Open RAN security is a collaborative endeavor

Heavy Reading survey says open RAN security will rely on an active community of suppliers, developers, testers and security experts working constantly to identify threats and maintain protection.

Gabriel Brown, Principal Analyst, Heavy Reading

March 7, 2022


For open RAN to succeed at scale, it is vital that the industry works collaboratively to address security challenges, finds the latest Heavy Reading Open RAN Operator Survey.

Operators, regulators and customers have never been more focused on mobile network security. In countries where part of the rationale for open RAN is to replace suppliers considered to be high risk vendors, security has an even higher profile. And in all markets, the critical nature of the services expected to run over 5G raises the stakes further.

News coverage on Light Reading shows how security is a live issue with far-reaching implications for the deployment and operation of open RAN. Consider the following examples:

The Heavy Reading survey asked operator respondents for their views on open RAN security. Of the 82 respondents working at 39 different operators, nearly half (49%) believe open RAN will be "harder to secure than an integrated RAN solution." Just 23% say open RAN "will be more secure due to greater visibility and the ability to harden each layer," and 22% say "open RAN security will be equivalent to integrated RAN." The primary analysis, therefore, is that open RAN security is viewed as challenging.

At the same time, a combined 45% think open RAN security will be "as secure" (22%) or "more secure" (23%) than equivalent integrated RAN solutions. These findings indicate that many in the industry believe a way forward can be found. This is positive and encouraging for open RAN. The finding should be read with a note of caution, however. The "future" period is not defined in the question – is it one year or five? – and there is a likelihood that respondents are overly optimistic in their assessment, as is typical of professionals working actively on new network technologies.

Figure 1: Which statement do you most agree with regarding the security of open RAN solutions in the future? n=82 (Source: Heavy Reading)

There are valid arguments that both open and closed systems have security advantages and disadvantages. An architecture using new, open interfaces presents a larger attack surface and is therefore a security challenge. The potential to use different vendors on each side of an interface means that each vendor combination must be tested and verified prior to deployment and must be monitored during operation over a period of years.

In a single-vendor RAN solution, there is a single responsibility and fewer partners, in theory reducing the risk. The charge against single-vendor deployments, however, is that because there is less visibility into these systems, there are fewer opportunities to identify and fix vulnerabilities.

The argument that greater visibility will help secure open RAN is persuasive in principle but needs some investigation. The "more eyes" strategy has been shown to be effective in some open source software projects – the speed and frequency at which Linux developers release security patches is the canonical example. But there are also cases where this approach has not worked as well and has resulted in widespread problems – for example, the recent log4j zero-day vulnerability that went undetected for several years.

The importance of security to 5G networks – and to the services on those networks – calls for a high level of due diligence in software and hardware development, supply chain management and maintenance and monitoring over time. Clearly, establishing and maintaining best practices for supply chain security will be a challenging and ongoing task in open RAN systems.

In the open RAN case, security will rely on an active community of suppliers, developers, testers and security experts working constantly to identify threats and maintain protection. The challenge the industry really needs to grapple with is first, does that community exist now? And then, even more important, will it be there over the long term?

Industry groups such as the O-RAN Alliance's Security Focus Group (SFG) and the GSM Association's Network Equipment Security Assurance Scheme (NESAS) can play an important role in galvanizing the ecosystem and ensuring an ongoing focus on this critical issue. For open RAN to succeed, it is vital that the industry works collaboratively to address security.

To download a copy of the 2021 Heavy Reading Open RAN Operator Survey, click here.

— Gabriel Brown, Principal Analyst, Heavy Reading

This blog is sponsored by Ericsson.


About the Author(s)

Gabriel Brown

Principal Analyst, Heavy Reading

Gabriel leads mobile network research for Heavy Reading. His coverage includes system architecture, RAN, core, and service-layer platforms. Key research topics include 5G, open RAN, mobile core, and the application of cloud technologies to wireless networking.

Gabriel has more than 20 years’ experience as a mobile network analyst. Prior to joining Heavy Reading, he was chief analyst for Light Reading’s Insider research service; before that, he was editor of IP Wireline and Wireless Week at London's Euromoney Institutional Investor.
