FCC CSRIC OKs Report on Supply Chain Security Best Practices
The FCC’s Communications Security, Reliability and Interoperability Council approved two reports Wednesday, on best practices to improve communications supply chain security and on security vulnerabilities in hypertext transfer protocol (HTTP). CSRIC also got updates from its other working groups. Neither report was immediately available.
The supply chain report looks at the changing “paradigm” for telecom providers. “There have been some technical advancements in the communications service providers’ networks that include both vertical and horizontal disaggregation of both hardware and software,” said Todd Gibson of T-Mobile, co-chair of the Managing Software & Cloud Services Supply Chain Security WG. The most important offerings today are software, platform, infrastructure and communications as a service, he said.
These offerings are “not all-new to the cloud service providers, but they are new in the 5G system,” Gibson said. “These capabilities allow for the communication service providers to select the best in breed software resulting in multivendor deployment,” he said: “The adoption of open source software has almost permeated all software code bases that are being delivered to the software consumers. Open source software is proving to be instrumental in accelerating software development.”
The legacy model involved a single vendor providing the hardware and the software, Gibson said. “Today’s new software supply-chain model has become significantly more complicated,” he said. The report urges making software more secure, he said.
The software bill of materials (SBOM) on each package needs to improve, Gibson said. “SBOMs need to be machine-readable for scalability and for automating security scanning,” he said. They should include end-of-life and end-of-support data, he said: “What is the end-of-life date for that particular software? Can we have any software running in our network that has been deemed end-of-life or end-of-support? That needs to be on each software component.”
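The SBOM point above (machine-readable, carrying end-of-life and end-of-support dates, usable for automated scanning) is easy to turn into a concrete gate. The following is an added example, not code from the CSRIC report or any working group: it reads a CycloneDX-style JSON SBOM and classifies each component against a reference date. The lifecycle property names, the component names, versions and dates are all constructed for illustration; CycloneDX has no standard property with these exact names.

```python
"""Check a machine-readable SBOM for end-of-life / end-of-support components.

Added example, not from the CSRIC report. Assumes a CycloneDX-style JSON
document whose components carry the (hypothetical) properties
"lifecycle:end-of-life" and "lifecycle:end-of-support"; the property names,
component names and dates below are constructed for illustration.
"""
import json
from datetime import date

# Constructed sample SBOM (CycloneDX-like layout, hypothetical lifecycle properties).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http-lib", "version": "2.3.1",
         "properties": [
             {"name": "lifecycle:end-of-life", "value": "2021-06-30"},
             {"name": "lifecycle:end-of-support", "value": "2020-12-31"},
         ]},
        {"type": "library", "name": "example-tls-lib", "version": "4.0.2",
         "properties": [
             {"name": "lifecycle:end-of-life", "value": "2030-01-01"},
             {"name": "lifecycle:end-of-support", "value": "2023-03-15"},
         ]},
        # A component with no lifecycle data at all; the scan must not
        # silently treat it as supported.
        {"type": "application", "name": "example-core-nf", "version": "1.0.0",
         "properties": []},
    ],
})

EOL_KEY = "lifecycle:end-of-life"       # assumed property name
EOS_KEY = "lifecycle:end-of-support"    # assumed property name


def _property_date(component, key):
    """Return the named property's value as a date, or None if absent or unparseable."""
    for prop in component.get("properties", []):
        if prop.get("name") == key:
            try:
                return date.fromisoformat(prop["value"])
            except (KeyError, ValueError):
                return None
    return None


def check_sbom(sbom_text, today):
    """Classify every component in the SBOM relative to `today`.

    Returns a dict mapping "<name>@<version>" to one of
    "end-of-life", "end-of-support", "supported" or "missing-lifecycle-data".
    An SBOM entry without lifecycle dates cannot answer the question the
    report raises, so it is reported as a finding rather than passed.
    """
    sbom = json.loads(sbom_text)
    findings = {}
    for comp in sbom.get("components", []):
        ident = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        eol = _property_date(comp, EOL_KEY)
        eos = _property_date(comp, EOS_KEY)
        if eol is None and eos is None:
            findings[ident] = "missing-lifecycle-data"
        elif eol is not None and eol <= today:
            findings[ident] = "end-of-life"
        elif eos is not None and eos <= today:
            findings[ident] = "end-of-support"
        else:
            findings[ident] = "supported"
    return findings


def blocking_findings(findings):
    """Identifiers a deployment gate should block on: anything not 'supported'."""
    return sorted(k for k, v in findings.items() if v != "supported")


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM, date(2023, 9, 1))
    for ident, status in sorted(result.items()):
        print(f"{status:22} {ident}")
    print("blocking:", blocking_findings(result))
```

The design choice worth noting is that a component with no lifecycle dates is a finding, not a pass: the scan is only as good as the SBOM fields it consumes, which is exactly why the report asks for those fields on every component.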
China passed a law last year restricting vendors from disclosing software vulnerabilities until after a patch is released, Gibson said. “This new law will allow adversaries more time to compromise vulnerable platforms prior to the software consumers even becoming aware that the new vulnerability exists,” he said.
“5G is a departure from traditional wireless networks,” said Brian Daly, AT&T assistant vice president and co-chair of the 5G Signaling Protocols Security WG, which wrote the HTTP report. “It really is not the next evolution of 4G,” he said. “It is a completely new architecture with new technology.” The core uses HTTP/2 while some support systems may use HTTP/1, Daly said. “That raises concerns about known vulnerabilities in the HTTP protocol,” he said.
The report identifies the vulnerabilities, and a second, due next June, will look at how to mitigate them, Daly said.
The report approved Wednesday looks at outside attacks, which would be “somebody on the internet being able to get access into a network function within a 5G core network,” said WG co-chair Travis Reutter, Metronet director-network management. An inside attack is “someone gaining access to the resources of a carrier and using that access within their network, whether it be part of their management system or some other capabilities that the carrier might have, and using that to laterally move into accessing one of the network functions,” he said.
CSRIC is next scheduled to meet in December in what's expected to be its first in-person meeting since the start of the COVID-19 pandemic.