5G is the latest in a series of evolutions in public mobile networking, with widespread coverage and access on a subscription basis. 5G networks are characterized by improved capabilities across a variety of measures, including throughputs, latencies, numbers of devices, and battery life. 5G is used to attach small special purpose devices comprising the Internet of Things (IoT) to the Internet, and the important and growing number of services provided by the World Wide Web. IoT devices are often sensors, and 5G access to their data is envisioned to play important roles in medicine, manufacturing, and smart cities. Gartner notes that the number of 5G IoT devices will expand from today’s 3.5 million units to 49 million in 2023.
This supercharged information highway is envisioned to play an important role across several industries, ranging from medicine to manufacturing. Major advances in 5G, including new core network features will make it easier to customize the network at a wide variety of locations. Core network features to support new applications are also present, ranging from network slicing to support for programmable networks. Support for programmability may include software defined network (SDN) switches, network function virtualization (NFV) nodes, and many-core data plane processing devices. The combination of customized virtual infrastructures and programmability permits customization at a wide variety of network locations.
Emerging 5G mobile wireless networking technologies are slated to dramatically increase in both scale and speed, enabling much faster access to data collected from billions of connected devices. This new flexibility offers many benefits, but at the same time introduces novel security challenges.
Standards processes are used to maintain interoperability required for a public network, and while many of the components and component behaviors of 5G have changed little from predecessors such as 4G and LTE, the standards for the most futuristic 5G features are those most in flux. Today’s proprietary 5G technologies make it difficult to achieve the transparency necessary for security-related risk analysis and mitigation. This lack of security assurance makes it harder to deploy these technologies for defense capabilities. These futuristic features also present the greatest risk to US national security , as networks are simultaneously critical infrastructure and the means used for cyberespionage and cyberwarfare.
“The rapid increase in the scale of 5G networks, as well as issues from unmanaged or forgotten Internet of Things (IoT) devices and unwanted interactions between network slices, create security risks that must be addressed,” said DARPA program manager, Dr. Jonathan Smith.
One of the 5G Application areas is the new Cellular Vehicle-to-Everything (C-V2X) networks that will pave the way for automated driving. C-V2X will enable connectivity between vehicles, infrastructure, and surrounding devices. Direct communication between vehicles provides information about what is happening in parts of an intersection not visible to the driver, over the crest of a hill, or on the freeway beside or behind the driver’s own car. In addition, the technology will increase energy efficiency and reduce emissions. Overall, traffic becomes smoother and more efficient. While great for consumers, it provides oppurtunities for hackers to employ automobiles or IoT nodes to carry out their attacks on networks serious security and life threat. The share of 5G-connected cars will grow from 15% in 2020 to 94% in 2028, when 5G will be heavily used for C-V2X, Gartner projects.
In June 2020, The US Federal Communications Commission (FCC) formally designated China’s Huawei and ZTE Corp. as national security threats, citing their close relationship with the Chinese government. The decision means that US carriers can no longer use money available under the FCC’s Universal Service Fund (USF) to purchase 5G — or any other — equipment, services, or systems from either of the two Chinese equipment manufacturers or any of their subsidiaries and affiliates. The US Department of Defense and other government agencies previously announced decisions to discontinue use of technologies from Huawei and ZTE equipment from their networks. “Both companies have close ties to the Chinese Communist Party and China’s military apparatus,” FCC chairman Ajit Pai said in a press statement. “Both companies are broadly subject to Chinese law obligating them to cooperate with the country’s intelligence services.”
DARPA created the Open, Programmable, Secure 5G (OPS-5G) program to tackle many of the security challenges facing future wireless networks. OPS-5G will explore the development of a portable, standards-compliant network stack for 5G mobile networks that is open source, and secure by design. The program seeks to enable a “plug-and-play” approach to various network software and hardware components, which reduces reliance on untrusted technology sources. The goal of OPS-5G is to develop open source software and systems that can enable more secure 5G as well as future generations of networks beyond 5G.
Open, Programmable, Secure 5G (OPS-5G) program
One of the many benefits of 5G is powering a vast and growing ecosystem of IoT devices. The security across these devices, however, is disparate, as is their size, weight, and power (SWaP). Today, IoT security features are viewed as optional, which does not bode well for their use within defense systems. To bolster security around this growing mesh of technologies, OPS-5G will explore the development of cost-effective SWaP-conscious cryptography with scalable security protocols. The program will look to existing technologies to support this process, like the many-to-many end-to-end encryption protocol developed by researchers at the University of California, Berkeley, called Joining Encryption and Delegation for IoT.
