Of the many emerging trends in the technology space, few others get as much attention as Fifth Generation (or 5G) networks. Likewise, few other trends generate as much concern. But as promises of extensive, worldwide 5G networks become more realistic and tangible, so do industries’ concerns about providing robust cybersecurity in a 5G world.
Why does 5G present such a concern for the future of cybersecurity? It’s not all bad. The rollout of 5G networks around the world promises to revolutionize industries like automotive, medical, and telecom, among countless others. 5G networks will enable a larger ecosystem of IoT and connected devices than ever before. Unfortunately, with the many benefits generated from greater numbers of devices and greater heights of speed also comes untold security vulnerabilities. For example, AT&T’s Cybersecurity Report details some of the top cybersecurity concerns that 5G networks bring, including: “1) Larger attack surface due to the massive increase in connectivity; 2) Greater number of devices accessing the network; 3) Insufficiency of perimeter defenses.”
A world intricately laced with 5G networks will have more connected devices communicating with one another. This expands the available attack surface for hackers, creating fertile ground for them to step in, compromise devices, and infiltrate everything from smart cities to connected vehicles to medical devices. These new risks introduced by the proliferation of 5G networks are in addition to the already numerous cyberthreats that plague 4G networks - and researchers from Purdue University point out that these risks apply not just to the networks themselves, but to the many diverse industries they service - everything from automotive to healthcare. Particularly, 5G presents a striking concern for the utilities industry, as more connected IoT networks only increase vulnerability for attacks. Due to the critical role of power and infrastructure in society and these industries’ growing reliance on connected systems, they are ripe targets for a variety of attack vendors, such as insider, outsider, and supply chain attackers - and the motivations for attack are plentiful. From state-level attacks to financial and theft motivations, attackers seek to infiltrate these critical infrastructures via their many connected devices. By gaining access to a wastewater plan, for example, attackers could adjust settings to cause contaminated water - or shut down power for entire cities. For example, just last year, attackers targeted the North Carolina utility, the Onslow Water and Sewer Authority. Vindictively planning the attack during the aftermath of Hurricane Florence, the attackers demanded ransom after encrypting databases and locking out employees. This year, Siemens and the Ponemon Institute released a study that surveyed 1726 utility professionals responsible for securing cyber risks in Operational Technology environments at electric utilities (with gas, solar, wind assets) and water utilities. Fifty-six percent of respondents revealed they had experienced at least one shutdown in the last year, and 54% reveal that they expect an attack on critical infrastructure within the next twelve months.
What’s most concerning is industries’ seemingly underwhelming response to this growing trend - despite the well noted-security risk. AT&T’s report states that, “while 72.5% of security professionals worldwide rate their level of concern for the 5G’s impact on security as high or medium-high, only 22% said they believed their current policies are ready for 5G.”
This lack of immediate response to the cybersecurity threats of 5G may be due in part to financial restrictions. A study from Information Risk Management (IRM) (called Risky Business) notes that most companies’ cybersecurity decisions are determined based on cost - not the level of safety they provide. First, this implies that too many companies don’t appear to fully comprehend the gravity of the financial disasters that can succeed cybersecurity attacks. It also raises serious concerns about the future security of industry: While cheaper cybersecurity solutions may seem like a sufficient route for the short term, as we rapidly approach a world that is fully ensconced in 5G, we will need cybersecurity solutions that are firmly robust.
One approach that is attracting support from diverse industries seeking a new solution to cybersecurity is the flash-to-cloud approach. While many service providers rely on a connected device’s OS (operating system) or processor to deliver security, the flash-to-cloud approach moves the root of trust to the flash memory of the device and creates a secure channel between the gated flash memory in the end device and the trusted management system residing either in the customer’s cloud or premises, so, even if the device’s software of processor is compromised, the device will remain secure.
Since typical attacks manipulate the flash memory of the connected device to create persistency that survives a restart operation, having a hardware root-of-trust protects the device’s firmware and critical code, such as executables, calibration, and boot, from any unauthorized changes.
The flash-to-cloud defense also moves the control from the vulnerable device, such as security camera, sensor or smart meter, to a trusted entity in the cloud or data center, creating a secure channel between the cloud and the flash memory. Only trusted and validated commands and updates, coming from the data center can modify the flash memory. Reliable alerts and status reporting, coming from the root-of-trust, enable a trustworthy outlook, management, and device-level control of the entire distributed network.
Furthermore, flash-to-cloud embedded protection guarantees a lifetime defense that spans from device manufacturing and supply chain, through onboarding, to operations, over the air updates until end-of-life. This protection blocks malicious and even accidental code modifications, regardless of network or physical access to the device and regardless if the attacker is an outsider or insider.
Many industries are beginning to see the flash-to-cloud approach as an ideal solution to the many cybersecurity challenges presented by 5G, because the approach is not only effective but affordable. By eliminating upfront security investments, the flash-to-cloud approach can deliver companies with the robust cybersecurity needed to withstand the threats of a 5G world within a cost structure that is economically manageable. This can stop epidemic attacks that can spread fast.
5G networks will soon be all around us, touching nearly every industry from the cars we drive in, to the cities we live in, to all of our energy and water utilities. Without a guaranteed, reliable, and robust cybersecurity solution, we are at risk to fall victim to an entire new host of security threats, and there are few other approaches that can promise protection other than the flash-to-cloud approach.
Yoni Kahana, VP Business Development, NanoLock Security, brings more than 20 years of experience in managing, leading and developing large-scale projects in secure telecommunications and embedded systems, from idea-stage to completion in R&D, product and business environments. Yoni brings extensive cybersecurity experience, with specific expertise in securing embedded and connected devices in connected vehicles and IoT devices. Prior to NanoLock, Yoni was the Product Cybersecurity Group Manager for General Motors (GM), where he managed the Israeli Cybersecurity Group responsible for securing crucial elements in the car. He also was a Security System Team leader and Security System Product Engineer at Qualcomm and served as an officer in the Israel Defense Forces (IDF) in an elite unit where he led and developed cybersecurity solutions.