EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published a report on the cybersecurity of Open RAN. This new type of 5G network architecture will in the coming years provide an alternative way of deploying the radio access part of 5G networks based on open interfaces. This marks another major step in the coordinated work at EU level on the cybersecurity of 5G networks, demonstrating a strong determination to continue to jointly respond to the security challenges of 5G networks and to keep abreast of developments in the 5G technology and architecture.
EU citizens and companies using advanced and innovative applications enabled by 5G and future generations of mobile communication networks should benefit from the highest security standard. Following up on the coordinated work already done at EU level to strengthen the security of 5G networks with the EU Toolbox on 5G Cybersecurity, Member States have analysed the security implications of Open RAN.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure. Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realised.”
Thierry Breton, Commissioner for the Internal Market, added: “With 5G network rollout across the EU, and our economies' growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report. It is not up to public authorities to choose a technology. But it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe's 5G networks of Open RAN lead to new vulnerabilities.”
Guillaume Poupard, Director General of France's National Cyber Security Agency (ANSSI), said: “After the EU Toolbox on 5G Cybersecurity, this report is another milestone in the NIS Cooperation Group's effort to coordinate and mitigate the security risks of our 5G networks. This in-depth security analysis of Open RAN contributes to ensuring that our common approach keeps pace with new trends and related security challenges. We will continue our work to jointly address those challenges."
The report found that Open RAN could bring potential security opportunities, provided certain conditions are met. Through greater interoperability among RAN components from different suppliers, Open RAN could allow greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier. Open RAN could also help increase visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation, and increase flexibility through the use of virtualisation and cloud-based solutions.
However, the Open RAN concept still lacks maturity and cybersecurity remains a significant challenge. Especially in the short term, by increasing the complexity of networks, Open RAN would exacerbate a number of security risks. Those risks include a larger attack surface and more entry points for malicious actors, an increased risk of misconfiguration of networks and potential impacts on other network functions due to resource sharing. The report also notes that technical specifications, such as those developed by the O-RAN Alliance, are not sufficiently mature and secure by design. Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud.
To mitigate these risks and leverage potential opportunities of Open RAN, the report recommends a number of actions based on the EU 5G Toolbox, in particular:
Using regulatory powers to be able to scrutinise large-scale Open RAN deployment plans from mobile operators and if needed, restrict, prohibit and/or impose specific requirements or conditions for the supply, large-scale deployment and operation of the Open RAN network equipment;
Reinforcing key technical controls such as authentication and authorisation, and adapting the monitoring design to a modular environment where each component is monitored;
Assessing the risk profile of Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators, and extending the controls and restrictions on MSPs (Managed Service Providers) to those providers;
Addressing deficiencies in the development of technical specifications: the process should satisfy the World Trade Organisation (WTO)/Technical Barriers to Trade (TBT) founding principles for the development of international standards and security deficiencies should be addressed;
Including Open RAN components into the future 5G cybersecurity certification scheme, currently under development, at the earliest possible stage.
As regards preserving and consolidating EU capacities in this market, a technology-neutral regulation to foster competition should be maintained. In this framework, EU and national funding for 5G and 6G research and innovation could be used to support opportunities for EU players to compete on a level playing field. Beyond the RAN, it is also important to address potential dependencies or lack of diversity across the whole communication value chain for the diversification of supply.
Overall, the report recommends a cautious approach to moving towards this new architecture. Any transition from and coexistence with existing, reliable technologies should be done by allowing sufficient time and resources to assess risks in advance, implement appropriate mitigations and clearly define responsibilities in case of failure or incident.
The timely deployment of secure 5G networks is a high priority for the European Union. To contribute to this objective, EU Member States, with the support of the European Commission and ENISA, have developed a concerted approach to the cybersecurity of 5G networks. Through this concerted approach, EU Member States jointly assessed the main risks related to 5G networks (‘EU Coordinated risk assessment') and defined a comprehensive and risk-based approach in the form of the EU 5G Toolbox adopted in January 2020. The EU 5G Toolbox recommends a set of common risk mitigating measures.
The EU 5G Toolbox includes strategic and technical measures and corresponding actions to reinforce their effectiveness. Key measures of the EU 5G Toolbox include strengthening security requirements, assessing the risk profiles of suppliers, applying relevant restrictions for suppliers considered to be high-risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and having strategies in place to promote the diversification of suppliers and avoid dependencies.
To continue and deepen the EU coordination process on 5G cybersecurity, the EU Cybersecurity Strategy of December 2020 identified three key objectives: (1) ensuring further convergence in risk mitigation approaches across the EU, (2) supporting continuous exchange of knowledge and capacity building, and (3) promoting supply chain resilience and other EU strategic security objectives.
As part of these key objectives, the NIS Cooperation Group will continue to monitor and assess issues related to new trends and developments in the 5G supply chain. As Open RAN is a market trend in the evolution of 5G and 6G architectures, Member States have decided to conduct an in-depth analysis of the security implications of Open RAN to complement the coordinated risk analysis on 5G.
For More Information
 Recital (2) of the Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation.