Open RAN Security Considerations
Open RAN is a transformation of RAN based on the pillars of automation, intelligence, cloud, and open and interoperable interfaces, as achieved in Ericsson Cloud RAN, O-RAN, and other solutions for Open RAN. As 5G deployments evolve to the cloud for Core and Open RAN, new security risks must be considered. The cloud increases Open RAN’s attack surface due to dependency on cloud service providers, resource sharing with other tenants, increased risk of security misconfiguration, lateral movement, a broader internal threat surface, and greater use of open source software. Open RAN’s promise to provide a multivendor ecosystem for cloud-based deployments must be met with a strong security posture that takes a risk-based approach. This includes a Zero Trust Architecture (ZTA) that ensures the confidentiality, integrity, availability, and authenticity of network functions and data are protected from internal and external threats.
Sharing responsibility and accountability for the cloud
The responsibilities of the CSP (communication service provider), as a cloud consumer, and of the cloud service provider to provide security at each layer of the cloud vary across the three service models: IaaS, PaaS, and SaaS. The cloud shared responsibility model, as shown in Figure 1 below, provides guidance for determining the responsible stakeholder at each layer of the cloud stack for each of the service models. The CSP may delegate some security responsibilities to the selected cloud service provider (or providers in a multi-cloud deployment), as clearly specified in the cloud service agreement. However, the CSP retains overall responsibility. Changes in risk due to evolving threats, attack vectors, and security control technologies need to be periodically reassessed by all stakeholders. Hybrid clouds present additional security challenges due to the multi-stakeholder environment, including cloud service provider and cloud consumer, with an increased risk of poorly defined or undefined roles and responsibilities at each layer of the cloud stack.
5G deployments can be considered critical infrastructure, for which the CSP is responsible for the security posture of the deployment. The US DHS CISA has advised that “Cloud service providers and mobile network operators may share security responsibilities in a way that requires operators to take responsibility for securing their cloud tenure.” The CSP, as a consumer of the cloud, is responsible for the security posture of the deployment, which drives the need to perform proper due diligence when selecting a cloud provider partner. The CSP retains responsibility for the security posture of 5G deployments in a public or hybrid cloud and, as a consumer of the cloud, must:
- Establish requirements and security controls for cloud deployment
- Perform due diligence on cloud service providers to understand security gaps
- Select the cloud service provider that best suits its security requirements
- Clearly indicate in the cloud service agreement any security responsibilities delegated to the cloud service provider
- Properly configure security controls, whether provided by the CSP, cloud service provider, or a third party.
A commonly used slogan for cloud security is that the cloud service provider is responsible for security of the cloud and the cloud consumer is responsible for security in the cloud, which always includes data, devices, and people. The CSP, as a cloud consumer, is always responsible for security configuration and for scheduling and deploying patches and software updates. Security best practices for the cloud consumer to follow include the items on this partial list:
- Avoid using weak or default passwords
- Use multi-factor authentication for human access
- Deactivate unused or invalid accounts
- Configure access controls with the principle of least privilege
- Secure Application Programming Interfaces (APIs)
- Use public key infrastructure (PKI) certificates with automated authentication using Mutual Transport Layer Security (mTLS)
- Close unused ports and block unused protocols
- Validate security settings
- Maintain patches and software updates.
SMO to align Open RAN with ZTA
Service Management and Orchestration (SMO) visibility and orchestration capabilities make it an ideal platform for strengthening the security posture of Open RAN cloud deployments, aligning with a ZTA built to protect against cyber attacks by external and internal threat actors. AI and machine learning in the Open RAN SMO can provide the awareness, threat intelligence, and automated responses needed for an open and secure RAN. The SMO and the rApps integrated within SMO’s Non-Real-Time RAN Intelligent Controller (Non-RT RIC) can improve the RAN’s security posture by implementing security use cases to protect against external and internal threats, including advanced persistent threats (APTs) capable of exploiting Open RAN vulnerabilities for lateral movement and reconnaissance in cloud deployments.
5G cloud deployments should be based on a ZTA with a foundation of continuous monitoring and logging to detect lateral movement. The SMO can align Open RAN implementations with the US DHS CISA guidance for securing 5G cloud deployments through the following capabilities:
- prevent and detect lateral movement
- secure isolation of network resources
- data protection
- ensure the integrity of the cloud infrastructure
The Non-RT RIC is seen as an automation platform for multi-vendor, multi-technology networks through which rApps offer a greater opportunity to create new and innovative automation use cases. rApps focus on specific functionality to solve complex problems and can be created by the SMO/Non-RT RIC platform provider, the network operator, or a third party, as shown in Figure 2, to run on the SMO and Non-RT RIC framework, providing RAN functions such as capacity planning, neighbor relations, self-organizing networks (SON), and security. As the SMO has network-wide visibility from internal and external data sources, its rApps can be specifically designed to provide RAN-protective security features such as RAN anomaly detection, O-Cloud anomaly detection, configuration validation, and safety and security compliance monitoring.
SMOs, such as Ericsson’s Intelligent Automation Platform, play an important role in Open RAN’s security posture. SMO’s intelligence and its support for rApps enable an ecosystem of purpose-built security features that deliver faster and deeper threat detection. rApps are used in conjunction with artificial intelligence and machine learning models, leveraging datasets and logs fed from other functions in the Open RAN and external data sources. A standardized and secure R1 interface between SMO, Non-RT RIC and rApps allows any rApp to work with any SMO and other rApps. Insights from one rApp can serve as input to another to make more complex decisions for detecting and responding to security events, allowing a group of rApps to compose larger security use cases. This helps ensure secure Open RAN across public and hybrid cloud deployments.
External systems can also provide enrichment data to the SMO to further enhance RAN security use cases. An example of a security automation use case is RAN compliance monitoring to detect misconfigurations and recommend safe configurations. The SMO can provide the flexibility to incorporate rApps with security information and event management (SIEM) and security orchestration, automation and response (SOAR) functionality, as well as integrate with an external SOAR or SIEM in the security operations center (SOC). When implementing rApps that support RAN security use cases, additional requirements may need to be considered to adequately secure SMO components and interfaces to ensure secure operations.
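As an added illustration of the compliance-monitoring rApp use case above (example code written for this page, not Ericsson's or O-RAN's), the following Python check evaluates a constructed inventory of network-function management settings against the cloud-consumer best practices listed earlier (default passwords, MFA, unused accounts, mTLS, open ports) and emits findings with recommended safe configurations. The configuration schema, rule names, port baseline and thresholds are assumptions made for the illustration.

```python
from dataclasses import dataclass
# Policy thresholds are assumptions for this illustration, not O-RAN-mandated values.
DEFAULT_PASSWORDS = {"", "admin", "password", "default"}
ALLOWED_PORTS = {22, 443, 830}      # assumed baseline: SSH, HTTPS, NETCONF over SSH
MIN_TLS = (1, 2)
STALE_DAYS = 90                     # accounts unused longer than this are flagged

@dataclass
class Finding:
    nf: str            # network function instance id
    rule: str
    severity: str
    recommendation: str

def check_nf(nf: dict) -> list:
    """Evaluate one NF's management-plane config against the policy above."""
    nid, out = nf["id"], []
    if nf.get("admin_password", "") in DEFAULT_PASSWORDS:
        out.append(Finding(nid, "default-password", "critical",
                           "set a unique strong credential or move to certificate-based auth"))
    for acct in nf.get("accounts", []):
        if acct.get("type") == "human" and not acct.get("mfa"):
            out.append(Finding(nid, "mfa-missing", "high", f"enable MFA for '{acct['name']}'"))
        if acct.get("last_used_days", 0) > STALE_DAYS:
            out.append(Finding(nid, "stale-account", "medium", f"deactivate unused account '{acct['name']}'"))
    if not nf.get("mtls"):
        out.append(Finding(nid, "mtls-disabled", "high",
                           "enforce mutual TLS with PKI-issued certificates on management APIs"))
    if tuple(map(int, nf.get("tls_min", "1.0").split("."))) < MIN_TLS:
        out.append(Finding(nid, "weak-tls-version", "medium", "raise minimum TLS version to 1.2"))
    extra = sorted(set(nf.get("open_ports", [])) - ALLOWED_PORTS)
    if extra:
        out.append(Finding(nid, "unexpected-open-ports", "high",
                           f"close ports {extra} or add them to the approved baseline"))
    return out

def compliance_report(inventory: list) -> dict:
    # Map each NF id to its findings; an empty list means the NF is compliant.
    return {nf["id"]: check_nf(nf) for nf in inventory}

# Constructed sample inventory (not real deployment data).
SAMPLE_INVENTORY = [
    {"id": "o-du-01", "admin_password": "admin", "mtls": False, "tls_min": "1.0",
     "open_ports": [22, 443, 830, 8080],
     "accounts": [{"name": "ops", "type": "human", "mfa": False, "last_used_days": 2},
                  {"name": "vendor-tmp", "type": "human", "mfa": True, "last_used_days": 200}]},
    {"id": "o-cu-01", "admin_password": "<strong-secret>", "mtls": True, "tls_min": "1.3",
     "open_ports": [443, 830],
     "accounts": [{"name": "ops", "type": "human", "mfa": True, "last_used_days": 1}]},
]
```

Running `compliance_report(SAMPLE_INVENTORY)` flags six issues on the constructed `o-du-01` entry and none on `o-cu-01`; in a real rApp the findings would be forwarded to the SMO's SIEM/SOAR integration rather than returned as a dictionary.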
SMO Protection: Faster Threat Detection and Zero Trust Mindset
While the SMO can enhance the security of the RAN, it must also be adequately protected to prevent a threat actor from gaining access to perform reconnaissance or take control of the RAN. A security vulnerability within the SMO could be exploited to serve as an entry point for attacks against Open RAN components and allow lateral movement across the RAN and 5G Core. The SMO also accesses internal and external data stores through APIs, which must be implemented securely.
The SMO should have built-in security controls implemented with a zero-trust mindset, where we assume the adversary is already inside the network, to improve the Open RAN’s security posture while also protecting the SMO. It is critical to implement the appropriate mitigations to ensure that the confidentiality, integrity, availability, and authenticity of SMO functions, interfaces, and data are protected. Risk assessments are required for user access, interoperability, conflict mitigation, AI/ML, and supply chain. Security is a success factor for integrating third-party rApps due to the risks of malicious rApps, rApps with vulnerabilities, and conflicting rApps from multiple vendors.
SMO’s intelligence and its support for rApps enable an ecosystem of purpose-built security features that deliver faster and deeper threat detection, helping to ensure secure Open RAN hybrid and public cloud deployments. The Ericsson Intelligent Automation Platform is the implementation of Ericsson’s SMO components, providing an open service orchestration and management platform that enables mobile network operators to optimize and secure their networks to deliver enhanced customer experiences. Ericsson is also leading within the O-RAN Alliance to ensure that the SMO and its Non-RT RIC, rApps, and the R1 and A1 interfaces are secure.
If you’d like to learn more about the broader topic of intelligent security in Open RAN networks, read our most recent article in the Intelligent Automation Guide series: Smart Security.