However, the report from ENISA, the EU Agency for Cybersecurity, recommends a stronger role for governments in regulating Open RAN suppliers and in addressing deficiencies in the development of technical specifications. It says the standards process of groups such as the O-RAN Alliance needs to satisfy the World Trade Organisation (WTO)/Technical Barriers to Trade (TBT) founding principles for the development of international standards, as well as address security deficiencies.
The report found that Open RAN can provide greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier.
Open RAN could also help increase visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation, and increase flexibility through the use of virtualisation and cloud-based solutions.
However, it also points out that the Open RAN concept still lacks maturity, and cybersecurity remains a significant challenge. The risks include a larger attack surface and more entry points for attacks, an increased risk of misconfiguration of networks, and potential impacts on other network functions due to resource sharing. The report also notes that technical specifications, such as those developed by the O-RAN Alliance, are not sufficiently mature and secure by design. Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud.
To mitigate these risks and leverage potential opportunities of Open RAN, the report recommends a number of actions.
These include using regulatory powers to scrutinise large-scale Open RAN deployment plans from mobile operators and, if needed, to restrict, prohibit and/or impose specific requirements or conditions for the supply, large-scale deployment and operation of Open RAN network equipment. It also recommends reinforcing key technical controls such as authentication and authorisation, and adapting the monitoring design to a modular environment where each component is monitored.
The risk profile of Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators also needs to be assessed.
“Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure,” said Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age. “Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realised.”
“With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report,” said Thierry Breton, Commissioner for the Internal Market. “It is not up to public authorities to choose a technology. But it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe’s 5G networks of Open RAN lead to new vulnerabilities,” he said.
Guillaume Poupard, Director General of France’s National Cyber Security Agency (ANSSI), said: “After the EU Toolbox on 5G Cybersecurity, this report is another milestone in the NIS Cooperation Group’s effort to coordinate and mitigate the security risks of our 5G networks. This in-depth security analysis of Open RAN contributes to ensuring that our common approach keeps pace with new trends and related security challenges. We will continue our work to jointly address those challenges.”
Overall, the report recommends a cautious approach to moving towards the new architecture.