is being actively addressed within the O-RAN Alliance. Zero-trust architectures will play a crucial role in helping secure the new frontier of 5G critical infrastructure. These architectures will help organizations meet the latest security requirements and keep pace with challenges associated with the expanded attack surface in the context of NIST 800-82 and IEC 62443 standards.
According to research by Venafi, 64 percent of businesses suspect they have been targeted or impacted by nation-state attacks, and 63 percent doubt they would ever know if their organization was hacked by a nation-state. Internet Protocol Security (IPsec), with Internet Key Exchange (IKE), and Transport Layer Security (TLS) are cryptographic protocols that operate at the session layer (layer 5) of the OSI model and are designed to provide communications security over a computer network. Once the client and server have agreed to use IKE (or TLS), they negotiate a stateful connection through a “handshaking procedure”: an asymmetric cipher is used to agree not only on cipher settings but also on a session-specific shared key, with which further communication is encrypted using a symmetric cipher. Applications generally use TLS as if it were a transport layer, even though an application using TLS must itself initiate the TLS handshake and handle the authentication certificates that are exchanged.
IPsec and the other underlying protocols operate at the session layer (layer 5) of the OSI stack. This means that the network and transport layers (layers 3 and 4) must be set up before encryption is established. This opens the door for an adversary to eavesdrop: the source and destination relationships of traffic and flows of interest can be reverse engineered across conventional networks, giving deep insight into the public cloud setup and identifying privileged users and organizational IT and OT relationships. Those adversaries can then intercept, harvest, or even disrupt those flows with a Man-in-the-Middle (MiTM) attack.
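To make the layer 3/4 exposure concrete, here is an added example (not code from the article or from any vendor it describes) of what a passive on-path observer can still recover from a flow whose payload is encrypted: the parser reads only the IPv4 and TCP headers, never touches the payload, and aggregates the results the way a NetFlow collector or an eavesdropper would. The packets, addresses and payload bytes are all constructed for the example; the addresses use documentation ranges and stand for nothing real.

```python
# Added example (not from the article): what a passive on-path observer can still
# recover from an encrypted flow. The layer 3/4 headers are parsed; the payload is
# treated as opaque ciphertext and never inspected. Addresses are constructed
# documentation/test ranges, not real hosts.
import socket
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; yields 0 for a header that already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes, flags: int = 0x18) -> bytes:
    """Constructed IPv4/TCP packet; the TCP checksum is left zero because only the IP header is verified here."""
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0x2000, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_header) + len(payload)
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))  # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + tcp_header + payload


def parse_flow(packet: bytes) -> dict:
    """Extract the metadata that travels in the clear regardless of payload encryption."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _chk, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    meta = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl}
    if proto != 6:  # only TCP is decoded further in this example
        return meta
    sport, dport, _seq, _ack, offset, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    tcp_len = (offset >> 4) * 4
    payload = packet[ihl + tcp_len:total_len]
    meta.update({
        "sport": sport,
        "dport": dport,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "payload_len": len(payload),  # size is visible; content is never inspected
    })
    return meta


def flow_summary(packets) -> dict:
    """Aggregate bytes per (src, dst, dport), as a NetFlow collector or an eavesdropper would."""
    summary = {}
    for pkt in packets:
        meta = parse_flow(pkt)
        key = (meta["src"], meta["dst"], meta.get("dport"))
        summary[key] = summary.get(key, 0) + meta.get("payload_len", 0)
    return summary


# Constructed sample traffic: two workstations talking to a cloud API over TLS and one
# of them opening an SSH session to a jump host. The payload bytes are arbitrary and
# stand in for ciphertext.
CIPHERTEXT = bytes(range(48))
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "203.0.113.10", 51514, 443, CIPHERTEXT),
    build_packet("10.0.0.5", "203.0.113.10", 51514, 443, CIPHERTEXT[:16]),
    build_packet("10.0.0.7", "203.0.113.10", 40021, 443, CIPHERTEXT),
    build_packet("10.0.0.5", "198.51.100.20", 51520, 22, CIPHERTEXT[:32]),
]

if __name__ == "__main__":
    for (src, dst, dport), nbytes in flow_summary(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}:{dport}  {nbytes} bytes of opaque payload")
```

Nothing in the summary required a key: which internal hosts talk to which external services, on which ports, and how much, is exactly the relationship map the paragraph above describes, and it is recoverable from headers that must exist before IPsec or TLS has anything to protect. Defensively, this is the same data your own flow monitoring should be collecting, so the inventory of what an outsider could learn is already in your NetFlow or VPC flow logs.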
Nation-state actors can exploit host-nation ISPs and public cloud providers to run sophisticated MiTM attacks such as Steal Now, Decrypt Later (SNDL) or Harvest Now, Decrypt Later (HNDL). Traditional zero-trust approaches stop at the network and are largely ineffective against such nation-state actors.
The deployment of a “stealth networking” strategy will be an important step in providing an effective and enhanced defense against future cyber-intrusions. Stealth networking builds upon the concept of managed attribution, which is utilized extensively within the intelligence community. As its name implies, attribution is the assigning of an identity to some visible entity or activity. Managed attribution is the active process for shaping online identifiers. It’s what allows you to control what conclusions others draw about the identity of a user or online resource. In other words, it’s the active process of creating visible information that will lead the adversary to the desired conclusions.
Stealth networking can enable communication across the public cloud and Internet using private IP addresses. Firewall architectures can be secured by permitting only outbound access and returning only a “silent fail” (no response at all) to port scans or “TCP listen” calls deployed by threat actors. Finally, the source and destination are not known to either side, which obfuscates traffic and conceals information and flows of value.
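The “outbound access only, silent fail inbound” posture is easiest to reason about as a state machine, so here is an added example (not the article's or any product's code) of a toy stateful packet filter. It tracks connections opened from inside, admits only their replies, and handles everything else in one of two ways: silent DROP, which is what the paragraph above calls a silent fail, or REJECT with a TCP reset, the weaker setting that tells a scanner a host is listening. The inside prefix, the addresses and the packet sequence are assumptions constructed for the example.

```python
# Added example (not from the article): a toy stateful packet filter modelling
# "outbound access only, silent fail inbound". Outbound connections are tracked
# and only their replies are admitted; unsolicited inbound traffic is either
# dropped silently (DROP) or, in the weaker configuration, answered with a TCP
# reset (REJECT). The inside network (10.0.0.0/24) and all addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class OutboundOnlyFilter:
    def __init__(self, inside: str = "10.0.0.0/24", silent: bool = True):
        self.inside = ipaddress.ip_network(inside)
        self.silent = silent
        self.tracked = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def verdict(self, p: Packet) -> str:
        # 1. Outbound traffic: a SYN from inside creates state; later packets of
        #    that connection are matched against it. Outbound packets that belong
        #    to no tracked connection fall through and are dropped too.
        if self._is_inside(p.src) and not self._is_inside(p.dst):
            if p.syn and not p.ack:
                self.tracked.add((p.src, p.sport, p.dst, p.dport))
            if (p.src, p.sport, p.dst, p.dport) in self.tracked:
                return "ACCEPT"
        # 2. Inbound packet that is a reply on a tracked outbound connection.
        if (p.dst, p.dport, p.src, p.sport) in self.tracked:
            return "ACCEPT"
        # 3. Anything unsolicited from outside: a SYN probe, a connect() to a port
        #    the scanner hopes is listening, or a reply nobody asked for.
        #    Silent mode sends nothing back; reject mode answers with a reset.
        return "DROP" if self.silent else "REJECT(tcp-reset)"


def run_scenario(silent: bool) -> list:
    """Constructed packet sequence: one legitimate outbound TLS session, then probes."""
    fw = OutboundOnlyFilter(silent=silent)
    scenario = [
        Packet("10.0.0.5", 51514, "203.0.113.10", 443, syn=True),            # outbound SYN
        Packet("203.0.113.10", 443, "10.0.0.5", 51514, syn=True, ack=True),  # SYN/ACK reply
        Packet("10.0.0.5", 51514, "203.0.113.10", 443, ack=True),            # final ACK
        Packet("198.51.100.77", 40000, "10.0.0.5", 22, syn=True),            # unsolicited probe
        Packet("198.51.100.77", 40001, "10.0.0.5", 443, syn=True),           # unsolicited probe
        Packet("203.0.113.10", 443, "10.0.0.7", 51514, syn=True, ack=True),  # reply to untracked host
    ]
    return [fw.verdict(p) for p in scenario]


if __name__ == "__main__":
    for mode in (True, False):
        print("silent" if mode else "reject", run_scenario(silent=mode))
```

From the outside, the silent configuration is indistinguishable from an unused address (the probe simply times out), whereas the reset in reject mode confirms that something is answering. The distinction matters for the traffic-analysis point made earlier: a reset is itself a layer 4 signal that leaks the existence of a host before any encryption is involved.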
Stealth networking can be expanded to further enhance the protection of data in transit with dynamic, virtual, active/active multipath networks using rolling encryption keys and granular access controls. In addition, the orchestration, control, and data planes can be separated, further protecting data flows from potential interception and future analysis. This can protect against advanced MiTM nation-state attacks like SNDL or HNDL. Proper micro-segmentation, access control, and device posture checking can also be implemented to prevent unauthorized access.
The types of next-gen networks I’ve discussed here can enhance resiliency and performance even within a contested or congested environment, enabling service providers to offer better SLAs. The network can finally become automated and self-healing, with dynamic routing and management capabilities that deflect and redirect traffic away from impacted resources and network nodes to mitigate availability issues and distributed denial-of-service (DDoS) attacks. Importantly, performance can be enhanced even across high-latency, low-bandwidth environments, enabling alternative communication pathways such as mobile hotspot, ADSL, broadband, satellite, MPLS, LTE, and others to maintain business continuity, even in the face of primary network disruption.