Cybersecurity of 5G networks: EU publishes report on the security of Open RAN

On May 11, 2022, the EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, presented a report on the cybersecurity of Open RAN. Building secure 5G networks is a high priority for the European Union. To contribute to this goal, the EU Member States, with the support of the European Commission and ENISA, have developed a concerted approach to the cybersecurity of 5G networks, which is described in the EU 5G Toolbox adopted in January 2020.

Open RAN is a new 5G network architecture that, in the coming years, is intended to offer an alternative way of providing the radio access part of 5G networks based on open interfaces. It will thus be a further building block in the coordinated work at EU level on the cybersecurity of 5G networks. Through greater interoperability between RAN components from different vendors, Open RAN can enable greater diversification of vendors within networks in the same geographic area. In this way, Open RAN technology could make a significant contribution to fulfilling the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit greater dependence on a single vendor. Open RAN could also increase the visibility of the network thanks to the use of open interfaces and standards, reduce human error through increased automation and increase flexibility through the use of virtualization and cloud-based solutions.

However, the recently published report found that today’s Open RAN systems could still have potential security vulnerabilities under certain conditions. In the short term in particular, Open RAN would exacerbate a number of security risks due to the increasing complexity of networks. These risks include a larger attack surface and more entry points for malicious actors, an increased risk of network misconfiguration and potential impact on other network functions due to resource sharing. The report also found that technical specifications such as those developed by the O-RAN Alliance are not sufficiently mature. Open RAN could therefore lead to new or increased critical dependencies, for example in the area of components and cloud.

To mitigate these risks and exploit potential opportunities of Open RAN, the report recommends a number of actions based on the EU 5G Toolbox, in particular:

  • strengthening key technical controls such as authentication and authorization and adapting the monitoring design to a modular environment in which each component is monitored;
  • the individual assessment of the risk profile of Open RAN providers, external service providers in connection with Open RAN, cloud service/infrastructure providers and system integrators;
  • the rapid rectification of deficiencies in the development of technical specifications; and
  • the early inclusion of Open RAN components in the future 5G certification system for cybersecurity.

Overall, the report therefore recommends a cautious approach and the transfer of existing mobile radio infrastructures to the Open RAN architecture in order to minimize potential security risks in the expansion of 5G networks.