There are advanced and persistent security threats coming from nation states. The intent behind these threats is not just financial. It’s to disrupt the public perception that our infrastructure is secure. The default attitude of most Americans is that the systems we rely on every day—the energy grid, transportation, the banking system, water supplies—are all extremely reliable. We expect that if we turn on the tap to make coffee in the morning, the water will flow. That if we have a flight booked for a noon departure on a Friday, the plane will be in the air with us on it within that time frame, or close to it. That if we stop at an ATM to access some cash, it’s going to function correctly and dispense some twenty-dollar bills.
That faith in reliably operational public infrastructure remains largely intact. Yet increasing waves of ransomware attacks and data breaches are beginning to sow doubts—especially among IT security professionals who are in a position to observe these incidents up close, and who work to counter them as part of their jobs. The Colonial Pipeline hacking incident in the spring of 2021 wasn’t the first ransomware attack to hit U.S.-based infrastructure, but it certainly got a ton of media coverage. And it also got the undivided attention of motorists up and down the eastern seaboard who suddenly couldn’t buy fuel when the pipeline and hundreds of gas stations shut down in the days following the initial attack.
More than any other incident, the Colonial breach fixed ransomware cyberattacks in the media and the public mind as a growing danger. That perception has only been reinforced as waves of additional ransomware attacks targeting hospital facilities and local government entities continued to surge into 2022. The Guardian reports that the number of ransomware attacks on healthcare organizations increased 94% from 2021 to 2022, according to a report from the cybersecurity firm Sophos. More than two-thirds of healthcare organizations in the U.S. said they had experienced a ransomware attack in 2021, the study said, up from 34% in 2020. Another report from Sophos documented that state and local governments confronted a spike in ransomware attacks during 2021, with nearly 6 in 10 organizations getting hit, up from one-third in 2020.
Why Is This Happening? Nation State Interests.
A favorite saying among diplomats for many years has been a quote from Charles de Gaulle that “no nation has friends, only interests.” In recent years, it has become abundantly clear that the Putin regime in Russia is interested in destabilizing western democracy. With a somewhat weak economy almost entirely reliant on oil exports, Russia understands that the tools at its disposal to realize this destabilization are limited. They can withhold oil exports from the West—which appears to be on the table as the U.S. and its European NATO allies continue to support Ukraine in its efforts to deter Russian aggression—but would have to endure the resulting domestic economic damage. Or, at much lower cost, they can direct hackers within their intelligence sector to meddle in elections, and foster gangs of digital criminals who carry out cyberattacks and ransomware in the U.S. and globally.
It remains to be seen how the Ukraine conflict and the petroleum gamesmanship play out. But there is no doubt that Russia has both dedicated state-sponsored organizations (i.e., operated by Russian intelligence services) carrying out hacking operations, as well as independent cybercrime groups that it allows to operate within its borders. The DarkSide organization that carried out the Colonial Pipeline exploit is just one of many hacker groups widely assumed—for a multitude of reasons—to be based in Russia. To be sure, Russia is not alone here. An organization known as HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least early 2021. Another group, known as OilRig, is a suspected threat group sponsored by Iran that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, but is best known for attacking energy, chemical and telecommunications infrastructure within other Middle Eastern countries the Iranian regime regards as adversaries.
Soft Targets vs Hard Targets
It’s worth taking a step back here to consider why organizations like local government entities, hospitals and public/private infrastructure providers are so heavily targeted by hackers. In the case of public entities and hospitals, it’s often the case that these organizations are not positioned to spend heavily on security technology, or budget to maintain a large, dedicated IT staff. If you’re a cybercriminal in Eastern Europe, what’s a more easily attainable objective: hacking into a Fortune 500 corporate entity with a CISO and a dedicated IT security team numbering in the dozens? Or a rural county government with a single IT person who struggles to maintain up-to-date antivirus protections on staff laptops? The Fortune 500 entity is certainly a potentially more lucrative target, but the chances of a successful breach at the county are far higher. A similar conundrum for large public/private infrastructure providers—like the Colonial Pipeline or airports, shipping facilities, and other types of campus-oriented organizations like warehouses and manufacturing facilities—is that as they adopt IoT technologies, become more digitized and add hundreds of new endpoints to their networks, their attack surfaces balloon.
