Oct 26 2020

The Defenses Agencies Need for Internet of Things and 5G Networks

Federal agencies are rolling out more IoT and 5G wireless deployments. What are the best ways to protect such technologies?

Several years ago, the Internet of Things was getting all the buzz in federal IT circles when it came to networking. Today, it’s 5G.

Increasingly, agencies are deploying IoT and 5G wireless networks to support innovative applications and connect devices. However, like all federal networks, IoT and 5G services need to be protected against cyberattacks.

October is National Cybersecurity Awareness Month, and the theme for the fourth and final week is “The Future of Connected Devices,” with a focus on 5G and how the world of connected devices will evolve.

Although these realms of networking are still developing in the federal IT environment, there are clear guideposts that federal agencies can look to in order to protect both IoT and 5G networks.

The National Institute of Standards and Technology has produced a preliminary guide on 5G security; the Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency, has issued its own 5G security strategy.

Meanwhile, when it comes to IoT cybersecurity, in May NIST released a document describing how IoT device manufacturers can enhance security for such devices.

How to Ensure 5G Networks Are Secure

In an April report, the National Cybersecurity Center of Excellence, a part of NIST, note that 5G is going to be a different kind of wireless network technology.

“In previous evolutions of mobile broadband technology, speed and throughput have been the key drivers, but 5G will become a ubiquitous technology, providing new capabilities tailored to specific use case scenarios stemming from industry verticals such as autonomous vehicles, smart manufacturing, and smart cities,” the report notes.

Additionally, 5G networks have a fundamentally different architecture than previous cellular networks, the report adds. Those differences bring elements of enhanced security to the network infrastructure itself. The NCCoE notes that 5G network cores introduce the notion of service-based architecture in cellular networks.

“This modern design is a fundamental shift in how new services are created and how the individual Network Functions (NFs) cooperate,” the report notes. “Not only is the core network decomposed into smaller functional elements, but the communication between these elements is also expected to be more flexible, routed via a common service bus, and almost completely deployed using virtualization and containerization technologies.”

5G core components may be packaged and deployed as virtualized or containerized network functions dependent on commodity compute platforms, the report notes. 5G will also have an increased use of common security protocols, such as Transport Layer Security, Internet Protocol Security and JavaScript Object Signing and Encryption, that include their own sets of recommended practices.

There are other elements of 5G architecture that enhance network security, including subscriber privacy, user plane integrity protection, Centralized Unit/Distributed Unit splits, enhanced authentication and protections provided by native IP-based security protocols, the report notes.

CISA’s 5G strategy document is more operational and lays out strategic initiatives to help secure 5G networks.

Those include supporting 5G policy and standards development by emphasizing security and resilience and expanding situational awareness of 5G supply chain risks and promoting supply chain security measures.

“High-risk vendors and untested components have the potential to increase the susceptibility of the 5G supply chain to unique and complex risks,” CISA notes. “Management of these risks will require timely and actionable 5G supply chain risk management information sharing.”

To defend against these vulnerabilities, CISA will work with the Information and Communications Technology Supply Chain Risk Management Task Force, a public-private supply chain risk management partnership, “to develop a framework for assessing and communicating risks.”

How to Secure IoT Devices and Networks

According to an August Government Accountability Office report, many federal agencies (56 of 90 surveyed) reported using Internet of Things technologies.

Most often, agencies reported using IoT to control or monitor equipment or systems (42 of 56), control access to devices or facilities (39 of 56) or track physical assets (28 of 56) such as fleet vehicles or agency property.

IoT devices are also being used to monitor water quality, watch the nation’s borders and control ships in waterway locks. Furthermore, IoT use by federal agencies may increase in the future, as 25 of the 56 agencies currently using IoT technologies indicated that they planned to expand IoT use in the next five years.

“IoT can also enable the collection and analysis of data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events,” NIST says in its May report.

However, as NIST notes, “IoT devices often lack device capabilities that customers can use to help mitigate their cybersecurity risks, such as the functionality customers routinely expect their desktop and laptop computers, smartphones, tablets, and other IT devices to have.”

As a result, those that deploy IoT solutions “may have to select, implement, and manage additional or new cybersecurity controls or alter the controls they already have.” An agency may not know it needs to alter existing processes to accommodate the unique nature of IoT devices.

“The result is many IoT devices are not secured in the face of evolving threats; therefore, attackers can more easily compromise IoT devices and use them to harm device customers and conduct additional nefarious acts (e.g., distributed denial of service [DDoS] attacks) against other organization,” NIST notes.

Before devices are sent out to agencies or other users, NIST recommends IoT device manufacturers identify expected customers and users and define expected use cases. The report also recommends that manufacturers research their customers’ cybersecurity needs and goals.

Another recommendation is to “determine how to address those needs and goals by having their IoT devices provide particular device cybersecurity capabilities in order to help customers mitigate their cybersecurity risks.” A fourth recommendation involves “appropriately provisioning device hardware and software resources to support the desired device cybersecurity capabilities.”

IoT device manufacturers can also do a better job of communicating cybersecurity risks to those using the devices.

A separate NIST publication, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” notes that a core goal of IoT security is to “prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment.”

Another is to protect the confidentiality, integrity, and/or availability of data that IoT devices collect, store, process or transmit. A third goal is to protect individuals’ privacy impacted by personally identifiable information processing “beyond risks managed through device and data security protection.”

EXPLORE: What are the benefits of next-generation endpoint protection solutions?

ipopba/Getty Images