5G is in the spotlight not only because it offers society certain opportunities but also because it poses a new set of cybersecurity challenges. Tangible examples are recent news reports about excluding certain suppliers from the 5G infrastructure. This blog describes the main opportunities that 5G presents for digitisation and the new cybersecurity risks that it represents. It also offers two key recommendations for addressing those risks.
1G made mobile telephony possible. 2G introduced a new dimension by allowing us to send text messages. 3G marked a huge shift in customer experience: suddenly, we could browse the web on our mobile phones. 4G was an iteration of 3G that boosted data transmission and video streaming speeds. Now, 5G represents a giant leap forward that will change connectivity on a massive scale.
One of the factors driving the need for 5G is the growing demand for data use and connectivity worldwide. Expectations are that mobile data traffic will have increased by a factor of five by 2024. Among other things, this means that in densely populated areas, today’s 4G technology will not be able to keep up with the rising volume of data traffic. 5G’s faster speed and higher capacity can meet this demand.
The first commercial 5G networks are now being rolled out, with the initial focus being on enhancing customer experience in the smartphone target group and creating fixed access points to deliver fast internet in remote areas. But this is only the beginning. 5G’s true value lies in the new opportunities it offers. It can make industries, regions and cities smart and connected, with technology that is both sustainable and efficient. It will facilitate the digitisation of the business market, allowing industries to reinvent themselves by using technology to modernise their processes.
5G design is based on three sets of use cases defined by the 3GPP Group as part of its SMARTER (Study on New Services and Markets Technology Enablers) project. The three sets of use cases are:
a) Ultra-Reliable Low-Latency Communications (URLLC)
Building block for resilient critical applications such as autonomous vehicles, military gear, medical applications and manufacturing equipment. It features a high standard of infrastructure resilience and an extremely low latency network (˜1ms).
b) Enhanced Mobile Broadband (eMBB)
The broadband internet of the future that will allow direct streaming of ultra-high-definition video, virtual reality applications and the embedding of artificial intelligence. The 5G bandwidth is between 1 and 10 Gbps, whereas the maximum 4G bandwidth is about 0.3 Gbps. In reality, 5G is up to 100 times faster than 4G.
c) Massive Machine Type Communications (mMTC)
Highly scalable, energy-efficient and long-term applications, such as sensors, smart metering/grids, smart homes and smart cities. 5G is designed to handle more than twenty devices per square metre. It accomplishes this with low-power, wide-area network coverage, ensuring that a mobile sensor can operate on a single battery for about ten years.
New applications also raise the need for adequate information security. The 5G threat landscape is complex because it combines the 5G stack with traditional IP-based threats, legacy 2G/3G/4G systems, and threats introduced by virtualisation technology. Various studies, including the ENISA Threat Landscape for 5G Networks, provide in-depth analyses of technical and other threats. The biggest security challenges stem from innovations at the core of 5G technology and the emergence of a new supply chain of multiple individual software vendors. In the global context, one important factor is a lack of trust in the small group of 5G core infrastructure suppliers. Specific challenges are:
a) New supply chains and heavy reliance on software vendors
5G makes use of Software Defined Network technology (SDN) and Network Function Virtualisation (NFV), entailing a shift from hardware specialisation to specialisation within the software stack. While this makes software patch updates easier, it also clears the way for many new developers to venture into the 5G market. The degree of reliance on and the quality of these software vendors thus determine the robustness and security of 5G applications. Critical factors in this respect are the software development life cycle (SDLC), secure coding principles, and assurances concerning software vendors’ security management processes.
b) Proliferation of devices and their data
5G makes it possible to conceive of many new applications involving devices that collect, transmit or manipulate data (e.g. the Internet of Things). It is important to control the proliferation of such devices, as well as their data and access paths. Authorisations, segmentation and monitoring are just a few examples of measures meant to address the robustness of 5G applications directly.
c) Replacement of the ‘core’ network to offer new functionalities
Network slicing is a 5G technique whereby a single physical network is segmented into multiple virtual ones, making it much easier to roll out different services. Within the context of 5G technology and its critical applications, the resilience and security of certain core network components (such as base stations) will be more important than ever.
At the same time, there are only a few vendors who can supply this core infrastructure. There is currently much discussion of the potential risks and threats that vendors pose to the 5G core network. That discussion is not confined to the Netherlands; countries around the world are examining the extent to which they are willing to depend on certain suppliers. The Netherlands has now decided that its 5G core network will exclude equipment from a country ‘that intends to misuse or disable a Dutch electronic communications network or service’. Of the roughly four existing vendors – Huawei and ZTE in China, Nokia in Finland and Ericsson in Sweden – only China is controversial from a cybersecurity viewpoint. In essence, this means that the Netherlands will not use Huawei or ZTE equipment in its 5G core network.
The security threats are challenging but not insurmountable. Our first recommendation is to consider in advance what security risks the roll-out of 5G may pose. One option is to perform a 5G cybersecurity risk assessment that examines governance, architecture, cyber-resilience and supply chains. The outcome of the analysis can be used to develop targeted measures tailored to the specific application context.
Our second recommendation is to always use zero-trust architecture as the basis for a 5G roll-out. In a zero-trust network, applications and data streams are strictly segmented, identifiable access is issued on need-to-know basis, and deviations from expected behaviour are subject to explicit monitoring. By combining zero-trust principles with a set of targeted measures based on a 5G risk assessment, you can address, monitor and correct specific 5G cybersecurity risks.
As companies pivot toward a digital business model, exponentially more data is generated and shared among organizations, partners and customers. This digital information has become the lifeblood of today’s interconnected business ecosystem and is increasingly valuable to organizations—and to skilled threat actors. Business digitization also has exposed companies to new digital vulnerabilities, making effective cybersecurity and privacy more important than ever.
Wondering what we can do for you? Read more >
© 2015 - 2020 PwC. PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.