Clearly, the need to improve network security—and increasingly, IoT device security—has never been more urgent. But there’s an additional factor that needs to be considered: many of these providers of public/private infrastructure are in the process of either planning for, or are already implementing, 4G and 5G networking technologies. Shipping ports, airports, rail terminals and other entities will in the years ahead swap out current Wi-Fi systems for the far higher speeds and bandwidth provided by 4G/5G. It’s no surprise that many types of enterprises are increasingly interested in owning their own wireless networks to maintain control over their data and network performance—especially entities where industrial IoT applications come into play.
In many ways, 4G/5G networking offers better security for devices and users than existing Wi-Fi technologies. Today, the most common wireless solution in warehousing and in campus-oriented settings is Wi-Fi. While Wi-Fi is relatively inexpensive, there are some significant drawbacks to relying on it for business-critical applications: latency of several seconds; poor mobility (e.g., handoff between access points (APs) throughout the facility); no design for outdoor coverage; a need for more APs for indoor coverage; and bandwidth that is high for a small number of devices but degrades significantly when multiple devices are connected.
The most recent iteration, Wi-Fi 6, incorporates encryption and other security features, but Wi-Fi is still widely regarded as less secure than 4G/5G networks. In fact, 4G and 5G solutions provide superior performance to Wi-Fi across the board. Take Betacom’s 5GaaS CBRS 4G/5G private wireless solution—it’s based on LTE technology and designed end-to-end for superior network performance (latency 20-40 milliseconds, bandwidth ~90-270 Mbps) and security. Because we manage the service with 24×7 network and security monitoring, we back the solution with an enterprise-grade SLA. 5GaaS is roughly double the cost of Wi-Fi solutions, but you gain a managed service that offers reliable network coverage, superior network performance, and best-in-class security for business-critical applications. The remaining question for organizations considering rolling out their own 4G or 5G networks is whether these security protections will hold fast once millions of users start connecting billions of devices on these networks. There are many reasons to think that they will.
Network Security and the 4G/5G Ecosystem
Built on global standards that have been hardened for years, 4G networks use SIMs/eSIMs and multifactor authentication to help ensure authorized access to the network. 5G adds new protections at the device, radio and core network layers—especially at the DNS layer—to authenticate and isolate devices, making it possible to securely deploy a wide range of machines, robots and sensors to enable Industry 4.0 and industrial IoT business cases.
A private 4G or 5G network offers superior security due to the strong authorization, authentication and access control features. In particular:
- The 5G network uses data encryption and integrity protection mechanisms to protect the data transmitted by the enterprise, prevent information leakage, and enhance data security. Both signaling plane and user plane traffic are encrypted, leveraging the strong and well-proven security algorithms from 4G.
- Adoption of Software-Defined Network (SDN)/Network Function Virtualization (NFV) in the architecture of 5G systems facilitates the virtualization of traditional security functions like firewalls, access authentication, SSL, etc. These services can be deployed with increased flexibility, providing improved security.
- 5G introduces a new network architecture element, the Security Edge Protection Proxy (SEPP). The SEPP protects the enterprise network edge, acting as the security gateway on interconnections between the private enterprise network and outside networks to prevent tampering or eavesdropping.
- Use of Edge Computing supports the ability to localize and isolate data traffic, allowing information to be kept entirely within the customer premises. This gives the enterprise complete control of data flow, without dependency on external elements for communication. It is also possible to localize and isolate the ‘control plane’ from the ‘user plane’ for enhanced protection from external attacks.
- For time-critical applications the 5G private network can be transparently integrated into one or more ‘Time Sensitive Network’ bridges to safeguard time-sensitive communications from network attacks. This process ensures correct ongoing operation of both the 5G network and time-critical industrial devices and applications, particularly benefiting use cases requiring 5G Ultra-Low Latency and Reliable Communications.
- A new authentication framework is introduced with 5G, which allows the enterprise to provide secure ‘plug-in’ device authentication procedures. Importantly, this enables an enterprise to manage identity and access from its own protected IT systems.
