Open RAN is secure and ready for deployment

  • O-RAN ALLIANCE has made tremendous progress to advance the O-RAN security posture in its standards.
  • The O-RAN security posture is now at the level expected by mobile operators.
  • Ericsson continues to lead the evolution of the O-RAN security posture in its products and industry standardization.

Security Policy & Standards Director


Open Radio Access Networks (RAN) standards, products, and solutions are mature and ready for deployment. Open RAN’s security posture has significantly improved over the past few years to the level expected by mobile network operators, as evidenced by announcements around the globe [1].

Open RAN specifications from the O-RAN ALLIANCE [2], referred to as O-RAN, open the RAN in multiple ways to promote an abundant multi-vendor ecosystem:

  1. The Lower Layer Split (LLS) disaggregates the Open Radio Unit (O-RU) and Open Distributed Unit (O-DU) with an Open Fronthaul (FH) interface between them.
  2. Decoupling of Service Management and Orchestration (SMO) using a service-based architecture (SBA).
  3. Third-party rApps in the Non-Real Time RAN Intelligent Controller (Non-RT RIC) and third-party xApps in the Near-RT RIC.
  4. O-Cloud for cloud hardware and software infrastructure that support O-RAN Cloud-native Network Functions (CNFs) at the application layer.

While Open RAN is the disaggregation of the RAN with the goal to enable a multi-vendor ecosystem, it introduces new network functions and interfaces that present interoperability and security challenges. Industry has collaboratively and successfully addressed these challenges in multiple fora, including the O-RAN ALLIANCE [3], ATIS [4], ACCoRD [5], and 3GPP:

  • O-RAN ALLIANCE has made significant progress to strengthen its O-RAN security specifications [6] to secure the Open FH interface, SMO, Non-RT RIC, and O-Cloud.
  • 3GPP specified security for Xn, F1, and NG interfaces. 
  • Alliance for Telecommunications Industry Solutions (ATIS), in collaboration with its industry members, published its Open RAN Minimum Viable Profile (MVP) in 2024 to establish a “minimum set of technical requirements, common across all North American operators, to foster the development and integration of Open RAN” [7]. The Open RAN MVP includes security requirements, based upon O-RAN ALLIANCE security specifications, for secure deployment in North American operator networks.
  • US Department of Commerce National Telecommunications and Information Administration (NTIA) established the Acceleration of Compatibility and Commercialization for Open RAN Deployments (ACCoRD) project [8] with many industry participants, including AT&T, Verizon, and Ericsson.

The telco industry is well along in the journey to secure O-RAN to protect mobile critical infrastructure from sophisticated attacks, including Advanced Persistent Threats (APTs). The O-RAN security posture is now at the level expected by mobile operators.

Pursuit of ZTA for O-RAN

O-RAN has a strong, deployment-ready security posture built upon O-RAN ALLIANCE security specifications in pursuit of a Zero Trust Architecture (ZTA) [9] to defend against internal and external threats. The goal is to protect against adversarial lateral movement across a network and up and down the cloud stack. Recent Advanced Persistent Threats (APTs) present in telecommunications and utilities networks have highlighted the need for a ZTA in critical infrastructure, and have demonstrated that the initial attack vector on critical infrastructure is often not the primary target. The role of ZTA in protecting against APTs is addressed further in “Evolving the security posture of 5G networks” and “How Ericsson defends against cyber threats to networks”.

O-RAN ALLIANCE follows four basic principles of ZTA for communications networks:

  1. Each network function is a resource secured as a micro-perimeter, providing access management, data protection, and system availability. 
  2. Confidentiality and Integrity protection are provided for data in transit on external and internal interfaces and data-at-rest. 
  3. Authentication and authorization are enforced on a per-session basis for external and internal subjects with the principle of least privilege. 
  4. Continuous monitoring, logging, and alerting are implemented to detect and respond to security events.

Specified O-RAN security controls

The O-RAN Security Requirements and Controls Specification (SRCS) [10] addresses confidentiality, integrity, authentication, authorization, and availability for O-RAN network functions and interfaces, as shown in Figure 1.

Figure 1. O-RAN Logical Architecture [O-RAN Architecture Description (OAD) Technical Specification, O-RAN ALLIANCE]


The security requirements comprehensively cover the O-RAN architecture for the SMO, Non-RT and Near-RT RICs, rApps and xApps, O-CU-CP, O-CU-UP, O-DU, O-RU, O-Cloud architecture elements and A1, O1, O2, R1, Open FH interfaces with the following specified security controls [11]:

  • Data-in-transit on the O-RAN Open FH M-Plane, O1, O2, and R1 interfaces is protected using Transport Layer Security (TLS) 1.2 and TLS 1.3. The O1 and Open FH M-Plane interfaces permit use of Secure Shell (SSH) v2. 
  • For the interfaces with TLS, mutual authentication is supported using mutual TLS (mTLS) 1.2 and mTLS 1.3 with certificate management provided by Certificate Management Protocol (CMP) v2. 
  • Authorization is supported using OAuth 2.0, NETCONF Access Control Model (NACM), and Lightweight Directory Access Protocol (LDAP) with Start TLS where specified for each interface. 
  • As the O-RAN goal is to achieve a ZTA to protect against internal and external threats, TLS, mTLS, and OAuth, are also required for internal SMO communication between SMO Services (SMOSs), between rApps, and between SMOSs and rApps in the SMO’s service-based architecture. 
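
The controls listed above can be checked mechanically against a deployment inventory. The following is an added example, not code from the O-RAN ALLIANCE or Ericsson: the inventory, its field names, and the `SMO-internal` label are assumptions, and treating missing mTLS on an external interface as a warning rather than a failure is this example's choice.

```python
# Added example: audit a constructed interface inventory against the controls
# listed above. Field names and the inventory itself are assumptions.
TLS_INTERFACES = {"Open FH M-Plane", "O1", "O2", "R1"}
SSH_PERMITTED = {"Open FH M-Plane", "O1"}
SMO_INTERNAL = "SMO-internal"  # SMOS<->SMOS, rApp<->rApp, SMOS<->rApp
ALLOWED_TLS = {"1.2", "1.3"}

def audit(entry):
    """Return a list of (severity, message) findings for one inventory entry."""
    name, proto, ver = entry["interface"], entry["protocol"], entry["version"]
    findings = []
    if name not in TLS_INTERFACES and name != SMO_INTERNAL:
        return [("info", f"{name}: not in the control list quoted on this page")]
    if proto == "ssh":
        if name not in SSH_PERMITTED:
            findings.append(("fail", f"{name}: SSH is only permitted on O1 and Open FH M-Plane"))
        elif ver != "2":
            findings.append(("fail", f"{name}: SSH v{ver} in use, only v2 is permitted"))
        return findings
    if proto != "tls":
        return [("fail", f"{name}: {proto} is not a listed transport protection")]
    if ver not in ALLOWED_TLS:
        findings.append(("fail", f"{name}: TLS {ver} is outside 1.2/1.3"))
    if not entry.get("mtls"):
        # mTLS is required for SMO-internal traffic and "supported" elsewhere;
        # treating its absence elsewhere as a warning is this example's choice.
        sev = "fail" if name == SMO_INTERNAL else "warn"
        findings.append((sev, f"{name}: client certificate not verified (no mTLS)"))
    if name == SMO_INTERNAL and entry.get("authz") != "oauth2":
        findings.append(("fail", f"{name}: OAuth 2.0 authorization missing"))
    return findings

# Constructed inventory, not taken from any real deployment.
INVENTORY = [
    {"interface": "O1", "protocol": "tls", "version": "1.3", "mtls": True},
    {"interface": "O2", "protocol": "tls", "version": "1.1", "mtls": True},
    {"interface": "R1", "protocol": "ssh", "version": "2"},
    {"interface": "Open FH M-Plane", "protocol": "ssh", "version": "2"},
    {"interface": "SMO-internal", "protocol": "tls", "version": "1.2",
     "mtls": False, "authz": None},
]

def audit_all(inventory):
    """Map each interface name to its findings (empty list means compliant)."""
    return {e["interface"]: audit(e) for e in inventory}

if __name__ == "__main__":
    for iface, found in audit_all(INVENTORY).items():
        print(iface, found or "ok")
```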

O-RAN threat analysis is documented in the O-RAN Threat Modeling and Risk Assessment document [12] and was performed using the STRIDE model [13]: Spoofing (authentication), Tampering (integrity), Repudiation (non-repudiation), Information disclosure (confidentiality), Denial of Service (availability), and Elevation of privilege (authorization). Test cases are provided for each specified security control in the O-RAN Security Test Specification (STS) [14]. O-RAN ALLIANCE’s Work Group 11 (WG11) for security is continuing to advance the security posture as O-RAN’s architecture further evolves with AI/ML, APIs, and a service-based architecture for SMO.

Ericsson is leading to secure O-RAN

It is important to have O-RAN security standards and Ericsson is leading O-RAN security standardization at the O-RAN ALLIANCE, but vendors of O-RAN products must implement those standards. The Ericsson Open RAN solution, with Cloud RAN, Cloud-Native Infrastructure Software (CNIS), and Ericsson Intelligent Automation Platform (EIAP), provides security that meets the O-RAN ALLIANCE specified security requirements. EIAP is Ericsson’s SMO product for visibility, intelligence, and automation across the O-RAN deployment. It enhances the goal of a multi-vendor Open RAN by providing secure on-boarding and run-time operation of rApps. Ericsson’s rApp Certification Service enables a rich ecosystem of third-party rApps and ensures third parties design and build secure rApps with an R1 interface compliant with O-RAN specifications to validate readiness to integrate with EIAP [15].

A set of implemented product security features alone is not enough to build a secure network. The best defense against APTs is to build in security during the design, development, and operations phases for networks and networking products. Product suppliers building O-RAN products with standardized security features must also follow secure software development processes, implement security assurance, and harden the system following best practices. In the operations phase, continuous monitoring for visibility of potential exploits coupled with real-time AI-based attack detection strengthens the network’s security posture to better defend against sophisticated APTs.

At Ericsson, we systematically incorporate security into all relevant aspects and phases of our end-to-end products value flow for secure software development. Our efforts in this area follow a well-established internal control framework known as the Ericsson Security Reliability Model (SRM) [16]. Ericsson aligns its organization, processes and systems to industry and regulatory standards, including GSMA’s Network Equipment Security Assurance Scheme (NESAS). The NESAS conformance results for Ericsson’s purpose-built Cloud RAN products are posted at GSMA | NESAS Conformance Results - Industry Services.

Ericsson Security Manager (ESM) is a powerful tool to help mobile service providers operationalize security management as well as implement best practices for system hardening. With ESM, Ericsson provides the critical capabilities required to defend against APTs and their lateral movement. Ericsson cyber defense solutions offer tools to operationalize security management to effectively mitigate APTs in mobile networks [17]. Managing security configurations together with early detection of APTs prevents tactics such as initial access and lateral movement and gives the security team time to respond before data can be exfiltrated to attacker-controlled infrastructure.

O-RAN is deployment ready

The telco industry is continuing its pursuit of a ZTA to defend against external and internal attacks, including APTs, based upon the assumption that the adversary is already in the network, because, as recent events have demonstrated, they are. The foundation of ZTA across an end-to-end network is to secure products built upon secure specifications, secure-by-design principles, secure software development frameworks, and product security assurance.  The O-RAN ALLIANCE has made tremendous progress to strengthen O-RAN’s security to achieve a security posture at the same high level as traditional networks. 

Ericsson’s O-RAN ALLIANCE compliant products enable operators to achieve this high level of security.  Ericsson implements O-RAN ALLIANCE security specifications in its Cloud RAN, CNIS, and EIAP products. These products are secure-by-design using Ericsson’s secure development process with support for standards-based security controls. This enables operators to achieve a ZTA in their networks. Ericsson will continue to lead product security and security standardization at industry bodies, including the O-RAN ALLIANCE and 3GPP.

References:

  1. AT&T to Accelerate Open and Interoperable Radio Access Networks (RAN) in the United States through new collaboration with Ericsson
  2. O-RAN Downloads
  3. O-RAN ALLIANCE Security Update 2025
  4. Open RAN Minimum Viable Profile
  5. Open RAN Progress Report: Major Milestones in 2024 - Ericsson
  6. O-RAN Security Requirements and Controls Specifications v11.0, O-RAN ALLIANCE, O-RAN Downloads
  7. Open RAN Minimum Viable Profile
  8. Home Page | National Telecommunications and Information Administration
  9. SP 800-207, Zero Trust Architecture | CSRC
  10. https://www.o-ran.org/specifications
  11. O-RAN Security Requirements and Controls Specification (SRCS), O-RAN ALLIANCE
  12. O-RAN Threat Modeling and Risk Assessment Technical Report, O-RAN ALLIANCE
  13. The STRIDE Threat Model | Microsoft Learn
  14. O-RAN Security Test Specification (STS) Technical Specification, O-RAN ALLIANCE
  15. EIAP Ecosystem for automation applications - join now - Ericsson
  16. The Ericsson Security Reliability Model – security by design
  17. How Ericsson defends against cyber threats to networks  