EU raises 5G Open RAN security and competition concerns

Business news |
By Nick Flaherty

A report from the EU on the cybersecurity of Open RAN  highlights the security risks of combining devices from different suppliers and pushes for more regulation of the supply chain.

Open RAN 5G network architectures are providing an alternative way of deploying the radio access part of 5G networks based on open interfaces, and networks are already rolling out.

However the report from ENISA, the EU Agency for Cybersecurity, recommends a stronger role for governments in regulating Open RAN suppliers, and addressing deficiencies in the development of technical specifications. It says the standards process from groups such as the O-RAN Alliance need to satisfy the World Trade Organisation (WTO)/Technical Barriers to Trade (TBT) founding principles for the development of international standards as well as addressing security deficiencies.

The report found that Open RAN can provide greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier.

Open RAN could also help increase visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation, and increase flexibility through the use of virtualisation and cloud-based solutions.

However, it also points out that the Open RAN concept still lacks maturity and cybersecurity remains a significant challenge. The risks include a larger attack surface and more entry points for attacks, an increased risk of misconfiguration of networks and potential impacts on other network functions due to resource sharing. The report also notes that technical specifications, such as those developed by the O-RAN Alliance, are not sufficiently mature and secure by design. Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud.

To mitigate these risks and leverage potential opportunities of Open RAN, the report recommends a number of actions.

These include using regulatory powers to be able to scrutinise large-scale Open RAN deployment plans from mobile operators and if needed, restrict, prohibit and/or impose specific requirements or conditions for the supply, large-scale deployment and operation of the Open RAN network equipment. It also recommends reinforcing key technical controls such as authentication and authorisation, and adapting the monitoring design to a modular environment where each component is monitored.

The risk profile of Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators also needs to be assessed.

“Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure,” said Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age. “Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realised.”

“With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report,” said Thierry Breton, Commissioner for the Internal Market. “It is not up to public authorities to choose a technology. But it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe’s 5G networks of Open RAN lead to new vulnerabilities,” he said.

Guillaume Poupard, Director General of France’s National Cyber Security Agency (ANSSI), said: “After the EU Toolbox on 5G Cybersecurity, this report is another milestone in the NIS Cooperation Group’s effort to coordinate and mitigate the security risks of our 5G networks. This in-depth security analysis of Open RAN contributes to ensuring that our common approach keeps pace with new trends and related security challenges. We will continue our work to jointly address those challenges.”

Overall, the report recommends a cautious approach to moving towards the new architecture.

Cybersecurity of Open RAN; EU Toolbox on 5G Cybersecurity

Related Open RAN articles

Other articles on eeNews Europe



Linked Articles
eeNews Europe