Securing the 5G Core: Challenges and Solutions
I'm a networking and telecom guy, so I may be biased. But I'm steadfast in my belief that few technologies have had as profound an impact on so much we do at work and in our personal lives as 5G networks.
When you think of edge computing, mobility, the internet of things (IoT), software-defined networking (SDN), and virtualization, you're in the sweet spots of what 5G networks can enable. Without doubt or debate, 5G networks are critical infrastructure in the era of Digital Everything.
And, as critical infrastructure that controls, manages, and enables so much of what we do every day, we have to take care—fanatical care, in fact—to ensure that we are securing the 5G core in the most robust, reliable manner ever. Does that sound too over the top? Not if your organization relies on 5G core networks for lightning-fast data transmission, easy connectivity, and incredibly low latency for use cases that wouldn't even exist without 5G technology.
Why Securing the Core Matters
For those readers who are neither network architects nor network security experts, let me give you a sense of what 5G core is all about and why securing it is a no-compromise situation.
5G core is the software engine that drives a 5G network—particularly the mobile networks we rely upon for so much. The 5G core comprises various critical functions that let 5G networks do their thing, such as network function virtualization and SDN, network automation, edge computing, network security, and support for IoT device connectivity.
Imagine what happens when those functions are unavailable because hackers have infiltrated and infected the core. It's a miserable scenario I don’t want my company to ever be in.
One of the trickiest parts of securing the 5G core is that we're talking about a cloud-native architecture with loosely coupled components, which differs greatly from earlier-generation networking architectures. While the cloud-native approach has many exciting benefits, it makes security more complex. And I probably don't have to tell you that increasing complexity expands vulnerabilities and attack surfaces for hackers.
How To Do It
The funny thing is that while having a 5G core network represents a major step forward in delivering reliable, high-performance, resilient connectivity, the process of securing it isn't that much different from securing 4G LTE or 5G—at least philosophically. You still have to firewall appropriately, employ techniques like network segmentation, and ensure logical isolations between parts of the network that are not tightly coupled.
There are other strategic issues to consider when building and deploying the right security framework for 5G cores. A major requirement is a commitment to multilayered defense that handles a multitude of security vulnerabilities which may pop up in different parts of the core. This layered approach has to be implemented in a manner that goes beyond just a technical framework; it also needs security processes for identifying, preventing, and remediating the impact of vulnerabilities. And, of course, it needs well-trained people on the technology staff and among the many end-user organizations that depend on a secure 5G core.
The biggest differences lie in the 5G core software. For instance, 4G technology was not cloud-native, so its software components were tightly coupled. However, 5G core components are loosely coupled, which allows easier scalability and more accessible maintenance and troubleshooting.
This requires an in-depth knowledge and appreciation of the differences in the main components of legacy and new technology. It also demands that organizations think about new ways to streamline security vulnerability identification processes and train teams to spot risks and limit their impact.
What Gets in the Way
Sounds like a solid plan, right? As former heavyweight boxing champion Mike Tyson once said, "Everyone has a plan until they get punched in the mouth." The same could be said for a seemingly well-designed security plan that has to withstand the reality of unexpected and often unforeseen attacks.
One of the first things you need to remember is that not all providers of 5G cores (and their implementations) are the same. You need to ensure that the core is based on a mature implementation of the cloud-native infrastructure and that it results from a well-thought-out refactoring of their earlier core technology. Pay attention to how the modules are isolated within the software package.
It's also important to have a reliable, robust, and multifunctional vulnerability detection-and-response framework. In many cases, spotting, patching, and isolating vulnerabilities is where the game is won and lost.
Let me give you an example of how these problems can play out in the real world. Let's say you've identified a vulnerability, and you need to patch it in a specific module of the core. Back in the days of tightly coupled, monolithic core software, if you patched the vulnerability, you could also often patch most, if not all, of the rest of the modules and then test the system to ensure the modules continued to work together cohesively. Now, with a loosely coupled architecture like 5G core, patching one component may have unexpected ripple effects on other components, including security. Ideally, a set of regression tests catches any negative impacts, but we are not currently there, and it is one of the reasons 5G core isn’t used across the board yet.
