How secure is Open-RAN for mobile private networks? What are the responsibilities of campus network solution providers and operators and what steps are taken to ensure the security of Open-RAN based networks in the future? We have all the answers for you in our interview with Nikolai Strasding, Unit Manager Cyber Security Consulting & Information Security Manager at COCUS.
Thank you for joining us today to discuss the security of Open-RAN in mobile private networks. Over the last few years, concerns have arisen about the security of Open-RAN compared to traditional cellular networks. How would you respond to these security concerns?
Thank you for the opportunity to address these concerns. First of all: Open-RAN is used in conjunction with 3GPP 5G networks, which are designed with security in mind and utilize multiple layers of security measures to ensure the protection of networks and user data. The 3GPP network generations are proven secure since decades – there have been no major security challenges with these networks since the introduction of 3G.
You state that a basic building block that comes with Open-RAN is already well proven. But what are the differences between traditional cellular networks and Open-RAN? Could you please highlight what is new in Open-RAN?
Both Open-RAN and traditional cellular networks have their own security challenges and strengths. The advantage of Open-RAN is that it is a flexible and customizable solution, allowing for a more tailored approach to security. Additionally, the intention of Open-RAN allows for a more transparent and collaborative approach to security, with a larger community of experts working to ensure the security of the network.
What steps are taken to ensure the security of Open-RAN based networks in the future?
We are continually working to improve the security of Open-RAN networks. This includes ongoing investment in research and development, regular software updates to address vulnerabilities, and collaboration with industry experts and customers to stay ahead of emerging security threats. Our goal is to provide secure and reliable networks for our customers, and as a TISAX certified company we take this responsibility very seriously.
How does this relate to studies and reports flagging security concerns regarding Open-RAN? For example, there has been the study issued by German BSI in 2021, raising concerns about the Open-RAN security.
We take the feedback seriously and had a deeper look into the study. It is important to understand the methodology of the study to interpret the result. The study was reviewing the security aspects of the Open-RAN standards in 2021 and not a concrete implementation of it. This is an important difference, as the standard for Open-RAN is still evolving and due to this naturally has gaps or leaves options. Also, the study was assuming a public network set up for the risk evaluation, which differs significantly from a campus network situation.
How does the difference in the network usage and operational model impact the findings?
The study assumes different distinct stakeholders with different protection needs: The end user, the network operator and also the state as regulatory or law enforcement entity. It also assumes that the Open-RAN network can be operated by a 3rd party, which is not identical with the mobile network operator. This implies for example, that a theoretical risk arises for the end user, when end user traffic becomes accessible for the Open-RAN and / or network operator. Now, in a campus network setting, the user is usually identical to the operator, so that the risk is becoming significantly lower or is even completely irrelevant.
The study flags high risks from insider attacks. Does this apply for campus networks? Does this apply for campus networks?
Yes and no: In general, insider attacks are prevalent in almost every IT infrastructure. People are required to administrate and operate IT platforms and networks and depending on the number of privileges required for this purpose, there is a risk of misuse or mistakes. The risk can only be lowered by the implementation of organisational or detective measures and automation. Here, Open-RAN does not differ from other systems including traditional, proprietary cellular networks.
Coming back to the risks identified in the BSI study: What nature do they have?
The authors of the study emphasize the security-by-design principle: The standard should from their perspective leave no room for mistakes in the implementation of the network leading to vulnerabilities. This is a very reasonable approach in general and we support the principle. Now unfortunately, standardisation processes are difficult, as different players have different views on possible implementations. This leads to optional elements in standards. The same is happening in 3GPP, where you find several optional elements in the security architecture. By the way: Since 2021, the Open-RAN standards have evolved and some of the issues flagged have been improved in the meantime. The non-mandatory character of some security features in the standard, however, does not imply that any or most concrete implementations will be insecure.
What are from your perspective the responsibilities of campus network solution providers? How should they deal with the potential risks?
First of all, clear advice is to implement all optional security features. This allows campus network operators to configure the network in a way, that is considered as “best case” in the BSI study. If you have a closer look into the study, a best-case implementation does not reveal significant risks for confidentiality, integrity, accountability and privacy, even in the more complex public network scenario. Risks remain in terms of availability, which do not differ significantly from availability risks of any other wireless network. The radio part of the network should always be planned for resilience.
And what is your advice for campus network operators?
The configuration of the network should follow standard security hardening principles: Activate all security features by default and deactivate only after risk assessments. If a company wants to forgo a security feature in favour of performance, this can be an acceptable potential risk in a campus setting. However, this would have to be examined individually and decided by the business owner.
So, is your conclusion that the BSI study is inaccurate?
No, the study is important to identify issues which could become problematic if the implementation is not done with due care, especially in a public network setting. In general such feedback facilitates the secure implementation of Open-RAN and helps to drive the standardisation process towards even higher level of security. When a security issue is identified, we work with our partners and customers to address it promptly and effectively. Additionally, Open-RAN allows for a larger community of experts to review the issues and identify improvements.
Are there other studies reviewing the Open-RAN security? What is their conclusion? What is their conclusion?
Yes there are, for example a study conducted by University of Passau. Their conclusion is that Open-RAN is at least as secure as traditional, proprietary solutions, if not more secure. Part of the assumed security of proprietary solutions is “security-by-obscurity”, which in general is not a recommended approach to securing solutions.
With Open-RAN the solution and thus the attack surface is much more transparent allowing to define the security controls for the individual critical points. Also, the standards adopt best-practice principles from other domains such as cloud security.
So your concluding sentence is: Open-RAN is secure?
Yes, if correctly implemented, we believe that campus networks using Open-RAN and 3GPP 5G network elements can be considered as the most secure option to implement mobile networks in a campus setting.