India’s 5G rollout needs to be underpinned by cybersecurity
Following the 5G spectrum auctions in India earlier this year, 5G services were launched in India on October 1. With 5G, manufacturing, energy and utilities, information and communication technology and retail industries are expected to generate $17 billion in incremental revenue by 2030, as per an Ericsson-Arthur D Little study. This is because 5G networks are designed to handle the connection of billions of devices including the Internet of Things and the Industrial Internet of Things (IoT and IIoT).
As revolutionary as the technology is, one thing is certain: history has shown us time and again that as new technologies emerge, cybercriminals aren’t far behind And as organisations — both public and private — gear up to embrace 5G, it is important to identify the cybersecurity challenges and build resilient systems to establish a line of defence.
Today, 5G networks are expected to move away from existing centralised, hardware-based switching to a more distributed, software-oriented digital routing. This software-defined approach to networking is projected to help achieve high performance as it provides tools for programming, traffic control, and network slicing. With 5G software-defined networks hardware enforcement points do not exist for traffic inspection and the control of cyber risks.
Adding to the risk is the fact that functions that were previously performed by dedicated and purpose-built physical hardware are virtualized in 5G, e.g., implemented in software. Since 5G requires internet-facing networks, this expands the threat landscape significantly.
Since 5G networks are expected to be implemented using low-cost, short-range small-cells gateways deployed across cities, the gateways themselves will become targets for threat actors. Additionally, 5G’s spectrum sharing capabilities via multiple ‘slices’ adds to the existing risk as each slice can become an entry point for an attack. Given the dynamic nature of 5G networks, an attacker who obtains control of the software managing the networks can take over the entire network through lateral movement, thus paralyzing core infrastructure that could cause disruption.
5G is expected to increase the connectedness of devices —which adds fidelity, and user convenience and increases efficiency. Here’s the catch — as many of these devices have poor security implementations, and any attack will have consequences in the real world since many of the attached devices are involved in physical activities.
It needs to be kept in mind that securing 5G requires a nuanced approach. Having robust policies to protect OT, people and processes first, then technical solutions become necessary considering the cyber-physical nature of 5G networks. Every party involved in managing and implementing 5G networks needs to consider people in all areas of the organisation on the journey, ensuring that the risks of deploying 5G devices are clear.
With cyber-attacks on 5G networks potentially posing grave threats to daily life, every player in the industry must come together to combat these threats. 5G security policies must include sharing of threat intelligence, security methodologies and interoperability within the wider community, so visibility into critical assets is possible.
Since the private sector in India largely owns and operates most telecom networks, they must partner to ensure security is intrinsically woven into the 5G infrastructure. With a shared risk model, network owners/operators will ensure that the infrastructure is as secure and available as it can be. At the same time, the public sector must assume responsibility for the security of the applications it uses.
Besides, gaining visibility into 5G networks is critical. Understanding the scale of vulnerabilities requires owners, operators and users of 5G infrastructure to work together to bridge the exposure gap. A risk-based method helps gain comprehensive visibility across the attack surface. It equips organisations to anticipate threats and prioritise preventative efforts. It also enables better communication of cyber exposure risk leading to better decisions on cybersecurity strategies.
Once 5G is widely available, both security teams and threat actors will experience a swift learning curve while navigating this new technology. The speed and reach will connect businesses more than ever before, but could also have dangerous ripple effects in terms of increased cyber risk. As we begin to adopt 5G more widely, it’s important that organisations in India keep cybersecurity top of mind, to ensure business and its people are protected.
Dick Bussiere
Dick Bussiere is the Technical Director at Tenable APAC.