German Study Warns 5G Open RAN Is Not Secure by Design

A risk analysis conducted on behalf of Germany’s Federal Cyber Security Authority (Bundesamt für Sicherheit in der Informationstechnik, BSI) has concluded the Open Radio Access Network standards of the O-RAN Alliance could represent a major security risk because they have failed to incorporate ‘security by design’. The aim of the study was to conduct a risk analysis into how well the Open RAN standards would satisfy German requirements for confidentiality, integrity, accountability, availability and privacy. These requirements were derived from three distinct perspectives: the needs of a typical 5G user, the needs of a 5G network operator, and the needs of the nation-state.

The executive summary of the BSI study states (my translation from the German):

As a result of the risk analysis, it was found that a large number of the interfaces and components specified in O-RAN entail medium to high security risks. This is hardly surprising, since the current development process of the O-RAN specifications is not based on the paradigm of “security/privacy by design/default” and the principles of multilateral security (minimum trustworthiness assumptions with regard to all parties involved) were not taken into account.

The authors make a series of security recommendations and criticize the failure to incorporate adequate security into previous generations of networks:

It is important that security improvements are now included in the specification in order to avoid a security debacle like the one that occurred with the development of the 3GPP standards.

The seriousness of the current failings should not be underestimated.

…the O-RAN specifications should be revised with a significantly stronger security focus before they are first applied in practice.

The authors argue that history shows it is cheaper and safer to design for security at an early stage because of the problems created when trying to graft security on to a fundamentally insecure framework.

…the initial indications are that the O-RAN Alliance will increase the scrutiny given to the topic of security in future. It remains to be seen how far this will actually go. Past experience shows that adding security measures at a late stage leads either to very high costs or to unsafe solutions or — not uncommonly — to both. The development of the 3GPP standards is a good example of this… Attempting to correct these errors in subsequent versions of the [3GPP] standards has been costly and often led — most especially because of the need to deliver compatibility — to solutions that remained insecure.

The goal of the O-RAN Alliance is to make RAN components interoperable so they can be sourced from a greater range of suppliers. They want to facilitate the use of a combination of software and generic components that will allow networks to pivot away from relying on dedicated processor chips that lie at the heart of 5G systems currently made by Ericsson, Huawei and Nokia. Increased technology specialization has also led to increased concentration of power amongst the leading network manufacturers whilst smaller rivals have been unable to compete.

Countries like the USA desperately want Open RAN to become a viable option for their 5G networks. The US government is unwilling to accept networks built by China’s Huawei, but this leaves them with even fewer prospective suppliers, and little hope of nurturing new manufacturers within their own borders unless Open RAN reduces barriers to entry. Open RAN is also supported by Germany’s top three mobile operators, Deutsche Telekom, Vodafone and Telefónica.

A wide variety of Open RAN security improvements are sought by the authors of the BSI study, including the following.

  • Implement zero trust/multilateral security
  • Prescribe optional backup on the transport layer
  • Use the TLS communications encryption protocol instead of SSH2
  • Restrict the potential impact of denial of service attacks on interfaces
  • Implement a firewall-friendly design
  • Require safe programming languages like Rust be used for xApps and rApps automation
  • Mandate user authentication for the O-Cloud platform of nodes using the O-RAN architecture

There are many other weighty recommendations, which highlight the extent to which the study's authors believe security is badly underspecified in the current Open RAN standards.

Cold War 2 is generating a lot of heat for governments that struggle to explain why consumers can only have the best and fastest 5G networks at the risk of relying on foreign network manufacturers. Access and control of radio networks is fundamental to network security, whether the focus is on safeguarding an individual’s privacy or protecting the security of the nation. This leads to tension with the segment of society that cares more about carrying the most advanced toys in their pockets than the compromises needed to ensure security. However, the national strategic objectives that are driving Cold War 2 would be fatally undermined if new network suppliers only become viable at the cost of downgrading security.

The BSI Open RAN risk analysis was produced by Secunet and written by experts from the Barkhausen Institute and the Advancing Individual Networks group. You will find the full text (in German) by looking here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.