The value of certification schemes from a MNO perspective - Sergio Cozzolino
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Bruxelles, 25th May 2022
TIM Group
The value of certification schemes from a
MNO perspective
EU CyberAct 22
Sergio Cozzolino
TIM - Uso Interno - Tutti i diritti riservati.
Agenda
• Certification schemes as common framework for
the Telco industry
• GSMA Certification schemes: NESAS-SAS
• The main benefits adopting a certification scheme
• Conclusions
TIM - Uso Interno - Tutti i diritti riservati.
Agenda
• Certification schemes as common framework for
the Telco industry
• GSMA Certification schemes: NESAS-SAS
• The main benefits adopting a certification scheme
• Conclusions
TIM - Uso Interno - Tutti i diritti riservati.
“Certification” schemes: high complexity for secure networks
NESAS governance
3GPP • Define security
3GPP requirements
TSG3GPP • Maintain NESAS
TSG • Appoint auditors
TSG • Run dispute resolution
NIS-CG
Technical Specification
Groups
CSA • Define network security and
resilience requirements on
CSA risk categories: 5G and fiber networks;
• Basic
• Substantial • contribute to unified
3GPP
• High
standards;
GSMA • identify toolbox of
TSG SA3
appropriate, effective risk
• Self- Assessment
• Third party evaluation management measures;
• National Cybersecurity
Certification Authority • enforce tailored and risk-
SCAS
NESAS based certification schemes
NESAS scope
SCASes for • Vendor processes
Network Products requirements & audit
• Security Requirements methodology
• Test cases • Test laboratories
accredition
• Dispute resolution
Ensure effective assurance testing for
equipment, systems and software and
support specific evaluation arrangements
TIM - Uso Interno - Tutti i diritti riservati.
Agenda
• Certification schemes as common framework for
the Telco industry
• GSMA Certification schemes: NESAS-SAS
• The main benefits adopting a certification scheme
• Conclusions
TIM - Uso Interno - Tutti i diritti riservati.
NESAS principles
• Vendor product and development lifecycle process requirements are taken from
FS.16
• NESAS auditors are independent 3rd parties, are selected by a defined authority, and
meet defined eligibility criteria
• Vendor assessment is a prerequisite to product evaluation
• On-site audit duration is of the order of four to five days Network
equipment
• Test labs are accredited to ISO 17025
• Product evaluation is performed against standards, the SCASs
• Summary reports (not only certificates) are published for transparency
TIM - Uso Interno - Tutti i diritti riservati.
NESAS elements
Security assessment of vendors’ development and product lifecycle
processes
NESAS Development and Lifecycle Assessment Methodology – FS.15
Describes the assessment and audit process for Vendor Development and Product Lifecycle Processes
NESAS Development and Lifecycle Security Requirements - FS.16
Defines security requirements for an Equipment Vendor’s Development and Product Lifecycle Processes
NESAS Audit Guidelines – FS.46
Describes guidelines, tips and information on how to prepare for and carry out a Vendor Development and Product Lifecycle Process
audit
Accreditation of security test laboratories, in accordance with ISO/IEC
17025, to undertake product evaluations
NESAS Test Laboratory Accreditation – FS.14
Defines the requirements for NESAS Security Test Laboratories and sets the standard against which accreditation is to be assessed and awarded.
Product evaluations by competent test labs using standardised security
requirements and test cases
NESAS Product and Evidence Evaluation Methodology – FS.46
Establishes how the product and evidence evaluation is done at the procedural and operational level
TIM - Uso Interno - Tutti i diritti riservati.
Vendor Process –Product Development/Assessment
• Launch FS.16 REQ-01
• Concept definition
• Development • Changes FS.16 REQ-02 Vendor processes assessment
• Update …….
