Threat Modeling for O-RAN Cyber Risk, Governance, and Accountability
Files
TR Number
Date
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
The vision to accelerate the commercialization of Open RAN (O-RAN) creates many opportunities for more flexible and cost-effective networks and use cases, but also presents security challenges. Prioritizing security as a critical component of this commercialization, rather than ‘‘good enough’’ protection, is paramount. Splitting the Radio Access Network (RAN) into different, disaggregated functions creates a larger attack surface. As O-RAN drives network component disaggregation and deployments shift from single-vendor to multi-vendor configurations, clear responsibility for asset protection is not just beneficial—it is foundational. Without well-defined roles, the complexity of securing critical infrastructure increases, leading to potential gaps, inefficiencies, and heightened risk exposure. A transparent framework ensures accountability, streamlined security coordination, and effective risk mitigation, making it possible to fortify resilience while enabling innovation and collaboration across diverse vendors. Various single-vendor deployments may use different frameworks to evaluate their security protocols. Shifting to multi-vendor deployments may cause new or existing security risks to emerge due to gaps between different security testing frameworks used throughout the Fifth Generation (5G) O-RAN lifecycle. Due to this potential for security gaps, we offer a Responsible, Accountable, Supports, Consulted & Informed (RASCI) chart as a starting point for what should be a multi-stakeholder series of engagements, which ultimately leads to an objective clarity of assigning risk responsibilities. We also review some of the threats to 5G ORAN as described by two popular 5G threat modeling frameworks, MITRE’s 5G Hierarchy of Threats ™ (FiGHT) Framework and O-RAN AllianceWorking Group (WG) 11 Threat Modeling and Risk Assessment Technical Report, that are most affected by unclear risk responsibilities, and detail how our suggested risk responsibility framework would help secure against these threats.