This week, we have a guest post from Majid Ali, Principal Cyber Security Consultant at NTT Security.

5G is a hot topic right now. After all, it promises to transform how organizations operate. Adoption will be varied but there is definitely an increased and concentrated effort from organizations that have historically struggled with a reliable internet connection to look into the potential use cases of 5G. 

Let’s take a typical manufacturing business as a prime example. It operates vast plants covering acres of land and where running network cable has always been a challenge, so it is this type of business that has a strong case for using 5G. 

Regardless of industry though, there is no doubt that as more and more devices connect to 5G, a wealth of data will be generated – from operating system information all the way through to user activity and behavior. Over time, organizations will rely on 5G to collect vast amounts of data in various formats, which will enable them to leverage advancements in AI technology that can translate data sets into more meaningful information.  

One could be forgiven for getting caught up in the hype yet, with so many positives and promises around 5G, do we have anything to worry about? The simple answer? Yes. 

With any great advancement, comes the risk of someone wanting to cause harm – be that for ego, financial gain, state sponsored espionage or rogue actors all wanting the same thing – knowledge. The ability to know what is occurring, how it occurs and when it occurs provides these actors a means to launch sophisticated attacks to gain access to your data.

So what should providers be doing to combat this emerging threat? The first step is to think like an attacker. Threat modeling is an invaluable process that will allow organizations and individuals to map out attack vectors and provide adequate countermeasures. 

The STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) threat modeling process from Microsoft is a great starting point for looking at 5G attack vectors and mapping them to the relevant areas within the STRIDE model. A more technical explanation of threat modeling can be found here.

Secondly, acknowledging that 5G will no doubt leverage components of its predecessors – the 3G and 4G networks. Therefore, attacks attributed to those older networks may allow a malicious individual to move laterally across networks to get to the intended target, which reinforces the importance of businesses thinking like an attacker so they can stop them.  

Lastly, a unified collaborative effort must occur between providers, government bodies and independent organizations to enhance well-established standards such as the European Telecommunications Standards Institute (ETSI) and 3rd Generation Partnership Project (3GPP) to address the growing threat landscape when it comes to 5G implementation.

The bottom line is that security and privacy concerns must be a driving force behind organizations’ plans to enable 5G devices to collect and share data. 5G brings great opportunities but it brings significant risks too – and these mustn’t be ignored.