By Anke Henrich
The fifth generation of mobile communication is expected to reduce the latency for Industrie 4.0 applications significantly. But this also places huge demands on companies that come under attack to act quickly. What does 5G mean for IT security? And who is liable?
We asked two experts from Blomberg-based Phoenix Contact, the world market leader in connection and automation technology: Frank Hakemeyer (Director Communication Interfaces) and Dr. Lutz Jänicke (Product & Solution Security Officer).
Mr. Jänicke, Mr. Hakemeyer, experts estimate that annual losses due to cyberattacks run to more than USD 600 billion and warn of illegal business models like "cybercrime-as-a-service"*. Will 5G and 'network slicing' - virtual networks run in parallel based on a shared physical infrastructure - increase the risks of data theft and blackmail even further?
Hakemeyer: In my view, the question of the transmission technology used is not relevant. Ultimately, when data is sent to its destination via the internet using any media, the data connection should always be secured, e.g. using a VPN tunnel. Today, mobile networks almost always feed data into the internet. 5G will be no different, with the exception of isolated, local campus networks. When it comes to network slicing, I think we face different challenges.
Hakemeyer: At the moment, the communication connection via a base station can fluctuate a lot. If there is a soccer game at the stadium on a Saturday, the small pumping station behind the stadium might not get enough coverage because the resources are being used elsewhere. The idea of a network slice is that the user is assigned a virtual resource. We have to hope that the service level agreements (SLA) for these types of virtual resources are tailored to the users' requirements.
What responsibilities will the manufacturers, operators, providers and end customers of 5G networks have? Attackers will also attack devices and applications.
Dr. Jänicke: The operator bears responsibility. If a 5G network is to be used in-house as a replacement for Wi-Fi, one has to operate it oneself or outsource the task to a telecommunications provider, with whom all security questions then have to be contractually agreed - just like today, ideally. In practice, however, it is mainly small companies that lack experience. Dealing with security weak points is a particular challenge.
What do you mean?
Dr. Jänicke: We observe that manufacturers act when they uncover security weak points. In practice it is a different story: Companies often fail to react quickly to problems and to apply even remedies that have long been known.
What you describe sounds like gross negligence. Why does this happen?
Dr. Jänicke: A lot of people have the motto: "Never change a running system." New versions are not installed as quickly as they should be, because the person responsible has to weigh up the risk of malfunction against the security risks and usually has insufficient information on both risks. At obviously sensitive points, the persons responsible are usually aware of the dangers. But hackers can also use less obvious opportunities to gain initial access to a system. Using a 5G network operated by external experts can therefore be an advantage compared to suboptimal internal operation.
Will 5G increase the significance of "security by design"?
Hakemeyer: It is already becoming increasingly important. In the past, automation products were equipped with industrial technologies and adapted to specific requirements. Today, the entire sector is increasingly using mainstream technologies, for example those based on Windows and Linux, in order to benefit from economies of scale in the consumer industry. The same goes for mobile technology. From 1G to 4G, we had to take what consumer technology offered. For the first time, 5G gives us the opportunity to help shape the standardization of a mobile technology through international working groups.
How will you at Phoenix Contact in rural Blomberg initially deal with 5G?
Hakemeyer: We will take it up as soon as possible. Phoenix Contact needs 5G at our site to optimize our own production and, of course, to develop and test communication products and demonstrate them to customers. Our rural location is not a disadvantage here. When it comes to our own, isolated network, there are few other interested parties (neighbors) who would also want to use these resources. And when it comes to the public network, the beautiful hilly landscape here provides ideal locations for mobile transmission stations with a good range.
The German market is more fragmented than the American or Chinese markets, for example. That reduces the potential profit for 5G providers. Could you give us your best guess at when 5G will be available for use across Germany, at least at a low frequency spectrum?
Hakemeyer: I would say we are looking at four or five years. It will happen bit by bit. After the respective standard releases, the chips first have to be designed and then the module integration has to take place before we can install the technology in automation products and provide them to our customers. But we would be happy just to see 4G reception available everywhere in Germany.
*Source: Together with the Center for Strategic and International Studies (CSIS), McAfee has published the third edition of the global report "Economic Impact of Cybercrime - No Slowing Down". According to the study, cybercrime costs companies worldwide almost USD 600 billion every year.