The O-RAN ALLIANCE Security Focus Group Progresses in Defining O-RAN Security Solutions

The O-RAN ALLIANCE Security Focus Group (SFG) is committed to creating O-RAN specifications that enable mobile network operators to deploy and operate an open RAN that meets and exceeds industry expectations for an open, interoperable, and secure system.

The first announcement dated Oct 24, 2020, introduced SFG activities and its roadmap. The announcement highlighted SFG focus areas, potential security controls and target timelines.

Since then, the SFG has made tremendous progress in defining security solutions for many of the O-RAN interfaces and functions. This announcement is the second in the series and gives an update on SFG progress on the key topics identified in the first one.

A primary aspect of O-RAN specifications is to provide specifications for open and interoperable implementations of radio access networks that are consistent with 3GPP mobile network specifications. This also applies to the focus of O-RAN's security work. The SFG intent is to make O-RAN security specifications that are consistent with 3GPP specifications. Similar to the 3GPP, the O-RAN ALLIANCE accepts that operational aspects are outside the scope of the technical specifications and operators must take further measures to reduce risks to their networks. If changes to improve security are needed in 3GPP specifications, those changes would best be made directly through 3GPP processes and specifications for broader applicability.

The SFG continues to focus its priorities on areas that will make O-RAN implementations as secure or more secure than closed proprietary implementations. The O-RAN open and modular architecture has the inherent challenge of creating security requirements and specifications for its new interfaces, and that is the focus of much of our work. While these added interfaces may appear to create new attack surfaces, many of these interfaces also exist in non-open RAN implementations, where there are no explicit descriptions or requirements for their implementations of security. The O-RAN version of these interfaces can be more secure than proprietary implementations by avoiding potential reliance on "security by obscurity" and instead creating implementations that explicitly and openly address those challenges through requirements, designs, specifications, and test cases.

The SFG work is captured in four security specifications that are the pillars of the O-RAN security architecture. Currently available SFG specifications were approved in July 2021 and are accessible on the O-RAN ALLIANCE web site at https://www.o-ran.org/specifications.

‍

O-RAN Security Threat Modeling and Remediation Analysis 2.0

This document is a risk-based threat modeling and remediation analysis used for managing risks and for building an effective O-RAN security architecture. O-RAN SFG conducted a risk-based security analysis in accordance with ISO 27005 to help define an effective O-RAN security architecture that manages and decreases risks to the overall O-RAN system. The risk assessment process has three main parts: risk identification, risk analysis and risk evaluation. The assessment identifies the assets to be protected, the potential vulnerabilities in O-RAN components, and potential threats associated with those vulnerabilities that could compromise O-RAN assets. The analysis both drives the development of O-RAN security requirements and provides security principles, which vendors and operators should address when building a secure end-to-end O-RAN system. Finally, it provides a risk assessment framework that can be used to assess the criticality of threats based on their potential to occur and the amount of damage inflicted.

‍

O-RAN Security Requirements Specifications v1.0

This document specifies the initial security requirements per O-RAN Interface and per O-RAN component. Requirements address confidentiality, integrity, and availability protection by considering key controls such as authentication, authorization, replay protection, least privilege access control, and zero-trust among others. V1.0 of this document contains:

• Confidentiality, Integrity, Replay protection and Authentication mandatory requirements for A1, O1, O2, E2 interfaces.
• Least Privilege Access Control on O1 interface enforcement with IETF RFC- 8341 Network Configuration Access Control Model (NACM) requirements.
• Authentication and Authorization based on IEEE 802.1x Port based Network Access Control requirements to control network access in point-to-point LAN segments across the Open Fronthaul interface.
• Optional support for TLS 1.2+ and PKIX for mutual authentication on the Fronthaul M-Plane (Reflected in O-RAN WG4 Open Fronthaul Management Plane Specification v7.0 - July 2021 (O-RAN.WG4.MP.0-v07.00))

‍

O-RAN Security Protocols Specifications v2.0

‍

This document specifies security protocols used by O-RAN compliant implementations. It defines implementation requirements for SSH, IPSec, DTLS, TLS 1.2, TLS 1.3 and NETCONF support over secure transport.

The SFG and O-RAN Technical Steering Committee (TSC) have recently approved (November 2021) additional security specifications documents that will be published after securing the final approval. These new documents will cover:

‍

O-RAN Security Tests Specifications v1.0

This new specification document provides description of the Security Tests which validate security functions, configurations and security protocols requirements and is the first step toward verifiability of O-RAN security requirements. It contains sets of tests to validate proper implementations of security protocols as defined in O-RAN Security Protocols Specifications (SSH, TLS, DTLS and IPSec). Tests for O-RAN components related to transversal requirements defined in O-RAN Security Requirements are specified for Networks Protocols and Services, DDoS attack protection, password protection policies and vulnerability scanning.

