Rakuten Mobile: Don't be 'roadkill' – secure open RAN now

NEW YORK CITY – OPEN RAN NORTH AMERICA – Open RAN security is a bit of a chicken and egg situation. Service providers could wait for complete security specifications from the O-RAN Alliance and risk falling behind competitors' deployments of open RAN.

Or, they could work alongside standards bodies while baking in their own security in their open RAN networks. Rakuten Mobile CISO John Carse sides with the latter option.

While invested in the development of security standards for open RAN, Rakuten Mobile isn't wasting any time in deploying the technology. "We can't just stop everything because we don't have a piece of paper that says everything that you should probably possibly do," Carse told Light Reading.

Figure 1: (L to R) Mike Dano, Light Reading; Scott Poretsky, Ericsson North America; John Carse, Rakuten Mobile.
(Image source: Kelsey Ziser, Light Reading)

The O-RAN Alliance created working group 11 to address security in open RAN. (Carse told Light Reading that his colleague at Rakuten is co-chair on the working group.) Ericsson North America's Scott Poretsky, who spoke on a panel with Carse, is a voting member of WG11. Poretsky stressed the need for security standards in open RAN to ensure that features such as RAN core data sharing are secured.

"There's a fallacy that open equals secure and no security professional would ever say that," said Poretsky.

That being said, open RAN does benefit from security built into 5G. "We had no security in 1G, almost no security in 2G, did a [slight] increase in 3G, a little bit of an increase to 4G security now and 5G is way up here," said Poretsky.

In addition, "Open RAN uses the 3GPP 5G air interface so it is inheriting all of the security features from 3GPP," he said.

Successfully securing open RAN networks requires an emphasis on preventative measures against potential threats versus a more reactive strategy, Rakuten's Carse explained. If service providers are more reactive than preventative in their approach to open RAN security, they'll be "roadkill."

"If you have a strategy of securing your technology by only focusing on patching or hardening, I think you're going to be at a wash, maybe roadkill, as the attacks change more over time," said Carse. "So having a really good detective capability is probably worthwhile to include in your arsenal of ways in this framework to identify, prevent, detect, respond and recover."

However the cycle times for "reporting, patching, and keeping the [security] software up to date" can impact network availability and performance, explained Carse. Service providers can face a bit of a trade off when balancing preventative security measures while ensuring network performance and availability for customers. Ultimately, it's about identifying security threats as quickly as possible and preventing further network penetration, he explained.

Building in a zero-trust architecture to open RAN should be another main priority, added Ericsson's Poretsky. He also recommended the industry read the NSA and CISA's recent report on securing 5G core cloud infrastructure.

"As CISA is advising, we need to protect against external threats, which is our traditional way of securing, and also protect against internal threats now that are introduced by this migration to the cloud," said Poretsky, director of security for Ericsson North America.

Poretsky explained that opening up 5G interfaces means service providers have more vendor choices in open RAN, but network functions and interfaces initially lacked security specifications.

However, Rakuten's Carse said the industry can't wait on open RAN deployments while security standards are being ironed out.

"Just because we haven't come to consensus on the right way to do X or Y or Z doesn't mean that it's a free for all and that everything is the wild wild west, and that you can't trust the security inherent in a system," Carse told Light Reading.

Even when specifications are available, there are different business objectives that organizations have to consider when deploying their security systems in open RAN networks, added Carse. Plus, since Rakuten's open RAN network relies on commodity hardware, it's much easier to update security in the software as needed, he said.

"Whatever specification comes back, it's software, I'll change it, right? We can adjust," he said.

Related posts:

— Kelsey Kusterer Ziser, Senior Editor, Light Reading