By Dr. Torsten Staab, PhD, RTX Principal Technical Fellow
From September 5th to September 8th of 2023, Billington Cybersecurity hosted its 14th annual Cybersecurity Summit in Washington, D.C.
Among my fellow Raytheon executives, I was given the honor of joining senior leadership from the U.S. government and its allied partners, along with other industry and academic partners to discuss some of today’s most pressing national security issues. On the second day of the conference, I myself participated in a panel discussion titled, “Breakout C4: The Enhanced Threat Surface of 5G/6G & IoT,” which explored the implications of telecommunication capabilities on cybersecurity as true 5G networks and several billion more internet-connected devices become a reality. Detailed below are some of my insights regarding this topic and the key points that were discussed during the panel.
It is estimated that the number of internet-connected IoT devices could reach 30 billion by 2030. With an exponential increase of commercial and industrial IoT devices and systems, concerns have been naturally raised regarding IoT vulnerabilities. These can include a wide range of different threats, such as a lack of secure update mechanisms, use of components from questionable suppliers, weak or hardcoded passwords, unprotected Application Programming Interfaces (APIs), unencrypted data transfer or storage, insufficient data privacy protections, and lack of device management. And as we begin to more widely deploy, embed, and rely on interconnected IoT devices and sensors, the basic building blocks needed to improve security must be upleveled. Such security measures should include Zero Trust by design and promote secure boot, secure firmware and application updates, continuous authentication and authorization, secure communications, data encryption (at rest and in transit), and configurable data privacy. These building blocks will help reduce potential attack vectors and will make it much harder for adversaries to exploit IoT devices, connected infrastructure, and end users. It is also important that the focus is not only on cyber-hardening of the IoT devices or sensors. Securing the surrounding IoT ecosystem and components, such as mobile apps and cloud-hosted services that interact with IoT devices and services like home security cameras and Alexa-type voice assistants, is equally important.
Considering these ongoing and expansive cyber threats in the IoT domain, there is widespread recognition that preventative actions need to be taken. In July, the FCC, along with a host of partnering companies, announced a late 2024 Cyber Trust Mark labeling program for interconnected IoT and home automation devices, such as home network routers, appliances, security cameras, and other products. The goal of the program is to help consumers quickly assess the security level of an IoT product or service without requiring them to be a cyber expert. Modeled after similar product security programs in other countries such as Singapore, the new US Cyber Trust Mark program is expected to help consumers with their IoT device purchasing decisions. The program is also expected to help motivate IoT device manufacturers to voluntarily add more security to their offering and allow them to use the US Cyber Trust Mark to help differentiate their offerings.
In relation to enhanced 5G/6G threats and attack surfaces, network slicing is often part of the conversation. Network slicing, for example, allows a network operator to “slice” a 5G network into multiple logical and independent networks and provide fine-grained control over who gets priority network access and how much bandwidth each user, application, and service gets to consume. Advanced networking capabilities like slicing, however, also considerably increase the implementation complexity and attack surface 5G/Future G networks. The official 5G standard specification did not provide sufficient guidance on how to implement features such as network slicing securely. As a result, many 5G implementations have fallen victim to sophisticated denial of service, side channel, and man-in-the-middle attacks. To help address these shortcomings, the NSA and CISA recently released security considerations for the implementation of 5G network slicing. In their recommendations, they address some identified threats to 5G standalone network slicing and outline specific practices for the design, deployment, operation, and maintenance of network slices.
The implementation and operation of next generation networks and advanced capabilities such as network slicing will also require network operators to implement and rely more on algorithmic and AI/ML-driven decision making. The increased use of AI/ML in the operation of networks will also require a significant change in how these advanced networks are secured. For example, 5G/Future G networks will also have to address and counter known AI/ML-related vulnerabilities and attacks, such as data poisoning and adversarial attacks. Independent of network-specific vulnerabilities such as network slicing or AI/ML operations, however, the Zero Trust mantra of “Never trust, always verify!” should always apply.
To help reduce cyber-attack surfaces and to combat continuously evolving IoT- and 5G/6G-related cyber threats, suppliers, manufacturers, service providers, and users must work closely together to cyber-harden their components, devices, networks, and services.
After all, cybersecurity is a team sport.
About the Author
Dr. Torsten Staab serves as Chief Innovation Officer for Raytheon’s Cybersecurity, Intelligence, & Services business unit and Chief Technology Officer for Raytheon Blackbird Technologies, Inc. He is also an RTX Principal Technical Fellow, a role in which he also supports RTX’s other businesses Collins Aerospace and Pratt & Whitney.
Staab has an extensive background in software and systems engineering and cybersecurity. He is a recognized subject matter expert in areas such as Zero Trust Security, data analytics, machine learning, distributed systems and laboratory automation. He has contributed to more than 50 publications and has received five patents with 9 pending.
He received a Diplom Informatiker (FH) degree from the University of Applied Sciences in Wiesbaden, Germany. In addition, he also holds Master of Science and Doctorate degrees in Computer Science from the University of New Mexico.