How To Secure 5G — And The Internet Of Things Too

Internet of Things connectivity

The coronavirus has forced us to embrace the connected age in ways we might not have dreamed of a few short months ago. Work from home, play games (online) from home, bank from the comfort of your couch — because the bank branches are closed, of course.

The questions remain, though, as 4G gives way to 5G, as hackers target us with new attack vectors as commerce and daily life go increasingly online … is the infrastructure underpinning it all robust enough — and is it safe?

Jonathan Knudsen, senior security strategist at Synopsys, said in an interview with PYMNTS that a secure, standardized security framework can help various ecosystems move toward 5G with confidence.

Some high-level numbers show the appeal of 5G. The wireless technology is between 10 to 100 times faster and more data rich that the 4G that we are accustomed to.

If there’s been one positive of the coronavirus pandemic, it’s been that, as Knudsen said, the internet has worked — so far at least.

“We’ve really never had to test of it on this scale,” he said of the tech backbone that underpins all manner of devices. “The design of this, this thing dates back to the early ‘70s and we’re still running on this essentially very old technology.”

We’re a long way from flying cars, smart highways and predictive maintenance, but telemedicine is quickly becoming the norm, at least when it’s possible to have low latency and high security.

As Knudsen said, looking ahead, beyond the lure of speed on the 5G network, there is more capacity. There also will be more devices, of course, that will run on the network.

“From a cybersecurity standpoint, things haven’t really changed that much,” he said, “so, the challenges remain the same.” As he told PYMNTS, the key challenge is to make sure that the systems and devices are better than reasonably secure before they go on the 5G network in the first place. That challenge is intensifying as 4G gets ready to give way to 5G.

Adding devices boosts vulnerability, he said. Each one of those devices represents a possible point of attack for hackers and fraudsters. There are hundreds of millions of devices now that can, conceivably, be compromised, in some way — and there will be billions of devices in the future.

The challenges of cybersecurity, he said, are the same whether from the standpoint of a manufacturer building an Internet of Things (IoT) device or from a healthcare company that is building devices that will be used by providers or a telecom company building network equipment.

“The key question,” Knudsen said, “is how do you build that system or device in a way that minimizes risk?”

The Secure Development Cycle

To do that — to build devices and at the same time design them so that risk is (largely) mitigated — the key is to focus on what he termed a secure development life cycle.

That’s easier said than done, because OEMs may be focused on basic functionality, against a backdrop where margins are slim.

But, he said, as any given tech ecosystem becomes more reliant on software, consumers are becoming more demanding on what they expect from the technology they buy — from baby monitors to mobile phones.

The individual customer may not hold much sway over tech firms — but their suppliers do. Thus the pressure to raise the bar on security comes in the B2B realm. Knudsen said that “a company that is considering buying 10,000 devices from another firm has some leverage and power. This means if they understand what a secure development cycle looks like, and the things the manufacturer should be doing, then they can ask the right questions and apply that leverage during the procurement process.”

To gain full insight into the vulnerabilities, partnering with firms like Synopsys can help clients build a “threat model” that can identify major software components, assets, threat agents, security controls and corresponding relationships between objects as new devices move through the design stage.

As Knudsen described it, “you figure out if the system as designed helps prevent those vulnerabilities or allows them, and, and what’s the risk? No consumer is ever going to do that. To a large degree, you have to trust your manufacturer.”

Ideally, he said, connected devices should hew to a standard, and to certification, that is uniform across all manufacturers so the consumers purchasing those devices know what they have in hand has met at least minimum thresholds for security (think, for example, of the score-based model seen in Energy Star ratings).

“Having a meaningful certification would be pretty great for everybody,” he said. “Once we have that sort of knowledge, we’ll move on to the next new thing and understand the full potential of what the internet means now.”