4 Oct 2022

Although the wider adoption of 5G, together with faster connection speeds and improved bandwidth, opens up new prospects for telecom service providers, it also poses new risks in terms of network security.

This article explains how telcos can make their newly-established 5G networks as well as telecom software solutions more impenetrable and secure.

Implement robust device authentication protocols

5G is set to spur a wide-scale adoption of connected devices in the business and consumer spheres. But apart from new revenue opportunities, the influx of IoT devices, designed with limited computational abilities and little to no in-built security, presents a security concern to network operators.

This complication, however, was anticipated during 5G development, and the network was supplied with the new authentication framework. Building on 4G’s cryptographic primitives and security characteristics, it allows for non-SIM-based credentials, such as token cards, certificates, and pre-shared keys, in addition to traditional physical SIM cards.

Three mutual authentication protocols

Moreover, 5G offers telecom operators to choose between three mutual authentication protocols—5G-AKA, EAP-AKA, and EAP-TLS, compatible with both mobile phones and SIMless devices.

1) 5G authentication and key agreement protocol

5G-AKA protocol uses asymmetric randomised encryption, making it immune to IMSI-catcher attacks

But because of the unique specifications of each protocol, the choice needs to be thorough. The novel 5G authentication and key agreement (5G-AKA) protocol, built for purpose by 3GPP, is understandably making waves at the moment.

This challenge-response authentication method uses asymmetric randomised encryption, making it immune to IMSI-catcher attacks, and stands out with improved roaming security features that prevent billing fraud. However, due to its novelty, 5G AKA is not fully studied, and some researchers have already recognised security shortcomings in the protocol, which render it vulnerable to linkability attacks.  

2) EAP-AKA

EAP-AKA is an older AKA-based challenge-response authentication protocol with the same level of security properties as 5G-AKA but differs from it in some technicalities, such as message flow and key derivation.

3) EAP-TLS

The addition of non-AKA-based authentication protocol EAP-TLS in 5G is a positive innovation, even if its use is limited to private networks or IoT environments. EAP-TLS uses a fundamentally different certificate-based mutual authentication model, which removes the need to store a large volume of long-term keys in the home network, as in the case of 5G-AKA and EAP-AKA.

But on the other hand, EAP-TLS comes with a certificate management overhead and has security vulnerabilities that can be exploited when the infrastructure is misconfigured.

Upgrade legacy security controls

The onset of 5G is bringing about the escalation of DDoS attacks in number, scale, and complexity

The pivot to 5G and environment virtualisation not only creates new security challenges for telcos but also exacerbates some all-time threats. That’s why providers are encouraged to upgrade their existing safeguards.  

First and foremost, the onset of 5G is bringing about the escalation of DDoS attacks in number, scale, and complexity, so telecom operators, who have been hackers’ primary targets over the years, need to enhance their protection even more in 2022.

Blackholing

Blackholing, or rerouting suspicious traffic into a “black hole” and thus dropping it from the network, is the most common DDoS mitigation measure in the telecom industry.

The tactic would be efficient if not for one fatal flaw; it destroys both malicious and legitimate traffic, which in the highly connected nearest future can have disastrous consequences for a smart hospital, factory, or city.

Machine learning detection mechanisms

So in preparation for 5G, operators can pivot to a more preserving tactic of DDoS mitigation involving scrubbing centres and dedicated facilities where DDoS-generated traffic is analysed and legitimate traffic is separated and forwarded back to the original destination.

To minimise the traffic downtime, which can reach up to 30 minutes, telecoms can adopt machine learning detection mechanisms to discern malicious traffic in a fraction of the time an infosec specialist needs.    

Backing up data

Providers are advised to implement automated malware monitoring and detection engines into each network slice

Due to the pivot to vertical connectivity, the telecom industry also puts itself in the firing line of high-scale ransomware attacks targeting consumers. Against this backdrop, the importance of backing up customer and device data as well as making it inaccessible to third parties with encryption cannot be stressed enough.

Other than that, providers are advised to implement automated malware monitoring and detection engines into each network slice, tailored to the type of devices it serves, instead of a single, one-size-fits-all solution.       

Manage security compliance       

In addition to following the 3GPP standards while deploying their 5G networks, telecom companies looking to partner with enterprises across industries and geographies need to be mindful of other relevant cybersecurity regulations. 

1) Regional laws

In the EU, the GDPR is the major regulation defining data protection and privacy. Since it applies to the IoT device's lifecycle, telecom operators with plans to venture into vertical connectivity must follow it.

Such network providers also need to take into account the Cybersecurity Act, an EU-wide cybersecurity certification framework for ICT products, services, and processes.

ePrivacy Regulation

ePrivacy Regulation is currently under discussion, focusing mostly on electronic communications

There is also the Toolbox on 5G Security issued by the European Commission for EU member states as a recommendation for telecom companies to strengthen their 5G deployment security. Although the regulation is voluntary, it is implemented on a national level, so service providers are expected to comply with it.

Beyond this, the ePrivacy Regulation is currently under discussion, focusing mostly on electronic communications. When passed, it is expected to strengthen communications security while also opening up new business opportunities for telcos.

Internet of Things Cybersecurity Improvement Act

In the US, there was no single federal IoT legislation until the Internet of Things Cybersecurity Improvement Act was signed into law at the end of 2020.

The Act requires the National Institute of Standards and Technology (NIST) to develop security standards for managing federal government smart devices, and despite its narrow focus, it is highly anticipated to have a wide-ranging impact on IoT device manufacturers, connectivity providers, and industrial IoT security overall. NIST hasn’t released the final version of its guidelines yet, but telcos developing service offers in the US are advised to keep them in mind.   

IoT cybersecurity initiatives

In contrast, despite being at the forefront of IoT development, the Asia-Pacific region does not have substantial public or private IoT cybersecurity initiatives.

Still, considering the rising importance of smart devices in the services sector and manufacturing as well as an alarming growth in cyberattacks against IoT, countries are highly likely to start drafting and enacting relevant laws in the nearest future.

2) Industrial guidelines

While most industries usually conform to national data privacy and security laws, other sectors are handling sensitive data that follow their regulations.

Healthcare

For IoMT connectivity providers to comply, it’s necessary to build specific data transmission and storage

Healthcare is a sector with one of the most rigorous data security laws aimed at protecting patients' health information; HIPAA in the US, PDA in some EU countries, and DISHA in India.

For IoMT connectivity providers to comply, it’s necessary to build specific data transmission, storage, and integrity safeguards together with sophisticated access control mechanisms into their services.

Banking and finance

Another industry with established data security guidelines is banking and finance. PCI DSS, a universal standard mostly focusing on payment data security, also contains hardware and software security policies.

They touch upon device communication encryption, specific protocols and standalone device security measures, and recommendations for IoT application development.

Final thoughts

Like any emerging technology, 5G is a disruptor, so telcos should implement it carefully, paying special attention to the security of their networks and telecommunications software solutions.

In particular, organisations should adopt more advanced device authentication protocols, modernise outdated security controls, and manage relevant cybersecurity regulations.