DSIT’s Future Network Programmes: Lessons Learned (security)

As the Future Network Programmes conclude, UKTIN is working with DSIT to reflect on the government-funded projects, outlining the key outcomes and the lessons learned to help improve future telecoms initiatives. 

The UK’s increasingly complex and connected telecom systems pose numerous security challenges, including data breaches, DDoS attacks, and insider threats. 

These risks can have serious consequences, such as financial loss and reputational damage. The UK lost a staggering £44bn in revenue due to cyberattacks during 2020-2025, Howden Insurance has found. DSIT reported last year that half of businesses in the UK and around a third of charities had experienced cyber security breaches or attacks in the previous 12 months. The credit ratings agency placed the telecom sector in the ‘very high’ category for cyber risk at the end of 2024, up from ‘high’ in 2022: increased digitalisation and weak risk mitigation are among the contributory factors.

DSIT is committed to protecting our shared virtualised resources – and its funded projects are a part of this. 

  1. What has been your biggest challenge to date?

    Dave Happy, co-author and security lead of the Dorset Open Network Ecosystem (DONE) project said: “Having had to dramatically reduce the scope of our ambition. I think we could have achieved a lot more given additional time. This is a dynamic market in which the government is keen to see the UK play a leading role, and it’s frustrating that just as you see results coming in you have to put the brakes on! R&D progress does not typically arrive in a nice linear way – and sometimes not at all. That is simply the nature of the beast. But when results do come, try to maximise the benefits. There is no perfect solution to this challenge I fear.” 

    Brian Grant, Technical Consultant at the DONE project, said: “One of the challenges we see in Open RAN is interoperability and feature implementation, and whether the features are available. The specifications say that they should be there and how they should operate but when you get into it, whether they are there is a different matter.”

    Mahesh K. Marina, Professor of Networked Systems in the School of Informatics at the University of Edinburgh (PerceptRAN), said: “Monitoring the visibility across the whole system and being able to do that efficiently. Detecting anomalies effectively was also challenging.” 

    Ankit Verma, a Software Engineer at Microsoft (PerceptRAN), said: “One of the key challenges we faced was managing data transfer from the edge to the cloud. It’s crucial to implement best-in-class cloud security features while running telco workloads in the cloud and ensuring a secure end-to-end pipeline.”

    Bridgette Bigmore, CTO at UK Telecoms Lab, said: “Our number one challenge has been ensuring operators and vendors are aware of vulnerabilities we have identified and act promptly to close them down. Alongside this, we’ve struggled to find the right people with the right mindset, with both breadth and depth of skills across security, telecoms, IT, and software.”

  2. What have you learned?

    Happy observed: “Assumptions you might make about expected features and functionality interworking smoothly according to the relevant technical standards might not be correct. It’s accepted that the O-RAN Alliance has worked hard on standards and specifications. However, adopting these standards is slow and patchy, particularly around xApp development and security. It’s fair to say that Open RAN has failed to deliver on the early hype, particularly around the RIC and intelligent automation in the RAN.”

    Grant contributed: “Our biggest learning was the inconsistency across the XApp interface and platforms. We looked at several open sources and watched procurement seminars, and the interface towards the XApp is not specified. The onboarding process is very different for each vendor that we looked at. From a developer's point of view, this makes it very difficult. You will probably have to rewrite your application depending on what platform you end up on.”

    Marina said: “The O-RAN setting is unique and off-the-shelf methods often do not work. The data we need is very different and challenging. To get visibility across the system, you need new tech. On top of that, to leverage that data, we had to tailor our design. We did not anticipate this at the beginning. We learned a lot about existing methods and found that false alarms, in particular, are a major concern.”

    Verma continued: “Also the modern 5G fronthaul, which connects the base stations to radio units in cellular networks, is designed to deliver microsecond-level performance guarantees using Ethernet-based protocols. Unfortunately, due to potential performance overheads – and misconceptions about the low risk and impact of possible attacks – integrity protection is not considered a mandatory feature in the 5G fronthaul standards. We present a novel class of powerful attacks and a set of traditional attacks, which can be fully launched from software over open packet-based interfaces, to cause performance degradation or denial of service to users over large geographical regions. This raises a major concern and a need for security improvements in the 5G fronthaul network.”

    Bigmore added: “Far too much to put into one article! But, if I have to choose, I’d say the pace of evolution and market demand driving priorities. We started this journey to build a fully representative tier 1 mobile network to test ORAN functionality. Our scope has already broadened to include fixed and mobile, digital voice and other areas of connectivity and as a result, a new attack plane has been introduced. Unfortunately, we can’t do everything. We prioritise imminent threats to the UK’s connectivity networks, driven by our geopolitical environment and market demand. Telcos haven’t adopted ORAN as quickly as anticipated but this could change – technology can be rapidly developed and implemented based on external factors. Our priorities should be determined by innovation and socioeconomics.”

  3. What advice would you give to others hoping to deploy connectivity securely?

    Happy commented: “WG11 has been very prescriptive about ‘secure by design’ and mutual authentication of O-RAN components and encryption of data at rest and in-flight; however, if these principles are not adhered to (which they haven’t been in some of the examples we have looked at) the threat surface of disaggregated components and vulnerability to attacks from within is significant. As for other considerations, assume that it's the people who are the biggest problem, not the technology; be aware that the security landscape is constantly evolving, with more legislation due later in 2025; and if possible, have a partner or partners who are already security specialists, just as we did.”

    Grant continued: “Understand what you mean by secure. When a customer wants their network to be secure, you must ask, ‘From whom? And for what?’. You need a threat model.” 

    Marina added: “Monitoring is a key component for anybody deploying secure networks. It is also best to keep up-to-date with the cloud computing world and what is happening within the O-RAN ecosystem. I also think digital twins are incredibly important; they can offer a means to assess the security of the software before it is deployed. They are a tool that provides a sandbox environment to enable secure networks. Likewise, testing interfaces and methodologies for compliance is crucial.”

    Bigmore said: “Lead with a secure-by-design mindset. Secure technology through standards and good architecture. Perhaps most importantly, follow Ofcom’s groundbreaking TSA guidelines. Always choose prevention, where possible. It is much more effective than reactive action.”
