Can we afford to keep ignoring Open RAN security?
I’m skeptical of ‘futurists’. Work closely enough with the development of technology solutions and you’ll know that the only certain thing about the future is that it’s constantly changing. For example, few ‘futurists’ predicted the Covid-19 outbreak that brought the world to a standstill in 2020. Many, however, had spent hours waxing on about how 5G technology was to change the trajectory of human evolution, telling tales of what would be possible with ultra-high speed, ultra-low latency connectivity. Me included.
Of course, 5G will enable many of these promised use cases, and many others we haven’t even dreamed of yet, but have the prophets been proven true? Has 5G changed the world?
The answer, of course, is not yet. We simply haven’t yet achieved the levels of scale required for 5G to realize its potential, but some aspects of the transition to 5G are going well. Despite a global pandemic, deployment has continued to move at a decent pace with 5G now available in almost 2,000 cities across more than 70 countries. This healthy and continued expansion is made possible by a solid, and constantly evolving, 5G standard.
However, other aspects have moved slower. The cybersecurity provisions of 5G standards have lagged behind in their maturity and fit for purpose, with gaps still remaining to be filled. This is not entirely surprising. Both private and public players face a significant challenge in securing 5G networks, especially with the increased complexity represented by new developments like Open RAN.
As a measure of this challenge, the European Telecommunications Standards Institute (ETSI) only released its first Open RAN standard in September of this year. Even more tellingly, it included no cybersecurity requirements. Open RAN functions are governed by the existing cybersecurity specifications in the 5G standard, but none more.
This is a major concern. Open RAN is likely to become a major part of 5G development in the future and ensuring its security needs to become a priority.
The Radio Access Network (RAN) is a critical component of any broader mobile network setup. It includes base station equipment, cell towers and radios, which work in unison to convert wireless signals into the various data formats that end users ultimately engage with. The RAN is what connects your devices to other parts of the network, and ensures the wireless signals travelling invisibly through the aether arrive on your device in the form of text, voice or video.
A conventional RAN configuration, as is used in 3G and 4G networks, for example, is built on proprietary hardware and software resources developed by a single vendor. These components are not interoperable — that is, they cannot function in agreement with equipment built by alternative suppliers. This ‘ vendor-locked ‘ arrangement means mobile network operators (MNOs) are limited to the supply schedules and component offerings of their contracted vendor.
Commercially, this arrangement has long favoured the supplier, with operators seeking cost efficiencies and technological agility complaining of their limited options. Security has also been positioned as a major drawback of traditional proprietary infrastructure. This reasoning gained significant traction during the Trump era and drives the Federal Communications Commission’s (FCC’s) ‘rip and replace’ program to do away with network gear from firms like Huawei and ZTE. The security argument against vendor lock-in points to the risks of being tied to suppliers, such as Chinese firms, whose products are suspected of security flaws.
The commercial argument is driving industry change. The O-RAN Alliance, whose specifications underpin ETSI’s standard released in September, is the most influential of a number of bodies campaigning for an “open” network architecture that disaggregates RAN functions, relies on interoperability of network components, and paves the way for MNOs to lower equipment costs and improve network performance through increased competition among network suppliers.
Ostensibly, this diversity of supplier base should encourage greater network security too. A more open RAN architecture should increase transparency across the network, granting operators more freedom and responsiveness in addressing vulnerabilities or incursions in real time. And, where a particular vendor’s products are shown to be compromised, the operator can quickly and easily swap them out for alternatives.
Theoretically, then, market economics should also favour suppliers who are able to deliver superior security. As declared by the DoD, “…this market-based approach represents a sustainable model for accelerating critical 5G innovation while spurring the growth of domestic supply chains based on trusted and secure vendors.”
But in most cases cybersecurity’s relevance to the bottom line is not immediately obvious and commercial motivations stand to win out against security considerations. This friction is not easily apparent when, as in the case of increasing interoperability and supplier diversity, both causes appear to be served by the same course of action.
But, the final test of this union is in the actual selection of those supplier products and services and, beneath that, the reliability and security competence of different vendors. When it comes down to it, can we confidently assume that network operators — which include many smaller local outfits lacking the capital and operational budgets of larger national players — will always choose the most secure option over the cheaper one with more favourable terms?
A key theme here is virtualization. One of the defining characteristics of the move to 5G is the virtualization of network functions previously assigned to hardware. This is not a basic technological development, it is an evolutionary leap. By unmooring network functions from physical hardware we liberate the full potential of integrated technologies like cloudification, edge computing, and AI/ML automation. But this move relies on a shift to a software-driven ecosystem which is inherently more hackable than a hardware-based system that includes software services.
I have previously discussed the significance of virtualization in relation to Open RAN in detail, including the evolution from traditional RAN architecture through centralized (C-RAN) to virtualized (vRAN) and Open RAN (oRAN). The move to a disaggregated and virtualized system offers many operational advantages, which are necessary if we are ever to see the promised benefits of 5G at scale.
But it also increase the attack surface of the network and invites greater complexity in supplier management. The more suppliers there are, the more difficult, time-consuming and expensive it becomes to vet them and their products, while many supply chains cross borders and originate in countries beyond the network operator’s own territory.
