We are pleased to share with you all an interesting article contributed by Anand R. Prasad, an information security leader experienced in developing successful businesses, with over 20 years of proven professional track record.
Anand R. Prasad, Chairman of 3GPP security working group (SA3) and Chief Advanced Technologist at NEC
This is the final part of the article on 5G IoT security, based on talks I have given on the topic since last year.
In this part I present the rest of the security considerations for 5G IoT: spectrum, security credentials, devices, services, business, user space and more. Once again, I deliberately do not discuss global activities on 5G IoT and security.
Note that the discussion is about security considerations for 5G and not about security solutions or attacks.
Spectrum
Higher GHz bands with very different characteristics are expected to be used in 5G. Cognitive radio will come into the picture, and there will be aggregation as well as use of unlicensed bands.
Depending on the range of higher GHz bands used, the radio characteristics will change significantly. An example is the millimeter-wave bands, i.e. 30 GHz and above, where line-of-sight is needed and the radio is affected by atmospheric conditions such as attenuation due to humidity or oxygen. Thus cells will be smaller, high mobility will be difficult, and it will be possible to confine the signal within a limited area. Such radio characteristics could be taken into account in security design.
Cognitive radio will mean that different devices with different priorities will coexist, which will require good means of authorization to access the radio.
Aggregation of licensed with unlicensed bands or technologies, already available today, requires consideration of authentication, key hierarchy, integrity, confidentiality, replay protection and authorization.
Security Credentials
There could be changes in security credentials and in how they are stored. One can consider three different forms of storage: (1) a secure hardware environment as we have today in the form of the UICC, commonly known as the SIM card; (2) an embedded secure hardware environment, e.g. a UICC or similar device implemented in a modem, which brings us to something like the embedded SIM; and (3) some form of software.
Each of the three has different implications for the business model and for security. The third method of storage will make the mobile operator completely independent of any other party for the storage medium, but there can be severe security implications, as the security credentials could be easily compromised. Still, software could be considered an option for businesses where the cost of devices and services provisioned is, say, in the order of a few cents. In such cases some amount of loss would not have a huge impact on the overall business; here faster means of attack identification and automated control mechanisms could be applied. This brings us to things like machine learning or artificial intelligence (AI), but surely there will be further developments towards technologies that we have not yet seen.
Provisioning of security credentials over the air will become essential, and resetting to factory-default credentials might be needed; basically, several aspects of credential management will be expected, potentially beyond what we have seen today.
End Devices
The change here is in terms of the huge variety, from smartphones to types of IoT devices, wearables, VR devices and AR devices. Open source is also coming more into the picture for devices, as is reachability from the Internet.
The last bit, reachability directly from the Internet, will mean devices being prone to cyber-attacks as we see today in the personal computer arena, or the Information Technology (IT) world.
Devices with a long battery life (say 10 years) that are expected to work at very low data rates will face other security issues. It is possible that the cryptographic algorithm implemented in such a device will be cracked during the device lifetime, or that the device will end up being used for a purpose other than originally expected; both of these can lead to successful attacks on the device. We should expect that such devices will be cheap and all algorithms will be hard-coded; thus, both business-wise and technically, it will not be possible to change the algorithms or device functionality to counter the attacks.
Open source devices could cause several issues, especially if all protocol layers and all parts of the device are accessible to the user. An attacker with such a device could, for example, misuse the control plane protocols, which would lead to a variety of attacks on the mobile network. Now, how will subscription and device authentication take place?
As devices by themselves will not be capable of provisioning adequate security, the network will have to come into the picture to secure the devices and services. The network can support security by monitoring the traffic, analyzing it for potential security issues by various means including machine learning or AI, and taking actions as per the policy of the user or operator; the privacy and security trade-off will have to be considered here. Thus, from the very beginning, the network could be designed to cater for the security requirements of specific types of devices or services.
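The network-side monitoring just described, as an added example written for this page (it is not the author's code and not part of any 3GPP specification): a small Go program keeps a behaviour profile per device class, rolls per-device counters over every hour, and turns each deviation into the action the operator's policy prescribes. It is fed constructed flow records from a fictitious smart-meter deployment; the device class "meter", the thresholds, the hostname head-end.example, the address 203.0.113.7 and the alert/rate-limit/quarantine policy are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what operator policy says to do when a device leaves its profile.
type Action string

const (
	ActionAlert      Action = "alert"
	ActionRateLimit  Action = "rate-limit"
	ActionQuarantine Action = "quarantine"
)

// Profile is the behaviour expected from one device class (values below are constructed).
type Profile struct {
	MaxBytesPerHour uint64
	MaxMsgsPerHour  int
	AllowedDsts     map[string]bool // hosts this class is provisioned to contact
}

// Flow is one summarised traffic record as a network probe might export it.
type Flow struct {
	DeviceID, Class, Dst string
	Bytes                uint64
	At                   time.Time
}

// Finding is a profile violation together with the policy action chosen for it.
type Finding struct {
	DeviceID, Reason string
	Action           Action
}

// Monitor keeps per-device counters for the current one-hour window.
type Monitor struct {
	profiles map[string]Profile
	window   map[string]time.Time
	bytes    map[string]uint64
	msgs     map[string]int
}

func NewMonitor(profiles map[string]Profile) *Monitor {
	return &Monitor{profiles: profiles, window: map[string]time.Time{},
		bytes: map[string]uint64{}, msgs: map[string]int{}}
}

// Observe ingests one flow and reports a finding if the device left its profile.
func (m *Monitor) Observe(f Flow) (Finding, bool) {
	p, known := m.profiles[f.Class]
	if !known { // a class nobody provisioned cannot be judged automatically
		return Finding{f.DeviceID, "unknown device class " + f.Class, ActionAlert}, true
	}
	hour := f.At.Truncate(time.Hour)
	if !m.window[f.DeviceID].Equal(hour) { // roll the counters into a new hour
		m.window[f.DeviceID] = hour
		m.bytes[f.DeviceID], m.msgs[f.DeviceID] = 0, 0
	}
	m.bytes[f.DeviceID] += f.Bytes
	m.msgs[f.DeviceID]++
	switch {
	case !p.AllowedDsts[f.Dst]:
		// A sensor contacting an unprovisioned host suggests it is being used
		// for something other than what it was deployed for: isolate it.
		return Finding{f.DeviceID, "destination " + f.Dst + " not in profile", ActionQuarantine}, true
	case m.bytes[f.DeviceID] > p.MaxBytesPerHour:
		return Finding{f.DeviceID, "hourly byte volume above profile", ActionRateLimit}, true
	case m.msgs[f.DeviceID] > p.MaxMsgsPerHour:
		return Finding{f.DeviceID, "hourly message count above profile", ActionAlert}, true
	}
	return Finding{}, false
}

// RunSample feeds constructed flow records from a fictitious metering deployment
// through the monitor and returns the findings in order.
func RunSample() []Finding {
	m := NewMonitor(map[string]Profile{"meter": {MaxBytesPerHour: 4096, MaxMsgsPerHour: 12,
		AllowedDsts: map[string]bool{"head-end.example": true}}})
	t0 := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	flows := []Flow{
		{"mtr-001", "meter", "head-end.example", 200, t0},
		{"mtr-001", "meter", "head-end.example", 200, t0.Add(10 * time.Minute)},
		{"mtr-001", "meter", "head-end.example", 8000, t0.Add(20 * time.Minute)}, // volume spike
		{"mtr-001", "meter", "203.0.113.7", 60, t0.Add(30 * time.Minute)},        // unexpected peer
		{"mtr-002", "meter", "head-end.example", 200, t0.Add(2 * time.Hour)},
		{"cam-007", "camera", "head-end.example", 500, t0.Add(2 * time.Hour)}, // class never provisioned
	}
	var out []Finding
	for _, f := range flows {
		if fd, hit := m.Observe(f); hit {
			out = append(out, fd)
		}
	}
	return out
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("%-8s %-11s %s\n", f.DeviceID, f.Action, f.Reason)
	}
}
```

The destination check runs before the volume checks on purpose: a low-rate device talking to a host it was never provisioned for is a stronger sign of repurposing than a volume spike alone, so it is isolated rather than merely throttled. The privacy side of the trade-off the article mentions is visible in what the monitor consumes: per-device destinations and volumes, not payloads.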
Services
A variety of services, devices and sources of services are expected. Provisioning of any type of service will require at the least authentication or proper authorization; otherwise misuse should be expected.
Over-the-top (OTT) services already exist and have the potential to lead to cyber-attacks through malware, phishing etc. Sponsored data should be a source of revenue for mobile operators, but misuse here leads to the operator making a financial loss.
Public safety security work has been done extensively in 3GPP for cases like device-to-device communication as well as situations where the radio network is not connected to the core network. Such security solutions will also be required in 5G from the very beginning and might go well beyond public safety into the consumer arena.
Business
We are already seeing changes in the business model of mobile operators. One such change is in the form of APIs being made available for third parties to launch services over the mobile network. Thus network resources essential for mobile network functioning could become accessible for attacks; the attacker is now able to get deeper into the network than ever before.
With 5G in the picture we will also see operators entering partnerships with other companies to provision services. This would mean that the partners would own the subscribers while the operator would be responsible for correct usage of the licensed spectrum. Here the authenticating party will also be the partner and not (only) the operator. Thus a whole set of security requirements associated with the partner will also have to be fulfilled, including authentication, key management and the rest.
User Space
5G will have much deeper penetration in society, from those literate in ICT to those who will use ICT for the first time. “Things” will also get connected.
The security implications from this perspective are huge. Millennials in general are technology-savvy and understand the implications of security and privacy, but those who have never been connected will not have any such understanding. Thus the overall security solution for 5G will have to cater for all types of users, and at an adequate price level, so that security becomes reachable to all.
Other Aspects
Some security aspects hinted at above, or not covered above, need consideration, like:
Concluding
There are a couple of points that we can observe from the discussion above. For 5G to function properly we will need security standardization, like authentication, confidentiality and integrity of messages etc. We will also need security beyond what is provisioned by the standard, like monitoring, analysis, control etc.
It will be essential to take care of baseline security, i.e. security for the OS, TCP/IP stack, password management, logging etc. Security assurance, i.e. testing of network functions and of the live network, also forms a part of baseline security. One could consider embedding security-assurance certification in the network functions or protocols to automate the proof of the expected security level. At the same time, it will be essential that 5G solutions provide means for rapid changes in case of vulnerability or attack identification, i.e. waiting for the patch cycle becomes unnecessary.
New technology development will be required, as mentioned throughout the article. This includes cryptographic algorithms, security credentials and their storage, as well as monitoring and analysis technologies. In particular we will need improved analysis technologies embracing machine learning and AI that have negligible false positives without human intervention.
Even after everything, it will be essential that the network also provisions security as a service. This security provisioning by the network will become a new form of profitability for the value chain, as it will truly make security a business driver of mobile networks (secure network as a service), embracing the fact that one size does not fit all!
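The idea of embedding security-assurance certification in a network function so that the proof of its expected security level can be checked automatically, as an added example that is not part of the article and not any 3GPP mechanism: in this Go program a certification body signs a manifest (function name, version, test-suite identifier, image digest, expiry) with an Ed25519 key, and the orchestrator admits a build only after verifying the signature, the function, the digest and the expiry. The manifest fields, the suite identifier, the digest strings and the use of AMF as the function name are constructed assumptions; it also shows the rejection cases (tampered manifest, different image, expired certification, untrusted issuer) that an automated gate must handle.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the record a certification body issues for one tested build of a
// network function; the field set is constructed for this example.
type Manifest struct {
	Function  string    `json:"function"`   // network function that was tested
	Version   string    `json:"version"`
	TestSuite string    `json:"test_suite"` // assurance test set the build passed
	BuildHash string    `json:"build_hash"` // digest of the exact image tested
	NotAfter  time.Time `json:"not_after"`  // certification must be renewed after this
}

// Signed carries the serialised manifest and the issuer's signature over it.
type Signed struct {
	Manifest  []byte
	Signature []byte
}

// Issue is run by the certification body once the test suite has passed.
func Issue(priv ed25519.PrivateKey, m Manifest) (Signed, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Admit is the orchestrator-side gate: a build is deployed only if an unexpired
// manifest from a trusted issuer covers exactly this function and this image.
func Admit(issuer ed25519.PublicKey, s Signed, function, buildHash string, now time.Time) (Manifest, error) {
	if !ed25519.Verify(issuer, s.Manifest, s.Signature) {
		return Manifest{}, errors.New("manifest signature invalid or wrong issuer")
	}
	var m Manifest
	if err := json.Unmarshal(s.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	switch {
	case m.Function != function:
		return Manifest{}, errors.New("manifest is for a different network function")
	case m.BuildHash != buildHash:
		return Manifest{}, errors.New("image digest differs from the certified build")
	case now.After(m.NotAfter):
		return Manifest{}, errors.New("certification expired; re-test required")
	}
	return m, nil
}

// RunSample issues one manifest and runs Admit against five constructed
// scenarios, returning each scenario's admission error (nil means admitted).
func RunSample() (map[string]error, error) {
	issuerPub, issuerPriv, err1 := ed25519.GenerateKey(rand.Reader)
	otherPub, _, err2 := ed25519.GenerateKey(rand.Reader) // an issuer nobody trusts
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	now := time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC)
	const hash = "sha256:constructed-image-digest"
	good, err := Issue(issuerPriv, Manifest{Function: "AMF", Version: "1.4.2",
		TestSuite: "assurance-suite-constructed", BuildHash: hash, NotAfter: now.Add(90 * 24 * time.Hour)})
	if err != nil {
		return nil, err
	}
	// Change the version inside the signed bytes without re-signing.
	tampered := Signed{Manifest: bytes.ReplaceAll(good.Manifest, []byte(`"1.4.2"`), []byte(`"1.4.3"`)),
		Signature: good.Signature}
	cases := []struct {
		name, hash string
		issuer     ed25519.PublicKey
		s          Signed
		at         time.Time
	}{
		{"valid", hash, issuerPub, good, now},
		{"tampered manifest", hash, issuerPub, tampered, now},
		{"image differs from certified build", "sha256:other-digest", issuerPub, good, now},
		{"expired certification", hash, issuerPub, good, now.Add(120 * 24 * time.Hour)},
		{"untrusted issuer", hash, otherPub, good, now},
	}
	out := map[string]error{}
	for _, c := range cases {
		_, out[c.name] = Admit(c.issuer, c.s, "AMF", c.hash, c.at)
	}
	return out, nil
}

func main() {
	out, _ := RunSample()
	for name, e := range out {
		fmt.Printf("%-36s %v\n", name, e)
	}
}
```

The digest binding is what turns a certificate into proof about the running software: without it a manifest issued for one build would vouch for any later build of the same function, including one shipped after a vulnerability was patched in (or introduced). The expiry field is the hook for the rapid-change requirement the paragraph ends with, since a short validity forces re-testing rather than waiting for a patch cycle.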