This paper introduces a zero-trust supply-chain assurance rubric tailored for O-RAN RIC applications, addressing the unique security challenges introduced by third-party applications in Open RAN environments. The rubric provides a lifecycle threat model, maps threats to O-RAN security baselines with corresponding supply-chain evidence, and defines an operator-facing assurance profile with incremental onboarding levels. Case studies demonstrate the rubric's utility in supporting Accept/Escalate/Block decisions during RIC app onboarding.
A zero-trust assurance rubric for onboarding third-party apps in Open RAN: lifecycle threats mapped to supply-chain evidence, yielding explicit Accept/Escalate/Block decisions.
Open RAN enables third-party xApps and rApps to be onboarded and updated at operational cadence, creating a software supply chain that spans developers, CI systems, registries, onboarding pipelines, and runtime enforcement points. This preprint proposes a zero-trust supply-chain assurance rubric for O-RAN RIC applications. It makes three contributions: first, an app-centric lifecycle threat model for RIC applications across build, signing, publication, onboarding, runtime, and update or rollback stages; second, a WG11-aligned threat-control-evidence mapping that relates lifecycle threats to O-RAN security baselines and complementary supply-chain evidence; and third, an operator-facing assurance profile that combines secure software development practices, SBOM transparency, and SLSA-style provenance into incremental onboarding levels. Analytical case-study walkthroughs and a minimal evidence-checking workflow illustrate how the rubric can support explicit Accept, Escalate, or Block decisions during RIC app onboarding. The evaluation is intended to assess applicability rather than deployment-scale performance; empirical measurements of operational overhead, decision consistency, and detection coverage are left for future work.
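The "minimal evidence-checking workflow" the abstract mentions is not reproduced on this page, so the following is an added illustration, not the preprint's own code or rubric. It sketches how an onboarding pipeline could turn the three evidence classes named above (a valid signature, an SBOM, and SLSA-style provenance) into an Accept, Escalate or Block verdict across incremental levels. The level definitions, the allow-listed builder URL, the evidence field shapes and the sample xApp bundle are all assumptions chosen for the example; the signature check is taken as an upstream verifier's verdict rather than re-implemented here.

```python
# Added example (not from the preprint): evidence-checking workflow that maps
# supply-chain evidence for a RIC app to Accept / Escalate / Block.  Level
# definitions, field names and the builder allow-list are assumptions.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: the operator's allow-list of build platforms (hypothetical URL).
TRUSTED_BUILDERS = {"https://ci.operator.example/slsa-builder"}


@dataclass
class Evidence:
    """Evidence bundle submitted with an app; field shapes are simplified assumptions."""
    app_name: str
    artifact: bytes              # package bytes as received by the onboarding pipeline
    signature_valid: bool        # verdict of an upstream signature verifier, assumed already run
    sbom: Optional[dict]         # CycloneDX-style document, or None if not supplied
    provenance: Optional[dict]   # SLSA-style provenance statement, or None if not supplied


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_signature(ev: Evidence) -> bool:
    return ev.signature_valid


def check_digest_matches_provenance(ev: Evidence) -> bool:
    # Provenance must name exactly the bytes we received, or it proves nothing about them.
    if not ev.provenance:
        return False
    digest = sha256_hex(ev.artifact)
    return any(s.get("digest", {}).get("sha256") == digest for s in ev.provenance.get("subject", []))


def check_sbom_present(ev: Evidence) -> bool:
    return bool(ev.sbom) and bool(ev.sbom.get("components"))


def check_sbom_names_artifact(ev: Evidence) -> bool:
    # An SBOM describing some other component is not evidence about this app.
    return bool(ev.sbom) and ev.sbom.get("metadata", {}).get("component", {}).get("name") == ev.app_name


def check_trusted_builder(ev: Evidence) -> bool:
    return bool(ev.provenance) and ev.provenance.get("builder", {}).get("id") in TRUSTED_BUILDERS


def check_dependencies_pinned(ev: Evidence) -> bool:
    # Every recorded build input must carry a digest, not just a floating tag or branch.
    deps = (ev.provenance or {}).get("resolvedDependencies", [])
    return bool(deps) and all("sha256" in d.get("digest", {}) for d in deps)


CHECKS: Dict[str, Callable[[Evidence], bool]] = {
    "signature_valid": check_signature,
    "digest_matches_provenance": check_digest_matches_provenance,
    "sbom_present": check_sbom_present,
    "sbom_names_artifact": check_sbom_names_artifact,
    "trusted_builder": check_trusted_builder,
    "dependencies_pinned": check_dependencies_pinned,
}

# Incremental onboarding levels (assumed): a failed "required" check Blocks,
# a failed "advisory" check Escalates to a human reviewer, otherwise Accept.
LEVELS = {
    1: {"required": ["signature_valid"],
        "advisory": ["digest_matches_provenance", "sbom_present"]},
    2: {"required": ["signature_valid", "digest_matches_provenance",
                     "sbom_present", "sbom_names_artifact"],
        "advisory": ["trusted_builder", "dependencies_pinned"]},
    3: {"required": ["signature_valid", "digest_matches_provenance", "sbom_present",
                     "sbom_names_artifact", "trusted_builder", "dependencies_pinned"],
        "advisory": []},
}


def levels_are_incremental() -> bool:
    """Profile sanity check: each level's required set must contain the previous level's."""
    ordered = [set(LEVELS[n]["required"]) for n in sorted(LEVELS)]
    return all(lower <= higher for lower, higher in zip(ordered, ordered[1:]))


def decide(ev: Evidence, level: int) -> Tuple[str, List[str]]:
    """Return ('Accept' | 'Escalate' | 'Block', names of the checks that failed)."""
    profile = LEVELS[level]
    failed_required = [c for c in profile["required"] if not CHECKS[c](ev)]
    if failed_required:
        return "Block", failed_required
    failed_advisory = [c for c in profile["advisory"] if not CHECKS[c](ev)]
    if failed_advisory:
        return "Escalate", failed_advisory
    return "Accept", []


def make_evidence(*, tampered: bool = False, with_sbom: bool = True, signature_valid: bool = True,
                  builder: str = "https://ci.operator.example/slsa-builder") -> Evidence:
    """Constructed sample bundle for a hypothetical xApp; not a real app or attestation."""
    artifact = b"xapp-traffic-steering-1.4.2.tgz (constructed package bytes)"
    provenance = {
        "subject": [{"name": "traffic-steering", "digest": {"sha256": sha256_hex(artifact)}}],
        "builder": {"id": builder},
        "resolvedDependencies": [{"uri": "git+https://git.example/xapps/traffic-steering",
                                  "digest": {"sha256": "a" * 64}}],
    }
    sbom = {"metadata": {"component": {"name": "traffic-steering"}},
            "components": [{"name": "libe2ap", "version": "2.1.0"}]} if with_sbom else None
    if tampered:
        artifact += b"\x00"  # bytes changed after the provenance was produced
    return Evidence("traffic-steering", artifact, signature_valid, sbom, provenance)
```

Running `decide(make_evidence(tampered=True), level)` shows the point of incremental levels: the same artifact-provenance digest mismatch only escalates at level 1 but blocks at level 2, and an untrusted builder escalates at level 2 but blocks at level 3. Keeping the verdict and the failed check names together is what lets the reviewer of an Escalate see exactly which evidence was short, rather than re-running the pipeline.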