Also, the more disaggregated a network is, the more component interfaces there are to act as entry points for malicious attacks. And, when most of these products are either software or software-driven, the challenge increases exponentially, because we need to consider the DNA of the software itself. In a development environment in which so much software is based on open-source code, finding vulnerabilities and attack opportunities becomes considerably more difficult.
While Open RAN only accounts for a portion of the network, it represents a major share of capital investment. This alone should be enough to focus MNO efforts on ensuring Open RAN is a secure system. The increased agility and flexibility promised by oRAN won’t be realised if safety and reliability cannot be achieved. But the challenge is significant. Cybersecurity experts across the world are working at ensuring features like cloudification, virtualization and software supremacy do not open 5G networks to attack, but these are novel technologies and security methods are still evolving. Not only do Open RAN configurations need to contend with these same challenges, which apply to 5G networks more generally, they also have the added pressure of keeping open interfaces, which are unique to Open RAN, safe for the network and, ultimately, the end user.
Most large-scale 5G deployments globally are still likely to implement ‘traditional’ RAN architecture, with very few operators moving assertively towards oRAN in the short term. In the United States, for example, only DISH is deploying Open RAN across its entire network, and even that roll out has been repeatedly constrained by teething problems. So, it appears we still have some time to work out the best way to approach Open RAN security, but this is a new and quickly evolving concept. Development is happening at speed, and at the moment security considerations are not receiving the same amount of attention as commercial promises. The risk that security is left behind is increasing, and the potential fall out could be severe.
By reducing supplier vendor dependency, Open RAN should also reduce cybersecurity risks compared to conventional RAN setups. However, as pointed out by the Network and Information Systems (NIS) Cooperation Group, there are a number of risks that are amplified in Open RAN.
The first issue is one of maturity. Open RAN network design and its concomitant security standards are simply not mature enough yet and rushing into deployment could invite disaster. With the increasing complexity of multiple suppliers and innumerable software sources and combinations, the potential for inadequate security provisions increases.
Furthermore, opening standards for interfaces in the RAN invites a broad diversity of new vendors, thereby increasing competition, which is one of the key commercial incentives for MNOs. But having more vendors increases supply chain risks, while the quality and security rigour of the components created by these new suppliers is currently unknown. If Open RAN cybersecurity is not more explicitly spelled out in 5G standards, there’s nothing to ensure that new network components will be safe.
In addition to amplified risks, there are numerous potential risks that would be unique to oRAN, the first being a significantly expanded threat surface. One area of focus is the Open Fronthaul, a crucial aspect of oRAN architecture, which, as defined by the O-RAN Alliance, sees the disaggregation of the distributed unit (located in the base station) and the radio unit. Communication between these components will need to happen in real time via interoperable connections, but these real-time interfaces add an extra dimension of potential vulnerability. As suggested by the Cybersecurity and Infrastructure Security Agency (CISA), the Open Fronthaul is specifically vulnerable to DDoS attacks, and the first line of defence is network access control. So, cryptographic security mechanisms for these real-time interfaces become crucial to the integrity of the Open Fronthaul networks, but at the same time these networks “push the boundaries of high-speed performance and the ability of cryptographic security mechanisms to keep up, all while keeping unit deployment and operational costs down.” As a result, “These cryptographic security mechanisms require further industry study and consideration.”
It is in light of concerns around Open Fronthaul that the recent ETSI announcement of its first 5G standard is especially disappointing. That standard is specifically formulated for Open Fronthaul and would have been an ideal opportunity to set the bar for security of fronthaul networks, yet there were no such specifications. The concern, of course, is that this instead sets the tone for a mode of release in which commercial expediency (getting standards to market to allow for development of hardware and software components) outpaces security considerations.
Another development specific to Open RAN is in the form of network automation applications known as rApps and xApps, which further expand access by allowing different vendors to contribute to the RAN app ecosystem. The EU Open RAN security report correctly points out that these new functions will “require additional security controls and measures to be put in place between each and every function to avoid new security threats being introduced.”
These applications will initially be used to manage AI/ML operations in the network, though these AI/ML functions will themselves be new potential attack vectors. AI/ML algorithms are also susceptible to “data poisoning attacks” in which corrupted or misleading data is fed into the system, causing the algorithm to make false assumptions and move into chaotic or unpredictable behaviour. However, securing such algorithms against data poisioning is still a fairly new area of study.
With its disaggregated structure that allows for multi-vendor engagement in a more competitive landscape, Open RAN is an extremely promising area of development in 5G technology. However, by raising the number of suppliers providing an increased number of products and services in a larger number of categories, the complexity of an oRAN network will far exceed that of its predecessors.
Will MNOs be equipped to implement these new infrastructures in a way that keeps networks and their users safe? With the support of standards bodies committed to delivering robust and secure guidelines, there’s no reason this shouldn’t be possible. Until now, industry associations and authorities have been clear and confident about the need to employ best practices in making sure Open RAN networks are secure.
But we have seen little in practice.
Tremendous amounts of energy and resource are being invested in building out 5G standards for global network deployment. The time to include cybersecurity provisions in those standards is now.
Originally published at https://5g.security on November 18, 2022.