The Current State of Open RAN Security: A Preview
Network X caught up with Patricia Diez Munoz, Global Security Director for Networks and Systems at Telefonica Group, ahead of her speaking engagement at Network X on all things security, including Open RAN and NTN. Patricia will be speaking on the topic of The Current State of Open RAN Security, in a panel discussion moderated by Heavy Reading, and joined by Orange Group.
At Network X, you will be talking about Open RAN security. Could you give us a snapshot of what you will address and Telefonica’s relevant work on this?
I would talk more about a cloudified architecture, which is where the market is heading.
The analysis of the security in Open and Cloud RAN usually concludes that it may be compromised mainly by the basics of the technical solution that, on one hand, are essential for it, but that, on the other, are not significantly different from those used in any other cloud environment. None of these and other security concerns (that are not exclusive to Open RAN) are being ignored, and all of them are being addressed by Telefónica and the rest of the industry through different initiatives like the O-RAN Alliance and the Open RAN Memorandum of Understanding (G5-MoU).
As a result of the collaboration of the operators who signed the G5-MoU, a White Paper of the assessment of Open RAN security was published in March 2022 that summarises the view on Open RAN and security of the main European operators, including Telefónica. The White Paper identifies four technological pillars in order to ensure that Open RAN implements state-of-the-art security procedures.
Additionally, Telefónica is specifically involved in other activities.
As part of the G5-MoU, Telefónica is leading the Security Group where we have published in June the Open RAN Technical Priorities Release 4 which is an update of the documents published in June 2021 (Release 1), March 2022 (Release 2) and April 2023 (Release 3) respectively. Just for context, each release has prioritised different aspects of Open RAN development. Release 1 focused on the main scenarios and technical requirements for each of the building blocks of a multi-vendor RAN. Release 2 mainly focused on intelligence, orchestration, transport, and cloud infrastructure, addressing also the energy efficiency goals and targets to support sustainable Open RAN. Release 3 mainly focused on developing requirements on SMO and RIC building blocks and enhancing other areas such as Cloud infrastructure, O-CU/O-DU, and O-RU, addressing also the security topic to support more secure Open RAN. The fourth release of the technical priorities has primarily focused on developing further requirements on SMO especially related to AI/ML framework, interworking with traditional RAN and slicing management, and on Security with MoU operator vision about the Zero Trust approach and requirements for certification.
How will security be managed in-life for O-RAN software upgrades and onboarding new rApps or xApps to ensure privacy, manage any risk from open-software software and prevent security vulnerabilities/backdoors within new code?
Not just for Open and Cloud RAN but for other technologies and in-house developments, we have implemented in Telefónica a DevSecOps process, with a focus on security integration from the early stages to the final implementation, including the specific security tools and tests where applicable. By introducing early security measures, it is possible to prevent and detect security issues quickly, before they become serious threats.
For those who don't know, DevSecOps is an extension of the DevOps methodology resulting from adding security (Sec) team processes and testing, which are integrated throughout the development lifecycle. This methodology prioritises security from the beginning, implementing practices and tools that allow for proactive and continuous detection and mitigation of risks and vulnerabilities.
Continuous integration (CI), continuous delivery/deployment (CD), and continuous testing (CT) (CI/CD/CT) are essential components of DevOps and DevSecOps, accelerating code release and deployment processes.
CI refers to in-house developments. When the application comes from a 3rd party and we cannot control this stage, we force them to follow strict security requirements and controls included in the contract. And of course, we establish a complete e2e security governance on the applications we deploy in production. This will include such rApps and xApps.
In addition, we follow Open RAN security specifications to implement the new interfaces securely and perform periodical security tests over final implementations.
What precautions will you take to safeguard ML models used for rApp and/or xApp inference processes to prevent attack? Will there be levels of full autonomy in order to build trust and security?
Again, this is not specific to rApps and/or xApps, but applies to all the final solutions using AI models (not just ML/DL but GenAI). We have been studying the different threats and specific attacks to such models, and the data used for the training and the training itself are quite important to prevent certain attacks. We have created a set of specific security requirements for our supply chain, and specific security requirements for the deployments in order to protect the solutions.
Security tools are evolving too, to be able to protect against more sophisticated attacks that leverage AI techniques. We have to be up to date.
What additional percentage of cost and effort does security for open RAN and virtualized architectures add, compared to traditional architectures?
This is not specific to Open / Cloud RAN as we are introducing virtualisation in different network domains. For me, the most important thing is the re-skilling of the network security teams, to acquire the needed knowledge, not just in virtualization and cyber security but AI.
Satellite communications will relatively soon become native to terrestrial networks. How is Telefonica preparing for NTNs and security?
We already have satellite communication networks deployed in rural environments where it is difficult to deploy both fixed and mobile networks. When it comes to security, we apply the principle of security by design (logical and physical security) and we take care of the security of our supply chain by including security requirements in all our processes and linking them by contract. And, once implemented, we apply security governance or if it is a managed service, we define SLAs and security controls we want over the service.
What are you most looking forward to regarding your speaking engagement and attendance at Network X?
Networking and understanding the trends in all technologies, as to secure something you need to know and understand it in depth.