The prospect of open radio access networks (RANs) has sparked a debate in the telecom industry in recent years. At its core, open RAN is an industry-level standard that defines interfaces facilitating interoperation between equipment vendors and provides network flexibility at a lower cost. It leverages the advantages of network softwarisation and artificial intelligence (AI) to enhance network operations. Open RAN offers a promising path to lower the entry barrier and enable cro­ss-domain innovation within the telecom ecosystem. However, these benefits also entail a host of security risks and impleme­ntation challenges that must be addressed before widespread deployment.

Security risks

In May 2022, the European Union publi­shed a report on open RAN security that highlighted potential concerns. These include a larger attack surface, increased risk of misconfiguration, potential impacts on other network functions due to re­so­urce sharing, and immature specifications that lack secure design. Open RAN could also lead to new critical dependencies on cloud components. Meanwhile, in Febru­ary 2022, Germany’s Federal Office for In­formation Security commissioned a report on open RAN specifications, as laid out by the O-RAN Alliance. As per the report, while the O-RAN specifications provide a few security guidelines, several medium to high security risks can be identified in interfaces and components. Some of the key risks pointed out by experts are:

Expanding threat surface

As more vendors become involved in the open RAN ecosystem, the threat surface area increases, especially through their interfaces. The threat surface expands due to the increased number of suppliers, components and interfaces that form part of open RAN deployments. For example, fr­o­nthaul interfaces could be exploited to carry out denial-of-service attacks, interception or tampering attacks. Such attacks can compromise availability, confidentiality and/or integrity of the network. In addition, by opening certain interfaces, open RAN will give access to information flows to new th­ird-party applications, which raises security issues with regard to data passing thro­ugh the network, such as real-time location data of users connected to the network.

Network vulnerability

Open RAN introduces a higher number of components from different suppliers into the RAN, resulting in an increased risk of va­rying security levels among those components. It is unclear whether newcomers in the open RAN market will prioritise innovation or security in the short term. Given that these components are interconnected, there is an increased risk that one vulnerable component (the weakest link) may compromise the security of the overall network.

Deficiencies in O-RAN specifications

Security has not been given priority in the development process of technical specifications by the O-RAN Alliance. The current immature O-RAN specifications do not include security from the beginning, whi­ch may result in insecure RAN products and gaps in the specifications. In addition, key decision rights within the O-RAN Alliance are with the board, which is a subset of the members and mobile network operators (MNOs). The stringent pro­­visions of the O-RAN Alliance Adop­ter Licence Agreement might hamper the transfer of information and knowledge between adopters and non-adopters, making discussions outside the O-RAN Allian­ce more difficult.

Risks associated with integrated technologies

While virtualisation and cloud platforms help in the better utilisation of hardware re­sources for different applications, they also introduce security risks. Recently discovered vulnerabilities such as Meltdown and Spectre reveal that there could be in­creased security risks in sharing hardware resour­ces. Further, integrating AI with RAN may result in unanticipated conseq­uences as in other domains. Also, the in­c­reasing number of IoT devices requires all RAN deployments to protect themselves against potential attacks from compromised devices.

Implementation challenges


Interoperability is a key factor to be considered while deploying any system inclu­d­ing open RAN. By disaggregating the base station functionality into multiple com­ponents such as radio unit (RU), distributed unit (DU) and centralised unit (CU) based on the open RAN concept, operators can select products from various vendors and customise their networks to suit their own unique requirements. How­ever, this approach of disaggregating the main components and selecting hardware from different suppliers may require operators to repeat interoperability validation and verification each time they introduce new hardware. This can create challenges in acquiring the necessary resources to per­form this task. Also, verification and tro­ubleshooting may cause delays in laun­ching services.


It is expected that initial multivendor op­en RAN networks may not achieve the same level of performance or security as conventional network deployments. Alth­ou­gh the gap to a single-vendor network will na­rrow over time as profiles and testing mature, it is unlikely to reach parity in­s­tantly due to vendor readiness. Further, disaggregating RAN hardware and software can reduce the benefits of purpose-built hardware and optimised software. However, to counteract this minor loss in performance, various hardware accelerators such as field programmable gate array and eASIC are being developed to suit different deployment scenarios based on their characteristics.

Misconfiguration of networks

Virtualisation management and the lack of mature MNO processes throughout the entire life cycle of open RAN deployment can significantly increase configuration com­plexity and the risk of network misconfigurations, resulting in higher fault oc­currences. Moreover, the lack of mature standards can lead to inconsistent and potentially inferior network design and ar­chitecture, which increases the risk of ineffective emergency and continuity mechanisms. Due to the many possible combinations of software and hardware, or combinations of software components, integrating security features may require additional effort and could result in a higher risk of underutilisation of security features. In ad­dition, deploying different releases of the same software in a heterogeneous ma­nn­er can also be problematic.

Carbon neutrality issue

One of the most critical challenges facing operators in the coming decades will be power consumption in RAN, particularly as carbon neutrality goals are set to kick in between 2030 and 2040. Open RAN networks are being built to accommodate inc­reasing volumes of network traffic. Du­ring the initial deployment phases, energy costs will likely increase slightly compared to traditional configurations. However, chipma­kers are now developing and de­signing ch­ip­­sets while still preserving the programmability that open RAN requires. These de­velopments will help optimise the power usage of open RAN equipment, such as CUs and DUs, as open networks mature.

Mitigating risks and challenges

To mitigate these risks and leverage potential opportunities presented by open RAN, industry bodies and experts have proposed various measures. Some suggest using regulatory powers to scrutinise large-scale open RAN deployment plans from MNOs and, if needed, restrict, prohibit and/or impose specific requirements or conditions for the supply, large-scale deployme­nt and operation of open RAN network equipment. It has also been advised to assess the risk profile of open RAN pro­vi­ders, external service providers, cloud service/infrastructure providers and system integrators, and extend the controls and restrictions on mobile service provi­ders to these providers. Network participants need protocols for proper authentication and authorisation, including user identity verification for roaming and cloud servi­ces, security identification for themselves, and identification of network usage behaviour and mobility patterns through machi­ne learning and data analytics. Fur­ther­more, it is important to address the security deficiencies in the development of technical specifications by the O-RAN Alli­ance. Security policies and procedures should be standardised globally.

The bottom line

Open RAN presents tremendous potential and opportunities for the entire telecom ecosystem, especially MNOs and equipment providers. It creates the foundation for automation and virtualised network elements, enabling increased speed and scalability to capture the fast growing 5G market. However, to realise the advantages of these open architectures, several security risks and deployment challenges need to be addressed. This will require the integration of rigorous testing and validation processes from the lab to deployment, and beyond.

In general, a cautious approach to transitioning to this new architecture is recommended. Any move away from, and coexistence with, reliable legacy technologies should be handled by allowing enough time and resources to assess risks in advance, im­plement appropriate mitigation strategies and clearly define responsibilities in case of failure or incident. While seeking cost or performance benefits through open RAN, network operators and other stakeholders should give sufficient attention to ensuring security, which may necessitate significant investments, in addition to existing 5G security measures.