Skip navigation
Like what you’re reading?

Exploring the evolution of RAN security management

In the coming years, we anticipate an increase in the architectural complexity of radio access networks (RAN). At the same time, cyber threats will continue to evolve, making security management increasingly critical. In this blog post, we explore the latest technology trends and perspectives that will enable effective security management and protect against future threats.

Researcher Concepts Security

Researcher on the security aspects of RAN at Ericsson

Exploring the evolution of RAN security management

Researcher Concepts Security

Researcher on the security aspects of RAN at Ericsson

Researcher Concepts Security

Contributor (+1)

Researcher on the security aspects of RAN at Ericsson

In the ever-evolving world of technology, it's no surprise that the security landscape is constantly shifting. The main reason lies in technology evolution, but also the appearance of new threats looming on the horizon. With technologies like accelerated computing and Artificial Intelligence (AI), or the move towards cloud-native architectures, the telecom industry is undergoing radical transformations.

However, along with these opportunities, new security risks also arise.
To protect against known and unknown threats, we need to evaluate and mitigate security risks associated with these new technologies. As telecom systems expand their feature sets and reach, so does their attack surface. This calls for extending the currently predominant compliance-based approach and incorporating a risk-based approach to security. Ultimately, we would like to be able to defend against relevant telco-related threats , whether they are already known or yet to be identified.

On top of the technology landscape, regulatory requirements (for example, EU General Data Protection Regulation and NIS2 Directive, or UK Telecommunications Security Code of Practice) or policy frameworks (for example, NIST Cybersecurity Framework ) address concerns around data privacy, integrity, the confidentiality of communications, and the correct implementation of key architectural and operational principles. Telecom organizations rely on standards from organizations like 3GPP, O-RAN, NIST, and GSMA to define the technology measures and security frameworks for RAN. As we look towards the future, these standards are expected to become even stricter with the advent of 6G.

For service providers and vendors like Ericsson, security isn’t just a checkbox, but a must-have, to remain compliant with the latest standards and regulations. In today's interconnected society, everyone - from the standardization ecosystem to telecom vendors and service providers – needs to step up and work together to ensure robust security measures. Another priority is to make it easier for service providers to meet regulatory requirements. Security cannot be considered an afterthought, especially considering that telecom networks are mission-critical infrastructures. Plus, offering enhanced security measures can help service providers stand out and monetize their services, especially with customers who care about security.

Sophisticated threats ahead

As the RAN grows more complex, the threat landscape follows in dynamicity and sophistication. For instance, a recent report from the OWASP foundation recommends organizations to identify threats that malicious actors can deploy at scale using large language models (LLMs) and Gen AI. This recommendation applies to the telecom world as well.

Technological advancements have significantly lowered the barrier for carrying out successful attacks in this domain. The telecom industry is also moving towards openness, disaggregation, and virtualization, which opens innovation opportunities. But it also introduces a higher number of entry points and makes the system more dynamic, leading to even more security challenges.

When we think about the threats to RAN, the air interface emerges as the main target for attackers in the foreseeable future. The availability of low-cost software-defined radios and open source 5G UE stacks, has increased the feasibility for malicious actors to meddle with radio transmissions posing risks to the confidentiality, integrity, availability, and privacy of transmitted data. These attacks include signaling storms, protocol abuse, and IMSI catching, also known as stingrays.

However, RAN security can’t just be about the air interface. Cloud and disaggregated deployments, if not properly secured, can be easy entry points for attackers. Intellectual property theft, resource abuse, and compromising other tenants sharing the same infrastructure are potential risks. Transport networks have similar vulnerabilities, where attackers may exploit weak points to intercept sensitive traffic or compromise networking devices. And there are additional risks around orchestration and management processes. Configuration errors, adversarial attacks on machine learning (ML) automation, and data tampering by insiders or third parties can compromise the overall security.

So, in the face of evolving threats, how can we effectively defend against them?

One key aspect lies in the implementation of robust security management processes enabled by technology that facilitates decision-making among the people.

