OpenRAN and Security: A Literature Review
Given the interest of mobile operators, investors, and other stakeholders in learning more about OpenRAN, Strand Consult is pleased to release a new report “OpenRAN and Security: A Literature Review”. While OpenRAN has received significant press and policy attention, there is relatively little scientific, empirical, and academic analysis of the topic. Strand Consult reviews the literature that does exist, which includes academic papers by German and Taiwanese engineers, an official technical security review by European authorities, and some white papers and blogs by OpenRAN trade associations.
We at Strand Consult have nothing against OpenRAN. However, we want to create transparency at the O-RAN Alliance, and some of its members have pushed back. Indeed, Strand Consult’s transparency concerns are shared by policymakers in the EU and US, notably the House of Representatives Foreign Affairs Committee.
Here are 10 points from the report “OpenRAN and Security: A Literature Review”:
- The Third Generation Partnership Project (3GPP) has developed the 5G standard with major innovations in security, including but not limited to (1) Distributed Denial of Service (DDoS) detection and mitigation, (2) stronger encryption, (3) improved security protocols for roaming, (4) “zero trust” enhancements for core network architectures, (5) application programming interfaces (APIs) which require verification from everything to which they connect, (6) cloud security, and (7) network slicing. An important question is whether and to what degree OpenRAN includes these elements and/or other elements.
- There are no “net new” security benefits with OpenRAN. It has no unique security standards or capabilities which are not already present with existing 5G RAN technologies.
- Open-source software, whether in OpenRAN or classic RAN, does not necessarily make a network more secure.
- OpenRAN presents significant new risks because of the introduction of multiple vendors, components, and interfaces, each with different grades of security, quality, and product development. While OpenRAN potentially offers some benefits such as reducing dependency on some suppliers, it comes with costs, tradeoffs, and exposure to a new set of risks and dependencies. For example, reliance on equipment providers would be exchanged for reliance on cloud service providers.
- A frame of reference is important with any new product or service where security risks are significant. In this way, OpenRAN security could be examined with a framework like that used for automobiles, for example the European New Car Assessment Programme (Euro NCAP). This voluntary, non-profit car safety performance programme provides a rating of 0-5 stars for cars. There is no star rating for OpenRAN, but it is likely to be low given the limited deployments of OpenRAN technologies and its nascent product development.
- The most significant document on OpenRAN security to date was recently published by the European Union in concert with the security authorities of the 27 member states and the EU’s Cyber Security agency ENISA. A straightforward read of 31 pages, it is the only official, authoritative report on the topic and notes about a dozen security risks of OpenRAN. These risks relate to introducing new vendors, interfaces, and components, loss of control for network operators, and lack of maturity of technical specifications and hence products.
- Security reports on OpenRAN have not appeared yet from the US, UK, India or Japan, though officials from these countries have touted OpenRAN. Reportedly the US government has Open RAN security assessments underway.
- The report “OpenRAN and Security: A Literature Review” includes an extended discussion on technical security associated with technology produced by Chinese firms. This section covers malicious hardware, software and components, data theft and exfiltration, and unethical and illegal business practices. This is important because many Chinese firms are involved in the O-RAN Alliance, especially founder China Mobile which has a seat on every sub-committee. More than a dozen O-RAN Alliance members appear on the Entity List of the US Department of Commerce because of national security concerns.
- It is not clear how OpenRAN security will overcome supply chain risk. The supply security elements of 5G are important but are not necessarily secured through standardization. Network operators must rip and replace equipment from Huawei and ZTE because of security risk. Chinese equipment is a unique threat to 5G networks and can only be managed by excluding it from the network. OpenRAN proponents have not yet addressed this key security conundrum: the assertion that OpenRAN can reduce reliance on Chinese vendors while it is in part designed and produced by Chinese vendors.
- The report also documents that US trade associations and government officials have touted OpenRAN and its security benefits without providing empirical evidence or technical demonstrations.
Strand Consult’s goal is to create objectivity and transparency about the actors promoting OpenRAN so that mobile operators, investors, and other stakeholders can make informed decisions. See Strand Consult’s OpenRAN library with dozens of reports and research notes.
With its new report “OpenRAN and Security: A Literature Review”, Strand Consult provides valuable information to mobile operators, investors, and other mobile industry stakeholders. Contact Strand Consult today to order your copy of the report “OpenRAN and Security: A Literature Review.”