The Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC) has been busy assessing and identifying security risks for 5G wireless services, which present newfound risks unique to the technology, an NRMC official said April 22.
During FCW’s Planning for 5G Security event, Dan Dagher, supply chain risk management initiative lead at NRMC, discussed what new security risks 5G presents and what his team is doing to combat them.
One unique security issue 5G presents is the development of policy and standards, Dagher said.
According to Dagher, there are “malign influences and standards development as the technology becomes more complex” that will “influence the design and the architecture of 5G technologies” to benefit companies. In this way, companies can shape standards to benefit themselves or to “make the controls more or less optional in standard implementations,” he said.
“Another unique security issue is supply chain security issues,” Dagher said. “Equipment that’s produced or handled by untrusted parties presents more of a risk to malicious or inadvertent introduction of vulnerabilities. Now you have a lot of counterfeit components out there, we’re working on that right now, and you have the insertion of malicious software and hardware. And those are just some examples of vulnerabilities.”
“Even if ICT components are purchased from trusted companies, the company may maintain production facilities in other areas, or overseas areas, which may introduce a second or even third-tier supply chain risk,” he added. “And so those are unique to this specific 5G area.”
“You have 5G systems architecture,” he continued. “These architectures enhance security, but the growing variety of ICT components and increasing the use of mission-specific devices like IoT, for example, will lead to complexities within the system architecture that could introduce vulnerabilities.”
As for network slicing, Dagher said “they’ll all open the door for new avenues of exploitation. The technology provides for the overlay of 4G and 5G architectures, and it may provide for opportunity for malicious actors to carry out downgrade attacks. So, there are 5G systems architecture unique threats that we’re just not sure of yet.”
Dagher went on to say that new tools might not be developed to mitigate these 5G security risks; instead, current security tools will most likely be adapted to serve 5G technologies.
“When you look at all the benefits that 5G can bring, we have established security tools in place, we just need to modify them for what 5G can bring. I think OpenRAN is going to be something where we might find new tools cropping up, but we’re not there yet,” Dagher said. “You mix 5G components with prior generation in non-standalone networks, and that may bring new vulnerabilities we’re just not aware of yet. But for right now I think we’re where we need to be, we just need to make sure we cover the 5G spectrum.”
OpenRAN refers to a developing wireless industry standard for radio access network interfaces that support interoperability between equipment made by different vendors.