Scott Poretsky 00:11
If we can leverage AI ML to decide what security capabilities to turn on where and when, at each place in the network, we can better optimize our security, while still gaining the advantages of a zero trust architecture.
Camille Morhardt 00:31
I’m Camille Morhardt, host of InTechnology and very happy to have with me today, Scott Poretsky, to talk about the next layer down of cybersecurity and artificial intelligence and zero trust architecture in 5G, and telecommunications moving forward. Welcome to the podcast Scott.
Scott Poretsky 00:50
Thank you very much for having me. I look forward to a very interesting conversation.
Camille Morhardt 00:56
And just to rattle off of a little bit about your expertise here, you’re Director of Security in North America for Ericsson; you’re also co-chair of the O-RAN Alliance Working Group 11 for Security–and hold on, folks, if you don’t know what O-RAN is, that’s my first question for him. You are also co-chair of the ATIS 5G Zero Trust Study Group. And in the past, you’ve worked on the FCC Security and Reliability Council, as well as the NSA’s Enduring Security Framework.
So first question would be please tell us what RAN is?
Scott Poretsky 01:32
So you have your mobile device, and it goes over the air and connects to some antenna somewhere– whether it’s on the roof of a building or on a tower; and then from there, you’re able to make a call, send a text, or get out to the internet and start streaming movies on your device. The RAN is the part of the network that takes the information from that antenna and converts it into something meaningful so that it can go to what’s called the 5G core. The RAN takes that information from the antenna and through 3GPP-specified functions, converts that into that information that goes to the 5G core, and then sends it out to the internet or to whatever service that you need.
Camille Morhardt 02:20
And RAN literally stands for Radio Access Network.
Scott Poretsky 02:24
Radio Access Network, so it is a type of access onto a larger network.
Camille Morhardt 02:31
So then what is the O?
Scott Poretsky 02:33
Yeah, so the “O” is open. So RAN, traditionally, it’s been a monolithic system of integrated hardware and software. It is standardized, however, being a monolithic system, there has been a few set of vendors who have been able to produce these. The idea is now by opening up the RAN, disaggregating its functions–really decomposing it into smaller functions–and disaggregating hardware from software, while making it cloud native, we can open up the ecosystem, so that more vendors can participate in building the different sub block functions of the RAN. And one of the major goals of this is to increase supply chain diversity by having more vendors that can build these different sub functions. Now when doing this, however, we’ve created new interfaces between the sub functions.
And as we’re coming now into this area of zero trust architecture, we need to make sure that we secure everything as a micro perimeter and data on those internal interfaces between those sub functions is still secure. And that’s new, traditionally in RAN, we’ve been taking these monolithic functions with the integrated hardware and software and deploying these in an operator’s network in a facility that they control. But now that we’re going cloud-native, and we’re opening up all of these interfaces and creating these new sub network functions, we need to make sure we build in the security so that we can achieve what’s called a zero trust architecture.
Camille Morhardt 04:24
There’s also a new paradigm I’m gonna ask you to explain how that exists for I assume machine learning is a big part of that and why it’s coming about. And then I also want to understand some of the new paradigms for how AI is expected to be used, not just anticipated within 5G, but expected to be used.
Scott Poretsky 04:44
Alright, so one of the advantages of allowing softwarization of the RAN and clarifying this is we can build in more intelligence. Not just orchestration, that’s one way of having automation and intelligence, but also building in AI ML. With the open RAN standards being specified by the O-RAN Alliance, we have something called RICs. These are the RAN Intelligent Controllers. And there’s a non-real time RIC that sits in something called the service management and orchestration. And then there’s the near real time RIC that sits below that.
The RICs, these RAN-intelligent controllers, have AI ML capabilities built into them, so that we can make a more intelligent RAN that responds faster to conditions. It can optimize RAN performance, make the network more sustainable and we can gain higher performance while utilizing less energy becoming more energy efficient using this AI ML in the RICs.
Camille Morhardt 05:52
So can you say more detail around that, like as an example? What is it going to figure out or orchestrate in near real-time that currently is not happening and slowing things down? Or costing energy?
