The EU has published a report on the cybersecurity of Open RAN, a 4G/5G (maybe even 2G?) network architecture the European Commission says will provide an alternative way of deploying the radio access part of 5G networks over the coming years, based on open interfaces. The EU noted that while Open RAN architectures create new opportunities in the marketplace, they also raise important security challenges, especially in the short term.
“It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realized,” the report said.
The report found that Open RAN could bring potential security opportunities, provided certain conditions are met. Namely, through greater interoperability among RAN components from different suppliers, Open RAN could allow greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier.
Open RAN could also help increase visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation, and increase flexibility through the use of virtualisation and cloud-based systems.
However, the Open RAN concept still lacks maturity, which means cybersecurity remains a significant challenge. Especially in the short term, by increasing the complexity of networks, Open RAN could exacerbate certain types of security risks, providing a larger attack surface and more entry points for malicious actors, giving rise to an increased risk of misconfiguration of networks and potential impacts on other network functions due to resource sharing.
The report added that technical specifications, such as those developed by the O-RAN Alliance, are not yet sufficiently secure by design. This means that Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud.
The EU recommended the use of regulatory powers to monitor large-scale Open RAN deployment plans from mobile operators and if needed, restrict, prohibit or impose specific requirements or conditions for the supply, large-scale deployment and operation of the Open RAN network equipment.
Technical controls such as authentication and authorization could be reinforced and a risk profile assessed for Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators. The EU added that including Open RAN components into the future 5G cybersecurity certification scheme, currently under development, should happen at the earliest possible stage.
Following up on the coordinated work already done at EU level to strengthen the security of 5G networks with the EU Toolbox on 5G Cybersecurity, Member States have analysed the security implications of Open RAN.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure. Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realised.”
Thierry Breton, Commissioner for the Internal Market, added: “With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report. It is not up to public authorities to choose a technology. But it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe’s 5G networks of Open RAN lead to new vulnerabilities.”
Guillaume Poupard, Director General of France’s National Cyber Security Agency (ANSSI), said: “After the EU Toolbox on 5G Cybersecurity, this report is another milestone in the NIS Cooperation Group’s effort to coordinate and mitigate the security risks of our 5G networks. This in-depth security analysis of Open RAN contributes to ensuring that our common approach keeps pace with new trends and related security challenges. We will continue our work to jointly address those challenges.”
Finally, a technology-neutral regulation to foster competition should be maintained., with EU and national funding for 5G and 6G research and innovation, so that EU players can compete on a level playing field.
On September 18th, the European Commission (EC) released a recommendation on how all 27 European Union (EU) member states could ensure a timely and more cost-effective way of deploying very high-capacity broadband connectivity infrastructure and develop a “joint approach” to 5G rollouts. The EC says that 5G is the most fundamental block of the digital transformation and an essential pillar of the recovery.
The EC says “the timely deployment of 5G networks will offer significant economic opportunities for the years to come, as a crucial asset for European competitiveness, sustainability and a major enabler for future digital services.”
The EC’s joint approach to 5G is by means of a “toolbox” that defines best practices, including “realistic measures” to assign radio spectrum for 5G networks under investment-friendly conditions. The Commission aims to facilitate the deployment of very high capacity fixed and wireless networks “by, for example, removing unnecessary administrative hurdles and streamlining permit granting procedure.”
The objective is to agree on a toolbox by March 30, 2021. The commission has requested each member state provide it with a roadmap for implementation by April 30, 2021, reporting back by the same date the following year. Please refer to detail timeline in Next steps below.
In parallel, and closely linked to this Recommendation, the Commission proposed a new Regulation for the European High Performance Computing Joint Undertaking to maintain and advance Europe’s leading role in supercomputing technology to underpin the entire digital strategy and to ensure the Union’s competitiveness in the global setting.
The commission said the proposal “would enable an investment of €8 billion in the next generation of supercomputers – a substantially larger budget compared to the current one.” The EC noted that the COVID-19 crisis “has shown that connectivity is essential for people and businesses,” and that “very high capacity networks” have been enabling remote working and schooling, healthcare, and personal communication and entertainment. The EC said the pandemic “has changed the economic outlook for the years to come. Investment and reforms are needed more than ever to ensure convergence and a balanced, forward-looking and sustainable economic recovery.”
Executive Vice-President for a Europe fit for the Digital Age, Margrethe Vestager, said:
“Broadband and 5G connectivity lay the foundation for the green and digital transformation of the economy, regardless if we talk about transport and energy, healthcare and education, or manufacturing and agriculture. And we have seen the current crisis highlight the importance of access to very high-speed internet for businesses, public services and citizens, but also to accelerate the pace towards 5G. We must therefore work together towards fast network rollout without any further delays.”
