EU Publishes Report on the Security of Open RAN
The EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published a report on the cybersecurity of Open RAN. The report recommends a cautious approach to moving toward this new architecture.
The European Commission said that this marks another major step in the coordinated work at the EU level on the cybersecurity of 5G networks, demonstrating a strong determination to continue to jointly respond to the security challenges of 5G networks and to keep abreast of developments in the 5G technology and architecture. Following up on the coordinated work already done at the EU level to strengthen the security of 5G networks with the EU Toolbox on 5G Cybersecurity, Member States have analyzed the security implications of Open RAN.
“Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe while ensuring they are secure. Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges so that the promises of Open RAN can be realized,” said Margrethe Vestager, EC Executive Vice-President for a Europe Fit for the Digital Age.
The report found that Open RAN could bring potential security opportunities, provided certain conditions are met. Through greater interoperability among RAN components from different suppliers, Open RAN could allow greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier. Open RAN could also help increase the visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation, and increase flexibility through the use of virtualization and cloud-based solutions.
However, the Open RAN concept still lacks maturity and cybersecurity remains a significant challenge. Especially in the short term, by increasing the complexity of networks, Open RAN would exacerbate a number of security risks. Those risks include a larger attack surface and more entry points for malicious actors, an increased risk of misconfiguration of networks, and potential impacts on other network functions due to resource sharing. The report also notes that technical specifications, such as those developed by the O-RAN Alliance, are not sufficiently mature and secure by design. Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud. To mitigate these risks and leverage potential opportunities of Open RAN, the report recommends a number of actions based on the EU 5G Toolbox.