LIVE FROM MOBILE 360 SECURITY FOR 5G, THE HAGUE: Canadian operator Telus highlighted the need for new approaches to network and service assurance in the 5G era, noting greater use of software in next-generation infrastructure increases vulnerabilities.

Carey Frey, the operator’s chief security officer (pictured), explained threats which exist today from organised crime or terrorist groups, among others, are not going to change with the move to 5G. “There are going to be people out there who are motivated to try and break into our networks and to attack the businesses and the customers that are using them.”

However, the method such attackers use will change, he said: “How they do it is by exploiting vulnerabilities in software.” As a result, “we’re going to make 5G increasingly subject to these”.

Delivering a broad solution to protecting software is complicated because businesses are often taking small pieces of code from multiple sources to create an overall system, Frey explained.

For operators, this creates a question around how they assure customers their network is safe. Frey stated enhanced mobile broadband it not a game changer in terms of security, suggesting that if you aren’t able to access videos of cats on YouTube due to a security exploit, it is small fry compared with an attack which interrupts remote surgery.

Different tack
Delivering the kind of assurance necessary for the latter example requires a shift away from current standards-based approaches: “at the very high level of assurance, we’re really talking about mathematically proven guarantees and third-party certification”.

The aircraft industry provides guidance on the direction Frey believes must be taken. He cited the scale of components required to construct an aeroplane as an example, stating the assurances required before people will trust that all are working correctly is a model for the mobile industry in terms of providing “customers with the confidence that they can use that network safely”.

But this raises the question of “how much is good enough”?

“Our comfort zone as a global industry is sort of at the level of standards and basic metric claims. And that’s ok, but honestly they don’t really get the job done for what I think the new level of confidence is that we’re going to be required to produce in order to gain the public’s trust and confidence that we can safely operate this platform in cyberspace.”

Operators in future will need firm assurances from vendors regarding the provenance of software components, including where they came from and how they were designed to work, else there will be no means of assessing if a component is not working correctly and so if it is being used in an attack.

To achieve this, Telus believes a global cybersecurity centre is needed for 5G, which brings together the work of standards bodies and individual regulators to provide a big-picture view covering the devices being used on operator networks; effective deployment of encryption; and access management.

“There are always challenges in operationalising what the standards say, either from the vendor perspective or from the operator perspective”, Frey said.