By Dr Stanley Shanapinda (presenter at Risk and Cyber Week 2020)
THE adage goes, ‘If you fail to plan you plan to fail’. Nowhere is this more relevant than when it comes to the cyber risks ushered in along with the promises of the 5G revolution. To plan and to do so effectively, today’s cyber-security professional must have the foresight to prepare against emerging threats. Then much like a juggler, the act of balancing the costs against the benefits follow.
(1) Integration
There is no doubt that integrating previous generations of mobile networks with 5G is cost efficient. The trick, however, is to ensure these financial gains are not outdone by future cyber incidents. Integrating 5G with legacy networks multiplies the risks as it creates a complex environment. It is key for the cyber security professional to manage the integration process as way of guaranteeing security and trust in this large-scale environment. To effectively manage this risk, one can never test the systems enough – re-think your testing practices.
(2) Collaboration
5G will be connected to IoT devices made by a myriad of manufacturers and sold by vendors. Each party will make its individual contribution in the form of intellectual property to what is essentially the 5G assembly line. This, to connect all the support software and the hardware so they operate seamlessly. Collaboration is immensely beneficial, but poor service level standards may compromise desired outcomes, such as the peak time availability of 5G services to end users. Partners are best advised not to over promise the service components they provide, but to test services and only make promises based on verifiable outcomes, in legally binding service level agreements that contain clearly spelt out responsibilities and accompanying penalties.
(3) Open API
An open application programming interface promotes innovation and makes for a compelling business case when it comes to the programmability offered by 5G. For this reason, the growth of 5G will rely on the expanded growth of APIs. However, different layers of the network are exposed to exploits – the internetworking interface can be exposed to security risks due to a poorly designed API. The Network Equipment Security Assurance Scheme (NESAS), is defined by both 3GPP and GSMA and can help ensure compliance with ‘security by design’ principles. But that is only if the cyber-security professional plans to and nudges the vendor towards the voluntary adoption of NESAS requirements. Have a chat with the supply chain management team about doing so.
(4) Lawful interception
Mobile networks are obliged to install lawful interception capabilities to comply with judicial warrants. This helps to ensure public safety by assisting national security and policing functions. The flip side is, and there is always a flip side, a vendor that has access to the core network poses a potential threat by having the ability to manipulate the interception capability. The audit logs can be bypassed, and the misuse may not be detectible. This scenario needs to be well sketched out in any interception capability plan that has been submitted to relevant authorities thereby giving assurance that the potential weaponisation of interception and manipulation of information is treated effectively.
(5) GPS location positioning
The global navigation satellite system has enabled geo-location precision for applications and will power driverless cars. And as the race to space heats up, by jamming the network radio frequency, the core network and the location services functionality is at risk of being disrupted. Jamming occurs when an illegitimate radio signal plays the strongman and simply overpowers a legitimate radio signal. The result is that the location services functionality fails to transmit messages to the core network and its services. Such an intentional disruption can also interfere with the transport layer and render it unavailable and interfere with the geo-positioning system. A wider strategy of active spectrum monitoring can be considered to detect jammers. An automated process may be preferable.
Wrapping up
Consider the likelihood of these cyber risks by using an attack tree analysis in a cross functional team that you will establish for your organisation. Start today with a simple conversation.
Stanley Shanapinda (PhD Computer Science, UNSW Canberra) is a Research Fellow at La Trobe University Melbourne, Australia. Stanley has over 17 years of experience in the ICT sector, and as a lawyer, CEO, researcher, lecturer and author, having worked in Namibia, South Africa, Brazil and Australia. He is the author of the 2020 book ‘Advance Metadata Fair - The Retention and Disclosure of 4G, 5G and Social Media Location Information, for Law Enforcement and National Security, and the Impact on Privacy in Australia’. He researches and teaches Cyber Risk Management and Compliance, and Cybersecurity Governance under the Cybersecurity Master’s Program.
LEARN MORE: Dr Shanapinda will be presenting at AISA's Risk and Cyber Week virtual conference, which runs from November 9-13. His topic is "Getting an eagles eye view – enhancing the cyber situational awareness legal mandate, to counter hybrid threats and cyber warfare".
REGISTER NOW >> https://bit.ly/2F2X3gi