Addressing 5G security with threat modeling

5G is fundamentally different from 4G, LTE, or any other network the telecommunications industry has ever seen before. It promises data rates 100 times faster than 4G, network latency of under 1 millisecond, support for 1 million devices/sq. km., and 99.999% availability of the network. The rollout of 5G will reach one-third of the global population by 2025, and the U.S., South Korea, and China are already on the forefront of 5G deployment.

But the benefits of the 5G network can also inadvertently enable attacks (such as DDoS attacks from compromised IoT devices) if proper security precautions aren’t taken. Securing 5G requires a holistic approach and deep security expertise. This blog post explores the first step that needs to be taken to secure 5G, and future posts will cover the next steps essential for 5G security.

5G security concerns

Along with tremendous promise, the 5G rollout also comes with a number of security concerns: 

• Network functions virtualization (NFV). NFV enables network slicing by replacing network functions on appliances such as routers, load balancers, and firewalls with virtualized software instances that run on commodity hardware. Virtual network functions (VNFs) are utilized to run these functions as packaged software that sits on virtual machines (VMs). Virtualization can lead to vulnerabilities such as denial of service and malware.
• Software-defined networking (SDN). A complementary technology to NFV, SDN utilizes network management to separate the control plane from the forwarding plane. SDNs enable programmable network controls and abstract the underlying infrastructure from the apps and network services. Centralized and controllable, SDNs provide the agility required to adapt to the evolving needs of 5G microservices. However, SDNs are susceptible to attacks such as forwarding device attacks, control pane threats, API vulnerabilities, counterfeit traffic flows, and more.
• Microservices. The 5G core consists of a service-based architecture, and microservices are essential in the development of this architecture. Microservices are considerably more flexible, customizable, and agile than monolithic applications, and they are faster to develop and easier to maintain. Microservices are often deployed over multiple VMs and/or clouds—which also means a much wider attack area. The APIs that link microservices can also be used to launch attacks, and applications that are built by coupling microservices evolve and change rapidly, increasing the risk of vulnerabilities being deployed into production.

Additionally, the cloud, virtualization, containerization, edge computing, and DevOps all play a vital role in the era of 5G:

• The scale, elasticity, agility, responsiveness, and rich software functionality required for 5G applications and microservices can only be achieved in the cloud. Lower capital and operating expenses are additional benefits of being in the cloud.
• Today NFV is done on VMs, and they will continue to be utilized in a 5G environment.
• Containers will shoulder a bulk of the load in building and deploying 5G microservices. They also offer the agility to spin up or spin down microservices and enable the DevOps culture that is necessary in the 5G era.
• The 5G network promises latency as low as 1 millisecond, and 5G-powered applications will rely on low latency. Ultra-low latency can only be met by distributed edge computing that is closer to the end user. 

These technologies and methodologies provide flexibility, cost savings, ultra-low latency, high bandwidth, and agility, but they significantly increase the attack surface and add complex attack avenues that are harder to defend. 

An expanded attack surface

As mentioned earlier, 5G offers a much wider attack surface and a combination of new attack avenues, including:

• Millions of connected devices with considerably less security features
• Weaker mobile/Wi-Fi/landline connectivity
• Software-based NFVs with a higher number of software vendors and potentially more supply chain issues
• Distributed edge computing
• IoT, which requires updating software on millions of connected devices that are inherently not as secure
• Reliance on cloud vendors for configuration
• Unsecure container images, virtual networks for communication between containers, privileged flags, and isolation from hosts

5G also supports numerous mission-critical use cases such as smart cars, telemedicine, remote surgery, and more. For these use cases a lack of security is simply not an option—it could lead to potential loss of human life. Adding to this, the regulatory body of 5G (3GPP) has not yet mandated security features for network operators. 

How threat modeling addresses security concerns

Given the multitude of new factors involved with 5G networks, the crucial first step in securing 5G is building a comprehensive threat model. 

Threat modeling allows you to assess the risks facing your application along with the consequences of not addressing those risks. A good threat model enables security engineers to prioritize risks and address them according to the level of severity. Threat modeling experts leverage their experience to look beyond a simple predefined list of attacks and think about new types of attacks that may not have been a consideration for 4G or LTE networks. 

Steps to developing a threat model for 5G:

1. Define the different network and user side assets that are at risk of being attacked.
2. Create a list of potential internal and external threat actors for each individual asset.
3. Identify the actions that the threat actors could take to breach the assets at risk.
4. Analyze the factors and form a list of threats prioritized by likelihood of success and risk to the business.
5. Create an action plan to mitigate the identified threats. 

After a threat model is formulated, the next step in securing 5G is to perform penetration testing based on the findings of the threat model. The next blog post covers the aspects of penetration testing, including a 5G core, radio access network, microservices, and user applications perspective.