“KSI is a paradigm shift in cyber security – forensic quality instrumentation afforded from the inside out at the data-level, with real-time integrity reporting for critical C-RAN components and applications (even those being managed by machine to machine interfaces). This baseline forensic instrumentation allows your organization to visualize threats and manipulation of C-RAN assets in real-time.” 

– Matthew Johnson, CTO Guardtime

C-RAN is still in the early stages of adoption by telecom operators for controller applications as SaaS on different vendor PaaS, and IaaS. National and International standards bodies such as NIST and ETSI are still also in early stages of C-RAN interface standards for these different service layers and there is a distinct lack of cyber security recommendations and best practices to address threats.  

It is reasonable to assume dependent C-RAN infrastructure will be compromised. Historically, the more important and valuable a customer or service providers intangible assets are, the more likely they will be targeted and compromised.  C-RAN must now consider robust cyber security and forensics methods to address these threats.

As an introduction to these concepts it’s important we start off with the frame for what is taking place in the telecommunications industry. The industry is at an inflection point with tremendous opportunities but also with significant risks.  The cost of adding more processing capacity, new radios and antennas – and the resultant heterogeneous network  has become economically unsustainable and has led to heavy industry costs for upgrade given the massive increases in demand. 

C-RAN is a proposed solution and at the heart of most operator strategies to lower these costs and bring efficiencies but is threatened by security and delivery challenges. Mobile connections are now ubiquitous, mobile social networking applications have skyrocketed, and perhaps even a greater impact will be the demand for mobile video.  

"Mobile video is more than doubling between 2010 and 2015 and devouring available bandwidth – one solution to the bandwidth problem is Cloud Radio Access Networks."

               - Telecommunications Industry Association 2014

What is C-RAN

C-RAN’s promise is to add intelligence to the edge by enabling the operator to allow the network to respond dynamically and on-demand to bandwidth and service load requirements, combining collaborative radio and a real-time cloud infrastructure with centralized, general purpose processing solution(s). 

Many vendors are bringing this concept to market with LTE prototypes – ATT, Intel, Google, and China Mobile to name a few.  Current C-RAN LTE base station architectures roughly abstract to a mixed use of custom applications running on commoditized virtualized infrastructure and running 3GPP compliant software. 

Instead of dedicated hardware in the base station, workload is divided across multiple cores, while remaining compute cycles can be used to provide applications and service on the C-RAN.  Purported benefits include things like comprehensive power management and more importantly – new services can be introduced through software instead of overhauling an entire infrastructure or area deployment with new hardware.  RAN and core processing thereby can be consolidated on the same data center platform.

Centralized baseband processing is afforded by a pool of high capacity processing units and what the industry is referring to as real-time virtualization technology.  Reliable and high-speed optical networks in turn connect centralized baseband processing pools to a now highly distributed radio network (composed of RF units and antennas).  

Innovations and optimizations reduce the number of base station sites and lowers CAPEX and OPEX.  C-RAN promises to utilize resources more efficiently, lowering power consumption yielding higher on-demand flexibility, while offering significant TCO advantages through the consolidation of multiple workloads.  Robust virtualization allows the operator to address the network capacity loads envisioned by the explosion of customer requirements (such as mobile video).

Cloud computing architecture makes this all possible, where commercial off the shelf solutions can be used in different service layers to avoid using customized hardware and software solutions from specific vendors.  However, the radio network controller applications in the cloud-computing environment still require all the software and hardware layers of traditional telecom equipment.  But, hardware virtualization, OS abstraction layers, and middle layers can be provided to the RAN applications through virtual service layers so that it can remain independent of underlying hardware and software components. 

Here is where the ‘rubber hits the road’ for C-RAN.  The integrity of all of these interactions is paramount if the operator is to have any kind of confidence in the deployment, provisioning, and automated adjustment and/or manipulation of services.  Maintaining and assuring the accuracy and consistency of systems and data is as important, if not more than the availability of the system and resources across the cloud’s virtualization environment.  With increased abstraction and reliance on virtualization infrastructure, applications, and API interfaces to the PaaS layer’s machine-to-machine interactions will be paramount.  This is where C-RAN exploiters will likely focus their attacks.

"At Guardtime, we have never known a cloud application NOT to be exploitable."

