The move towards 5G is accelerating as enterprises seek greater security, flexibility, and reliability from 5G than from earlier cellular, wireless, or wired connectivity. And while the underlying security capabilities of 5G NPN are superior to earlier communications media, they are not flawless. Recent research outlined four attack routes into a private 5G network, three areas where communications network topology presents opportunities to intercept signal traffic, and six methods for attacking the physical process infrastructure via those vulnerabilities. See “Private 5G Security Risks in Manufacturing, Part 3” for details.
The bottom line is that 5G networks are not secure by design. Firms setting up private 5G networks must design and install appropriate tools to encrypt sensitive message traffic, block IT attacks against x86-based servers, and protect OT protocols and equipment from tampering.
Trend Micro and 451 Research, part of S&P Global Market Intelligence, recently surveyed over 400 individuals in globally-distributed organizations responsible for deploying private wireless networks in mixed IT and ICS environments. Security is the largest concern, with 39 percent citing it as the most important aspect. However, most expect to integrate this with their existing IT network as well as their OT environment. Only 20 percent intend to extend their existing security systems to protect the new private network, while 43 percent intend to deploy additional capabilities from their current IT security vendors. This shows faith in their current vendor selection. The remaining 37 percent are relying on security capabilities built into the new offering, either by the vendor or by their integrator.
These results underscore the criticality of having a robust information security architecture that can extend to the private network and its dependent ICS environment. Without a solid picture of the target environment, most organizations will not be able to evaluate the risk and vulnerabilities this new platform will bring. Only 8 percent of these organizations will evaluate the risk themselves. The rest will rely on a partner or work with a third party. Lacking a well-understood security architecture, these firms will not be able to think critically about the relative risk of their new operational environment.
An architecture is a book of rules describing which capabilities and processes an IT configuration must contain. Unarchitected systems become chaotic and unpredictable. The standards governing product selection and feature use flow from the architecture, with formal deviation from standards allowed under well-defined circumstances. This mechanism allows problem diagnosis and vulnerability assessment to proceed reliably. Operational procedures depend on a predictable set of behaviors, and the less well-defined the environment, the more difficult it becomes to solve problems and eliminate faults.
Yet most organizations will not have a clear architecture in place when they begin. This is a serious exposure. Further, most organizations will manage the risk internally, with the degree of reliance on a partner varying by use case:
It seems that risk management will evolve as the organization gains experience running the environment. This “learn-as-you-go” approach is perilous. We encourage organizations that are embarking on their journey to deploy new private networks to take the time initially to define their information security architecture clearly. It is vastly harder to introduce quality into a product that’s already been manufactured than it is to design quality in from the beginning. Information security is the same.
What do you think? Let me know in the comments below or @WilliamMalikTM.