The new architectures taking over telecom networks have inherent security risks, federal cyber authorities said, which means operators and vendors face additional complexity in threat mitigation and defense.
The open interfaces, open source software, cloud-native functions and disaggregated components championed by open radio access networks encapsulate the broader transitions already underway in many networks. Public cloud is jarring networks much like it has IT infrastructure, and the security implications of those transitions are plentiful.
The open RAN framework, still in its infancy, is a growing evolution away from the tightly integrated hardware that powers most wireless networks today. It allows operators and enterprises to mix and match parts and software from a much deeper pool of vendors.
The cloud plays a central part in open RAN. Dish Wireless, which is still building a network in the U.S. from scratch on open RAN principles, claims to be the first operator running its network entirely in the public cloud.
Many of the security risks recognized by CISA and the NSA aren’t unique to open RAN but rather apply to 5G network security, cloud and IT infrastructure at large.
“By nature, an open ecosystem that involves a disaggregated multivendor environment requires specific focus on changes to the threat surface area at the interfaces between technologies integrated via the architecture,” the National Security Agency and Cybersecurity and Infrastructure Security Agency said.
The Open Radio Access Network Security Considerations document published earlier this month by the NSA and CISA details guidance that operators, vendors and enterprises should follow to overcome common risks.
The guidance covers security considerations for network fronthaul and backhaul, open source software and network virtualization. An untested and disjointed supply chain is the recurring theme, and security concern, that the agencies detailed.
“The more software you introduce, the higher probability of vulnerabilities that need to be patched,” Anshel Sag, principal analyst at Moor Insights & Strategy, said via email.
“If a zero-day vulnerability is identified, vendors could release patches at different times. If one vendor’s device is patched in response to a critical vulnerability, and others are not, it could lead to incompatibility of network devices and loss of network service availability,” the document said.
“Until all the vendors within a network release a patch for the exploit, the operator’s network may be vulnerable,” CISA and the NSA wrote.
The guidance will likely make security a bigger focus in telecom, according to Sag, and the industry might establish tiers of security standards for different applications.