Private 5G Networks: Security Considerations for the Health & Care Sector
Private 5G networks are a relatively new but growing method of providing connectivity for devices in an enterprise network, from small IoT sensors to autonomous robots to workers' laptops. These networks offer a host of benefits beyond what is provided by a typical Wi-Fi network today: greater security and availability, higher speeds and lower latency, reduced energy consumption, and improved mobility of devices, among other benefits.
The supply market for private 5G networks is very buoyant with a range of suppliers and other relevant parties. Traditional public network operators such as Vodafone or Telefonica have significant expertise in designing, building and managing large scale 5G networks and have started to offer this expertise to enterprises wishing to adapt to private 5G in their factories, ports, warehouses, hospitals, and many other use cases.
It is not just public network operators though that have expertise in this area. Due to the significantly lower barriers to entry for private networks, relative to public networks, there is a large market of smaller, more niche vendors of network equipment who are taking their expertise, products and services to the enterprise market where they can offer value for money solutions directly to the customer, rather than via a network operator as is traditional.
One of the key enablers for private 5G networks is the use of cloud computing, both for running the network functions themselves and also providing high-power and secure compute for critical applications. For example, an autonomous vehicle moving around a factory requires high compute power and this can be provided in the cloud rather than on the vehicle itself. As such we see significant interest in private networks from the major cloud providers such as Amazon Web Services (AWS). They offer compute services designed specifically for 5G networks, such as their Wavelength edge computing service which puts servers as close as possible to the end user, creating that much needed high-compute power with as low a latency as possible.
A broad range of Government departments and other public sector bodies are interested in Private 5G and see it as a great enabler for a ‘digital UK’, improving productivity and making the UK a safe place to work. Ofcom have been a great enabler for private 5G networks with the release of mobile spectrum for private networks while DCMS’s 5G Testbeds and Trials (5GTT) Programme has provided significant value to the sector by funding £200m worth of trials. Ensuring these are developed as securely as possible is extremely important and NCSC are working closely with DCMS and others to support these trials and produce relevant guidance for industries looking at deploying their own private 5G networks.
Standards bodies play a critical role in the development of telecoms technology with the 3GPP being the main body for 5G networks. With specific standards for private 5G networks they are a key enabler for the sector.
As with all technology there are a range of potential security threats and opportunities presented. From simple and secure device-to-network authentication to encryption, 5G networks have a host of security features which make them a secure option for the enterprise. However, a significant skills gap presents concern around the design, build and management of new private 5G networks, while traditional security tools and methods will need to be adapted quickly to a new way of working for private 5G networks and the IoT.
As such, we recommend a series of actions to begin proactively addressing the challenges these present and taking advantage of the opportunity too. We recommend, in priority order:
1. Engage the telecoms standards community to ensure that Health and Care requirements are being considered in the development of 5G standards.
2. Engage the private 5G supplier market to ensure that products and services are being developed that will meet the needs of the Health and Care community.
3. Seek to understand the network roadmaps for Health and Care organisations, to ensure alignment with timescales.
4. Develop guidance for the design, build and management of private 5G networks within a health and care setting.
Given the pace at which private 5G network technology is developing the first two of these recommendations should be started as soon as possible, so that standards, products and services best meet the needs of the health and care community.
Finally, private 5G networks present a real opportunity to transform health and care with the proliferation of connected medical devices providing significant value to users from patients to nurses. It is critical though that the opportunity is taken advantage of in a safe and secure way.
This report is aimed at members of the Health and Care community, and those involved in enterprise IT network development and management, including Cybersecurity. As such it is assumed that readers will have some knowledge and understanding of these areas. This report will focus on the topic of 5G and Private 5G rather than enterprise IT.
The aim is to provide readers with an understanding of what private 5G is, the benefits it may provide, to give a feel for what the market looks like, what trials and deployments have taken place so far and what some of the security threats and opportunities may be for the community.
