FYUZ 2022: Rakuten Symphony publishes ‘definitive’ guide to OpenRAN Security

Just as the Telecom Infra Project (TIP) OpenRAN Project Group opened its FYUZ event in Madrid and published an OpenRAN Release 2 roadmap to show the detailed technical requirements of the communications standard, operator Rakuten Symphony has released its own documentation addressing one of the key issues that could stand in the way of the comms software’s success: security.

TIP member Rakuten Symphony has been at the forefront of OpenRAN development, as well as part of a partnership with Virgin Media O2 to drive OpenRAN services in the UK.

In August 2022, the partners announced that their joint multi-supplier OpenRAN deployment was entering the field phase, commencing with the activation of the first live sites in Virgin Media O2’s commercial network.

The multi-supplier OpenRAN system deployment on macro-sites in the UK is said to be notable for being in a brownfield network and baselined on the existing Telco Cloud supply chain to maximise future synergies.

The company’s new publication, A definitive guide to OpenRAN security, has been released in the wake of what the company said is sustained industry dialogue questioning the security of OpenRAN networks.

The guide details the potential planes of attack and recommended strategies to mitigate risk from a total software system, configuration and operational perspective. It is based on Rakuten Mobile’s Open RAN implementation in Japan, which is said to be the largest such deployment in the world.

The company believes that the information, strategies and principles shared in the guide can form the foundation for secure OpenRAN networks anywhere.

The guide fundamentally acknowledges that while risk remains a persistent presence and always will, management, not avoidance, represents the best path forward. It also cedes that OpenRAN security isn’t as simple as relying on interoperability standards. Rakuten Symphony instead advocates for an approach that evaluates industry best practices, collaboration and innovation, and sets the best security and privacy strategies based on individual regulatory and market context.

“Is Open RAN secure? It depends on who you ask, and that is a major problem,” said Tareq Amin, CEO of Rakuten Mobile and Rakuten Symphony.

“Rather than endlessly debate misinformation meant to spread doubt about the security of next-gen networks, we are openly sharing a definitive guide any mobile operator can adopt as the foundation of a successful security strategy for OpenRAN. As these new networks are deployed en masse by new and incumbent operators alike, we want to move the industry past a conversation focused on ‘if’ to a more helpful one focused on ‘how’.”

The guide also reviews security requirements unique to OpenRAN telecom assets, including new infrastructure, network functions, interfaces and critical data. OpenRAN network vulnerabilities and how they can be exploited by attackers are covered in detail before presenting nine security principles that form the basis for Rakuten Symphony’s proposed approach.

The guide then expands into greater detail specific to establishing a secure cloud-native platform for OpenRAN network functions, trust between OpenRAN network functions, secure management of OpenRAN networks and container security.

“3GPP and the O-RAN Alliance provide base blueprints and design principles for securing telco-specific functions and interfaces through security controls which must be implemented by vendors and operators to reach a high level of hacking resistance, in particular for the IT and cloud systems underpinning modern networks,” said Nagendra Bykampadi, head of security architecture and standards at Rakuten Symphony, co-chair of O-RAN Alliance Security Work Group (WG11) and main author of the guide.

“When implementing these controls, vendors and operators can borrow knowledge and experience from related cloud-powered industries, and we are sharing what we know today to help contribute to the global security of new networks.”