A recent report from the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Office of the Director of National Intelligence, warns of three major threat vectors that can potentially imperil 5G networks.

The report, titled Potential Threat Vectors to 5G Infrastructure, details outcomes from the 5G Threat Model Working Panel, which was launched under the National Strategy to Secure 5G to analyze weaknesses in 5G infrastructure. The panel examined current 5G projects for possible risks, identified, and created mock situations for 5G implementation. They then determined the risks, which include the following.

Policies and Standards

Within the policies and standards threat vector category, the report found a pair of sub-threat vectors related to open standards and optional controls when creating the foundation for 5G infrastructure. Standards developed by “adversarial nations” that include “untrusted technologies and equipment that are unique to their systems” could contain untrustworthy technology that might hinder competition and interoperability. The report also found that adopting optional security controls help to protect networks from hackers.  

“Nation states may attempt to exert undue influence on standards that benefit their proprietary technologies and limit customers’ choices to use other equipment or software,” the report states. “There are also risks associated with the development of standards, where standard bodies may develop optional controls, which are not implemented by operators. By not implementing these subjective security measures, operators could introduce gaps in the network and open the door for malicious threat actors.”

Supply Chain Risks

The report points to the 5G supply chain as a second vector threat, especially because the race to sell new devices creates a large market for counterfeiters. The report states that bad actors can use supply chains to “exploit information and communications technologies (ICTs) and their related supply chains for purposes of espionage, sabotage, foreign interference, and criminal activity.” 

Supply chain sub-threat vectors include components passed on from third-party suppliers, vendors, and service providers. Because flaws and malware introduced early in development are tricky to spot, lead developers may mistakenly approve flaws or malware. Malicious actors could later exploit these vulnerabilities. 

5G Systems Architecture

Despite IT and communication companies ramping up 5G security, cyber criminals can still exploit “both legacy and new vulnerabilities”. 

“For example, the overlay of 4G legacy and 5G architectures could provide the opportunity for a malicious actor to carry out a downgrade attack, where a user on a 5G network could be forced to use 4G, thereby allowing the malicious actor to exploit known 4G vulnerabilities,” according to the report. 

Additionally, 5G networks are utilizing a larger range of information architectures than ever before. Features of such architectures include configuration, spectrum sharing, software-defined networking, and multi-access edge computing. This can give hackers a greater ability to target systems and networks. For example, a firmware vulnerability could allow a hacker to penetrate the multi-access edge computing (MEC), swipe private data, and alter and even deny access to data.

5G Networks

As technology continues to evolve toward 5G, it’s vital for technical professionals and industry leaders to understand how to deliver on the 5G vision while meeting consumer demand for higher communication speeds. Is your organization ready? Consider training your team with 5G Networks, a three-course program from IEEE and Nokia.

Connect with an IEEE Content Specialist today to learn more about the program.

Interested in learning more about 5G for yourself? Visit the IEEE Learning Network today!

Bridging the 4G/5G Gap

Prepare your organization for 5G, the next generation of wireless network technology. The IEEE two-course program, Bridging the 4G/5G Gap: Telecommunications Roadmap for Implementation, provides a historical overview of 4G/5G technology, identifies what is needed for 5G integration in a 3G/4G world, and showcases the scientific evidence surrounding wireless facilities’ impact on property value and human health, and more.

Contact an IEEE Content Specialist today to learn more about getting access to these courses for your organization.

Interested in the course for yourself? Visit the IEEE Learning Network.

Resources

Kanowitz, Stephanie. (18 May 2021). 5G infrastructure faces foundational threats. GCN.

Currently, 200 million digitally “connected vehicles” are traversing the world’s roadways, according to a recent white paper from the 5G Automotive Association (5GAA). By 2024, real-time traffic updates will be possible thanks to road infrastructure that will be digitally connected. By 2026, advanced vehicle-to-vehicle (V2V) capabilities will help bring automated vehicles another step closer to reality.

Today’s vehicles contain more software than ever before, as well as a constellation of automotive systems in their power locks, brakes, windows, entertainment, steering, and other features. Future vehicles will come equipped with advanced autonomous capabilities and driver-assistance systems (ASAD) that will make them even more complex. 

These developments are happening rapidly. According to the research firm Frost & Sullivan, over 18 million new autonomous vehicles will be road-ready by the end of the decade. However, without appropriate regulations and advanced security features, these vehicles can become easy prey for hackers. With this in mind, many governments and automakers have already begun to take cyber security seriously. 

