Open RAN is mostly secure, finds government report

Open RAN 'does not fundamentally alter the security risk landscape for telecommunications, compared to more traditional RAN,' according to a report backed by the US, Japan, Australia and India.

Mike Dano, Editorial Director, 5G & Mobile Strategies

May 22, 2023


According to a new report sponsored by the governments of the US, Japan, Australia and India, open RAN technology isn't any worse – or better – than traditional RAN, when it comes to security.

"The use of Open Radio Access Networks (open RAN) does not fundamentally alter the security risk landscape for telecommunications, compared to more traditional RAN. Most security threats analyzed in the report affect both traditional network deployments and open RAN deployments, with only four percent found to be unique to open RAN," according to a summary of the new report. "Mitigation measures make it feasible to ensure equivalent levels of security between traditional and open RAN deployments."

The findings are noteworthy in light of ongoing debates within the global wireless industry over the technological capabilities of open RAN. The report adds further support to political efforts to position open RAN technology as a Western brace against the rise of Chinese 5G equipment vendors like Huawei and ZTE.

The 165-page report was commissioned and financed by the Ministry of Internal Affairs and Communications of Japan and was prepared in cooperation with partners including an unnamed mobile network operator. The report was developed in the "Quad Critical and Emerging Technology Working Group," which was created in 2021 as part of the initial "Quad summit" among the leaders of Australia, India, Japan and the US.

In the US the report was released by the NTIA, the agency responsible for advising the White House on telecommunications and information policy issues.

"The report demonstrates that open RAN offers important cybersecurity advantages, that risks sometimes attributed to open RAN are common to traditional RAN deployments as well, and that these risks can be mitigated and managed through the recommendations presented in the report," explained the NTIA in its notice about the report.

The details

In the report summary, the authors noted that open RAN is about the same as traditional, classical RAN when it comes to security. "Open RAN is expected to increase the network 'attack surface' by a small degree compared to traditional RAN," they wrote.

Figure 1: (Source: NicoElNino/Alamy Stock Photo)

The authors offered a more precise take in the full report: "A total of 4% of the analyzed security threats are considered unique to open RAN."

In explaining how they arrived at their conclusions, the authors said they evaluated specifications from the 3GPP and the O-RAN Alliance. They also provided the parameters of the model they used to assess the risk of security threats.

"The O-RAN Threat Modeling and Remediation Analysis is the basis for the threat modeling and risk analysis described in this document," they wrote. "It focuses on an analysis of the O-RAN security threat modeling and its remediation measures based on the ISO 27005 standard which provides guidance for risk management."

The authors continued: "It has also identified relevant security stakeholders, critical assets that include the O-RAN components and interfaces to be protected within the O-RAN system, and threats against the O-RAN components considering threat agents who may manifest a threat and potential vulnerabilities that may be exploited."

The latest security developments

The report comes as the industry continues to struggle with the implementation – and ramifications – of open RAN, which promises to upend the development of wireless networks by freeing operators to mix and match equipment through interoperable interfaces. Such technology could create major competition for established vendors like Ericsson and Nokia, which built their businesses around closed interfaces in traditional, classical RAN products.

Thus, it was no surprise when Ericsson issued a warning over open RAN security in 2020. Since then Ericsson officials have proclaimed the company's support for open RAN, but some industry participants continue to express reservations about incumbent vendors' support for a technology that's potentially disruptive to their positions.

Amid that debate, some open RAN proponents are putting security at the center of their sales pitch. Dish Network in the US, for example, discussed its approach to network security well in advance of its rollout of an open RAN 5G network.

But the topic of security is far more relevant on the international, geopolitical stage. The US, Japan, Australia, India and other countries are taking an increasingly active stance against the rise of China. And Huawei and ZTE – two leading 5G equipment suppliers – are at the forefront of China's growing presence in the global telecommunications industry.

The US and its allies have argued increasingly that Huawei and ZTE pose a security risk to mobile network operators, asserting that the companies' equipment would pave an entryway for Chinese spies. The Western governments are hoping that open RAN will foster a market for domestic suppliers as an alternative to Chinese vendors.


Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano
