Industry Reactions to Alliance for Open 5G Systems: Feedback Friday

More than 30 technology and telecom companies announced this week that they have formed a new alliance, the Open RAN Policy Coalition, that calls for open and interoperable 5G systems.

The alliance promotes the adoption of open and interoperable Radio Access Network (RAN) solutions — this includes 5G technology — in an effort to “create innovation, spur competition and expand the supply chain for advanced wireless technologies.”

Multiple vendors providing the different components of a mobile network makes it easier for operators to manage their network and upgrade infrastructure, while also making it easier to address security threats — in case vulnerable network equipment needs to be replaced or protected in response to a threat.

Founding members of the alliance include Airspan, Altiostar, AT&T, AWS, Cisco, CommScope, Dell, DISH Network, Facebook, Fujitsu, Google, IBM, Intel, Juniper Networks, Mavenir, Microsoft, NEC Corporation, NewEdge Signal Solutions, NTT, Oracle, Parallel Wireless, Qualcomm, Rakuten Mobile, Samsung, Telefónica, US Ignite, Verizon, VMware, Vodafone, World Wide Technology, and XCOM-Labs.

The alliance was launched amid a global debate over the deployment of 5G networks, with the United States and other countries banning Huawei over concerns that it could be using its equipment to spy for the Chinese government.

SecurityWeek has reached out to several companies, including some members of the new alliance (Intel, Oracle and Juniper Networks provided comments), to find out more, particularly about security aspects. We have also reached out to Huawei, but the company did not want to comment.

And the feedback begins…

Benny Porat, Co-founder and Chief Technology Officer, Claroty:

“The real promise of 5G is not just that it will provide us with faster download speeds and better streaming services on our mobile devices, it will also totally transform how we leverage our cellular connectivity. For example, 5G will be extended to support smart cities, smart factories, distribution centres etc.

It’s not uncommon for new technologies or even policies to be introduced and rolled out before the security implications have been fully addressed and assessed. No one wants to give malicious actors more avenues of attack; however, when security becomes an afterthought that is what happens. This is what we all, as an industry and across international borders, need to avoid with the wider adoption of 5G wireless systems.

Being restricted to a single supplier for 5G means governments and organisations may be forced to choose between unlocking a modern functionality that many systems have never realised and putting those systems at a heightened risk in terms of cyber and operational security. In our current environment, I believe having an alliance that looks to ensure a robust supply chain and prevent any one company from dominating the space is an admirable initiative. This initiative is still embryonic, and kinks will have to be worked out, but one of the first issues to address is how the alliance will ensure that this open-standards system adheres to basic cyber and OT security hygiene practices and regulatory requirements. This means there needs to be clear directives, objectives and requirements in terms of the different technologies, with no ambiguity, so that all involved are 100 percent aware of what is deemed acceptable when it comes to meeting the minimum security levels that are expected from their contributions to the wireless ecosystem. Open systems are great, but everyone needs to adhere to the rules of the open system if it is going to work.”

Drew Schmitt, Incident Response Consultant, Crypsis Group:

The 5G wireless technology promises fast, flexible, and highly available network connectivity to a very large population. In the United States, the desire for 5G connectivity is clear, and so is the desire for open standards that are not limited to any one vendor, hardware, or software. The Open RAN Policy Coalition provides an opportunity to focus on important concepts such as interoperability, standardization, and, perhaps most of all, security.

As it stands today, we are limited by our various vendor and carrier implementations of wireless networking. We often get critical security updates as they deem necessary and do not get much of a say in how quickly vulnerabilities and other security concerns are addressed. For the most part, if we don't like what we have, we have one (potentially) viable option: change the vendor or carrier. The Open RAN Policy Coalition has a very rare opportunity to change the status quo and allow consumers and companies to take security into their own hands while utilizing the radio technology, hardware, and software that fits their wants and needs.