Standards and Regulations

The United Nations Economic Commission for Europe (UNECE) is in the process of developing automotive cybersecurity regulations. Known as WP.29, the regulation would enhance cyber security and software updates in vehicles. It will be mandatory for all vehicle manufacturers in the European Union beginning July 2024. While manufacturers in Korea and Japan have agreed to comply with WP.29 within their own timelines, manufacturers in North America won’t be required to adhere to them.

Additionally, the International Organization for Standardization (ISO) is working on ISO/SAE 21434, a standard that aims to establish “cyber security by design” from the initial phase of a vehicle’s design. The organization is also working to establish ISO 24089, a standard that would regulate software updates in vehicles.

Five Top Cyber Security Threats for Automakers

In order to ensure their designs are safe from cyber security threats, vehicle manufacturers have five main concerns they will need to consider, according to Security Intelligence. These include:

  1. Complexity: Future vehicles will come equipped with interconnected architectures containing embedded telecommunications that will make them challenging to secure.
  2. Attacks on the power grid: Recently, research has demonstrated that it would be possible for hackers to disrupt the power grid or trigger a blackout by attacking multiple electric vehicles that are charging at the same time. To prevent this, standards will need to be developed that require vehicles to undergo testing and come equipped with cyber security features.
  3. Mobile devices: Increasingly, mobile phones are being used to control the various functions and features of connected vehicles such as windshield wipers, locks, and heat/air-conditioning. These devices pose a range of security threats, such as when a user inadvertently downloads malware, fails to update their operating system, or has a faulty password. If a hacker manages to take control of their phone, it wouldn’t be difficult for them to take control of the vehicle.
  4. Untrained employees: In order to ensure cybersecurity is secure across all facets of a vehicle’s design, every employee engaged in the design process must be adequately trained in cyber security.
  5. Securing financial features: Since many hackers will likely be motivated to steal financial information from drivers, special attention must be given to financial security features such as payment for fuel, tolls, and subscriptions.

Change is often difficult, but vehicle manufacturers will need to adjust to international regulations and standards in order to gain the public’s trust. By getting a head start in the process now, they can ensure their vehicles are safe when they’re ready to hit the roads.

Protecting Vehicles

As the automotive industry continues to work on intelligent and autonomous vehicles, there is a need to better comprehend the safety and security of this connected technology. Automotive Cyber Security: Protecting the Vehicular Network is a five course program that aims to foster the discussion on automotive cyber security solutions and requirements for not only intelligent vehicles, but also the infrastructure of intelligent transportation systems.

Contact an IEEE Content Specialist today to learn more about getting access to these courses for your organization. 

Interested in the course for yourself? Visit the IEEE Learning Network.

Resources

Dhami, Indy. (2 October 2020). Top 5 Threat Vectors in Connected Cars and How to Combat Them. Security Intelligence. 

Grau, Alan. (28 September 2020). Cybersecurity is Imperative for Connected Cars. Electronic Design.

Kohler, Arndt. (24 September 2020). Automotive Cybersecurity: New Regulations in the Auto Industry. Security Intelligence. 

O’Halloran, Joe. (10 September 2020). Connected vehicle association makes call for wireless spectrum to develop use cases. ComputerWeekly.com.

While large-scale corporations likely have provisions in place for cyber threats, many smaller enterprises simply believe they’re too small to face cyber attacks, leaving them extremely vulnerable.

Under-investment in skills development coupled with a massive spike in outsourcing for more than a decade has left the industry with a growing shortage of skilled cyber security specialists. There’s now escalating demand for cyber security skills and a shrinking pool of resources – a shrinking pool that is able to demand ever higher rates, making essential cyber security unaffordable for all but the largest and most successful companies.

But before you forego cyber security for your company, consider the alternative.

Devastating Consequences

The consequences of a cyber attack, particularly for a small and medium-sized enterprises (SMEs), can be devastating. Loss of revenue is the primary cause of irreversible damage, from the theft of sensitive financial information and loss of suppliers. Subsequently, the costs for recovering and reinstating business could be huge, particularly with the loss of suppliers.

Company reputation is also impacted by a cyber attack. If consumers and suppliers believe cyber security is not a priority, they’ll look elsewhere for services.

And when you consider the potential fines involved, breaches to sensitive consumer information can lead to insolvency procedures for SMEs.

