Open RAN security considerations
Open RAN is a transformation of RAN built upon the pillars of automation, intelligence, cloudification, and open, interoperable interfaces, as achieved in Ericsson Cloud RAN, O-RAN and other solutions for Open RAN. As 5G deployments are evolving to the cloud for Core and Open RAN, new security risks must be considered. The cloud increases the Open RAN attack surface due to dependency on cloud service providers, resource sharing with other tenants, increased risk of security misconfiguration, lateral movement, broader internal threat surface, and greater use of open-source software. The promise of Open RAN providing a multi-vendor ecosystem for cloud-based deployments must be realized with a strong security posture that takes a risk-based approach. This includes zero trust architecture (ZTA) that ensures confidentiality, integrity, availability, and authenticity protection of network functions and data from internal and external threats.
Sharing responsibility and accountability for the cloud
The responsibilities of the CSP (communications service provider), as cloud consumer, and of the cloud service provider for security at each layer of the cloud vary across the three service models: IaaS, PaaS, and SaaS. The cloud shared responsibility model, as shown in Figure 1 below, provides guidance to determine the responsible stakeholder at each layer of the cloud stack for each of the service models. The CSP can delegate some security responsibilities to the selected cloud service provider (or providers in a multi-cloud deployment), as clearly specified in the cloud service agreement. However, the CSP retains accountability. Changes to risk due to evolving threats, attack vectors, and security control technologies must be periodically reassessed by all stakeholders. Hybrid clouds introduce additional security challenges due to the multi-stakeholder environment, including the cloud service provider and cloud consumer, with increased risk of poorly defined or undefined roles and responsibilities at each layer of the cloud stack.
5G deployments may be considered critical infrastructure for which the CSP is accountable for the security posture of the deployment. The US DHS CISA has advised that “cloud service providers and mobile network operators may share security responsibilities in a manner that requires the operators to take responsibility to secure their tenancy in the cloud.” The CSP, as a cloud consumer, is accountable for the security posture of the deployment, driving the need to perform proper due diligence when selecting a cloud service provider partner. The CSP retains accountability for the security posture of 5G deployments in a public or hybrid cloud and as the cloud consumer must:
- Establish security requirements and controls for the cloud deployment
- Perform due diligence of cloud service providers to understand security gaps
- Select the cloud service provider that best aligns with the security requirements
- Clearly state in the cloud service agreement any security responsibilities delegated to the cloud service provider
- Properly configure security controls, whether provided by the CSP, cloud service provider, or a third party.
A commonly used slogan for cloud security is that the cloud service provider is responsible for security "of" the cloud and the cloud consumer is responsible for security "in" the cloud, which always includes data, devices, and people. The CSP, as cloud consumer, is always responsible for security configuration and for scheduling and implementing software patches and upgrades. The security best practices to be followed by the cloud consumer include the items in this partial list:
- Avoid use of weak or default passwords
- Use multi-factor authentication for human access
- Deprecate unused or invalid accounts
- Configure access controls with the principle of least privilege
- Secure Application Programming Interfaces (APIs)
- Use public key infrastructure (PKI) certificates with automated authentication using mutual Transport Layer Security (mTLS)
- Close unused ports and block unused protocols
- Validate security configurations
- Maintain software patches and upgrades.
SMO to align Open RAN with ZTA
The visibility and orchestration capabilities of the Service Management and Orchestration (SMO) make it an ideal platform to strengthen the security posture of Open RAN cloud deployments, aligning with a ZTA built to protect against cyberattacks conducted by external and internal threat actors. AI and machine learning in Open RAN’s SMO can provide the awareness, threat intelligence, and automated responses needed for a secure Open RAN. The SMO, and rApps integrated within the SMO’s Non-Real-Time RAN Intelligent Controller (Non-RT RIC), can enhance the RAN security posture by implementing security use cases to protect against external and internal threats, including advanced persistent threats (APTs) able to exploit Open RAN vulnerabilities for lateral movement and reconnaissance in cloud deployments.
5G cloud deployments should be based upon a ZTA with a foundation of continuous monitoring and logging to detect lateral movement. The SMO can align Open RAN deployments with US DHS CISA guidance to secure 5G cloud deployments with the following capabilities:
- prevent and detect lateral movement
- securely isolate network resources
- protect data
- ensure the integrity of the cloud infrastructure
The Non-RT RIC is seen as an automation platform for multi-vendor, multi-technology networks through which rApps offer a greater opportunity to create new and innovative automation use cases. rApps are focused on specific functionality to solve complex problems and can be created by the SMO/Non-RT RIC platform vendor, the network operator, or a third party, as shown in Figure 2, to run on the SMO and Non-RT RIC framework, providing RAN functions such as capacity planning, neighbor relations, self-organizing networks (SON), and security. As the SMO has network-wide visibility from internal and external data sources, its rApps can be purpose-built to provide RAN-protecting security functions, such as RAN anomaly detection, O-Cloud anomaly detection, secure configuration validation, and security compliance monitoring.
SMOs, such as the Ericsson Intelligent Automation Platform, play an important role in the Open RAN security posture. The SMO’s intelligence and its support for rApps enables an ecosystem of purpose-built security functions providing faster and deeper threat detection. rApps are used in conjunction with AI and machine learning models, leveraging data sets and logs fed from other functions in the Open RAN and external data sources. A secure, standardized R1 interface between the SMO, Non-RT RIC, and rApps enables any rApp to work with any SMO and other rApps. Insights from one rApp can serve as input to another to form more complex decisions for detection and response to security events, enabling a group of rApps to compose larger security use cases. This helps ensure secure Open RAN in public and hybrid cloud deployments.
External systems can also provide enrichment data to the SMO to further enhance RAN security use cases. An example of a security automation use case is RAN compliance monitoring to detect misconfigurations and recommend secure configurations. The SMO can provide the flexibility to build in rApps with security information and event management (SIEM) and security orchestration automation and response (SOAR) functionality, plus integrate with external SOAR or SIEM in the security operations center (SOC). When deploying rApps that support RAN security use cases, additional requirements to adequately secure the SMO components and interfaces may need to be considered to ensure secure operations.
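As an added example (not Ericsson's code and not an actual rApp), the following Python sketches the secure-configuration validation and compliance-monitoring use case just described: it checks a constructed network-function configuration against the cloud-consumer checklist given earlier on this page and returns a recommended secure setting for each gap. The configuration schema, the weak-password list, and the expected-port set are assumptions made for the example.

```python
from collections import namedtuple

# Constructed sample policy; a real rApp would load it from the SMO.
WEAK_PASSWORDS = {"", "admin", "password", "123456", "default"}
EXPECTED_PORTS = {443, 8443}  # assumption: only TLS management ports are expected

# control = checklist item, detail = what was observed, recommendation = secure setting
Finding = namedtuple("Finding", "control detail recommendation")


def check_nf_config(cfg: dict) -> list:
    """Evaluate one network function's configuration against the cloud-consumer
    checklist and return one Finding per gap with the recommended fix."""
    out = []
    for acct in cfg.get("accounts", []):
        name = acct["name"]
        if acct.get("password", "") in WEAK_PASSWORDS:
            out.append(Finding("weak-password", f"{name}: weak or default password",
                               "set a unique strong credential or use certificate auth"))
        if acct.get("human") and not acct.get("mfa"):
            out.append(Finding("mfa", f"{name}: human account without MFA", "enable multi-factor authentication"))
        if not acct.get("active", True):
            out.append(Finding("stale-account", f"{name}: unused or invalid account", "deprecate the account"))
        if not acct.get("human") and "admin" in acct.get("roles", []):
            out.append(Finding("least-privilege", f"{name}: service account holds admin",
                               "scope the role to the functions the account needs"))
    tls = cfg.get("api_tls", {})
    if not (tls.get("enabled") and tls.get("mutual")):
        out.append(Finding("mtls", "API endpoint does not require mutual TLS",
                           "enable mTLS with PKI-issued certificates"))
    for port in sorted(set(cfg.get("open_ports", [])) - EXPECTED_PORTS):
        out.append(Finding("unused-port", f"port {port} is open", f"close port {port} or block the protocol"))
    if cfg.get("patch_level") != cfg.get("latest_patch"):
        out.append(Finding("patching", f"running {cfg['patch_level']}, latest is {cfg['latest_patch']}",
                           "schedule the patch or upgrade"))
    return out


SAMPLE_CFG = {  # constructed configuration of one network function
    "accounts": [
        {"name": "ops-user", "human": True, "mfa": False, "password": "S3cure!pw", "roles": ["operator"]},
        {"name": "svc-sync", "human": False, "password": "admin", "roles": ["admin"]},
        {"name": "old-vendor", "human": True, "mfa": True, "password": "x", "roles": [], "active": False},
    ],
    "api_tls": {"enabled": True, "mutual": False},
    "open_ports": [443, 8443, 22, 8080],
    "patch_level": "23.1", "latest_patch": "23.2",
}

if __name__ == "__main__":
    for f in check_nf_config(SAMPLE_CFG):
        print(f"[{f.control}] {f.detail} -> {f.recommendation}")
```

The sample configuration yields eight findings (one per checklist gap, with two unexpected open ports); a configuration that satisfies every check returns an empty list.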
Securing the SMO: faster threat detection and the zero trust mindset
While the SMO can enhance RAN security, it must also be properly secured to prevent a threat actor from gaining access to perform reconnaissance or take control of the RAN. A security vulnerability within the SMO could be exploited to serve as an entry point for attacks against Open RAN components and enable lateral movement across the RAN and 5G Core. The SMO also accesses internal and external data stores through APIs, which must be securely implemented.
The SMO must have built-in security controls implemented with a zero trust mindset, in which we assume the adversary is already inside the network, to enhance the Open RAN security posture while also protecting the SMO. It is critical to implement proper mitigations to ensure the protection of confidentiality, integrity, availability, and authenticity of SMO functions, interfaces, and data. Risk assessments need to be performed for user access, interworking, conflict mitigation, AI/ML, and supply chain. Security is a success factor for the integration of third-party rApps due to risks from malicious rApps, rApps with vulnerabilities, and conflicting rApps from multiple vendors.
The SMO’s intelligence and its support for rApps enable an ecosystem of purpose-built security functions providing faster and deeper threat detection, helping to ensure secure Open RAN public and hybrid cloud deployments. The Ericsson Intelligent Automation Platform is Ericsson’s implementation of the SMO components, providing an open service management and orchestration platform that enables MNOs to optimize and secure their networks for delivery of enhanced customer experiences. Ericsson is also leading within the O-RAN Alliance to ensure that the SMO and its Non-RT RIC, rApps, and R1 and A1 interfaces will be secure.
If you’d like to find out more about the broader topic of intelligent security in Open RAN networks, please read our newest paper in the Intelligent Automation Guide series: Intelligent Security.