- Matt Johnson, CTO Guardtime

Code, APIs, and application vulnerabilities and implementation specific flaws will plague these architectures and service layers.  At Guardtime, we have never known a cloud application NOT to be exploitable – and with increased abstraction this is a nightmare scenario for operators managing C-RAN critical communications assets (not to mention their customers utilizing the mobile environment for everything from mobile banking, to social networking, to email, and video).  

The complexity of these interactions, their geographically distributed characteristics, and handover of control for important RAN functions is (in our opinion) unprecedented for services in the cloud.  C-RAN infrastructure is just as vulnerable to the same cloud threats, which include data breaches, data loss, account or service hijacking, insecure interfaces and APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence, and shared/mixed technology vulnerabilities.  

Guardtime outlines these threats in detail in our whitepaper:  Cloud Insecurity and True Accountability.  

Attributable Networks using KSI

To address these threats and the integrity of C-RAN for the operator, imagine the possibility of an ‘Attributable Network’. Attribution means that the properties of important digital assets (privacy data, customer information, etc.) and C-RAN network component software and/or firmware for assets like routers, switches, applications, virtual machines, configuration information, audit and event log systems, and associated network services can be forensically authenticated with three important properties:  evidence of identity, authenticity, and time – that this unique authentication evidence is portable and can be independently verified by anyone without the reliance on cryptographic keys or credentials than can (and will) be exploited.

With KSI-enabled cloud forensics, the realization of a C-RAN deployment, which can guarantee integrity, is now possible at the scale required.  C-RAN assets and their provenance can be authenticated in real-time, anywhere in the world, independent of the service provider. 

For API and application integrity, real-time monitoring from any baseline instantiation (see ‘Clean State Proof’ below) is now possible. KSI signatures are portable and can literally become part of data they are protecting (applications, database entries, virtualization infrastructure, configuration files, credentials, and/or responsible access, authentication, and authorization assets across the C-RAN).

With the forensic quality instrumentation and attribution afforded by KSI signatures and Guardtime solutions for C-RAN, the instant these components are tampered with is the instant you know there has been an integrity breach and that your customers and enterprise environment – your intellectual property – is at risk.

This proof affords the C-RAN operator the ability to trust the provenance and integrity of any network interactions, as well as the C-RAN applications and assets they are managing and/or consuming.

Fundamentally, the signatures generated by Guardtime KSI baseline the state of the C-RAN’s virtualization, object storage, PaaS layer, and M2M infrastructure – Guardtime calls this application of it’s technology to C-RAN ‘Clean State Proof’, highlighting the authenticity, time, and identity of C-RAN critical assets. This proof information can then be sent and escrowed (aggregated) across the network enterprise or across service providers without disclosing the underlying contents of the data the signatures protect.

By collecting, analyzing, correlating and reporting this evidence operators can build a real-time integrity picture of the network and/or important C-RAN applications, APIs, firmware, M2M components, and virtual images.

With this real-time awareness regarding the integrity state of C-RAN asset components, operators seeking to protect the integrity of the services can then make forensically grounded real-time decisions in the event that the C-RAN assets are compromised - quickly identifying the cause and specific component(s) responsible for the loss of integrity.

Subsequently, with this real-time awareness, real-time incident response, real-time data-loss prevention, investigation, and/or C-RAN Continuity of Operations (resilience) is now possible to detect and react (or rollback) to any misconfiguration, network and/or component/application integrity failure.

To quote Jason Hoffman, Ph.D. Head of Product Line, Ericsson Cloud Software  “You can’t be perfect at preventing crime, but you can be perfect at detecting crime”.

KSI is the forensic instrumentation required to provide real-time and continuous protection of C-RAN resources, while offering operators real-time integrity visibility into operations and any machine abstracted dependencies. 

Quantum-Immune Machine Identity Management

Tuesday September 9th - mark the date in your calendar. On that date we will make an announcement which will have profound impact on the world of security. 

PKI was designed for humans to authenticate themselves across insecure channels - not for a world of 50 billion continuously on, continuously communicating machines.  Even more significant for PKI is that the underlying signature algorithm, RSA will be comprehensively broken in a world of practical quantum computers. 

Whatever your view on quantum-computing, the world's leading nation states have put an end of life date on RSA as 2016 - and there is no alternative - yet.  For C-RAN and all machine to machine communications there is an urgent need to rethink identity management  - so tune in on September 9th and listen to what Guardtime's Chief Scientist, Ahto Buldas, and our in-house cryptography team will have to say.  

Further reading: