5G and risks to critical infrastructure [Q&A]
The speed and bandwidth of 5G means that as the roll out continues a lot of industrial automation equipment will eventually be on the 5G network.
So what can be done to protect the integrity and availability of manufacturing networks and other critical infrastructure? We spoke to Dave Weinstein, CSO of Claroty to discuss the link between 5G and the cyber security of critical infrastructure.
BN: Why is 5G going to be a problem for infrastructure networks?
DW: There ares a couple of reasons for that some are political in nature, some are technological in nature but the short of it is the real promise of 5G is not just that we'll have faster download speeds and better streaming services on mobile devices. Ultimately it's that we can fundamentally transform how our we leverage cellular connectivity.
That really manifests itself in the manufacturing sector. In a world in which 5G is is fully deployed and adopted those industrial control systems are going to be on networks and vulnerabilities in the 5G network therefore, potentially hold those manufacturing operations at risk.
So in the case for example of Huawei, the government of Great Britain has admitted it's a high risk vendor, you potentially subject manufacturing operations as well as supply chains to significant cyber risk.
BN: Why are these risks, so much greater on the 5G given that, for example, Huawei is already part of the 4G network?
DW: The difference is that the 4G network is not running factories so, again it goes back to the whole promise of 5G which is to go beyond just the typical use cases of cellular connectivity. It will be extended to Smart City use cases, to smart factories, to distribution centers and other kind of just in time industries. So, the minute that happens, all of a sudden the risks that today are present on the 4G network, which mainly are calculated in the context of data security and the confidentiality of data, become a question of operational security and integrity.
BN: So it's a compliance risk as well as a security risk?
DW: Take the electric utility industry, for example, which is highly regulated and compliance is often the primary driver behind security departments. The fundamental tension here is between unlocking the efficiency benefits that 5G can offer and balancing those benefits with potential costs of connectivity on a much greater scale which is a risk in and of itself.
Whenever you're introducing more connections you're, potentially providing malicious actors more avenues of attack. When you have a high risk vendor which in my opinion is less of a Huawei problem than it is China problem -- it's about the regulatory and legal framework under which their government operates.
BN: How will the use of open coding standards help to push greater security?
DW: It's more secure because you're able to subject the code to more eyes, more researchers and ensure the integrity of the code base so over time. The bigger issue here is that it's really about competition. By introducing open coding standards you're essentially eliminating the monopoly so that developers can write 5G code for a whole host of hardware manufacturers.
I think what you're seeing in terms of the number of Western telecoms infrastructures coming together, like Ericsson and others is an effort to inject more competition into into the system. So that at the end of the day buyers can have more options in terms of which telecoms provider to go with. So, it's twofold first it's the technical security benefits of open standards. Second it's the competitive benefits of allowing folks to write 5G code for multiple different platforms.
BN: Do you think we’ll see a move towards a Linux-like situation where you've got commodity hardware and the difference in in various manufacturer offerings is primarily in the software and the code?
DW: That's certainly idea and I think it's pretty promising actually because quite frankly, there's not a whole lot of differentiation on the hardware side. The reason Huawei is winning is because they were first movers and they move really fast so they're a couple of years ahead of everyone It's not necessarily a matter of technological superiority, I do think if you take that out of the equation, you still have the, the problem of catching up. But if you start to see competitors team up in that respect, they might be able to close the gap faster than if they all operate independently.
BN: Do Western countries, perhaps need to need to take a step back and slow down a little bit on rolling out 5G until they've got a better handle on some of these issues?
DW: In a perfect world, that would be a great option, but I don't sense much of an appetite for that. I don't think it's politically palatable and I don't think it's economically palatable. There're a lot of eyeballs on 5G. Though, it wouldn't be a bad idea to take a step back there's just a lot of forces, working against that politically and economically. Not to mention the momentum of the investment that companies have made already at this point, so to take the foot off the gas significantly could be a pretty costly endeavor.
BN: So it's a balancing act isn't it between keeping secure and staying ahead of the competition?
DW: It's not uncommon for new technologies to roll out and security typically typically lags behind, either because it's not a priority or it's a resource problem. So, this isn't unlike what happens on a day to day basis in a lot of companies and governments, the difference is it's just massive scale, and the consequences are more geopolitical.
BN: Does the limited hardware capacity of IoT devices make them harder to secure?
DW: It's so easy, in many cases, to adopt the technology and the time to value its so short there's less opportunity to have a conversation about taking care of it. This is a trend that we witness on a daily basis. We are exclusively focused on operational technologies but in many operational technology environments like factories you're finding more and more IoT devices. And these are your typical commercial grade IoT devices, just performing a specific task or for the organization. It presents significant security risk to the organization, because the consequences of an attack are more toxic, offering more ways to get in, more, more hot points on which to maneuver undetected. Many of these devices that they're plugging in and the addresses are completely unmonitored, shadow IoT.
BN: What do enterprises need to do today to ensure that they are prepared for 5G and stay protected?
DW: They need to think strategically about their 5G infrastructure partners. Projects like these can come with the near term benefits and long term risks. Organizations need to be really attentive particularly with respect to the partners that they're selecting because it's going to be a long term relationship.
They also need to be intentional about why they're adopting it. In some of my conversations with organizations there hasn't been a whole lot of deep thought around why this direction, other than because it to be the shiny object at the moment. You want to make sure that you have a true and an intentional strategy about why you want to adopt it today. But you also need to think what that's going to look like for your business three years from now, five years, 10 years, it’s a long term relationship.
On the more technical side organizations really need to understand when they do adopt 5G what's on their network. They need to have even more visibility to all the devices they I have so thatthey can manage them from a security perspective. It's going to take a really active active security program to manage the risks such that the benefits are not outweighed by the costs. So, as organizations add more and more IoT devices to networks they need to actively manage those and make sure they have full visibility to everything that's happening.
Image Credit: panimoni / depositphotos.com