The O-RAN ALLIANCE Security Work Group, or WG11, continues developing O-RAN specifications that enable mobile network operators to operate an open RAN that meets and exceeds industry expectations for an open, interoperable, and secure system. 2022 saw the promotion of the Security Focus Group (SFG) to a Work Group, further emphasizing the O-RAN ALLIANCE’s focus on security by design.
WG11 provides public updates, through announcements, on the O-RAN security specification process. The first, dated Oct 24, 2020, introduced WG11 activities and its roadmap. The Dec 29, 2021 announcement described the focus areas, potential security controls and target timelines to complete security specifications. This third announcement highlights the new security features, requirements, and security roadmap for the next 12 months.
Figure 1 shows the O-RAN architecture, which is the scope of O-RAN security, including the O-RAN defined interfaces (A1, O1, O2, E1 and Open Fronthaul), and the O-RAN components (Service Management and Orchestration (SMO), Non-Real Time RIC, Near-Real Time RIC, O-CU-CP, O-CU-UP, O-DU, O-RU, O-Cloud and O-eNB).
WG11’s work is captured in four security specifications that form the pillars of O-RAN security. The July 2022 WG11 updates to the specifications are publicly accessible on the O-RAN ALLIANCE web site.
This post outlines the mandatory and optional controls on interfaces, the universal requirements on all components, and the areas of active study.
Table 1 is a snapshot of the mandatory interface security controls enforcing authenticity, confidentiality, integrity, authorization, data origination, and replay prevention. Details can be found in O-RAN Security Requirements Specifications 4.0, O-RAN Security Protocols Specifications 4.0, and O-RAN Management Plane Specification 9.0.
Authorization for the E2 interface is being developed in collaboration with the Near-Real Time RIC and E2 interface work group. PDCP requirements are specified by the 3GPP in TS 33.501.
Table 2 lists the optional security controls on the open fronthaul interfaces with details in O-RAN Security Requirements Specifications 4.0. WG11 is currently working with other O-RAN work groups to mandate support of IEEE 802.1X.
Universal requirements apply to all O-RAN elements and in some cases will make certain aspects of O-RAN more secure than traditional RAN deployments. Table 3 lists the mandatory O-RAN requirements for each category of universal requirements with details in O-RAN Security Requirements Specifications 4.0.
The O-RAN ALLIANCE web site also has WG11 studies on the Near-Real Time RIC and xApps, the Non-RT-RIC, and the O-Cloud that are driving the development of security standards in these areas. Table 4 provides a quick reference of the new security work underway and how it will improve O-RAN security.
Built on the foundation of the O-RAN Security Tests Specifications 2.0, O-RAN Security Test Specification 3.0 provides test specifications for common network security tests, e.g., a network protocol fuzzing guideline; software composition analysis, e.g., Software Bill of Materials (SBOM) verification; Open Fronthaul Point-to-Point LAN Segment security verification based on 802.1X port-based network access control; and O1 interface Network Configuration Access Control Model (NACM) verification. Vendors and operators can use these tests to assess the security of their products and deployments. New security tests are added to the specification as new security requirements are developed.
The O-RAN ALLIANCE will continue to work towards the vision of a fully open and intelligent RAN through the definition of innovative use cases and a secure network architecture that can be deployed commercially with interoperable, verified multi-vendor solutions.