Methodology for Vulnerability Assessment in 5G Networks – the RAN Module Case Study (D22c)
Open Radio Access Network (Open-RAN) technology introduces disaggregation of RAN network functions, offering enhanced flexibility for extending hardware and software. The network may then be built through the integration of components from different providers. Providing assurance in such a complex environment is critical as the user cannot rely on the security of the solution offered by one network equipment provider anymore.
The talk refers to results of the security evaluation of the O-DU (O-RAN Distributed Unit) component, which is a logical module responsible for implementing L2 network layer functionalities. The evaluated O-DU is a software product, and the evaluation process has been performed in accordance with EN 17640 “Fixed-time cybersecurity evaluation methodology,” while vulnerability assessment was performed based on the methodology described in the supportive document “NDcPP: Evaluation Activities for Network Device cPP,” which is in full accordance with EN 17640 requirements.
The talk shows conclusions and recommendations resulting from vulnerability assessment, intended for both evaluators and vendors of O-RAN components. More generally, it is relevant to the 5G community, showing them that the evaluation can be quick and not as expensive as it is often argued.