Last week, one of the biggest events in the telecom industry took place once again: the Mobile World Congress organized by GSMA. Following a two-year hiatus due to its forced cancellation in 2020, technology vendors and mobile network operators (MNOs) where keen to show off what they had been working on. By the looks of it, two technological developments prevailed: shifting increasingly many resources to the public cloud and migrating radio access networks (RAN) to Open RAN deployments.
Articles previously featured on Cybersecurity Magazine investigate the security implications of cloud deployments and how to manage them. This story, however, looks at how the principles of Open RAN affect security of the network and the transported data.
“Open” as in “Openly accessible”
The term Open RAN is generally used to refer to radio access technology and components that are compliant to openly accessible specifications, such as those developed by the O-RAN Alliance or the Telecom Infra Project (TIP). While these two bodies have quite different focus areas, they are both working towards disaggregated and interoperable RAN solutions, be it through the creation of open specifications, open-source software, or promoting cross-vendor testing and verification.
While open access alone does not guarantee a technology is inherently secure, it certainly facilitates a broader review process amongst stakeholders and allows for scrutiny form external security research.
Another step required for ensuring interoperability between disaggregated RAN components is relying on as little specialized hardware as possible. Instead, large parts of an Open RAN are fully software-defined, running on standard operating systems (OS) and Commercial-Off-The-Shelf (COTS) computing hardware.
Reducing dependencies to specialized technology not only goes a long way to reduce cost, but it can also have benefits for security. Vulnerability assessment processes can be streamlined, security configurations of common applications and services can be captured in playbooks, and some components may even be hardened once and then re-used repeatedly, such as OS images. These are just some examples of many ways to eliminate exceptions by centrally managing repetitive security tasks.
Marrying Hardware and Software
Traditional RAN deployments are vertically integrated, meaning that one entity, i.e. the RAN supplier, ensures RAN hardware, software, and management systems work together as they should. This is crucial for security, as any weakness in the communication between the individual entities opens the door to attackers.
With Open RAN, roles and responsibilities are shifting. Instead of one entity supplying a ready-made solution, it is multiple parties looking after their isolated piece of the cake. The responsibility for the end-to-end security design now lies with the MNO, including such fundamental aspects such as trusted boot, identity and access management, and credential provisioning.
Depending on the business strategy and internal capabilities, MNOs may choose to outsource some of these responsibilities to system integrators. While that is certainly a viable option, it also adds another layer of indirection even though Open RAN promises to provide MNOs with greater control over their network deployments. Identifying what to control and establishing clear responsibilities between the different entities accordingly will therefore be one of the most important steps for MNOs in the transition to Open RAN.
Operating Software-defined Deployments
Operations and Maintenance (OAM) is one of the phases in the system lifecycle in which Open RAN is likely to yield the greatest security benefits. Greater visibility due to virtualized deployments, state of the art log correlation and analysis capabilities, the ability to utilize common security assessment and management tools – there is huge improvement potential simply due to the fact that RAN networks are becoming more like common IT ecosystems.
Additionally, the ability to quickly create and tear down virtual network elements allows network operators to rethink the rollout of new software updates and configuration changes. Whereas it is not uncommon for upgrade cycles to be several months long in traditional deployments, they may be dramatically shortened in a purely software-defined ecosystem. Many testing steps are ripe for automation and even the verification of KPIs in production may be performed on a small subset of users before deciding whether to rollout an update on scale or revert to a previous known good state. Again, the degree to which these benefits will materialize for MNOs will depend on the division of roles and responsibilities between software developer, system integrator, as well as operator, and how much control the latter actually holds.
In this article, we looked at Open RAN from a high-level security perspective. As with any novel technology, there are not only benefits or drawbacks. This new way of developing and deploying access networks clearly brings opportunities to improve overall security over vertically integrated solutions, particularly during operation and maintenance. At the same time, ensuring adequate protection throughout the design and integration phases is a responsibility that no longer lies solely with the RAN supplier, but with MNOs themselves. The increased control over the innerworkings of the system inevitable comes with a greater responsibility as well.