Network elements used to support virtualization and the 5G network concept of application-customized “slices” share resources to achieve cost-effective performance. Amongst other risks, this resource sharing creates potential timing channel vulnerabilities. Opaque system ownership, operator policies, and software provenance also present security issues for 5G networks. Currently, a multitude of large vendors provide carrier hardware, software, node provisioning, and more to enable 5G technologies. OPS-5G will explore breakthrough approaches for the enablement of secure network slices to provide security across the network resources provided by and shared with unknown entities. The program will explore novel ways to make trusted networks out of infrastructures with untrusted components.
Finally, OPS-5G will aim to address security challenges posed by 5G’s programmability by hardening the execution. 5G is expected to have 60-600 billion nodes by 2023, which radically increases the risk of network attack. To increase network resiliency and enable faster adaptation to threats, OPS-5G will explore the development of programmable elements of 5G specifically for defense.
The signature security advantage of open source (OS) software is increased code visibility, meaning that code can be examined, analyzed, and audited manually and, more fruitfully, with automated tools by multiple parties. Another benefit is open source software’s portability, which allows the software to run on both OS and proprietary hardware. This decoupling of the hardware and software ecosystems makes it easier to introduce innovations while raising the difficulty of some malicious attacks. Further, it helps open the 5G market to smaller players and innovators.
The goal of OPS-5G is to develop open source software and systems that can enable more secure 5G as well as future generations of networks beyond 5G. However, creating open source software elements typically requires the collaborative development of well-defined standards. The standards creation process can be slow and arduous – one that a rapidly-progressing technology such as 5G can’t afford. To help accelerate the development of 5G-relevant open source software from standards, OPS-5G will explore the use of machine translation to increase code development velocity and help make standards easier to understand.
DARPA, Linux Foundation team for government 5G in Feb 2021
The Linux Foundation (LF), the nonprofit organization enabling mass innovation through open source, today announced it has signed a collaboration agreement with the Defense Advanced Research Projects Agency (DARPA) to create open source software that accelerates United States government technology research and development innovation.
Under the agreement, DARPA and the LF will create a broad collaboration umbrella (US Government Open Programmable Secure (US GOV OPS) that allows United States Government projects, their ecosystem, and open community to participate in accelerating innovation and security in the areas of 5G, Edge, AI, Standards, Programmability, and IOT among other technologies. The project formation encourages ecosystem players to support US Government initiatives to create the latest in technology software.
The project will launch as a standard open source project with neutral governance and a charter similar to other projects within the Linux Foundation. Additionally, the agreement enables collaboration with upstream and downstream communities such as LF Networking, LF Edge, and Zephyr, among others, to build on a secure code base for use by the US Government.
“DARPA’s use of open source software in the Open Programmable Secure 5G (OPS-5G) program leverages transparency, portability and open access inherent in this distribution model,” said Dr. Jonathan Smith, DARPA Information Innovation Office Program Manager. “Transparency enables advanced software tools and systems to be applied to the code base, while portability and open access will result in decoupling hardware and software ecosystems, enabling innovations by more entities across more technology areas.”
“We are eager to ally with DARPA and its intent to accelerate secure, open source innovation and US competitiveness across breakthrough technologies,” said Arpit Joshipura, general manager, Networking, Edge, & IOT, the Linux Foundation. “This partnership enables transformational change across open software and systems, leveraging the best shared resources across the ecosystem.”
The new US GOV OPS umbrella will include the Open Programmable Secure- 5G (OPS-5G) program as its first project, currently in formation with the help of DARPA, the US Navy and additional performers. The goal of OPS-5G is to create open source software and systems enabling secure end to end 5G and follow-on mobile networks. OPS-5G will create capabilities to address feature velocity in open source software, mitigating large scale Botnet of Things (BoT), network slicing on suspect gear, and adaptive adversaries operating at scale.
DARPA’s Dr. Jonathan Smith will be presenting at the upcoming Open Networking and Edge Executive Forum (ONEEF) a virtual event taking place March 10-12. This special Executive Edition of Open Networking & Edge Summit, the industry’s premier open networking & edge computing event, will feature executive leadership across the networking and edge ecosystems sharing their visions with a global audience in the Telco, Cloud and Enterprise verticals.
