Security specification in Open-RAN incomplete: Quad working group

A working group on technology under Quad has found security specification of Open-RAN (radio access network), which is widely used for 5G services, to be incomplete and called for additional efforts from industry groups to adopt "security best practices".

The Open RAN Security Report of Quad Critical and Emerging Technology Working Group released on Saturday said it is unclear the way O-RAN Alliance selected security guidelines and best practices related to Open RAN Security.

The working group was set up in March 2021 under Quadrilateral Security Dialogue (Quad) between US, India, Australia and Japan to facilitate cooperation around technology standards and explore cooperation on 5G deployment and diversification of equipment suppliers, in close cooperation with the industry.

"Parts of the O-RAN security specification appear to be incomplete. For example, security requirements do not cover all security principles, specified security controls do not cover all security requirements, security controls do not cover all components or interfaces," the report said.

The O-RAN alliance was formed to break the oligopoly of few players in setting up telecom base stations. It helps telecom operators and equipment suppliers access the radio access network data to ensure seamless services to users.

Leading players, including Jio, Airtel, Vodafone, IBM, Apple, Nokia, Singtel, Softbank etc., are part of Open RAN alliance.

The report based on theoretical exercise found no clarity in adoption of security specifications.

"It is often unclear how guidance has been determined or how it relates to other parts of the security specification. For example, no details on how security principles have been derived and how the security controls address the security threats. It is unclear how the O-RAN Alliance selected security guidelines and best practices related to Open RAN security," the report said.

Some reports referred by the working group stated that the Open RAN may increase security risks, especially those associated with disaggregation and openness of the system.

A study by the French Institute of International Relations (IFRI) said in the report the disaggregation of RAN functionalities may result in lower-quality performance due to components provided by multiple suppliers.

"Because not all suppliers are trusted, the performance of the components compared to proprietary solutions and their inherent security vulnerabilities remain in question," the IFRI study said.

The Quad working group said a large number of best practices shows that relevant guidance does exist but they just are not yet in a consolidated form.

"Additional efforts from industry groups will be required to support Open RAN stakeholders to identify and adopt relevant security best practices. This applies in particular to MNOs (mobile network operators), as the absence of a single RAN vendor requires them to take on new security responsibilities in the Open RAN life cycle," the report said.