SIMalliance is the global non-profit organisation that promotes the essential role of a dedicated tamper resistant hardware module in delivering secure mobile applications and services across all devices that access wireless networks. Earlier this year it drew up a high level analysis of the main potential market segments where 5G will have a transformational impact and assessed the diverse security requirements for those markets.
The results were laid out in a marketing white paper, An Analysis of the Security Needs of the 5G Market. The paper focuses on four main segments for 5G: massive IoT, critical communications, enhanced mobile broadband and network operations (which underpins the three other areas). These are the segments defined by standardisation body 3GPP, which is working on 5G technical standards.
Across these segments, threats range from cloning in massive IoT, to denial of service in critical communications, to man-in-the-middle attacks in enhanced mobile broadband, and many more.
The massive IoT segment in particular, and its close neighbours, the critical machine type communications and vehicle-to-X sub-segments, are extremely broad, covering not just M2M but consumer-based services too. Typical use cases are highly varied and may include drones, driverless cars, home appliances, some wearables and machine type communications including metering, sensors and alarms.
Clearly this is a very broad selection of use cases. As a result, operational and security requirements will vary.
Security requirements in this segment will be based around devices, the network and the backend. That means that the following high-level types of security requirements can be distinguished:
- Network access security
- Network application security
- Service layer security
- Authenticity, integrity and confidentiality of data transmitted at different network layers
Communications may be either:
- long range, low power, low bandwidth and infrequent or
- focused on speed.
Devices may connect to the network either directly or indirectly, for example via a gateway.
Data may encompass geolocation data, sensor data such as meter readings and private consumer data. Location and privacy protection for data must be enforced, for example in the case of a meter, to ensure that a thief cannot determine whether the premises are unoccupied.
In use cases such as smart metering the data transferred needs to be protected against manipulation, because, compared to voice communications, data can be more easily attacked and modified. Since the value frequently comes from the integrity of the data, integrity protection becomes more important for 5G IoT.
Because these devices are connected to the network, if they lack adequate security, they could be used as an entry point to the network for attackers who may have little interest in the device or service itself.
There is also a risk of equipment cloning, leading to abuse of network resources, or of equipment hijacking, leading to potentially massive attacks that overload the network and result in denial of service. Carefully managing the identity and integrity of the device and securing its authentication to the network is therefore key to ensuring good network quality of service.
Managing initial network connectivity securely will require secure provisioning of unique device and user identities for both network and service level access, network and service authentication credentials and communication cryptographic keys as well as application identifiers.
Managing identities on the network will require identification of the application and corresponding application provider. It will also need secure storage of the unique identity on the device.
Mutual authentication of the device and network will also be necessary (it has been mandatory since 3G), as may mutual authentication between applications and their service platforms.
In other sectors needs will differ too. For example, critical communications will require much more frequent authentication than IoT and will often involve far more sensitive data. In enhanced mobile broadband and in critical communications, performance demands may open the way to enhanced and highly efficient security mechanisms.
So it is fairly clear that according to the demands of the segment, a broad range of security solutions or changes in feature sets of those solutions will be needed. That’s precisely why SIMalliance proposes that dedicated tamper resistant hardware may offer value in many aspects of 5G.
Of course, there is a significant risk of falling short if we look only at the security and privacy challenges on the device side. A compelling concept for 5G must provide a solid proposition for the end-to-end perspective that copes with the mission-critical aspects of interoperability and with scalability challenges.
What is certain, however, is that it is vital to build security into 5G from the outset, for what is not built in from the beginning cannot easily be added later on.
SIMalliance has already started work on a follow-up security requirements paper that will be published later in 2016. Industry engagement is sought on this initiative, to ensure that many voices, representing differing requirements, are involved in fine-tuning the vision of the role hardware-based device security will play in protecting 5G networks and the many new services that will be deployed across the various market segments.
For more information on SIMalliance and the work it is doing to define security requirements of 5G, please visit http://simalliance.org