By: Stephen Buck
As we hit the mid-year mark, most communications service providers (CSPs) may have exhaled a sigh of relief to have withstood the coronavirus pandemic relatively unscathed. Even under enormous strain, such as when European operators experienced a 70 percent spike in traffic demand during the European pandemic peak, CSPs were able to maintain network connectivity. According to a member survey by the International Financial Group, part of the World Bank Group, operational performance was normal during the first half of the year, with service levels exceeding 99.95 percent. But a second, more sinister wave of risks may be just around the corner for CSPs.
In the rush to respond to stay-at-home orders, enterprises and consumers have quickly adopted the use of IoT devices to support remote working, learning, and caring. In healthcare, IoT devices are being used for remote patient monitoring, telemedicine and to support digital diagnostics. For example, the US saw a spike in the use of smart thermometers, which can help epidemiologists predict where an outbreak may soon occur. In retail, autonomous robots are being seen as a solution to maintain clean floors and deliver goods in grocery stores, big-box retailers, malls, and airports—showing how the digital transformation of some industries has accelerated more in the past six months than it has in a decade. As IoT adoption increases, now is the time for service providers to critically assess the security implications of IoT devices connected to their network.
In fact, the risks to network security are already abundant. A Mobileum poll of 90 global communications service providers found that 61 percent said network security threats have increased, and 75 percent experienced new or emerging incidences of fraud since the beginning of the COVID-19 outbreak.
According to Gartner, the worldwide number of IoT-connected devices is projected to increase to 43 billion by 2023, an almost threefold increase from 2018. In five years, the attack plane of a CSP’s network has grown exponentially, as billions of IoT devices flood the market. However, in IoT’s case, millions of these devices will be connected to the network with limited or outdated security firmware. For example, it has been three years since a security vulnerability was first identified in the Zigbee low-power IoT protocol that is used in many smart lights and other IoT products, and it is still yet to be fully rectified. This shows the pervasiveness of unsecured IoT devices being connected to a CSP’s network, and with the firepower to launch a DDoS attack by a simple flick of the light switch. As we see IoT devices become more mobile and autonomous, they will also need to roam between networks and be powered by network slices, each with their own security requirements. This new risk profile of IoT devices shows that the old approaches to network security are no longer adequate.
Not only does IoT security involve managing diverse hardware, firmware, and operating systems, it may also require managing 2G, 3G, 4G/LTE and 5G communications protocols. Today’s multi-generational networks are based on different signaling protocols that create different security risks. For instance, 2G and 3G networks run on the SS7 protocol, while 4G relies on Diameter, both of which lack built-in security features such as encryption and sender authentication and are more prone to spoofing.
5G networks have taken positive steps by building upon proven 4G security mechanisms, with enhancements for encryption, mutual authentication, integrity projection, and privacy. However, 5G’s built-in cybersecurity features cannot roll back the clock and plug the existing vulnerabilities found in the other networks. This is particularly pertinent as 5G coverage remains dispersed, and traffic will continue to traverse between 2G, 3G and 4G/LTE networks for the foreseeable future. While 5G may prove more secure, the same trust cannot be given when traffic crosses different networks.