Open radio access network (O-RAN) is the latest buzzword in the telecom sector. By enabling automated and accelerated provisioning of network capacity and services, greater control over the development of enhanced network services, the opportunity to work with best-in-class suppliers, and reduced network equipment and operating expenses, these networks offer telcos greater flexibility. Further, the technology is cost efficient as it reduces the operators’ reliance on exclusive vendors and decreases the expenditure incurred on infrastructure. Moreover, open networks can help diversify and reinvigorate the supply chain by promoting competition and innovation. For instance, operators can focus on building and operating a RAN based on mix-and-match components from different vendors.

Owing to the various advantages of the technology, operators across the globe as well as in India are warming up to the idea of building O-RAN architectures.

While O-RAN has several benefits, there are also certain risks in its deployment. Owing to the interoperability feature of O-RAN, testing of these networks is also riddled with challenges. Thus, as the industry evolves towards O-RAN networks, it is important that a risk-based approach is adopted along with efficient testing strategies in order to adequately address the security concerns regarding this new technology.

A look at the security and testing challenges faced while working with open networks…

O-RAN testing and measurement – A key challenge

The creation of seamless and flexible interoperability in a multivendor, open ecosystem introduces new test, management and integration challenges that require diligence and cooperation. The key challenges that operators need to address while considering O-RAN are interoperability, ownership accountability, troubleshooting and isolation of problems, and managing and orchestrating all multivendor virtual network functions and physical network functions on a common cloud infrastructure, which may also be multivendor.

Further, the number of test cases operators and network equipment manufacturers need to go through and the amount of testing required are much greater with O-RAN as compared to traditional RAN. This is because of a larger combination of vendors under the O-RAN system, which dramatically increases the cycle time for testing every software release and every regression, and for implementing testing automation.

To address these challenges, an open test and integration centre (OTIC) has been established in Berlin, Germany, as a collaborative hub for commercial O-RAN development and interoperability testing. The operator-led OTIC initiative benefits from the support of global telecom organisations with a shared commitment to verification, integration, testing and validation of disaggregated RAN components.

The OTIC lab provides a structured environment with common test platforms and practices that enable software developers, equipment manufacturers and system integrators to verify functional compliance with O-RAN Alliance specifications. The lab enables interoperability of disaggregated 5G access infrastructure elements to be fully validated prior to network deployment. However, operators must take responsibility for multivendor, disaggregated elements and make sure they undertake collaborative efforts to maintain quality of experience standards for O-RAN. Further, telcos need to integrate robust multivendor testing processes from the lab to the field and beyond, to fully realise and reap open network architecture benefits.

Security challenges

Security is an essential aspect for any technology, and the threat surface area increases as more vendors are brought into a RAN, especially through their interfaces. Virtualisation and the use of cloud platforms help better utilise hardware resources between different applications. However, they can also introduce security risks. In fact, recently discovered vulnerabilities such as Meltdown and Spectre reveal that there could be increased security risks when sharing hardware resources.

Industry analysts have highlighted that since O-RAN can be implemented as a multivendor network, each one of the applications can come from a different vendor. This sourcing of applications from multiple places gives rise to a situation where each application exposes an application programming interface (API) to the services it provides and this opens up avenues for potential security risks.

Further, since O-RAN network deployment would be heterogeneous, some apps would reside on cell sites, others in an operator’s private cloud and some outside of the operator’s private cloud, such as on an HCP cloud. Analysts note that this deployment strategy breaks the prevailing security model, in which the operator RAN is secured via a security perimeter. Such a deployment strategy assumes a zero-trust network.

According to Ericsson, in the case of virtualisation and cloud environments, there are many layers that need to be considered to ensure that the trust chain is maintained between applications and the underlying hardware. The authentication process is the base for establishing a secure communication channel, but it must trust the layers underneath to attest that the node, layer or data set has not been compromised. Further, as there are different layers between the hardware and its security functions and the application, one needs standardised interfaces and APIs to use the hardware security functions and allow them to attest to and validate the layers above.

Mitigating security risks

In order to tide over the security challenges posed by O-RAN, it is imperative to adopt industry best practices. Industry experts have expressed that operators should adopt an end-to-end strategy to address API security, including the authentication of APIs and segregation of duties, and the use of hardware-secured asset tags and other methodologies. Further, data protection should be enabled in real time using modern vulnerability assessment and threat management technologies such as advanced infrastructure security protection and threat analysis. Network participants need protocols for proper authentication and authorisation, including user identity verification for roaming and cloud services, security identification for themselves, and identification of network usage behaviour and mobility patterns via machine learning technology. Moreover, security policies and procedures should be standardised at the global level.

Participants also need standardised policies for data storage, management and fraud detection and response. Another important concern is ensuring the safety of the physical supply chain, which can be accomplished by holding vendors responsible for the security of the products and services delivered. Essentially, communication service providers and other key participants need shared playbooks outlining categories of risks, mitigation actions and teams responsible for carrying out remediation. Time is a critical factor in responding to attacks, and the playbook reduces uncertainty and response time.

The way forward

With O-RAN, telecom networks will utilise solutions from multiple vendors. Thus, it will become challenging for both operators and equipment manufacturers to ensure interoperability, manageability, optimisation and end-to-end performance of disparate components. Ensuring that the components sourced from different vendors work together seamlessly has become a top priority. Interoperability testing can be challenging, especially for distributed units (DUs), due to high flexibility in protocol implementations and the need for tight synchronisation with radio units (RUs). Testing solutions that provide broad capabilities to cover RUs from different vendors are critical to succeed at O-DU interoperability testing. Moreover, there is a possibility of encountering incompatible configurations from multiple possible combinations of software and hardware.

Besides increasing operators’ expenses on testing in a multivendor environment, troubleshooting is likely to become difficult as operators will require vendor-independent validation and troubleshooting to resolve network performance issues, which might not be the case in traditional single-vendor networks. The industry has taken several initiatives such as forming alliances of vendors and operators to test and validate interoperability in a controlled and managed environment.