GSMA NESAS Life Cycle and Product Testing

Cybersecurity for cross-sector mobile phone networks

NESAS, which stands for Network Equipment Security Assurance Scheme, is a cross-industry scheme that was jointly defined by the 3rd Generation Partnership Project (3GPP) and GSM Association (GSMA) in order to strengthen confidence in the IT security of a wide range of mobile phone network systems and components. The testing of these network devices is carried out by independent testing services providers on the basis of firmly defined evaluation frameworks and security catalogues. In addition to product security, the aspect of security over the entire product life cycle is also audited in a complementary procedure.

Lab and auditor – Two sides of the same coin

With over 25 years of experience in evaluation and testing of IT security, TüViT is a renowned and strong partner for manufacturers of network components in mobile phone networks of the latest generation.

For many years we have been operating a highly efficient hardware and software laboratory in Essen. Today, this know-how and our testing methodology form the basis for technical product testing according to 3GPP-defined Security Assurance Specifications (SCAS). With respect to NESAS, our laboratory has all the requirements for extended ISO 17025 accreditation at its disposal.

And that is not all. TüViT carries out security assessments throughout the entire product life cycle process in accordance with the NESAS standard. This enables us to offer network equipment manufacturers a complete audit and testing portfolio from a single source.

TüViT is officially the first - and so far only - test center for NESAS CCS-GI.

This is now (as of 15th July 2022) proven in black and white by the certificate of recognition from the German Federal Office for Information Security (BSI). From now on, clients can engage us to test mobile communications components in accordance with the national certification scheme for 5G mobile communications equipment. Learn more about NESAS: security evaluation

The audit process in detail

The Network Equipment Security Assurance Scheme (NESAS) is a security framework that consists of two interconnected test aspects. The test focus and the approximate procedure we follow for each aspect are described in the sections below.

Product Life Cycle Audits

Auditing based on the requirements of the GSM Association (GSMA)

Step 1: The document review:

Within the framework of the life cycle audit performed by TüViT as an experienced audit company, all sites of a product manufacturer that are involved in development and production are initially audited on a document basis. The scope of the audit covers a large number of subject areas and comprises the design, development, implementation, testing and maintenance processes of manufacturers.

Step 2: On-site audits:

As soon as the documentation has been found to be sufficient, on-site audits are carried out at all sites involved in the life cycle. Within this framework, the results of the document review are verified in situ.

The audit report:

The resulting audit report from both evaluation steps provides proof of a successfully completed life cycle audit based on the GSMA requirements. It also serves as input for the following security evaluation of network components based on the 3GPP security catalogs. TüViT offers both auditing components from a single source – an efficiency gain for everyone! More on the security evaluation.

Security Evaluation of Network Components

Product testing according to the 3GPP-defined security test cases

Step 1: The basic test case:

The product testing part is strongly oriented towards the actual test object, i.e. the respective network component. The basic test case catalog TS 33.117 is a fixed test component in all cases. As is the case with the other test case catalogs (SCAS catalogues), it contains detailed instructions on which test scenarios are to be performed as part of the test and how they are to be documented.

Step 2: The supplementary catalogs:

Depending on the product type, the security evaluation is also carried out on the basis of other supplementary catalogs. Across all product types, NESAS comprises 12 product-specific supplementary case catalogs.

Many years of experience in the testing business, test tools that have been developed in-house and cooperations with renowned partner companies in the 5G environment enable TüViT to test a wide range of network products in accordance with all test case catalogs anchored in the NESAS scheme.

We test these network products: 5G RAN, gNodeB, 5G Core UDG, UDM, UNC, UPCF, LTE eNodeB and many more

Frequently asked questions (FAQ):

Q: Is NESAS a certification scheme?

No, the NESAS program does not certify any network products. Once the audit has been completed, manufacturers receive a transparent audit report that states whether the audit was successful. On request, companies that display interest in certification are provided with support by the TüViT test center for the certification process on the basis of other schemes (Common Criteria, TüViT SQ, etc.).

Q: Do differences exist between the auditor and the security testing laboratory?

Yes, the auditing of the product life cycle and the security audit of the product can be carried out by different laboratories. The NESAS auditors appointed by the GSMA carry out the assessment of the product life cycle. The NESAS laboratories focus on the evaluation of network products based on the SCAS test case catalogs. TüViT offers both services from a single source.

Q: How are life cycle reports and product tests related to one another?

The audit report of the life cycle audit is required as input for the test laboratory for product testing. During product testing, the points identified in the audit report are verified and the result is documented together with the test results in a product test report.
