Open RAN Security Fundamentals | O-RAN Security Training

Open RAN Security Fundamentals | O-RAN Security Training

A common issue raised about Open RAN security revolves around challenges created by shifting to a disaggregated or “open” environment.

Open RAN security is an important matter because an unprotected management interface provides an easily exploitable vulnerability in the RAN.

The benefits of Open RAN include diversifying the supplier ecosystem, introducing new innovation models, lowering total cost of ownership (TCO) and unlocking new revenue opportunities in private cellular networks and shared/wholesale neutral hosting.

However, the downside is the security issues such as providing a larger attack surface, increased risk of misconfiguration, and immature specifications that are not secure by design.
Additionally, Open RAN could lead to new critical dependencies in cloud components.

Analysts feel the most concerning Open RAN security risk in 5G is the cloud. Other than the risks associated with moving to cloud infrastructure, the single biggest cybersecurity challenge is getting the vendors to step up their game.

Experts in this field recommend that telecoms working with Open RAN vendors be prepared to manage deliverables through proper contracts and service level agreements.

According to IEEE, a hardware-related issue that can pose additional challenges is that the design code used to create platform semiconductors is often proprietary, but must also be reviewed and verified. And, even if it’s open, the process of reviewing hardware design code is much more complex than reviewing software code.

Many feel, that Open RAN complexity is actually at the heart of the security concerns. For one thing, the containerization and microservice architecture is somewhat different to what the industry is used to with RAN. There’s also complexity introduced through the increasing number of players in the ecosystem.

The Open RAN industry is fragmented with many competing implementations, and it still needs to consolidate. And as systems engineers know, the complexity in any single implementation does present security risk.

Open RAN has been trending with the onset of 5G. Open RAN helps service providers avoid vendor lock-in while encouraging vendor diversity. Service providers don’t want to deploy single-vendor solutions for their radio access networks, where equipment and software are provided by a single vendor.

Open RAN Security Fundamentals | O-RAN Security Training by Tonex

Open RAN Security Fundamentals, O-RAN Security Training is a 2-day course that provides a solid introduction to Radio Access Network (RAN), Open RAN 101, O-RAN architecture, virtualization, O-RAN security features, O-RAN vulnerabilities and operation and deployment security options.

Open RAN Security Fundamentals covers the security of disaggregated and open RAN architectures: all aspects of interoperability of open hardware, software, and interfaces for cellular wireless networks.

Security principles of Open RAN implementation are discussed: disaggregation of software from hardware which allows Radio Access Network (RAN) software to run on any common hardware platform such as those based on Intel x86 and ARM architectures. Security features of  Application Specific Integrated Circuits (ASICs) and Digital Signal Processors (DSPs) are covered. ASICs, DSPs and FPGA provide the nodal specifications and open, interoperable modules.

Learn security considerations for several key technical aspects of Open RAN (O-RAN):

• Multi-vendor management
• Open Fronthaul connecting radios to base station equipment
• RAN application framework comprising rApps and xApps
• Artificial Intelligence/Machine Learning (AI/ML) for RAN optimization
• Other general network considerations including open-source software, virtualization, and a cloud based 5G core network.

Learning Objectives

After completing this course, the participants will be able to:

• Learn about the fundamental concepts of Open RAN (O-RAN) systems
• Sketch the O-RAN network architecture and O-RAN components
• Discuss security architecture and procedures for O-RAN
• Explain O-RAN security issues, attacks and mitigation
• Learn about O-RAN pentesting and ethical hacking method using GNU Radio, hackRF one, PortoPack HackrRF One and other mechanisms (Demos and Hands-on activities)
• How to implement security on O-RAN
• Overview of O-RAN confidentiality, integrity, authentication, intrusion detection and prevention
• List  O-RAN attack vectors and security key hierarchy

Course Modules

Introduction to Open RAN (O-RAN)

• O-RAN Alliance Network Architecture
• CP (Control Plane)
• O-CU (Open CU)
• O-DU (Open DU)
• O-RU (O-RAN Radio, Open RAN Remote Unit)
• M-Plane (Open Fronthaul Management Plane)
• UP ( User Plane)
• O-RAN Alliance rApps and xApps
• RAN Intelligent Controller (RIC)
• Open Source software benefits and software risks
• Legacy System vs. O-RAN Security
• O-RAN Risk Management Tasks

O-RAN Security Considerations

• O-RAN Security Threat Modeling and Remediation Analysis
• Threat Models
• Threat Surfaces
• Threat Agents
• Potential Vulnerabilities

