underlying protocols are the same and thus will be subject to the same security issues. Therefore, an organisation’s ability to cope with these added risks and challenges will be  entirely based on  the level of skill of security teams to set up the infrastructure and security measures. 

Cyber security considerations

Cybersecurity must be top of the agenda for all enterprises deploying private mobile networks. This is particularly the case if enterprises are building their own networks without the assistance of MNOs. If enterprises are working with mobile operators and system integrators then a line of responsibility needs to be drawn to ensure all bases are covered between both parties.

Depending on the route to deployment, the CISO of the enterprise and/or mobile operators building the private network will need to consider the following: 

  • How will they secure their tailored and custom built private network? Remember this network has been made specifically for a business and so the security measures themselves will need to reflect the make-up of that particular network. 
  • Do we have visibility of the traffic on these networks? How can they decipher between legitimate and illegitimate users?
  • Security should be in the DNA of the business’ network architecture - which stands for Device, Network and Applications. So what steps are they taking to ensure all these elements are properly secured? 

"To get the return on this investment, it's important to make sure security is part of the design stage and not an afterthought."

Dmitry Kurbatov.

Research by SNS Telecom & IT indicates that spending on private mobile networks built on LTE and 5G technologies will balloon from $4.7 billion by the end of 2020 to nearly $8 billion by 2023. To get the return on this investment, it's important to make sure security is part of the design stage and not an afterthought. Especially as a lot of money is being pumped into these projects which are unique to  each business and therefore cannot be repurposed for other businesses. Security should not just be a tick box exercise, but should constantly be re-evaluated and tweaked through real-time assurance and proactive service monitoring to detect illegitimate traffic and cover all data points.

Signalling security is a niche discipline and so if enterprises are building their own custom mobile networks, mitigating the risks will ultimately  fall on cyber security teams and their level of expertise in this area. Internally, security teams do not have the capabilities to constantly keep pace with a shifting threat landscape. Working with third parties which become an extension of in-house security teams is a way to bolster resource and threat intelligence.

Careful planning is a must

Without careful planning, security vulnerabilities that are neglected can be enough to impact performance, especially if critical systems and processes are dependent on IoT devices to run. Think of a “smart factory” environment, sensor and automated machinery vulnerable to DDoS attacks will halt operations and have a domino effect; not just risking the bottom line but life if compromised operations pose a threat to Health & Safety. Therefore, security measures need to cover both traditional forms of communication but also extend to demanding IoT capabilities. 

Having an isolated and closed network does not mean its shut off from external threats. With a massive commercial opportunity to gain £15.7bn in additional revenue as a result of 5G adoption by 2025, businesses cannot afford to let the source of their operations, systems and processes to be susceptible to attacks. With private 5G networks becoming more popular, it's vital that enterprises put their security where their money is to really capitalise on the value-added from their very own dedicated networks.  

Dmitry Kurbatov

Dmitry Kurbatov holds a degree in information security of telecommunications systems from Moscow Technological University (MIREA). He worked as a network engineer for system integrators from 2006 and joined Joined Positive Technologies in 2010.  After developing an automated security analysis system, he switched to telecom security, researching a range of vulnerabilities in network equipment, including errors in data transfer network design, protection of signalling protocols (SS7, Diameter, GTP), through to IoT security. Since 2014, he has been Director of Telecom Security at Positive Technologies.