The Role of Network Security in Open RAN and the Implications for 5G Non-Terrestrial Networks
July 24th, 2023
Open RAN Architecture Changes the Game
The next generation of cellular networks, 5G-Advanced, is set to be drastically different in terms of how the infrastructure is built and deployed. One of the most radical changes relates to how the architecture embraces virtualization and cloud-native features, with functionality implemented in software, such as with cloud-native network functions (CNFs). This is a stark departure from previous generations, in which virtualization and containerization did not form an integral part of the architecture. Cloud-native, in particular, is a key technology that will be used throughout 5G networks, from the mobile-access edge computing (MEC) to the core, including the Radio Access Network (RAN). A critical aspect of cloud-native is that it can use commodity hardware and run on commercial off-the-shelf (COTS) servers, rather than having to use proprietary components, making it more cost-effective.
Open RAN pushes this concept even further, allowing for the 5G RAN to be built entirely on open and interoperable hardware and software solutions. In many ways, this means the design of 5G is opening up to new vendors outside of the traditional telco space that have virtualization expertise. Virtualized RAN is set to allow more flexibility through the ability to deploy, configure, and update network functionality fairly easily.
New Security Considerations/Opportunities
From a security perspective, Open RAN poses both challenges and opportunities. It opens up a critical infrastructure that was traditionally closed and proprietary, with the assumption that this somehow made it more secure. A trite argument is that relying on software and using open-source components expands the threat landscape by multiplying potential threat vectors because everyone, including threat actors, can hunt for and exploit vulnerabilities much more easily than in a closed system. While this is true to some extent, the same can be said of security professionals, who can also hunt for vulnerabilities and patch them more easily than before. The more valid counter-argument is that technology benefits from being open source because there is greater visibility, and therefore more independent security testing, as it is exposed to the open community.
Perhaps the most important security consideration is that there is already a large body of open-source software-based security technologies that have a mature and well-established place in the IT world. While Open RAN may be a new concept in cellular technologies, security virtualization in IT is not; plenty of open-source security tools have been developed for virtualized and containerized environments, both from security vendors and the open-source community.
Further, standards development bodies, such as ETSI, the Internet Engineering Task Force (IETF), Open Platform for NFV (OPNFV) and ONAP, among others, have issued their own specifications and standards on virtualization and security, some of which are almost a decade old. There is a large body of existing resources that can be leveraged to secure Open RAN; work needs to be done to adapt it to the 5G context, but it’s hardly as if the wheel needs to be reinvented. Today, there are additional organizations researching security within Container Network Functions (CNFs) specifically, including the 3rd Generation Partnership Project (3GPP) SA3, GSMA, the European Union Agency for Cybersecurity (ENISA), and the Next Generation Mobile Networks Alliance (NGMN Alliance). Consensus around best practices and trusted implementations will certainly be achieved.
There is a great opportunity now to embed security deep within Open RAN’s network architecture. As an incipient technology, there is scope to properly assess and integrate a security-by-design and zero-trust architecture. Even challenges such as resource sharing that may introduce data risks, multi-vendor environments that can make security policy coordination difficult, or even supply chain risks introducing compromised hardware and software can be effectively mitigated through trusted design and continuous security validation.
Implications for 5G Non-Terrestrial Networks
The satellite ecosystem currently is a mixed bag as it relates to virtualization in 5G. 3GPP approved the adoption of non-terrestrial network (NTN) mobile and satellite elements in its Release 17; so, from a normative perspective, there is an official role for satellite communications within 5G networks. But in practice, this may prove difficult to implement.
While satellites could potentially support 5G backhaul in theory, and can be compatible with Open RAN (e.g., Geostationary Orbit (GEO) operator Hughes Network Systems, which has already tested this), there are some significant obstacles in the way. Latency, and to a lesser extent, data bandwidth, could be a challenge to handle, especially for time-sensitive communications. Further, ground stations are needed for in-country data sovereignty, which could be a major issue for telcos from a data security perspective. But some of the challenges stem from the satellite operators themselves.
The ecosystem is fragmented, dominated by closed and proprietary satcom systems, even among new Low-Earth Orbit (LEO) and Medium-Earth Orbit (MEO) entrants. While the interoperability that open source can offer is enticing, clearly it is not on the priority list for satcom operators. There is little incentive currently to adopt, as the majority of revenue is currently derived from consumer-based connectivity subscriptions. The 5G enterprise opportunity, as viewed by terrestrial operators on the ground, is not a vision that is as clear cut for satcom operators.
Consequently, this will make virtualization adoption within a 5G context a difficult sell, and interoperability between terrestrial and non-terrestrial stakeholders challenging, dimming the potential for an Open RAN-like ecosystem to expand into space.
So, what does this mean for 5G satcom security? At best, if an agreement can be reached on common virtualization technologies between terrestrial and NTN operators that align with 3GPP’s work, then security designs can be integrated across the board, leveraging standardized security virtualization technologies.
At worst, each satcom operator decides to build its own proprietary version of virtualized RAN elements, and security through obscurity reigns. What is clear today is that the satcom industry needs to think long and hard about its 5G journey, and that means seriously evaluating the role of virtualization and open source within that.
While it currently plays a role as a simple backhaul for cellular base stations (through ground base transceiver stations), if the satcom industry wants to take advantage of NTN mobile, it will need to adopt more 3GPP standards than simply transmitting and receiving communications over the right interfaces; this means it will likely need to be more modular.
Within that scenario, security needs to be a critical part of that consideration right at the start; and while satellite dimensions will be limited and operators will have different operational criteria, virtualization and open source could offer innovative new ways of addressing those constraints. Short of evolving, the opportunities that 5G, and Open RAN within that, could offer may never materialize.