5G Security? It's an Open and Shut Case

Posted Apr 2018

The first deployments of 5G networks are shaping up to be based on the non-standalone 5G new radio (NR) specification. These services will use a 5G radio network and a 4G core network to deliver enhanced mobile broadband. Non-standalone 5G will give consumers faster networks but won’t yet enable next-generation use cases like mass IoT.

The 5G standalone (SA) specification is expected to arrive later this year, and networks will get really interesting as they begin to be connected to other networks and, in the case of 5G, to many billions of IoT devices.

And therein lies the challenge. Because, if 5G is to be really successful for the operator community, it will need to be an open network, not a closed one. It will need to be a network with multiple interconnects with multiple different types of networks, devices and organisations.

What’s more, it will also need to be easy for all those networks and organisations to connect to the 5G network using simple APIs. That will be the best way for the market to grow exponentially and take advantage of the enormous capacity that 5G can provide.

But the concept of an open network that is easy to connect to is almost the exact opposite of a network designed for the highest levels of security. For 5G, the network literally does have to be both open and shut.

Because, if we are going to enable 5G networks to carry vital data from billions of connected IoT devices, or control connected cars, or guide remote surgery – then we had better make sure that the information flowing across the network is properly protected from interference at source as well as right throughout its journey.

Therefore, the security barrier for a 5G network has to be at the point of interconnect – rogue agents and fraudsters must be prevented from connecting to the network in order to disrupt, divert or manipulate traffic.

The current release of the 5G standard, Release 15, does not include security protection on the network interconnect. However, working alongside the GSMA’s Fraud and Security Group, we and others have contributed to the Security Edge Protection Proxy (SEPP), which seeks to determine what that interconnect security should look like and what it should cover.

Importantly, the SEPP approach has now been endorsed by the 3GPP, so the race is on to figure out how it should work and get the full SEPP security specification defined in time for it to be included in Release 16 of the 5G spec next year.

There’s no doubt mistakes were made in earlier generations of mobile technology, especially when it comes to the security of the interconnect. That is why we have the issues today with SS7 signalling fraud.

Across the world, the commercial pressures to launch new technology and solutions took priority over other considerations. But the mobile world has changed exponentially since those earlier networks – especially when it comes to mobile data. We live in a mobile-first world and awareness of the need for improved cyber security is heightened across the board.

Which means, if we can get the SEPP specification right and implemented in time, then 5G could be the first mobile network to be released with the highest possible levels of security in place from the start. We can break the cycle of commercialism first and security second. Because this time, when we consider the alternative, it becomes clear that failure is not an option.