In this report we will take readers through an introduction to 5G initially before discussing in more detail Private 5G: what it is, who the key players are, what the key enablers such as spectrum are, and where it is being trialled and implemented. We will then discuss the threats and opportunities it presents for cybersecurity. Finally, we provide some recommendations for actions and next steps to begin addressing threats, taking advantage of opportunities, and enhancing the knowledge and understanding of the technology within the community.
Introduction to 5G
5G is the fifth generation of mobile network technology, an emerging technology designed to be the successor of 4G. 5G has been developed to meet a growing demand for three main requirements: high speeds, low latency, and a greater number of connected devices. These requirements stem from a series of forecasted use cases based on other emerging technologies.
The increased network capacity of 5G creates a host of opportunities surrounding the Internet of Things (IoT) as a 5G network can support an increased number of connected devices compared to previous generations of cellular network technology. A 5G network can provide connectivity for approximately a million IoT devices within a half-mile radius. 5G boasts speeds of up to 10 Gbps which is up to 10 times what is possible on 4G networks. Latency is possible down to 1 ms, compared to 30+ ms for today’s 4G networks.
There are some key services within 5G networks that are of interest for this report: Network Slicing and Edge Computing.
Network slicing is a type of networking virtualisation architecture that allows a single network connection to be divided into multiple virtual networks. Each “slice” of the network can be allocated specific resources and configurations based on the requirements of the use case. Some services may require higher data speeds and very low latency, and as such can be run on high compute power equipment, whereas other services may value service reliability over latency and speed and may be configured to utilise other, perhaps cheaper, network services.
Edge computing is the practice of bringing applications, computation functions, and data storage geographically closer to the end users and/or the IoT endpoints that need to interact with the applications. For 5G use cases relying on low latency it is often important that 5G is coupled with edge computing in order to support the low latency requirements.
5G networks are relatively early in their development, with deployments of public networks being only 1–2 years old and significant development still to come as standards develop and operators switch from 3G and 4G into 5G-focussed operators. (Note that 2G networks are likely to be in operation longer than 3G.)
Introduction to Private 5G
A private 5G network (sometimes referred to as non-public network) provides dedicated services for a defined closed group of devices. The 5G private network is deployed on the organisation’s premises such as a hospital or a campus. Private networks have a range of benefits that may make them desirable for a business.
Since a private network covers a smaller area than a public network it is more feasible to have complete coverage of the area, with 5G access points being placed closer together and thus capable of providing stronger local coverage than a public network. The ability to have an area packed more densely with access points also provides speed benefits. If data is stored locally then latency when accessing or storing data will be greatly reduced. This could be extremely important in some use cases that rely on real-time interaction or extremely low latency. Another performance benefit of private networks is the ability to prioritise traffic from specific user/device groups. This means that an organisation could prioritise users that rely on time-critical use cases for the 5G network; those users would see improved speeds and increased bandwidth. 5G private networks are also capable of hosting low latency and ultra-reliable low latency cloud-based applications inside the organisation’s premises.
Operating on a private network gives the company independence from network providers, allowing full control over the network configuration and operating methods. Security policies can be implemented in line with the organisation’s requirements. A cellular private network is significantly more secure and reliable than a Wi-Fi network. If configured and maintained correctly a private network has the potential to provide a more reliable service than a public network as any uncontrollable external factors are removed.
There are also benefits such as improved handover between access points when compared to others such as Wi-Fi where there is not a seamless handover as a device moves around between access points. This is critical for some use cases such as autonomous vehicles in factories or perhaps connected medical devices in a hospital.
Private 5G networks are relatively new with many deployments being in quite controlled trial-like environments. We discuss these deployments throughout this report. Private 5G has a lot of development still to come and is expected to increase significantly over the next 5-10 years.
State of the Market
Public Network Operators
As would be expected many of the public network operators such as Vodafone, Telefonica, and BT are very interested in private networks, particularly where there is a cellular element, given their experience and market position. Public operators have offered private network services to customers for some time, starting with 4G networks. However, adoption of private 4G networks has been minimal. This is generally due to the capabilities being very similar and, in some cases, less than those of more traditional fixed networks such as wired LANs and Wi-Fi combined with a generally fixed nature of enterprise IT requirements i.e. fixed computing. It is only recently that more mobile connectivity has been required with the proliferation of smartphones and tablets, and importantly the Internet of Things (IoT).