Technical Areas and Program Structure
Challenges addressed by OPS-5G’s Technical Areas (TA) are:
(1) Decreasing the time required for updates to OPS-5G open source software in response to new versions of the 5G standards;
Open-source software development typically lags commercial software development because of the portable nature of open-source software, which requires the definition and software implementation of a hardware abstraction layer (HAL). This open-source versus commercial software disparity in “feature velocity” inhibits open-source software deployment in fast-paced markets . OPS-5G TA1 will focus on accelerating open source software development with machine translation of 5G standards documents. 5G standards are maintained online as a set of electronic documents and updated as needed. As operational 5G software must be standards compliant, updates in standards spur new software development.
The high degree of structure present in these standards documents enables machine extraction of information relevant to software implementations including software structure, service interfaces, timing parameters, flow diagrams, and protocol graphs. This extracted
information provides a foundation for automated compliance testing, partial proofs of correctness, protocol execution integrity checks, and other critical aspects of software development.
The Independent Test and Evaluation (ITE) and TA1 teams will collaborate to define a sufficiently powerful and flexible formal representation for 5G standards. The ITE team will provide a ground-truth translation of these natural language documents into the representation, and TA1 performers will be evaluated on their ability to accurately translate from natural language (NL) standards documents.
(2) Achieving a usable scalable “zero-trust” security architecture for devices ranging from IoT sensors to servers. The architecture should have a minimal impact on size, weight and power (SWaP), and price;
5G will drive substantial growth in networked devices. The size, weight, and power (SWaP) characteristics of such devices will vary tremendously, ranging from tiny battery-powered Internet of Things (IoT) sensors to substantial computing systems. The goal of TA2 is to develop techniques and security architectures enabling security at scale across devices with widely disparate SWaP. A security architecture provides methods to preserve desired levels of confidentiality, integrity, and availability across the set of systems spanned by the architecture. On larger platforms, such as those in the 5G core, services, protocols, hardware support, and administrative resources are
available to detect and remediate problems.
IoT devices, on the other hand, may be severely resource-constrained (e.g., battery-operated), cost-limited, and unattended, while meeting
mission requirements for multi-year operational lifetimes. Improvements in processing time and battery life from low-cost hardware support for security primitives such as in-silico entropy sources and encryption, as well as those required for roots of trust such as Trusted Platform Modules (TPMs), Titanxix, Subscriber Identity Modules (SIMs) and e-SIMsxxi, have resulted in their presence in many microcontroller and microprocessor systems. Given needs such as trusted initialization of a nodexxii, TA2 submissions must identify hardware support presumed by their proposed solutions.
Adding a new, networked device to a household with many existing devices, such as security cameras, shows the need for cross-scale security approaches. Starting from a basis of zero trust (“the network cannot be trusted”), a zero trust architecture is based upon the principle of least privilege. Roots of trust, as described above, may be used; proposers are encouraged to avoid overdependence on their presence. As trust is established amongst nodes, the network security architecture can then bind devices together using delegated authorities to control their roles (e.g., by not sharing security camera outputs with unauthorized users). IoT devices may be bought, sold, loaned, and relocated; thus solutions must remain secure in both long-term emplacements and in situations where trust relationships are dynamic and short-lived.
To be successful, proposers to TA2 must describe and justify security architectures that operate across all scales of nodes and networks, minimizing use of 5G core network services, and maximizing use of mobile edge computing (MEC) to avoid performance bottlenecks from shared central services. Architectures should support low-cost, unattended, long-lived, battery-powered sensors, which will be the smallest, cheapest, and most numerous devices in the 5G ecosystem. Of particular relevance are cryptographic operations, which typically demand high levels of power. The TA2 metric is cost-effective security; costs are measured using battery life relative to a baseline as a metric for SWaP. The Government will use penetration test scores devised by the Government Independent Test and Evaluation (ITE) team to gauge network and device security.
(3) Mitigating new attack surfaces (such as side-channels) introduced by virtualization and slicing; and
The performance requirements of mobile networks vary by customer and use. For example, video streaming demands completely different latency, bandwidth, and delay variability (jitter) than tele-operation. Playback of stored video can overcome the majority of timing challenges
using an elastic buffer at the user device, while interactive tele-operation cannot tolerate the delays inherent in playback from a large buffer. Thus, a 5G network slice intended for content distribution must be provisioned differently than a slice used for tele-robotic surgery.
Network slicing overlays virtual networks across multiple enterprises, and thus may use infrastructure that is untrustworthy, under-provisioned or even adversarial . Slice virtualization security risks thus include timing side-channels used to extract information
from activities occurring in co-resident slices.