The Beauty of the Zero Trust Model and Other Defense Measures
At times, I wonder what we would have called Zero Trust if we'd left it up to the marketing teams. After all, Zero Trust sounds so … negative and judgmental. But that's OK. In fact, I like the idea of sending a strong message about its essential nature when it comes to protecting the 5G core.
One of the reasons I like Zero Trust—or the approach of questioning trust assumptions—for 5G core is that it's much more than a technical blueprint. It has a philosophical bent to it, which says that we will leave no stone unturned. We'll take nothing for granted because the implications of a breach impacting 5G networks can be devastating. With the increasingly dynamic and interconnected nature of some key 5G use cases, like supply chain management and software development, it's better to have a Zero Trust mindset to prevent exploitation of security vulnerabilities.
Zero Trust is also essential when it comes to other potential vulnerabilities for 5G core. One is the now-cemented use of bring your own device (BYOD) policies and the transition to hybrid and remote work. When I think about how to account for these now-essential workplace practices, my answer is simple: Zero Trust. That's because people are one of the most fragile links in the security chain. Trends like BYOD and remote work have improved employee productivity and satisfaction, but they also have introduced new risks that could be exploited to infiltrate the 5G core.
We didn't have to think about this until recently, but it's now a critical element of our security planning. We've taken steps to further secure remote systems, such as using tokens to prevent people from getting unauthorized access. It is important to consider these requirements for not only employees but also contractors and consultants.
IoT is another important area where Zero Trust and other means of securing the 5G core are vital. We are now analyzing and investigating the full spectrum of the IoT value chain, all the way down to who is making the chipsets that go into IoT devices.
We've dramatically stepped up our monitoring of traffic for IoT devices so we can detect and block threats faster, earlier, and more thoroughly. And then, to complicate matters even more, we've had to deal with bring your own IoT device. (I can't even imagine how to construct an acronym for that.) We have customers using their own IoT devices on our 5G network, and we are working closely with them to understand where they are getting those devices and how they are being used—and which network services they are accessing.
In some cases, we have to tell people that we can't allow a certain device on the network because we can't adequately protect them. Not only does that make good sense from an operational perspective, but it has compliance implications. Government regulators are keenly interested in ensuring IoT is used properly in networked environments, especially given the immense popularity and widespread adoption of 5G technology.
Next Steps Toward Better Security and Improved Confidence
Ensuring consistent, reliable, and efficient security for 5G core networks is a must-do-right proposition. There is no "pretty much secure" for these environments. So, what should your organization do to make that requirement a reality?
- Do everything possible to apply security best practices from the start. Think of this as "shifting left" on the familiar mantra: people, processes, and technologies. An important step is to understand and adopt well-supported and broadly applied security frameworks; NIST is an excellent framework to consider, but there are others as well.
- Expect to be attacked, and expect that the impact could approach devastation. You have to plan for the worst, so make sure everything is in place: processes, tools, training for your people, and incident response. Move quickly to isolate the attack because the time between detection and action makes all the difference between exposing a lot of your customers to this threat and exposing perhaps just a few—or none at all.
- Develop and adhere to a good communication plan—one that has input from all relevant stakeholders, including security, IT, business teams, C-suite executives, and even the board. It should include what's required from a regulatory and legal perspective and what is important to clients, partners, and law enforcement. This plan should include step-by-step details of what needs to be done, who needs to do it, and when it needs to be done.
The promise and potential of 5G technology have exceeded many expectations, and they continue to grow and expand. But if we can't properly and efficiently secure the 5G core, do we risk losing all the great capabilities 5G provides us?
Working together, we can make 5G core security rock-solid and give our customers and users confidence that all digital assets will be safe and secure.
Mike Irizarry is executive vice president and chief technology officer at UScellular, one of the largest full-service wireless carriers in the United States.