By Ari Mahairas, 2020Partner and Director of Security for SL Green Realty
5G is a hot topic in our digital society but has been met with mixed feelings from businesses and consumers since its conception. One of the biggest questions being thrown around is how 5G affects Internet of Things (IoT) and Operational Technology (OT) devices. To the average consumer, it means faster data speeds, lower latency, and greater network capacity. For business, it’s the next generation in data movement impacting all sectors, including commercial real-estate.
As the 5G roll-out continues, there has been a wave of efforts to help consumers and organizations alike understand how it will benefit them. On the business front, 5G’s capacity to increase the amount of data that can be moved at an exponential rate is revolutionary. By way of comparison, the average speed of 3G connections is 3 megabits per second (Mbps) (30 times faster than 2G), 14 Mbps for 4G (5 times faster than 3G), and 50 Mbps for 5G. To put this in perspective, downloading a 2-hour movie would take approximately 26 hours using 3G, 7 minutes on 4G, and 6 seconds on 5G. In addition to the increase in speed, another benefit is the increase in the number of devices that can be, and are expected to be, connected to the internet. By some estimates, nearly 31 billion IoT devices are expected to be connected worldwide by 2025. This technological advancement will no doubt provide great opportunities in business efficiency. However, there are always two sides to a coin. With more data comes more responsibility and the risk of greater security exposure – in both a cyber capacity as well as a physical one.
But how do the two link together?
The cyber status
When rumors of 5G first emerged, all eyes turned to IoT devices. Naturally weak in terms of security, IoT devices have a bi-directional flow of receiving and transmitting information. Traditionally, the real-estate of an IoT device was limited due to its physical size; therefore, baking in security was not a priority for manufacturers. For example, a device may hold a default password, but it doesn’t allow the password to be updated – ergo, weak security.
Compounding IoT with 5G is, therefore, a cause for concern amongst businesses – and rightly so. In addition to the increased attack surface created by the billions of IoT devices that are connected, the speed at which data is transmitted and the software the 5G ecosystem heavily relies on both elevate the risk of exploitation. If appropriate technical due diligence and risk mitigation processes are not implemented regarding the software 5G uses, it will only be a matter of time before the effects of a massive compromise are realized.
Additionally, weak links between the cellular networks and Wi-Fi could endanger an entire system. Let’s take a warehouse environment as an example. The data might be communicated inside the warehouse via Wi-Fi, but IoT sensors attached to a forklift moving crates from a container to a truck may switch over to a 5G network to provide the information used to project real-time deliveries. In this scenario, if the network being used was compromised and the data altered, all connected corporate devices could be exploited, which may result in no less than business disruption and lost revenue, not to mention reputational damage.
This increased risk becomes even clearer in Supervisory Control and Data Acquisition (SCADA) systems, which incorporate OT devices typically used in the management of critical infrastructure like water and wastewater systems or electric grids. The United States identified 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security. It’s quite possible to imagine a scenario where the compromise of one critical infrastructure sector may lead to the compromise of another and begin a cascading effect that will be difficult to contain. Bottom line, if the OT devices and the 5G network they are connected to are compromised, the risk of a catastrophic event becomes real, for both business and individuals. This is where the line blurs between cyber and physical security.
From the cyber plains to the physical world
When we think of physical security, we picture key cards, body scanners and burly security guards staring us down. While trivial in its description, this all links to access control – a major part of all security initiatives – both cyber and physical based.
Take proximity cards, for example: some companies now use smartphones as alternate access control devices. The phone operates over Bluetooth; when it is held near the proximity reader, the system verifies the application and communicates data to the access control panel which, if the data is validated, sends it back authorizing access. There you have it: cyber and physical security merge into one.
This could apply to any infrastructure using IoT and 5G devices, including data analytics or surveillance systems. In any scenario where there is a physical location in the picture, once the digital security is compromised, it quickly becomes a material physical security issue as well.
Understanding the attacks
Now that we know what’s at stake, we can start to formulate our risk mitigation strategy. And to establish a strong defense, we need to understand what we’re up against.
Ransomware is undoubtedly one of the biggest threats to organizations today, but at least we can begin to understand the motivation behind it – a big pay-out. The most dangerous threats are the ones where this driving force is less clear.
But there is always a reason – unlike in the past, attackers today would rarely launch a major campaign ‘just for the fun of it.’
When physical security comes into it, there are usually three forms of hackers. Firstly, there are the ones who wish to lock down a system as part of a ransom attack. Secondly, we enter nation-state territory, where a physical location potentially holds a person or a datafile of interest. And finally, the terrorists. This group is growing far more sophisticated and technically savvy and could be capable of strategizing a coordinated attack using the two sides of security. This is very similar to nation-states using malicious cyber activity as a tool to prepare the battlefield prior to placing boots on the ground, as was seen in the 2008 Russo-Georgian War.
Supply chains are also often a primary target for criminals seeking to disrupt cyber and physical security. Taking out warehouses or manufacturers within a chain or compromising software used by businesses could lead to complete collapse and devastation.
Keep mitigation in mind
It’s important to remember that a threat does not become a tangible risk without a vulnerability. For example, an apartment in an urban area with open windows has virtually no risk of a bear climbing into the apartment. The vulnerability exists because the windows are open, but the lack of bears in the city means no threat of a bear attack. However, if we apply the same conditions to a mountain-based property – where bears live – the risk becomes real because the vulnerability (open window) and the threat (bear nearby) are both present.
In all contexts – whether an office building, supply chain, or city apartment – mitigating the risk means identifying and eradicating any vulnerabilities. Where 5G is involved, it’s vital that the software it uses and the infrastructure it relies on are regularly monitored and scanned for weaknesses, especially knowing IoT and OT devices will be present.
5G – and all generations to come – has the potential to revolutionize business, increase efficiencies, and make our lives easier. But only if cyber and physical security strategies can keep up. To do so in this fast-paced, complex environment, let’s not forget the lessons of 9/11. We must understand the gravity of the threat and cannot allow ourselves to be found guilty of a failure of imagination.
Aristedes (Ari) Mahairas is the Senior Vice President (SVP), Chief Security Officer for SL Green Realty, the largest commercial Real Estate Investment Trust (REIT) in New York City, where he provides strategic and operational leadership to its executives and oversees all security, technology systems, and safety functions. Ari is also a partner at 2020Partners, a leading cybersecurity collective. Prior to joining SL Green, he served as the Special Agent-in-Charge (SAC) for the Counterintelligence and Cyber Divisions of the FBI’s New York Office. Prior to his entry into the FBI, SAC Mahairas served as a Police Officer in New York City. He received a Bachelor of Arts degree in Political Science from Baruch College and his Juris Doctor from New York Law School.