Serving up secure IoT with network slicing security
How can network slicing security secure tomorrow’s IoT networks? Below, we take a look at Ericsson Research’s latest findings within IoT security concepts, compiled in collaboration with partners across industry and academia.
Our societies now rely on connected devices to an ever-increasing extent. Known more commonly as the Internet of Things (IoT), these connected devices – often with limited protection, easy physical access, and sometimes even insufficient updates – are becoming an increasingly attractive target for attackers.
As a key enabler of IoT, network slicing is a feature of 5G which allows a wide range of different needs to be served on a single physical network. Each slice can be optimized for a specific use case.
Why is network slicing security relevant for IoT?
IoT use cases range from environmental monitoring to industrial automation. Each scenario comes with its own needs in terms of networking, scalability and security. These challenges range from the need to manage a massive number of devices, deliver coverage and conserve energy, to use cases such as industrial control and automotive control, which require very reliable, low-latency communications.
It is difficult to optimize the mobile network to serve these sometimes unique and very different requirements efficiently. Network slicing makes it possible, because each slice can be optimized for a specific use case.
We have worked with partners from industry and academia in the 5G!Pagoda project, a collaboration between EU H2020 and Japan, on network slicing concepts beyond 5G, and in the EU H2020 project Anastacia specifically on IoT security.
Let us look at a few examples as to how network slicing security can help to protect and improve the reliability of IoT networks.
Examples of network slicing security
First of all, network slicing provides isolation between the slices, both in terms of traffic and resources. While traffic isolation can also be provided by Virtual Private Networks (VPN), resource isolation requires support from the network. Isolating resources and control, in addition to user traffic, plays an important role in protecting critical systems from DoS attacks. For example, if IoT devices of a particular kind, all having a common vulnerability, are placed in one slice, the scope of a potential attack can be limited to that slice. As a consequence, the more slices we have, the better the resources are isolated. In the extreme case, we could have dedicated slices for specific services, tenants, geographical areas and device classes.
Slices can be customized with different security mechanisms and policies. For example, there may not be any need to offer direct internet connectivity to devices in a slice where the services are provided as virtual network functions (VNFs) within the slice. Each slice can operate with different security functionality, such as firewall configurations, access policies and packet inspection, that has been customized for the given services. Slices can also provide their own charging and authentication schemes.
Second, if devices with similar behavior and characteristics are allocated to the same slice, it is easier to observe the typical behavior and detect anomalies and changes in behavior and traffic patterns. For instance, a device in an IoT slice whose traffic no longer matches IoT traffic patterns might trigger a warning.
As a reaction to threats, we have also studied mechanisms for transferring a device from one slice to another. This, combined with the possibility to dynamically create new slices, allows a security function to isolate devices in a separate slice. For example, once suspicious behavior has been observed, the affected devices could be transferred to a quarantine slice, which may be a replica of the original slice with certain modifications. This slice may be configured with stricter firewalls that restrict traffic to specific destinations, lower bandwidth, and/or inspection functions for deeper analysis. Instead of completely blocking the device, we can allow it to operate under tighter restrictions. In particular, we can adjust the tradeoff between performance and security dynamically: in the normal case, the service is implemented with a slice optimized for performance and scalability. When there is a reason to increase the security requirements, a slice optimized for security is adopted.
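The two mechanisms just described, per-slice anomaly detection (a device whose traffic no longer matches the slice's pattern) and transfer to a quarantine slice that is a stricter replica of the original, can be sketched in code. The example below is added here for illustration and is not code from Ericsson Research or the 5G!Pagoda/Anastacia projects; the flow records, device ids, slice names, addresses and the policy fields (allowed destinations, bandwidth cap, deep inspection, internet access) are all constructed assumptions, and the anomaly rule (an unexpected destination, or more than ten times the slice's median per-device volume) is one simple choice among many.

```python
"""Per-slice baseline, anomaly detection and quarantine-slice transfer (illustrative example)."""
from dataclasses import dataclass, field, replace
from statistics import median
from typing import Dict, List, Set, Tuple

# Flow records: (device id, slice name, destination address, bytes sent in one interval).
# All device ids, slice names and addresses below are constructed for this example.
TRAINING_FLOWS = [
    ("meter-01", "water-utility", "10.20.0.5", 1200),
    ("meter-02", "water-utility", "10.20.0.5", 1100),
    ("meter-03", "water-utility", "10.20.0.5", 1300),
    ("meter-04", "water-utility", "10.20.0.5", 1250),
    ("meter-05", "water-utility", "10.20.0.5", 1150),
]
OBSERVED_FLOWS = [
    ("meter-01", "water-utility", "10.20.0.5", 1180),
    ("meter-02", "water-utility", "10.20.0.5", 1120),
    ("meter-02", "water-utility", "198.51.100.7", 250000),  # bulk upload to an address outside the slice
    ("meter-03", "water-utility", "10.20.0.5", 1290),
]


@dataclass(frozen=True)
class SlicePolicy:
    """Hypothetical per-slice security policy (fields are assumptions, not a 3GPP model)."""
    allowed_destinations: frozenset   # VNF addresses reachable from inside the slice
    max_kbps: int                     # bandwidth cap for devices in the slice
    deep_inspection: bool             # route traffic through an inspection function
    internet_access: bool             # whether the slice offers direct internet connectivity


@dataclass
class Slice:
    name: str
    policy: SlicePolicy
    devices: Set[str] = field(default_factory=set)


@dataclass
class Baseline:
    typical_bytes: float              # median per-device volume per interval in the training window
    typical_destinations: Set[str]    # destinations seen in the training window


def learn_baseline(flows, slice_name: str) -> Baseline:
    """Summarise 'normal' for one slice: devices with similar behaviour make this meaningful."""
    per_device: Dict[str, int] = {}
    destinations: Set[str] = set()
    for device, sl, dst, nbytes in flows:
        if sl == slice_name:
            per_device[device] = per_device.get(device, 0) + nbytes
            destinations.add(dst)
    return Baseline(median(per_device.values()), destinations)


def detect_anomalies(flows, slice_name: str, baseline: Baseline,
                     volume_factor: int = 10) -> List[Tuple[str, str]]:
    """Flag devices whose traffic no longer matches the slice's traffic pattern."""
    totals: Dict[str, int] = {}
    findings: List[Tuple[str, str]] = []
    for device, sl, dst, nbytes in flows:
        if sl != slice_name:
            continue
        totals[device] = totals.get(device, 0) + nbytes
        if dst not in baseline.typical_destinations:
            findings.append((device, f"unexpected destination {dst}"))
    for device, total in totals.items():
        if total > volume_factor * baseline.typical_bytes:
            findings.append((device, f"volume {total} B exceeds {volume_factor}x baseline"))
    return findings


def quarantine_slice_for(original: Slice, registry: Dict[str, Slice]) -> Slice:
    """Create (once) a replica of the slice with a stricter policy: lower bandwidth, inspection on."""
    name = original.name + "-quarantine"
    if name not in registry:
        stricter = replace(original.policy,
                           max_kbps=min(original.policy.max_kbps, 64),
                           deep_inspection=True,
                           internet_access=False)
        registry[name] = Slice(name, stricter)
    return registry[name]


def transfer_device(device: str, source: Slice, target: Slice) -> None:
    """Move a device between slices; the device keeps operating under the target's policy."""
    source.devices.discard(device)
    target.devices.add(device)


def run_demo():
    """Learn a baseline, detect the misbehaving meter and move it to the quarantine slice."""
    policy = SlicePolicy(frozenset({"10.20.0.5"}), max_kbps=256,
                         deep_inspection=False, internet_access=False)
    water = Slice("water-utility", policy, {f"meter-0{i}" for i in range(1, 6)})
    registry = {water.name: water}
    baseline = learn_baseline(TRAINING_FLOWS, water.name)
    findings = detect_anomalies(OBSERVED_FLOWS, water.name, baseline)
    for device, _reason in findings:
        if device in water.devices:
            transfer_device(device, water, quarantine_slice_for(water, registry))
    return registry, findings


if __name__ == "__main__":
    reg, found = run_demo()
    for dev, reason in found:
        print(f"{dev}: {reason}")
    for sl in reg.values():
        print(sl.name, sorted(sl.devices), sl.policy)
```

The quarantine slice is created lazily as a copy of the original policy with only the restrictive fields changed, which mirrors the "replica with certain modifications" idea; the transferred meter is not blocked, it simply continues under the 64 kbps cap with inspection enabled while the remaining meters keep the performance-optimized slice.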
In the longer term, we can envision the support for connecting a device to multiple slices simultaneously. Once the mobile operating system is aware of slices, isolation can be extended all the way to the application. Techniques like enclaves could at some point be feasible on mobile devices too. In an extreme walled garden scenario, an application may communicate with a corresponding application slice in the cloud, without any access to and from the public internet. While this certainly improves security, the suitable level of openness and isolation remains to be discussed.
Exhibiting network slicing security at IoT Week 2019
Key results from the ongoing 5G!Pagoda and Anastacia projects were recently demonstrated at IoT Week 2019.
The 5G!Pagoda project presented a scenario in which the slicing infrastructure allows a large number of slices to be dynamically deployed and managed in a scalable manner. This enables slices dedicated to very specific use cases, and even specific to enterprises and applications. For example, a car manufacturer might deploy a network slice connecting its cars, while a water utility could connect its valves and meters. Each slice has its own associated resources, such as bandwidth, and can be customized with application servers at the edge and in the cloud. We showed a demo of an emergency scenario, where a high-priority slice is dynamically deployed and has guaranteed bandwidth in a congested network.
Anastacia presented a security framework for detecting threats and autonomously reacting to those threats using Software Defined Networking (SDN) and by deploying appropriate Virtualized Network Functions (VNF). In particular, we introduced the method of seamless transfer of misbehaving devices to a quarantine slice.
Find out more
Visit our future network security page to find out more about our research into security technologies.