The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on implementing an Open Radio Access Network (RAN) architecture.
A general-purpose document titled Open Radio Access Network Security Considerations, the guidance is based on current knowledge and recommended practices and should apply to a variety of industries.
“Open RAN is the industry term for the evolution of traditional RAN architecture to open interoperable interfaces, virtualization, and big data and AI-enabled intelligence,” the document reads.
An Open RAN architecture, CISA and the NSA explain, opens the door to cloudification and virtualization, while promoting ‘increased competition, vendor diversity, and innovation’ by creating a multi-vendor ecosystem.
Open RAN can increase resiliency and flexibility in telecommunications networks through the adoption of ‘best-of-breed’ solutions from multiple vendors. It also takes advantage of the security features of 5G, while offering increased transparency to help identify and address issues in real time, the document notes.
“The deployment of Open RAN introduces new security considerations for mobile network operators (MNO). By nature, an open ecosystem that involves a disaggregated multi-vendor environment requires specific focus on changes to the threat surface area at the interfaces between technologies integrated via the architecture,” CISA and the NSA note.
The two agencies also point out that service providers will need to address security risks related not only to the use of components from multiple vendors, but also to the use of open source software and new 5G network functions and interfaces.
While not unique to Open RAN, other security considerations that MNOs will need to address include cloud infrastructure, containerization, virtualization, and distributed denial of service (DDoS) attacks, the document reads.
CISA and the NSA also provide considerations on ensuring the security of the network despite the complexity created by using components from multiple vendors, as well as on component lifecycle, cooperation with vendors, and the use of defined Open RAN standards and specifications.
“If a zero-day vulnerability is identified, vendors could release patches at different times. If one vendor’s device is patched in response to a critical vulnerability, and others are not, it could lead to incompatibility of network devices and loss of network service availability. Until all the vendors within a network release a patch for the exploit, the operator’s network may be vulnerable,” the document reads.
Furthermore, the two agencies provide guidance on the security of the fronthaul network (the system of radios on top of cell towers) and of network automation applications, and on the expanded threat surface created by open source applications, cloudification and virtualization, and the data sources used for the training of artificial intelligence (AI) and machine learning (ML) algorithms.
“As standards are developed and adopted by equipment manufacturers, software developers, integrators, and mobile network operators, these security considerations may be mitigated through the adoption of standards and industry best practices. Some of the security considerations identified in this assessment are not unique to Open RAN and exist in current closed RAN deployments, both would benefit by mitigating these security considerations,” CISA and the NSA note.