CISA, NSA publish report on O-RAN security considerations

0
46


The two agencies noted that the deployment of O-RAN introduces new security considerations for mobile network operators

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), through the Enduring Security Framework (ESF), have published a paper about the security considerations in regards to the implementation of Open RAN (O-RAN) architecture.

The ESF’s Open RAN Working Panel focused on security considerations for multiple technical aspects of O-RAN: Multi-vendor management, open fronthaul that connects radios to base stations, a new RAN application framework comprising rApps and xApps, the use of artificial intelligence/machine learning (AI/ML) for RAN optimization, and other general network considerations including open-source software, virtualization and a cloud-based 5G core network. 

“Security considerations always emerge in new open systems aiming for improved cost, performance, and supply chain benefits,” said Jorge Laurel, ESF project director. “Open RAN shares these security considerations too, and, with continuing efforts by the Open RAN ecosystem, they can be overcome.”

“Open RAN is an exciting concept, one that opens up several doors to innovation, improved network performance, and a more diverse and competitive cyber ecosystem,” said CISA Acting Assistant Director Mona Harrington. “However, with those benefits come the potential for additional security concerns. As a community, we must work together to not only identify these concerns but also develop the practices and architecture to mitigate them,” she added.

CISA and NSA also noted that some of the security considerations identified in the paper are not unique to Open RAN and exist in current closed RAN deployments, while others are exclusive to Open RAN architecture. 

“The deployment of Open RAN introduces new security considerations for mobile network operators. By nature, an open ecosystem that involves a disaggregated multi-vendor environment requires specific focus on changes to the threat surface area at the interfaces between technologies integrated via the architecture. In addition to addressing security considerations related to integrating components from multiple vendors, service providers will continue to deal with other considerations related to use of open source applications and new 5G network functions and interfaces whose standards are still under development,” the document reads. “Additionally, MNOs will need to address security considerations related, but not unique to Open RAN, such as cloud infrastructure, virtualization, containerization and distributed denial of service (DDoS) attacks.

“The identified security considerations in this assessment are ones present at this point in time, as Open RAN standards are being developed by standards bodies. As standards are developed and adopted by equipment manufacturers, software developers, integrators, and mobile network operators, these security considerations may be mitigated through the adoption of standards and industry best practices,” the paper adds.

The two agencies also noted that security considerations always emerge in new open systems aiming for improved cost, performance, and supply chain benefits.

“Open RAN shares these security considerations too, and, with continuing efforts by the Open RAN ecosystem, they can be overcome,” the report says.