Proper Provisions

Putting the proper provisions in place will help ensure preparedness in the face of a cyber attack. For starters:

  • A backup procedure will speed up recovery. If company files are encrypted, it’s easier to restore and get back up and running.
  • Updating systems regularly is key to minimizing vulnerabilities in the company’s network. Make sure all computers run on the latest installation process and communicate the necessity for doing so, particularly to staff who ignore update notifications.
  • Employee training on cyber security is essential. Accidental clicks on harmful emails are primary entry points for hackers, so staff must be trained in identifying phishing emails.
SMEs cyber security system update cyber threats to small enterprise

Ultimately, as breaches become the new norm, a strong cyber security policy will aid in a long and successful future for any size company.

Where to Start with Your Enterprise Security

Get the cyber security training your organization needs now to stay secure. IEEE’s Cyber Security Tools for Today’s Environment is an 11-course cyber security training program designed to help businesses improve security techniques. Register today to get this for your company, or explore our other courses on the subject here.

Resources

Kennedy, J. (1 Mar 2018). Cybersecurity skills shortage. CSO

Wall, E. (1 Mar 2018). Cyber security threats and provisions for SMEs. IT Pro Portal

Following several recent high-profile cyber attacks, it is more critical than ever for organizations to evaluate their cyber defenses and ask themselves a number of basic cyber security questions to assess their vulnerability.

Each year brings new technological developments that improve people’s lives. At the same time, these advances also introduce new cyber security threats and more attack surfaces.

Moreover, dwindling resources, slow budget growth, increasingly hostile threats, the evolution of the Internet of Things, and expanding ransomware are major reasons why it is becoming more difficult to keep up with the changing threat landscape. Such reasons highlight the need for renewed organizational attention to cyber security. Is your organization vulnerable to a breach or cyber attack?

To evaluate readiness, here are some of the cyber security questions every business should be asking.

  • Do You Require Employees to Use Strong Passwords?
    Weak passwords cause of more than half of all data breaches, yet just 24% of small businesses enact policies requiring employees to have a strong password. It is critical to have a strict password policy in place to protect your network.
  • Are Your Employees Required to Change Their Passwords Regularly?
    Employees must be required to change their passwords regularly to protect data. Nearly 65 percent of businesses do not strictly enforce their password policy, despite having one in place.
  • When Possible, Does Your Business Use Two-Factor Authentication?
    Wherever possible, you should add an additional layer of data security by enforcing two-factor authentication, such as SMS authentication.
  • Are Employees Using Their Personal Smartphones for Work Purposes?
    Personal phones and devices significantly increase the chance of malware attacks when employees use them on the office network.
  • Do You Back Up Your Files?
    A cyber attack can make confidential files completely inaccessible. Protect them by keeping local backups of all critical files and storing copies on an offsite server.
  • Does Every Company Device Have Antivirus and Malware Software Installed?
    Make sure your organization installs the most up-to-date versions of antivirus and malware software on all organizational devices, and that they run properly.
  • Do You Limit the Number of Employees with Administrative Access to Only Those Who Need it?
    Administrative access rights should be assigned sparingly and given only to those employees who absolutely need it to conduct their jobs. Additionally, employees who are granted admin access must be trained and well-educated on security issues.
  • Do You Encrypt Databases and Customer Information?
    Without encryption, your organization’s sensitive data and customer information is accessible to hackers. To reduce data vulnerability, take steps to ensure all your information is encrypted.
  • Have You Trained Your Employees to Recognize Phishing Emails?
    Phishing emails account for nearly half of all cyber attacks, and employees often fail to spot them. It is crucial that every business train their employees to not respond to suspicious emails.

How does your organization prepare to handle a cyber attack? Are you looking for ways to strengthen your organization’s cyber security? If you identified gaps in any of these areas, IEEE provides cyber security and ethical hacking training to help organizations prepare. Learn more about organization pricing and request a quote here.

References:

Bose, Shubhomita. (2017, August 28). 11 Cyber Security Questions Every Small Business Should AskSmall Business Trends.

Gillin, Paul. (2017, January 30). Two-Factor Authentication: A Little Goes a Long WayIBM Security Intelligence.

IEEE Cybersecurity Vulnerability Navigator, 2017.

Lindros, Kim. (2016, September 7). A Small Business Guide to Computer EncryptionBusiness News Daily.