By: Rajiv Pimplaskar
The complexities of adhering to the National Institute of Standards and Technology (NIST) standards and the Purdue Model have become even more challenging with the advent of 5G. While 5G does have built-in security—as specified by the 3rd Generation Partnership Project (3GPP)—it poses a new danger of expanding the attack surface with smaller cell sizes, a shift to Open Radio Access Network (O-RAN) and more business-centric use cases. A key strategy to safeguard 5G critical infrastructure is to augment its security framework with “stealth networking.” This approach was first developed by special forces and the intelligence community and is now also popular within law enforcement and the digital forensics world. Source and destination relationships as well as sensitive data flows across the public cloud and the Internet are obfuscated with a next-gen virtual private network (VPN). Stealth networking adds “defense in depth,” making it virtually impossible for a bad actor to detect—let alone target—the operational technology (OT) estate in the first place. Stealth networking is also capable of complementing conventional cyber safeguards and control assertions as specified by NIST, the Purdue Model and IEC 62443 standards, which can typically kick in later along the kill chain.
As critical infrastructures have come under persistent and nation-state-motivated attacks around the world, cybersecurity for ICS SCADA systems is undeniably paramount. NIST guidelines, the Purdue Model and IEC 62443 standards establish best practices for IT and OT networks and address use cases where the boundary needs to be crossed. These models delineate the need for network segmentation and communication control as well as the use of perimeter firewalls.
5G has security built into the standards themselves and could represent a new era of transformation for critical infrastructures, offering significant improvements over previous generations like 3G, 4G or LTE. The industry body that sets standards for mobile communications, 3GPP, has added new capabilities for 5G via the Service and System Aspects working groups that include enhanced subscriber privacy and authentication, greater interface protection, and enhanced integrity protection of user traffic. While they are more secure, 5G rollouts are characterized by small cell deployments due to outdated regulations, excessive fees, prolonged processes to obtain permits, and lengthy procurement cycles. Private 5G adoption is accelerating within the U.S. in part due to the availability of the Citizens Broadband Radio Service (CBRS) frequency band, which enables organizations to use the 3.5 GHz to 3.7 GHz radio spectrum to build wireless networks based on 4G LTE and 5G cellular technologies. However, this unrestricted capability does not exist worldwide, and several sovereign countries consider radio spectrum a national asset, necessitating bureaucratic carrier negotiations and fees.
These issues, coupled with a massive increase in the number of IoT devices, vulnerabilities within the public fiber infrastructure, and higher use of virtualization and cloud services, have dramatically expanded the attack surface and intensified the need for advanced security.
5G use cases within critical infrastructures span multiple sectors including manufacturing, retail, healthcare, utilities, agriculture, mining, and oil and gas. 5G capabilities can revolutionize warehousing, distribution, supply chain, asset management, and transport as well as smart city planning. These varied use cases range from real-time data collection to digital twin, AR-guided work instructions, predictive maintenance, connected and automated guided vehicles, connected workers, and worker safety.
3GPP’s open interoperability also facilitates the rise of O-RAN, where multiple vendors come together at the edges of the network in a virtualized and disaggregated manner. This disaggregation facilitates time to market for 5G buildouts worldwide. However, security remains a key concern due to the inherent expansion of the threat surface, as