A conceptual framework for RAN security management

Drawing from our research, we can envision a conceptual framework outlining the activities within the scope of security management. The framework is based on the activities referenced by the famous NIST Cybersecurity Framework but tailored to RAN specifics. We have also drawn inspiration from the NATO CCDCOE blueprint for security automation and risk orchestration, expanding its scope to RAN security management activities as per Figure 1. Its primary responsibilities might include:

  • Continuous risk assessment: Security management activities are risk driven. This involves the continuous identification and management of assets, including exposure, vulnerabilities, and associated costs.
  • Protection against threats: Implementation of robust security measures to shield the system against potential threats. Continuous monitoring and enhancement of implemented security controls to ensure their effectiveness.
  • Proactive threat detection: Employing advanced threat intelligence techniques to proactively identify potential threats, and monitor traffic for suspicious activities.
  • Quick response and recovery: In the event of an attack, swift response and effective incident management are critical. These include containing the threat, conducting incident investigations, mitigating the impact, and implementing measures to prevent future occurrences.
  • Continuously reporting the security status and compliance: Regular reporting on the security status and compliance of managed network functions, infrastructures, platforms, and operational services is essential. This enables stakeholders to make well-informed decisions regarding security measures and risk mitigation strategies.

However, just laying out these activities isn’t enough for RAN, as its defining factor is its high-performance needs. It's not just about meeting security goals; effectively managing operational costs and resources is equally important. Balancing security requirements with other operational priorities that might clash is a tough challenge. This is where automation comes in as a pivotal technology to achieving equilibrium among all these diverse demands.

Figure 1: RAN Security automation and risk orchestration blueprint

Figure 1: RAN Security automation and risk orchestration blueprint

Current limitations and wanted position

Before we start thinking about the future, let’s look at the current situation from an operational perspective.

First and foremost, the shortage of skilled cybersecurity professionals and workforce is a big concern. This ongoing issue remains unresolved, with no immediate resolution in sight. Automation is one key component to deal with this issue. By streamlining security processes and improving decision-making, automation effectively compensates for the lack of skilled personnel.
Even though security automation already exists in various forms to manage complexity, it’s limited due to its dependence on predefined policies. This means the policies can’t handle unforeseen scenarios that weren’t considered during their design phase. Furthermore, the way different cases, policies, and infrastructures are all linked together makes it less flexible.

To overcome these challenges, we strongly advocate for a shift from the current static and compliance-based security model towards a dynamic run-time security management model. This model relies on intelligent decision-making and automated orchestration across all RAN components. By embracing this approach, the security posture can dynamically adapt to the situational changes, ensuring optimal protection.

This advanced level of automation will be backed by advanced analytics tools, AI/ML algorithms, and real-time threat intelligence. These tools will empower the RAN to effectively withstand the increasingly sophisticated threat landscape.

A possible set of wanted capabilities for RAN security management include:

  1. Automating the provisioning and scaling of security controls: Ensure seamless deployment and scalability of security measures.
  2. Streamlining the decision-making process of security operations teams: Provide intelligent insights and risk-driven recommendations , enabling security operations teams to efficiently prioritize vulnerability mitigation and patch management.
  3. Reducing both the time-to-detect and the time-to-respond to various attacks: Rapid detection and response are crucial in minimizing the impact of security incidents and maintaining a coherent security posture.
  4. Maintaining compliance with security requirements and best practices: Adhering to regulatory standards and industry best practices ensures a robust security posture and instills trust in stakeholders.
  5. Striking a balance between security guarantees and their impact on both service and business requirements: Security measures should not unduly impact resource usage, latency, bandwidth, energy consumption, or overall operational expenses.
  6. Compensating for workforce shortages and knowledge gaps: Automation acts as a force multiplier, augmenting the capabilities of cybersecurity teams and alleviating the strain caused by workforce shortages.

A fast, efficient, and predictive RAN security management

In striving for fast, efficient, and predictive RAN security management, our goal is to enable normal operations even in the face of potential attacks. A resilient system should quickly identify and tackle ongoing threats to stop their spread throughout the network. By reducing the time it takes to react to threats, we can minimize their impact on network operations.
Our first intuition is that predictive analysis will undoubtedly play a larger role in achieving the desired resilience levels. Our second intuition is that automation will be key in helping security operations to scale and respond quickly.

The three examples below show how predictive and automated systems can bring significant value to RAN security management in the short, medium, and long terms.

