Germany Warns Open RAN Poses National Security Risk

Germany disagrees with the claim that Open RAN (O-RAN) is a more secure alternative to established vendors.

Following a US-led campaign that raised concerns about Chinese suppliers such as Huawei, many governments restricted or banned those vendors from national infrastructure. Removing suppliers who provided equipment across multiple generations has been costly for operators and has delayed network rollouts.

Proponents of O-RAN argue it offers a cost-efficient, interoperable solution that reduces vendor lock-in and increases security by enabling a diverse supply chain.

However, a report from Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) challenges that view and concludes O-RAN currently presents significant security concerns.

The BSI’s analysis warns that combining components from many different suppliers can introduce vulnerabilities and that the current O-RAN specifications lack sufficient security-by-design measures to ensure a robust and trustworthy architecture.

Arne Schönbohm, President of the BSI, commented on the findings:

“As a federal cyber security authority, the BSI observes and accompanies the development process of Open RAN. Therefore, we have commissioned a risk analysis that analyses various affected persons and attacker groups and evaluates the risks to the central protection goals of confidentiality, integrity, imputability, availability, and privacy.

The study demonstrates on the basis of a best/worst case view that the previous Open RAN has not yet been sufficiently specified according to security by design and partially has security risks.

The security improvements should therefore be included in the specifications from the study in order to be able to serve the rapid growth of Open RAN in the market from the outset with sufficiently secure products.”

The BSI commissioned the German cybersecurity firm Secunet to carry out the analysis. The 86-page report, written in German, offers a detailed assessment of threats and potential mitigations.

In translation, the report’s central conclusion is that “medium to high security risks emanate from a multiplicity of the interfaces and components specified in O-RAN.” The analysis highlights that a larger and more heterogeneous set of interfaces increases the attack surface and creates more opportunities for misconfiguration, incompatibility, and exploitation.

Secunet recommends incorporating targeted security improvements into the O-RAN specifications to avoid repeating problems that arose during the development of other standards, such as those from 3GPP.

The BSI report stresses the need for clearer and stricter security requirements, improved conformance testing, secure default configurations, and stronger supply-chain assurances to reduce risk when deploying multi-vendor O-RAN systems at scale.

A full copy of the original German report (PDF) is published by the BSI and provides the complete technical findings and recommendations.