- Proven SIM/eSIM technologies can also be used for authentication, authorization and access control, efficiently offering higher security than typical approaches using Wi-Fi keys or MAC address controls.
- 5G improves protection of device identity ‘over-the-air’, including protection against false base stations. 5G networks use a combination of ‘SUPI’, a Subscription Permanent Identifier, and ‘SUCI’, a Subscription Concealed Identity, to manage the identity of devices. This combination provides privacy-preserving protection of device and user identity, ensuring that the true identity cannot be stolen. This control also prohibits moving a 5G SIM from one device to another without changing security keys.
- Network management can be decoupled so that the enterprise can outsource infrastructure management to a managed service provider, which can apply its world-class knowledge in monitoring and maintaining security to the private network.
All these features and technologies will help public/private infrastructure better secure themselves from nation state actors in the years ahead. But by no means will they offer comprehensive protection from security threats carried out by dedicated teams that can persist in their efforts over many weeks or months. The nature of 4G/5G—massive upgrades in networking speeds and bandwidth—is such that the organizations rolling out their own private 4G/5G networks will essentially become distinct providers of broadband telecommunications. As such, they will need to adopt the proven practices and techniques for securing telecom infrastructure that have evolved over many years. We recommend the following steps and best practices:
1. First and foremost, organizations must conduct a third-party risk and impact assessment. The major telecom network providers usually engage “big four”-style professional services organizations for risk assessments, but spending huge sums isn’t necessary. The Cybersecurity and Infrastructure Security Agency (CISA) conducts free assessments, and that is an excellent place to start.
2. Physically segment the network (also known as air-gapping) so that mission-critical applications are separated from the rest of the network.
3. Diversify your cloud providers so there is not a single point of attack/failure.
4. Develop robust recovery plans.
5. Hold your vendors—equipment providers and service providers both—accountable for cybersecurity. SOC 2 compliance is a must.
6. Trust NO ONE. Monitor. Pen test. Audit. A large and vital industry of security service providers has emerged in recent years, with many organizations concentrating on attack surface management, bug bounty campaigns, managed detection and response, and other specialties. It’s smart to work with more than one vendor to engage with a variety of techniques and methodologies.
7. If an attack occurs, share real and complete information about the attack with executives and your board of directors, and where appropriate, with security industry watchdogs like MITRE ATT&CK. Their Framework has become the standard charter for identifying the adversary tactics, techniques and procedures (TTPs) employed in cyberattacks.
8. Be internally transparent about your current state of security health.
9. Run cybersecurity tabletop exercises and include executives in them.
10. Procure cyber insurance.
The DHS has many cybersecurity resources and tools for public use, as do CIS and ISO.
At first glance, the emergence of the new 5G ecosystem while ransomware attacks by nation state actors and their affiliates are at an all-time high would appear to be something of a perfect storm. At the same time there has been quite a bit of public sector and private sector action recently on stamping out ransomware. The Biden White House has been putting in place several initiatives, among them a State Department effort offering cash rewards for help in uncovering attack networks and individual hackers. Tech giants like Amazon, Microsoft, Google and Apple are teaming with the FBI and its counterparts in Europe to form a Ransomware Task Force dedicated to preventing cyberattacks. It looks like we’re headed in the right direction.
At Betacom, we’re advising our customers that private 4G provides the high performance and maximum security needed for a vast majority of today’s IIoT use cases. 5G technology will roll out in a series of releases throughout the 2020s. Until then, there is a large overlap in the advanced 4G features and the early 5G features available today. The real need for advanced 5G features will come in future releases for use cases that require sub-10-millisecond latency and robust bandwidth over 500 Mbps (think of truly autonomous vehicles running on highways or advanced virtual reality applications). In the meantime, there are challenges with 5G. The radio and device ecosystem is not mature, so, as with any new technology, the cost of 5G radios today is roughly 3X more than 4G, and device compatibility can be a challenge. Partly due to the ongoing global supply issues with microchips, the CBRS-enabled 5G device ecosystem isn’t expected to mature until 2024/2025. But for organizations that are ready to make the leap to private cellular technology, Betacom can help you decide the right path and will recommend a network design that optimizes value, performance and the timing of your business requirements for maximum ROI.