With fifth-generation wireless networks starting to be deployed this year, the issue of 5G security was in focus at the Mobile World Congress in Barcelona. Unlike upgrades of wireless networks in the past, 5G will deliver not just faster speeds and low latency but also open up a new realm of possibilities such as connected cars and devices.
Despite telcos’ enthusiasm to roll out the network, they are still trying to secure them as much as possible for a better experience. Dr. Ibrahim Gedeon, CTO of Canadian telecom provider, TELUS, spoke to Telecom Review about how TELUS is operating to secure its 5G networks and the cybersecurity challenges operators are facing in their journey to commercially roll out 5G.
Dr. Gedeon stressed that security is not a one-time event but rather an ongoing journey where operators have to constantly invest in cybersecurity measures to keep their networks as secure as possible.
5G wireless technologies are promising faster speeds and greater reliability. However, there appears to be a growing consensus within the ICT ecosystem that there are a number of security concerns that need to be addressed before 5G networks are launched. As the CTO of a major operator, can you tell us what your views are on the security vulnerabilities and challenges of 5G?
I would like to start by saying that 5G is inherently more secure than previous generations. At TELUS, we believe that security includes operational, design and cyber aspects. The fact that 5G disaggregates the various components and localizes the access and part of the traditional core provide operators with major resiliency.
Operationally, TELUS adopts a “secure-by-design” framework, so our plan for 5G is to ensure the sensitive network areas are secured through dual vendors in basic areas and distribution of the control plane of the network. From a cyber point of view, we are actively working with the likes of NGMN and GSMA towards universal testing and threat modelling for continuous strengthening of 5G and our deployment of it.
What does ‘secure’ mean to you? Is your 5G network ‘secure’ when you get approval from your government, or perhaps a governing body like the GSMA?
Our relationship with the federal government and agencies like the Canadian Communication Security Establishment (CSE) is very collaborative and based on sound technical analysis. TELUS operates a national infrastructure, and we have a self-imposed responsibility to ensure we operate secure networks. It’s critical that what we deploy is coordinated with CSE.
A secure network for us is simply identifying the areas that carry sensitive control and data, and securing that. Bodies like the GSMA reinforce our plans and design, and acknowledge that creating a global approach will help to reduce the effort and cost for operators and vendors.
We know that 5G is going to be a ‘key enabler’ for driverless vehicles and autonomous transportation. However, if those connections are not secure, then the risks will be immense. How do you determine your 5G network is verifiably secure? What tests and research will you conduct to ensure the network is bullet proof from potential threats? What’s the best way to achieve verifiability and transparency in this process?
I believe that the wireless networks, starting with 3G, have become more important for critical traffic, and that has continued with 4G. It will officially “come home to roost” for 5G. As an operator that adopts “secure-by-design” networks and services, our work on security is now in its third generation.
We collaborate on a pan-Canadian level with all operators on the Canadian Security Telecommunications Advisory Committee (CSTAC), a body representing all domestic operators, CSE, and Innovation, Science and Economic Development (ISED) Canada. Also, we are active with NGMN and GSMA on global threat analysis and testing, and we conduct our own independent vendor testing and work with global research universities.
It is important to remember that security is a journey and not a one-time event. 5G introduces new challenges across a wide-range of areas that will require new security measures and continued diligence, whether it’s across authentication and onboarding of IoT and bring-your-own-device scenarios, eSIM and subscriber management, or a transformed RAN—especially given the potential to change radio access to something akin to a plug-and-play component through initiatives like Open RAN. Unfortunately, these scenarios get overlooked and pale in comparison to the 5G security hype that is currently more political than it is technical.
How long does the 5G network need to be secure for and what category of threats is it tailored towards combating? Some industry experts believe that if we want 5G networks to be secure for more than three years, then we need more research. Do you subscribe to this viewpoint?
As I said earlier, 5G security is a continuous journey and not a one-time event. I subscribe to the view that like-minded operators need to invest in global threat modelling so we can ensure as many use cases as possible are captured and mitigated, and the appropriate standards are developed to address them in advance.
In your expert opinion, what is the most complex and acute cybersecurity challenge for operators seeking to commercially deploy 5G networks?
I think it’s critical to have global alignment on what areas need to be secured, and these are in constant motion as the 5G ecosystem matures and more services are developed. I believe one of the biggest challenges is going to be the fragmented approach of vendors towards what they define as “secure”—that, in concert with the fact that operators globally have deployed in a unique-enough fashion to render reuse and threat modelling sharing not very effective. So, we are excited about what NGMN published six months ago and what the GSMA is doing to provide a global framework that the operator and vendor community can adopt to protect networks. In my humble opinion, these efforts make 5G by far more secure than its predecessors.