Scott Poretsky 06:07
Yeah, so we could see at a given hour that we’re using a large amount of the RAN resources, but there’s little utilization at that hour just because there’s fewer people in that area. So we could turn that back down and turn it up over in another area rather than operating at maximum capacity all the time in every area. There’s great advantages, cost advantages to this, and also for the environment. But we also have to keep in mind there are security considerations when doing this because there are security risks with AI ML. AI ML is a recognized attack vector. So when we’re doing this, we need to make sure it’s secure.
Remember, our networks are critical infrastructure. So the Department of Homeland Security’s Cybersecurity and Information Security Agency, CISA, they have 16 sectors of critical infrastructure that they manage. The communication sector is one of those sectors. So now we’re talking about opening up critical infrastructure and deploying it on cloud-native technology, and possibly even running on third-party infrastructure in a third-party facility. This introduces opportunity now for any type of threat actor to come into this expanded threat surface, because now there’s more entry points that you’re able to access. And as CISA says, with zero trust architecture, we have to assume the adversary is already in the network. So if we’re doing that, we need to secure these internal interfaces.
Now with AI ML, we’re also using enrichment data that can come from outside the network. So we can have these external sources pulling in AI ML data that we’re using to make decisions in our critical infrastructure. We need to make sure we can trust that AI ML data that we’re importing into the RAN, because this will influence those decisions. We need to make sure it’s trustworthy data, we need to make sure that it’s stored securely. We need to make sure that when we’re pulling that data from a third party they’re following security best practices for protecting AI data. We also need to make sure that interface with the API that we’re importing that data is secure, as well. And APIs are a high security risk. The Cloud Security Alliance has APIs as number two on their list of greatest cloud security threats–number two, ahead of misconfigurations. That just shows how serious API security is. And by the way, number one is identity and access management; we need to make sure that we have that properly implemented, as well. So when the O-RAN Alliance in Working Group 11–which I co-chair–we are making a concerted effort to secure the AI ML that we’re using in Open RAN. And we’re making sure our APIs are secure, as well. In addition to securing all of those new internal interfaces that we’ve specified in O-RAN.
Camille Morhardt 09:24
Do you anticipate AI or machine learning or ML being used to actually discover attacks as they’re coming in or discover vulnerabilities one or the other? Or is it just like, you’re worried about it being attacked itself? Is it gonna go on the offensive looking?
Scott Poretsky 09:46
Yeah, this is actually a really insightful question by you. So in the RICs, we have applications, and in the non real time RIC, we have something called rApps, and in the near real time RIC, we have something called xApps. The purpose of having these apps is to further enable smaller software vendors who have specialized expertise to be able to build those software applications and efficiently integrate them into the RAN. So the rApps sit on something that’s called the R1 interface that’s part of service management and orchestration. There can certainly be security, rApps, where we have a security vendor, they specialize in the area of security, they have something innovative for RAN security, they could build an rApp that supports that R1 interface and the security requirements associated with it, to now provide this new security functionality that integrates into the SMO, and is part of the O-RAN solution.
I think this is a great opportunity for software developers and security experts out there; the apps approach is a very nice way to integrate into the RAN using these rApps. And by the way, Ericsson has an rApps developer ecosystem, we have a website that you can go to where there’s developer guidance, and you can become part of the ecosystem to integrate into the Ericsson SMO—that’s service management and orchestration. Our SMO is called the Ericsson Intelligent Automation Platform, the EIAP. And yes, we allow integration of third-party rApps.
Camille Morhardt 11:36
Is part of the way that O-RAN is structured and some of the standards with 5G such that a developer doesn’t need to have deep expertise in Telco infrastructure in order to do some of this orchestration or management? I’m thinking of things like you said, look at energy consumption or perhaps orchestrating different times of day or different workloads. Somebody who might have that expertise, but not have worked on it in the telco space before, is there now an opportunity for them that wasn’t there previously?
