What are the software security implications of 5G?

Thierry Bonhomme, former CEO of Orange Business Services

Thierry Bonhomme is a renowned expert in the telecommunications industry, having served for over 30 years at Orange Group, most recently as CEO of its B2B branch (Orange Business Services) until 2018. He was in charge of the development of the division that provides telecommunications and IT services around the world, and also held leadership roles related to research and development. He holds an engineering degree from the Ecole Polytechnique and Ecole Nationale Supérieure Telecommunications. Thierry Bonhomme joined TrustInSoft as an independent board advisor in 2020.

 

In the next 2-5 years, what would be, in your opinion, the major, disruptive trends in the telecoms market?

The telecommunications industry is in many ways similar to other industries, in that the main trends seen in the rest of the industries exist also for telecommunications. However, nothing compares to the digital transformation taking telecom companies and their customers by storm.

This digital transformation, which is all about flexibility, adaptability, agility, and scalability, is profoundly changing industries, and particularly the mobile network operators, enabling them to become more efficient. This means being able to adapt strategies and executions to a very unpredictable and constantly changing environment, which is relatively new and valid more than ever today with the COVID-19 crisis. This digital transformation is built upon a collection of new technologies such as AI, IoT, Cloud, Analytics, and the modernization of the infrastructure. What makes things even more interesting for the operators is that they should try to support the digital transformation of their customers both in B2C and B2B. For B2C customers, this transformation is basically “more of the previous”, so more bandwidth, more services. For B2B, the transformation is more impactful because it will require a lot of new skills and competencies mainly based on software development. And this is one of the challenges the operators will need to face, as they were previously specialized in hardware (like boxes and associated services).

The catalyst for this digital transformation is of course 5G. The public benefits are quite well known: drastically higher speed, capacity, and reliability/low latency. What is more known to the specialists is that 5G introduces a separation between control plane and data plane. Data circulates on very standardized infrastructures, whereas the control functions are completely softwarized and based on elements that could be virtualized and as well developed in what we call a cloud-native infrastructure, thus reducing the need for hardware.

“Software is eating the world,” said Marc Andreessen from Andreessen Horowitz, and the operators are discovering it is very true for them as well, while thinking their business could be protected by barriers to entry, like the cost of the infrastructure.
Technologies will be based on software development capacities as well as software-defined infrastructure and 5G which is combining more or less all the technologies I mentioned for digital transformation.

5G is supposed to generate many new use cases. Which would be the most impactful in your opinion?

One of the main differences between 5G and previous generations of cellular networks lies in 5G’s strong focus on machine-type communication and the Internet of Things (IoT). The capabilities of 5G thus extend far beyond mobile broadband with ever-increasing data rates. In particular, 5G supports communication with unprecedented reliability and very low latencies, and also massive IoT connectivity. This paves the way for numerous new use cases and applications in many different vertical domains.

But 5G answers first a basic challenge of the operators: in order to support the ever-increasing traffic in the mobile telecoms business, due to more and more content available, operators need to take action on three fronts: building new radio sites, acquiring new spectrum, and enhancing the technologies to make them more efficient in terms of bits per hertz per second / spectral efficiency. Content streaming, sharing, and deliverability are growing very fast, but spectrum is limited, and it’s difficult to increase the number of sites in a given city or developed country.

Coming back to what will change with 5G, there are three revolutionary transformations with 5G: mMTC (massive Machine Type Communications), URLLC (Ultra-Reliable Low Latency Communications), and eMBB (enhanced Mobile Broadband). Behind these complicated acronyms lie three topics:

mMTC is all about capacity for large amounts of machines and being able to manage many objects in a limited area. At its peak, 5G is supposed to support more than 1 million objects per square kilometer. For operators, this means they will be able to manage very large amounts of devices in a given area without degrading the quality of service.

URLLC is enabling ultra-reliable and low latency services. With less than 10 milliseconds latency, not detectable by human brains, industries will get an immediate response in automation, robotics, or medical use cases, which is not possible with current wireless solutions.

Finally, the eMBB functionality will allow up to 10 times more bandwidth than 4G and will provide services comparable to the fiber. Obviously this will help the consumption of content streaming or remote gaming services, in higher resolutions. This will also enable what we call fixed wireless access, which is the capacity in relatively isolated locations where you don’t have fiber to provide fiber-like bandwidth and services.

But the most disruptive implication of 5G is that operators will be able to adapt and dedicate services for specific clients or industries, what we call the verticals: agriculture, healthcare, education, automotive, transports, industry… This is made possible with the virtualization of network services, edge computing, and network slicing.

Combinations of new standards within the 5G core network will allow interaction between partners, developers, industries, and the operators for developing new applications directly using the network-provided functions. This will provide many opportunities in the healthcare ecosystem, mission-critical world, and factory transformations. The combination of new technologies and initiative will give way to innovation, for example, the massive machine-type communication, leading to a transformation in manufacturing and production towards a more adaptable environment, known as Industry 4.0.

Do you think 5G will have a positive impact on the adoption of IoT and why?

Globally yes, as the value proposal of 5G is rather compatible with what the industry and factories need for their transformation. Many proofs of concept using limited volumes of IoT exist, but it’s not easy to generalize or transition to an industrialized solution and higher volumes, mainly due to the fact that there are many players and stakeholders involved in the transformation, slowing things down a little.

The promise of IoT is billions of objects connected. I don’t think it will happen within the 5G technology; it is probably a topic for 6G future development, which will happen in 10 years from now. However, in the meantime, even with current 4G and coming 5G, there are still many things that could and need to be invented and provided, to accelerate the digital transformation of the world, and that will contribute to deploying large volumes of devices.

For 5G, do you think this software is more mission- or safety-critical than previous software that we had on 4G networks?

Definitely yes! The service provided by 4G was not adaptable or tailored to specific services, users, or locations. You could only design specifications within the core network and that was it. It was one service for all, whatever the use case, client, or context.

With 5G and what is called “the slicing network services”, operators will be able to set up service, latency, throughput, resilience, availability, and reliability dedicated to specific clients, places, or use cases. Technically, it is possible by creating multiple virtualized and isolated logical networks over the same physical network infrastructure.

Moreover, “northbound APIs” exposed by network functions allow end-user applications to interact with the network functions of the 5G network; for instance, for driving a robot, or Automated Guided Vehicles, or for driving supply chain, etc. It is this network slicing that allows very deep connections between software, which will be developed for the industry of the future, for factories, robots, etc., and 5G.

Of course, there is an impact on safety and security that are driven today mainly by functions separation. While efficient, this is not very flexible or adaptable to use case specifics. On the other hand, in 5G, with direct interaction between the application and network functions, safety and security requirements of these very critical applications are transferred to the end-users within the 5G ecosystem.

To ensure these safety and security requirements are met, it is essential to have direct and efficient interaction and convergence between software developers, to check and provide the verification and validation that what is developed matches the safety and security requirements of the industry and the 5G network.

With all this software becoming available in this 5G context, what would be some of the cybersecurity issues that could originate from devices or end-user applications and that could have negative consequences for 5G users?

One of the risks will be at the interface or interconnection between the 5G and end-user ecosystems that used to be separated. Physical separation was an efficient but very rigid solution for security. When you are trying to interconnect different elements such as 5G network functions with IT local area networks or with industry ERP with the REST APIs, you open the door to new risks. While efficient in terms of new development capacity, it raises the risk for one element to pollute the others, creating potential issues that did not exist with physical separation.

This risk requires a deeper investigation of the compatibility in terms of safety and security between the different contributions of these new services.

Another challenge to be addressed is the difference in managing software deployments.
Having 5G within a given factory means that you will have 5G connectivity modules within the equipment or objects. Frequently, in a mobile network context, you need to update them often to include new features or patch the firmware. But with frequent releases, you are interacting and changing lines of code in the software of these 5G modules, which was not the case in the past. On the other side, in the industrial world, the components are very stable. The question here is how to manage and make these two previously-separated trends compatible? If there are more interventions, and code updates, there are more risks in terms of process control, including data leakage or other bugs.

According to you, what kind of changes should the equipment vendors make to adapt to these new constraints in developing software that is much more secure and safer?

Because of this new connection between networks and end-users, cooperation between ecosystems that were previously separated is absolutely essential. The capacity for different actors of the value chain to speak a common language, whether that’s between components providers, the machine builders, telecoms operation, IT developers, or system integrators, becomes critical.

Speaking a common language also means sharing testing and validation tools, for example, to address the safety and security topics and I see room for improvement here.
To achieve this cooperation, there is a need to launch very early joint projects based on testing. For example, initiatives such as joint testbeds, joint laboratories or projects could be efficient to take into account upfront and by design safety and security issues and end-to-end customer experience. This would allow developers to avoid working on those topics at the end of the process after realizing there are issues earlier in the code.

A last important challenge to tackle by the ecosystem is data sharing. I am referring to data that will contribute to the general interest and the development of the acceleration of the digital transformation. The ecosystem needs to agree on a common scope to share and use that data.

How do you see TrustInSoft’s contribution to help address the security challenges of 5G efficiently?

5G involves large quantities of software and code at all the stages of the ecosystem, northbound, southbound, and at the network layer.
TrustInSoft is already working with major telecommunication vendors to help them secure the source code behind the network functions.

However, with the massive machine type communication feature of 5G, there will be countless devices with embedded code and firmware, connected to the networks. TrustInSoft has an open window to strongly contribute here. With the mathematical guarantees on the robustness of that code, end-users will be reassured on the security and safety of those devices.

As “software is eating the world”, there will be more and more use cases that will leverage automation in connected factories or autonomous decision making – like in autonomous cars. It is more than ever essential to have a complete understanding and control over the software taking those decisions. Undefined behaviors cannot be tolerated as they can lead to dangerous behaviors or security risks. TrustInSoft’s code analyzer can ensure the absence of those behaviors, leading to 5G technologies being used in a secure way by the different industries.