Open radio access networks for 5G creates numerous opportunities for innovating telecommunications and cultivating a vendor ecosystem for wireless networks, but a security mindset can’t be an afterthought.
The U.S. Department of Defense offered a brief explanation of radio access networks in a June 2022 announcement before trumpeting the launch of the 5G Challenge event to accelerate the adoption of open interfaces, APIs, interoperable component and multi-vendor solutions toward developing an open 5G ecosystem.
In the announcement, the agency wrote that if RANs are “traditionally vendor-locked, vertically integrated telecommunications architectures that enable wireless communications, such as 4G, 5G and subsequent generations of communications technologies,” then Open RAN removes those walls around the gardens by disaggregating RAN architectures and enabling advanced 5G networks.
SEE: What is open RAN? (TechRepublic)
A joint report by the NSA and CISA on open RAN security considerations offers a hot take on the superhighway of Open RAN and applications for AI, augmented and virtual reality, and billions of connected devices:
To implement the capabilities of 5G, Mobile Network Operators are looking at ways to adopt open, virtualized and cloud-based Radio Access Networks that will allow them to achieve greater network flexibility, reliability and the ability to quickly implement new service types as 5G use cases are discovered. To realize these 5G benefits, MNOs are moving away from traditional, proprietary RANs that use purpose-built hardware and software to an open hardware and software-based ecosystem called Open RAN.
In a previous post, we looked at some of the risks inherent in opening up these networks, but there are also major benefits that accrue with securing Open RAN in concert with enabling new uses.
SEE: How 5G and AI will work together (TechRepublic)
Benefits of 5G security and shifting left
In December 2022, the National Telecommunications and Information Administration under the Department of Commerce kicked off a public comment period for the $1.5 billion Public Wireless Supply Chain Innovation Fund to expand the activities of U.S. companies in the 5G technology stack. Experts say advances will have been for naught if the risks that come along with these opportunities can’t be addressed in concert with innovation.
Ethical hacker Gavin Millard, vice president of market insights at the cybersecurity exposure management company Tenable, explained that applying a DevOps-centric “shift left” approach to code-defined networks is a crucial means of keeping risk at bay while benefiting from the many virtues of Open RAN.
“It gives people building code the responsibility for the code,” he said. “When you shift left, what you are doing is verification early in the process; the developer is both creating the code and assessing the ability and security of the libraries and software being leveraged in that platform. I am running tests as I build.”
He said that it allows for rapid deployment with security, making it possible to spot things like misconfiguration issues early on or identify other minor hiccups that may become major problems as you deploy.
“It also lets you validate software as it’s being deployed and spot vulnerabilities in libraries, which, just like we saw with the Log4J exploit, can lead to catastrophic issues,” Millard said. “Shifting left and deploying rapidly and quickly, you can identify those libraries and address them in a timely manner.”
IoT risk looms large with Open RAN
As noted in a recent Brookings paper by Tom Wheeler, former FCC chairman, and David Simpson, professor at Virginia Tech, the U.S. app economy benefited massively from the advent of 4G LTE because of a strong wireless network, device standards and interfaces.
“If the U.S. is to likewise lead in the IoT-enabled smart economy, that home field must be secure,” Wheeler said. “Failing to address cyber risk appropriately will slow U.S. deployment of advanced 5G capabilities, suppress use case demand signals, impair the ability to protect intellectual property, chill 5G investment and expose critical infrastructure to increased risk of catastrophic failure.”
Though IoT security standards may be forthcoming, the IoT industry is not self-regulating, making the connected devices a kind of Wild West, Millard noted. He said manufacturers of these devices do not typically achieve a kind of “triangle of development” for IoT — quick, cheap and secure — so devices represent a permeable threat surface. This was amply demonstrated by the proliferation of the Mirai botnet that first appeared in 2016, causing a massive internet outage in Europe and the U.S.
“What we will see is those devices becoming targets because they are generally not as secure,” Millard said. “Mirai is Japanese for ‘future’ for a reason: We will see a massive proliferation of 5G devices. If they aren’t secure by design and not following best practices, Mirai is a glimpse of what the future will be. If I can create a piece of malware that goes out to hyperconnected very fast devices, I could do all kinds of damage.”
He offers a compelling example: One could mail a device to an employee in a large organization whom one knows is on vacation — a little device with 5G and Wi-Fi. One could then connect to the 5G network and move across the environment, exfiltrating data. The company may be monitoring the perimeter for massive exfiltration of data but not a hotspot exfiltrating terabytes.
Similar to IT/OT convergence, modern, open architecture with software defined networks for wireless is a path Open RAN follows in part by leveraging existing libraries and reconnecting them. Vulnerabilities in those libraries and repositories require much greater vigilance in the build process.
Read more about 5G with a look at its history and five key trends to watch in 2023.