This is the fifth annual O-RAN security blog post from the O-RAN ALLIANCE’s Security Working Group, or WG11, describing the current state and plans for O-RAN security.
Throughout 2024, WG11 has continued maturing the O-RAN security specifications to account for the all-too-real threats to a modern RAN. Along with threat actors outside telecom networks looking for holes in the perimeter, 2024 saw a documented increase in successful attacks on telecom perpetrated by malicious insiders acting as agents of nation states. WG11’s 2020 decision to assume a zero trust environment for O-RAN deployments drives the development of O-RAN security requirements that will provide operators comprehensive protection against the increasing reality of sophisticated insider attacks.
The highlights of WG11 work in 2024 are a maturity analysis of O-RAN’s zero trust architecture (ZTA), specification of security requirements that protect the artificial intelligence (AI) and machine learning (ML) integral to operating an O-RAN deployment, publication of each of the four O-RAN security specification documents in each O-RAN publication train, preparation of these four documents for European Telecommunications Standards Institute (ETSI) publication, and establishment of a coordinated vulnerability disclosure (CVD) process for managing O-RAN vulnerabilities, along with the initial steps toward developing the O-RAN Security Assurance Program.
WG11 collaborates with the other O-RAN work groups to define the security requirements for the architecture elements, interfaces, network functions, and data as defined in Figures 1 and 2 below. These figures show the O-RAN detailed and abstract architecture views for the O-RAN defined interfaces (A1, O1, O2, E2, Y1, R1, Open Fronthaul, O-Cloud Notification, O-Cloud Accelerator Abstraction Layer (AAL), and the interface to external systems) and architecture elements (SMO, Non-Real Time RIC, Near-Real Time RIC, O-CU-CP, O-CU-UP, O-DU, O-RU, O-eNB, O-Cloud, xApp, and rApp). rApps and xApps execute within the Non- and Near-Real Time RICs respectively, while the AAL APIs are available to O-RAN network functions (NF) instantiated on the O-Cloud.
O-RAN security promises to deliver mobile network operators (MNO) an Open RAN that meets and exceeds industry expectations for an open, interoperable, and secure system including integration with their ZTA infrastructure such as SIEM/SOAR systems, PKI, and Identity and Access Management. Additionally, the focus on threat analysis and testing provides MNOs a framework for assessing risk and for testing security.
WG11’s four specification, testing and analysis documents were each updated in the O-RAN ALLIANCE March, July and November publications. The O-RAN Security Requirements and Controls Specifications [2] added new requirements for O-Cloud software image integrity and authenticity, authentication and authorization requirements for the O-Cloud acceleration abstraction layer, O2 authentication and authorization, O-Cloud security policies, O-Cloud secure environment, automated certificate management support for all NFs, input validation of data on the Fronthaul S- and C-Planes, Near Real Time RIC input validation on the E2 interface, optional support for IEEE 1588 TLV, optional support for MACsec on the Open Fronthaul C-, U- and S-Planes and PTP interfaces, AI/ML security requirements, A1 authentication and authorization, certificate revocation list support, and storage exhaustion detection for physical network functions.
Normative requirements for LDAP, OAuth 2.0 access tokens, and MACsec were added to the O-RAN Security Protocols Specification [3] and the existing SSH, TLS and DTLS requirements were updated. Significant for TLS is the mandatory requirement to support TLS 1.3.
A significant number of tests in the O-RAN Security Test Specifications [4] were updated and clarified including security protocol & API validation, common network security tests for O-RAN architecture elements, system and software security evaluations for O-RAN architecture elements, Open Fronthaul, security test of xApps, application instantiation deployment by O-Cloud, executive environment protection, and end-to-end security test cases.
The O-RAN Threat Model and Risk Analysis [5], which drives the development of O-RAN security requirements, now includes an analysis of over 160 distinct threats to the O-RAN interfaces, network functions, and other architecture elements. In 2024, WG11 identified new threats against a shared O-RU, cached application data, AI/ML, local O-RU user management, inconsistent log formats, O-Cloud, A1 interface, Open Fronthaul, PNFs, and Near Real Time RIC. Additionally, work has been initiated to improve the threat structure to align with STRIDE, providing a more comprehensive threat categorization and analysis.