• Testing
• Delivery • End of life
0 1 2 3
Dev. Lifecycle
process process
Product Product
Audit results can be
A development lifecycle
process process
supplied (FS.15) to
Product Product Conformance Independent Audit Report GSMA and a summary
development lifecycle Claim audit report published on
process process NESAS website
Equipment Vendor Equipment Vendor Audit Team Audit Team writes
defines security- assesses and independently audits Audit Report and
related processes declares conformity to vendor processes agrees it with
NESAS requirements Equipment Vendor
Preparatory step Self-assessment Independent audit
A
It could be applied to multiple The vendor issue a Vendors can select which appointed auditing
network products and multiple Conformance Claim company they wish to perform audits Prerequisite for
processes providing evidence of independent audit:
filled and signed
compliance Conformance Claim
TIM - Uso Interno - Tutti i diritti riservati.The role of Test labs
• Test lab contacts recognised ILAC member ISO/IEC 17025 accreditation body with a request to be ISO/IEC 17025
audited and accredited
• After ISO/IEC 17025 accreditation has been achieved the test lab informs GSMA and provides copy ISO/IEC 17025
certificate, referencing NESAS
• A test lab should demonstrate relevant knowledge and capabilities with telecom equipment and networks including
security architecture, interfaces, protocols, interaction procedures and messages, typical attack surfaces, attack
patterns and vulnerabilities
• GSMA publishes test lab details on NESAS website (8 recognized labs March 22)
• Test labs evaluate a network product according to one or several 3GPP SCASs
• Test labs also evaluate Compliance Evidence that products were developed in adherence to audited processes
• Process defined for how a security test laboratory can become accredited in accordance with NESAS
NESAS Security Test Laboratory
Testing
Recognised
ISO 17025
Accreditation accredits
Body
Test Equipment Capabilities Expertise
Procedures
collaborate
Subject
applied
applied
Matter
Expert
defines GSMA
3GPP
SA3
TIM - Uso Interno - Tutti i diritti riservati.Use of Vendor Assessment Results
Equipment The audit report contains results of the security tests and
Vendor evidence evaluation provided to vendor
provides – Company names and contact details of test lab and vendor
– Description of product e.g. software, hardware, interfaces, data,
services and scope
– Product name, version and description of product configuration
– Version of GSMA document FS.47, evaluation methodology, followed
– Details of the location(s) at which the evaluation was performed
Audit Report Audit – Description of the test environment
Summary
Report – Timeline of the evaluation activities
– List of SCAS documents, and versions, used
– Details of product or system component elements not have been
tested
– Details of product and operational documentation provided by the
Nation State Other Entity Mobile Network GSMA public vendor
Authority Operator Web Site – List of all test cases, test names and test results executed
– Description of test cases executed and documentation used to do so
– Details of vulnerability testing undertaken and tools used
– NESAS Audit Report version and list of evidence examined
• Demonstrate capability to create secure
products
TIM - Uso Interno - Tutti i diritti riservati.eSIM: RSP Certification process
TIM - Uso Interno - Tutti i diritti riservati.TIM - Uso Interno - Tutti i diritti riservati.
eSIM: eUICC Certification process
TIM - Uso Interno - Tutti i diritti riservati.eSIM: EUM Certification process
TIM - Uso Interno - Tutti i diritti riservati.Agenda
• Certification schemes as common framework for
the Telco industry
• GSMA Certification schemes: NESAS-SAS
• The main benefits adopting a certification scheme
• Conclusions
TIM - Uso Interno - Tutti i diritti riservati.….from certification schemes to products evaluation
TIM - Uso Interno - Tutti i diritti riservati.Certification schemes: main stakeholders
NESAS scheme
Official/Governmental
Compliance
Equipment/Platform Equipment/Platform information security Agencies
/Product Vendor#A /Product Vendor#B and Regulators
Security
reinforcement Endorsment of
NESAS scheme as
Reduced costs
baseline
based on common
Standards set of security
Compliance requirements Interoperability/
interworking National
security Requirements
Mobile Network Operators
MNO’s security
Requirements
TIM - Uso Interno - Tutti i diritti riservati.Certification schemes: how are used by MNOs
• Certifcation and compliance with the main schemes are part of the procurement process of each MNO
• Even if MNOs refer to NESAS there is no certification of equipment vendors or network equipment unless they
refer to CABs (as recognised authorities).
