While awareness of 5G-related cybersecurity risks is high among enterprises, more needs to be done to prepare, according to a new report from AT&T’s cybersecurity unit, which suggested implementing tools like virtualization and automation.
In AT&T’s most recent Cybersecurity Insights Report, based on a survey by 451 Research, nearly three-quarters of respondents indicated medium-high or high level of concern in terms of the potential impact of 5G on security and 76% expect brand-new security threats to emerge from 5G.
The communications market was most concerned, with 54% expecting 5G to have a very significant impact on the network that might require a new security stack or an entirely new set of processes, compared with 42% of respondents overall.
The survey was conducted in August and September 2019 and polled 704 security professionals located in North America, India, UK, and Australia, from organizations with at least 500 employees and across sectors such as manufacturing and construction, communications, financial services, and technology, among others.
5G is unique in that security features are baked into the 3GPP 5G standard, including stronger over-the-air encryption and subscriber identity privacy to help ensure 5G devices are connecting to the right network, but AT&T said standards alone are not enough to handle all business security needs.
With 5G comes more avenues for cyber-attacks on enterprises due in part to the potential for a larger attack surface and a greater number of connected devices, AT&T noted.
In terms of what enterprises are worried about, the aforementioned issues ranked highest for top security concerns, with 44% citing a larger attack surface due to the massive increase in connectivity, and 39% naming concern over a greater number of devices accessing the network, followed by the need to extend security policy to IoT devices (36%). See the graph below for other concerns respondents cited as top security concerns regarding 5G.
Frequency of top 3 security concerns for enterprises related to 5G. (AT&T Cybersecurity Insights Report 2019)
Most surveyed are getting ready for 5G-related security changes, with 16% already implementing changes and 38% expected to start within the next 6 months. Another 35% said they will start in the next 1-2 years. Still, three-quarters believe current security policies will either continue to be effective as 5G rolls outs (22%) or will need tweaks, but without major changes (53%).
Lack of virtualization plans
One factor the report called out was the lack of virtualization included in enterprises’ 5G plans, as only 29% said they plan to implement security virtualization and orchestration during the next 5 years.
“Most of the transitions in networking have been about faster speeds or increased capacity. 5G introduces more complex networking and is being delivered with virtualization in mind,” wrote the authors. “The latter appears to be a crucial gap in the way enterprises are preparing for 5G.”
AT&T has been a vocal proponent of virtualization and software-defined networking, and is on track to hit a previously set a target of having 75% of its own telecom network virtualized by 2020.
AT&T noted businesses can take advantage of things like software-defined networking (SDN) and network functions virtualization (NFV) to make their enterprise network nimbler and more responsive to threats.
“Virtualized security can be deployed quickly to arbitrary network locations, and when a new type of attack is discovered, the network’s ‘immune system’ can respond immediately by spinning up a security element such as a firewall,” the report continued. “The key is that this response can be automated.”
Virtualization provides flexibility so enterprises can update security policies against new attack strategies, according to AT&T, and enables them to universally apply security changes across its footprint.
The challenge of authentication and certification of the large number of new devices connecting to networks was a top concern for 80% of respondents, but only one-third plan to implement tighter network access controls in the next 5 years, while 37% are planning new systems for device authentication.
“When it comes to device certification, even if standards become stronger, it seems a given that most manufacturers, eager to keep costs low, will satisfy only the bare minimum requirements,” said AT&T. “We can expect IoT devices to continue to have vulnerabilities such as factory-default passwords, so enterprises will want to take some responsibility for safeguarding against rogue devices.”
As devices connect from more locations, including Multi-access Edge Computing (MEC) nodes, enterprises are embracing a zero-trust security model, according to the report. Nearly 70% have either already implemented (21%) or are in the process of doing so (47%).
“Multi-edge computing in 5G creates a situation calling for distributed security controls,” according to AT&T. “This again emphasizes the importance of security virtualization, which security practitioners can use to help avert attacks that suddenly materialize at the edge.”
AT&T acquired privately-held threat intelligence firm AlienVault in 2018, and earlier this year combined it with the carrier’s cybersecurity consulting and managed security services portfolios to form the new AT&T Cybersecurity division.