‍

O-RAN Security Threat Modeling and Remediation Analysis v2.1

The new version provides a deep analysis of the Fronthaul interface which includes refined details and new threats to the Open Fronthaul Control and Synchronization planes.

‍

O-RAN Security Protocols Specifications v3.0

This document adds mandatory support for TLS 1.3 to comply with National Institute of Standards and Technology’s (NIST) directive to have support by January 1, 2024.

‍

O-RAN Security Requirements Specifications v2.0

This document adds:

• Mandatory support for TLS 1.2+ and Public Key Infrastructure X. 509 (PKIX) for mutual authentication on the Fronthaul M-Plane (Will be reflected in O-RAN WG4 Open Fronthaul Management Plane Specification v8.0)
• Transversal requirements and tests cases (see Security Tests Specifications above) for Networks Protocols and Services, DDoS attacks protection, password protection policies and vulnerability scanning.
• Software supply chain security support in the form of Software Bill Of Material (SBOM) requirements for every O-RAN software delivery following NTIA guidance.

Those four documents are regularly updated and revised to reflect evolving threats and attack vectors, and to specify new security requirements, controls, and related test cases.

‍

‍

Ongoing work items

The SFG has identified risks through threat modeling and risk analysis and is collaborating with other O-RAN Working Groups (WG) on additional security enhancements. These include:

• Securing the O-Cloud: WG 6 and the SFG are tackling security challenges related to O-Cloud environments. To address the security of O-Cloud, the roles, and responsibilities of users likely to interact with the O-Cloud will be defined. The O-RAN Security Threat Model and Risk Analysis framework will be used to provide a security risk assessment of the different O-Cloud deployment models, e.g. Private, Public, Hybrid, Community, to help O-RAN stakeholders assess the risks that they may face in different O-RAN cloud deployments. The SFG will use the output from these efforts to security requirements, controls, and good practices for enhancing the security of O-Cloud.
• Securing the Fronthaul interface and its participating Network Elements: SFG and WG4 are tackling specific threats toward Synchronization, Control and User planes and investigating solutions to secure these planes. SFG has proposed use of IEEE 802.1X Port based Network Access Control (PNAC) protocol to protect these messages on the Fronthaul. It is also considering possible application of IEEE 1588 TLV security profiles for protecting S-plane messages, and IEEE 802.1AE MACSec for protecting Control and User plane messages.
• Securing the Near-Real-Time Radio Intelligent Controller (Near-RT RIC) platform, xApps, and related interfaces: SFG and WG3 are analyzing a list of key issues in the Near-RT RIC and xApps including isolation compromises, malicious A1 policies, ML vulnerabilities, data compromises, the trust model for 3rd party applications, Near-RT RIC APIs authentication and authorization, and the secure onboarding of xApps.
• Securing the SMO Non-Real-Time RIC (Non-RT RIC) and rApps: A recently created Work Item, involving SFG and WG2 experts, has been created to tackle security of the Non-RT RIC, rApps and their related interfaces. They will follow a risk-based approach with identification of threats actors, attack surface, potential exploits and their impacts. Controls will then be specified targeting PKI with X.509 certificates, multifactor authentication, Role Based Access Control, and logging strategy.
• Specifying the security test strategies and test cases: A specific SFG work item is dedicated to updating the Security Test Specifications document with tests cases for the newly created security requirements and controls and to collaborating with O-RAN Test and Integration Focus Group (TIFG) on a new security badging technical procedure.  
• Updating the O-RAN risk analysis with likelihood scores according to ISO 27005 standard with consideration of Zero Trust Architecture (ref NIST SP 800-207) (to be completed by March 2022), thus providing accurate vision of risks with combination of their potential impacts and likelihood. The scoring exercise is to be periodically updated to account for mitigation provided by newly defined security specifications.

‍

‍

A Path Towards Baseline O-RAN Specifications

In addition to these ongoing work items, SFG has identified workstreams to tackle Certificate Management, Application Life Cycle Management, and guidelines for secure contribution and use of open-source software. With those action plans the O-RAN SFG is on track to deliver a baseline of security specifications that will cover most of the O-RAN architecture by mid-2022. Progress will be published in an announcement in March-April 2022 after the approval of the next set of specifications.

The O-RAN ALLIANCE will continue to work towards the vision of a fully open and intelligent RAN through the definition of innovative use cases and a secure network architecture that can be deployed commercially with interoperable, verified multi-vendor solutions.

‍