We take a look at the findings of a report published by the EU Agency for Cybersecurity which delve into the cybersecurity of Open RAN. We hear how to mitigate risks associated with this and how to leverage potential opportunities of Open RAN.
EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, recently published a report on the cybersecurity of Open RAN. This new type of 5G network architecture will, in the coming years, provide an alternative way of deploying the radio access part of 5G networks based on open interfaces. This marks another major step in the coordinated work at EU level on the cybersecurity of 5G networks, demonstrating a strong determination to continue to jointly respond to the security challenges of 5G networks and to keep abreast of developments in the 5G technology and architecture.
EU citizens and companies using advanced and innovative applications enabled by 5G and future generations of mobile communication networks should benefit from the highest security standard. Following up on the coordinated work already done at EU level to strengthen the security of 5G networks with the EU Toolbox on 5G Cybersecurity, Member States have analysed the security implications of Open RAN.
“Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure,” said Margrethe Vestager, Executive Vice President for A Europe Fit for the Digital Age. “Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realised.”
Thierry Breton, Commissioner for the Internal Market, added: “With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report. It is not up to public authorities to choose a technology, but it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe’s 5G networks of Open RAN lead to new vulnerabilities.”
Guillaume Poupard, Director General of France’s National Cyber Security Agency (ANSSI), said: “After the EU Toolbox on 5G Cybersecurity, this report is another milestone in the NIS Cooperation Group’s effort to coordinate and mitigate the security risks of our 5G networks. This in-depth security analysis of Open RAN contributes to ensuring that our common approach keeps pace with new trends and related security challenges. We will continue our work to jointly address those challenges.”
The report found that Open RAN could bring potential security opportunities, provided certain conditions are met. Through greater interoperability among RAN components from different suppliers, Open RAN could allow greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier. Open RAN could also help increase visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation and increase flexibility through the use of virtualisation and cloud-based solutions.
However, the Open RAN concept still lacks maturity and cybersecurity remains a significant challenge. Especially in the short term, by increasing the complexity of networks, Open RAN would exacerbate a number of security risks. Those risks include a larger attack surface and more entry points for malicious actors, an increased risk of misconfiguration of networks and potential impacts on other network functions due to resource sharing. The report also notes that technical specifications, such as those developed by the O-RAN Alliance, are not sufficiently mature and secure by design. Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud.
To mitigate these risks and leverage potential opportunities of Open RAN, the report recommends a number of actions based on the EU 5G Toolbox, in particular:
- Using regulatory powers to be able to scrutinise large-scale Open RAN deployment plans from mobile operators and if needed, restrict, prohibit and/or impose specific requirements or conditions for the supply, large-scale deployment and operation of the Open RAN network equipment.
- Reinforcing key technical controls such as authentication and authorisation and adapting the monitoring design to a modular environment where each component is monitored.
- Assessing the risk profile of Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators, and extending the controls and restrictions on MSPs (Managed Service Providers) to those providers.
- Addressing deficiencies in the development of technical specifications: the process should satisfy the World Trade Organisation (WTO)/Technical Barriers to Trade (TBT) founding principles for the development of international standards and security deficiencies should be addressed.
- Including Open RAN components into the future 5G cybersecurity certification scheme, currently under development, at the earliest possible stage.
As regards preserving and consolidating EU capacities in this market, a technology-neutral regulation to foster competition should be maintained. In this framework, EU and national funding for 5G and 6G research and innovation could be used to support opportunities for EU players to compete on a level playing field. Beyond the RAN, it is also important to address potential dependencies or lack of diversity across the whole communication value chain for the diversification of supply.
Overall, the report recommends a cautious approach to moving towards this new architecture. Any transition from and coexistence with existing, reliable technologies should be done by allowing sufficient time and resources to assess risks in advance, implement appropriate mitigations and clearly define responsibilities in case of failure or incident.