Security Risks with Private 5G Networks in Manufacturing Part. 3

We can see signs of increased activity in areas of business that use 5G around the world. 5G technology will usher in new personal services through smartphones, and it will also play a large part in industry. The option of Private 5G lets private companies and local governments have their own telecom infrastructures. However, the "democratization of communications" entails its own risks that have not yet been made clear. To identify these risks, Trend Micro performed tests using an environment modeled after a steelworks with 5G equipment. In this third installment, we will describe the four penetration routes and three signal interception points identified in these tests, and we will discuss attack scenarios that exploit these weaknesses.

By: Yohei Ishihara | October 29, 2021 | Read time: 5 min (1565 words)

Trend Micro carried out a field test to shed light on the potential security risks involved with implementing Private 5G. We investigated the potential for cyber attacks using a testbed modeled after a steelworks. The three highlights of our experiment are as follows:
  1. An open Private 5G system has four possible penetration routes.
  2. There are three signal interception points in the core network.
  3. The core network can be used as a springboard to attack the manufacturing site.

Let's look at each one in more detail below.

Four penetration routes

It is imperative to understand that if an organization migrates to open options for the hardware and software that make up the core network and radio access network, this configuration carries the same risk of vulnerabilities as an open IT environment. Recently, many companies have been building PoCs with a view to implementing a full-scale Private 5G configuration going forward. However, only rarely do these cases include cyber security in the list of items to verify. Owing to the nature of the general-purpose servers and open-source software that make up the Private 5G network, the infrastructure could house severe vulnerabilities if due thought is not given to security when installing the network. If the manufacturing environment is deeply intertwined with the mobile communication system, it may not be easy to apply patches, since the manufacturing site may prioritize availability as a matter of policy. As such, it is crucial to watch out for potential vulnerabilities.

Four potential penetration routes


① CN hosting server
As Private 5G grows more and more mainstream going forward, we can expect organizations to use general-purpose servers to host their core networks with the aim of cutting costs. We also used a regular x86 server to host the core network in our field test. As the trend toward open infrastructure continues, it is imperative to be vigilant about potential vulnerabilities being exploited in the core network hosting server. This is a crucially important area with respect to building the core network environment in a Private 5G configuration, considering that we are seeing an increase in both users and vulnerabilities in Linux OS.

② VM/Container
It is also imperative to consider the vulnerabilities in containers and other virtualized environments. At Trend Micro, we are aware of a type of attack called "container escape" in which the attacker can go through the container to infiltrate the host server. Container technology will play a big role in 5G core networks, and container images are largely made up of open-source packages such as SQL database engines and programming languages. As such, these packages require the same kind of precautions as code that was downloaded from an external source: looking up who made the libraries, and reviewing the code to make sure it is not malicious. Considering that it is crucial to work closely with the system integrator when building a Private 5G configuration, the user organization (and asset owner) must proactively ask the system vendor and integrator to implement security measures in the container environment.
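
As an added example (not from Trend Micro's test or any vendor's tooling), the following Python script shows one check an asset owner could ask the integrator to run: it reads `docker inspect` output for core-network containers and flags runtime settings that weaken the container-to-host boundary. The container names, the sample data, the risk lists and the use of a Docker-style runtime are assumptions; the article does not name a runtime.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical
# core-network containers (names and settings are assumptions for illustration).
SAMPLE_INSPECT = json.loads("""
[{"Name": "/upf",
  "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "host",
                 "CapAdd": ["NET_ADMIN"], "Binds": ["/dev:/dev"],
                 "SecurityOpt": ["seccomp=unconfined"]}},
 {"Name": "/amf",
  "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "corenet",
                 "CapAdd": null, "Binds": ["/etc/amf:/etc/amf:ro"],
                 "SecurityOpt": ["no-new-privileges"]}}]
""")

# Capabilities that give a container broad control over the host kernel.
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH"}
# Host paths whose exposure lets a container reach host devices or the runtime.
RISKY_PATHS = {"/", "/dev", "/proc", "/sys", "/var/run/docker.sock", "/run/docker.sock"}

def audit_container(entry):
    """Return the settings of one container that weaken host isolation."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in RISKY_CAPS:
            findings.append("added capability " + cap)
    for bind in hc.get("Binds") or []:
        source = bind.split(":")[0]
        if source in RISKY_PATHS:  # flagged even when ":ro" (a socket stays usable)
            findings.append("host path mounted: " + source)
    for opt in hc.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):
            findings.append("security profile disabled: " + opt)
    return findings

def audit(inspect_data):
    """Map container name to findings, omitting containers with none."""
    report = {e["Name"].lstrip("/"): audit_container(e) for e in inspect_data}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On a real host the input would come from `docker inspect $(docker ps -q)`; a container that legitimately needs one of these settings should be recorded as an accepted exception rather than silently skipped.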

③ Network infrastructure
Another avenue for infiltration is the network infrastructure, including routers and firewalls. Private 5G solutions use switches, routers, and other networking equipment in the core network. It is crucial to manage and mitigate vulnerabilities in this equipment just like for any regular IT system.

④ Base station
Base station security research still has a way to go at the moment, but we found some vulnerabilities with our tests. We escalated these vulnerabilities with the vendor, who said that this issue could only be found in the model sold for testing and not in the regular product. However, verification environments often include important documents and intellectual property, so it is crucial to secure the same level of security for equipment in the verification environment as in the production environment. In any case, we strongly recommend that the owner of the base station carry out penetration tests on site and check that the base station is sufficiently protected and that there are no similar vulnerabilities in the production environment.

These are the four potential penetration routes that we identified in our research. These vulnerabilities in Private 5G configurations may not necessarily be exposed on the Internet for cyber attackers to access, though it is crucial to remember that vulnerabilities and attack methods can be shared widely as infrastructure becomes more open.

Three signal interception points

Once an attacker has got into the core network through one of the routes described above, they will go to the next phase: intercepting and tampering with data. In our test, we identified three interception points within the user plane that processes user data (Fig. 2).

Disclaimer

Trend Micro Inc. published this content on 29 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 October 2021 20:33:20 UTC.