10 October 2020

CLTC Report: “Security Implications of 5G Networks”


A new report published by the Center for Long-Term Cybersecurity, “Security Implications of 5G Networks,” explores how the widespread adoption of fifth-generation (5G) cellular service will both bring potential improvements in security — and also expose new risks.

Authored by Jon Metzler, a lecturer at the Haas School of Business at UC Berkeley and founder of consulting firm Blue Field Strategies, the paper draws upon research and interviews conducted over a two-year period with support from a CLTC grant. The paper aims to help network operators — and their customers and partners — prepare for new risk vectors opened by 5G service, in terms of service models or network deployment models, at a critical moment in the development of 5G. “The long-lasting nature of network investments means that supplier selection decisions will have implications for decades,” Metzler writes.

Network operators around the world are rapidly expanding 5G service, and this new technology is expected to have significant advantages over prior generations, including increased speed, reduced latency (the time lag experienced by the user between a query and response), and the ability to “slice” wireless spectrum to support different applications. Yet 5G also has potential to introduce new security concerns by introducing greater diversity in suppliers, increased densification in network devices, and other factors.

The paper aims to help policymakers understand the economic and operational implications of 5G network deployment, including the switching costs of replacing suppliers and the site access needed to deploy robust, pervasive 5G networks; and to highlight security benefits of deploying both 5G RAN (which provides the wireless interface with customer devices and manages related radio resources) and core (which handles authentication, switching, interface with other networks, etc.)

As detailed in the executive summary, the paper highlights the following key points:

Networks persist. Network technologies, and suppliers, are used for decades once deployed. The switching costs that result from changing suppliers extend beyond capital investment. They also include re-training and changing operational practices. “Rip and replace” costs include these training and migration costs, and the transition itself may open security risks.

5G service will support a more diverse set of applications than traditional mobile service offered to consumers. This will add new value to 5G service as compared to prior generations. It will also raise the consequences of service outages. In this paper, this is referred to as “value at stake.”

More diverse applications may mean more heterogenous suppliers, including device and service partners outside of the traditional set of operator suppliers. While mitigating supplier dependencies (single points of failure), working with unfamiliar suppliers may open new risk vectors. This will require operators or their partners to be able to test and verify new device partners quickly to validate their security practices.

The three types of spectrum band (high-band or mm-wave; mid-band; and low-band) allocated to 5G have different implications for network topology. Mid-band and high-band service will necessitate significant densification of operator networks. This densification may open greater operational and physical access risks than do traditional cellular networks. Further, the increase of cell sites required with network densification will require robust network monitoring capability, and the ability to update and patch software on small cells and customer premise equipment.

5G networks have at least three security benefits relative to prior generations: improved authentication; distributed core; and network slicing, dividing a single network into different “slices” while using the same wireless spectrum and physical network infrastructure. Realizing these benefits requires deploying both 5G RAN and 5G core. These benefits are compelling reasons for customers to investigate 5G-only service.

Based on the above, Metzler’s paper recommends that:

Operators, their partners, and their customers investigate the viability of 5G-only service;

Operators and their partners develop the ability to rapidly deploy software updates, including security patches, to small cells, customer premise equipment, and other connected devices;

Operators and their partners develop the ability to rapidly test and verify devices from new partners from outside of the traditional telecom ecosystem;

Policymakers act to facilitate rapid deployment of 5G networks, including implementing policies to facilitate cell site acquisition;

Policymakers recognize the role of global standards bodies; of rapid standards development; and the economic value of globally harmonized standards.

“For a variety of factors, such as spectrum holdings, there has been variance in how operators have gone to market with 5G service, especially when compared with prior generations,” Metzler explains. “While this variance is potentially frustrating for consumers and device makers, it is perhaps fortunate from a security perspective. Each new market allows operators to hone their craft and become more efficient with the next rollout. The market is still early in its development. It is the author’s hope that the recommendations in this paper can be of value to operators as they build out their 5G services.”

No comments: