The Department for Science, Innovation and Technology has published a white paper that sets out some of the high-level cyber security insights that NCC Group identified for DSIT in a review of a cross section of the 5GTT projects in the programme. It also aims to identify good security approaches that future projects should consider when planning similar deployments of 5G technology.
UKTIN spoke to David Pedley, a 5G Technical Delivery and Security Lead advising the UK Government.
- Why was the 5G Testbeds and Trials (5GTT) Security Report created?
In essence, the key point was to understand how the 5GTT Projects supported the understanding of security practices within 5G ecosystems. It was about looking at the projects and gathering common insights from the government-funded work.
All of the projects had very different scopes, spread over a range of use cases and environments. Although security of 5G systems wasn’t the focus, most projects had valuable security learnings.
The paper covers the period of November 2019 to 2021, when the 5GTT projects were running and there were questions around networks. Was there confidence in the systems? What could be learned from these projects? What might be necessary for organisations to put in place to enhance their 5G system security? The idea of the paper was to report back to DCMS, and now DSIT, considering any gaps as well as learnings.
There were two outputs from this activity. The first was an internal DSIT paper and the second was a public whitepaper, which includes the broader publicly-sharable insights.
We wanted to build on existing 5G security gap analysis reports and delve further into the 5GTT projects, analysing the work that supported the closing of security gaps. There is a lot to be learned in looking at past projects and this report will be useful to the industry as a whole.
- What were the findings?
Security is a very broad topic, which can be daunting, especially for small organisations running on a tight budget. We found that security quickly became fundamental for the projects. It was useful to see how soon the projects needed to put together fairly robust security procedures. One of the key things is that we are not just talking about technology but the people and processes: how do companies operate with other consortium members?
Reassuringly, most of the activities the projects followed to manage risks were based on best practices that are widely known in the industry. By applying this knowledge, you can manage most risks in and around developing, testing and deploying 5G systems.
Making security front and centre early should be a priority. Having the right governance is key here. Projects that did that benefited greatly. There is more cost in implementing this later on.
So, how does one build a secure environment? There is value in understanding the practicalities and sharing information. Dealing with data privacy was a major topic for these projects, for example. Organisations that are new to 5G and the associated use cases might not be fully aware of how to handle data privacy with these associated systems. These testbed projects made aspects such as this visible and allowed us to capture and share the experiences and any potential solutions.
- What do the findings mean for the government, industry and any current innovation projects?
Fundamentally, it is about building up the confidence of security within the 5G ecosystem. I distinctly remember the fog around how to build a secure 5G network: where do we start? At the end of this piece of work, which is covered by the reassurances of the report, the path is clearer. This is the value of running testbed environments and exploring security challenges. By doing this, we are supporting the securing of 5G networks. There is a long list of lessons learned and it’s great to know where gaps have been closed and new questions have arisen (for example, one of the recommendations was the need for stronger guidance for secure private networks). This has been fed back into government and will impact future initiatives, with DSIT already having run the Call for Information on the uses and security of Private Telecommunications Networks within the UK.
- What is the one thing you’d like people to know about security?
Fundamentally, it’s important to have confidence in the security you apply to your networks and organisation. It is therefore vital to continue these explorations. Government-funded programmes such as 5GTT, FRANC, FONRC and ONE are fantastic for that and provide this welcome opportunity to test real-world situations to build evidence that supports the efficacy of security practices and applications in technology. This is a value that is highlighted by NCSC’s CTO Ollie Whitehouse in his blog post “Landing at the NCSC (glad I brought my towel)”. Thankfully, the appetite for understanding security in 5G is rapidly increasing. The more we learn, the stronger the ecosystem will get. It’s very easy to focus on a product’s security and perhaps not think about the wider picture. But we need to question things such as who is involved with a solution and where our information is being stored. It’s not just about the technology but the people and the processes around the tech. Security from the outset is absolutely crucial.