On 27 June 2017, screens went black across the Copenhagen headquarters of A.P. Møller-Maersk. Maersk is one of the world’s biggest shipping companies, with revenue of almost US$39 billion in 2019 and operations covering 600 ships that transport around 20% of global shipping. Suddenly, all of its giant operations had to completely shut down when its computer networks went offline.
Maersk had just become one of the most prominent victims of NotPetya, a global ransomware attack, which seems to have originated in Ukraine. According to the White House, it caused around US$10 billion in damage when companies like Maersk (alone losing US$300 million), along with factories, ports, and hospitals, were forced to shut down.
These types of crippling attacks on critical infrastructure might become ever more prevalent in the future. And a new way in which they could spread is through mobile networks that are connecting factories, hospitals and logistical hubs together. The next NotPetya might be spread through a 5G network.
Definition of cyber security
The EU Cyber Security Act of 2019 defines cybersecurity as: “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats”. It can therefore encompass a variety of attacks, from phishing to DDoS attacks, and involve a variety of actors, ranging from criminal to politically motivated groups.
With respect to 5G, one major future threat is the disruption of the networks and cyber-physical infrastructure that large parts of Western economies and society may become dependent on.
Vulnerabilities of 5G-networks
5G networks will connect a range of industries and verticals, such as mobility, factories and hospitals, that have previously only been connected in a limited way. As a result, the “attack surface” available to potential malicious actors increases, as do the possible impacts of attacks. An attack on this type of critical infrastructure could do much more damage than existing cyberattacks have been able to achieve so far.
5G networks will move away from centralised, hardware-based architectures and protocols for routing data traffic to distributed ones that are software-defined. Additionally, the substantial expansion of bandwidth that makes 5G possible creates additional avenues of attack. Low-cost, short-range, small-cell antennas deployed throughout urban areas become new physical targets, and the “tactile internet” might also become a battleground.
At the same time, the movement of, and access to, vastly higher quantities of data broadens attack surfaces. With the number of IoT devices growing fast, driven by an “explosion” of consumers, this large surface presents a security threat. Together with the increased attack surface, supply chain complexity and a lack of vendor diversity also pose security risks.
The European cybersecurity agency ENISA made the following threat landscape for 5G, listing the possible ways in which 5G networks could be breached.
One way a 5G network could be breached is a so-called supply chain attack. Here attackers would compromise the software of a vendor, which could then be spread in the broader 5G networks of the operators, possibly through an automatic software update.
One example of such a supply chain attack in another area is the SolarWinds hack. Here, attackers managed to infect the Orion network-monitoring software of the company SolarWinds, which was used in a range of large companies and government institutions. By doing this, they could, in turn, access the networks of all these institutions, infecting at least 18,000 networks in the process.
The EU toolbox for 5G-security defined five main threat categories for 5G networks.
These risks are quite diverse – they can range from a simple misconfiguration of the network, or a badly-designed vendor product opening up vulnerabilities, all the way up to criminal groups, and even states, exploiting 5G. A high-level risk would, for example, be the disruption of essential services (like electricity) due to telecom networks being compromised.
The growing digitalisation of the economy and society as a whole has also triggered changes in warfare. With the use of digital attacks aimed at disrupting vital computer systems becoming more common during the last few decades, the world has, in parallel, experienced the emergence of cyber warfare.
5G increases the complexity of cyber warfare because ambiguous, ever-present and cheap 5G-enabled devices can be hacked, weaponised, or repurposed for warfare. For example, drones (as IoT devices) can be used as delivery drones, but could also be repurposed and used for warfare (e.g. hacking a fleet of delivery drones and turning them into a swarm of attack drones).
The response of the EU member states, especially those reported in the media, has so far mainly focused on Chinese vendors.
- European countries like France, Sweden and the UK have chosen to completely, or in part, exclude Chinese vendors from their 5G networks.
- The telecom industry, particularly the operators, has been pushing for higher technical security standards, without excluding specific vendors. Here, the fear is that less competition in the market will drive up prices and slow down innovation. Besides this, they also argue it will be costly and unwieldy to remove Chinese equipment from networks. The GSMA, which represents telecom operators, claimed for example that excluding Huawei from European markets would increase the price of European 5G networks by €55 billion, and delay the rollout by 18 months. UK operators BT and Vodafone also said it would cost billions of pounds to remove Huawei equipment from their networks, after the UK took steps to exclude the Chinese vendor from its market.
Ensuring the cybersecurity of 5G networks extends beyond choices around a vendor's country of origin. Concerns including the security and resilience of critical infrastructure and services are met by a range of corresponding actions from the EU at different levels. The European Commission serves in a supporting role here, where the member states decide on the actions themselves.
Some of the means, actors, and guidelines with which the European Commission supports the member states include:
- The EU toolbox on 5G security,
- The Directive on security of network and information systems,
- Cybersecurity competence centres,
- EU agencies such as ENISA,
- Norm-setting activity and the cyber sanctions regime,
- Cooperation with international organisations, and third countries.
The way telecom standards are made is an important component in strengthening the security of mobile networks – if there are vulnerabilities in the standards, they potentially compromise the entire network. This is why the European Commission also strongly engages with the standard-setting processes.
- Experts from the European Commission, ENISA and member states provide oversight of the standardisation initiatives.
- They support and influence standard-setting discussions at the international level, such as with 3GPP. This overlaps with what other countries, such as China, are doing to promote their own interests in these bodies.
- Standardisation-related projects funded by the EU via 5G-PPP.
- Promoting security by design.
Open standards are another way security could be improved through standardisation. They are currently being developed primarily for “economic” reasons, but they could also reduce the security risks that could be “hidden” in closed standards. In general, telecom equipment works according to closed technology. For example, a base station from a vendor might have proprietary software already installed on it from the same vendor. It would therefore be difficult to use a different company’s software for that piece of hardware. Open standards aim to counter this by improving interoperability and allowing operators to use and combine generic hardware and software that isn’t subject to vendor lock-in.
The success of O-RAN, or Open Radio Access Networks, an initiative that aims to open up the technology tied to radio access networks, encourages more manufacturers to produce equipment that satisfies unified, global standards. Beyond the need for open standards, there is a need for open-source monitoring tools, as well as open-source APIs. By making things open source, more people could check these systems to improve their security.
In conclusion, a range of actions are possible, and some are already being taken, to improve the security of 5G networks. In turn, these might help prevent attacks from compromising the critical infrastructure we depend on.