Maintaining a high level of security for all 5G use-cases will be a huge challenge whereas the attack surface will deeply increase. Those were the insights shared by Emmanuel Lugagne Delpon, Group CTO and Senior Vice President, Orange, in an exclusive interview with Telecom Review.
Orange CTO highlighted the difference between 4G networks and 5G networks and how the 5G standard provides security improvements compared to the previous generation. When asked about what “secure” means to him, he said that it means having taken a full set of actions to maximize the confidentiality, integrity and availability of networks.
5G wireless technologies are promising faster speeds and greater reliability. However, there appears to be a growing consensus within the ICT ecosystem that there are a number of security concerns that need to be addressed before 5G networks are launched. As the CTO of a major operator, can you tell us what your views are on the security vulnerabilities and challenges of 5G?
Indeed there are several concerns raised about security and 5G, and they reflect the expectations and the hope that we have in 5G. As 5G will be vital for the entire society, the security aspects of 5G are of upmost importance.
First on the 5G standard itself, the 3GPP Phase 1 specification provides significant improvement from security perspective compared to 4G standard. The potential risks that have been identified in 2G,3G and 4G, that were highlighted in many security conferences, are now well-covered by the standard and the standard is flexible enough to introduce in the future new security features if needed. There is a 3GPP working group for that purpose. Therefore, I feel that we did the necessary improvements of the 5G standard for the initial launches but also prepared a solid basis for further improvement.
For example, during the last months, several articles have been published related to security issues, mainly focused on AKA (Authentication and Key Agreement) protocol and paging messages. These attacks are difficult to implement on 4G networks and not directly applicable to 5G.
Moreover, many security issues related to IMSI-Catcher are based on the fact that IMSI (International Mobile Subscriber Identity) passes in clear format in certain radio messages. In 5G, the identity is encrypted so this type of attack is not possible anymore.
A second topic is the security of services using 5G, and the security of virtualized networks.
5G network will be a critical asset for many usages: automotive, more generally transport but also healthcare, energy, industry and so on. Many of these services will make use of network slicing and virtualization. So to maintain a high level of security for all these use-cases or usages will be a huge challenge whereas the attack surface will deeply increase.
I believe the answers to these challenges come from 2 different approaches. One is security by design. We all know within the industry that security has to be addressed from the very early phase of the design of the system for 5G security mechanisms have indeed been natively embedded within the 5G architecture and will continue to be developed (identity and access management, interface and storage encryption, integrity controls, security orchestration…). Another answer to the security concerns of the virtualized networks resides in the test and learn approach. Virtualized networks are already deployed, not as largely as they will be with 5G, but this allows to master it before it is widely used, before complexity increases.
What does ‘secure’ mean to you? Is your 5G network ‘secure’ when you get approval from your government, or perhaps a governing body like the GSMA?
There is no single answer to this question, because there are different expectations from different stakeholders, and because security encompasses different aspects - mainly confidentiality, integrity and availability.
Being compliant with regulation is a no brainer. We are fully compliant with the local rules in each and every country where we operate.
Another step is adopting recommendations from various bodies, and the GSMA falls into that category. It is a good complement to the governmental regulation.
Finally being secure means having taken a full set of actions to maximize the confidentiality, integrity and availability of our networks. We do our part - through audits for example - but that cannot be achieved by a single company; it is a shared responsibility between 3rd party service provider, telco, and vendors. Orange works with all actors for improving the security of the mobile network.
We know that 5G is going to be a ‘key enabler’ for driverless vehicles and autonomous transportation. However, if those connections are not secure, then the risks will be immense. How do you determine your 5G network is verifiably secure? What tests and research will you conduct to ensure the network is bullet proof from potential threats? What’s the best way to achieve verifiability and transparency in this process?
First I would like to remind our track record. Our networks, 2G, 3G and 4G have been until now very safe. 5G will build on this and benefit from the experience gained. Our SoC (security operation centers), responsible of global monitoring (security and functional) are currently assessing relevant tools and processes to complement the current monitoring, e.g. for low latency services.
As for other topics, one way to improve security and verifiability is to study and test security with various partners. On connected cars, we are involved in a European collaborative project that will trial connected motorways, in a multi-country configuration. That trial is not dedicated to security topics, but will globally help the European industry to progress on the requirements of connected vehicles, and how to answer them.
We also work with the vertical industries to help them develop their own security mechanisms embedded in their applications. For instance, to react properly when there is a loss of mobile service, whether this is due to malicious action, network outage or just being out of coverage.
For how long does the 5G network need to be secure and what category of threats is it tailored towards combating? Some industry experts believe that if we want 5G networks to be secure for more than three years, then we need more research. Do you subscribe to this viewpoint?
Security has been improving on each generation of mobile network but also within the lifetime of each generation. It will be the same for 5G and security will evolve over time as the threats evolve. In 5G, the “security by design” principle is a key element and standardization prepares a basis for a couple of years. The 5G standard plans different steps and each of them brings a new set of security features.
In your expert opinion, what is the most complex and acute cybersecurity challenge for operators seeking to commercially deploy 5G networks?
Among the various challenges, there is one that I would like to remind that is not the most sophisticated, not the newest, but will be emphasized with 5G. It is managing the very huge numbers of devices, the huge volumes of traffic. We expect a lot of traffic, from a large variety of devices, and potentially DDoS traffic generated by a lot of compromised devices. In parallel, infrastructure becomes more and more complex and generates a lot of log/information. Finding relevant information (Indication of Compromise) in such a flow will be a real challenge. Artificial Intelligence will be useful, but also a part of that challenge.