- The paper demonstrates that 5G integration in ICS significantly alters the attack surface, requiring adaptable security controls due to channel variability.
- Through SWICS simulation, the study shows that degraded 5G channels amplify attacks like DoS and MitM by increasing delays, jitter, and packet loss.
- Legacy anomaly detection fails under dynamic 5G conditions, emphasizing the need for novel security mechanisms in mission-critical industrial networks.
Security Implications of 5G Communication in Industrial Control Systems
Introduction
The integration of 5G into industrial control systems (ICS) is altering the threat landscape by replacing previously isolated, deterministic, and physically secure environments with wireless, highly dynamic, and externally accessible communication channels. This work introduces SWICS, a discrete-event simulation-based ICS testbed with fully virtualized 5G mmWave networking, enabling reproducible investigation into the security impact of 5G on ICS operations. The authors systematically analyze process resilience, effectiveness of traditional intrusion detection mechanisms, and the susceptibility to new wireless-based attack vectors under controlled channel variations.
SWICS: Design and Validation
SWICS simulates a realistic bottle-filling plant, comprising multiple PLCs, sensors, actuators, and an HMI interconnected via either traditional wired Ethernet or a simulated 5G mmWave channel.
Figure 1: SWICS simulates a bottle-filling plant, integrating 5G communication for all control components.
Validation demonstrates that SWICS accurately reproduces the process physics and control loop dynamics, matching prior industrial simulation testbeds while improving realism by introducing sensor noise and implementing accurate liquid flow based on Torricelli's law.

Figure 2: SWICS’s sensor behavior closely matches the reference simulation, with increased realism in bottle filling characteristics.
5G integration leverages ns-3's mmWave module, deploying a dense, stationary topology typical for industrial use-cases (e.g., factory floor with line-of-sight gNB and multi-antenna nodes), and configurable to model optimal and degraded channel conditions. The determinism of the simulation ensures that experimental differences are attributable exclusively to the communication channel or attack vector under study.
Threat Model and Experimental Methodology
Two attacker models are considered. The first is a network-level insider, able to perform canonical ICS attacks (DoS, MitM, injection, suppression) by observing and manipulating packets. This capability persists in wireless deployments because integrity protection and other intensive security mechanisms are rarely adopted, or are weakened, to meet sub-ms latency requirements. The second is a purely external adversary, limited to RF-level attacks, capable of passive spectrum analysis or active jamming.

Figure 3: Attacker models for wired (a) and 5G (b) deployments, demonstrating the increased accessibility of wireless ICS channels.
Three deployment scenarios are compared: wired Ethernet, 5G under good channel conditions (5G-GC), and 5G with intentionally degraded conditions (5G-DC). Attacks are scheduled with identical timing and physical process states, ensuring valid attribution of systemic differences.
Channel Effects on Process Integrity and Attack Impact
The resilience of the ICS under attack varies significantly between deployment scenarios. Baseline (benign) performance is comparable between Ethernet, 5G-GC, and 5G-DC due to robust control logic and high polling rates.
However, under adversarial impact:
Erosion of Legacy Intrusion Detection Capabilities
ICS security often relies on network anomaly detection premised on deterministic communication patterns. SWICS demonstrates that 5G channel variability undermines the fundamental assumptions of such detectors:
- Timing-based Detectors: Larger, multi-modal inter-arrival time distributions in 5G-DC erode model specificity, so the detector tolerates, or misses, malicious deviations.
Figure 5: Distribution of inter-arrival times under Wired, 5G-GC, and 5G-DC: increased channel jitter widens benign timing bounds, reducing detection power.
- Alerting/Detection Quality: Both timing- and sequence-based detectors exhibit high rates of false positives under channel variability, and can fail to distinguish attacks from benign operation. Cross-condition deployment (training under one channel state, deploying under another) catastrophically increases alert noise, rendering the detection function nonviable.
Figure 6: Alert behavior of communication anomaly detectors degrades sharply when trained and deployed under channel quality mismatch.
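An added illustration of the train/deploy mismatch described above (not code from the paper or from SWICS): a mean ± 3σ inter-arrival-time detector evaluated on constructed traffic. The 100 ms polling period, the three channel profiles, and the 15 ms extra delay are assumptions chosen for the illustration, not values from the study.

```python
import random
import statistics

POLL_MS = 100.0  # assumed polling period (not from the paper)

# Constructed channel profiles: (jitter std-dev ms, retransmission prob, retransmission delay ms)
PROFILES = {"wired": (0.2, 0.0, 0.0), "5G-GC": (1.0, 0.0, 0.0), "5G-DC": (5.0, 0.15, 20.0)}


def benign_gaps(profile, n, seed):
    """Constructed benign inter-arrival times (ms) for one channel profile."""
    jitter, retx_prob, retx_ms = PROFILES[profile]
    rng = random.Random(seed)
    gaps = []
    for _ in range(n):
        gap = POLL_MS + rng.gauss(0.0, jitter)
        if rng.random() < retx_prob:  # second mode: a retransmitted packet arrives late
            gap += retx_ms
        gaps.append(gap)
    return gaps


def train(gaps, k=3.0):
    """Learn the benign band as mean +/- k standard deviations."""
    mu, sigma = statistics.fmean(gaps), statistics.pstdev(gaps)
    return mu - k * sigma, mu + k * sigma


def alert_rate(gaps, band):
    """Fraction of gaps that fall outside the learned band."""
    lo, hi = band
    return sum(g < lo or g > hi for g in gaps) / len(gaps)


def evaluate(train_on, deploy_on, extra_delay_ms=15.0, n=5000):
    """Return (false-positive rate, detection rate) for one train/deploy pairing."""
    band = train(benign_gaps(train_on, n, seed=1))
    benign = benign_gaps(deploy_on, n, seed=2)
    delayed = [g + extra_delay_ms for g in benign]  # malicious timing deviation
    return alert_rate(benign, band), alert_rate(delayed, band)


if __name__ == "__main__":
    pairs = [("wired", "wired"), ("5G-GC", "5G-GC"), ("5G-DC", "5G-DC"),
             ("wired", "5G-DC"), ("5G-DC", "wired")]
    for tr, dep in pairs:
        fp, det = evaluate(tr, dep)
        print(f"train={tr:6} deploy={dep:6} false_pos={fp:.3f} detected={det:.3f}")
```

With these constructed profiles, the band learned on the wired channel flags most benign 5G-DC traffic, while the band learned on 5G-DC is wide enough that most delayed messages fall inside it.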
Expansion of the Attack Surface: Wireless-specific Attacks
The shift to 5G opens ICS to RF-localized attacks, for which physical access or complex network compromises are no longer prerequisites:
- Passive Reconnaissance: External spectrum monitoring enables adversaries to fingerprint process cycles and identify event timing, supporting follow-on targeted disruption.
Figure 7: External attackers can recover process timing and operational states by passively monitoring 5G spectrum.
- Jamming: Both constant and reactive jamming attacks are empirically effective against 5G-enabled ICS, with MIMO beamforming allowing low-power, directional jamming that matches or exceeds the impact of high-power undirected attacks, all while being significantly stealthier.
Figure 8: Jamming impact on ICS: directed jamming causes severe, process-halting disruption at half the power of undirected jamming, threatening ICS availability.
High-power or proximity jammers increase jitter and packet loss, frequently forcing safety interlocks to halt the process, thereby directly threatening the most critical security property—system availability.
Theoretical and Practical Implications
The evidence shows that, while optimal 5G channels can match wired network resilience, channel degradation creates unanticipated multiplicative effects on attack impact and undermines the efficacy of traditional anomaly detection. The practical implication is that modern ICS deployments must not only integrate advanced security controls tuned to dynamic channel conditions but also address fundamentally larger and less controllable attack surfaces due to wireless exposure.
Future research must explore:
- New intrusion detection paradigms robust to time-varying, non-deterministic traffic.
- End-to-end security protocols capable of sub-ms integration.
- Complementary physical-layer (e.g., RF-fingerprinting, spread spectrum, MIMO filtering) and organizational (e.g., perimeter extension, physical hardening) measures.
- Expanded simulation and real-world studies with diverse ICS topologies and control tasks using testbeds such as SWICS.
Conclusion
The transition to 5G-based ICS fundamentally reframes the attack and defense equilibrium. This work, through SWICS, exposes the need for next-generation security controls that explicitly account for channel-induced non-determinism and wireless-specific threats. Legacy security architectures designed for static, wired environments are insufficient in the 5G-enabled industrial context, especially for ultra-low latency and mission-critical applications. Robustness to wireless-specific attacks and resilience strategies must become first-class design objectives in the ongoing evolution of industrial cyber-physical systems.