5G Poses Security Risks to Public Safety Networks, Stakeholders Say

Public safety networks use the same underlying technologies as networks in any other sector, including IoT and 5G, Abley emailed. The same best practices mostly apply in all sectors, but some characteristics are unique to public safety and next generation 911, he said. The industry carries "the concept of a shared root of trust, which enables interoperability," he said. "We have a lot to learn from other industries, such as critical infrastructure that have deployed similar trust networks."

New public safety radio networks employing commercial public mobile radio technology such as 3G, 4G and 5G "have basically identical security issues," emailed European Telecommunications Standards Institute Senior Telecom Engineer Daniel Voisard. The security architecture of emergency radio systems must "be carefully crafted, managed and maintained according to predefined requirements." ETSI reported in August on such IoT devices.

Concerns about security risks from 5G are "well-founded" and must be addressed, said Ambassador Minna Kivimaki of the current EU Finnish Presidency at an Oct. 9 briefing. EU members, with the European Commission and the European Network and Information Security Agency, introduced a report on coordinated risk assessment of such networks based on national cybersecurity reviews. The risk-based analysis is another step forward in developing a "community of trust" in the EU, said Security Union Commissioner Julian King. It encompasses all sectors, including public protection and disaster relief, and will be followed with an action plan by year's end.

The biggest vulnerability to public safety networks "is not old-school, Hollywood-style hacking" but the "human factor," said NENA's Abley. There's "a cottage industry for ransomware insurance marketing to government" because there are so many cases where the software has been placed into computer systems through a human vulnerability, he said.

Such cases "can be mitigated by basic cyber-security hygiene," which isn't high-tech or sophisticated, Abley said. Basic things like password and credential management and recognizing phishing attacks can stave off a major attack. The National Institute of Standards and Technology has guidelines and NENA is involved in ongoing technical and standards development in cybersecurity for 911-related things, he said.

Radio transmission "is inherently susceptible to radio interference," said Voisard. Preventing jamming attacks can be improved by technical and operational measures, he added: Transmissions in densely covered areas "are increasingly robust due to cell and frequency handover opportunities leading to reduced success of jamming attacks."

Scenarios targeting 5G networks worry EU governments, their report noted. They are: (1) Local or global network disruption that affects availability. (2) Spying on traffic or data in the 5G network architecture. (3) Modification or rerouting of traffic/data in the 5G infrastructure, affecting confidentiality and/or integrity. (4) Destruction of or changes to other digital infrastructures or information systems through the 5G networks.

Significant technological changes in how networks are run add opportunities for exposure to security problems, King said at the briefing. A major focus is on the digital supply chain, where 5G will increase reliance on third-party suppliers, which must be thoroughly vetted. Fifth-generation increases chances of intentional and unintentional software back doors, while supplier activities raise the specter of interference from, say, non-EU countries into European systems.

Wireless companies monitor, protect, diagnose and fight potential cyberattacks in real time, and policymakers "should promote flexible, technology-neutral solutions and focus on cyber threat information sharing with appropriate liability protection for today's 4G LTE and tomorrow's 5G networks," noted a 2018 CTIA paper. The group didn't comment last week.