The NSA and CISA jointly released a landmark report last month covering security considerations for Open RAN (radio access network). Zscaler is a member of the Enduring Security Framework (ESF) Open RAN Working Group that contributed to the security assessment where concerns were highlighted and advice offered to Open RAN designers and implementors.
The objective of the work is for the industry to step up innovation around 5G, edge, and radio technologies while mitigating their cybersecurity concerns.
We caught up with Dr. Ken Urquhart, Global Vice-President of 5G at Zscaler and a member of the working group, to better understand the announcement.
Editorial Team: Let’s start with the 30,000-foot view. Please explain Open RAN (aka O-RAN) radio and baseband technology and why the market, as research firm Dell’Oro puts it, is “accelerating at a torrid pace” this year?
Ken: A radio access network (RAN) connects mobile devices to “everything” – to telecommunications networks, the internet, enterprise data centers, the cloud, etc. In the past, a limited number of providers delivered RAN technology as integrated hardware and software solutions, and they delivered them almost exclusively to large telco operators. Open RAN solutions are now being developed to enable federal and commercial entities to diversify their supply chains, avoid vendor lock-in, reduce costs, and offer new opportunities to innovate.
An open, multi-vendor RAN ecosystem, powered by cloud services and software, is deemed critical for 5G innovation by both the federal government and the industry. Consider the value of cloud-scale economics applied in this context. You use software in place of custom or specialized chips and hardware, and a lot of that software can be derived from open source projects. Your hardware requirements then simplify to commercial off the shelf (COTS) that can also be sourced from multiple vendors.
Editorial Team: What is the significance of the ESF Open RAN assessment, and how will it help pave the way toward the industry goals for O-RAN?
Ken: The assessment established a baseline for the security risks of adopting an Open RAN system for radio access. 4G/5G applications that use Open RAN, including defense, smart cities, smart power grids, and autonomous vehicles make O-RAN security vital. The newly released CISA/NSA Open RAN Security Assessment recommends steps including decoupling software and hardware layers and encrypting data passing between components. There are also specific defenses for AI/ML – including using more complex training approaches and multiple algorithms the results of which can be cross-checked and used interchangeably to prevent compromise. Open RAN will fuel game-changing 5G innovation; the key is building security right in from the start.
Editorial Team: You contributed considerations for AI/ML in O-RAN for applications called rApps and xApps. What are these, and what kind of automation and use cases are critical?
Ken: AI and ML are newcomers to RAN. O-RAN designers are using those technologies to drive greater operational efficiencies and enable new use cases over the available radio spectrum since radio bands are limited. AI/ML are also key to making up for the elimination of custom and specialized chips and hardware. Yet bad actors will work to exploit the sometimes too-easily fooled algorithms and attack the O-RAN. Many of the issues facing Open RAN deployment can be mitigated by deploying a zero trust architecture from a FedRAMP-authorized SASE leader.
Editorial Team: One such way to fool algorithms is through data poisoning attacks. What are they?
Ken: Despite the power of AL and ML, it can be fooled. Sometimes very easily depending on the algorithm and the inference approach. For example, researchers have shown how state-of-the-art image classifiers can be tricked by small changes in the pixel colors of an input image. You can accomplish something similar in Open RAN by introducing small variations to the radio signals sent from a mobile device to an Open RAN radio. Data poisoning refers to an attacker influencing the data used to train an AI algorithm so it will misclassify certain attacker-chosen input at a later time or create failure across broad ranges of input at runtime. These attacks can produce undetectable back doors and can be very subtle – so subtle that humans can’t detect them. For it to work, it requires the corruption of the learning process or intimate knowledge of how an algorithm interprets its output (which can be easy if the AI algorithm comes from an open-source project).
It’s worth noting another threat to AI/ML called an input attack. What is different here is that the attacker does not need to corrupt the AI system in any way, just the data sent to the AI for classification. You can explore these, and the more sophisticated attacks, by clicking through the links in the appendix of the NSA-CISA report.
Editorial Team: Speaking of zero-trust access on private 5G networks, Nokia recently expanded its Mission Critical Industrial Edge (MXIE) solution to include Zscaler capabilities. What is the significance, and what does it mean for IIoT and 4IR?
Ken: Up to now, the security of radios and telco networks were the operator's responsibility, rather than the responsibility of the hardware or software component manufacturers. In our 5G/Open RAN world, any enterprise can conceivably build and operate a private telco network. Nokia is one supplier of equipment needed to realize private 5G. Zscaler partnered with Nokia to secure the provider’s industrial and IoT edge capabilities. Its ecosystem-neutral MXIE solution powers industrial applications like autonomous robots and augmented and virtual reality. It will use Zscaler Private Access to add zero trust security to secure mission-critical, ultra-low-latency edge workloads in addition to OT and IIoT systems.
Zscaler has been working in 5G/edge for some time, running multiple 5G stand-alone cores in-house, and protecting them using zero trust; and we are expanding into zero trust for V-RAN and O-RAN protection. Stay tuned.
What to read next