Open standards and competitive bidding could significantly change the landscape of wireless technologies and provide a key focus on security considerations, which may not be the case if we are limited to a single vendor or carrier implementation. With the proposals outlined by the alliance, security can be on the forefront of standard definitions, along with performance, flexibility, and interoperability. This is an opportunity to show that security is best integrated into the foundation of a standard, protocol, or technology, and that it does not have to come at a cost. The "many eyes on" approach to an open-standards system has the opportunity to create an environment that produces creative and timely solutions to security challenges while still maintaining the highest levels of performance and flexibility.

More smart people working together for the benefit of technology seems to be a good approach to me.

Heather Paunet, Vice President of Product Management, Untangle:

Open standards for new technologies have long since been established within the technology industry. The main foundation of any open standards is to ensure that no one entity is able to completely monopolize a new technology. Open standards also mean sharing of ideas and technology, which can spur collaboration, competition, and expansion within the technology at hand. In this case, 5G RAN is being addressed as technology operators and manufacturers become closer to fully functional global rollouts.

The concept set forth by the Open RAN Policy Coalition, creating open and interoperable interfaces between radio, hardware, and software components needed for wireless carriers to upgrade their cell towers and networks to support 5G, speaks volumes compared to the days of old. In the past, the idea that each piece of technology - radio, hardware, and software - needed to be sourced from a single vendor mirrored the times. Now, with such a global reach, opening the next technology revolution to everyone makes sense.

With multiple key players working together and building an open accessible community on which to base open standards for RAN, the ultimate technology delivered by all parties is going to be better. Harnessing the power of all who contribute to the standards of this new technology, especially with the powerhouse founding members attached to the Open RAN Policy Coalition, means the most innovative minds and engineers will contribute to the future of these standards. Security within open standards can benefit from the experience and knowledge from multiple vendors who, while working on new RAN technologies, also know from many perspectives how to engrain robust security into these technologies.

With any new technology there are many security concerns that should be discussed and addressed. While many hands (and eyes) can build stronger standards, it takes only one malicious person to find and exploit vulnerabilities. Within this Open RAN Policy Coalition, the ability to use multiple hardware, radio, or software pieces interchangeably, gives wireless providers the ability to replace suspicious hardware, update patches across their network, and pivot hardware as needed.

A key aspect of open standards when thinking about security is an element of trust. For example, if an American company owned all the technology for 5G networks, we might find that other countries may be reluctant to deploy that technology due to them wondering what could be going on inside the closed system. Once there are open and interoperable standards, multiple vendors from multiple geographical locations will have defined the technology, and can build their own components to interoperate with it. The inner workings and interoperability of that technology have been defined together, which will build trust once systems are later deployed.

Tom Quillin, senior director, Security and Trust Policy, Governments Markets and Trade, Intel:

“Transforming network infrastructure from edge to core is key to realizing the full value of 5G. Intel is offering an unmatched portfolio for 5G infrastructure spanning ASICs, structured ASICs, FPGAs, processors and switches, and our products support both workload optimized RAN as well as virtualized RAN for the range of deployment scenarios. As part of our leadership work in 5G, Intel has also been active in a wide range of 5G standards and interoperability efforts including 3GPP, O-RAN Alliance, and the Telecom Infra Project.

Extending cloud computing to the RAN can provide enhanced security that benefits suppliers and network operators and even end users. There have been decades of R&D into virtualization by hardware suppliers like Intel, and by trusted OS and virtualization suppliers, around how to load, manage, monitor and isolate cloud-based workloads, grounded in a hardware root of trust. A cloud-based architecture also enables rapid, elastic deployment of critical security resources where needed. As needs and business conditions dictate, sensors in a 5G Open RAN deployment can be configured to dynamically and instantly deploy additional compute resources for encryption or authentication. If a network operator identifies a vulnerability in the 5G stack, the fix could be as simple as deploying a software patch. Lastly, 5G enables Mobile Edge Computing (MEC) which makes it possible to increase security monitoring at the edge, reducing the risk of distributed denial of service (DDoS) and enhancing the ability to dynamically deploy defenses at the edge.”

