Round Up Of New Reports On OpenRAN Security

No improvement over the status quo, just a new set of risks

The Cybersecurity and Infrastructure Security Agency (CISA) National Security Agency (NSA) and published Open Radio Access Network Security Considerations last month to evaluate the proposed benefits and security considerations associated with implementing an Open RAN architecture. It observes, "By nature, an open ecosystem that involves a disaggregated multi-vendor environment requires specific focus on changes to the threat surface area at the interfaces between technologies... The deployment of Open RAN introduces new security considerations for mobile network operators." The bottom line is that security is about tradeoffs. Mobile operators still need to assess risk, albeit in new domains.

The official report of the European Union noted similarly. Written in concert with the security authorities of the 27 member states and the EU's Cyber Security agency ENISA, the report The Cybersecurity of Open Radio Access Networks detailed a dozen security risks with the technology. It observes there are no "net new" security benefits of OpenRAN, no special security standards or capabilities. However there are significant new risks with the introduction of multiple vendors, components, and interfaces each with different grades of security, quality, product development and so on. While some benefits could be achieved by OpenRAN in reducing dependency on some suppliers, it comes with tradeoffs and exposure to a new set of risks and dependencies.

Mathilde Velliet, a Research Fellow at French Institute of International Relations and whose doctorate explores the US tech policy in response to China threat under the Obama and Biden administrations wrote “Open” Telecom Networks (Open RAN): Towards a Reconfiguration of International Competition in 5G? It describes the difficulties that OpenRAN presents for Europe in terms of technological maturity, security, performance, transparency of the specification process, increasing dependence on foreign suppliers, and implications for EU sovereignty and resilience. The OpenRAN proposition is further complicated by cloud solutions delivered by oligopolistic market players Google, Amazon, Microsoft, and in emerging countries, Huawei.

Hacking just got more interesting

May Contain Hackers (MCH) is an annual gathering of the global hacking community to share knowledge, technological advancements, experiments and values. At the recent event cryptographer and security expert Karsten Nohl, Chief Scientist from Security Research Lab in Berlin, described how OpenRAN opens new hacking avenues, the paradigm shift of security from big vendor systems to specialized vendors in cloud environments, and the security vulnerabilities of real world networks.

Emerging Markets: First 5G, Then OpenRAN

An important new book 5G, Cybersecurity and Privacy in Developing Countries by River Publishers (Editors Knud Erik Skouby and Idongesit Williams, Aalborg University, Denmark; Prashant Dhotre from MITADT University, India, and Kamal Hiran, Sir Padampat Singhania, University, India) explores 5G and its expectation to achieve social development goals in countries and regions where universal accessibility to information communication technologies lags. Cybersecurity emerges as a critical challenge in these environments, not least because of the risk and vulnerabilities that come with greater usage and accessibility, but the acute lack of human capital for the IT domain. This book and a new report by Strand Consult examine claims that the technologies can cut capital expenditure by as much as half, leapfrog mobile standards, connect the unconnected, and ensure secure equipment.

The OpenRAN value proposition is the promise of lower cost and greater flexibility with by mixing and matching different equipment suppliers in a mobile network, a proposed alternative to turnkey, end-to-end network systems. However OpenRAN solutions don’t self-assemble. Costs savings in hardware must be coupled with an expenditure on an army of engineers and system integrators to configure solutions. This is a special challenge for emerging markets as people with IT skills migrate to industrialized countries where they can earn more.

The reality may be that OpenRAN has value in specific situations and applications for certain market segments - once the network has been built with regular RAN equipment from a variety of vendors. This means that OpenRAN is not a substitute for the basic building blocks of equipment from regular RAN providers. Operators must still purchase antennas, basebands, remote radios, small cells, macro cells, phase shifters, and so on.

Moreover, OpenRAN solutions do not come into play until the mobile operator has upgraded to 4G or 5G. This will likely take some years in emerging markets in which many subscribers still use 2G and 3G and who do not have the purchasing power to upgrade to a 5G device, to say nothing of the lack of a reliable, affordable supply of energy, a prerequisite for many elements of next generation networks.

Additional challenges described with the OpenRAN in emerging markets include immature technological development; insufficient standardization, limited product portfolio, vendor mix complexity, nascent system integration, superfluous sophistication, limited install base, and limited service development.

Lire l'article sur le site de Forbes.