Last week the European Commission published the report Cybersecurity of Open Radio Access Networks which analyses the cybersecurity implications of Open Radio Access Networks (RAN). It includes background on the technology, an assessment of security risks, and guidance for implementation. The report is significant as it represents perhaps the only official government assessment of OpenRAN.
While the governments of US, United Kingdom, India and Japan promote OpenRAN, they have not yet published any official, authoritative security studies on the technology. The European Union report was developed by the Network and Information Systems (NIS) Cooperation Group which includes the security authorities of the 27 EU-member states and ENISA, the EU Agency for Cybersecurity.
The OpenRAN cybersecurity report is an appendix to and expansion of the EU tool box for 5G Security, the set of robust and comprehensive measures for a coordinated EU approach to 5G network security. The report is not a position paper which argues for or against a policy. Rather, it is practical, technical approach to ensure that OpenRAN aligns with the EU 5G 3GPP tool box.
In essence the new OpenRAN report performs a similar function to the “European New Car Assessment Programme” (Euro NCAP) the voluntary, non-profit car safety performance rating of 0-5 stars. Such methodologies help governments, firms, and consumers assess risk and perform mitigation. Together, the EU member state´s report on OpenRAN security and the tool box can create secure 5G network deployments.
EU Perspective on Security
The OpenRAN Security report grew from a 2019 effort to investigate security risk of 5G networks.
At the time, the NIS Cooperation Group identified and prioritized nine concrete risks of strategic importance from the EU perspective. These risks remain relevant to OpenRAN and can vary by deployment.
The EU OpenRAN report offers a security assessment with three sections: impact of OpenRAN on identified risks, new risks, and security opportunities. This outline makes it easy to understand the security challenges with OpenRAN and how to add or remove risk.
The report highlights the tradeoffs of OpenRAN. While there are benefits on one side, there are challenges and constraints on the other. For example OpenRAN can solve some structural diversity challenges, but creates new ones. Dependency shifts from one part of the value chain to another, for example from existing RAN providers to cloud suppliers. This set of interdependencies does not necessarily translate into desired “vendor diversity” and as such, the report calls for a broader approach beyond 5G value chain.
OpenRAN Security Risks
The EU report identifies seven “new security risks” and concludes that Open RAN amplifies three of the existing 9 risks, which among others includes deficiencies in the technical specifications process and dependency on cloud providers. The report explains that threat surfaces and vulnerabilities expand in Open RAN functions and interfaces because of an increased number of suppliers, components, and some data processing (e.g. real-time location data of users connected to the network). For example, fronthaul interfaces could be exploited to carry out denial-of-service attacks and interception or tampering attacks. This can compromise availability, confidentiality and/or integrity. By opening certain interfaces, Open RAN can give access to information flows to new third-party applications.
The report also observes deficiencies in the O-RAN technical specifications development process. It suggests that security has not featured at the forefront of the O-RAN Alliance’s technical specifications development process and that the still-maturing O-RAN specifications could lead to insecure products.
Moreover key decision rights within the O-RAN Alliance are not necessarily conferred to the Board, which is composed only of a subset of the members and only of MNOs. The stringent provisions of the O-RAN Alliance Adopter License Agreement might hamper the transfer of information and knowledge between adopters and non-adopters, making discussions outside the O-RAN Alliance more difficult.
The report warns of new or increased dependency on cloud service/infrastructure providers. For example, as virtualisation and cloud services grow, there is a risk of MNOs becoming dependent on a small number of cloud service/infrastructure providers, which could lead to supplier lock-in. In addition, networks relying on the same cloud provider could exacerbate vulnerabilities.
Strand Consult observes that these risks have been discussed before. The O-Ran Alliance is a young organization primarily focus on bringing products to market with security being secondary. 3GPP is an older, most established standards development organization focusing on security from the beginning of the technology development.