Scott Poretsky 12:12
I think so. It’s certainly beneficial to have an understanding of the RAN, because you will integrate into the SMO which then has all of those interfaces to the different RAN functions–the open centralized unit, the OCU, the open distributed unit, the ODU, and then also to the ORU. So it is in the interest of the developer to understand these different RAN network functions that are there. But I really think there is opportunity now for software vendors, who have expertise in certain functionalities to now start building these for RAN when they didn’t have that opportunity before. And that’s one of the advantages now of opening up the RAN ecosystem and having what we call Open RAN.
Camille Morhardt 12:58
Can you talk a little bit about the difference fundamentally, in cybersecurity between previous generations, like 4G, and future generations are coming, 5G and 6G and beyond?
Scott Poretsky 13:11
Yes, so each generation of mobile technology has been more secure than the one prior to it. 5G is more secure than 4G, with things like what are called the SUPI and the SUCI and SEPP. So there’s all of these different acronyms that are real functions that have made 5G more secure.
6G, I anticipate will follow the same track and will be more secure than the prior G. We will see as 6G evolves, and it becomes even more cloud native than 5G, we will have cybersecurity specific to cloud security built in the 6G. And even more importantly, that zero trust architecture now, we’re seeing being thought of to be built into the 6G standards as those evolve.
Camille Morhardt 14:06
Hmm. And where do you see the use of machine learning or artificial intelligence advancing in 6G?
Scott Poretsky 14:13
Oh, we’ll heavily rely upon it–so AI, ML, and cloud everywhere in 6G. It will be very important though, that we keep an eye on security, as well. We’re all in a rush to get the new latest shiny thing working so we can all use it. But of course, being a cybersecurity professional, I always say let’s also think about securing that. And if we can build in security, it results in not only a higher security posture but lower cost as well. Because if you go back after the fact and try to Lego brick on security, then you’re adding cost and you’re adding complexity. Now fortunately, with 6G we’re really seeing, now, this mindset to build in a zero trust architecture and building in AI ML securely, and make sure that all of our network functions are secured as micro perimeters. And we protect all of our data, data in transit, data in use and data at rest.
Camille Morhardt 15:19
Why do we need to use AI in this orchestration? I mean, why can’t a regular algorithm manage the load balancing and the different activities? What is it learning, actually, that’s unique and differentiated?
Scott Poretsky 15:36
Well, with AI, we can be more dynamic. And this is particularly important with policy, because we’ve been at a point that we have relied traditionally on what’s called static policy. So you pre-configure in your network static policy and that’s the way it lives until an operations person goes in and changes it because they received some work order somewhere. Well, by having AI built into the system, wherever possible, we now move away from that static policy, and have what’s called dynamic policy, where you don’t need to wait for a work order and have some operator go in and manually change that static policy. With dynamic policy, the system is able to learn and change that policy on its own, by the conditions that have been set.
Camille Morhardt 16:26
And what kind of policies? Give me a handful of policies would it be dynamically changing.
Scott Poretsky 16:33
So I’ve mentioned a few times this ZTA, acronym. ZTA, the zero trust architecture can be expensive, there’s a lot to do. There’s twelve different critical security control groups. There’s seven tenets we need to follow from NIST, there’s four principles for zero trust in 5G that come from CISA, there’s a lot to do. And it will take time to implement all of this. But when it’s there, it may also be processing intensive, this is a lot to monitor. Part of zero trust architecture is continuous monitoring and response. So just think about looking at everything all of the time.
But now, if we can leverage AI ML to decide what security capabilities to turn on, where and when, at each place in the network, we can better optimize our security, while still gaining the advantages of a zero trust architecture. And this also is consistent with sustainability. Because sometimes security and sustainability can work against each other in conflict, because we need to turn on all of these power-hungry security features, that hurts our sustainability. But now with AI, we can create a better balance there, so we can get to the security we need with the sustainability we’re trying to achieve.
Camille Morhardt 18:06
Thank you for eloquently summarizing why this podcast contains technology, sustainability, and cybersecurity, because they really do all go together sometimes, actually, quite frequently.
Scott Poretsky 18:17
Yeah, they do.
