With potentially vulnerable IoT devices attached to the 5G infrastructure, along with important data flowing continuously between these devices, both private and public sectors must team up to prioritize security measures, says Dick Bussiere, Technical Director, APAC, Tenable, in an interview with CIO AXIS.
CIO AXIS: Why does 5G require new approaches to cybersecurity that emphasize greater collaboration between private and public sectors?
Dick Bussiere: The increased speed and increased device density that 5G offers changes the playing field and brings boundless opportunities for greater and more interconnectivity between intelligent devices. It also increases the value of the network to society in general as the criticality of a network is proportional to the number of devices attached to it. With potentially vulnerable IoT devices attached to the 5G infrastructure, along with important data flowing continuously between these devices, both private and public sectors must team up to prioritize security measures. When both parties actively form strong partnerships, they can stay on top of securing the most critical assets.
CIO AXIS: 5G devices will become more interconnected. Smart TVs, door locks, refrigerators, speakers, and even minor devices like digital thermometers can become network weaknesses. What are the consequences of cyber attacks on intelligent devices?
Dick Bussiere: History has shown us time and time again that every widely adopted connectivity technology will be seen as an opportunity by threat actors. As more intelligent devices connect to a network, every one of those devices serves as a threat actor.
Attacks against IoT devices are widely documented. The Mirai botnet, which impacted internet-connected cameras, quickly comes to mind. The common denominator of these attacks is insecure code, insecure device configuration, or insecure communication channels and infrastructure housing the data.
CIO AXIS: What steps can organisations take to insert cyber resilience into the 5G development and operations lifecycle?
Dick Bussiere: To fully embrace the benefits of 5G, holistic security policies that can protect IT and OT environments need to be embedded throughout the development lifecycle. Collaboration within the industry can help manage risks effectively. 5G security policies must include sharing of threat intelligence, security methodologies and interoperability within sectors.
CIO AXIS: Earlier cellular technologies had fewer directly attached intelligent devices, which made it easier to do security checks and upkeep. 5G’s dynamic software-based systems have far more network intersections. What are the implications on network security and how can organisations protect themselves from it?
Dick Bussiere: Smart environments with multiple access points broaden the available threat surface. Significantly, it is important to understand that most IoT devices attached to a 5G infrastructure (or any other cellular network) are effectively directly attached to the Internet. So they need to protect themselves, and poorly implemented devices cannot. Such devices can form a direct path from the internet into an organisation’s private networks. Bad actors can then use these devices to pivot to the IT environment, thence on to penetrate the OT environment or vice versa across the network.
Many organisations lack basic visibility of their IT and OT infrastructures and do not take basic cyber hygiene countermeasures. This allows a multitude of bad actors to exploit vulnerabilities undetected. The biggest challenge facing the security teams tasked with managing this complex, sensitive and expanded attack surface is visibility. We cannot rely on costly, error-prone manual network inventories that are out of date soon after they are collected. Instead, automated solutions are needed to inventory and baseline converged IT/IoT/OT systems. These systems will facilitate a unified, risk-based view detailing what is exposed, where and to what extent across combined IT and OT environments.
CIO AXIS: 5G will soon be adopted by all sectors including manufacturing. The costs of developing and implementing security technology often do not motivate all manufacturers of intelligent devices to focus on cybersecurity. This is especially true for low-end products. Why should manufacturers create and follow robust cybersecurity policies to protect IT and OT environments?
Dick Bussiere: Many connected devices are shipped with existing vulnerabilities within pre-installed apps and firmware, which puts users at great risk. What’s worse, in some cases, devices can’t be auto-updated which puts the onus of patching vulnerable devices on the end-user. Putting the onus on end-users to resolve these flaws presents critical security gaps and leaves home and enterprise networks exposed. In other words, when it comes to IoT, an end-user can’t be expected to be the system administrator of their own teapots. Manufacturers of IoT devices, therefore, have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought.
Organisations using these devices may choose to not trust them and use them in an isolated manner.