By 2021, 5G could deliver a spectacular range of potential benefits and use cases to network operators and service providers. This will create functional and technical needs for higher speeds, lower latency and greater power efficiency, and herald more actors and device types and greater use of the cloud and virtualization. However, these opportunities also bring more security threats and a greatly increased attack surface.
During 2016, SIMalliance examined the five major market segments for 5G — network operations, massive IoT, critical communications, enhanced mobile broadband and vehicle to X — to identify a wide range of threats, which we used to draw up security requirements and potential mitigations. The result is incisive recommendations that will help 5G meet its potential, securely.
Slices and virtualization — a network of networks
In a 5G future, mobile operators will need to cut costs because of increased data volume levels combined with a decreased average revenue per connection. To achieve this, they will turn to network function virtualization and network slicing, both for cost and technical reasons.
Hence, 5G technology could be built around a “network of networks” involving network slicing and mobile edge computing, with mission-critical elements that must not be shared between network slices to avoid a compromise on one slice affecting others.
This means 5G brings security requirements that greatly add to those of earlier generations, as well as new threats and a greatly expanded attack surface.
Protecting the network
5G network subscriptions will be protected by a network authentication application (NAA) within the device for network identification, authentication and encryption. The device identity and the identity stored in the NAA should be separate and independent from each other, as in earlier generations where the IMEI and IMSI/keys were stored in separate logical entities.
Any secure tamper-resistant entity storing the NAAs must be capable of being (and should be) audited and certified by a third party and functionally tested against a suitable industry-agreed functional compliance suite.
Massive IoT and critical communications in particular pose specific functional requirements that affect security.
Low power, long life and remote provisioning
Some areas of massive IoT may require low power consumption. New efficient algorithms, authentication policies and protocols that consider lower power consumption should be evaluated, and support for a hibernate state may be required.
Secure access to remote provisioning should always be available and must meet requirements for secure out-of-the-box connectivity with zero configuration.
In IoT, devices may remain in use for up to 15 years with only periodic connection to the network, oversight and upgrade. Their security must be built to last. Equally, many devices will be simple and low cost, but security must match the value of the data rather than the initial bill of materials cost.
Securing critical communications
In critical communications, solutions must meet requirements for ultra-low latency, high throughput and high reliability.
With standardization at an early stage, robust and, crucially, proportionate security must be built in from the outset and must protect subscribers, devices and their communications as well as the integrity of the network itself, whatever the use case.
Investing in security now is an insurance policy for the future of 5G to avoid hidden costs arising later from countering attacks on insufficiently protected high-value data. It is clear that the wrong decision about security today will prove a false economy in the future.
Learn more in our technical paper “5G Security — Making the Right Choice to Meet your Needs,” downloadable from the SIMalliance website.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.