Short-term use case: Consistent security configurations

A predictive system can provision and adapt security controls, such as confidentiality and integrity on the air interface, network policies, access control lists, and internet protocol security (IPsec) tunnels in a RAN environment.

Medium-term use case: Automated detection and response

Predictive capabilities facilitate the automated detection of network intrusions, triggering necessary countermeasures autonomously. This includes isolating affected network segments, updating firewall rules, or notifying the on-duty personnel . This mode of operation not only helps mitigate threats but also minimizes human intervention, saving time and resources.

Long-term use case: Autonomous threat identification

Finally, automated threat modeling and dynamic online risk assessment enable systems to spot new threats or vulnerabilities in real time and adjust security controls as needed. Continuous monitoring of the network and advanced analytics allow for more accurate recognition of threats and add compensating security controls. This approach will ensure the maintenance of an optimal RAN security posture as the threat landscape evolves, and network requirements change.

Security management in RAN: A tale of three layers

Having explored the requirements and use cases for automated security management in RAN, it's now time to understand how security management can integrate with a future RAN architecture. This integration involves three main layers from top to bottom:

Figure 2: the RAN security management architecture and its components

Figure 2: the RAN security management architecture and its components

  1. Security Management: As a standalone entity outside of RAN, the Security Management (SM) is responsible for coordinating security across multiple domains such as RAN, Transport, and Packet Core. The SM interfaces with the lower layer(s) via a well-defined interface which is used to retrieve the domain’s capabilities, push down business objectives, and gather monitoring data connected to the objectives. Depending on the specific implementation, the SM Interface can work based on policies or intents (more on this later).
  2. High-level RAN automation app: Part of the RAN Network Automation Platform (NAP), high-level automation apps oversee specific security tasks within the RAN domain they manage. The NAP is an evolved version of the current Service Management and Orchestration (SMO) framework in O-RAN. The automation apps have various capabilities, including monitoring, analysis, recommendation, prediction, and actuation over a set of RAN networks or platform functions. The automation apps at NAP interact with the RAN logical functions via an evolution of the current O1 interface (O1++ in the figure).
  3. RAN logical functions: Automation logic embedded within RAN network function and their logical implementation enables self-adaptability. All actuation on realized security controls and functions must flow through the responsible service for configuration management, which resides within the NAP.

These layers work together, providing essential services to each other. Decisions and actions flow from top to bottom, moving from high-level and strategic, to granular and concrete configurations. Conversely, metrics and reports flow from bottom to top, aggregating into contextual information that informs strategic decision-making.

The end-to-end security management ensures that everything in different security domains is working together. Meanwhile, the high-level automation apps act as one-stop shops for configuring and managing specific Network Functions within the RAN.

Now that we have looked at the high-level architecture, let’s take a deeper dive and ask our final question:

What are the essential enablers to unlock the full power of automation?

While the landscape is still evolving, our research has highlighted a set of enablers that are emerging as critical factors to shape RAN security management.

These include automation and adaptation, measurable security, AI/ML, and the means of management.

Automation and Adaptation

By adapting to the dynamic landscape, RAN security management can build a security posture that’s both predictive and proactive. But here’s the kicker: to turn this vision into a reality, we need to introduce a host of advanced capabilities, such as advanced analytics, real-time monitoring, and closed-loop automation. While these are already being integrated into RAN business logic for optimization purposes, the big question is how much they can be harnessed for RAN security.

Now talking about the two key concepts:

  • Automation facilitates the execution of processes without requiring human intervention.
  • Adaptation empowers systems to figure out the best strategy based on contextual information.

When we combine these, we get autonomic capabilities, meaning that our system can keep getting better by enhancing its security controls. One popular example is the MAPE-K closed-loop architecture, which combines Monitoring, Analysis, Planning, and Execution (MAPE) components with a Knowledge (K) representation of the system. With this setup, security management can continuously evaluate the security posture of a system and respond to threats intelligently, while also considering other network demands and business goals.

Measurable Security

Measurability is the cornerstone for any kind of automation, including security. Metrics and security scores provide the elementary information to make informed decisions, prioritize fixes, and implement proactive measures to enhance security defenses. They also help streamline the workload for analysts.