Tables 1 and 2 summarize the state of O-RAN security with the significant 2024 updates bolded.
Table 1: O-RAN Interface Security
Two clarifications about the table are important. First, 802.1X port-based network access control (PNAC) provides authentication of the device plugging into a network port and controls access to send/receive network traffic. 802.1X PNAC [6] does not provide authenticity of data flowing across the C-plane, U-plane, S-plane, and M-plane interfaces between the O-DU and O-RU.
Second, the 3GPP Access Stratum (AS) Control Plane and User Plane messages transported via the Open Fronthaul U-Plane (LLS-UP) are confidentiality and integrity protected by Packet Data Convergence Protocol (PDCP). PDCP security controls remain in place when the message traverses the Open Fronthaul U-Plane. PDCP is specified by the 3GPP in TS 33.501 [7].
Cross-platform or transversal requirements apply to all O-RAN architecture elements and interfaces. 2024 saw the introduction of new security requirements for secure deletion of data, application decommissioning, security log management, certificate management, application security, and trust anchor provisioning. Table 2 lists the mandatory O-RAN requirements for each category of transversal requirements, with details provided in [2].
Table 2: O-RAN Cross-Platform Security Requirements
Since beginning its work in 2020, WG11 has assumed that O-RAN deployments would operate in a zero trust environment where an attacker is always assumed to be present. This assumption drove the O-RAN security requirements for continual authentication and authorization, protection of data at rest and in transit, and security event logging. As zero trust evolved to zero trust architecture (ZTA) with the publication of NIST’s Zero Trust Architecture [8], WG11 incorporated NIST’s seven tenets of zero trust into its development of O-RAN security requirements.
In 2024, WG11 published this approach in Zero Trust Architecture for Secure O-RAN [9] and kicked off an initiative to evaluate the maturity of the O-RAN zero trust architecture.
The O-RAN ZTA technical paper provides an analysis of the applicability of the seven NIST ZT tenets to O-RAN, the current state of O-RAN security requirements for confidentiality, integrity, availability, and authenticity to protect the cloud infrastructure, cloud-native architecture elements, interfaces, and data. It concludes by laying out the path to strengthen these requirements as new threats and new security technologies evolve.
The O-RAN ZTA maturity evaluation is a comparison of the O-RAN security requirements against the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM) [10]. ZTMM offers a framework for organizations implementing cybersecurity modernization initiatives by outlining a phased and incremental approach for the effective implementation of a ZTA across four stages: Traditional, Initial, Advanced, and Optimal, as illustrated in Figure 3. Emphasizing a comprehensive perspective, the model introduces five critical pillars for Zero Trust: Identity, Devices, Networks, Applications & Workloads, and Data. Each pillar is supported by distinct Pillar-specific Functions, delineating specific requirements that should be maintained across the four stages. The model also incorporates Cross-cutting Functions, which traverse all pillars and evolve throughout the four stages. These cross-cutting functions encompass Visibility and Analytics, Automation and Orchestration, and Governance.
The 2024 maturity assessment, led by the ZTA Work Item team, compared the O-RAN security standards to the ZTMM initial stage using the following methodology.
The detailed results, documented in the most recent publication of the O-RAN WG11 Study on Zero Trust Architecture for O-RAN technical report [11], showed that most of the O-RAN assets have security requirements consistent with the initial stage of the ZTMM. Identified gaps include automated access management and secure deployment processes. Closing these gaps and identifying requirements needed to achieve the advanced or optimal stages will be undertaken in 2025 and beyond.
AI and ML applications running as xApps and rApps in the Near- and Non-Real Time RICs are a key architecture component of O-RAN, enabling dynamic response using both local and global information. Without protections on the AI and ML, the xApps and rApps can be compromised, leading to data leakage and degraded, or even denied, service. In 2024, the AI/ML Work Item team analysed the threats to AI/ML in O-RAN using the 2023 OWASP Top 10 Machine Learning Security risks [12] and the 2021 AI/ML ENISA report on securing ML algorithms [13]. The threats and attacks identified by OWASP and ENISA include input manipulation, data poisoning, model inversion, membership inference, model stealing, AI supply chain attacks, transfer learning attacks, model skewing, output integrity attacks, and model poisoning. The analysis added 39 new threats to the O-RAN WG11 Threat Model and Risk Analysis technical report.
