
Red Teaming for Industrial 5G Security

Private 5G networks power industries but come with serious security risks. Red teaming, a method that simulates real cyberattacks, goes beyond finding weak points – it shows what happens if those points are exploited. This is critical for industrial 5G, where breaches can disrupt production or cause safety issues.

Key takeaways:

  • Industrial 5G risks: Vulnerabilities in RAN, core networks, and third-party integrations can lead to data interception, equipment damage, or production halts.
  • Red teaming benefits: Simulates attacks safely, often using digital twins, to test 100% of systems without risking live environments.
  • Tools and trends: Spending on 5G security is projected to grow from £3.2 billion in 2025 to over £8.8 billion by 2029, reflecting the increasing need for robust defences.
  • Collaboration matters: Combining red (attackers) and blue (defenders) teams into purple teaming ensures continuous improvement in detecting and stopping threats.

Red teaming is essential for staying ahead of attackers and ensuring industrial 5G networks remain secure and reliable.

Red Teaming for Industrial 5G Networks

What is Red Teaming?

Red teaming is a form of ethical hacking that imitates the methods used by real-world attackers. It replicates the tactics, techniques, and procedures (TTPs) of genuine threat actors but in a controlled and non-destructive way. Jon Clay, Vice President of Product Management at Trend Micro, describes it perfectly:

Red teaming means safely simulating real attackers to test security, uncover weaknesses, and help organisations strengthen defences before genuine threats strike.

In the context of industrial 5G networks, red teaming goes beyond traditional IT systems. It spans the Core Network (the subscriber and authentication functions, which are the HSS in 4G/EPC and the UDM/AUSF in 5G, plus the IMS where voice is deployed), the Radio Access Network (RAN/gNodeB), and the industrial protocols riding on top of it, such as Modbus and DNP3. A major focus is the intersection between IT and operational technology (OT): how an attacker could move from a compromised business system to the production controllers.

Unlike basic vulnerability scans that merely highlight unpatched software, red teaming shows the real-world impact of a breach. This could involve manipulating physical processes, damaging equipment, or bypassing safety systems. Sarah Lee from Number Analytics highlights its depth:

Telco pen testing goes beyond conventional IT assessments, diving deep into signalling protocols, subscriber databases, and radio access networks (RAN).

This thorough testing is vital for industrial 5G setups, where the risks are greater, and the attack surfaces are more complex.

Why Industrial 5G Networks Need Red Teaming

Industrial 5G networks demand customised red teaming to protect vital production environments effectively.

The integration of IT and OT through 5G significantly increases the potential attack surface. These networks connect business systems with critical production assets, making them prime targets for advanced threat actors. Groups like Sandworm and Volt Typhoon, known for targeting critical infrastructure, use ICS-specific techniques, with cyberattacks rising by 30% in 2024. Mission-critical sectors are particularly vulnerable, facing three times the number of incidents.

The importance of red teaming is clear from the numbers: 81% of organisations report improved security after conducting these exercises. Given that human error causes 95% of security breaches, thorough testing – especially involving social engineering – is crucial.

Red teaming also helps validate an organisation’s defences by assessing how quickly teams can detect and respond to simulated attacks, such as lateral movements and protocol exploits. Frenos sums it up well:

OT red teaming is the closest you can get to understanding how an attacker would target your facility – without suffering a real incident.

Video: Mission impossible – Hack the 5G industrial network // Hack the Networks 2024

Common Vulnerabilities in Private Industrial 5G Networks

Private industrial 5G networks come with their own set of security challenges. These vulnerabilities, if left unchecked, can compromise critical production environments. Below, we delve into some key risks that highlight the importance of robust security measures and red teaming exercises.

RAN Infrastructure Risks

The Radio Access Network (RAN) is a key component of industrial 5G networks, but it brings multiple security concerns. Open RAN architectures split the baseband into a Central Unit (CU), a Distributed Unit (DU) and a Radio Unit (RU), which adds exposed interfaces: the open fronthaul between DU and RU (the lower-layer split, LLS, carried over eCPRI) and the F1 midhaul between CU and DU. This design choice, while flexible, means each of these links must be authenticated and transport-protected (for example with MACsec or IPsec) or it becomes an exploitable gap.

One notable threat arises from GTP-U, the tunnelling protocol that carries user traffic between the gNB and the User Plane Function (UPF) over the N3 interface. CVE-2021-45462, reported against the open-source Open5GS UPF, is an example: a zero-length GTP-U packet of message type 255 (G-PDU) crashes the UPF, a denial of service that takes down every session the UPF is carrying. The sender needs only IP reachability to UDP port 2152 on the UPF, so anything that can inject into the N3 path, or any UE that can address the UPF directly, can trigger it.
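To make the failure mode concrete, here is a minimal GTP-U (3GPP TS 29.281) header parser with the checks a UPF or an N3 monitoring probe should apply before touching the inner packet. This is an added example written for this article, not Firecell or Open5GS code; the packet bytes it builds are constructed by hand, and the inner "IPv4 stub" is only placeholder payload. It flags exactly the zero-length G-PDU shape described above instead of dereferencing it.

```python
"""Minimal GTP-U (3GPP TS 29.281) header parser with the length checks an
exposed N3 interface needs. Added example for this article; not Open5GS or
Firecell code. The packets below are constructed by hand for illustration."""
import struct

G_PDU = 255          # message type carrying a user IP packet
ECHO_REQUEST = 1
GTPU_PORT = 2152


class GtpuError(ValueError):
    """Raised for packets a robust UPF should drop instead of processing."""


def parse_gtpu(pkt: bytes) -> dict:
    """Parse a GTP-U message, refusing malformed or zero-length G-PDUs."""
    if len(pkt) < 8:
        raise GtpuError("truncated mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    version = flags >> 5
    proto_type = (flags >> 4) & 1
    if version != 1 or proto_type != 1:
        raise GtpuError(f"not GTPv1-U (version={version}, PT={proto_type})")
    # Optional fields (sequence, N-PDU number, next extension type) are present
    # if any of E, S, PN is set; they always occupy 4 bytes together.
    has_opt = bool(flags & 0x07)
    hdr_len = 12 if has_opt else 8
    # `length` counts everything after the 8-byte mandatory header.
    if length != len(pkt) - 8:
        raise GtpuError(f"length field {length} != {len(pkt) - 8} bytes present")
    if len(pkt) < hdr_len:
        raise GtpuError("optional header fields announced but missing")
    seq = None
    if has_opt:
        seq = struct.unpack("!H", pkt[8:10])[0] if flags & 0x02 else None
        # Extension-header chains are not walked in this example; treat a
        # non-zero "next extension header type" byte as unsupported.
        if pkt[11] != 0:
            raise GtpuError("extension headers not supported")
    payload = pkt[hdr_len:]
    if msg_type == G_PDU and not payload:
        # The shape of the CVE-2021-45462 trigger: a G-PDU with no inner
        # packet. A UPF that blindly reads the inner IP header crashes here.
        raise GtpuError("zero-length G-PDU")
    return {"type": msg_type, "teid": teid, "seq": seq, "payload": payload}


def build_gtpu(msg_type: int, teid: int, payload: bytes = b"") -> bytes:
    """Build a GTP-U message with no optional fields (flags 0x30)."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


def triage_n3_capture(packets: list) -> dict:
    """Count accepted packets and record why the rest were rejected, e.g. over
    the UDP/2152 payloads pulled from an N3 capture."""
    result = {"accepted": 0, "dropped": []}
    for pkt in packets:
        try:
            parse_gtpu(pkt)
            result["accepted"] += 1
        except GtpuError as exc:
            result["dropped"].append(str(exc))
    return result


if __name__ == "__main__":
    inner_ip = bytes.fromhex("45000014000100004011")  # constructed placeholder payload
    good = build_gtpu(G_PDU, teid=0x1234, payload=inner_ip)
    crasher = build_gtpu(G_PDU, teid=0x1234)           # zero-length type 255
    print(triage_n3_capture([good, crasher, b"\x30\xff\x00\x10"]))
```

Run over a capture taken on the N3 link during an exercise, the "dropped" list is also a cheap detection signal: a burst of zero-length G-PDUs or truncated headers from one source is the attack in progress, not normal gNB behaviour.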

Another key issue is the lack of encryption on the N3 interface. Operators often avoid using IPsec to maintain high throughput, which leaves traffic exposed. As Salim S.I., Senior Staff Researcher at Trend Micro, explains:

Operators are reluctant to deploy IPsec on the N3 interface because it is CPU-intensive and reduces the throughput of user traffic.

This vulnerability allows attackers to intercept and manipulate industrial protocols like Modbus/TCP and MQTT. For instance, they could alter sensor readings – such as temperature or pressure – while masking these changes from audit logs. Such actions could result in physical damage or operational failures.

These risks in the RAN infrastructure are just the beginning. The core network also presents a host of vulnerabilities.

Core Network and Slice Isolation Weaknesses

The core network, which manages authentication, mobility, and policy for connected devices, is another critical area of concern. A breach here can ripple through the entire industrial environment. Hema Kadia, Founder and CEO of Tecknexus, highlights the danger:

Compromise of control-plane functions can impact every connected device.

In one field test at a steelworks, attackers compromised a core network host server, enabling them to manipulate Modbus/TCP commands and disable safety alerts. This demonstrates how a single breach can have far-reaching consequences.

Cloud-native architectures further complicate matters by increasing the attack surface. These architectures rely heavily on APIs and service-based interfaces, which can be exploited if not properly secured. For instance, container escape attacks allow attackers to move from a compromised container to the host server, potentially gaining control over the entire network.

Yohei Ishihara, Security Evangelist at Trend Micro, points out another critical flaw:

5G systems do not support encryption by default. Data can be intercepted or tampered with if it is sent… as plaintext.

Trend Micro’s research has identified multiple penetration routes and interception points within private 5G core networks. Weak separation between the control plane, user plane, and management domains further exacerbates the risk, enabling attackers to move laterally once they breach a single boundary.

These issues are compounded when third-party integrations are introduced.

API and Third-Party Integration Threats

Third-party integrations bring additional vulnerabilities that can compromise industrial 5G networks. Unencrypted industrial protocols, such as MQTT and Modbus/TCP, and flaws in third-party open-source software create opportunities for attackers. Without strict security measures, these integrations can become weak links in the network.

General-purpose servers and open-source software, often used in private 5G networks, can harbour severe vulnerabilities if security isn’t prioritised during installation. Yohei Ishihara warns:

Owing to the nature of the general-purpose servers and open-source software that make up the Private 5G network, the infrastructure could house severe vulnerabilities if due thought is not given to security when installing the network.

Organisations frequently rely on third-party system integrators to design and deploy their private 5G configurations. If security requirements are not explicitly outlined and verified, critical gaps can emerge. Ishihara advises:

It is crucial to work closely with the system integrator when building a Private 5G configuration; the user organisation (and asset owner) must proactively request the system vendor and integrator to implement security measures in the container environment.

Below are some common attack methods, their sources, and recommended mitigation strategies:

Attack method        | Risk source                                | Mitigation strategy
---------------------|--------------------------------------------|--------------------------------------------------------------------
MQTT hijacking       | Unencrypted third-party telemetry          | Use MQTTS (MQTT over TLS), certificate pinning, and strong credentials
Modbus/TCP hijacking | No encryption or integrity in the protocol | Tunnel traffic in VPNs between remote sites and control networks
Container escape     | Vulnerable open-source packages            | Vet external libraries and require proactive vendor security for the container environment
SIM swapping         | Unauthorised UE/SIM use                    | Bind specific SIM cards (SUPI) to authorised hardware (PEI/IMEI) in the core
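The Modbus/TCP rows above, and the sensor-tampering scenario described earlier for the unencrypted N3 interface, come down to the same property: the protocol has no integrity check, so a frame altered in transit is indistinguishable from the operator's original. The following added example (written for this article, not Firecell code) decodes Modbus/TCP frames, shows the two-byte edit an on-path attacker makes to a Write Single Register command, and implements the allow-list check a passive monitoring sensor can apply. The register address, engineering limits and host addresses are constructed for illustration.

```python
"""Modbus/TCP (MBAP + PDU) decoder, an on-path value rewrite, and a monitoring
check for writes. Added example for this article; register 100, its limits
and the IP addresses are made up for illustration."""
import struct

WRITE_SINGLE_REGISTER = 0x06
READ_HOLDING_REGISTERS = 0x03


def build_write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = struct.pack("!BHH", WRITE_SINGLE_REGISTER, addr, value)
    mbap = struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the two function codes used here."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    msg = {"tid": tid, "unit": unit, "fc": fc}
    if fc == WRITE_SINGLE_REGISTER:
        msg["addr"], msg["value"] = struct.unpack("!HH", frame[8:12])
    elif fc == READ_HOLDING_REGISTERS:
        msg["addr"], msg["count"] = struct.unpack("!HH", frame[8:12])
    return msg


def tamper_write_value(frame: bytes, new_value: int) -> bytes:
    """What an on-path attacker does to a cleartext write: replace the value.
    Only the last two bytes change and Modbus/TCP carries no MAC or checksum
    above TCP, so the PLC accepts the result as the operator's command."""
    if parse_modbus_tcp(frame)["fc"] != WRITE_SINGLE_REGISTER:
        raise ValueError("only Write Single Register frames are handled")
    return frame[:10] + struct.pack("!H", new_value)


# Constructed engineering baseline: holding register -> (min, max) allowed values
SETPOINT_LIMITS = {100: (20, 90)}             # e.g. a zone temperature setpoint
AUTHORISED_WRITERS = frozenset({"10.1.0.5"})  # the HMI/SCADA host


def audit_writes(events: list, limits=SETPOINT_LIMITS, writers=AUTHORISED_WRITERS) -> list:
    """Flag register writes from unexpected hosts or outside engineering limits.
    `events` is a list of (src_ip, modbus_tcp_frame) tuples, e.g. from a span port."""
    findings = []
    for src, frame in events:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append(f"{src}: malformed frame ({exc})")
            continue
        if msg["fc"] != WRITE_SINGLE_REGISTER:
            continue
        if src not in writers:
            findings.append(f"{src}: write to reg {msg['addr']} from unauthorised host")
        lo, hi = limits.get(msg["addr"], (0, 0xFFFF))
        if not lo <= msg["value"] <= hi:
            findings.append(f"{src}: reg {msg['addr']} value {msg['value']} outside [{lo}, {hi}]")
    return findings


if __name__ == "__main__":
    operator = build_write_single_register(tid=1, unit=1, addr=100, value=65)
    forged = tamper_write_value(operator, 250)
    print(audit_writes([("10.1.0.5", operator), ("10.1.0.5", forged), ("10.1.0.77", operator)]))
```

Note what the check cannot see: a forged value that stays inside the engineering limits, sent from the legitimate HMI address, passes silently. That is why the mitigation column says encrypt and authenticate the transport (VPN, or IPsec on N3) rather than rely on monitoring alone.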

Addressing these vulnerabilities is essential for creating effective red teaming exercises and ensuring the security of industrial 5G networks.

Planning and Running Red Teaming Exercises

Running red team exercises for industrial 5G networks involves more than just testing for vulnerabilities. Here, the focus extends to safeguarding physical safety and maintaining operational continuity, making preparation and execution absolutely critical.

Planning Steps

Before diving into a red teaming exercise, establish a strong groundwork. Start by mapping out your network architecture using the Purdue model (Levels 0–3), cataloguing assets such as PLCs, RTUs, HMIs, and gNBs, and recording which of them communicate over the 5G network and on which slice. Then apply threat modelling frameworks built for mobile networks, such as MITRE FiGHT and the GSMA Mobile Threat Intelligence Framework (MoTIF), to select the attack tactics relevant to your deployment. Define the exercise's objectives clearly: whether it targets the RAN, the core network functions, the IT/OT boundary, or the hosting infrastructure around them, and what a successful compromise would look like (for example, an unauthorised write to a PLC register, or a rogue gNB that goes undetected).

Assembling the right team is just as important. Bring together cellular and RAN specialists, OT/ICS engineers, security engineers, a safety engineer who defines what must never be attempted against live equipment, and domain experts who understand the production process. At the same time, ensure testing is conducted in a safe environment. Steve Wilson, author of The Developer's Playbook for Large Language Model Security, makes a point about LLM red teaming that applies just as well here:

Traditional security measures, while necessary, are often insufficient to address complex LLM-specific vulnerabilities. A red team, with its holistic and adversarial approach, becomes crucial in identifying and mitigating these threats.

To protect live systems, use isolated test environments. Configure your 5G Core so that the null ciphering algorithm (NEA0, called EEA0 in LTE) is never the preferred choice and the null integrity algorithm (NIA0/EIA0) is never selectable outside unauthenticated emergency sessions, which is the only use 3GPP TS 33.501 permits for it; otherwise a bidding-down attack can negotiate a session with neither confidentiality nor integrity. Additionally, ensure all User Equipment (UE) conceal their Subscription Permanent Identifier (SUPI) as a Subscription Concealed Identifier (SUCI) using the home network public key (ECIES Profile A or B), not the null scheme, which sends the SUPI in clear during registration.
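A pre-exercise check for the two settings just described can be automated. The following added example (written for this article, not Firecell or Open5GS code) audits a core configuration for null-algorithm preference and a list of registration decodes for null-scheme SUCIs, and shows a weak configuration beside a hardened one. The configuration shape, an AMF `security` section with `integrity_order` and `ciphering_order` lists, follows the layout of the Open5GS amf.yaml; the exact keys for your own core are an assumption to verify, and the UE records are constructed.

```python
"""Audit of NAS security algorithm policy and SUCI protection scheme before a
red-team run touches a live core. Added example for this article, not Firecell
or Open5GS code. The config shape mirrors Open5GS amf.yaml (`security:
integrity_order / ciphering_order`); check the keys for your own core."""

NULL_CIPHERING = "NEA0"    # EEA0 in LTE
NULL_INTEGRITY = "NIA0"    # EIA0 in LTE
SUCI_NULL_SCHEME = 0       # protection scheme id 0: SUPI sent in clear
SUCI_SCHEMES = {0: "null-scheme", 1: "ECIES Profile A (Curve25519)",
                2: "ECIES Profile B (secp256r1)"}

# Constructed configurations: the weak one prefers NEA0 and still offers NIA0.
WEAK_CFG = {"amf": {"security": {"integrity_order": ["NIA2", "NIA1", "NIA0"],
                                 "ciphering_order": ["NEA0", "NEA1", "NEA2"]}}}
HARDENED_CFG = {"amf": {"security": {"integrity_order": ["NIA2", "NIA1"],
                                     "ciphering_order": ["NEA2", "NEA1"]}}}


def audit_amf_security(cfg: dict) -> list:
    """Return findings for a core policy that lets a rogue gNB or a bidding-down
    attack negotiate null algorithms. The AMF picks the first algorithm in its
    preference list that the UE also supports, so order matters."""
    findings = []
    sec = cfg.get("amf", {}).get("security", {})
    ciphering = sec.get("ciphering_order", [])
    integrity = sec.get("integrity_order", [])
    if not ciphering or ciphering[0] == NULL_CIPHERING:
        findings.append("ciphering: NEA0 preferred (or no list); NAS and user "
                        "traffic negotiate to cleartext")
    elif NULL_CIPHERING in ciphering:
        findings.append("ciphering: NEA0 still selectable; a UE advertising only "
                        "NEA0 gets cleartext")
    if not integrity or integrity[0] == NULL_INTEGRITY:
        findings.append("integrity: NIA0 preferred (or no list); NAS messages "
                        "can be forged")
    elif NULL_INTEGRITY in integrity:
        findings.append("integrity: NIA0 selectable; TS 33.501 allows it only "
                        "for unauthenticated emergency sessions")
    return findings


def audit_suci_usage(registrations: list) -> list:
    """`registrations` is a list of (ue_label, protection_scheme_id) taken from
    Registration Request decodes; flag UEs whose SUCI uses the null scheme."""
    return [f"{ue}: SUCI uses {SUCI_SCHEMES.get(s, 'unknown scheme')}; "
            f"SUPI sent in clear" for ue, s in registrations if s == SUCI_NULL_SCHEME]


if __name__ == "__main__":
    print(audit_amf_security(WEAK_CFG))
    print(audit_amf_security(HARDENED_CFG))      # expected: no findings
    # Constructed registration decodes: PLC uses Profile A, a camera uses null scheme
    print(audit_suci_usage([("plc-07", 1), ("camera-12", 0)]))
```

Run the SUCI check against a capture of the N2 or NAS trace from the lab before the exercise; a device that sends its SUPI in clear is both a privacy finding and a tracking primitive the red team will otherwise rediscover on day one.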

Dedicated platforms can simplify these preparations, providing a controlled environment for thorough testing.

Using Firecell Solutions for Red Teaming

Once preparations are complete, tools like Firecell’s infrastructure can make red teaming even more effective. Firecell’s private 5G solutions offer a controlled environment for testing, with options tailored to different scales.

  • The Orion Labkit, priced at about £10,115 with annual fees of around £4,740, provides an open-source 5G lab network. It’s ideal for indoor testing in spaces ranging from 10m² to 1,000m².
  • For larger setups, the Orion Network supports areas over 10,000m² with up to 10 access points, allowing for more complex industrial attack simulations.

Firecell’s private 5G stack, which includes the 5G Core Network and Radio Access Network (RAN), offers a secure environment for testing areas like authentication, session management, and data routing. The infrastructure also supports network slicing, enabling teams to test the security of isolated data environments for critical operations. As Firecell explains:

Security in private 5G networks is a step above what’s available in public networks. With advanced encryption, dedicated spectrum, and network slicing capabilities, private 5G networks offer a fortified environment for sensitive data.

Firecell’s deployment process includes a Testing and Optimisation phase, where vulnerability assessments and stress tests help identify potential weaknesses in the 5G Core and RAN before the network goes live.

Simulating Attack Scenarios

Effective simulations go beyond standard vulnerability scans, replicating full adversary campaigns. For example, MIT Lincoln Laboratory showcased detection strategies using low-cost hardware during a field campaign. As Nicholas Smith from MIT Lincoln Laboratory explains:

Detection facilitates jamming. Once adversaries detect a signal, they can jam it. Because the SSB is periodic in time and frequency, it is quite easy to detect and then jam.

Your simulations should include industrial protocols like Modbus, DNP3, and OPC UA, alongside 5G-specific protocols. Testing IT/OT boundary breaches can help verify alert triggers. Firecell’s site survey data can also aid in identifying signal obstacles and pinpointing optimal monitoring equipment locations to detect rogue gNB activity.

During these exercises, track all activities, including failures, to uncover emerging risks. Set clear success metrics, such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), to measure how effectively your Blue Team responds. For high-risk scenarios like ransomware or safety system bypass, use a digital twin or lab kit to avoid disrupting live production environments.

The insights gained from these simulations are invaluable for refining detection and response strategies.

Purple and Blue Teaming for Industrial 5G Security

Red team exercises are only effective if their findings are shared and applied quickly. This is where purple teaming steps in. It combines offensive and defensive strategies, creating a collaborative approach to strengthen security efforts. Let’s dive into how purple teaming sharpens detection and how blue teams can build on these insights to bolster defences.

Purple Teaming Approaches

Purple teaming brings red and blue teams together by having the red team simulate specific tactics, techniques, and procedures (TTPs), while the blue team adjusts defences in real time. As Pierre Ceberio and Joachim De Bats from Thales put it:

Purple Teaming is not an exercise in discovering new technical vulnerabilities… Its real role is strategic: to validate the real effectiveness of existing defences and improve, in a concrete and measurable way, the ability to detect and respond to realistic threats.

This method is particularly effective for securing industrial 5G networks. It validates tools like SIEM, EDR, and NDR in operational settings and reduces dwell time – the period an attacker remains undetected – by refining detection capabilities through immediate collaboration. For every TTP tested, teams document whether it was blocked, detected, or missed, helping to identify gaps in logs or detection rules. Regulation is moving the same way: the Digital Operational Resilience Act (DORA), applicable from January 2025, requires threat-led penetration testing for financial entities designated by their supervisors, run under the TIBER-EU framework, which includes a purple-teaming phase. These collaborative insights create a solid foundation for blue team improvements, discussed next.

Blue Team Improvements for 5G Networks

Using the insights gained from purple teaming, blue teams can strengthen their defences by incorporating offensive TTPs into their security measures. The MITRE ATT&CK framework, particularly the ICS matrix, is a valuable tool for identifying threats and mapping defensive coverage against potential attack paths. Simulated attacks and ongoing training help blue teams refine their security measures further. By 2023, industrial environments were expected to account for at least 40% of all cyberattacks, highlighting the urgency of these enhancements.

Additionally, establishing real-time feedback loops – where red teams document every tool and command used – enables blue teams to verify detection and blocking capabilities on the spot. This fosters continuous learning and shared improvement across teams.

Measuring Results and Best Practices

Success Metrics

After running red teaming exercises, measure results systematically and monitor continuously to close any security gaps. Key metrics such as Mean Time to Detect (MTTD, from the red team's action to the first alert) and Mean Time to Respond (MTTR, from that alert to containment) show how effectively your Security Operations Centre (SOC) identifies and reacts to simulated threats against 5G and industrial protocols. Additionally, tracking IT/OT alert triggers and false positive rates ensures detection systems are accurate and reliable.
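The per-TTP record described in the purple teaming section (blocked, detected, or missed) and the MTTD/MTTR figures above come from the same two logs: the red team's timestamped actions and the blue team's alert and containment times. The following added example (written for this article, not Firecell code) scores one constructed exercise from those logs. The technique ids are MITRE ATT&CK for ICS identifiers and the timestamps and descriptions are invented for illustration.

```python
"""Purple-team scoreboard: per-TTP outcome plus MTTD/MTTR from the red team's
action log and the blue team's response log. Added example for this article;
the ATT&CK for ICS ids are real, the run below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class RedAction:
    ttp: str            # e.g. ATT&CK for ICS technique id
    description: str
    executed_at: datetime


@dataclass
class BlueResponse:
    ttp: str
    blocked: bool = False                 # control stopped it outright
    detected_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None


def score_exercise(actions: list, responses: list) -> dict:
    """Classify every red action as blocked / detected / missed and compute
    MTTD (action -> first alert) and MTTR (alert -> containment) in minutes."""
    by_ttp = {r.ttp: r for r in responses}
    outcomes, ttd, ttr = {}, [], []
    for a in actions:
        r = by_ttp.get(a.ttp)
        if r and r.blocked:
            outcomes[a.ttp] = "blocked"
        elif r and r.detected_at:
            outcomes[a.ttp] = "detected"
            ttd.append((r.detected_at - a.executed_at).total_seconds() / 60)
            if r.contained_at:
                ttr.append((r.contained_at - r.detected_at).total_seconds() / 60)
        else:
            # No block and no alert: a logging or detection-rule gap to fix.
            outcomes[a.ttp] = "missed"
    return {
        "outcomes": outcomes,
        "mttd_min": round(mean(ttd), 1) if ttd else None,
        "mttr_min": round(mean(ttr), 1) if ttr else None,
        "gaps": sorted(t for t, o in outcomes.items() if o == "missed"),
    }


# Constructed run on a lab network, 12 March 2025
T0 = datetime(2025, 3, 12, 9, 0)
ACTIONS = [
    RedAction("T0842", "sniff cleartext Modbus on the unprotected N3 link", T0),
    RedAction("T0855", "forged Write Single Register to the furnace PLC", T0 + timedelta(minutes=30)),
    RedAction("T0814", "zero-length G-PDU flood against the UPF", T0 + timedelta(minutes=60)),
    RedAction("T0886", "SSH from compromised MES host into core management VLAN", T0 + timedelta(minutes=90)),
]
RESPONSES = [
    BlueResponse("T0855", detected_at=T0 + timedelta(minutes=42), contained_at=T0 + timedelta(minutes=75)),
    BlueResponse("T0814", blocked=True),
    BlueResponse("T0886", detected_at=T0 + timedelta(minutes=96)),   # seen, not yet contained
]


def run_constructed_exercise() -> dict:
    return score_exercise(ACTIONS, RESPONSES)


if __name__ == "__main__":
    print(run_constructed_exercise())
```

Passive network sniffing shows up as "missed" here, which is the honest result: nothing in the core or the PLC sees a read-only tap on cleartext traffic, so that gap is closed by encrypting the link, not by a new detection rule.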

Another important measure is the identification of exploitable routes, such as lateral movement paths between IT and OT systems or segmentation issues that allow unauthorised access. Operational impact metrics, including recovery times, production downtime, and safety instrumented system (SIS) bypasses, also play a key role in assessing vulnerabilities. As Frenos aptly puts it:

You don’t know how vulnerable you are until you simulate a real attack.

Traditional OT penetration testing often covers only a small portion of an environment – around 5–8% – due to safety constraints. In contrast, simulation-based red teaming with digital twins can achieve complete coverage, offering a far more comprehensive assessment. These metrics are invaluable for refining defensive strategies, particularly in purple and blue teaming efforts, ensuring industrial 5G security measures tackle the most critical risks.

Regular Testing and Monitoring

With the constant evolution of threats, regular testing is essential to stay ahead. The rapid pace of 5G development, combined with AI-driven attack methods, makes continuous or on-demand testing – ideally monthly or quarterly – a necessity. Bishop Fox highlights this urgency:

The technology’s rapid development cycle requires ongoing vigilance to identify new vulnerability classes.

Digital twin environments provide a safe way to validate security patches and configuration changes before they are deployed. This approach prevents operational downtime while ensuring that fixes effectively block potential attack paths. Leveraging XDR platforms and GenAI-powered threat detection can significantly reduce breach lifecycles, with AI-assisted systems showing a 108-day improvement in response times. Prioritising remediation efforts based on operational impact, rather than just technical severity, ensures that measures focus on preventing production disruptions and addressing safety risks unique to 5G and OT environments.

Conclusion

Red teaming exercises are a critical component for safeguarding industrial private 5G networks, where even brief downtime can lead to costly disruptions. By uncovering vulnerabilities in areas like network slicing, containerised cores, and API integrations, organisations can address weaknesses before attackers exploit them. This type of proactive testing is becoming increasingly important, especially given the current shortage of skilled professionals in the field. Collaboration between red, blue, and purple teams ensures that offensive insights are directly applied to enhance detection systems and develop automated response strategies tailored to 5G-specific risks.

According to ABI Research, there is a 70% shortage of telco security experts, underscoring the urgency of effective red teaming. This skills gap makes teamwork even more essential, as it allows for the sharing of expertise in mobile protocols like GTP, PFCP, and HTTP/2, which differ significantly from traditional IT security protocols. Moreover, with 85% of mobile operators still running legacy 2G/3G networks alongside 5G, a collaborative approach becomes indispensable for addressing both modern and legacy signalling threats simultaneously.

Firecell provides private 5G solutions designed for industrial environments such as manufacturing, logistics, ports, and airports. Their turnkey networks combine military-grade security with seamless LAN integration, offering a strong foundation for conducting red teaming exercises. The Orion Labkit, starting at €11,900, allows organisations to perform controlled security testing in a safe environment before implementing protections in live networks.

Frequent testing – ideally on a monthly or quarterly basis – paired with AI-driven threat detection can significantly reduce breach lifecycles, cutting them by as much as 108 days. As Bishop Fox highlights:

While 5G offers significant security improvements over previous cellular generations, its registration protocol contains exploitable vulnerabilities that require immediate attention.

To address these risks effectively, organisations must implement strong technical countermeasures. This includes enforcing robust cryptography, deploying SUCI for user privacy, hardening network function interfaces, and automating detection processes with XDR platforms. By combining Firecell’s secure infrastructure with systematic red teaming and cross-team collaboration, industrial organisations can achieve the resilient and dependable 5G networks their operations demand.

FAQs

What should be in scope for an industrial 5G red team exercise?

An industrial 5G red team exercise needs to dive deep into the private 5G network, examining both the core network and the radio access network (RAN). Key focus areas should include network slicing vulnerabilities, spectrum access issues, IoT device management, and physical security risks. It’s also crucial to test for cyber threats like DDoS attacks and ransomware, as well as weaknesses in IoT devices. This comprehensive approach helps uncover flaws across technical, physical, and operational layers, strengthening the network’s overall resilience.

How can we red team a private 5G network without risking production downtime?

To safely test the security of a private 5G network, simulated attack scenarios can be carried out in a controlled environment rather than on the live network. This involves setting up a testing environment that closely replicates the actual network. By doing this, potential vulnerabilities can be identified without causing any disruption to ongoing operations. Penetration testing and vulnerability assessments are typically conducted in isolated lab settings, ensuring that production systems remain untouched and secure during these evaluations.

Which metrics best show whether our 5G defences are improving?

Key metrics to watch are real-time threat detection accuracy, response times to security incidents, and the decrease in successful cyberattacks. These numbers highlight how well integrated threat intelligence, AI-powered defences, and security protocols are working to safeguard your 5G network.
