Many organisations are now well versed when it comes to mitigating the cyber risks posed by standard online connectivity and remote connections. But just as organisations have got on top of one issue, another comes along to challenge them. This time it’s the turn of 5G, which has supercharged the level of interconnectivity possible.
5G has the potential to be almost 100x quicker than 4G and will soon be widely available for businesses and consumers alike. Ericsson, for instance, has predicted that by 2024 there will be a staggering 1.5 billion global 5G subscriptions, potentially reshaping the entire business landscape.
The impact will be particularly significant in sectors that are prepared to make use of the internet of things (IoT), as the number of connected devices will massively increase. Businesses need to take steps to consider how 5G may impact their operations, understanding that any new technology brings with it new risks.
Nowhere are these risks more serious than when 5G is integrated with industrial control systems (ICS), as these systems offer a route for attackers to cause destruction in the physical world via online connections. ICS range from simple automated systems, such as air conditioning units, to complex devices which operate autonomously on production lines – if a hacker were to take control of one of these systems, they could potentially cause massive damage to a commercial property facility and even risk to human life.
For instance, we recently observed a cyber-attack on an ICS at a water supply company in Florida. The hacker manipulated a system to alter the composition of the water being processed by the facility – luckily, the attack was noticed before anyone consumed the water but examples like this really drive home the potentially devastating impact these cyber risks pose.
Part of the reason why ICS are now so vulnerable goes back to their original creation. In many cases ICS were designed with business efficiency as a sole priority, with little initial consideration paid to how the connections these devices rely on could be manipulated by cyber criminals. Bearing this in mind, it is plausible that the introduction of 5G could follow a similar trend. Organisations may only focus on the dramatic speed increases made possible by 5G, rapidly incorporating the new technology without understanding that this speed brings with it certain risks.
Another concern is that many ICS may also be functioning on older more vulnerable operating systems, which may experience additional issues when integrated with 5G. 5G will also lead to many industrial devices no longer being air-gapped (housed in separate, unconnected systems), as data needs to be obtained from the connected devices to help them function. Creating these communication channels has the potential to generate routes for malicious actors to exploit and cause damage.
If this situation didn’t already sound complicated enough, the remote working revolution adds further challenges. With employees working away from on-site cyber security systems, hackers may look to target a remote worker and use them as a route into an internal system. 5G makes this issue even more prominent as the technology brings with it more bandwidth and lower latency levels, which require more processing power. Unfortunately, current protective devices like firewalls/VPNs may not be ready to deal with this level of activity, leaving systems even more vulnerable to attacks.
Fortunately for businesses looking to make use of 5G, many of the recommended risk mitigation strategies are based on the same principles as those that are already in use. Networks still need to be segregated and protected, and security controls must remain to ensure the risks are properly mitigated. Since 5G’s higher bandwidths mean more traffic, devices that enable traffic will also need to be revaluated. Standard software like firewalls and VPNs will also continue to be vital at every potential point of entry; but again, these need to be properly updated to deal with the amount of traffic made possible by 5G so they can operate effectively and keep an organisation protected.
Finally, the human element is also crucially important, as employees need to be trained and educated about the risks involved with 5G so they understand the vulnerabilities to look out for and can remain vigilant.
Deploying these strategies will leave businesses in the best position possible when it comes to dealing with the introduction of 5G. The technology will be a gamechanger when it comes to interconnectivity, driving efficiency and improving productivity in many sectors. The key, however, will be for organisations to carefully assess how the technology will impact their company’s risk profile. 5G hasn’t gone through a long period of testing in the real-world so it will be up to each company that utilises the technology to guard against the risks the added connectivity brings.
Tiago Dias, Cyber Consultant, EMEA, FM Global