
Evolving Strong Cloud Ran Security Posture Report

The document discusses evolving Cloud RAN security postures. It introduces Cloud RAN and the benefits of Open RAN. It discusses accountability for securing Open RAN deployments and the importance of defense-in-depth security approaches. The document also provides an overview of threats to Cloud RAN critical infrastructure and recommendations for mitigation.


Evolving to a strong Cloud RAN security posture

ericsson.com/en/ran/cloud
2 Ericsson | Evolving to a strong Cloud RAN security posture

Minimizing threats to 5G Cloud RAN critical infrastructure

Abstract

5G deployments in the cloud bring the promise of greater efficiency, agility, and flexibility; however, the cloud expands the 5G attack surface and introduces new threats to critical infrastructure. Mobile network operators (MNOs) are accountable for the security posture of their cloud deployments. A strong Cloud Radio Access Network (RAN) security posture requires a defense-in-depth approach, with the goal of achieving secure critical infrastructure built upon the US National Institute of Standards and Technology’s (NIST) zero-trust architecture (ZTA) to protect from internal and external threats. The Cloud RAN deployment model influences the risk assessment and the responsibilities of the stakeholders implementing each security control, including vendors, MNOs, and cloud service providers.

This paper builds upon the analysis from Ericsson’s summer 2021 paper, “How to enable security in Cloud RAN”, by considering new threat analysis from the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the European Union Network and Information Security Agency’s (ENISA) Network and Information Systems (NIS) Cooperative, and others, to provide recommendations for securing Cloud RAN deployments. It also provides an overview of the Ericsson Cloud RAN security posture, explaining the product security and features that enhance the overall security posture of the cloud deployment.

Introduction

Ericsson Cloud RAN will enable MNOs to evolve seamlessly toward cloud-native
technologies and open-network architectures, with the goal that MNOs can deploy
secure cloud-native networks anywhere, on any cloud and server platform.¹

The Cloud RAN solution has built-in measures that provide a strong security posture, as provided by Ericsson’s purpose-built RAN and Transport portfolios. This is important, since Cloud RAN and traditional RAN may be deployed in parallel by MNOs in so-called bluefield deployments.2 The goal for securing RAN, whether Cloud RAN or purpose-built RAN, is to protect the availability and high performance of the network and communication services while also ensuring confidentiality, integrity and availability. Achieving these goals in Cloud RAN requires a defense-in-depth approach, in which security is enforced for all network communications and in each layer of the cloud stack, along with dependencies between cloud layers. The Cloud RAN security solution is built upon a ZTA to enable MNOs to mitigate external and internal threats. In addition, Cloud RAN applications will support security automation and intelligence through the Ericsson Security Manager (ESM) and the Ericsson Intelligent Automation Platform (EIAP), a service management and orchestration platform that can host security-specific rApps.

An overview of Open RAN

Open RAN, including Cloud RAN3 and O-RAN,4 has open and interoperable interfaces built upon 3rd Generation Partnership Project (3GPP) standards, enabling RAN intelligence through artificial intelligence/machine learning. Cloud RAN uses the 3GPP Release 15 (R15) higher layer split (HLS) with the RAN compute disaggregated into a central unit (CU) and distributed unit (DU), with open management and automation interfaces, and a non-real-time RAN intelligent controller (non-RT-RIC) that includes rApps.5 O-RAN, as specified by the O-RAN Alliance, modifies the 3GPP RAN architecture with the addition of the lower layer split (LLS) and near-real-time RAN intelligent controllers (Near-RT-RICs). These Open RAN terms are explained further in Figure 1. The benefits of Open RAN for the MNO are that it enables new deployments and capabilities, including:
• utilizing the same hardware for different applications
• high reliability and flexible scaling of compute resources provided by the cloud infrastructure
• improved network automation capabilities and optimized performance with the Non-RT RIC
• deployment of RAN equipment from different vendors in the same geographical area

Open RAN also provides benefits with regards to enhanced security, including:6
• use of open-source software enabling transparency and common control
• open interfaces ensuring transparency and use of standard, interoperable, and secure protocols
• disaggregation, enabling supply chain resilience through vendor diversity
• use of AI/ML enabling visibility and intelligence to achieve greater security

Figure 1: Open RAN Technologies

Open RAN: Industry term for Open Radio Access Network architecture. A RAN with open interoperable interfaces, RAN virtualization, and large and AI-enabled RAN.
O-RAN: Refers to O-RAN Alliance architecture to make RAN open, intelligent, virtualized, and fully interoperable.
OpenRAN: Refers to initiatives driven by TIP’s OpenRAN Project Group.

RAN terminology

Cloud RAN: A virtualized RAN that is designed to be cloud native, built in a future-proof architecture and incorporating key elements such as microservices, CI/CD and containerization.
vRAN: Technical approach to run RAN functions as disaggregated software on a common hardware platform, generating additional RAN architecture flexibility, platform harmonization and simplification.

1 Cloud RAN - 5G RAN - Virtually everywhere – Ericsson
2 Bluefield deployments in telecommunications – Ericsson
3 Ericsson Cloud RAN | Networks | Main Catalog | Ericsson
4 www.o-ran.org/
5 “Intelligent security: How the SMO can enhance the security posture of Open RAN”, Ericsson, June 2022
6 O-RAN Alliance, Technical Paper, June 2021

Accountability for securing Open RAN

The key stakeholders in cloud deployments are the cloud service provider
and its customer – the cloud consumer.

The MNO, as the cloud consumer, deploys 5G critical infrastructure in hybrid and public clouds. The MNO may also choose to deploy a private cloud to achieve the highest level of security gained from asset ownership, deployment control, and network visibility. The Cloud Shared Responsibility Model (CSRM) is a helpful cloud industry tool to determine which stakeholder has security responsibility at each layer of the cloud stack. Figure 2 shows the Ericsson version of the CSRM; similar versions from Microsoft Azure,7 AWS8 and GCP9 are publicly available. The CSRM can be summarized by the following cloud industry phrase: “The cloud service provider is responsible for security of the cloud and the cloud consumer is responsible for security in the cloud”. While the cloud service provider may be delegated responsibility by the MNO, it is the MNO who is accountable for the security posture of the 5G RAN and core deployment, as reported in US DHS CISA’s “Security Guidance for 5G Cloud Infrastructures”.10

The assignment of responsibility is further complicated in hybrid cloud environments. This is because the hybrid cloud may be a mix of private cloud and public cloud, a private cloud within a cloud service provider’s public cloud infrastructure, or the cloud service provider infrastructure deployed on-premise of the MNO. The Cloud Security Alliance (CSA) has identified the additional security risks with hybrid clouds and has formed the CSA Hybrid Cloud Security Working Group.11 Security responsibilities must be clearly defined and specified in the cloud service agreement. The MNO is always responsible for protecting sensitive data and properly configuring security tools, network functions, interfaces and APIs. This Ericsson paper12 provides considerations and recommendations for MNOs to securely deploy in hybrid and public clouds.

Figure 2: Cloud Shared Responsibility Model

Security within service delivery models

Layer | Infrastructure as a service (IaaS) | Platform as a service (PaaS) | Software as a service (SaaS)
Human access | Cloud consumer | Cloud consumer | Cloud consumer
Data | Cloud consumer | Cloud consumer | Cloud consumer
Application | Cloud consumer | Cloud consumer | Cloud service provider
Operating system | Cloud consumer | Cloud service provider | Cloud service provider
Virtual networks | Cloud consumer | Cloud service provider | Cloud service provider
Hypervisors | Cloud service provider | Cloud service provider | Cloud service provider
Server and storage | Cloud service provider | Cloud service provider | Cloud service provider
Physical networks | Cloud service provider | Cloud service provider | Cloud service provider

7 Shared responsibility in the cloud, October 2022
8 AWS, Shared Responsibility Model
9 Google Cloud Platform: Shared Responsibility Matrix, April 2019
10 Security Guidance for 5G Cloud Infrastructures, US DHS CISA, October 2021
11 Cloud Security Alliance, Hybrid Cloud Security, May 2021
12 5G security for public and hybrid cloud deployments, S. Poretsky, H. Akhtar, and P. Linder, Ericsson, September 2022

Traditionally, RANs have been considered secure because the operator deploys their hardware at their facility and on their network, which they manage. This enabled MNOs to protect their RAN with perimeter security, as the greatest risks from threats were external to the network. Open RAN enables RAN migration to hybrid and public clouds where RAN will be running on third-party hardware, at a third-party facility, on a third-party network and managed by that third party. A foundation of trust must be established with secure storage of credentials, to build a trust chain up the layers of the cloud stack to the application and across interworking network functions.

The cloud has an increased risk of internal threats from insiders, lateral movements, multiple tenants, and shared resources. An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an external actor, typically a nation-state, establishes an undetected presence inside a network to steal sensitive data over a prolonged dwell time. Threats to Open RAN deployments in hybrid and public clouds must be assessed to ensure 5G critical infrastructure in the cloud is secure from internal and external threats. This is a new paradigm for securing the RAN and it requires a new risk analysis with the pursuit of a ZTA. As US DHS CISA advises for 5G-critical infrastructure deployments in the cloud – “Assume the adversary is already inside the network”.13

13 Security Guidance for 5G Cloud Infrastructures, US DHS CISA, October 2021

Cloud RAN deployment models

Legacy baseband implemented as a purpose-built RAN provides layers 1 through 3 of the radio protocol stack.

The evolution of RAN to disaggregated, virtualized, cloud-native functions has enabled Open RAN to be deployed in private-, public-, and hybrid-cloud environments. The layers of the radio protocol stack comprise:
• Layer 1, which includes Radio Frequency (RF) and physical layer (PHY).
• Layer 2, which includes Medium Access Control (MAC), Radio Link Control (RLC), and Packet Data Convergence Protocol (PDCP).
• Layer 3, which includes Service Data Adaptation Protocol (SDAP) and Radio Resource Control (RRC).

Open RAN, including Ericsson Cloud RAN, is based upon the virtualization and cloudification of RAN baseband functions. These functions evolved from purpose-built hardware deployed at cell sites to disaggregated functions that can be implemented in software to operate on commercial off-the-shelf server hardware, enabling RAN deployments at edge sites or central sites. 3GPP R15 HLS disaggregates baseband functions into the virtualized CU, with layer 2 PDCP and layer 3 protocols deployed in central locations, and virtualized DU with layer 1 and layer 2 MAC and RLC protocols deployed at the cell site. LLS provides further disaggregation as the DU is split into a DU and radio unit (RU). In the LLS configuration, the O-DU supports layer 2 MAC and RLC protocols and layer 1 PHY-high RAN functions including scrambling, modulation and precoding. The RU supports layer 1 PHY-low functions, including beamforming and RF.

Multi-access edge computing (MEC) provides computing and storage resources for networking functions and applications running on top of cloud infrastructure. Hybrid cloud facilitates MEC deployments of Cloud RAN with near-edge sites, locating the virtualized CU closer to the centralized hub data center, and far-edge sites, locating the virtualized DU closer to the radio sites. Service management and orchestration (SMO) is deployed at a data center to provide visibility and intelligence for orchestration and automated policy control of RAN functions. The cloud service provider’s infrastructure may be deployed on-site at the premises of the MNO. Alternatively, the MNO may deploy its workloads on cloud infrastructure at the cloud service provider’s data center and near-edge and far-edge data centers closer to the cell site, in various deployment options, as shown in Figure 3, and discussed further in a separate Ericsson paper.14 The deployment of private networks for industrial use cases, another category in which Cloud RAN can be attractive, will be covered in a future paper.

Figure 3: RAN deployment configurations (sites from left to right: cell site, far-edge, near-edge, data center)

Purpose-built RAN: baseband; RAN management
Cloud RAN option 1: RU, vDU, vCU; RAN management
Cloud RAN option 2 (3GPP R15 HLS): RU, vDU; vCU; RAN management
Cloud RAN option 3: RU; vDU; vCU; SMO
Cloud RAN option 4: RU; vDU; vCU; SMO

14 What’s next for RAN, Ericsson, 2022

Cloud threats to Open RAN

As 5G Core and Open RAN migrate to the cloud, it is important to consider cloud threats when performing a risk analysis, particularly for the deployment of critical infrastructure in the cloud.

Open RAN has an expanded attack surface due to its additional functions, interfaces, and cloud deployment models.15,16,17,18,19,20 Open RAN deployments in public and hybrid clouds also have an expanded threat surface due to increased risk from internal threats and APTs, as shown in Figure 4. ENISA’s NIS Cooperative Report on Open RAN Cybersecurity21 identified 5G Core and Open RAN as having increased risk of internal threats in the cloud due to:
• greater dependency on cloud service providers
• lack of defined security roles across stakeholders
• resource sharing with other tenants
• broader use of open-source software
• use of insecure third-party hardware

Deployment in an MNO’s on-premise private cloud can reduce risks from these threats.

The German Federal Office of Information Security (BSI) Open RAN Risk Analysis22 identified high risks in O-RAN deployments due to optional use of critical security controls, specification of weak protocols and cipher suites, assumptions of internal trust, missing protections from denial of service attacks, and lack of cloud security controls for O-Cloud.

Karsten Nohl, an industry-recognized ethical attacker, demonstrated in his recent video23 at the MCH Hackers Conference that exploits can be performed on an Open RAN system running in a cloud-native environment without properly secured configuration of the operating system, container run-time, and orchestration. The O-RAN Alliance’s Working Group 11 (WG11) is evolving security specifications to address these risks24 with Ericsson as a leading contributor.25

Figure 4: Expanded threat surface for 5G cloud deployments

Cloud migration/deployment of 5G critical infrastructure to hybrid and public clouds expands the threat surface with: advanced persistent threats (APTs); shared resources; third party and open-source software; third-party hardware.

15 Security Considerations of Open RAN, S. Poretsky and J. Boswell, Ericsson, August 2020
16 Security Considerations of Cloud RAN, S. Poretsky and J. Jardal, Ericsson, September 2021
17 O-RAN Alliance, June 2021
18 Open RAN Risk Analysis, Germany BSI, Federal Office of Information Security, English Translation, February 2022
19 Report on Open RAN Cybersecurity, ENISA NIS Cooperative Group, May 2022
20 Establishing a Strong Security Posture for Open RAN, Scott Poretsky, SCTE Cable-Tec Expo 2022, September 2022
21 Report on Open RAN Cybersecurity, ENISA NIS Cooperative Group, May 2022
22 Open RAN Risk Analysis, German Federal Office of Information Security (BSI), November 2021. English version available February 2022
23 “OpenRAN – 5G hacking just got a lot more interesting“, Karsten Nohl, MCH (May Contain Hackers), July 2022
24 O-RAN Alliance WG11, October 2022
25 Ericsson – a leader in the O-RAN Alliance, Ericsson, September 2022

The importance of multi-layer security

Each layer of the cloud stack must be protected from external and internal threat actors who could exploit vulnerabilities.

The data, containers and applications, container run-time engine and orchestration, host operating system, and infrastructure layers share common vulnerabilities. Insecure APIs, weak encryption, security misconfigurations and exposed credentials may compromise confidentiality, integrity and availability of data and network functions. The software layers above the infrastructure can use open-source software with persistent vulnerabilities inherited from other projects. In a multi-tenant environment, there are known attacks such as container escape, host escape, and shared resource exhaustion, in addition to the risk of data exposure and data leakage to other tenants. Sensitive data with weak encryption can be exposed through unauthorized access to data-at-rest and man-in-the-middle (MitM) attacks on data-in-transit.

It is important that a higher level of security baseline is applied to operate 5G-critical infrastructure in the cloud. When selecting security controls using a risk-based analysis, it is essential to consider both external and internal threats. External threats to the cloud can be mitigated by using traditional perimeter-based security controls such as firewalls, web application firewalls (WAF), and by identity and access management (IAM) at the lower layers of the cloud stack. Internal threats to the cloud can be mitigated through a ZTA approach at the higher layers of the cloud stack with three main characteristics:
1. The protect surface is perimeter-less or narrowed to micro-perimeters, rather than relying upon traditional perimeter defenses that protect against only external threats.26
2. There is no implicit trust granted to an asset based upon ownership, physical location, or network location.27
3. The risk analysis assumes the adversary is already inside the network.28

An effective ZTA builds upon continuous monitoring, logging and alerting at all layers of the cloud stack. A network designed for a ZTA has micro-segmentation to separate traffic, micro-perimeters to have granular access based upon the principle of least privilege, container isolation to isolate attacks, and tenant isolation. Each layer of the cloud stack, as shown in Figure 5, should have secure access. Sensitive data at-rest and in-motion should be encrypted using strong cipher suites. Implementation of these security controls for a ZTA aligns with guidance from the US DHS CISA’s “Security Guidance for 5G Cloud infrastructures”,29 which is built upon the following four pillars:
1. Prevent and detect lateral movement
2. Securely isolate network resources
3. Protect data-in-transit, in-use and at-rest
4. Ensure integrity of infrastructure

A secure 5G cloud deployment is built upon a foundation of secure software development processes. Development security and operations (DevSecOps) and continuous integration/continuous deployment (CI/CD) provide built-in security and rapid security updates. Industry best practices for cyber hygiene, such as security configuration validation and software updates for critical vulnerabilities, should be components of a strong security posture in the cloud. This approach helps to ensure that 5G cloud deployments meet the level of security expected for critical infrastructure. In addition, deployments should follow CIS Benchmarks for securing Kubernetes, Docker and Linux.30

Figure 5: Multi-layer cloud security

Cloud stack layers (top to bottom): sensitive data; Open RAN or Core container application; container runtime engine and orchestration; host OS; infrastructure.

Common cloud vulnerabilities and exploits: container escape; host escape; shared resource exhaustion; API exploits; open-source exploits; data leakage; unauthorized access; man-in-the-middle (MitM); weak encryption; exposed credentials; security misconfigurations; DDoS.

Security controls and mitigations: continuous monitoring, logging and alerting; tenant isolation, container isolation, micro-segmentation and micro-perimeters; principle of least privilege; automated identity and access; multi-factor authentication (MFA); PKI-based mutual authentication; data encryption using strong ciphers; threat detection and response (TDR); DevSecOps and continuous integration/continuous deployment (CI/CD).

26, 27 NIST SP 800-207 Zero Trust Architecture (ZTA), US DoC NIST, September 2020
28 Security Guidance for 5G Cloud Infrastructures, US DHS CISA, October 2021
29 Security Guidance for 5G Cloud Infrastructures, Parts 1-4, US DHS CISA.
30 CIS Kubernetes Benchmark, CIS Linux Benchmark, CIS Docker Benchmark

The benefits of Ericsson Cloud RAN Security

Ericsson’s Cloud RAN solution is designed to be deployable on any cloud platform and will support 3GPP standard interfaces and O-RAN automation interfaces.

Cloud RAN will enable automation and intelligence together with the Ericsson SMO called the Ericsson Intelligent Automation Platform. Along with the Ericsson Security Manager, protect and detect security use cases can be enabled. Ericsson is working with ecosystem partners, including industry-leading IT infrastructure vendors, to enable secure cloudification.

This section describes the Ericsson Cloud RAN approach to security and how it enables MNOs to realize a ZTA that mitigates the new threats in cloud deployments. Achieving a strong security posture requires security functions and a secure development process. As a starting point, Ericsson has been building the Cloud RAN security solution and security assurance processes, based on experiences from purpose-built RAN deployments of scale, applying DevSecOps best practices.

Establishing trust in 5G cloud deployments

The zero trust principles described previously imply that validation needs to be undertaken before an entity, both human and virtual network function, can be trusted. A 5G cloud deployment introduces more stakeholders and administrators, including third parties, that are involved in managing infrastructure, which increases the risks from malicious insiders, creating the need for a ZTA. A network built with a ZTA includes network micro-perimeters with strong authentication and authorization to enforce trusted access to network entities and data.

In Cloud RAN, the node management interface is protected to prevent data from being viewed, modified, or deleted by unauthorized third parties. The protection is ensured with functions such as MFA and role-based access control, enforcing the “least privilege” principle. Strong authentication and authorization are enforced using certificates. This applies to both human users accessing management interfaces, and automated machine-to-machine communications between network elements, such as communication through the F1 interface between the CU and DU.

Trust also needs to be established between the different layers in the cloud stack, as previously shown in Figure 5. In the cloud, hardware and software can be sourced from different vendors, creating the need to establish a trust chain anchored on a root of trust (RoT). This is different from purpose-built RAN where dedicated Ericsson hardware is used as RoT. The trust chain is built in the cloud stack and between network functions using certificate-based

Figure 6: Ericsson DevSecOps practices for a strong security posture

Security assurance: security by design (competence); security masters (culture); security risk assessments; secure coding; OSS management; security functional tests, including SAST; hardening of software; vulnerability analysis testing, including DAST and penetration tests; signal software security CPIs, including hardening guidelines.

Product security: software integrity check; third-party vulnerability assessment; application security functioning; secure cloud infrastructure; Ericsson Security Manager (protect, detect, respond), can be integrated with SIEM/SOAR.

authentication. For Cloud RAN, Applications store data, such as keys, To better withstand overload and
the trust chain relies on a secure cloud credentials and configuration files in potential overload attacks, such as
infrastructure that utilizes secure boot the infrastructure’s run-time persistent distributed denial of service attacks,
operations and secure instantiation of volume. Kubernetes supports encryption Cloud RAN products can be deployed
cloud-native functions (CNFs) that at rest for this data, but the encryption with high availability and redundancy.
have validated digital signatures. key requires protection from malicious Redundant instances can be deployed
Ericsson Cloud RAN software is insiders. It is recommended for the MNO in the same data center or the
signed digitally in the Ericsson CI/CD to use a Bring Your Own Key (BYOK) second instance may be deployed in
flow according to ETSI SOL 004 after approach to improve key management a geographically separate data center,
passing quality checkpoints, as described and control to maintain provenance ready to take over, minimizing the impact
in Figure 6, such as open source SW scans, and assurance.32 on availability whether a single instance
static application security testing (SAST), Cloud RAN offers the possibility to or an entire data center goes down.
dynamic security testing (DAST). It can keep this encryption key to the storage Given that security functions are in
be validated during on-boarding and at service inside the application’s built-in place, another key to secure deployments
the instantiation by a trust-anchor file key vault. The Cloud RAN CNF can is for the MNO to use and maintain
from Ericsson, containing the signing be integrated with a centralized a consistent and secure configuration.
root certificate that has been pre-loaded key management service (KMS) Ericsson Cloud RAN pods are delivered
in the infrastructure. This ensures that from the infrastructure to manage with a secure-by-default configuration
the software originates from Ericsson encryption keys. The centralized KMS and tested on a hardened infrastructure.
and is not manipulated or changed. enables use of an external hardware An example of pod hardening is to have
security module to provide additional maximum limits defined for CPU and
Data protection in the cloud protection for cryptographic keys and RAM to avoid starvation of other pods in
The assumption that an attacker is operations. Backup and restore the same cluster and to ensure that no keys
already inside the network implies functionality ensure that it is possible or secrets are part of the pod/container
that data in transit needs to be to restore the running Cloud RAN images. The Cloud RAN software is
protected on all interfaces and application to the previous state by verified with SELinux and comes with
data-at-rest needs to be protected creating a protected backup file containing default settings for pod security, name
in storage on all network functions. keys and configuration data. Access spaces, and network policies. Ericsson
The foundation of Cloud RAN control and monitoring of data access recommends hardening the cloud
security is provided by 3GPP security and usage are other essential functions platform based on the CIS benchmarks.33
specifications. External interfaces for protecting data that needs to be In the more complex and dynamic
between the network elements, configured in the cloud platform. cloud deployment, the risk of security
such as CU and DU, use 3GPP-required misconfiguration increases. This increases
security protocols for encryption and integrity protection with strong cipher suites.31 Cloud RAN will also provide protection between the interfaces inside the application, with encryption and integrity protection of the communication between pods. The pod, which is the smallest execution unit in Kubernetes, is the smallest trust zone, establishing the ZTA micro perimeter. The Cloud RAN application has built-in automated internal certificates and key management to support the protection of the pods anchored on an RoT.

Cloud RAN will support the following security protocols for confidentiality and integrity protection of data in transit on external and internal interfaces:
• Control plane (F1, E1, N2): DTLS v1.2
• User plane (N3, F1, Xn): IPsec
• Air interface (CU to UE): PDCP, RRC, 802.1x authentication
• O&M interfaces CM/PM/FM/file transfer: TLS v1.3, FTPES, LDAPS, SNMPv3
• Internal interfaces inside application (pod-pod): TLS v1.3 using built-in certificates and key vault

Ensuring high availability on a shared platform

Even though a cluster is completely disconnected from the internet, it may share the underlying cloud infrastructure with other tenants.

Shared resources introduce new attack vectors in 5G cloud deployments. To mitigate these risks, micro-segmentation techniques should be configured to provide isolation between the host and Cloud RAN network functions, and between network functions, to prevent one compromised container from impacting other containers running on the shared platform. Micro-segmentation implies security controls and policies are implemented to logically divide the deployment into distinct security segments down to the individual workload level. Cloud RAN applications provide separation between different traffic types (control/user/management plane) as well as separation of fronthaul, midhaul, and backhaul interfaces. Having several isolation layers adds protection and provides security in depth.

the need for automation that ensures both the cloud platform and the telco application follow the intended security baseline and policies. The MNO security operation center (SOC) can use a security information and event manager (SIEM) or security orchestration, automation and response (SOAR) to efficiently collect and analyze log data from their digital assets in one place, in order to ensure compliance with the baseline. The Ericsson Cloud RAN applications will support security automation and intelligence through the ESM and the EIAP, which as a SMO can host security-specific rApps.34 The ESM and EIAP can interwork with an external SOAR or SIEM in the MNO SOC to also allow visualization of the Cloud RAN data there.

For compliance monitoring, the security baseline automation functionality provides a repeatable process for:
• systematic selection of technical security and privacy policies and controls
• automatic enforcement toward the network context
• continuous compliance monitoring after initialization
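As an added example (not code from the Ericsson paper), the micro-segmentation described above can be expressed as Kubernetes NetworkPolicy objects: a namespace-wide default deny plus one explicit allow for the CU-CP to CU-UP E1 control-plane exchange, so that any other workload on the shared cluster has no path to the CU-UP pods. The namespace, pod label scheme and port number are assumptions for illustration.

```yaml
# Added example, not from the Ericsson paper. Namespace "cloud-ran",
# the "ran.example/nf" labels and the E1 port are assumptions.
---
# 1. Default deny: every pod in the namespace starts with no ingress
#    and no egress. This is the per-workload micro perimeter.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: cloud-ran
spec:
  podSelector: {}                  # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# 2. Allow only CU-CP pods to reach CU-UP pods, and only on the E1 port.
#    A compromised container elsewhere in the cluster is still denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-e1-cucp-to-cuup
  namespace: cloud-ran
spec:
  podSelector:
    matchLabels:
      ran.example/nf: cu-up        # assumed label on CU-UP pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              ran.example/nf: cu-cp   # assumed label on CU-CP pods
      ports:
        - protocol: SCTP           # E1AP (and DTLS over it) runs on SCTP
          port: 38462              # assumed E1 listening port
```

Because the first policy also denies egress, every permitted flow (O&M to the management plane, F1 toward the DU, cluster DNS if the pods use it) needs its own explicit allow rule, which keeps control, user and management plane traffic in separate segments as the text describes.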

31 3GPP TS 33.501
32 Options for Key Management in the Cloud | CSA (cloudsecurityalliance.org)
33 CIS Kubernetes Benchmark, CIS Linux Benchmark, CIS Docker Benchmark
34 Why SMO provides an ideal platform for intelligent Open RAN security, S. Poretsky and J. Jardal, Ericsson, June 2022
Enabling a secure supply chain

The increased use of open-source software in cloud deployments has many advantages but also requires proper handling to mitigate inherent risks in the supply chain.

Attack vectors may compromise a trusted manufacturer's software, hardware, or established open-source libraries. To prevent supply-chain attacks, Ericsson drives activities across all parts of the CI/CD flow, referred to as "Secure by Design" or DevSecOps, as shown in Figure 6. The security culture among the people at Ericsson is supported by our Security Master Model, which ensures security competence in all teams, from design to deployment and support. Ericsson has created its Security Reliability Model (SRM)35 to ensure a common approach to product security and privacy across the company, providing guidance and alignment with external demands.36

The SRM framework includes the management of open-source software. It starts with the selection of third-party sub-suppliers and open-source software forums, and stipulates requirements in the sourcing and inbound supply stage to ensure that the third-party products and sources are properly scrutinized before being included in the product. During the R&D product development phase, DevSecOps principles are applied, as described in Figure 6, including activities like source code checks, secure code analytics (SAST, DAST), and penetration tests by an in-house dedicated Ericsson red team simulating attacks as carried out by hackers. Finally, in the MNO deployment and operation phase, mitigations, or software patches for newly found vulnerabilities in deployed software, are managed by a dedicated Ericsson Product Security Incident Response Team (PSIRT).37 In November 2021, the Ericsson Cloud RAN portfolio passed the Network Equipment Security Assurance Scheme (NESAS) certification.38

Figure 7. Ericsson Security Reliability Model

[Figure: the Security Reliability Model spans the chain Suppliers, Source, Develop, Deliver, Customers, with the functions Compliance and documentation, Assurance, and Deployment and operations.]


35, 36
37 Ericsson Product Security Incident Response Team (PSIRT)
38 Ericsson Cloud RAN passes GSMA's NESAS security audit
Conclusion

Open RAN deployments, including Cloud RAN and O-RAN, in public and hybrid clouds, have an expanded threat surface due to increased risk from internal threats caused by the introduction of third parties in a multi-tenant environment. The CSRM is a helpful tool for stakeholders to determine who has security responsibility at each layer of the cloud stack. Each layer of the cloud stack must be protected from external and internal threat actors, who can exploit common vulnerabilities to compromise confidentiality, integrity and availability of data and networking functions.

The Ericsson Cloud RAN security solution will enable secure Open RAN deployments striving toward ZTA to mitigate external and internal threats. Significant investments across the development organization have been made to achieve strong network security. Ericsson is building its Cloud RAN security solution and security assurance processes based on experiences from purpose-built RAN deployments of scale, and collaborating with leading IT infrastructure vendors.

Cloud RAN application software provides functionality to protect data on internal and external interfaces. Support is provided for establishing trust through mutual authentication, automating and securing configurations, and data streaming to enable threat detection and automated configuration compliance. In addition, Ericsson's Cloud RAN offering passed the independent NESAS audit, making it fully compliant with the security requirements defined by the global standards organizations 3GPP and GSMA.
About Ericsson

Ericsson enables communications service providers and enterprises to capture the full value of connectivity. The company's portfolio spans the following business areas: Networks, Cloud Software and Services, Enterprise Wireless Solutions, Global Communications Platform, and Technologies and New Businesses. It is designed to help our customers go digital, increase efficiency and find new revenue streams. Ericsson's innovation investments have delivered the benefits of mobility and mobile broadband to billions of people globally. Ericsson stock is listed on Nasdaq Stockholm and on Nasdaq New York.

www.ericsson.com

Ericsson
SE-164 80 Stockholm, Sweden
Telephone +46 10 719 0000
www.ericsson.com

The content of this document is subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

2/287 01-FGB 101 0990 Uen
© Ericsson 2022
