Ericsson’s Cloud RAN offering has passed the independent Network Equipment Security Assurance Scheme (NESAS) audit, making it fully compliant with the security requirements defined by global standards organizations 3GPP and GSMA.
The NESAS audit was successfully completed in November 2021, with Cloud RAN as the latest Ericsson offering to pass it, following earlier compliance by Ericsson Core, Transport and Radio Access Network (RAN) portfolios.
NESAS was introduced in recent years to provide a common security assurance framework for secure product development and product lifecycle processes across the mobile industry. Conformance with NESAS is an integral part of Ericsson’s Security Reliability Model, SRM.
Per Narvinger, Head of Product Area Networks, Ericsson, says: “With 5G rollouts accelerating across the world, 5G network security is rapidly becoming a key topic among regulators, authorities, service providers and their consumer and business customers. Security is a key cornerstone in the design of our products and with the software and hardware disaggregation, it is even more important that security is built in from the start. I am therefore pleased that Cloud RAN is now confirmed NESAS-compliant as it adds another layer of credibility and trustworthiness to our Ericsson radio access network (RAN) portfolio.”
Cloud-based RAN deployment is an important step towards a more open RAN architecture. The deployment can provide inherent security advantages such as isolation and geographical redundancy. However, the cloud also introduces new security risks that must be considered, according to an Ericsson technical paper Security Considerations of Cloud RAN.
In addition to traditional attacks against the RAN and Core, vulnerabilities in the cloud infrastructure, including microservices, container engines, host operating system, and third-party hardware can be exploited in cloud-based RAN and Core deployments.
Ericsson Cloud RAN complies with the GSMA NESAS – Development and Lifecycle Security Requirement version 2.0. The products in scope for this audit are:
- Central Unit-Control Plane (CU-CP) – a logical node hosting the Radio Resource Control (RRC) and the control plan part of the Packet Data Convergence Protocol (PDCP)
- Central Unit-User Plane (CU-UP) – a logical node hosting the user plane part of the PDCP and the Service Data Adaptation Protocol (SDAP)
- Distributed Unit (DU) and RAN Service Discovery
Ericsson’s NESAS compliance processes underwent a complete audit by a GSMA-approved, independent auditor.