By Dave Grady
Chief Cybersecurity Evangelist, Verizon Business Group
Cybersecurity leaders are paying close attention to the advent of 5G, working to understand if and how 5G will change the ways they secure their organizations. A recent Verizon-HIMSS survey of healthcare industry IT and security leaders, for example, found that 46% expect 5G to “pose new cybersecurity risks.”
Security professionals may want to download this comprehensive technical white paper on 5G security from Verizon, but for a quick overview of this topic, we recently spoke with Alex Schlager, Verizon’s Executive Director of Security Services. Following are excerpts from our Q&A.
Q. Let’s say I’m a CISO and I know 5G is coming. Should I be concerned about the security of that connection, even before I think about the potential impact of 5G on the rest of my security program?
A. I think a healthy degree of concern is always appropriate, but one of the big differences with 5G is that a lot of the learnings we took from 3G and 4G when it comes to security have been embedded into the 5G architecture. The standard, which was created by the 3rd Generation Partnership Project (3GPP), is really centered on security. So there is a large number of new capabilities and architecture concepts that have been built into 3GPP, and therefore into 5G, to help network transport be inherently more secure.
5G also enables Zero Trust, which, put simply, is the concept that no component of the network can execute any action or transmit any data to another entity without being authenticated first and authorized to do so.
Additionally, 5G incorporates comprehensive encryption standards and encryption methodologies, so data is secured and encrypted in transit.
Q. Will 5G amplify the cybersecurity threats organizations are already facing?
A. 5G itself doesn’t introduce new risks; it is simply a means of transporting IP traffic. However, enterprises need to understand the risks associated with the new use cases that 5G enables. What is the worst-case scenario of that use case?
Let’s take an extreme example: autonomous vehicles. 5G and mobile edge computing (MEC) will be instrumental in supporting autonomous vehicles and next-level smart- city solutions. Smart cities and autonomous driving go hand in hand, because vehicles will be depending on the telemetry they receive from smart-city appliances.
So the worst case for autonomous driving is the vehicle being hijacked. In the best-case scenario, the vehicle is just disabled. In the worst case, the breach causes an accident.
You could argue that this is an extreme use case from a breach or exploit perspective, but the way we work with our customers is to work backwards from the use case. We have identified the use case and articulated the worst possible scenario. We now understand the risk that a breach would cause, and we work backwards to understand how strong the security posture for this use case has to be—and also how rapidly we’d need to detect and respond to such a breach. You will have use cases with different levels on the risk scale. You could have mobile 3D manufacturing enabled by 5G and a breach there could have a financial impact by halting production, but the impact is less severe to human life than with an autonomous vehicle being compromised. Again, it’s about working backwards through the use cases.
Q. 5G is poised to blow open the doors for innovation, and some are concerned that it could make the “rogue IT” challenge harder to manage, with business lines rushing 5G-enabled tools and processes into production. If you don’t have a fundamentally strong security governance program now, with proper oversight of the deployment of technology, is it going to be a problem as 5G becomes widely adopted?
A. Yes. Very prominent breaches, which have received media coverage over the last few years, have changed the landscape in that the companies that were breached are not perceived as victims anymore. If you think back four or five years, the companies that were breached presented themselves as victims, and there was very little discussion as to how diligent they had been in protecting their environment and their customers’ data.
Looking forward, there’s an expectation that there will be enough maturity in security programs, as well as regulatory pressure, to not enable use cases without having verified and demonstrated that they can protect them accordingly.
Q. Say an organization has made significant investments in its security infrastructure—security incident and event management (SIEM); endpoint protection; security orchestration, automation and response (SOAR); firewalls, etc.—does 5G make all of these prior investments obsolete?
A. No, it will not make them obsolete. If you look at the 5G security stack, you will see 90% of the technologies that we already have today, such as endpoint protection, endpoint detection and response, Zero Trust–based mechanisms, software-defined perimeter (SDP) with medium to very strong encryption for the payload, even things like quantum key distribution. Where a lot of innovation needs to happen is in the area of detection. The 5G use cases, to a large degree, are related to real-time interactions, due to 5G’s extremely low latency. So the need to detect a breach in near real time greatly increases.
Security starts here.
Let us help you take a strategic approach to data protection and the security of your network and mobile devices.
Q. How should CISOs be preparing for 5G?
A. When it comes to security, this is a perfect opportunity to abandon our historical approach of building security from the bottom up and hoping that it’s good enough. It’s time to really flip the logic and say “I want to start with the use case; I want to determine the risk exposure and the worst-case scenario that that use case presents. How do I protect these use cases to a minimum degree proportional to the risk, and how do I enable a very fast and effective detection capability?” If you look at all these new use cases, they represent a lot of potential disruption for private citizens—and for corporations, because consumer trust is paramount. And we will not achieve consumer trust if we can’t demonstrate that we can detect compromises and protect those 5G-enabled environments accordingly.
To learn how Verizon partners with enterprises to help protect against today’s cyberthreats and prepare for what’s next, visit enterprise.verizon.com/en-au/products/security/.