These 39 threats were analysed using the STRIDE model [14] to determine the threat type and the impact, which led to new security requirements being added to the O-RAN Security Requirements and Controls Specifications [2]. The requirements include
The O-RAN ALLIANCE has established a public program for researchers to report vulnerabilities found in O-RAN specifications and prototype software available from O-RAN Software Community (OSC). [O-RAN CVD Program]
Since September 2024, O-RAN WG11 and the Testing and Integration Focus Group (TIFG) have been collaboratively defining the O-RAN Security Assurance Program to evaluate the security and robustness of O-RAN architecture elements and systems based on the O-RAN Security Test Specifications. Additionally, WG11 and TIFG are actively developing all necessary materials for the program, including the Security Implementation Conformance Statement (ICS), the evaluation methodology, Security Assurance Specifications (SCAS), and other essential components.
2025 is expected to be another productive year for WG11. The ZTA work item will look to close the gaps identified by the 2024 maturity assessment and to evolve existing requirements to Advanced or even Optimal stage. The new Continuous Security Monitoring WI team will evaluate new O-RAN security requirements, such as the collection of additional data and real time streaming of security data to service provider SIEM/SOAR systems. Two other new WI teams, Security Configuration Management and Post-Quantum Cryptography (PQC), will develop requirements for security configuration management and plan for the adoption of PQC. The first European Telecommunications Standards Institute (ETSI) and Alliance for Telecommunications Industry Solutions (ATIS) publication of the O-RAN security specifications is expected later in 2025. WG11 will continue to enhance the security tests in the O-RAN Security Tests Specifications and publish the first version of the O-RAN Security Assurance Program.
[1] O-RAN.WG1.OAD-R003-v08.00: “O-RAN Architecture Description”
[2] O-RAN Security Requirements and Controls Specifications, version 11.0, O-RAN Alliance, February 2025.
[3] O-RAN Security Protocols Specifications, version 11.0, O-RAN Alliance, February 2025.
[4] O-RAN Security Tests Specifications, version 9.0, O-RAN Alliance, February 2025.
[5] O-RAN Security Threat Modeling and Risk Assessment, version 5.0, O-RAN Alliance, February 2025.
[6] "IEEE Standard for Local and Metropolitan Area Networks--Port-Based Network Access Control," IEEE Std 802.1X-2020 (Revision of IEEE Std 802.1X-2010 Incorporating IEEE Std 802.1Xbx-2014 and IEEE Std 802.1Xck-2018), 28 Feb. 2020, doi: 10.1109/IEEESTD.2020.9018454.
[7] 3GPP TS 33.501: "Security architecture and procedures for 5G System"
[8] NIST Special Publication 800-207, "Zero Trust Architecture", August 2020, https://doi.org/10.6028/NIST.SP.800-207
[9] “Zero Trust Architecture for Secure O-RAN,” https://mediastorage.o-ran.org/white-papers/O-RAN.WG11.ZTA%20for%20Secure%20O-RAN%20White%20Paper-2024-05.pdf
[10] Zero Trust Maturity Model (ZTMM), version 2.0, US DHS CISA, April 2023.
[11] “Study on Zero Trust Architecture for O-RAN,” version 2.00, O-RAN ALLIANCE, February 2025.
[12] OWASP Top 10 Machine Learning Security Risks, 2023 https://owasp.org/www-project-machine-learning-security-top-10/
[13] ENISA: “Securing Machine Learning Algorithms”; https://www.enisa.europa.eu/publications/securing-machine-learning-algorithms
[14] STRIDE Threat Model, Microsoft, "Threats - Microsoft Threat Modeling Tool - Azure", Microsoft Learn, last visited January 3, 2024.
[15] 3GPP TR 21.905: “Vocabulary for 3GPP Specifications”
by O-RAN ALLIANCE’s Security Work Group (WG11)