Germany doesn’t agree with the assessment that Open RAN (O-RAN) provides a more secure alternative to certain vendors.
A US-led campaign warning that Chinese vendors such as Huawei pose a security risk led many governments to ban or restrict the use of such equipment in national infrastructure. The exile of vendors that have provided equipment for multiple generations of networks has been costly for operators and set back their rollouts.
O-RAN has been hailed as the solution to deliver cost-efficient, secure, and interoperable equipment that avoids the “lock-in” of the legacy vendors.
A report from Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik in German, abbreviated as BSI) claims that O-RAN is anything but secure.
Germany’s report warns that mixing products from various suppliers is likely to cause problems and that not enough work has been done on the standards side to ensure that O-RAN is secure.
Arne Schönbohm, President of the BSI, said:
“As a federal cyber security authority, the BSI observes and accompanies the development process of Open RAN. Therefore, we have commissioned a risk analysis that analyses various affected persons and attacker groups and evaluates the risks to the central protection goals of confidentiality, integrity, imputability, availability, and privacy.
The study demonstrates on the basis of a best/worst case view that the previous Open RAN has not yet been sufficiently specified according to security by design and partially has security risks.
The security improvements should therefore be included in the specifications from the study in order to be able to serve the rapid growth of Open RAN in the market from the outset with sufficiently secure products.”
The BSI outsourced production of the report to cybersecurity firm Secunet. At 86 pages, and entirely in German, it makes for some hefty reading.
Translated into English, what perhaps summarises the report best is that “medium to high security risks emanate from a multiplicity of the interfaces and components specified in O-RAN.”
Secunet recommends that “security improvements are now included in the specification to avoid a security debacle like the one that occurred with the development of the 3GPP standards this time.”
A full copy of the report in German is available here (PDF)