Supply chain cybersecurity attacks are the most notorious. They cost companies and their suppliers millions of dollars and tarnish the victims’ reputations for years. This is what happened to the retail giant Target. In 2013, hackers stole customer records and their credit card details. Target had to pay an $18.5 million settlement and spend even more to restore its position in the market.
This didn’t happen because Target didn’t care about its supply chain security. In fact, they had invested a lot of money into state-of-the-art security software. However, there was still a tiny vulnerability. The retailer didn’t segregate their internal network from a portal for third-party vendors. Criminals obtained credentials from an inattentive vendor. Then, they entered the portal and jumped into the retailer’s internal system.
Right now, everyone is talking about the further adoption of 5G. But will 5G protect supply chains from cyber attacks like the one Target experienced? Industry experts believe it may do quite the opposite. 94% expect security challenges to rise.
In this blog post, we’ll discuss the roots of these fears. We’ll describe three 5G use cases that create real cyber threats that can affect any company in a supply chain. At the end, we’ll provide possible security solutions for 5G supply chain security based on the zero trust security model.
Supply chain cybersecurity is an area in supply chain management that aims to prevent and mitigate cyber attacks. Here are the things hackers usually target:
To handle these risks, a company needs a solid cybersecurity strategy. The strategy depends on the type of connectivity technology used.
With the pre-5G connectivity protocols, we deal with a centralized network architecture. Let’s check out what that means in practical terms with 4G.
4G relies on large physical base stations (for example, an eNodeB). Devices connect to the core network via the closest base station. It implies the following characteristics:
The main security risks, as well as security tools, stem from these characteristics. If we want to avoid risks, we need to prevent something dangerous from entering the network. At the same time, it’s hard to segregate applications inside the perimeter. This is why we have the hard shell and soft core cybersecurity model. This model means that the network perimeter is strictly controlled (a hard shell), but control inside it is loose (a soft core).
The architecture determines the choice of tools. Pre-5G security is ensured by firewalls, tokens, cryptographic protocols, and so on. Such tools create a hard shell around the system and prevent illegal access to it.
5G is different. Its architecture isn’t physical, monolithic, or centralized. So, what is it? Let’s zoom in on 5G in more detail.
What does the 5G architecture mean for supply chain cyber security?
On the one hand, these characteristics protect 5G against risks typical of the other connectivity protocols. A 5G network is more software-based, which means that it can be more easily monitored and managed and is less prone to physical tampering. What’s more, every slice can be equipped with extra security tools.
But 5G architecture brings about new risks that require more advanced security tools. These risks include the following:
Now, let’s check out an example of how these threats come about. Imagine a huge warehouse called X somewhere in East Texas. Its managers want to guarantee zero product loss and full tracking for suppliers and customers. To do this, they need more location sensors, video surveillance, and robots, so they’re switching to private 5G.
This changes the X warehouse’s network architecture. Now they have network slices for sensors, CCTV, and robots. They can add extra security tools to each slice. However, this doesn’t mean the warehouse’s system can’t be attacked.
Let’s see what can go wrong.
With 5G, the X warehouse has more capacity and bandwidth, so they’ve bought more devices. The warehouse now has 100 robots, dozens of CCTV cameras, and thousands of sensors. Every group has its own segregated network slice. That means that each of them has dedicated resources to operate well.
To ensure smooth operation, the X warehouse decides to put measures in place to avoid system overload. They want to reduce latencies, no matter how many more devices the warehouse connects in the future. So, they establish load balancers, which optimize traffic between the network slices. Before 5G, they would have had to buy hardware load balancers. Now, they create virtual versions.
This is a cheap and reliable way to reduce latencies. However, from a security perspective, a virtualized load balancer, like a virtualized copy of anything else, poses a risk.
With 5G, the attack surface widens. Now, every slice and every virtual function becomes a target. If they are not properly segregated, an attack on one element can damage the whole system.
A successful attack on any part of a new virtual load balancer can paralyze its work. And that’s not all. If an infected part continues to communicate with the rest of the system, it can bring down the whole network.
The X warehouse wanted to make each parcel’s journey visible to customers from the moment it left the warehouse. To do this, they equipped their robots with QR-scanning terminals. Now, a robot scans a QR code on a parcel and the information goes into a database from which it can be easily retrieved at any moment. 5G enables hundreds of robots to scan tens of thousands of parcels.
Now, everyone within the supply chain can track the status of the parcel in real time. It’s also easier to track it in the warehouse itself. As a result, the company is approaching zero undelivered parcels and same-day delivery.
But what about security?
As with virtualization, the biggest 5G strength—supporting more devices—is also its main challenge. Many of these devices are not secure by design. In most cases, it’s a trade-off made by vendors: they’re limited by the not-so-great computing and battery capacities of their devices. A vulnerable device is a soft target for hackers. Once a cyberattack happens, it impacts the overall network security.
QR terminals are usually very simple and lack effective security tools. This helps a hacker attack the system. For example, they can trick the terminal into downloading an infected program. After that, malware takes control of the terminal—and the robot too. Now, hackers can access mission-critical applications and services.
The warehouse doesn’t exist separately from the other companies in the supply chain. X communicates with delivery services and other suppliers. This communication helps keep the customer aware of the status of their order.
The X warehouse has put 5G and strong security tools in place to protect their network. However, other companies have a different approach to security. They use 3G and 4G with less advanced protocols. What’s more, some of them haven’t yet implemented strong security tools.
What can go wrong in this use case?
Negligence on the part of one supplier may affect the other partners. Attackers can find this weak link in the supply chain and exploit the vulnerability.
For example, imagine there’s a sorting center in the supply chain that still uses 3G. They haven’t updated their security practices in years. The hackers obtain their access credentials to the supply chain system—a database with QR codes. After they have accessed this, the hackers infect the whole supply chain, including the X warehouse’s network.
Earlier, we mentioned that deploying 5G changes security policies. The software-based nature of 5G makes the physical perimeter disappear. Operators have to treat internal threats as seriously as external risks, so the hard shell and soft core model doesn’t apply here.
That’s why the new zero trust architecture (ZTA) model comes into the spotlight. ZTA treats every element as a potential target. If every element is threatened, then every element needs protection. No matter if it’s a third-party device, a physical endpoint, or a layer—nothing and no one can be trusted and everything should be verified.
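An added example (not from the original post) contrasting the hard shell, soft core check with a zero trust decision for the X warehouse. The device names, slices, services and rules are assumptions made up for illustration, and the `attested` flag stands in for whatever device verification is deployed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    device_id: str        # identity the device claims
    slice_name: str       # network slice the request arrives on
    service: str          # service being called
    action: str           # operation requested
    attested: bool        # passed identity/integrity verification?
    inside_network: bool  # already past the perimeter?

# Assumed allow-list of (slice, service, action); anything absent is denied.
ALLOW_RULES = {
    ("robots", "parcel-db", "write-scan"),
    ("sensors", "telemetry", "publish"),
    ("cctv", "video-store", "upload"),
    ("partners", "parcel-db", "read-status"),
}
# Constructed inventory: the slice each enrolled device belongs to.
ENROLLED = {"robot-017": "robots", "cam-04": "cctv", "sorting-center": "partners"}

def perimeter_decision(req: Request) -> bool:
    """Hard shell, soft core: anything already inside is trusted."""
    return req.inside_network

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Check identity, attestation, slice binding and an explicit rule."""
    home_slice = ENROLLED.get(req.device_id)
    if home_slice is None:
        return False, "unknown device"
    if not req.attested:
        return False, "attestation failed"
    if home_slice != req.slice_name:
        return False, "device on wrong slice"
    if (req.slice_name, req.service, req.action) not in ALLOW_RULES:
        return False, "no rule permits this flow"
    return True, "allowed"

# Constructed requests: a normal scan, then the same robot (its QR terminal
# taken over, as in the scenario above) and a partner stepping outside their role.
NORMAL = Request("robot-017", "robots", "parcel-db", "write-scan", True, True)
LATERAL = Request("robot-017", "robots", "video-store", "upload", True, True)
TAMPERED = Request("robot-017", "robots", "parcel-db", "write-scan", False, True)
PARTNER_WRITE = Request("sorting-center", "partners", "parcel-db", "write-scan", True, True)

if __name__ == "__main__":
    for r in (NORMAL, LATERAL, TAMPERED, PARTNER_WRITE):
        print(r.device_id, r.service, perimeter_decision(r), zero_trust_decision(r))
```

The perimeter check allows all four requests because they originate inside the network; the zero trust check allows only the normal scan.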
We’ve prepared some recommendations to help you improve your 5G supply chain security risk management based on the ZTA security approach.
IoT devices are often insecure by design. 5G has introduced many new connected devices, like terminals, headsets, glasses, and more. These may have even poorer security features and make for easy targets.
We recommend buying IoT devices with an integrated hardware root of trust. This is typically burnt into gadgets during the manufacturing stage. The root of trust ensures that only trusted nodes enter the network.
A root of trust alone isn’t sufficient for an IoT device to connect to a 5G network and its network slices. Supply chains need other authentication mechanisms for devices at the network entry level and within it. The most efficient mechanisms so far include the following:
Further 5G deployment will lead to growing traffic volumes. Companies can no longer rely on humans to supervise it all. So, they can switch to automated and virtualized security controls. Businesses can also add machine learning and other forms of AI for more intelligent threat detection. This technology can replace humans and improve risk mitigation.
Logging and filtering mechanisms would check the environment and changes within it. For example, such a mechanism may provide a detailed report or a high-level dashboard view. It will track trust status, network flows inside the system, and so on.
The detection of anomalous behavior can trigger various actions, including the following:
First, the mechanisms help the network to continue working even in the event of an attack. Second, they make sure that the attack won’t spread and take down the entire network.
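An added sketch, not part of the original post, of a filtering mechanism that reads flow logs, flags traffic leaving a slice's expected destinations, and quarantines the source so the other devices keep working. The log format, baseline, device names and the two-strike quarantine rule are assumptions, and the log lines are constructed.

```python
import re

# Constructed flow-log lines; the format is an assumption for this example.
FLOW_LOG = """\
t=100 src=robot-017 slice=robots dst=parcel-db bytes=512
t=101 src=cam-04 slice=cctv dst=video-store bytes=90000
t=102 src=robot-017 slice=robots dst=video-store bytes=300
t=103 src=robot-017 slice=robots dst=load-balancer-admin bytes=120
t=104 src=sensor-2201 slice=sensors dst=telemetry bytes=64
t=105 src=robot-017 slice=robots dst=parcel-db bytes=512
t=106 src=robot-018 slice=robots dst=parcel-db bytes=512
"""

# Destinations each slice is expected to reach (assumed baseline).
BASELINE = {
    "robots": {"parcel-db"},
    "cctv": {"video-store"},
    "sensors": {"telemetry"},
}
LINE = re.compile(r"t=(\d+) src=(\S+) slice=(\S+) dst=(\S+) bytes=(\d+)")

def process(log_text, threshold=2):
    """Return (forwarded, alerts, quarantined).

    A device is quarantined after `threshold` out-of-baseline flows; from then
    on all of its traffic is dropped, while other devices keep working.
    """
    strikes, quarantined, forwarded, alerts = {}, set(), [], []
    for raw in log_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            alerts.append(("unparsed", raw))  # never silently skip bad lines
            continue
        t, src, slc, dst, _ = m.groups()
        if src in quarantined:
            alerts.append(("dropped", src, dst, int(t)))
            continue
        if dst not in BASELINE.get(slc, set()):
            strikes[src] = strikes.get(src, 0) + 1
            alerts.append(("anomaly", src, dst, int(t)))
            if strikes[src] >= threshold:
                quarantined.add(src)
            continue  # an anomalous flow is not forwarded
        forwarded.append((int(t), src, dst))
    return forwarded, alerts, quarantined
```

On the constructed log, `robot-017` is quarantined after its second cross-slice flow, while `robot-018`, the camera and the sensor continue to be served.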
5G presents many new opportunities for supply chains and upgrades user experience. Unfortunately, new opportunities come with new risks. 5G unlocks extra vulnerabilities that hackers can exploit to damage the whole supply chain. It’s essential to consider all the possible risks before switching to 5G.