5G: security from the outset

Paul Bradley

An exclusive article by Paul Bradley, chairman, 5G Working Group, SIMalliance.

It is early days for 5G. Yet the many and varied players who together form the Internet of Things industry do appear to have a clear vision of services that they hope 5G will facilitate. Much remains to be determined, however, on the technical front, with standardisation activities just beginning.

One thing is clear though. Security and privacy will remain fundamental requirements, particularly since the changes 5G is expected to bring are likely to broaden the range of attractive attack targets.

Indeed, a wider range and an increasing number of types of actor and device with differing security postures will become involved, requiring superior attack resistance to new types of threat. The use of cloud and virtualisation may become more prevalent. Trust models will change.

That means that security methods currently applied to 4G and below will most likely have to be extended both to meet the performance and power efficiency requirements and lifespan of 5G and to match and exceed the high levels of trust and security previous generations of telecommunications technologies have enjoyed.

Massive IoT is one of the main application segments for 5G identified by standardisation body 3GPP. As a segment, it is especially broad, covering not just M2M but consumer-based services too, and as a result it will pose a wide range of technical and security requirements.

It is likely to consist of an ecosystem of billions of potentially very low cost devices such as sensors or trackers. Typical use cases may span home appliances, some wearables and machine type communications including metering, sensors and alarms.

As a result, operational and security requirements will vary. For example, communications generally will be long range, low power, low bandwidth and infrequent. However, in neighbouring segments such as critical machine type communications, covering drones, and vehicle-to-X, speed will be essential.

Some industrial devices may only send a few bytes of data once a day, without any urgency concerning speed of sending or response. Driverless cars on the other hand may communicate continuously while in use with very high speed and low latency requirements.

Data is likely to encompass geolocation data, sensor data such as meter readings and private consumer data. Location and privacy protection for data must be enforced to ensure, for example in the case of a meter or a home monitoring system, that a thief cannot determine whether the premises are occupied or not.

Devices may be connected to the network either directly or indirectly, for example via a gateway. How this is done may have implications for security requirements.

Security requirements in this segment will be based around devices, the network and backend. That means that the following high-level types of security requirements can be distinguished:

  • Network access security
  • Network application security
  • Service layer security
  • Authenticity, integrity and confidentiality of data transmitted at different network layers

These requirements will include secure authentication to network resources and security, integrity and confidentiality of network data.

Appropriate certification and qualification will be an important prerequisite in many use cases for those providing such devices – for example Germany already requires smart meter certification – and this is a trend that is likely to spread.

In use cases such as smart metering the data transferred needs to be protected against manipulation, because, compared to voice communications, data can be more easily attacked and modified.

But in IoT the value comes from the integrity of the data, so integrity protection becomes especially important for 5G IoT. In particular, mechanisms previously developed in 3G and 4G primarily to protect voice need to be enhanced.

The service layer security necessary has to be based on the nature of the service rather than the constraints of the device. However, at this point, some of the newer entrants to the sector seem either to be unaware of the need for anything more than negligible security, irrespective of the service, or unwilling in the start-up phase to commit to the cost of implementing adequate security. This has led to a rash of headlines and critiques about security breaches.

Because these devices are connected to the network, if they lack adequate security they offer the possibility of being used as a way in to the network for attackers, who may have little interest in the device or service itself except as an entry point.

Managing initial network connectivity securely will require secure provisioning of:

  • Unique device and user identities for both network and service level access
  • Network and service authentication credentials
  • Communication cryptographic keys
  • Application identifiers.

The content of the securely provisioned data will likely depend on the devices’ location as well as agreements between integrators, service providers and mobile network operators.

Managing identities on the network will require identification of the application and corresponding application provider. It will also need secure storage of the unique identity on the device.

Mutual authentication of the device and network will also be necessary (it has been mandatory since 3G), as may mutual authentication for applications back to their service platforms.

There is also a risk of equipment cloning, which could enable massive attacks that overload the network and lead to denial of service. Carefully managing the identity of the device and securing the authentication to the network is therefore key to ensuring a good network quality of service.

As with all the major classes of use case defined by 3GPP (massive IoT, critical communications, enhanced mobile broadband and, underlying all these segments, network operations), massive IoT poses a range of security challenges and requirements.

SIMalliance believes for all these reasons that it is vital that security is built into 5G from the outset. It has just published a marketing paper, An Analysis of the Security Needs of the 5G Market, outlining its view of the security needs of each 5G segment. It is now starting work on a follow-up technical security requirements paper that will be published later in 2016.

Industry engagement is sought on this initiative, to ensure that there are many voices, representing differing requirements, involved in fine-tuning the vision of the role hardware-based device security will play in protecting 5G networks and the many new services which will be deployed across the various market segments.

For more information on SIMalliance and the work it is doing to define security requirements of 5G, please visit http://simalliance.org/