OpenRAN Security Opportunities
The EU report highlights security opportunities, though this will depend on many factors including the future development of OpenRAN and how it is implemented. New opportunities present new risks. Moreover, some counter-risks are associated with those potential opportunities. Therefore, the assessment related to security opportunities remains more speculative than the one related to security risks.
The report reflects that for some opportunities to be realized, the OpenRAN interfaces need to be mature, robust, and standardised. Their specifications must be developed with standards organizations requirements like accessibility to information and transparency. Moreover, standards must be accepted by the industrial and regulatory ecosystems. Deploying Open RAN presupposes that network operators and regulators will audit these networks and systems to ensure compliance, which is not certain. The potential use of open source in Open RAN may also require visibility to software sourcing and codes.
Strand Consult observes that there is no “net new” security equilibrium from OpenRAN. Whatever opportunities OpenRAN presents comes with risk. However needed, solutions to problems can create new challenges. The EU report has looked at these opportunities closely, including supplier diversity, interoperability, and system integration.
The report observes the potential of Open RAN, and in several aspects not uniquely dependent on O-RAN, to enable the emergence and use of more suppliers in the RAN coupled with a disaggregated RAN, interoperable interfaces, and an increased use of open source and commercial off-the-shelf (COTS) hardware that could help reduce the risks related to dependency on a single supplier. However, the market could also reconsolidate around a small number of suppliers, system integrators and cloud service/infrastructure providers, thus negating the proposed goal of “vendor diversity.” New entrants might prioritize time to market or adopt a free-rider attitude, reducing incentives to invest in security. Furthermore, dependencies deeper in the supply chain of critical components (e.g. chips) may still exist.
On interoperability, the report observes that more components with open interfaces increases interoperability in the RAN. Open RAN could also bring more flexibility and dynamic networks with the ability to swap subcomponents out as required without the need to replace the entire RAN. System integrators will have a central role to ensure smooth integration and interoperability.
On the other hand, the increased number of suppliers also presents challenges for interoperability testing, maintenance of releases as well as liability issues, causing potential delays, for example in network repair measures.
Guidance on Toolbox implementation for Open RAN deployments
The most important section for those working with security within telecommunications infrastructure and especially OpenRAN is the section “Guidance on Toolbox implementation for Open RAN deployments”. This section describes how the EU’s 5G tool box relates to 3GPP 5G.
The EU 5G Toolbox forms an important baseline for 5G security and can be applied to OpenRAN. Notably Open RAN could increase diversification of suppliers and interoperability in the RAN but it comes with other risks. The report notes that while all the EU Toolbox measures remain relevant, some may be even more important in Open RAN deployments, and in some cases may require adjustments in their actual implementation to mitigate the risks. The measures may be implemented through national and/or other regulatory authorities, depending on the situation. Some measures may be directly introduced or reinforced at national level (e.g. as part of the existing regulatory framework and powers of competent authorities), while others may require further action or joint action depending on the competence. Relevant actors will also assess whether they have the resources to enforce the measure or require further support.
Trade and security policy
To date, various government agencies of the US, UK, India, and Japan have issued glowing pronouncements on OpenRAN. After all, many firms from these countries are keen to enter the OpenRAN space. By contrast, the EU is considered more reserved, with some interpreting its lack of enthusiasm as de facto favor for European vendors. That explanation is too simple, particularly when sourcing for 5G networks is already global. The more likely explanation is that the EU has merely waited for the security assessment before touting a new technology. Indeed the security authorities of US, UK, India and Japan have not yet published any report, and if they do, the respective official view of OpenRAN could become more nuanced.
In any event, the EU position reflects analysis from security authorities and therefore takes a sober, forthright analysis which also recognizes opportunities to change existing power centers in the 5G value chain. New players could shift global and regional dependencies. The report notes,
“Open RAN could bring some opportunities for EU-based suppliers, including small and medium-sized enterprises (SMEs) and start-ups, to specialise in some areas and play a role in the Open RAN market. Already established EU suppliers could be well placed to take on the role of system integrators. However, non-EU players are also strongly positioned to play a role in this market as either suppliers, notably on the software level, or system integrators. This could lead to new or increased dependencies in the mid-to long-term. Therefore, the presence of EU players could benefit from being strengthened through investment and support for research and development (R&D), while respecting competition rules.”