The TA3 metric is capacity. Side-channels, like covert channels, are impossible to eliminate completely. Reducing the side channel capacity is a measure of the effectiveness of performer solutions in isolating a “secure slice” from co-located slices that might be used by adversaries to
extract information leaked, for example by accidental cache pollution. The capacity measure is solution-agnostic, and proposers may suggest additional metrics or milestones.
TA3 approaches may also include so-called “moving target” defenses, where the network infrastructure is periodically altered as a method of blunting attacks and information extraction. If such an approach is used, proposers must clearly and explicitly state the expected effects on
analysis of the capacity metric used by the ITE to evaluate TA3. For example, if a degree of redundancy in network paths is necessary for slice provisioning or re-provisioning in a TA3 solution, that expectation must be clearly stated. Measures of redundancy, such as average or
minimum in-degree or out-degree for graph nodes, should be clearly and explicitly stated by proposers. Additionally, the risk if the assumption is not met must also be discussed.
(4) Changing programmability from a threat vector to an enabler of security at scale
Technologies such as Network Function Virtualization (NFV), Software Defined Networking (SDN), etc., allow customization of networks by injecting code on-demand to meet evolving sets of requirements. Accelerating network evolution is a central goal of OPS-5G as well. OPS-5G’s ability to evolve is achieved via use and management of SDNs, NFVs, and emerging data plane capabilities.
The consequences of introducing programmability with insufficient attention to malicious actors and their capabilities is illustrated by the addition of scripting languages to web browsers. Initially intended to customize local behavior of downloaded Web content for presentation by a web browser, the execution of programs of unknown provenance has opened hosts to a multiplicity of security threats. OPS-5G’s TA4, Principled programmable defenses, seeks to develop techniques that use programmability, and the resulting network adaptability, as a means to increase security. In particular, TA4 focuses on (1) innovative approaches leveraging programmability to ensure that in-network code is trustworthy; and (2) concrete demonstrations of programmable networking’s advantages for network defense.
Ultimately, the goal of TA4 is to maintain availability of the 5G infrastructure and its services in spite of active threats to its availability by malicious actors, and to use the programmable elements of the OPS-5G infrastructure to defend against compromised elements outside the
control of the OPS-5G software. TA2 will provide a network security architecture that makes injection and propagation of malware within the IoT very difficult
Cybersecurity tool maker Kryptowire has won a four-year, $7.3M contract to help the Defense Advanced Research Projects Agency conduct research and development activities on 5G mobile network security. Kryptowire will perform work under DARPA’s Open, Programmable, Secure 5G initiative which seeks to establish an open-source system to support subsequent next-generation networks such as 6G communications, the Department of Defense said Tuesday.
According to DARPA, the OPS-5G effort is meant to drive research into standards-compliant 5G network stacks to support automated functionalities and internet of things applications. The agency noted that it plans to use a “plug and play” concept for the 5G network and use portable systems to “decouple the hardware and software ecosystems” while preventing supply-chain attacks. DARPA received 40 bids for the cost-plus-fixed-fee contract through a competitive, broad agency announcement-based process and will obligate $884K in fiscal 2020 research, development, test and evaluation funds at the time of award.
Perspecta Labs Wins 2 DARPA Awards to Boost 5G Security in Oct 2020
Solutions provider Perspecta Inc.’s innovative applied research arm, Perspecta Labs, has received two awards on the Defense Advanced Research Projects Agency’s Open, Programmable, Secure 5G program. The awards, which represent new work for the company, support work to improve security of 5G networks. They have a combined ceiling value of $25 million and a 4-year period of performance if all options are exercised. Although emerging mobile wireless networking technologies could revolutionize an array of industries, they also up the risks of supply chain attacks, said Petros Mouchtaris, president of Perspecta Labs.
The expected deployment of 5G networks poses a significant security risk because of the proliferation of foreign and untrusted hardware devices. The OPS-5G program aims to improve 5G security through the creation of an architecture that decouples hardware and software ecosystems. Under the program, Perspecta Labs is to design, develop, integrate and demonstrate a security solution that scales for devices ranging from internet of things sensors to servers, and will incorporate a set of techniques to deliver real-time, distributed defense in depth cybersecurity for 5G, 6G and beyond.
