
Adopting zero trust for private 5G

Aarthi Krishna and Kiran Gurudatt
20 Feb 2024

For organizations across the world, 5G has the potential to drive digital transformation and unlock new business opportunities, whether that’s connecting factories across vast areas or optimizing new energy sites like wind farms. However, as organizations embrace 5G, they must also address the escalating cybersecurity threats that come with this technological evolution.

Traditional security models, which rely on perimeter-based defenses and implicit trust built within the industrial network, are ill-equipped to handle the dynamic and distributed nature of 5G networks. This is where zero trust security principles come into play.

Defining zero trust

Zero trust assumes that an attacker may already be present within the network, and a constant cycle of validation needs to be in motion to prevent further infiltration and lateral movements. It offers a proactive and adaptive approach to security, emphasizing continuous verification and strict access controls to mitigate risks and ensure the integrity of 5G networks.

For industrial enterprises deploying private 5G networks, a zero-trust approach means that all access to 5G networks should be explicitly authenticated, authorized, and monitored, and access privileges should be continuously reviewed. No access should be granted implicitly or by default.

Zero trust for private 5G networks

Our strategy for implementing zero trust in private 5G networks aligns with the vendor-agnostic Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Framework, addressing security across five pillars of zero trust. By leveraging the right technology and methodology, Capgemini recommends an approach based on zero trust principles for secure deployment of 5G technology in OT networks.

The implementation of robust protection and seamless operations needs to cover all five key pillars:

  • Identity: Define and enforce granular access control policies for industrial users, allowing specific users to perform specific tasks on a specific asset. These policies should consider contextual requirements such as the time and location of a user’s request.
  • Devices: Validate the end devices and ensure that the trust level of the devices is assessed. Policies need to be enforced to allow the segmentation of devices based on 5G network-specific identities, e.g. Subscription Permanent Identifier (SUPI)/Subscription Concealed Identifier (SUCI). Policies should support device identity matching and context-based segmentation that allows the grouping of devices based on device type, cellular identities, and location, along with quality of service (QoS), latency, bandwidth, redirection, etc.
  • Networks: Zero trust requires a clear separation of communication flows for network control and application/service tasks. For organizations using private 5G networks, a secure communication channel should be established when communicating with different locations, in addition to enabling secure remote access so that only those with the correct authentication and authorization credentials are allowed on the network.
  • Applications and Workloads: The OT environment hosts various applications that are used for different purposes, such as data collection, process monitoring, and product creation. Access to these applications over a 5G network should be governed by access control policies that enforce application control, thereby minimizing the attack surface at ingress and egress. Policies should also be able to detect workload vulnerabilities and misconfigurations and enable application control based on operator-specific/standard slices.
  • Data: Data protection should include measures to protect sensitive industrial information and prevent data loss. Data protection must be supported for both data at rest and data in motion, taking into account data classification and file types. Data flowing from one industrial site to another and to remote users must be inspected for data leakage, and measures must be taken to restrict access to unmanaged devices and unknown users.

Key industrial 5G security use cases aligned with the zero-trust framework include:

  • Network segmentation: Improve digital perimeter resilience by enforcing, micro-segmenting, and grouping devices based on device type (CCTV, mobile), vendor, location, QoS, or 5G cellular identities (SUPI/SUCI).
  • Secure remote access: Enforce zero trust-based access controls and offer secure remote access to industrial environments deploying 5G assets for internal and third-party users.
  • Policy enforcement for slices: Apply security policies per network slice or group of slices assigned to various applications, based on their slice ID, and thus prevent unauthorized data transfer and block various malicious activities inside the industrial environment.
  • Security monitoring using 5G SOC: Security monitoring of various 5G-powered industrial devices (sensors, robots, cameras, drones, end-user phones, laptops) in a 5G security operations center (SOC) that offers centralized visibility along with other features such as incident management and vulnerability and compliance management.
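
The identity and device pillars and the slice policy use case above can be combined into a single default-deny access decision. The sketch below is an added example, not Capgemini's or any vendor's implementation; the rule format, field names, SUPI values, and slice IDs are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    task: str
    asset: str
    location: str
    at: time
    supi: str       # 5G subscription identity of the device in use
    slice_id: str   # network slice carrying the traffic

# Constructed sample data: enrolled devices grouped into segments by SUPI.
SEGMENTS = {
    "imsi-999700000000001": "cctv",
    "imsi-999700000000002": "maintenance-tablet",
}
# Constructed allow rule: a specific user, task and asset, plus context.
RULES = [
    {"user": "alice", "task": "update-firmware", "asset": "plc-7",
     "location": "plant-a", "window": (time(8, 0), time(18, 0)),
     "segment": "maintenance-tablet", "slice": "slice-ot-control"},
]

def decide(req, rules=RULES, segments=SEGMENTS):
    """Return (allowed, reason). Nothing is granted implicitly."""
    segment = segments.get(req.supi)
    if segment is None:
        return False, "device not enrolled"
    reason = "no rule for this user/task/asset"
    for r in rules:
        if (r["user"], r["task"], r["asset"]) != (req.user, req.task, req.asset):
            continue
        # Every contextual condition must hold; record the first that fails.
        checks = [
            (r["segment"] == segment, "device segment not permitted"),
            (r["slice"] == req.slice_id, "wrong network slice"),
            (r["location"] == req.location, "location not permitted"),
            (r["window"][0] <= req.at <= r["window"][1], "outside permitted hours"),
        ]
        failed = [msg for ok, msg in checks if not ok]
        if not failed:
            return True, "allowed"
        reason = failed[0]
    return False, reason

if __name__ == "__main__":
    req = Request("alice", "update-firmware", "plc-7", "plant-a",
                  time(10, 30), "imsi-999700000000002", "slice-ot-control")
    print(decide(req))
```

Returning the reason alongside the decision gives the monitoring side a record of which condition blocked each denied request.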

Conclusion

Implementing zero trust for private 5G networks involves several essential steps: defining all the key assets to be protected, such as applications, devices, and data; documenting the traffic flow over the 5G networks; and defining fine-grained policies that determine access to resources, along with logging and monitoring that provide key insights into network activity. Effectively implementing zero trust across all levels can greatly enhance the security posture of OT networks leveraging 5G technology.

By embracing zero trust principles and integrating them into the fabric of 5G networks, organizations can mitigate risks, protect sensitive data, and ensure the integrity of their networks in an increasingly interconnected and dynamic digital world.

You can learn more about our approach and our partners by joining us at Mobile World Congress in Barcelona between 26–29 February 2024.

Author

Aarthi Krishna

Vice President, Cybersecurity Services, Capgemini

Kiran Gurudatt

Director, Cybersecurity, Capgemini