How confident are you in the security of your Open RAN software?

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Nimal Gunarathna, Head of CybersecurityServices at Fujitsu Network Communications, explores the importance of Software Bill of Materials in securing Open RAN networks.

In recent times, the landscape of telecommunications has undergone a transformational shift with the emergence of Open Radio Access Network (O-RAN) architecture. Its promise of greater flexibility, reduced costs, and increased innovation has garnered the attention of governments, businesses, and consumers alike. With the U.S. National Telecommunications and Information Administration (NTIA) taking significant steps by allocating funds through the Public Wireless Supply Chain Innovation Fund, Open RAN is poised for rapid expansion. However, as the technology evolves, so do the risks.

The Software Bill of Materials (SBOM) plays a crucial part in O-RAN network security. While an SBOM does play a pivotal role in monitoring the licensing and origin of software components, its purpose and benefits extend beyond just license compliance. Leveraging SBOM insights can enable the implementation of robust ‘zero trust’ policies, while also uncovering potential cybersecurity vulnerabilities. Yet, how can a mobile network operator (MNO) or other organization compile and maintain an up-to-date SBOM to enhance security and resilience in the dynamic O-RAN environment?

The O-RAN Revolution

Because O-RAN architecture allows MNOs to mix and match components from different vendors, this groundbreaking approach fosters competition and innovation while reducing vendor lock-in. Moreover, the potential to reduce costs and increase agility enables delivery of affordable and reliable connectivity to underserved areas, closing the digital divide. The potential benefits of O-RAN are indisputable, but they come with a caveat: increased security risks.

The flexibility that O-RAN provides also presents opportunities for cyber-attacks and various exploitations by malicious actors. To safeguard the integrity and security of O-RAN networks, it’s crucial to employ a robust security strategy. For today’s MNO, the SBOM should be at the heart of this strategy to provide enhanced clarity, openness, responsibility, and control over the software supply chain.

Significance of the SBOM

An SBOM is a comprehensive inventory that details all the software components, libraries, and dependencies used in a given application or system. Utilizing an SBOM enables identification of components that conform to regulations, industry standards, and best practices. This helps MNOs monitor and oversee the components of applications while facilitating early detection and mitigation of security vulnerabilities, harmful packages, and compliance deviations. It’s imperative to keep the SBOM up-to-date when a significant application update occurs, leveraging a specialized SBOM generation tool for this purpose.

In the context of O-RAN, an SBOM acts as a roadmap, providing complete transparency into the software elements comprising the network. Understanding what software components are present is the first step in securing any system.

A well-compiled SBOM is instrumental in identifying vulnerabilities within the system. By maintaining an up-to-date inventory of all software components, including origins and versions, operators can swiftly respond to security advisories and patches. This proactive approach can help mitigate potential risks before they are exploited by cybercriminals.

Unlike traditional, proprietary infrastructure, it is the nature of O-RAN networks to rely on components from various vendors. An SBOM assists in vendor accountability by clearly delineating the origin of each software element, helping to develop a trusted supply chain. In case of a security breach or a vulnerability exploit, pinpointing the responsible party becomes more straightforward, facilitating efficient incident response and resolution.

In an era of stringent data protection regulations and cybersecurity standards, such as GDPR and NIST, maintaining an SBOM can be a regulatory requirement. It serves as evidence of due diligence in ensuring the security and privacy of user data. Failure to comply with these regulations can result in severe penalties and reputational damage.

Third-party security assessments and audits are common in the telecommunications industry. A comprehensive SBOM can streamline these processes, providing auditors with the necessary insights to evaluate the network’s security posture effectively. This can expedite approvals, reduce costs, and enhance trust among stakeholders.

SBOM Compilation and Maintenance Best Practices

Now that we’ve established the importance of an SBOM in O-RAN security, what are the best practices for easily and reliably creating and maintaining an O-RAN SBOM?

