
Where the Money Is: The Coming Threats to Private Cell Networks

Image Credit: monsitj/BigStockPhoto.com

By the end of 2022, experts say some 13 billion IoT devices will have been deployed, more than two for every human being - and that’s just the beginning; by 2030, over 25 billion IoT devices will be in use.

That’s a lot of devices, and more are on the way, with these devices increasingly being used on private 4G-LTE and 5G networks, which businesses and industry are implementing to manage automation, production, administration, warehousing, data and other tasks. Advanced cellular technology enables companies to use these networks for automated manufacturing, transportation, robots, and other uses; thanks to their near-zero latency capabilities, these networks are optimized to enable connected machines to communicate with each other. 

But there is also a new challenge: these cell networks lack the long history of cybersecurity solutions that traditional IT networks have been relying on for decades. This means that along with increased business efficiency, the opportunities for hacker mischief - or harm - are growing exponentially. Given the large number of IoT devices deployed on these private networks - a fully automated factory today has thousands of IoT devices, robots, cameras, sensors, telecom devices, and other connected systems - hackers now have more opportunities to strike, and succeed.

These networks are operational right now, adding more and more devices, and hackers already have all the parts to breach them. To fend off attacks on these devices - and the networks they reside on - organizations need new strategies and defenses. Organizations need to realize that the tools they rely upon to protect their IT networks won’t provide sufficient security on the private cellular networks they are deploying. The structure, functions, and processes of 4G-LTE and 5G networks differ sharply from the more established and common Ethernet or Wi-Fi networks.

Simply updating IT security systems to protect private networks won’t cut it: IT-oriented malware detection tools or perimeter defense systems won’t recognize the threats, methods of attack hackers use to breach cellular networks and associated devices, anomalies on cellular networks, or indications of breach associated with attacks on 4G-LTE/5G networks and the IoT devices that populate them. Organizations need security systems specifically geared for those networks and devices; and because it’s a private network, it’s their responsibility to defend it.

Hackers, of course, already have the exploits and tools to break into this lucrative expanded market; some of those schemes and exploits have been around for years, and some are new. But unlike in the past, the potential for damage is much greater; with critical equipment now connected on vulnerable private cellular networks, the threat - and effect - of these schemes and exploits grows exponentially. 

The fact that these private networks – and the endpoint devices on them, like cameras and sensors – are so vulnerable is unpleasantly surprising to many organizations that go cellular. After all, the advanced security on cellular networks has been widely touted to help reduce exposure to the bad actors who have turned IT networks into security disasters in recent years. But where there is an opportunity to make money, hackers will be sure to take advantage, and here that means targeting these private networks. Many of the same devices are being used there - vulnerable to the “traditional” exploits used to attack them - but without a security solution to protect them on the cellular network, which could itself be compromised by attacks such as these. And there are plenty of vulnerabilities already out there that could enable them to compromise private networks, just waiting for bad actors to carry out the exploits needed to utilize them. Here are just a few of those vulnerabilities:

Cellular Endpoint Vulnerabilities: The most obvious security threat is often the most overlooked - the smartphones and handheld connected devices employees utilize on the corporate network. A Verizon study shows that upwards of 40% of all attacks on private networks occur through compromised devices, the result of compromised apps. That same study showed that 85% of employees used their personal devices to access work-related assets, while taking advantage of the corporate network for personal use - like playing games. And all devices are vulnerable; researchers found that iOS devices, in fact, have more security vulnerabilities than Android devices.

Rogue IoT Devices: Hackers could compromise an IoT device that connects to a private network and load it with malware that would enable them to conduct lateral attacks to reach servers where valuable data is stored - or control systems that production networks are dependent on. They could also engineer an IoT network collapse - bringing production in a facility that utilizes those devices to a halt.

Signaling Storms: A form of cellular denial of service, a Signal Storm could be initiated by malware that gets loaded onto an IoT or personal device, overloading the bandwidth of devices, the backbone signaling servers, and cloud servers. Depending on the attack, hackers could tie up traffic, essentially shutting down service - and preventing network devices from communicating with command servers, or each other. This could also shut down a factory, water treatment plant or any other facility that relies on IoT devices.

N6 Interface Attacks: While organizations implement advanced cellular private networks largely for their internal use, those networks still need to connect to the outside world - and attackers could use those interfaces (SGi in 4G/LTE networks and N6 in 5G networks) to hack into a private network. Because those attacks come from the internet, hackers would likely be able to easily implement them - but because the attacks will be designed to affect the cellular networks, security tools designed for “regular” IP attacks won’t detect them.

It should be clear by now that what works for IT networks does not work for advanced cellular networks. It’s not only the threats that are different; the anomalies that security systems seek out in order to determine if a threat exists are different as well. Private cellular networks need to be protected as distinct entities, with security systems specific to those networks; “porting” IT security solutions to private cellular networks is not going to sufficiently protect the latter. Organizations need to act now, before it’s too late.

Author

Dave Mor is the co-Founder & CEO of OneLayer, leading the vision and strategic direction of the company. He brings nearly two decades of cybersecurity experience, worldwide deployments of innovation technologies in industrial environments, and wide network architecture expertise to the role.

Prior to OneLayer, Dave was the Chief Innovation Technology Officer at an Industry 4.0 technology company. Additionally, Dave served in the Israeli Defence Force’s Intelligence Corps in multiple positions where he led technical analysts and development teams in the cyber and cellular domains.
