Operators Say EC Cybersecurity Criticisms of ORAN Will Be Addressed

The EC addressed security threats of non-ORAN 5G networks in 2020 by creating a toolbox of mitigation measures, the report noted. The toolbox recommended mobile operators avoid or limit their dependency on a single vendor. ORAN, with its increased interoperability among components from different suppliers, could enable more diversification of suppliers within networks in a geographic area, the EC said. It also offers other potential improvements, such as network visibility via the use of open standards and interfaces that could make auditing and security testing easier.

But the ORAN concept is "still under development and its security at an early phase of maturity," so the extent of cybersecurity opportunities isn't clear, the EC said. It's uncertain whether ORAN multivendor interoperability based on open standards and interfaces will be reached soon, whether there will be a market with a choice of different RAN components from different suppliers, or whether mobile network operators will choose a mix-and-match approach to suppliers.

"Cybersecurity is a significant challenge for the Open RAN concept in general," the EC said. The possibility of having multiple suppliers exacerbates many of the security risks of 5G networks and expands the attack surface in the RAN part of the network. Among these risks, there would be more entry points for malicious actors and a higher risk of inconsideration of networks: "Overall, a cautious approach to moving towards this new architecture is recommended."

Asked whether EC security worries could hamper operators in their drive toward ORAN, GSM Association Chief Technology Officer Alex Sinclair emailed, "Security is critical to mobile telecommunications networks and, to address these concerns, the mobile industry is committed to building security resilience as explained in the GSMA's annual Mobile telecommunications Security Landscape report." The industry has a long, proven track record of developing new secure network technologies and believes efforts to develop ORAN specifications "are carefully considered and the roadmaps for implementing Open RAN solutions will be robust and security-centric." Operators and vendors know security is crucial to making the technology a success, he added.

The industry will overcome cybersecurity challenges, resulting in an enhanced RAN supply chain, Sinclair said. The GSMA network equipment security assurance scheme provides a framework for facilitating security audits of key network elements. The association also has an interest group, "5G era," that's focused on open networking, including ORAN developments, plus a 5G security task force on industry-wide security priorities, he said.

The report "is the first and only official security assessment of OpenRAN made by authorities," emailed Strand Consult's John Strand. "Neither the US regulator FCC nor the US authorities [in] NTIA ... have done the same work." The ORAN challenges described in the document aren't EU-specific and must be dealt with by whoever wants to use the technology, he said.

Many of the so-called "new security risks" have been discussed previously, Strand said. Part of the concern arises from O-RAN Alliance being a young organization whose priority has been getting products ready, and which doesn't have the same focus on safety as does the work of the 3rd Generation Partnership Project, he said. "I have no doubt that there are some, especially in the Open RAN community, who are not happy with the report," he said. "It's 'the moment of truth'" for ORAN. Regulators and operators worldwide can use the findings in their work: "This is important reading for American operators and authorities like FCC and NTIA."