The O-RAN ALLIANCE Security Focus Group (SFG) is committed to creating O-RAN specifications that enable mobile network operators to deploy and operate an open RAN that meets and exceeds industry expectations for an open, interoperable, and secure system.
The first announcement dated Oct 24, 2020, introduced SFG activities and its roadmap. The announcement highlighted SFG focus areas, potential security controls and target timelines.
Since then, the SFG has made tremendous progress in defining security solutions for many of the O-RAN interfaces and functions. This announcement is the second in the series and gives an update on SFG progress on the key topics identified in the first one.
A primary aspect of O-RAN specifications is to provide specifications for open and interoperable implementations of radio access networks that are consistent with 3GPP mobile network specifications. This also applies to the focus of O-RAN's security work. The SFG's intent is to make O-RAN security specifications that are consistent with 3GPP specifications. Similar to 3GPP, the O-RAN ALLIANCE accepts that operational aspects are outside the scope of the technical specifications and operators must take further measures to reduce risks to their networks. If changes to improve security are needed in 3GPP specifications, those changes would best be made directly through 3GPP processes and specifications for broader applicability.
The SFG continues to focus its priorities on areas that will make O-RAN implementations as secure as, or more secure than, closed proprietary implementations. The O-RAN open and modular architecture has the inherent challenge of creating security requirements and specifications for its new interfaces, and that is the focus of much of our work. While these added interfaces may appear to create new attack surfaces, many of these interfaces also exist in non-open RAN implementations, where there are no explicit descriptions or requirements for their implementations of security. The O-RAN version of these interfaces can be more secure than proprietary implementations by avoiding potential reliance on "security by obscurity" and instead creating implementations that explicitly and openly address those challenges through requirements, designs, specifications, and test cases.
The SFG work is captured in four security specifications that are the pillars of the O-RAN security architecture. Currently available SFG specifications were approved in July 2021 and are accessible on the O-RAN ALLIANCE web site at https://www.o-ran.org/specifications.
This document is a risk-based threat modeling and remediation analysis used for managing risks and for building an effective O-RAN security architecture. O-RAN SFG conducted a risk-based security analysis in accordance with ISO 27005 to help define an effective O-RAN security architecture that manages and decreases risks to the overall O-RAN system. The risk assessment process has three main parts: risk identification, risk analysis and risk evaluation. The assessment identifies the assets to be protected, the potential vulnerabilities in O-RAN components, and potential threats associated with those vulnerabilities that could compromise O-RAN assets. The analysis both drives the development of O-RAN security requirements and provides security principles, which vendors and operators should address when building a secure end-to-end O-RAN system. Finally, it provides a risk assessment framework that can be used to assess the criticality of threats based on their potential to occur and the amount of damage inflicted.
This document specifies the initial security requirements per O-RAN Interface and per O-RAN component. Requirements address confidentiality, integrity, and availability protection by considering key controls such as authentication, authorization, replay protection, least privilege access control, and zero-trust among others. V1.0 of this document contains:
This document specifies security protocols used by O-RAN compliant implementations. It defines implementation requirements for SSH, IPSec, DTLS, TLS 1.2, TLS 1.3 and NETCONF support over secure transport.
The SFG and O-RAN Technical Steering Committee (TSC) have recently approved (November 2021) additional security specification documents that will be published after final approval is secured. These new documents will cover:
This new specification document describes the security tests that validate security functions, configurations, and security protocol requirements, and is the first step toward verifiability of O-RAN security requirements. It contains sets of tests to validate proper implementations of security protocols as defined in O-RAN Security Protocols Specifications (SSH, TLS, DTLS and IPSec). Tests for O-RAN components related to transversal requirements defined in O-RAN Security Requirements are specified for Networks Protocols and Services, DDoS attack protection, password protection policies and vulnerability scanning.
The new version provides a deep analysis of the Fronthaul interface which includes refined details and new threats to the Open Fronthaul Control and Synchronization planes.
This document adds mandatory support for TLS 1.3 to comply with National Institute of Standards and Technology’s (NIST) directive to have support by January 1, 2024.
This document adds:
Those four documents are regularly updated and revised to reflect evolving threats and attack vectors, and to specify new security requirements, controls, and related test cases.
The SFG has identified risks through threat modeling and risk analysis and is collaborating with other O-RAN Working Groups (WG) on additional security enhancements. These include:
In addition to these ongoing work items, SFG has identified workstreams to tackle Certificate Management, Application Life Cycle Management, and guidelines for secure contribution and use of open-source software. With those action plans the O-RAN SFG is on track to deliver a baseline of security specifications that will cover most of the O-RAN architecture by mid-2022. Progress will be published in an announcement in March-April 2022 after the approval of the next set of specifications.
The O-RAN ALLIANCE will continue to work towards the vision of a fully open and intelligent RAN through the definition of innovative use cases and a secure network architecture that can be deployed commercially with interoperable, verified multi-vendor solutions.
O-RAN ALLIANCE Security Focus Group Co-chairs:
Sebastien Jeux (Orange) and
Nagendra Bykampadi (Altiostar)