Leading Network Transformation
Interview with Nagendra Bykampadi, New O-RAN ALLIANCE Security Focus Group Co-Chair
Altiostar Director of Product Management and Security Standards Nagendra Bykampadi was recently voted the new co-chair of the O-RAN ALLIANCE Security Focus Group (SFG). Nagendra brings more than 24 years of experience in the wireless industry to this position. In this interview, Nagendra shares more details on the role and what he would like to accomplish.
1. What is the role of the O-RAN Alliance Security Focus Group (SFG)?
The SFG has the overall responsibility for security and privacy in O-RAN systems.
SFG performs analysis of potential threats to these systems. Based on the threat and risk analysis, the SFG determines the security and privacy requirements for O-RAN system and specifies the security architectures and protocols.
In addition, the SFG is responsible for development of O-RAN Open Source Community (OSC) security guidelines and requirements, security requirements for a cloud platform, and development of an O-RAN security testing framework specification similar to 3GPP’s security assurance specification.
2. How does O-RAN relate to 3GPP in terms of security?
Since O-RAN ALLIANCE builds on 3GPP’s 5G NR architecture, it benefits from 3GPP’s advanced security features such as enhanced user identity privacy based on Subscription Concealed Identifier (SUCI), end-to-end protection of communication between the UE and gNB based on encryption and integrity protection over the air interface, and finally IPSec based security of gNB interfaces including the E1 interface between CU-CP and CU-UP and the F1 interface between CU and DU.
Figure 1: 5G Open RAN Security Architecture
The SFG’s responsibility is to define a security architecture for the new interfaces and functions developed for the O-RAN architecture. This enables operators to deploy an O-RAN based mobile network that’s secure by design based on standardized security mechanisms and industry best practices.
3. What are your new responsibilities?
As a lone co-chair representing the vendor community, my role will be that voice that represents the vendors and all ecosystem partners in the SFG. O-RAN’s open, disaggregated and virtualized architecture enables many new suppliers to be involved in developing a standardized architecture. From a security point of view, it is important that SFG takes advantage of the expertise that these new suppliers bring to the discussion.
I would further like to use my experience in 3GPP to adopt and implement in SFG some of the best standardization practices and processes that have worked very well in 3GPP.
4. What’s your assessment of the current level security in O-RAN?
Open, standardized interfaces remove vulnerabilities or risk that comes with proprietary and potentially untrusted implementations. Transparency provides an operator full visibility and control over the cloud environment and network in general. The disaggregation of O-RAN allows for deployment of containerized network functions that can be more resilient and adaptable, including through the ability to deploy security updates at massive scale more quickly and at lower cost than otherwise possible.
As a focus group responsible for security and privacy in O-RAN, SFG’s role is to define security for the new interfaces and functions that’s defined by O-RAN ALLIANCE for the O-RAN architecture. SFG has kicked off multiple Work Items (WI) to study and propose security requirements to further fortify O-RAN. Several of these WIs are close to completion and SFG will release very clear recommendations on the required security measures.
5. What are your priorities during your tenure as co-chair?
Broadly speaking I am looking at two areas where I can contribute – a) working with the other co-chairs in executing the roadmap and delivering on the mandate that SFG has signed up for, and b) using my experience in 3GPP SA3 to bring structure and required processes in how SFG does things. These are in-addition to actively driving Work Items (as rapporteur, for example) that are crucial for the overall security of O-RAN.
6. Can you shed some light on SFG’s accomplishments so far and its roadmap for future releases?
SFG has been working on a number of security topics to develop a standardized and interoperable set of solutions that enable O-RAN to meet (and exceed) security expected by 5G network operators and users.
It has made tremendous progress in defining security solutions for many of the O-RAN interfaces, which are based on industry best practices such as TLS 1.2 and IPSec.
SFG has also accomplished much towards securing the Open Fronthaul (FH) interface. Securing the Open FH interface between O-RU and O-DU is by far most critical due to latency requirements. I am proud to say that various participants in SFG have done a great deal of work in securing C/U/S-plane traffic on Open Fronthaul.
- To begin with, we are specifying use of IEEE 802.1X-2020 Port-based Network Access Control (NAC) to restrict access in point-to-point LAN segments within the Open Fronthaul network. A corresponding O-RAN specification covering this security aspect is expected to be released by Q3’21.
- Subsequent O-RAN releases will include security measures for protecting C/U plane traffic and IEEE 802.1AE MACSec is one of the potential measure considered for this. We are also going to work closely with IEEE/ITU-T to explore use of IEEE 1588 native PTP security mechanism to secure S-plane (PTP) messages on Open FH.
SFG has a clear roadmap ahead of it – several key areas have been identified for next phase of specification work. These include security for Near-RT RIC and Non-RT RIC, Security assurance specifications for O-RAN (to complement 3GPP’s SCAS) and Lifecycle Management for O-RAN software.
7. Considering the current threat landscape, what is Altiostar’s approach on securing its products?
Altiostar’s approach on security is based on two pillars –
a) adopting and implementing standardized security solutions defined by standardization bodies such as O-RAN ALLIANCE and 3GPP, and
b) incorporating relevant security best practices and security principles that ensure that our software products implement security by design throughout the whole development and product lifecycles.
Figure 2: ORAN security enablers
“Security by design” involves inserting specific security checkpoints throughout the Software Development Life Cycle (SDLC) that defines how our software is built. This ensures that security is considered at every stage of the SDLC – right from the initial requirements gathering phase, until the point our software is pushed out of our build environment to the operator-owned registry. Some of these checkpoints include adhering to secure coding practices, CI-integrated image scanning for detecting vulnerabilities and digital signature-based image signing.
We also work closely with cloud infrastructure ecosystem partners to implement cloud security measures that are critical for securing container-based workloads in the production environment. Some of these measures include secure configuration of the cloud platform based on Center for Internet Security (CIS), 3GPP SCAS recommendations, and implementing necessary runtime security measures based on native cloud infrastructure capabilities.
Altiostar is committed to producing containerized software that is built based on established security best practices and principles.