The path forward to a ZTA for Open RAN security
Ericsson has long been at the cutting edge of Open RAN development and security, and the recent election of Scott Poretsky as security co-chair for ORAN WG is the latest in a long line of developments recognizing the company’s commitment to it. Following the publication of the new Ericsson paper, Scott will be speaking on the subject of security at the upcoming Open RAN North America event on Dec 6-7.
But before we look to the future, let us cast our minds back to how we got here.
In 2020, three significant milestones occurred during a six-month period that have paved the way to this point. The first occurred in March 2020, when the O-RAN Alliance kicked off the Security Task Group (STG) that was part of Working Group 1 (WG1). A few months later in August, Ericsson published “Security Considerations of Open RAN”, a paper that laid out a plan for ensuring that Open RAN didn’t open the door for new risks in 5G, while recommending mitigations. That was followed shortly afterwards by the publication of US NIST SP 800-207, Zero Trust Architecture (ZTA), to mature zero trust from a concept to an actionable plan.
The Ericsson paper, which discussed how new interfaces and RAN architectural elements could increase the threat surface, quickly became a primary reference for discussions around Open RAN and 5G security risks.
Since that Ericsson paper was published, there has been significant progress in improving Open RAN security, led by the O-RAN Alliance WG11, but the attack surface has expanded further and there is still more to do. Throughout this time, Ericsson has been a leading technical contributor in the O-RAN Alliance to achieve this progress.
The continued rapid pace of development and deployment of Open RAN and 5G has led to a need to update that paper, with governments and industry asking Ericsson to reassess the current state and what the future will look like. That work is now complete, and the paper “Zero Trust Architecture for evolving Radio Access Networks” has recently been published.
In general, Open RAN has security considerations that go beyond the O-RAN architecture, so it is also of vital importance to assess the attack surfaces for Open RAN in hybrid cloud deployments using cloud-native technologies, APIs, and artificial intelligence (AI) and machine learning (ML).
With that in mind, the O-RAN architecture must be specified, built, implemented and operated so that its functions, interfaces and data are all secured with built-in confidentiality, integrity and availability protection against external and internal threats.
The regulatory environment
On March 2, 2023 the White House Office of the National Cybersecurity Director (ONCD) published the US National Cybersecurity Strategy.
It contained two statements that are of particular interest in the world of ORAN security, the first being that “Departments and agencies will direct R&D projects to advance cybersecurity and resilience in areas such as … cloud infrastructure, telecommunication …. used in critical infrastructure” and the second stating that the current US administration is “committed to improving federal cybersecurity through long-term efforts to implement a zero trust architecture strategy and modernize IT and OT infrastructure”.
The goal is to have cloud-based 5G critical infrastructure that is protected from external and internal threats with a Zero Trust Architecture (ZTA) with the following features:
- Network functions and architectural elements are secured as micro-perimeters
- Trust is not assumed for any subject, whether a human user or a network asset. Authentication and access controls are implemented for external and internal subjects
- Confidentiality and Integrity protection is provided for data in-transit, at-rest, and in-use
- Continuous monitoring, logging, and alerting is implemented to detect security events
The fact that this is the stated position of the US government should not be underestimated: its view that a zero trust architecture is achievable, and its advocacy for critical infrastructure, bring what needs to be done into sharp focus.
The paradigm shift to Zero Trust Architecture
The new Ericsson paper presents an analysis of the Open RAN attack surface and outlines the progress made in the O-RAN Alliance to enhance the Open RAN security posture, as well as looking to the future.
Taking everything that we have observed and learned into account, the paper recommends implementing a Zero Trust Architecture (ZTA) as the best method of achieving a secure O-RAN network from external and internal threats.
The paper also presents the security posture of Ericsson’s Cloud RAN, which is secure by design in accordance with industry best practices. It has security built-in to meet the O-RAN security specifications and the 3GPP SA3 security requirements.
What is Zero Trust Architecture?
Zero Trust Architecture, built using micro-perimeters or “perimeter-less security”, is an approach that is based on the principle of “never trust, always verify”. Put simply, it takes nothing for granted and insists that nothing is trusted by default, even if it is connected to a permissioned network or was previously verified. Ericsson’s Open RAN solution, which includes Cloud RAN software and Ericsson Intelligent Automation Platform (EIAP), is secure by design, using Ericsson’s Security Reliability Model (SRM) security assurance process and supporting security controls that align with a ZTA.
