Appledore’s Francis Haysom says traditional RAN vendors are “poisoning the waters” when it comes to evaluating open RAN security objectively.
Francis Haysom, partner and principal analyst at tech consultancy Appledore Research, thinks a lot of unfounded FUD (fear, uncertainty, doubt) surrounds open RAN, generated mainly by the big traditional vendors trying to protect their vested interests.
It’s hardly a unique view, particularly among proponents of the nascent technology, but he’s also adamant that this vendor-generated FUD is “poisoning the waters” when it comes to evaluating open RAN security objectively. Speaking to Light Reading, Haysom argues that open RAN poses no more of a security risk than closed RAN, and that specific questions about “open RAN security” are missing the point.
“What is it about open RAN that is fundamentally different to any other network software system?” asks Haysom. “The answer is nothing apart from the word ‘open.’ Just like closed RAN, open RAN is made up of software, hardware and interfaces. They both have the same security solutions and they are all only as good as the software development and testing of those systems.”
What about the larger attack surface?
“Yes, the new O-RAN Alliance fronthaul interface between the RU [radio unit] and DU [distributed unit] slightly increases the attack surface of the RAN but not in a major way,” asserts Haysom. “It’s no more a vulnerability than the open interface between the CU and the DU, or between the core and the RAN, which are all potentially multi-vendor and both defined by 3GPP.”
3GPP standards, of course, underpin traditional RAN interfaces and security measures, while the O-RAN Alliance develops open RAN specs. The two organizations are working together closely to define security solutions and a “zero-trust” model in an open RAN environment. Both Nokia and Ericsson say they are fully committed members of the O-RAN Alliance.
Haysom similarly insists that open fronthaul vulnerabilities are no greater than those found in proprietary CPRI (common public radio interface) and enhanced CPRI (eCPRI) interfaces for traditional RAN fronthaul. “Of far more importance,” adds Haysom, “is that the functionality of the RU, DU and CU – which sit either side of the interface – are increasingly about software, which is possible to compromise.”
Open RAN security upsides
The Appledore analyst flags approvingly the security perspectives of David Soldani, SVP of innovation and advanced research at Japan’s Rakuten Mobile, a greenfield (and flagship) open RAN operator. Soldani says that “openness” can be more help than hindrance on security. His blog post “Who’s keeping Open RAN secure?” illustrates some of his views.
“Soldani’s argument is that open RAN can take advantage of standard best IT security practice and allow ethical ‘white hat’ hackers to see into systems, something which is not possible with traditional RAN, and can solve problems ‘zero day,’” says Haysom.
“Although the SMO [service management orchestration] and the RIC [radio intelligent controller] introduce more interfaces in an open RAN environment, it also importantly enables you to buy from the best and for software developers to differentiate, including in securing the functions.”
He adds, “If I want to attack a major vendor’s eCPRI interface, I can probably remain more secret [compared with an open RAN attack] as only that vendor would be able to see this. When networks are open a wider community can look at how to fix a vulnerability, rather than operators being restricted to an Ericsson, Huawei or a Nokia. It’s a very different mindset.”
Neither, says Haysom, should traditional vendors be put on a software pedestal over startups, whose applications can be more easily onboarded in an open and software-based RAN environment than on closed RANs. “Everything that has software on it and has interfaces and is built on hardware will always carry some form of security risk,” he emphasizes. “Software is never perfect.”
Proprietary cloud RAN solutions, he continues, are “equally as secure or not secure as open RAN,” with the same important caveat: it’s much harder to monitor and address attacks on closed systems than it is on open networks.
A TIP perspective
Abdel Bagegni, open RAN technical program manager at Telecom Infra Project (TIP), agrees there’s a danger of wrongly concluding that the nascent tech necessarily poses more of a security risk than closed RAN.
“Open interfaces typically have the potential to increase the security risk of a system since the solution will involve multiple vendors and software providers, but this doesn’t mean that the closed RAN is more secure,” he told Light Reading. “With the right security measures in place, an OpenRAN [TIP nomenclature] system can have the same or even exceed the security level of a closed RAN.”
To illustrate his point, Bagegni makes an analogy between Windows (read closed RAN) and open-source Linux (open RAN). “While Windows OS thrives on a raft of security features, many organizations still use Linux for mission-critical applications as they believe they are in control and are aware of all of the security measures they’re implementing,” he says.
Security, naturally enough, is a key work item of the Open RAN MOU Group, formed by TIP participants Deutsche Telekom, Orange, Telefónica, Telecom Italia and Vodafone.
“The MOU’s focus on RAN security is on the open fronthaul (O-FH) since it is the most exposed interface,” says Bagegni. “The Release 4.0 technical requirements [issued June 2024] reflect the necessity of that, with 57 [O-FH] security features updated and the introduction of an additional 18 security requirements.”
The Open RAN MOU, notes Bagegni, is encouraging the O-RAN Alliance to use the GSMA NESAS (network equipment security assurance scheme), which covers equipment that supports functions defined by 3GPP.
RAN security questions still to answer
If there is an understandable caution about open RAN security among brownfield operators, observes Haysom, it comes back to that “very different mindset” of dealing – potentially – with multiple vendors and not having that “one throat to choke” if anything goes awry. It’s a step into the unknown.
“Operators will have to take on greater responsibility when it comes to continuous testing of software, but current lab testing and verification of the modern telco is typically designed for ‘boxes’ that are infrequently changed in the network,” he says.
Bagegni adds that the O-RAN Alliance still falls well short in addressing a wide range of security test cases when compared with 3GPP.
“Traditional RAN vendors would apply the security requirements from 3GPP and other bodies and utilize the test cases from these bodies to prove compliance,” he says. “Open RAN needs many more test cases to be able to demonstrate the same level of security compliance. Hence, the Open RAN MOU is encouraging O-RAN Alliance WG11 [the alliance’s security work group] to take the lead and work on closing this gap.”
Bagegni says the testing gap mostly resides in the open fronthaul interface, but large gaps can also be found in other O-RAN Alliance interfaces. These include the O1 interface (which connects the SMO to RAN managed elements), the A1 interface (which enables communication between real-time and non-real-time RICs) and the recently added Y1 interface, which enables RAN analytics information exposure from the near real-time RIC.
“The RAN security space is not settled within industry despite a lot of efforts being made,” concludes Bagegni.