Security considerations for open virtualised mobile networks

There are many initiatives driving open architectures and virtualised telecoms infrastructure such as Telecoms Infrastructure Project, O-RAN Alliance, Linux Networking Foundation and the Open Networking Forum. The use of software from open source in a range of architectural deployments is rapidly increasing such as a software component running on virtualised infrastructure, to provide virtualised middleware, or within proprietary code implementation.

This blog identifies four areas of importance when considering security and resilience factors for future telecoms: quality of software code, the need for a Software Bill of Materials, preserving a secure root of trust and the need to protect the management plane of any new solutions.    

Newer approaches separate software from (general purpose) hardware using an intermediate virtualisation layer that exposes hardware capabilities in the same architecture used today by internet & cloud companies. The ability to disaggregate the network and use virtualised components offers the potential to lower unit costs, increase vendor diversity, increase flexibility to grow or shrink services and enhance innovation potential. A recent GSMA Whitepaper focussed on the topic of open networking and the security of open source software deployments. It has a companion document that provides a security research summary.  

Code quality and Software Bill of Materials

Open source software has a number of advantages, notably that source code is accessible and subject to inspection, a wide community of developers can contribute and there is potential to accelerate telco cloud implementation. In contrast, there are various best practice steps that aim to ‘make secure software' but none of these are mandated in the open source community whose main focus is functionality1. Code quality is vital and can be developed using established best practices using a Secure Software Development Framework2 and company equivalent development practices.  For open source code developments, the Linux Networking Foundation has developed a Common Infrastructure Initiative3 to promote better open source coding practices. Allied to this, the generation and maintenance of a Software Bill of Materials (SBOM) can help operators build knowledge of their deployed code; particularly important when allied to an awareness of code bugs and security flaws.  

Security root of trust

As solutions become more virtualised, security considerations previously addressed solely by the supplier of the integrated solution become a more obvious security requirement. Preserving the security root of trust from the compute platform, up through virtualisation software and to the applications running on top are vital and become the responsibility of the system integrator / operator.   

It is not sufficient for all layers to be secured separately, the integrated whole must operate securely. Hence, concepts such as roots of trust, zero trust and trust domain separation are really important design and implementation concepts.  

Protect the management plane

The management plane of a network is a very powerful part of network control and configuration of infrastructure. Consequently, protection of management plane security is a priority in order to protect network availability, integrity and confidentiality.  For a more diverse supply arrangement to work securely, it is important to create dedicated segregated, secure, out-of-band management zones for management of operator solutions.  Access to the operator Radio Access Network or Core Networks can be possible through mechanisms such as remote access methods (e.g. Citrix) but these must have strong controls in the own right.   

Whilst this blog has highlighted four important security topics, there is a more comprehensive set discussed in the GSMA Whitepaper.  Please take a read of the GSMA Whitepaper Open Networking & the Security of Open Source Software Deployment and let’s design-in security right now.      

Martin Beauchamp is the Senior Industry Security Analyst at the GSMA’s Cyber Security Department where he works on delivering practical security responses to the evolving threats facing the mobile industry.  

Martin has significant global experience in delivering cyber & security outcomes with industry, government and academic perspectives. He has a strong technical background and nurtures trust relationships to understand solutions to complex cyber security problems. Martin has a broad range of current interests including cyber and open source software security, open networking, equipment supply chain risk, new technology exploitation and risk management.  

Prior to joining GSMA, Martin worked in UK Government on Telecoms Security & Resilience at the Department for Digital, Culture, Media and Sport and in a variety of cyber security roles at BT.  He holds 2 degrees and is a Chartered Engineer.  

To read more from #DiversifyingTelecoms Campaign Week check out our landing page here.