Cloud RAN’s application security posture gives operators the confidence that their Open RAN deployments are secure, whether deployed on-premises or in a private, public, or hybrid cloud.
Ericsson’s SRM enables a managed, risk-based approach to security and privacy implementation, where requirements are tailored to the target environment and demands. This approach helps meet stakeholder expectations and cater for the rapid evolution of technology and the continuous changes in legislation globally, such as with Open RAN.
Achieving the best by assuming the worst
While it may seem negative to assume the worst from the get-go, doing so is the strength of the concept of ZTA.
Instead of assuming that the network is solid and secure and then waiting for threats and breaches to occur, ZTA does the opposite – it assumes that the attacker is already inside the network.
That starting point changes everything about how we perceive security in the network – no longer do we assume that it is the role of gatekeepers at the perimeter to keep the network secure, and that everything inside that perimeter is safe and protected. Perimeter defenses alone are no longer sufficient as the adversary may already be inside the network and moving laterally. Instead, we assert that internal threats to the network are subject to the same kind of defenses as external threats through a perimeter.
A ZTA never makes any assumptions about trustworthiness – instead, it facilitates access to network resources based on authorization and approval using an identity-centric approach.
When implemented correctly and in accordance with security specifications and industry best practices, a ZTA mitigates both the risk of an external attacker gaining access to the network in the first place and the risk of lateral movement in the network should they do so.
The path to a mature ZTA
No two RANs are alike, and implementing ZTA is affected by how mature the network’s security is. The complexity of a ZTA can also incur time and cost, so a risk-based approach, considering likelihood and impact, should be taken to prioritize implementation of a ZTA in stages. CISA advises not to wait for perfect security, but instead start taking incremental steps toward a ZTA now.
CISA’s Zero Trust Maturity Model (ZTMM) defines four maturity stages to incrementally achieve a ZTA by advancing from traditional (based on traditional perimeter security), to initial (the first steps to defend against internal threats), then advanced (featuring continuous monitoring and automation), and finally to the goal of reaching the optimal level with AI for dynamic policies and automation.
The model also identifies five pillars for zero trust: identity, devices, networks, applications and workloads, and data. Each of these pillars has its own unique pillar-specific functions, and they also share cross-cutting functions that can evolve through the four stages. The three cross-cutting functions are visibility and analytics, automation and orchestration, and governance.
ZTA critical controls for RAN can be implemented in an incremental approach by mapping the controls for each of the pillars to the four CISA ZTMM stages.
Ericsson's secure Open RAN solution
As mentioned above, Ericsson has long been at the forefront of developments in Open RAN, and our portfolio already contains a number of products and solutions that will help pave the way to ZTA.
Ericsson Cloud RAN software and Ericsson Intelligent Automation Platform (EIAP) are part of Ericsson’s Open RAN solution that implements the Open RAN goals of cloudification, intelligence/automation, and open internal RAN interfaces.
The foundation of ZTA is secure products built upon secure specifications, security-by-design principles, secure software development frameworks, and product security assurance.
Launched 10 years ago, Ericsson’s Security Reliability Model (SRM) is built upon industry best practices and provides governance that ensures security is built into Ericsson’s Cloud RAN, EIAP, and other products.
Ericsson SRM includes many of the ZTA-recommended controls and DevSecOps processes, and it covers internal software development, consumption of upstream third-party software (including open-source software), secure coding practices, vulnerability scanning, vulnerability testing, penetration tests, and operations.
The role of the O-RAN Alliance in implementing ZTA
Formed in 2018 and made up of dozens of operators and over 200 vendor companies, the O-RAN Alliance plays a critical role in defining standards for radio access networks.
With the leadership of Ericsson and other contributors, O-RAN Alliance WG11 continues to enhance the O-RAN security posture for each of its assets, including architectural elements, network functions, interfaces, and data in the pursuit of a ZTA.
Ericsson is a major contributor to the security specifications adopted by the O-RAN Alliance and will continue to lead security specifications efforts to ensure the attack surface of Open RAN critical infrastructure is protected from external and internal threats based upon a ZTA.