There are a number of potential advantages to using a public network operator when deploying a private 5G network. The primary advantage is that you benefit from the provider’s existing public network, which reduces costs and deployment timelines. However, depending on the exact deployment this may be to the detriment of security and quality of service. You also benefit from the significant expertise within these companies whose day job is to plan, deploy and manage cellular networks.
An interesting aspect of public network operator interest and involvement is that it is not limited to operators of that country. There is interest in, and some initial deployments of, private networks in the UK by operators from other countries such as the USA. For example, Verizon (a US-based operator) have deployed their first private 5G network in Europe at the Port of Southampton.
A particularly interesting aspect of private 5G networks is that unlike public networks they do not require a large network operator to build, run and maintain them. As such we see significant deployments of private networks by equipment vendors themselves, cutting out the network operator.
Equipment vendors, which includes both hardware and software, have significant expertise in designing, deploying and running networks. However, there are some challenges with using only equipment vendors such as being locked into a single supplier as typically one vendor will design and build a network using all of their own network equipment as much as possible. You also lose some of the advantages of using a large public operator such as being able to utilise their wider public network and future developments there.
Despite some of these challenges they have continuously proven themselves to be very capable and cost effective in deploying private networks. It’s estimated that some 80% of private 5G deals have been led by non-public network operators such as equipment vendors themselves.
There are a significant number, potentially thousands, of equipment vendors, with around half a dozen sharing the majority of the market and a long tail of smaller vendors. These smaller vendors are deploying some interesting technology and use cases. For example, Dense Air have deployed a private 5G network at the Millbrook Test Ground to use as a test bed for new connected and autonomous vehicles. A little less headline-worthy but just as interesting is FreshWave’s design, deployment and management of a large-scale private cellular network across a holiday park using a newly available shared spectrum license.
Standards bodies play a critical role in the development of telecoms technology. They set the standards by which equipment vendors build their products and network operators build their networks. Invariably there is some development and implementation of proprietary technology such as protocols and interfaces but in general all telecoms follow common standards.
There is one main standards body within telecoms that is heavily involved in the development of private 5G networks: the 3rd Generation Partnership Project (3GPP).
The 3GPP covers cellular telecoms technology, including the radio access network, core network and service capabilities, which provide a complete system description for mobile telecoms. A partner organisation, the European Telecommunications Standards Institute (ETSI) is also a key player but as its standards form a part of 3GPP standards we will include them as one organisation for this report.
3GPP uses a system of ‘releases’ which provide developers with a stable platform for the implementation of features at a given point and allows for the addition of new functionality in subsequent releases. The most relevant releases for private 5G networks are 15, 16, 17 and 18.
UK Government Bodies
There is significant interest in 5G in general across a broad range of government departments and other public sector organisations, all with specific aspects they are looking at from regulating it to using it in their organisation. For this report we will look at Ofcom, DCMS and NCSC. It’s worth noting that in our research we found that a large number of public sector organisations were interested in 5G but were not necessarily relevant for this report, for example, the Home Office are interested from a crime prevention and prosecution perspective.
Ofcom are the UK’s communications regulator and are critical in enabling the telecoms industry. One of their key enablers is the licensing of spectrum and making some spectrum available without license, i.e. license-exempt; for example, the 2.4 and 5 GHz spectrum that is widely used by Wi-Fi devices is license-exempt. Ofcom recently released two new types of spectrum license specifically aimed at the growing private cellular network market. These are ‘local access’ and ‘shared access’.
The Department for Digital, Culture, Media and Sport (DCMS) are leading the UK’s approach to improving connectivity and building a ‘digital UK’. As such DCMS have developed a wide range of initiatives to drive forward the development of 5G, which includes a push into private 5G networks for enterprises. One of their largest and most successful initiatives has been the 5G Testbeds and Trials (5GTT) Programme, for which some £200m has been allocated. One of the trials under this programme of work is the Liverpool 5G Health and Social Care Testbed. This trial set up a private 5G network across a part of the city in order to test a range of health and care services such as ‘safe house’, which uses a variety of sensors to detect a fall in a vulnerable person’s home. Other projects under the 5GTT Programme have built private 5G networks for transport, manufacturing, tourism and agriculture.