The purpose of the EU 5G tool box is risk assessment, not enterprise promotion. The understanding of risk changes through time. For example, in the rush to realize Europe’s green agenda, consumption of EU-based fossil fuels was reduced while incubating green technologies.
Many policymakers believed that Russian gas was an acceptable substitute for the transition
However, policymakers’ calculations were wrong. Not only does the green transition require more time and resources than expected, but that the consumption of Russian gas has needlessly empowered a dangerous dictator. Reliance on Russian gas has weakened EU energy security and has harmed citizens with price increases on related goods. Now that Russia has invaded Ukraine and threatens global stability, firms and citizens conclude that the cost of doing business with Russia is not worth the benefit. Over 1000 US and EU firms have ceased operations in Russia, if not pulled out all together.
Similarly, policymakers argued that reliance on China for manufacturing of information technology products would be a net positive. However policymakers did not account for security and that Chinese actors could exploit their equipment for surveillance and intelligence. Moreover, the money that China earns from being the world’s workshop is funneled in large part to modernization of its military such that it can challenge the US, UK, Japan, NATO and so on. As such, when Western networks operators purchase Chinese equipment they must now account for the risk of intrusion, surveillance, and theft of valuable information on networks. Such a risk now exceeds any benefit of working with many Chinese supplies, hence the restrictions adopted on Huawei, ZTE, Hikvision, and other Chinese suppliers. See Strand Consult’s research note Understanding the Market for 4G RAN in Europe: Share of Chinese and Non-Chinese Vendors in 102 Mobile Networks.
It is understandable that policymakers want a solution to the Chinese security problem and Huawei’s dominance. Like any headache which one wants to go away immediately, policymakers have welcomed shortcut, magic wand solutions. OpenRAN thus emerged with proponents asserting that their novel technology could innovate out of the problem. The US proposed $1 billion in subsidies for OpenRAN. India, Japan, and the UK have joined the bandwagon as well. Indeed the UK included OpenRAN as part of its stronger telecoms supply chain principles.
One scholar suggests a critical view in the article The geopolitical hijacking of open networking: the case of Open RAN, that the effort is mere policy entrepreneurship, co-opting the ambiguous notion of openness to exclude foreign trade rivals.
In any event, however welcome such a concept, OpenRAN alone will not correct dependence on China or fix the Chinese security problem. Indeed OpenRAN equipment is made in China and is built on O-RAN Alliance specifications, which incorporate leading Chinese industrial actors. Moving to secure networks will require much more than OpenRAN, and even OpenRAN itself presents important risks.
Notably Chinese companies are involved in 3GPP but not in the privileged positions such as the O-Ran Alliance board. The O-Ran Alliance was formed in 2018 by uniting the US xRAN Foundation and China’s C-RAN. Indeed many of the members appear on the U.S. Entity List, a designation that a certain actor presents such a threat to US national security that it cannot access controlled US technologies. However the key different between O-Ran Alliance and 3GPP is that the O-RAN Alliance allows veto power to certain members like China Mobile. Moreover 3GPP has full transparency per WTO requirement, which the O-Ran Alliance does not. The transparency ensures that every element of 3GPP standards are public and disclosed.
To put it very simply, there are many countries and governments that want to promote OpenRAN from an industrial policy point of view. These countries have made a security assessment of OpenRAN, though they consider Chinese vendors like Huawei and ZTE as a security threat. The only serious assessment made of the security challenges associated with OpenRAN comes from the EU.
