Progress on Network Equipment Security Assurance Scheme
https://huaweihub.com.au/huaweis-5g-passes-first-phases-of-nesas/
The global mobile communications industry has thrived over the last thirty or more years because of one thing more than any other – the adoption of globally developed and accepted standards.
By adopting globally accepted technical specifications that are independently developed and maintained, our industry has been able to achieve massive economies of scale in our equipment, which has helped deliver affordable communications around the world.
That’s one of the reasons we at Huawei are so proud that the global industry body the GSMA has announced that Huawei’s 5G technology has passed the first phase of its globally recognized Network Equipment Security Assurance Scheme (NESAS) – signifying to operators that our 5G kit is safe and secure to use.
Of course, every technology vendor will claim their kit is safe and secure, but it is only by allowing your product development and product lifecycle processes to be assessed, and your kit to be thoroughly tested by a scheme like NESAS that those claims can ever be independently verified.
NESAS is an industry-defined voluntary scheme through which vendors subject their product development, lifecycle processes and network equipment to a comprehensive security audit and testing against the currently active NESAS 1.0 release and its security requirements.
The NESAS, jointly defined by the 3rd Generation Partnership Project (3GPP) and the GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry.
It defines security requirements based on 3GPP technical specifications and an assessment framework for secure product development and product lifecycle processes, and a security evaluation scheme for network equipment, using the 3GPP-defined Security Assurance Specifications (SCAS) and test cases.
The NESAS is widely supported by security authorities around the world – including the European Network and Information Security Agency (ENISA) in the EU, the National Cybersecurity Agency of France (ANSSI) and the Federal Cyber Security Authority (BSI) in Germany – and by industry organizations globally.
The NESAS 1.0 release was finalized in October 2019 and since then two European firms (ATSEC and nccgroup) have been selected by the GSMA; Huawei, Ericsson, Nokia and ZTE openly support NESAS as a unified cybersecurity certification framework for mobile network equipment, and more than ten network operators have requested NESAS compliance before deploying 5G equipment in their countries.
Nokia, Ericsson, Huawei and ZTE have undergone an assessment and independent audit of their development and product lifecycle processes, in compliance with GSMA NESAS, to evidence how security is integrated into their design, development, implementation, and maintenance processes.
The second phase of NESAS will involve vendors submitting network equipment products to qualified test laboratories for evaluation, according to the NESAS evaluation scheme for network equipment.
The NESAS 1.0 framework was approved in October 2019 and the NESAS specifications will be further improved by the end of this year to meet the security assurance level in compliance with the EU Cyber Security Act. The current proposal incorporates: Penetration Tests, Cryptographic Analysis and Software Engineering, in alignment with the best industry standards and practices.
Furthermore, the NESAS – defined for mobile systems security – fully validates the characteristics of mobile communication services, in terms of threat analysis and modelling, and significantly simplifies the Common Criteria (CC), featuring short accreditation and evaluation time, and low cost, and meeting the development needs of new technologies, such as cloud, digitization, and software-defined everything.
The CC and the companion Common Methodology for Information Technology Security Evaluation (CEM) are intended for the IT industry and define no equipment test specifications for mobile communication in product process (PP).
Moreover, the CC cover the general R&D process and lifecycle management audit, but lack telecommunications-specific content such as 5G, and suffer from complicated accreditation, long evaluation periods, and high cost.
Currently the industry is actively working to integrate the SCAS and NESAS certification and accreditation frameworks, jointly defined by 3GPP and the GSMA, with the upcoming EU Toolbox and new Certification Scheme.
In particular, the German national cyber security authority (BSI) is working together with ENISA to adapt the 3GPP SCAS-GSMA NESAS model to the new European Cyber Security Act and achieve a high common level of cybersecurity across the Union in cooperation with the wider community.
In the process of evaluating the security of digital solutions and ensuring their trustworthiness, ENISA’s goal is to achieve a cyber-secure digital environment across the EU, where citizens can trust ICT products, services and processes through the deployment of certification schemes in key technological areas.
The 3GPP SCAS-GSMA NESAS process offers significant reassurance about the security status of a vendor’s entire portfolio, and any failure at any stage of the NESAS represents a significant setback for the vendor concerned.
As Huawei has repeatedly argued, we believe that schemes like NESAS provide exactly the right template for all countries to follow when they are evaluating cyber-security risks – there simply has to be a unified way to approach these issues globally.
That is why Huawei Australia recommends that the Australian Government – with the Australian Cyber Security Centre (ACSC) – establish a close collaboration with ENISA and international industry partners – such as the 3GPP and GSMA – on 5G security specifications and network equipment security assurance schemes.
The Australian Federal Government should be a major player among those organizations, support the continuous evolution of the 3GPP 5G technical specifications with evolving usage scenarios, adopt the GSMA NESAS/3GPP SCAS for testing and evaluating telecoms equipment, and enforce a certification and accreditation process, against a predetermined set of security standards and policies, for security authorization in Australia.
David Soldani is Chief Technology Officer at Huawei Australia