O-RAN was designed to create a wider vendor landscape for the radio access network (RAN), basically the antennas, software and the server close to it. In the past, large vendors were selling fully integrated solutions. Now with O-RAN those integrated solutions were split into smaller software and hardware pieces, with APIs between them. Most of them are software (except the Radio Unit) and can be potentially put into the cloud.
This enables three things:
those different pieces can be provided by different vendors i.e., new and smaller vendors may enter the market
the RAN can be customized better to the use case wrt to latency, bandwidth etc.
it is possible to put a large part of the RAN software into the cloud and scale it according to the actual load of the network
While this sounds all very enticing from a technical and business perspective, the question comes up, how secure is O-RAN. Especially for critical infrastructure providers (e.g., according to the European NIS2 directive) security is a key requirement for private and public networks.
For this one must go back a bit. In the last years, there were many acquisitions and mergers between telecommunication vendors e.g., Alcatel, Lucent, Siemens, Marconi, Nortel. This left the market with very few vendors. In addition, the political climate changed, and Chinese vendors were not accepted, reducing the potential supplier pool further. In 2018 O-RAN was kicked-off, but at the same time 5G commercial rollouts and deployments started. This put the O-RAN development under high pressure to deliver fast. Security came in 2020 in the form of a Security Focus Group (SFG), which then later became the Working Group 11 (WG11). In 2021/2022 security really took off as several governments and entities published reports on the security gaps in O-RAN e.g., German BSI, US CISA & NSA, EU ENISA, US FCC CSRIC.
So where are we now in terms of security?
In general, it can be said, that the following is understood and “done”:
Security Requirements
Threat Modeling
Security Protocols
Test Specifications
What is not done, but at least to some degree studied, recognized and scoped:
O-Cloud Security
Security of Log Management
Security for Service Management and Orchestration (SMO)
Security for Application Lifecycle Management
Security for Shared O-RAN Radio Unit (O-RU)
Security for Near Real Time RAN Intelligent Controller (Near RT RIC) and xApps
Security for Non Real Time RAN Intelligent Controller (Non RT RIC)
Those above don’t have detailed solutions and the current work is often still in “high level requirement” level i.e., nothing an implementer can program in an interoperable way (and as O-RAN is supposed to be a vendor mix & match interoperability is essential).
What is not yet on the horizon, but definitely needs attention:
Application layer filtering for messages e.g., from xApps/rApps or between core and RAN
Usage of secure hardware for cloud and O-RAN security e.g., secure updates
Software Bill of Material (SBOM) guidelines for O-RAN
Secure Ecosystem Management for trusted xApps/rApps
OAuth Authorization Details
O-RAN is on the right track and large steps have been made also in terms of security, but security is a long road, and many further steps still need to be taken. Those steps are essential, else there are many risks e.g., location tracking, DoS or traffic redirection and interception. We can help you evaluate your individual security and compliance needs and match it with the existing risks and available countermeasures.