Delivering secure networks will likely require a range of technological solutions and approaches, not the proffered silver bullet of OpenRAN. Wisely the EU report favors technological neutrality and respect to the World Trade Organization’s competition rules.
Other research relevant OpenRAN security
Some important research precedes the EU study. While not necessarily endorsed by the German government, the Federal Office for Information Security (BSI) commissioned the Barkhausen Institute to perform a study of the security of O-RAN Alliance specifications. It provides a risk analysis based on different actors (the attacker, a 5G network end user, the 5G network operator, and the nation state), offering best and worst-case scenarios. It concludes that OpenRAN specifications are not defined sufficiently to “security by design” principles:
As part of a Presidential executive order for supply chain security, the US Departments of Commerce and Security co-published the paper “Assessment of the Critical Supply Chains Supporting the U.S: Information and Communication Technology Industry.” The report does not discuss OpenRAN explicitly but observes security risk in “open” technologies noting
“The nature of the current ICT software ecosystem creates several security risks. The ubiquitous use of open-source software can threaten the security of the software supply chain given its vulnerability to exploitation. Furthermore, the complexity of the ICT supply chain has led many Original Equipment Manufacturers (OEMs) to outsource firmware development to third party suppliers, which introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”
Another paper, Open RAN Security in 5G, was published by the US advocaat organization OpenRAN Policy Coalition. In four pages, the paper restates the value of 3GPP security standards for 5G which are already built into RAN technologies. It suggests OpenRAN could potentially add value with new ways to organize security information, but this is unlikely to be unique to OpenRAN.
The O-Ran Alliance Security Task Group published a blog, The O-RAN Alliance Tackles Security Challenges on All O-RAN Interfaces and Components. It observes that there are security risks in OpenRAN technology which its members are studying.
Notably there is little to no academic, peer-reviewed literature on OpenRAN and security, so the EU report is welcome to further understanding of the topic.
The EU’s “Report on Cybersecurity of Open RAN” is an easy read of 31 pages and offers a valuable addition to the 5G tool box. Other countries should take note as they evaluate their position on the technology. The key takeaways are
- OpenRAN is not a technical standard: it is a technological approach of open interfaces, cloudification, and automation.
- Open RAN offers another avenue to diversification. While 3GPP already allows for geographic diversification of suppliers, Open RAN allows for diversification within a given geography.
- As a network architecture paradigm, Open RAN is not a specific standard or single approach. There are several Open RAN concepts, ideas and initiatives, and several technical specifications, developed and advocated by several different groups, each taking a slightly different approach and using different specifications.
- Many features or applications for OpenRAN already exist in 3GPP 5G technology.
- The softwarisation, cloudification, and virtualisation (and therefore the disaggregation) of the network functions in the RAN, as well as the application of machine learning and AI are cross-cutting trends in 5G networks, not specific to the Open RAN paradigm. The introduction of open interfaces, which is specific to Open RAN, is one of the factors allowing vendor diversification.
- OpenRAN is a technology architecture born in the O-RAN Alliance, a new organization. It does not have the same focus on security as technical standards organizations like 3GPP or ENISA.
- Open RAN has important security vulnerabilities which do not necessarily outweigh benefits of vendor diversity.
- Security is not the priority of the O-RAN Alliance’s technical specifications development process.
- A technologically-neutral approach is better for public policy. It is up to market actors to select 3GPP RAN or OpenRAN.
- Open RAN could bring some opportunities for EU-based suppliers but non-EU players, including Chinese ones are also strongly positioned to lead in OpenRAN.
Like the car safety assessments of Euro NCAP, the EU’s report provides an objective, non-biased assessment of Open RAN security. Open RAN can earn more stars in the future, but being a nascent technology, it likely earns just one star today.
For more than 25 years, Strand Consult has debunked the many myths of mobile industry hype. Its report Debunking 25 Myths of OpenRAN, Strand Consult provides valuable information to mobile operators, investors, and other mobile industry stakeholders on OpenRAN.