Ian Goetz, Chief Architect of Mobile Solutions, Juniper Networks:

There are two main Open RAN technical bodies looking to build on 3GPP specifications to allow Open, disaggregated RAN functions to be created and deployed by both mobile operators and private network systems. The eventual aim is to be able to mix and match functions but, at present, the activity centers around Radio Unit (RU) vendors integrating with other vendors who specialize in the Distributed Unit (DU) and Central Unit (CU). The drivers are the cost of deploying 5G networks when the additional sites required to achieve coverage and capacity parity for existing 4G customers and their usage patterns is prohibitively high, as well as the issues arising from geo-politics and the vendors that can and can’t be used.

The Open RAN solutions focus on the RU, DU and CU but as with many systems, they need supporting technology to make them deployable. The CU in the Open RAN requires an Edge Cloud in the operator’s network to allow it to run. This Edge Cloud needs to be in a physically secure location either in a building or cabin. Incumbent operators who have the Local Exchange locations from their old ISDN networks have an advantage here as they have the buildings in the right part of the network.

The cloud stack needs to be secured as do the links to that cloud to allow OS updates, Virtualization s/w updates and also updates for the Open RAN functions themselves. The Open RAN Radio Intelligent Controller (RIC) allows 3rd Party RAN applications to run in that cloud as well to offer RAN optimization etc. These also need external access so access control and Firewalling is key.

Then there is the issue of protecting the traffic to avoid it being illegally intercepted. In a traditional RAN, there is an IPsec tunnel from the base station to a Security Gateway in the operator’s core network. In Open RAN, this IPsec tunnel runs from the Edge Cloud to the Security Gateway in the core in the normal way but there is also the option to use IPsec on the F1 link from the CU to the DU. Juniper vSRX virtual security platform can be used as a holistic security gateway solution for the Backhaul and X2 Handover links in traditional RAN, to open IPsec traffic securely in Mobile Edge Clouds for services and to Firewall the links for s/w & application maintenance and updates as well as traffic breakout to local networks. It is also used on the F1 interface between the DU and CU in Open RAN. Juniper’s Contrail Cloud solution operates secure connections between servers in the Edge Cloud and also uses micro segmentation to secure service chains in the cloud, preventing compromised virtual functions from accessing areas of the edge cloud that they shouldn’t.

Chris Hazelton, Director of Security Solutions, Lookout:

This alliance raises visibility to the broad ecosystem of suppliers for deploying 5G. Regardless of the motivation, the recent news around Huawei did raise questions like "what are my options." For businesses and government agencies, this is an important signal that 5G momentum will likely increase and they need to be prepared for securing "Bring Your Own Network" (BYON).

With 5G, the network on a mobile device may be faster than the network provided by a business or government organization. Users may tether to their mobile phone and they will be operating completely outside the organization's security controls. This will make mobile security an imperative to secure "BYON" to ensure user credentials and protected data are not put at risk.

Jack Mannino, CEO, nVisium:

Standardizing security protocols and standards across major vendors can help decrease integration flaws across the stack. Re-implementing security controls in different ways leads to increased development efforts and increases the likelihood of introducing vulnerabilities or regressions. Developing secure and interoperable 5G systems will help drive adoption and ease the burden on engineering teams implementing security standards.

Travis Russell, Head of Cybersecurity, Oracle Communications CTO Group:

“In today’s cellular networks, the radio access network (RAN) is mostly proprietary. A network operator must purchase hardware and software for several network components from the same supplier, because the interfaces are proprietary and the components will not work with any other supplier. This is an inherent security risk. If that supplier should suddenly be unable to deliver support, the networks using these components would be at risk.

Industry continues to eliminate proprietary hardware-based solutions by turning these components into software, so that RAN components are no longer dependent on a particular vendor’s proprietary solutions. This allows new vendors to enter the marketplace and compete to provide open and standardized solutions for the RAN, allowing network operators to choose multiple suppliers for their networks. This also allows some of the RAN functions to be moved to the cloud, a much more secure alternative as they inherit the underlying security advantages, especially in second generation clouds.

The Open RAN Coalition supports open and standardized interfaces, and virtualization technology being introduced by various companies (and entities such as the OpenRAN Alliance) provide a path forward to ensure that the world’s 5G networks are not limited to closed RAN architectures. Oracle supports this initiative as one of the charter members of the coalition.”

*updated with commentary from Oracle

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.