O-RAN is a dynamic environment where software components are frequently updated. To ensure that your SBOM remains accurate and up-to-date, implement continuous monitoring mechanisms to automatically detect changes in the software landscape. Software management tools help MNOs keep up with changes in SBOM formats, the software industry, and regulations. Various tools are available, such as Anchore (Syft/Grype), Fossa or Mend, and software practices like DevSecOps  can also simplify this task.

Leverage automated tools for SBOM generation, such as those offered by GitHub and GitLab. These tools can scan the network and generate comprehensive inventories quickly, reducing the chances of human error and improving efficiency. To generate an SBOM, use source or binary tools to examine artifacts and associated sources, such as manifests, metadata, and lock files. An SBOM can be generated at the source code stage.

Likewise, SBOM creation can be automated using a software composition analysis (SCA) tool, an open-source tool, or a plugin within a continuous integration/ continuous delivery (CI/CD) pipeline. SCA tools analyze a software product to identify third-party components and licenses, whereas binary analysis tools analyze software metadata and build artifact information to generate an SBOM.

Following are some tools that can automate SBOM creation:

Other tools include CycloneDX Maven plugin, Kubernetes BOM, SPDX SBOM generator and Syft.

As new software components are added or existing ones are updated, be sure to promptly update the SBOM to reflect these changes. Regularly review and validate the SBOM to maintain its accuracy, and follow these steps to keep it up to date:

With the proper tools, MNOs can automatically generate SBOMs, connect them with application security scanning tools, and update them continuously. In this way, SBOMs allow you to keep track of the security vulnerabilities of each component of the application to make sure everything is up-to-date and secure.

It’s essential to conduct regular audits of your SBOM to ensure its accuracy, verifying that all software components and dependencies are correctly documented and up-to-date. The Ortelius open-source project aims to create a central SBOM audit trail of shared data using a governance catalog that tracks changes in components over time. The Ortelius ‘snapshot’ produces an audit trail that shows recent changes.

Integrating an SBOM into an information system audit helps auditors grasp the organization’s software landscape and spot security concerns, such as outdated or unauthorized components, as well as verifying software compliance with security regulations and standards. By uniting SBOMs with audits, MNOs enhance software security, safeguard data against cyber threats, and bolster trust in system security, while lowering the risk of breaches.

Establish a collaborative ecosystem with your vendors and encourage them to provide detailed SBOMs for their components. This collaborative approach ensures that all parties have a vested interest in maintaining a secure network.

Develop a robust patch management strategy to prioritize and apply patches promptly when vulnerabilities are identified. Your SBOM should help identify affected components and dependencies, making the process smoother.

Invest in cybersecurity training for your staff to help them stay current on known vulnerabilities and cyber threats. Importantly, ensure that your team understands the significance of the SBOM and how it contributes to overall network security.

Secure Peace of Mind

By following these best practices, MNOs and other network operators can enhance the security posture of their O-RAN architecture and mitigate potential risks that need to be addressed. The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have published a paper titled “Open Radio Access Network Security Considerations” that expands on the benefits and security considerations associated with implementing O-RAN architecture.

The adoption of O-RAN architecture presents unparalleled opportunities for the telecommunications industry. Still, it comes with the responsibility of safeguarding the networks and user data from evolving software vulnerabilities and cyber threats. By compiling and maintaining an up-to-date SBOM, network operators can enhance their security posture, promptly identify vulnerabilities, and meet regulatory requirements. Implementing best practices such as continuous monitoring, automated tools, regular audits, collaboration with vendors, and robust patch management are vital steps toward securing O-RAN networks effectively.

As Open RAN continues to evolve and expand, the industry must remain vigilant in its commitment to security, and the SBOM is a crucial tool in achieving this objective. The SBOM is not just a document; it’s a shield that protects the integrity of these revolutionary critical networks, ensuring that the promises of connectivity and innovation are realized without compromising safety and security.

Nimal Gunarathna, P.Eng., is a certified security expert and senior leader at Fujitsu with two decades of experience in governance, risk, compliance and security architecture spanning across IT, ICT, OT, cloud and virtualization environments.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.