CSRIC 5G Report Includes Exam of ORANs, Private Network Risks

The Communications Security, Reliability and Interoperability Council easily approved three reports by its working groups Wednesday, including on risks to stand-alone 5G networks from new standards by the 3rd Generation Partnership Project (3GPP) and on standard operating procedures for emergency alerts. None was immediately made available by the FCC.

The Managing Security Risk in Emerging 5G WG’s report notes past CSRICs did a lot of good work in this area and the FCC should support past recommendations, said WG Chair Farrokh Khatibi, Qualcomm director-engineering. The report recommends attention to all the work in progress on supply chain security, a recurring focus of the commission and others, he said: “This is a very important topic and 3GPP is working on as we speak” as are other groups, he said. The report calls for additional CSRIC work on network slicing, he said.

Another area for future work is the security of nonpublic networks, like those being opened by businesses or on factory floors, Khatibi said. This is “a hotly discussed topic” at 3GPP, he said. Another topic for further work is the security of access technologies, including fiber, satellite and different types of wireline connections, he said.

“The first recommendation to industry is please make sure you follow recommendations from previous CSRICs,” Khatibi said. The report looks at particular concerns raised by legacy protocols, including vulnerabilities of the home location register, the database that contains information about subscribers of a wireless network, and the home subscriber server, which centralizes such information. The report looks at open radio access networks, the subject of a Monday FCC forum (see 2009140054). “There is a little bit of misconception that open-source architecture means that there’s going to be introduced security risks,” Khatibi said: “That is not the case” and ORANs would improve security.

A report by the Alert Originator Standard Operating Procedures WP focuses on ways to address and avoid false emergency alerts, said CSRIC member Mark Annas, emergency services administrator for the Riverside, California, Fire Department. The report examines elements “that should be included in alert message that retract or correct false alerts,” he said: “This targets the specific scenario of a false alert and was included based on recent real-life events.” Examples include the January 2018 false missile emergency alert in Hawaii (see 1801160054).

“The false alert handling recommendations will decrease stress in both the alert personnel and public by reducing the number of false alerts and bringing a more automated structure to the reaction following a false alert,” Annas said. The WG recommends stakeholders “have both a communication and technological-connection strategy to enable consistent coordination if your primary method is interrupted,” Annas said. Other communications tools, including Government Emergency Telecommunications and Wireless Priority Services, should be part of the process, he said. The report says stakeholders should be able to “smoothly implement a switchover to or integration of those additional communication channels,” he said.

The 911 WG examined ways to mitigate risks, “the larger threat landscape” and how government and industry can work together. There’s little risk from voice calls to 911, said Tim Lorello, CEO of SecuLore Solutions, who presented the report. “As you go into multimedia and providing other kinds of data information from an end user,” callers “can actually become an attacker,” he said: There are other interconnections between 911 centers and outside centers that can become “potential attack surfaces.”