Spotlight on Tech

Who’s keeping Open RAN secure?

David Soldani
SVP, Innovation and Advanced Research, Rakuten Mobile
Rakuten Mobile
October 26, 2022
minute read

The use of Open RAN in 4G/5G networks is growing as more MNOs trial the technology and start to convert their networks. In addition, Open RAN will be the default technology for 6G networks. This growth and acceptance make it imperative that cyber security defenses can keep systems and services secure.

Open RAN deployments benefit from a disaggregated security scheme with each layer of the solution featuring its own security assurance specifications. Best practices are developed and maintained by experts at industry standards bodies. Let us look at how Open RAN deployments are secured and who maintains the standards and evaluation schema.

Open RAN momentum and benefits

In recent years, Open virtual RAN (vRAN) – or simply: Open RAN – has become a force within the mobile telecom industry, offering several benefits to operators, most notably: lower cost. There is no turning back now on this technology. According to a 2022 report by Dell’Oro, the overall RAN market is expected to top $45 billion by 2030, and Open RAN is projected to account for more than 20 percent of total RAN by then.

Rakuten Mobile’s success with the technology is showing the way. The company has built a nationwide 4G/5G network from scratch in Japan exclusively using Open RAN. Rakuten Mobile now manages more than 300,000 cells deployed with a team of only 250 people. This speed and ease of deployment make a strong case for adopting Open RAN technology.

Open RAN threat landscape

As Open RAN becomes more widely deployed, it is imperative to secure this critical infrastructure.

Bad actors will target (Open) RAN deployments to steal data or disrupt services. As shown in Figure 1, attacks can come from many directions – from the user equipment through to the operations and management layer and from the Internet.

Open RAN threat landscape
Figure 1. Open RAN threat landscape.

To protect from hacking threats, Open RAN takes advantage of established security protocols governed by industry technical specification bodies – most notably 3GPP, O-RAN Alliance and GSMA.

3GPP & O-RAN Alliance SCAS: Protect interfaces

3GPP and O-RAN Alliance have worked together to establish a zero-trust model and provide a series of security assurance specifications (SCAS) meant to protect the open interfaces and other attack vectors that come with Open RAN. The areas protected include:

  • Communications between virtual network functions (VNF)
  • The framework needed for the radio intelligent controller (RIC)
  • The platform used for hosting network functions

There are more than 20 SCAS available at the 3GPP specification website already. The O-RAN Alliance’s Security Work Group has developed 7 SCAS to mitigate the potential threats and vulnerabilities of Open RAN.

GSMA NESAS: Testing for threats

To eliminate the prospect of threats being snuck in on telecom equipment only to be activated when the network is live – the Global System for Mobile Communications Association (GSMA) has created Network Element Security Assurance Scheme (NESAS).

NESAS provides one universal and global security assurance framework that facilitates improvements in the network equipment security levels across the mobile industry.

Using 3GPP technical specifications, NESAS defines security requirements that provide direction to engineering teams on how to secure the network function software they are writing. NESAS also provides test cases to run on network equipment to ensure the functionality of all the SCAS. There are two aspects to NESAS:

  • NESAS Development and Lifecycle Assessment Methodology - defines audit and assessment process for vendor development and product lifecycle process under the GSMA NESAS
  • NESAS Development and Lifecycle Security Requirements - defines security requirements for vendor development and product lifecycle process under the GSMA NESAS

Two examples of high-assurance Open RAN security

When implementing SCAS and complying with the GSMA NESAS, a baseline hacking resilience level is reached for Open RAN components. Additional security attention is needed when deploying the components on cloud-native platforms. Both the initial deployments of CNFs and the continuous updates through DevSecOps pipelines need to be secured, as we explain next.

1. CNF security

A cloud-native network function (CNF) is a network function designed and implemented to run inside containers. CNFs inherit all cloud-native architectural and operational principles, including Kubernetes (K8s) lifecycle management, agility, resilience and observability.

In Open RAN, the disaggregated architecture and containerized approach to running virtual centralized units (vCUs) and distributed units (vDUs) is designed to be easily installed and to interoperate with existing system components. This entire system runs on commercial off-the-shelf (COTS) hardware bringing many benefits to carriers, particularly in terms of the total cost of ownership (TOC), automation and innovation.

Here are some suggestions on how to improve the security posture of cloud-native platforms by deploying appropriate safeguards and best practices, which allow the reduction of exposure to potential cyber threats and timely responses to intrinsic vulnerability coming along with the introduction of the new technologies.

The virtualization infrastructure utilizes the very mature security features built into the host operating system, Kubernetes container platform, containers and images.

Figure 2 shows the security features built into this foundational software platform starting at the infrastructure layer and proceeding to Kubernetes layer, container layer and application layer. Kubernetes has time-tested standards for all these layers that are managed by an open-source consortium ensuring comprehensive security features and fast response to emerging threats.

The Cloud Native Computing Foundation (CNCF) provides a list of essential tests for obtaining a CNF Certification. The security tests listed on the CNCF website give a general overview of what each test does, a link to the test code for that test, and links to additional information when relevant/available.

Open RAN security is built into the virtualization layers.
Figure 2. Security built into the virtualization layers.

2. DevOps security

DevSecOps stands for development, security and operations. It is a new approach to secure the DevOps process. It integrates security as a shared responsibility throughout the entire software development lifecycle, as shown in the figure below.

A diagram of DevOps security

In a Kubernetes cluster, the deployment of Open RAN instances comprises the build, deploy and runtime stages, and you need to properly address security and observability at all stages.

Teams across operation, platform, networking, security and compliance are the teams in charge of the seamless deployment and operation of the applications and network microservices.

Only a strong collaboration between these teams will ensure efficient and effective DevSecOps, as security and observability are a shared responsibility of all the teams involved, as not a single organization can mitigate all current and future risks alone.

6G to be cloud-native and secure by design

Open RAN and broader network disaggregation trends are carrying over into 6G, which is expected in the year 2030. Standards bodies involved in planning the technology have formed next-generation research groups (nGRGs) to develop 6G standards. The main technical specification body for Open RAN is the O-RAN Alliance, and it has formed its own nGRG to research the role that an open and intelligent vRAN will play in 6G. The direction these nGRG’s are taking now indicates that 6G will be the first wireless generation to be designed based on virtualization and open interfaces.

This will make Open RAN the default option for building networks and provide better support for the technology and improve Open RAN’s interoperability, network visibility, innovation and cost-effectiveness benefits.


As of today, there have been no reports of the hacking of an Open RAN deployment, but that is no reason to celebrate or let down our collective guard. Indeed, it’s more important than ever to focus on security as Open RAN grows in popularity.

There is a good security infrastructure in place with time-tested technologies to protect Kubernetes and the main industry bodies working together to protect the Open RAN interfaces and deployments. Working together as an industry, we can help keep these vital networks protected.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Open RAN

How can Symphony help?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Notice for more information.