Camille Morhardt 18:19
What kinds of things are the working group or different standards bodies arguing about right now? What are some of the major contentions?
Scott Poretsky 18:28
I’d actually say right now, where there’s the most debate is in the zero trust architecture. How far do we want to go? How far do we want to take it? Because it is complex, there’s a lot of features, and it will take time. But as I remind my colleagues in Working Group 11, there’s something called the zero trust Maturity Model. CISA advises we get there gradually over time, and they have four stages to get to a zero trust architecture, there’s traditional–traditional is the way we’ve been doing it. That’s the traditional perimeter security. So we have this big perimeter with all of our network functions inside of it and all of our data inside of it, and just secured at the perimeter. Perimeter security no longer works, because we have very sophisticated adversaries that are able to get in. So now what do we do? And that’s where we need to have that zero trust architecture that protects everything inside the network.
Let’s get there gradually, through the stages, get to a zero trust architecture from going from traditional to what’s called Initial and then the next one’s Advanced. And then the fourth one is the holy grail. That’s Optimal, zero trust architecture. That’s where we want to get to and CISA advises, don’t wait for perfect, don’t wait for optimal because in the meantime, you will be breached or you will be hacked and you’ll end up with ransomware or something just as catastrophic. Don’t wait for perfect. Start incrementally going through the stages now, adding the different security features on that march towards the zero trust architecture.
Camille Morhardt 20:13
So you’ve mentioned that communications is one of the sixteen critical infrastructures that the US government considers to be critical. So what happens, if it’s hacked? What happens if all of the security fails, and something goes down and major portions of cellular network are disabled or frozen? Is there, like, a contingency plan or resiliency plan? Help us feel a little better about the steps that are being built in that space.
Scott Poretsky 20:45
So there’s a lot of focus right now on resiliency in our communications networks; this work is being done in a number of different bodies, vendors pay very close attention to this. Also, many vendors now are looking at how they can better secure their products. Certainly, Ericsson has been leading the way here, we’ve taken security of our networks very seriously, understanding the responsibility that we are building critical infrastructure for societies around the globe. So we’ve been building in the security in our software development processes, in the features we support, and in the operationalization of the products, as well, so that security teams with our customers can also use our products to monitor the situation. So I think we’ll see the vendor community as a whole continue to raise that security posture.
Camille Morhardt 21:43
Has the government or different standards bodies laid out requirements for resiliency, as well as requirements for security?
Scott Poretsky 21:51
Yeah, so there are agencies involved here, great references are CISA, NIST, and even the FCC for communications networks. So that work is being done there.
Camille Morhardt 22:04
What am I not asking you that I should in this space?
Scott Poretsky 22:10
How will we know when we have a security event going on in the network? Because you can’t get to a zero trust architecture unless you have visibility. And this is one of the key things that’s pointed out in the NIST tenets and also the CISA guidance for 5G cloud infrastructure: you need to have that visibility. And it’s called continuous monitoring and logging. This needs to be built in.
And as we’re thinking about sustainability, too, we also need to consider how much to continuously monitor and log and where to do that and what to look for. So there are tradeoffs here, but we also need to have that feedback loop into our dynamic policy, as we’re detecting events. Because we need to be able to respond and recover when we detect an event. And from that detection, use our AI ML to determine the level of impact. How would we score this, that would dictate how we want to automatically respond and orchestrate that response. So this all comes back together as one big feedback loop that starts with that visibility.
Camille Morhardt 23:28
And that’s part of what Working Group 11 is working on?
Scott Poretsky 23:35
That’s right. We are pursuing a zero trust architecture for RAN and we really think the O-RAN Alliance would be the first standards body that specifies zero trust architecture for RAN. And this will help have a very strong security posture in Open RAN.
Camille Morhardt 23:53
Scott Poretsky, thank you. You are co-chair of the O-RAN Alliance Working Group 11 for Security and also Director of Security for North America for Ericsson. Thank you for your time explaining this.
Scott Poretsky 24:10
Camille, it was great to speak with you and have this conversation. I’m always happy to share cybersecurity, talk with anyone who’s interested.