European Union publishes report on Open RAN security

European Union member states, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, have published a report on the cybersecurity of Open RAN.

The report found that Open RAN could bring potential security opportunities, provided certain conditions are met. It states that Open RAN could allow greater diversification of suppliers within networks in the same geographic area, which could contribute to achieving the EU “5G Toolbox” recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier.

However, according to EU member states, the Open RAN concept still lacks maturity and cybersecurity remains a significant challenge. The report notes that the risks of the Open RAN concept include a larger attack surface and more entry points for malicious actors, an increased risk of misconfiguration of networks and potential impacts on other network functions due to resource sharing. The report also highlights that technical specifications, such as those developed by the O-RAN Alliance, are not sufficiently mature and secure by design.

Margrethe Vestager, executive VP for Europe Fit for the Digital Age, said: “Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure. Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realized.”

Thierry Breton, commissioner for the internal market, added: “With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report.”

To mitigate these risks and leverage potential opportunities of Open RAN, the report recommends a number of actions, in particular:

- Using regulatory powers to be able to scrutinize large-scale Open RAN deployment plans from mobile operators and if needed, restrict, prohibit and/or impose specific requirements or conditions for the supply, large-scale deployment and operation of the Open RAN network equipment;

- Reinforcing key technical controls such as authentication and authorization, and adapting the monitoring design to a modular environment where each component is monitored;

- Assessing the risk profile of Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators, and extending the controls and restrictions on MSPs (Managed Service Providers) to those providers;

- Addressing deficiencies in the development of technical specifications: the process should satisfy the World Trade Organisation (WTO)/Technical Barriers to Trade (TBT) founding principles for the development of international standards and security deficiencies should be addressed;

- Including Open RAN components into the future 5G cybersecurity certification scheme, currently under development, at the earliest possible stage.

The report recommends a cautious approach to moving towards this new architecture, noting that any transition from and coexistence with existing, reliable technologies should be done by allowing sufficient time and resources to assess risks in advance, implement appropriate mitigations and clearly define responsibilities in case of failure or incident.

In January 2020, the European Commission announced a joint “toolbox” of mitigating measures agreed upon by EU member states to address security risks related to the rollout of 5G technology.

Through the toolbox, the member states are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures.