The nightmare on 5G street – IoT is coming and we don’t know how to secure it

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Charl van der Walt, Chief Security Strategy Officer at SecureData looks at some of the security implications that come with the advent of the 5G/IoT era.

There is no doubt that 5G and the Internet of Things (IoT) will revolutionise the ease with which life is lived, business is conducted, manual tasks are performed, and data is analysed. For industry, these innovations will provide a great leap towards quicker and more profitable business, and for the most part, that is a good thing. What is worrying, however, is that IoT security is already developing an unsavoury reputation for being terrible. 5G is likely to be a huge enabler of all kinds of IoT, which will only exacerbate this issue.

Once 5G becomes the standard network we all use, the likely result is that we will all be connected, at all times, wherever we are, and at ridiculous speeds. Given our dismal track record with security for ‘traditional; IT, this is a big challenge, and if left unaddressed, is going to be a lot of headaches at all levels of industry and society. The political, physical, and technical ramifications of 5G and IoT adoption will need to remain front of mind as businesses prepare for the 4th Industrial Revolution.

What are the risks for industries looking to adopt 5G?

The harsh reality is that consumers and industry alike have become obsessed with connecting things to the internet that we never really needed to before. Fridges, cars, pacemakers – you name it, and it’s probably already connected to the web. But we forget that every time we add anything to the internet, there are inherent security risks that aren’t considered, and therefore cannot be completely controlled. With 5G on the horizon, this always-on obsession of ours is going to become a BIG problem in terms of our own security. In short, where the opportunity for innovation exists, we also expose ourselves to cyber risk.

And it might actually be as bad as it seems. Against this backdrop, the US government is considering deprecating the widespread amount of Internet-connected Supervisory Control and Data Acquisition systems (SCADA) used by companies in telecommunications, water and waste control, energy, transportation – the list goes on. So high is the risk of connected technologies, that the US government is promoting deployments of “analog and non-digital control systems”. Unfortunately, the risk is already there, with reports of the very real hacking of control systems within the US national grid.

What about those risks at policy level?

Along with the technical risk of IoT systems, we need to consider the role that 5G itself will play as the main infrastructure for IoT and 4th Industrial Revolution (4IR) economies that we are building. The control of 5G, and therefore the power over it, gives countries and companies that are building and maintaining these networks a big head-start over those that aren’t. This power-struggle is already being played out on the global stage with the antagonism we are seeing between the US and Huawei. There is also a knock-on effect being seen with a continued resistance to Huawei and other Chinese companies, such as ZTE, elsewhere in the Western world.

The concern is that if 5G infrastructure is to become the new superhighway for connectivity, that infrastructure may be built and controlled by a foreign state that does not have our best interests at heart. This would essentially place control of the digital economy under the influence of that foreign state, whether directly or through a vassal company.

In security terms, any state-sponsored actors – criminal, intelligence, military or otherwise – would no longer have a need to attack systems running on a network, or place backdoors to gain access, or control the network itself. They will already have that power, whether we like it or not.

A simple mindset to adopt to solve a complex problem

What we need to remember is that even with the best security in the world, we can only ever partially mitigate any risk that comes with connectivity. This said, there are a number of security aspects within the IoT and 5G that should be front of mind.

The first is that every new piece of technology increases an attack surface. The IoT is estimated to be made up of 20.4 billion devices in use by next year, and this number is set to increase exponentially. Secondly, security debt is inherited, and any cost savings made or shortcuts that an IoT vendor took in the manufacturing process will end up being the end-user’s problem. This could be as fundamental as not ensuring that unique and secure passwords are set, managed and readily changed, for example. Finally, CIOs and CISOs will need to consider very carefully how patching is going to work, especially if an IoT network is very large or widely dispersed. Vulnerabilities can occur at any level of the stack, from an application all the way down to the hardware used. The ability to patch at all these levels for security must be considered critical, even for very simple systems.

The security threat to the IoT is real. The only real tangible response in the UK has been the NCSC making steps to address the issues posed by the rise in IoT devices and the potential for security fallout in its Security by Design review. Although this primarily concerns consumer devices, it holds true to wider industry as well. These new rules will help ensure that passwords on new devices are unique and not set to factory defaults. Additionally, any sensitive data transmitted over apps or devices must be encrypted as standard.

While this is a good start, there is some way to go before we can rest relatively easily. Ultimately however, for any IoT manufacturer or 5G connectivity provider, it’s important to think security first, rather than rushing out to market with a device or network that paints a picture of superior connectivity, but is really a security nightmare.

 

Charl SecureDataCharl van der Walt is the Chief Security Strategy Officer at SecureData, and has a background in offensive security and penetration testing. Charl has given courses and lectures for companies and universities the world over and has been a regular on the Infosec conference circuit. He has been a security training advisor to the US DoD for over 5 years, has acted as a network security consultant for the Commonwealth Games and co-authored numerous security books.