• The majority of MNOs define their own security requirements which cover also interoperability and interworking
between network equipments provided by different vendors. These are not usually covered by the NESAS scheme
• End to end security is not part of the scheme and it’s up to the MNO to self-assess their own network
infrastructure configuration. In some cases as part of national requirements they need to obtain additional
certifications by accredited national laboratories.
• MNOs can take more informed decisions on equipment vendor and product selection based on NESAS audit
reports and evaluation reports.
• It is generally acknowledged that the absence of undocumented functionality (e.g. backdoors, malware, etc.)
cannot be proved in network equipment cannot be guaranteed and this is also the case for NESAS.
TIM - Uso Interno - Tutti i diritti riservati.Network evolution O-RAN scenario
SMD
SW Development
RIC
services
Operating Systems
CU Network
Network
Deployment
Integration
Processors DU And
Transport Platform
Operation
Accelerators Edge Server Test
Central O-Cloud
Automation
RF Semiconductors RU SW
Edge O-Cloud Test
Equipment
RF Components RU HW RU
Sub-sub-components Subcomponents & services Network Components Network Operations
TIM - Uso Interno - Tutti i diritti riservati.Network evolution O-RAN scenario
• SW and HW decoupling as well distributed edge nodes and open solutions is part of the strategy of the majority of
MNOs.
• The configuration scenarios could be different even if referring to the same element components.
• Complexity due to open and cloud-based architectures is combined with transparency of new open interfaces to allow
increase scrutiny and monitoring of vulnerabilities and failures.
• A risk-based threat modeling and remediation analysis has been conducted within the O-RAN Alliance in line with ISO
27005 for building an effective security O-RAN architecture
• A Zero Trust Architecture (ZTA), as defined in NIST Special Publication 800-207, assumes no implicit trust between O-RAN
components and any other parts of the infrastructure.
• The O-RAN SFG (Security Focus Group) has already deployed:
• O-RAN Security Requirements Specifications v2.0
• O-RAN Security Threat Modeling and Remediation Analysis 2.1
• O-RAN Security Protocols Specifications v3.0
• O-RAN Security Tests Specifications v1.0
and additional security docs are in progress (e.g. O-Cloud,API security, Application Life Cycle Management, Security
logging, AI/ML security,….)
The next releases of NESAS/NIS should take into account the O-RAN scenario to provide a broader and secure architecture
modelling based on the network evolutions
TIM - Uso Interno - Tutti i diritti riservati.Agenda
• Certification schemes as common framework for
the Telco industry
• GSMA Certification schemes: NESAS-SAS
• The main benefits adopting a certification scheme
• Conclusions
TIM - Uso Interno - Tutti i diritti riservati.Conclusions
• Certification schemes are a baseline of common security tests, and a collaborative approach is necessary to achieve
security levels which satisfy all the stakeholders (equipment vendors, operators, national regulators and authorities,
and mobile users)
• The risk of conflicting local/national requirements emerging poses even greater difficulty for equipment vendors
seeking to produce products for a global market. This fragmentation has the potential to significantly raise the level
of effort and cost for MNOs
• The complexity of the various 5G usage scenarios requires a consolidated and integrated approach to prepare the
next move towards smart end-to-end security for future connected systems that will serve a plethora of vertical
domains and applications across various market sectors provisioned through logical and self-contained network
slices (supported by platforms) running on multiple administrative domains and for which the level of security
offered would be a key acceptance factor.
• The upgrade of schemes should be aligned to the latest networks evolutions (e.g. ORAN) to guarantee continuous
protection and security by design infrastructure implementations
• MNOs should contribute to unified standards; identify toolbox of appropriate, effective risk management measures;
enforce tailored and risk-based certification schemes to achieve network security and resilience requirements on
5G and fiber networks
TIM - Uso Interno - Tutti i diritti riservati.Thanks
TIM - Uso Interno - Tutti i diritti riservati.You can also read