Threats against O-RAN system

• Threats against O-CLOUD
• Threats to open-source code
• Physical Threats
• Threats against 5G radio networks
• Threats against ML system
• Protocol Stack Threats
• Coverage matrix of threats
• Network Functions and Applications
• Service Management and Orchestration (SMO)
• Non-RT RIC and rApps
• Near-RT RIC and xApps
• Cloud computing platform
• O-Cloud comprising a collection of physical infrastructure nodes that meet O-RAN requirements to  host the relevant O-RAN functions (such as Near-RT RIC, O-CU-CP, O-CU-UP, and O-DU), the  supporting software components (such as Operating System, Virtual Machine Monitor, Container  Runtime, etc.) and the appropriate management and orchestration functions
• O-RAN Security Requirements Specifications
• O-RAN Security Protocols Specifications
• O-RAN Security Tests Specifications

Security Issues with Multi-Vendor Management

• Issues with Supply-Chain Security
• Software and Hardware Components
• Component Lifecycle
• Open Fronthaul Security
• Open Fronthaul Security Objectives
• Confidentiality and integrity of mobile subscriber data
• Open Fronthaul to transport 5G air interface messages
• Authenticity for Open Fronthaul
• rApps / xApps Security Considerations
• Open Source Software (OSS) Security
• Virtualization and Cloudification Security
• Distributed Denial-of-Service (DDoS)
• Applications of AI and ML in O-RAN Security
• Published Attacks on AI/ML in RAN
• Cloud Shared Responsibility Matrix
•  Virtualization, Cloud and DDoS References
• Cloud Shared Responsibility Matrix

Analysis of Multi-vendor Security Roles and Responsibilities

• Mobile Network Operator (MNO)
• HW/ Network vendor
• HW/ Network administrator
• NF vendor
• NF administrator
• Virtualization/Containerization hardware infrastructure provider
• Virtualization/Containerization hardware infrastructure administrator
• Virtualization/Containerization software infrastructure provider
• Virtualization/Containerization software infrastructure administrator
• System tester

Analysis of O-RAN Security Principles

• SP-AUTH Mutual Authentication
• SP-ACC Access Control
• SP-CRYPTO Secure cryptographic, key management and PKI
• SP-TCOMM Trusted Communication
• SP-SS Secure storage
• SP-SB Secure boot and self-configuration
• SP-UPDT Secure Update
• SP-RECO Recoverability & Backup
• SP-OPNS Security management of risks in open-source components
• SP-ASSU Security Assurance
• SP-PRV Privacy
• SP-SLC Continuous security development, testing, logging, monitoring and vulnerability handling
• SP-ISO Robust Isolation
• SP-PHY Physical security
• SP-CLD Secure cloud computing and virtualization
• SP-ROB Robustness

O-CLOUD Architecture Security

• The SMO components managing and orchestrating the O-Cloud software
• Federated O-Cloud Orchestration and Management (FOCOM)
• Network Function Orchestrator (NFO)
• Infrastructure Management Services (IMS)

Analysis of Attack Surfaces

• AAL (Accelerator Abstraction Layer)
• CNF (Containerized Network Function)
• IMS (O-Cloud Infrastructure Management Services)
• RIC (RAN Intelligent Controller)
• SMO (Service Management and Orchestration)
• VNF (Virtualized Network Function)
• VNFs/CNFs: O-DU, O-CU, O-RU, Near RT-RIC/xApps
• Images repository with its interface to O-Cloud
• Virtualization layer: Hypervisor and/or Container Engine, Host OS
• Hardware resources including compute, storage, network, and hardware accelerator manager
• O-Cloud API
• O2dms and O2ims interfaces
• NFO and Federated O-Cloud O&M (FOCOM) within the SMO

Analysis of O-RAN AI/ML Use Cases

• Traffic Steering
• QoE and QoS Optimization
• Massive MIMO Optimization
• RAN Slice SLA Assurance
• Context Based Dynamic Handover Management for V2X
• Flight Path Based Dynamic Unmanned Aerial Vehicle (UAV) Resource Allocation

Workshop 1: Analysis of O-RAN Security Vulnerabilities 

• Security vulnerabilities exploited through attacks against Confidentiality, Integrity, and Availability:
• O-RAN specific vulnerabilities
• Unauthorized access to O-DU, O-CU-CP, O-CU-UP and RU to degrade RAN performance or execute broader network attack (Availability)
• Unprotected synchronization and control plane traffic on Open Fronthaul Interface (Integrity and Availability)
• Disable over-the-air ciphers for eavesdropping (Confidentiality)
• Near-RT RIC conflicts with O-gNB (Availability)
• x/rApps conflicts (Availability)
• x/rApps access to network and subscriber data (Confidentiality)
• Unprotected management interface (Confidentiality, Integrity, Availability)
• CP UL or DL messages can be injected for attack on UP (Availability)

Workshop 2: Overview of Security protocols specifications for O-RAN compliant implementation

• SSH (Secure Shell)
• TLS (Transport Layer Security)
• Support NETCONF (Network Configuration Protocol) over secure Transport
• DTLS (Datagram Transport Layer Security)
• IPsec