The National Cyber Security Centre (NCSC) are also heavily involved with the DCMS-led 5GTT Programme and work closely with them on the security strand of the programme. This strand includes specific projects but also looks across all of the other projects to ensure that the Programme overall follows and incorporates security best practice and informs the development of policy and guidance in this area. Much of NCSC’s public guidance focusses on the public network operators, where they have produced very good guidance on specific threats to 5G networks. There is an increasing focus on private networks through the Critical National Infrastructure sector, where they provide specific advice and guidance and support policy and regulation. For example, as a result of an emerging desire among local authorities to investigate Smart City technology they developed the ‘Connected Places Cyber Security Principles’, much of which is highly relevant for the Connected Medical Device community and those exploring private 5G networks.
In this section we will discuss some of the strategic security threats and opportunities presented by the introduction of private 5G networks in a health and care setting where connected medical devices (CMDs) may be connected to that network. We will not look at specific tactical issues such as weaknesses in specific protocols or general cybersecurity concerns such as supply chain issues.
5G networks, as discussed, are heavily based on a single set of standards which are thoroughly developed by a well-established community of developers and other interested parties. There is a specific group within 3GPP, the TSG SA3, that defines the requirements and specifies the architectures and protocols for security and privacy within 5G networks. This group have specified, for example, control and user plane separation and integrity protection (i.e. the network is able to determine the integrity of messages). The group also run a vulnerability disclosure process where vulnerabilities can be reported and resolved.
There is a large and well-developed supply base and expertise within the cellular telecoms industry which helps to reduce risks associated with supply chain diversity and having the appropriate skills and knowledge to design, build and operate secure private 5G networks.
Cellular networks make use of unique user identifiers to authenticate users and allow them to connect to the network. In 5G networks this is known as the Subscriber Permanent Identifier (SUPI). This makes the management of users simple and secure, with no requirement for passwords or other potentially insecure methods for authenticating on to a network.
All user data within a 5G network is encrypted and devices are subject to mutual authentication, i.e. both the device and network authenticate. This means that data within the 5G network is confidential; only when it leaves the network, e.g. on to the Internet, does it lose this encryption.
Given that most private 5G networks will use licensed spectrum, as discussed earlier in the report, there is significantly reduced risk from interference that is present with other network technologies such as Wi-Fi or Bluetooth. Interference can reduce the reliability and availability of networks which is of concern when potentially life-critical medical devices are connected. There is anecdotal evidence of members of the public bringing their own Wi-Fi dongles into healthcare settings and causing significant interference issues with the enterprise network.
Skills gaps across both the supplier and enterprise IT teams are another security threat. With the combination of cellular networks and more traditional enterprise IT being so new there are gaps in knowledge and skills on both sides. Private 5G networks are very different to traditional fixed IT networks, in terms of architecture, language, management and operation, and as such it’s likely that teams will not have the required knowledge to design, build and operate private 5G networks in a secure manner. Similarly, vendors and system integrators for private 5G are unlikely to have the knowledge of enterprise IT requirements and what they need in order to safely secure their network and the data within it. These skills gaps present a threat.
The types of devices likely to be connected to a private 5G network are also of concern. There are likely to be low-complexity devices connected, including future medical devices, which are not capable of having any real security features such as agent-based endpoint protection and discovery, or even software and firmware updates. The scale of these devices also presents challenges as networks go from managing thousands of devices to managing potentially 10s or 100s of thousands. This means that traditional security tools such as SOARs and SIEMs may need to be adapted, if they work at all with devices connected to private 5G networks.
In this section we propose a number of actions to begin proactively considering and preparing for the potential impacts of private 5G networks on the Health and Care community. These are unlikely to be exhaustive actions but should form a good basis to start. They are presented in a recommended priority order and given the pace at which the technology is developing should be started as soon as possible.