The security collaboration group therefore brought together representatives from Liverpool 5G Create, 5G CAL, Project Vista, West Mercia Rural 5G, 5G Wales Unlocked, AMC2, 5G Connected Forest, MANY, Factory of the Future and 5G Festival alongside DCMS to explore this all-important but complex subject. As the 5GTT programme drew to a close, Peter Whale from UK5G hosted a workshop with the group to tease out some of the key learnings that would be of interest and value to others. In this article, we summarise the main takeaways:
Security strategies for 5G networks
As with any network, basic principles of security apply, and consideration needs to be given during the design phase to which parties, individuals and automated functions require access to the network and connected applications. Typical questions to consider include: how long is access needed for and how much access is required? Who has responsibility for controlling and monitoring that access over time?
There was much discussion in the workshop about the value of taking a layered approach, where security domains are split out, with threat analyses and risk assessments carried out for each layer or zone. The 5G CAL project, for instance, identified three zones: the autonomous vehicle, the 5G network and the teleoperation station. They used a tool called THREATGET from the Austrian Institute of Technology to automatically analyse and issue a threat report for each zone.
This process, alongside the implementation of sufficient controls, can help to minimise risk from, and of, any type of intrusion. Ste Ashton, referring back to one of the very first projects - Worcestershire 5G - identified that even back in 2017 they took a stance of “secure by design” to both network and applications and the work they did with Kinetic has led to the development of some products.
There was some discussion around standards that can be used to shape and guide security strategies for 5G deployments. Specifically, the ISO 27000 family of information security management standards is a series of mutually supporting information security standards that can be combined to provide a globally recognised framework for best-practice information security management. The mainstay of the series is ISO 27001, which sets out the specification for an ISMS (information security management system). Other projects stated that they had looked more to ISO 31000, a family of standards relating to general risk management. And of course there are more specific standards and specifications that might align to your particular use cases, for instance 5G CAL looked to PAS11281 which talks specifically to connected autonomous ecosystems.
Open communication and dialogue around security were also identified as key. Be honest and transparent about what your network can deliver and the capabilities it can offer, and equally what it can’t do. Users can then make informed decisions about how this can work with their existing processes and procedures.
Think beyond the network
A theme throughout the collaboration endeavours was a strong sense that just securing the 5G network itself is not sufficient. Alex Mavromatis from the Bristol Smart Internet Lab reflected that the 5G Logistics project had worked entirely with private networks and they had dedicated a lot of time and energy to understanding impacts of applications on their networks. With sensors connecting to the 5G network, and that data then being fed into machine learning models, they realised that security needed to be end-to-end from sensors to the ML models. “It doesn’t really depend on the network,” he explained, “it’s more the design. Even when the network is secure, there are still strategies that need to be deployed to make sure the applications are too”.
Peter Whale summarised:
“often with technology IT systems, the lower down the stack you are, the more generic capability you've got. And I guess the risk is that at the sharp end - the application end - that if it's not locked down you've got lots of potential vulnerabilities through extra capabilities, creating more attack vectors.”
Several observed that, as is often the case when it comes to security, decisions are a series of tradeoffs and that the most secure option when it comes to applications could restrict networks from being fully exploited. Representatives from the West Mercia Rural 5G project noted that when working with care homes the only way they could manage the security risk, within the constraints of the project, was to fully lock down the devices being deployed, so they could only be used for one specific use case. It was identified that this creates an undeniable tension: having multiple devices that a care home worker has to use for different use cases is not practical, despite offering a lower risk threat. There is clearly a balance to be had between securing devices and enabling, rather than stifling, innovation.
The choice between public and private networks
The vast majority of projects in the 5GTT programme deployed private 5G networks, some for the convenience of control it offered, some - especially the rural projects - for necessity and some to test the capabilities of private versus public networks. One benefit often highlighted for private networks is security; with dedicated SIMs for whitelisted devices, they provide confidence that only devices you know and permit can connect to your network.
Tom Allen from Cuba Ultra however provided an interesting alternative perspective. The 5G Wales Unlocked project worked with project partner BT to deploy use cases on commercially available 5G networks in Blaenau Gwent and Monmouthshire and for them, security was a core part of that decision. “We deliberately picked a commercial network partner rather than build a private network”, Tom explained, “because you can then rely on their security overlays within the 5G and commercial networks, which are incredibly strong…It does save a lot of effort and time trying to cover all of that off”.
Others noted that the security when it comes to private networks can be complex. Andy Mackenzie, referring to the work on the Worcestershire 5G project remarked that “when you're bringing big companies’ data onto a private network, it can get really quite messy quite quickly regarding what rules you apply, at what point, and what protections you put in, at what point”.
An important reminder therefore that while private networks may better suit the needs of certain organisations they are not without complexities, and public networks are still incredibly secure, with 5G itself inherently more secure than both Wi-Fi and previous cellular generations.
Physical security matters too
An interesting observation is that when it comes to security we should be thinking not just about cybersecurity but also the security of the physical layer of the hard infrastructure, whether that be a mast or a comms room. Similar sentiment was raised at the recent Smart Junctions showcase event where panellists remarked that cybersecurity could only take you so far if you had for instance an uncontrolled number of people with access to the roadside cabinet.
