Security from the outset for 5G

It is early days for 5G. If you analyse the already considerable amount of media comment on the subject, it is obvious that the industry has a clear vision of services that it hopes 5G will facilitate. What is less clear is the technology - much remains to be determined on the technical front with standardisation activities just beginning.

However, it is absolutely evident that security and privacy must remain fundamental requirements, especially given that the changes foreseen for 5G are likely to broaden the range of ‘attractive’ attack targets.

5G will be transformational

Earlier this year, we set out to provide a high level analysis of the main potential market segments where 5G will have a transformational impact and to assess the diverse security requirements for those markets.

The results were laid out in a marketing paper, An Analysis of the Security Needs of the 5G Market. The paper focuses on four main segments for 5G: massive IoT, critical communications, enhanced mobile broadband, and network operations (which underpins the three other areas). These are the segments defined by standardisation body 3GPP, which is working on 5G technical standards.

Across these segments, threats will vary from (amongst others) cloning in massive IoT, to denial of service in critical communications, to man-in-the-middle attacks in enhanced mobile broadband.

As a result, we assert that security requirements will vary too, both at the network access level and at the service level, where demands may range from those posed by low level sensors to those of high-end use cases like real-time remote controls, driverless mobility, and remote surgery.

Securing devices

Across all segments, security requirements will be based around devices, the network and backend. That means that the following high-level types of security requirements can be distinguished:

  • Network access security
  • Network application security
  • Service layer security
  • Authenticity, integrity, and confidentiality of data transmitted at different network layers

Needs will then differ according to segment around how frequently communication occurs, the amount of data to be managed and communicated, speed and latency, and around how frequent authentication has to be. For example, critical communications will require much more frequent authentication than IoT and will often involve far more sensitive data. Conversely, massive IoT will provide a scenario where devices will communicate infrequently, use low power and may require extended lifespans. In enhanced mobile broadband and in critical communications, performance demands may open the way to enhanced and highly efficient security mechanisms.

In fact, we expect that security requirements in enhanced mobile broadband will be very similar to those in the underlying network operations. However, the full range of security needs that will have to be covered is illustrated by considering the other two segments – IoT and critical communications.

An intricate infrastructure

5G networks are likely to play an even more fundamental role in critical infrastructure than did previous generations of mobile network. They will participate in what will be a highly complex ecosystem, involving drones, cloud driven virtual reality, smart multi node factories, cloud driven robots, public safety, transportation, and e-health. Major players will come from public service providers, MNOs, device manufacturers, infrastructure providers, and chipset providers.

This segment will provide different security requirements at the access and service layers – identification, enrolment, message authentication and non-repudiation, data integrity and key and identity management. Several layers of security may be required, depending on the use case and the type of communication (device to device or device to network) and the result may be a diverse and complex security infrastructure.

Different services will also require different levels of security and security assurance, with e-health and autonomous vehicles for example falling into market sectors with compliance requirements.

Breaches or man-in-the-middle attacks in use cases such as drone deliveries, connected vehicles, remote surgery, public safety, and first-response networks would be detrimental to the image of any company or public body deploying such technologies, and security will therefore be treated as paramount in this area. Appropriate certification and qualification will therefore once again be important in many of these use cases.

The IoT ecosystem

On the other hand, the massive IoT ecosystem is likely to consist of billions of potentially very low cost devices such as sensors or trackers. Typical use cases may span home appliances, some wearables and machine type communications including metering, sensors and alarms.

Some industrial devices may only send a few bytes of data once a month without any urgency concerning speed of sending or response. Driverless cars on the other hand may communicate continuously while in use with very high speed and low latency requirements.

Data is likely to encompass geolocation data, sensor data such as meter readings, and private consumer data. Location and privacy protection for data must be enforced to ensure, for example in the case of a meter or a home monitoring system, that a thief cannot determine whether the premises are occupied or not.

Devices may be connected to the network either directly or indirectly, for example via a gateway. How this is done may have implications for security requirements.

Securing 5G

Changes in the business aspect of the 5G ecosystem and other technological developments will also combine to add to the complexity of the security challenges. In addition, much is yet to be determined, including the need for backward compatibility with earlier generations of communications.

So, it is fairly clear that according to the demands of the segment, a broad range of security solutions or changes in feature sets of those solutions are likely to be needed. That’s precisely why we propose that dedicated tamper resistant hardware may offer value in many aspects of 5G.

Of course, there is a significant risk of falling short if we look only to the security and privacy challenges on the device side. A compelling concept for 5G must provide a solid proposition for the end-to-end perspective that copes with the mission-critical aspects of interoperability and with scalability challenges.

What is certain, however, is that it is vital to build security into 5G from the outset, for what is not built in from the beginning cannot easily be added later on.

We have already started work on a follow-up security requirements paper that will be published later in 2016. Industry engagement is sought on this initiative, to ensure that there are many voices, representing differing requirements, involved in fine tuning the vision of the role device security will play in protecting 5G networks and the many new services which will be deployed across the various market segments.

Paul Bradley, Chairman of the SIMalliance 5G Working Group