In the realm of system management, the saying "what cannot be measured cannot be improved" definitely holds true. However, we have to admit that it’s not always easy to come up with widely accepted security metrics, especially when dealing with the qualitative nature of certain security aspects. For example, how do we measure trust in a system component or a hardware platform?

Our approach to making security measurable starts with the definition of the overall security requirements and goals. Once this foundation is available, it’s then possible to identify the relevant security metrics that back up the goals and move to cut down the uncertainties around how to measure them. We also anticipate challenges in minimizing subjectivity to make data-driven decisions more straightforward.


From augmenting decision-making to empowering protection capabilities, AI and ML have the potential to transform security management. In our proposed architecture, these technologies can be integrated at different levels, from being embedded within security-specific RAN Network Functions to providing higher-level automation within Network Automation Platforms.

Of course, service providers can use predictive analysis to identify and mitigate different threats in real time. But in our vision, the role of AI/ML goes beyond just decision-making. By understanding the broader environmental factors, they can provide the necessary context for making security decisions. It’s also crucial to highlight the need for explanability in AI and ML algorithms, particularly when making security decisions, to ensure transparency and instill trust in the automation processes.

Examples from our research at Ericsson demonstrate the use of AI/ML to protect against distributed denial of service (DDoS) attacks, jamming, protocol attacks on the air interface, and the deployment of false base stations (FBS). Early detection and appropriate countermeasures have a net positive effect on the resilience of our system.

Striking the right balance between a fully automated and human-driven environment remains a challenge. Service providers must carefully analyze their security and organizational requirements to find the sweet spot that aligns with their unique situation.

Means of management: Policies versus intents

When it comes to the management of automation, the methods employed to convey the instructions to the system are an important part of the overall solution. Two popular yet fundamentally different approaches are policy- and intent-based management.

Policy-based management operates through imperative programming rules, providing explicit descriptions of how the system should be configured based on known capabilities. Policies follow an Event-Condition-Action (ECA) structure, where specific actions get triggered based on certain conditions. This approach is currently favored in most contexts.

On the other hand, intent-based management, a newer approach, uses declarative programming to define system goals and expected outcomes, letting the system adapt in dynamic environments. This method maps high-level business requirements into specific configurations, cutting down the need for defining detailed policies or rules. In the security context, such requirements are the high-level ambitions – usually defined in the security governance and risk management processes – that need to be mapped into the key security management activities identified by NIST (e.g., protect, detect, respond).

Although each approach has its advantages and limitations, it looks like the future of mobile network architectures will be leaning towards intent-based management, fueled by the need for automation. Right now, a hybrid approach that mixes policy-based and intent-based management seems more balanced, benefiting from the strengths of both methods. The hybrid model can ensure that security governance goals are achieved through intent-based management, while security policies are enforced via policy-based management.

Key highlights

Wrapping up this blog post, let’s sum up the key insights on the evolution of the security management in RAN:

  1. The RAN security landscape will be influenced by emerging technologies, regulatory requirements, and advanced security threats. This requires a proactive and adaptive security approach.
  2. Automation in RAN security management will play an increasingly important role in addressing complexity and bridging workforce skill gaps. The shift towards decision-making at runtime will enhance the cyber-defense posture of RAN.
  3. The integration of advanced analytics tools, real-time monitoring, and autonomic capabilities will strengthen resilience in the face of attacks.
  4. Security automation capabilities will be integrated across different parts of the RAN architecture and must work together seamlessly.
  5. Achieving measurable security is critical for successfully automating security. This involves being able to define security requirements and goals and establish metrics to assess security performance.
  6. AI/ML technologies will support decision-making processes and automation by providing better environmental insights.
  7. The likely future of security management in RAN lies in a hybrid approach that combines policy-based and intent-based management. This allows service providers to optimize security measures while aligning with business goals.

While the future landscape of RAN security may pose challenges, we are convinced that embracing the road to automation in security management will empower us to face the unknown with confidence and resilience to transform obstacles into opportunities for growth.

As we look ahead, we will witness the realization of these and see the extent to which they have been achieved.

Acknowledgement: The authors thank Anu Puhakainen and Prajwol Nakarmi for their helpful comments.

Want to know more?

The Ericsson Blog

Like what you’re reading? Please sign up for email updates on your favorite topics.

Subscribe now

At the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.