DARPA puts $30M toward ONF’s Aether 5G Connected Edge Cloud platform in Dec 2020
In Dec 2020, Open Networking Foundation (ONF) announced that ONF’s Aether 5G Connected Edge Cloud platform is being used as the software platform for the $30M DARPA Pronto project, pursuing research to secure future 5G network infrastructure. DARPA is funding ONF to build, deploy and operate the network to support research by Cornell, Princeton and Stanford universities in the areas of network verification and closed-loop control. ONF will enhance and deploy its open source Aether software platform as the foundation for the Pronto research work, and in turn the research results will be open sourced back into Aether to help advance Aether as a platform for future secure 5G network infrastructure.
Aether – 5G Connected Edge Cloud Platform
Aether is the first open source 5G Connected Edge Cloud platform. Aether provides mobile connectivity and edge cloud services for distributed enterprise networks as a cloud managed offering. Aether is an open source platform optimized for multi-cloud deployments, and it simultaneously supports wireless connectivity over licensed, unlicensed and lightly-licensed (CBRS) spectrum. Aether is a platform for enabling enterprise digital transformation projects. Coupling robust cellular connectivity with connected edge cloud processing creates a platform for supporting Industrial Internet-of-Things (IIoT) and Operational Technology (OT) services like robotics control, onsite inference processing of video feeds, drone control and the like. Given Aether’s end-to-end programmable architecture coupled with its 5G and edge cloud capabilities, Aether is well suited for supporting the Pronto research agenda.
Aether Beta Deployment
ONF has operationalized and is running a beta production deployment of Aether. This deployment is a single unified cloud managed network interconnecting the project’s commercial partners AT&T, Ciena, Intel, Google, NTT, ONF and Telefonica. This initial deployment supports CBRS and/or 4G/LTE radio access at all sites, and is cloud managed from a shared core running in the Google public cloud.
The University campuses are being added to this Aether deployment in support of Pronto. Campus sites will be used by Pronto researchers to advance the Pronto research, serving as both a development platform and a testbed for use case experimentation. The Aether footprint is expected to grow on the university campuses as Aether’s 5G Connected Edge Cloud capabilities are leveraged both for research on additional use cases as well as for select campus operations.
A growing ecosystem is backing Aether, collectively supporting the development of a common open source platform that can serve as an enabler for digital transformation projects, while also serving as a common platform for advanced research poised to help unlock the potential of the programmable network for more secure future 5G infrastructure.
“At Google Cloud, we are working closely with the telecom ecosystem to help enable 5G transformation, accelerated by the power of cloud computing. We are pleased to support the Open Networking Foundation’s work to extend the availability of 5G and edge capabilities via an open source platform.”
Shailesh Shukla, VP and GM, Networking, Google Cloud
“Cornell is deploying Aether on campus to bring private 5G/LTE connectivity services with edge cloud capabilities into our research facilities. We expect private 5G/LTE with connected edge cloud to become an important and integral part of our research infrastructure for many research and operational groups on the campus. We also see the value of interconnecting a nation-wide leading infrastructure with Stanford, Princeton and ONF for collaborative research among university researchers across the country.”
David Lifka, Vice President for Information Technologies and CIO, Cornell University
“Princeton University is deploying Aether on campus in the Computer Science Department in order to support the Pronto research agenda and offer it as an experimental infrastructure for other research groups. This deployment will enable private 5G/LTE connectivity and edge cloud services and will complement https://p4campus.cs.princeton.edu/. We plan to also explore how some of our mission critical production use cases can be supported on a private 5G Connected Edge Cloud.”
Jay Dominick, Vice President & CIO, Princeton University
“Ciena is pleased to be an early collaborator on the ONF’s Aether project. We have an Aether site running in our 5G lab in Montreal, and we are excited by the prospect of helping enterprises leverage the 5G and edge cloud capabilities of Aether to help build transformative solutions.”
Stephen Alexander, Senior Vice President and Chief Technology Officer, Ciena
“Intel is an active participant of the ONF’s innovative Aether project to advance the development of 5G and edge cloud solutions on high volume servers. ONF has been leading the industry with advanced open source implementations in the areas of disaggregated Mobile Core, e.g. the Open Mobile Evolved Core (OMEC), and we look forward to continuing to innovate by applying proven principles of disaggregation, open source and AI/ML with Aether, the Enterprise 5G/LTE Edge-Cloud-as-a-Service platform. As open source, Aether will help accelerate the availability of innovative edge applications. Aether will be optimized to leverage powerful performance, AI/ML, and security enhancements, which are essential for 5G and available in Intel® Xeon® Scalable Processors, network adapters and switching technologies, including Data-Plane Development Kit (DPDK), Intel® Software Guard Extensions (Intel SGX), and Intel® Tofino™ Programmable Ethernet Switch.”
References and Resources also include: