The United States Department of Labor’s Cybersecurity and Infrastructure Security Agency released a new strategy for securing critical infrastructure as it relates to 5G technology. CISA’s 5G Strategy is designed to advance the development and deployment of a secure and resilient 5G infrastructure.
“The promise of 5G is undeniable, but with 5G technology posed to underpin a wide range of critical infrastructure functions, it’s vital that we manage these risks adequately and promote a trusted ecosystem of 5G componentry,” said CISA Director Christopher Krebs in a press release. “CISA is committed to working with partners to build a resilient 5G infrastructure, and this strategy identifies a roadmap of how we will bring stakeholders together to achieve this.”
The 5G strategy establishes five strategic initiatives that align with the National Strategy to Secure 5G, which was developed by the Trump administration to guide the development, deployment, and management of secure and reliable 5G communications infrastructure.
The first initiative is to support 5G policy and standards development by emphasizing security and resilience in order to prevent threat actors from maliciously influencing the design and architecture of 5G networks.
“The development of 5G policies and standards serve as the foundation for securing 5G’s future communications infrastructure,” the strategy says. “Those entities that shape the future of these policies and standards position themselves as global leaders and help facilitate secure deployment and commercialization of 5G technologies. To prevent attempts by threat actors to influence the design and architecture of 5G networks, it is critical that these foundational elements be designed and implemented with security and resilience from the start.”
The second initiative of the 5G strategy is to expand situational awareness of 5G supply chain risks and promote security measures in an effort to prevent malicious or inadvertent vulnerabilities within the 5G supply chain.
“Between untrusted components, vendors, equipment, and networks, 5G supply chain security is under constant threat,” the strategy says. “For example, while certain 5G equipment may be from a trusted vendor, supporting components manufactured or handled by untrusted partners or malicious actors could negate any security measures in place. These compromised components have the potential to affect the connectivity and security of transmitted data and information.”
The third initiative is to partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments and ensure they are void of legacy vulnerabilities and untrusted components.
“Before moving to a standalone infrastructure, the first iterations of 5G deployment will work alongside existing 4G LTE infrastructure and core networks,” the strategy says. “While 5G architecture is designed to be more secure, 5G’s specifications and protocols stem from previous networks, which contain legacy vulnerabilities. For example, the overlay of 4G and 5G networks has the potential for a malicious actor to carry out a downgrade attack, where they could force a user on a 5G network to use 4G in order to exploit known vulnerabilities against them. These inherent vulnerabilities, along with new and unidentified risks, will require the collaboration of industry and government to develop and communicate security enhancements to support secure 5G deployments.”
The fourth initiative of the 5G strategy is to encourage innovation in the 5G marketplace to foster trusted 5G vendors in order to address risks posed by limited competition and proprietary solutions.
“As 5G is deployed, there is an emphasis on ensuring that state-influenced entities do not dominate the 5G marketplace,” the strategy says. “To address this concern, CISA will work with its partners to support R&D initiatives and prize programs that result in secure and resilient 5G technologies and capabilities. By supporting these types of efforts, CISA will help drive innovation and establish a trusted vendor community for the future of 5G.”
The final initiative is to analyze potential 5G use cases and share information on identified risk management strategies to ensure that new vulnerabilities introduced by deployments of 5G technology are clearly understood and managed.
“The enhanced capabilities of 5G technologies will support an array of new functions and devices, introducing a plethora of potential use cases. With the potential for the connection of billions of devices on a network, also known as massive Machine-Type Communication (mMTC), applications like smart cities will require increased security to safeguard connected devices from potential threats and vulnerabilities. To ensure the security and integrity of these devices, CISA will communicate known vulnerabilities and risk management strategies for use cases associated with securing the Nation’s critical functions.