EU: Open RAN Brings Cybersecurity Opportunities for 5G networks

Brussels - EU

Open RAN can bring potential cybersecurity opportunities for 5G networks, according to a new report published by the EU Agency for Cybersecurity, provided certain conditions are met. This new type of 5G network architecture will give an alternate option to implement the radio access element of 5G networks using open interfaces in the years to come.

Open RAN might provide better variety of vendors within networks in the same geographic region by allowing greater interchange among RAN components from various suppliers, according to the report. This might help the EU 5G Toolbox advice that each operator should have a multi-vendor plan in place to minimize or restrict any large reliance on a single provider.

The adoption of open interfaces and standards in Open RAN might help boost network visibility, minimize human mistakes through increased automation, and increase flexibility through virtualization and cloud-based solutions.

This EU report, Cybersecurity of Open Radio Access Networks, could be a significant step forward in the EU’s coordinated effort on 5G network cybersecurity, indicating a strong commitment to continue to cooperatively address the security problems of 5G networks and keep up with changes in 5G technology and design.

Thierry Breton, EU Commissioner for the Internal Market
“There are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated,” said Thierry Breton, EU Commissioner for the Internal Market.

“With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks,” said Thierry Breton, EU Commissioner for the Internal Market. “That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report. It is not up to public authorities to choose a technology. But it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe’s 5G networks of Open RAN lead to new vulnerabilities.”

Mitigating Cybersecurity Risks

The Open RAN concept is still in in its infancy though. Open RAN would exacerbate a number of cybersecurity issues, particularly in the short term, by increasing network complexity. These concerns include a wider attack surface and more entry points for hostile actors, a higher chance of network misconfiguration, and the possible impact of resource sharing on other network activities. Technical requirements, such as those produced by the O-RAN Alliance, are also not sufficiently mature and secure by design, according to the report. Open RAN may result in new or increased critical dependencies, such as in the components and cloud areas.

To mitigate these cybersecurity risks and leverage potential opportunities of Open RAN, the EU report recommends a number of actions based on the EU 5G Toolbox, in particular:

  • Using regulatory authority to scrutinize mobile operators’ large-scale Open RAN deployment plans and, if necessary, limit, ban, or set certain criteria or conditions for the supply, large-scale deployment, and operation of Open RAN network equipment.
  • Reinforcing key technical controls such as authentication and authorization, and adapting the monitoring design to a modular environment where each component is monitored.
  • Assessing the risk profile of Open RAN providers, external Open RAN service providers, cloud service/infrastructure providers, and system integrators, and extending MSP (Managed Service Provider) rules and limits to those providers.
  • Addressing flaws in the production of technical specifications: the process should adhere to the fundamental principles of the World Trade Organization (WTO)/Technical Barriers to Trade (TBT) for the development of international standards, and security issues should be addressed.
  • Including Open RAN components as soon as feasible in the upcoming 5G cybersecurity certification methodology, which is presently in development.

EU: ‘Take it Slowly’

In addition, a technology-neutral framework to stimulate competition should be maintained in order to preserve and consolidate EU capacity in this sector. EU and state financing for 5G and 6G research and innovation might be utilized in this context to provide chances for EU players to participate on an equal footing. For supplier diversification, it would also be necessary to address possible dependencies or a lack of variety across the whole communication value chain.

Overall, the EU report advises taking it slowly while implementing this new design. Any transition from and coexistence with existing, dependable technologies should be done with enough time and resources to identify risks ahead of time, implement suitable mitigations, and clearly define responsibilities in the event of failure or incident.