Commissioner for the Internal Market, Thierry Breton, added:
“Digital infrastructures have proven to be crucial during the pandemic to help citizens, public services and businesses get through the crisis and yet recent investments have slowed down. At a time when access to broadband Internet represents both a fundamental commodity for Europeans and a geostrategic stake for companies, we must – together with Member States – enable and accelerate the rollout of secure fibre and 5G networks. Greater connectivity will not only contribute to creating jobs, boosting sustainable growth and modernising the European economy, it will help Europe building its resilience and achieve its technological autonomy.”
The Commission invites Member States to come together to develop, by 30 March 2021, a common approach, in the form of a toolbox of best practices, for the timely rollout of fixed and mobile very high-capacity networks, including 5G networks. Such measures should aim to:
- Reduce the cost and increase the speed of deployment of very high capacity networks, notably by removing unnecessary administrative hurdles;
- Provide timely access to 5G radio spectrum and encourage operators’ investments in expanding network infrastructure;
- Establish more cross-border coordination for radio spectrum assignments, to support innovative 5G services, particularly in the industry and transport fields.
The Recommendation also sets out guidance for best practices to provide timely access to radio spectrum for 5G as well as ensure stronger coordination of spectrum assignment for 5G cross-border applications. This is particularly important to enable connected and automated mobility, as well as the digitisation of industry and smart factories. Enhanced cross-border coordination will help to provide Europe’s main transport paths, particularly road, rail and in-land waterways, with uninterrupted 5G coverage by 2025. However, until mid-September 2020, Member States (and the UK) had assigned on average only 27.5% of the 5G pioneer bands. It is therefore essential that Member States avoid or minimise any delays in granting access to radio spectrum to ensure timely deployment of 5G.
The Recommendation also highlights the need to ensure that 5G networks are secure and resilient. Member States have worked together with the Commission and the EU Cybersecurity Agency (ENISA) on a respective toolbox of mitigating measures and plans, designed to address effectively major risks to 5G networks. In July, a progress report was published.
Sustainable network deployment for improved connectivity:
The Recommendation also builds upon the Broadband Cost Reduction Directive. It promotes the rollout of high-speed networks by reducing deployment costs through harmonised measures to ensure network providers and operators can share infrastructure, coordinate civil works and obtain the necessary permits for deployment. The Recommendation is calling on Member States to share and agree on best practices under this Directive, to:
- Support simpler and more transparent permit-granting procedures for civil works;
- Improve transparency on existing physical infrastructure, so that operators can access more easily all relevant information on the infrastructure available in a certain area, and facilitate permit-granting procedures, through a single information point in the administration of public authorities;
- Expand network operators’ rights to access existing infrastructure controlled by public sector bodies (i.e. buildings, street lamps and those belonging to energy and other utilities) to install elements for network deployment;
- Improve the effectiveness of the dispute resolution mechanism related to infrastructure access.
Improved connectivity can also minimise the climate impact of data transmission and thus contribute to achieving the Union’s climate targets. Member States are encouraged to develop criteria for assessing the environmental impact of future networks and provide incentives to operators to deploy environmentally sustainable networks.
The Recommendation calls for Member States to identify and share best practices for the Toolbox by 20 December 2020. The Member States should agree on the list of best practices by 30 March 2021.
As announced in its strategy “Shaping Europe’s digital future” in February, the Commission plans two further actions in this area:
- The update of its action plan on 5G and 6G in 2021. The updated plan will rely and expand on the spectrum-related actions in this Recommendation. It will look at the progress made so far, and set new, ambitious goals for 5G network roll-out.
- The revision of the Broadband Cost Reduction Directive. The next steps in this process are the launch of an open consultation in autumn 2020 and of a dedicated study to evaluate the current Directive and assess the impact of several policy options.
The Recommendation will contribute to the achievement of the objectives set out in the Broadband Cost Reduction Directive as well as the European Electronic Communications Code. The Code, which needs to be implemented into national law in Member States by 21 December 2020, aims to promote connectivity and access to very high-capacity networks by all citizens and businesses.
The Commission’s strategy on Connectivity for a European Gigabit Society sets the EU’s connectivity objectives. By 2025, all main socio-economic drivers (i.e. schools, hospitals, transport hubs) should have gigabit connectivity, all urban areas and major terrestrial transport paths should be connected with uninterrupted 5G coverage, and all European households should have access to connectivity offering at least 100 Mbps upgradable to Gigabit speeds.
Other EU Projects and Country Plans:
As announced in June 2020, the EU is funding 11 new technology and trial projects to enable 5G connectivity and pave the way for autonomous driving on main road, train and maritime routes in Europe.
Individual EU member states are also grappling with their own post-pandemic recovery plans. For example, France is earmarking €240 million ($284 million) for fiber networks as part of its €100 billion ($118 billion) stimulus package.