Similarly, the increasing deployment of small cells on lamp posts and other street furniture creates new challenges for physical security; equipment is more accessible to potential bad actors - or simple vandalism - than it has been previously. Consideration therefore can be given to how equipment is housed so that it does not overly draw attention. Asset mapping of installed infrastructure could be a further useful route to consider.
The interplay between security and safety
The group discussed at length the interdependencies between security and safety and the extent to which these two priorities should be considered in parallel. Representatives from the 5G CAL project gave the example of their automated lorry use case deployed at the Nissan plant in Sunderland. In this instance, security and safety are intrinsically linked - a rogue actor taking over control of a 40 tonne lorry could have significant and immediate risks to human life. One of the project partners, Coventry University, has been doing some in depth work into the extent to which cybersecurity and safety intertwine, and what implications that then has for deployments.
Reflecting on this, many of the participants in the workshop shared their own experiences of how cybersecurity has a very real impact on physical safety, and it was very much felt that safety is much more reliant on cybersecurity than the other way round. For the manufacturing projects, worker safety is paramount for the sector and a rogue robot could present an immediate safety risk. Offering a different use case but with a similar conclusion, the MANY project spoke about the work they’ve done with the Swaledale Mountain Rescue Team. The integrity of the network is vital to ensure that they are provided with accurate information that enables them to take decisions and mount rescue operations. In such scenarios, safety is the most important consideration and any decisions made regarding cybersecurity must not compromise that imperative. Equally, the impact of degradation in security should also be understood in the context of its impact on safety. In practical terms for instance, the 5G CAL project - which was operating in a live industrial setting - had a safety driver present. So in the worst case scenario of the network being hacked, there was still a physical final line of defence who could take back control of the vehicle.
In some industries - and representatives from AMC2 identified that construction was certainly one - everything starts with safety, so this type of thinking will be ingrained. It was recognised that in some instances security may exist entirely separately from safety and it was felt that trying to wholly integrate the two elements could be an unhelpful exercise - each has its own ways of thinking, processes and structures - but there was broad agreement that in any instance where a breach to the integrity of a communications system impacts personnel, there is likely to be a relationship that needs to be understood.
It was also felt by the group that with data and connectivity becoming increasingly important to all sectors and scenarios, the interplay between security and safety is likely to become ever greater, whether we’re looking at the construction of a building or an autonomous vehicle service.
Through their research, Coventry University highlighted four potential relationships between security and safety:
- Conditional dependence: a safety measure is needed to satisfy a security measure or vice versa
- Mutual enforcement: where a safety measure can actively help security or vice versa
- Antagonism: where there is direct conflict; for instance, keeping a fire door locked helps to keep intruders out of a building but risks the safety of those inside the building
- Independence: no relationship
Considering which relationship applies to your organisation during the concept development phase is key. Coventry recommends then establishing synchronisation points so at set stages in the process, safety and security teams can come together to review the interdependencies and identify if there are any issues arising.
Visualising security requirements
Risk assessments were identified as a key way to explore the relationships between security and safety, and for safety-focused industries such as construction and manufacturing, these will be a familiar exercise. For other sectors, it might require a different type of thinking and the need to bring together disparate teams.
This can appear a daunting task and Giedre Sabaliauskaite, Associate Professor at Coventry University shared her belief that there is no “perfect model” to integrate security and safety. They have different processes, standards and requirements so trying to force them together can be problematic. Instead, it’s about being conscious of the interdependencies and recognising the relationship each has on the other.
One way to do this, and to understand security more broadly is through mapping techniques. Andrew Miles shared work that has been undertaken by Liverpool John Moores University to help organisations to visualise their security ecosystem. This innovative tool, which was deployed in the Liverpool 5G Create project was designed to help organisations recognise the importance of security without it becoming “too stifling”. Specifically designed for stakeholders who are not necessarily technical experts, the tool helps to visualise the processes or the complexity of processes that exist between different parties, both technical and procedural, and work out where the risks are - and also where they are not. “It's really successful at visualising complexity and bringing in security as an extra dimension” Miles explained, “managing complexity, visualising complexity and harnessing mature processes inside different organisations, rather than saying that we have to conform to something uniform”.
You can find more details on the visualisation tool here.
There’s being secure and then there’s people believing you’re secure
When it comes to security, the gap between reality and perception can be a hindrance especially when you’re talking about use cases that require end user adoption; consider for instance health and social care. However, it may not just be your end users that you need to educate and reassure.
Several workshop attendees highlighted that throughout the projects it had taken time to convince partners and collaborators - whether that was the NHS, a local authority or customers of a manufacturer - to trust the security of 5G networks. In most instances, this comes down to a lack of understanding. Taking the time to ensure people understand exactly how data passes through the network, who has access to it and where (or if) it is stored is key to avoiding misunderstandings and mistrust. There was recognition that oftentimes, things aren’t actually that different when it comes to 5G networks and applications but that taking people on a journey with you is critical and time should be built into any deployment plan to allow for this.
In conclusion, David Pedley, DCMS, recalled that at the start of 5GTT, projects were asking how they could secure 5G networks. He reflected that it was reassuring to have learned that existing processes can be used to secure these networks.