IoT Security in a 5G World: Leveraging complexity at scale
By Joyce Deuley
There was a predictably large turn out at this year’s CTIA to discuss the impressive impact of 5G and the capabilities it will provide. Not only will 5G dramatically increase network speeds, but it opens numerous doors for IoT deployment as well as innumerable vulnerabilities.
In light of October’s “Mirai” distributed-denial-of-service (DDoS) attacks on IoT devices—as well as the large-scale attacks waged against companies such as Twitter, Tumblr, Spotify, Amazon and Netflix, the idea of having a zero-latency network that hosts a myriad of unprotected devices is especially terrifying. Even more so now because the how-to documentation has become open sourced. However, there are ways to prevent those kind of attacks that Jay Srinivasan, Sr. Director of Engineering at Infiswift, discussed in his IoT Evolution article, “Stopping Mirai DDOS: What Consumers & Developers Can Do.” But more than that, DDoS attacks are not the only security threat to be concerned with; Akamai Technologies just released new research, wherein its Threat Research team has identified recent attacks on IoT devices via a decade-plus old OpenSHH vulnerability. Meaning that IoT devices must become resilient to both new and old methods of attack.
And when we consider the scale of IoT connections as well as traditional issues with security, (e.g. lack of customer knowledge or awareness), things can look even more tenuous. Thankfully, there were several leading security specialists at the “Securing the Foundation of a 5G World” panel discussion that were able to shed some light on the lack of IoT security and what that means for us going forward. With Rita Marty, Executive Director, Cloud & Security, AT&T Chief Security Officer as the panel moderator, the panel consisted of: Angela McKay, Director, Government Security Policy & Strategy, Microsoft; Gary Davis, VP & Chief Consumer Security Evangelist, Intel; Drew Morin, Director, Federal Cyber Security Technology & Engineering Programs, T-Mobile USA; and Jim Hunter, Chief Scientist & Technology Evangelist, GreenWave Systems.
The security panel recognized that 5G possesses an overwhelming amount of potential to essentially create a whole new architecture, a “clean slate,” if you will. But it also acknowledged that 5G also possessed equal or proportional susceptibility to exploitation. That said, security is going to be…difficult at best. Ironically, the root of 5G’s security issues, Davis explained, stemmed from the very characteristics that make 5G desirable (i.e. zero latency and the ability to connect to a large number of devices). According to Davis, if we were to “fast forward to 2020,” where we had “billions of connected devices and… a tech that has zero latency, which can send data at unprecedented speeds,” then one inevitable consequence would be a huge security challenge—and that is putting it mildly.
As 5G is an emerging technology, there are a lot of things to be considered—like the fact that 5G networks aren’t just about connectivity, but also the mission-critical applications and markets they support, and who is ultimately at risk and how best to mitigate that risk. Ultimately, the panelists did an excellent job of addressing these conncerns, as well as identifying the positive opportunities that seem to run parallel to the inherent vulnerabilities of 5G networks.
When asked about the advantages and challenges, GreenWave’s Jim Hunter was quick to respond, saying it was the “first time we’re seeing the evolution of computer involved with communication. Now we see baked-in technology.” However, according to Hunter that doesn’t mean that we need to create a “one-size-fits-all” security standard for 5G networks. Instead, he posited that security standards would continue to be siloed [to some degree within markets], but that “these measures” would need to be taken and exchanged back and forth. “The value is in the data and the insights, and you won’t get that across one vertical, you need that cross section,” he concluded.
In addition to that, Angela McKay stressed that the industry must take an agile approach to solving security issues and improving overall resiliency: “The place we are in now, big tech providers, is a service-managed network. When you move into 5G, you’ll have non-IT traditional companies building code, and you’ll have the number of vendors involved in delivering those services.” In order to achieve sufficient agility and collaboration, McKay maintained that the industry would have to “be responsive to the dynamic nature of the risk environment,” evaluate “this-service-requires-this-kind-of-service V.S. another” and how that could change. Additionally, McKay urged the industry to “Be more agile, do risk-based deployment of apps and services based on attributes and machine learning you can get out of the cloud environment.”
Fog computing, intelligence at the edge, artificial intelligence, and machine learning are all about putting more advanced computational powers in-field hardware and the network, itself, in order to improve data analysis, security via remote updates, and self-healing capabilities. For Hunter, “Fog… is absolutely right. It works better when it scales from the ground up… The network is computing, and then computing is happening in the network. It’s more network than ever. It’s not just us changing, it’s the entire globe that needs to shift at the same time…there’s about 360 IoT shows around the globe.”
Drew Morin, however, focused more on edge devices than networks: “It has always been, ‘Let me protect the edge device, and I’ll let the firewalls protect you with the center being gooey and delicate.’ [But now,] we’re going to have intelligence at the edge that the network will have to adjust for. All of these things will enable the core components… [that are] handling the switching processing and translating [of] what’s going on in the network…[to] cut off whatever slice and kill it, and then do forensics on it.” Other aspects to consider are the regulatory environments, who organizations will need to turn to, who the authorities are, and what additional requirements will need to be met while moving further up the stack. According to Morin, “We, as an ecosystem, need to look at the rule book and start off with a new plan and a new vision. It’s a fun, radical time.”
Despite Davis’ warning that securing 5G networks and IoT deployments would be a “cat-and-mouse game”, it isn’t all doom and gloom. From McKay’s perspective the risks implied with 5G networks also possessed a great amount of opportunity. What the industry would need to do, she advised, is identify what inhibitors challenged them and allowed them to actualize “those opportunities,” as well as really embrace the notion that they were “not fully realizing the security opportunities that are on the horizon.”
If the industry thought that wide-scale IoT development and adoption looked like the Wild West in terms of aggressive pioneering and an inherent “make-it-work” mentality, then their approach to 5G network security would have to be very similar. It’s not so much, the “every-man-for-himself” aspect, but the collaboration that is born out of adversity and perseverance that is natural to exploration. To agree with McKay, “Complexity is the challenge,” but, the opportunity is in “managing that complexity” together.
(For more information on how the race to 5G is shaping up, please read Consuelo Azuaje’s article in The Connected Conversation).
*Originally published in James Brehm & Associates’ E-newsletter, The Connected Conversation. To read the full issue, click HERE.