NESAS Briefing for ENISA Art 13a Open Day, Feb 2020. James Moran – Head of Security, jmoran@gsma.com, security@gsma.com, +44 (0)20 7356 0600, HQ - London, United Kingdom. GSMA Confidential

Aug 19, 2020

Transcript
Page 1

NESAS Briefing for ENISA Art 13a Open Day, Feb 2020

James Moran – Head of Security, jmoran@gsma.com

security@gsma.com, +44 (0)20 7356 0600, HQ - London, United Kingdom

GSMA Confidential

Page 2

Need for Security Improvements Recognised

• Hard-coded default passwords on network equipment (NE)

• Weak physical security of small cells

• Insecure design of NE and insufficient segregation

• Incomplete hardening of NE during integration

• Hardening of systems disappeared during release upgrade

• Security patches not installed even though they were available
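The failure modes listed on this slide (hard-coded default passwords, hardening that disappears during a release upgrade, available patches left uninstalled) are the kind of regression a configuration baseline check catches before a product is deployed. The Python script below is an added example and is not part of the GSMA briefing or of any NESAS or 3GPP test specification; the flat `key = value` config format, the setting names, the default-credential list and the patch identifiers are all constructed placeholders. It parses a configuration dump, flags accounts whose stored password hash matches a known factory default, lists baseline hardening settings that are missing or changed, and lists published patches that are not installed, using a hardened pre-upgrade dump and a post-upgrade dump where the hardening was silently reset.

```python
"""Hardening-baseline drift check for a network element (NE) configuration.

Added illustration, not part of the GSMA briefing. The flat 'key = value'
config format, the setting names, the patch identifiers and the default
credential list are all constructed placeholders.
"""
import hashlib
from dataclasses import dataclass, field

# Hardening baseline expected on every release (constructed settings).
HARDENING_BASELINE = {
    "ssh.protocol": "2",
    "telnet.enabled": "false",
    "http.enabled": "false",
    "snmp.version": "3",
    "mgmt.acl": "restricted",
    "login.password_min_length": "12",
}

# Factory-default credentials that must not survive into deployment
# (constructed placeholders; a real list comes from vendor documentation).
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "changeme"), ("operator", "operator")}
DEFAULT_CREDENTIAL_HASHES = {
    (user, hashlib.sha256(pw.encode()).hexdigest()) for user, pw in KNOWN_DEFAULT_CREDENTIALS
}

# Patches the vendor has published for this release train (constructed IDs).
AVAILABLE_PATCHES = {"PATCH-0001", "PATCH-0002", "PATCH-0003"}


@dataclass
class Findings:
    default_credentials: list = field(default_factory=list)
    hardening_regressions: list = field(default_factory=list)
    missing_patches: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.default_credentials or self.hardening_regressions or self.missing_patches)


def parse_config(text: str) -> dict:
    """Parse a flat 'key = value' NE config dump; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower()] = value
    return cfg


def find_default_credentials(cfg: dict) -> list:
    """Accounts whose stored SHA-256 password hash matches a known factory default."""
    hits = []
    for key, value in cfg.items():
        if key.startswith("user.") and key.endswith(".password_sha256"):
            user = key[len("user."):-len(".password_sha256")]
            if (user, value.lower()) in DEFAULT_CREDENTIAL_HASHES:
                hits.append(user)
    return sorted(hits)


def hardening_regressions(cfg: dict, baseline: dict = HARDENING_BASELINE) -> list:
    """Baseline settings that are missing or changed in the current config."""
    return sorted(key for key, expected in baseline.items() if cfg.get(key) != expected)


def missing_patches(cfg: dict, available: set = AVAILABLE_PATCHES) -> list:
    """Published patches not listed in 'patches.installed'."""
    installed = {p.strip() for p in cfg.get("patches.installed", "").split(",") if p.strip()}
    return sorted(available - installed)


def assess(config_text: str) -> Findings:
    """Run all three checks over one config dump."""
    cfg = parse_config(config_text)
    return Findings(find_default_credentials(cfg), hardening_regressions(cfg), missing_patches(cfg))


# Constructed sample: the hardened configuration as integrated for release 4.1.
PRE_UPGRADE_CONFIG = f"""
# release 4.1, hardened during integration
ssh.protocol = 2
telnet.enabled = false
http.enabled = false
snmp.version = 3
mgmt.acl = restricted
login.password_min_length = 12
user.admin.password_sha256 = {hashlib.sha256(b"Operator-set-passphrase-2020").hexdigest()}
patches.installed = PATCH-0001, PATCH-0002, PATCH-0003
"""

# Constructed sample: the same NE after a release upgrade silently reset hardening.
POST_UPGRADE_CONFIG = f"""
# release 4.2, upgraded in place
ssh.protocol = 2
telnet.enabled = true
http.enabled = true
snmp.version = 2c
login.password_min_length = 8
user.admin.password_sha256 = {hashlib.sha256(b"admin").hexdigest()}
patches.installed = PATCH-0001
"""

if __name__ == "__main__":
    for name, text in (("pre-upgrade", PRE_UPGRADE_CONFIG), ("post-upgrade", POST_UPGRADE_CONFIG)):
        print(name, assess(text))
```

Running the script reports the pre-upgrade dump as clean and, for the post-upgrade dump, the `admin` account back on its factory default, five hardening settings regressed (including `mgmt.acl`, which is absent rather than changed), and two published patches missing. Comparing password hashes against hashed defaults means the check runs on a config export without ever needing plaintext credentials, and treating a missing baseline key as a regression is what catches a hardening step that an upgrade dropped entirely.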

Page 3

Need for Alignment to Achieve Real Improvement

Different security assurance requirements for:

• Every single MNO and vendor relationship where operators define requirements

• Every country where security assurance of network equipment is regulated

Risks and consequences:

• Vastly different requirements across operators and countries

• Increased effort to meet all requirements

• Impossible to satisfy all demands due to conflicting requirements

• Increasing cost of network equipment

• Little actual security improvement

Page 4

Why now?

• Number and complexity of 3GPP-defined network functions ever growing

• Regulators, rightly, expect security assurance for mobile networks

• Increasing demand for consumer protection from stakeholders

• Security levels left to individual operators to agree bilaterally with vendors

• Absence of a mobile industry standard for network equipment security is unhelpful

Page 5

Industry Action Required

• Built-in security in network equipment

• Culture to consider security in all stages of development, deployment, and maintenance

• Objectively measurable level of security

The mobile industry needs to shape the future, cognizant of external stakeholders' needs.

Page 6

Motivation Behind NESAS

• Industry identified the need to encourage secure product development and lifecycle management for mobile infrastructure

• Concept developed long before geopolitical interest in 5G infrastructure grew to current levels

• Underlying goal to avert fragmented security requirements across the world

• Need for a scheme to provide a common global baseline on top of which operators or national agencies may put additional security requirements

• Objective is to provide an industry-wide security assurance framework to facilitate improvements in security levels across the whole industry

Page 7

Network Equipment Assurance Scheme (NESAS)

NESAS is

• A scheme to provide a baseline security level for 3GPP-defined functions

• Evolving, and able to be strengthened / extended

• Flexible, giving network vendors a choice of auditors and test labs

• Monitored by an oversight board to ensure relevance and that industry needs are met

NESAS is not

• A certification scheme

• A guarantee that a product is free from vulnerabilities

• A solution for end-to-end security assurance

• Concerned with network deployment, configuration and interfaces

• A replacement for operator or national security requirements

Page 8

NESAS & Where it fits

Lifecycle stages: Define, Design, Develop, Deploy, Operate, Maintain, Decommission. Actors along the chain: Standards Bodies, Vendor, Operator.

• Addresses the ‘Input’ side of the supply chain

• Aims to raise confidence in network products that operators ‘deploy’

• Evaluates the product (via test lab) AND the process used to develop it (via audit)

Page 9

NESAS Collaborative Scheme

The 3GPP SA3 working group defines the Network Functions Security Assurance Specifications (SCASes). GSMA defines the NESAS specifications and governs NESAS.

NESAS scope:

• Vendor process requirements & audit methodology

• Test laboratory accreditation

• Dispute resolution

NESAS governance:

• Define security requirements

• Maintain NESAS

• Appoint auditors

• Run dispute resolution

SCASes for Network Products:

• Security requirements

• Test cases

3GPP

• Defines product security requirements and test cases [1]

• Specified in Security Assurance Specifications – 13 published

GSMA

• Defines methodologies and process security requirements

• Appoints auditors and lists test labs

1. https://www.gsma.com/security/nesas-security-assurance-specifications/

Page 10

NESAS Elements

• Security assessment of vendors’ development and product lifecycle processes

• Accreditation of security test laboratories, in accordance with ISO 17025, to undertake product evaluations

• Product evaluations by competent test labs using standardised security requirements and test cases

Page 11

Product Development Security Assessment

Equipment Vendor

Network Product Development Process: Idea, Development, Testing, Product Launch

Network Product Lifecycle Processes: Change Management, Update/Upgrade, Shipping, End of Life

GSMA appoints the Auditor. The auditor applies the NESAS requirements to both the development process and the lifecycle processes and writes the Audit Report. GSMA publishes an audit summary (optional).

Page 12

Product Development and Lifecycle Requirements

Phases covered: Design, Implementation, Maintenance; all subject to Process Audit.

• Security by design

• Version control

• Change tracking

• Source code review

• Security testing

• Staff education

• Information security

• Build process and environment

• Vulnerability information and remedy

• Software integrity

• Documentation

• Source code governance

• Continuous improvement

• Security fix

• Security point of contact

Page 13

Test Lab Accreditation

NESAS Security Test Laboratory: testing, with the required equipment, capabilities and expertise

• A recognised ISO 17025 accreditation body accredits the laboratory, collaborating with a subject matter expert

• 3GPP SA3 test cases are applied

• GSMA defines the test procedures, which are applied

Page 14

Product Evaluations

The Audited Equipment Vendor builds the Network Product and creates the Evidence; it ships the product and sends the evidence to the NESAS Security Test Laboratory (ISO 17025 accredited in the context of NESAS). The Audit Report is also sent to the laboratory.

The laboratory applies the Test Procedures, evaluates the network product and the evidence (Testing and Evaluation), and writes and delivers the Evaluation Report.

Page 15

System Security

Product Test Requirements: 3GPP Functions, Hardening, Product Test

Test for each security function in the specification:

• Data and information protection

• Availability and integrity

• Authentication and authorization

• Operating system and web servers

• Traffic separation

• Avoid web server compromise

• Prevent remote code execution

• Reduce backdoor exposure

Page 16

Documents that make up NESAS

FS 13 Network Equipment Security Assurance Scheme – Overview: an overview document that describes NESAS and provides references to the other relevant documents, which describe the different aspects and processes of NESAS in greater detail

FS 14 Network Equipment Security Assurance Scheme – Security Test Laboratory Accreditation: defines the requirements for NESAS Security Test Laboratory accreditation and sets the standard against which accreditation is to be assessed and awarded

FS 15 Network Equipment Security Assurance Scheme – Product Development and Lifecycle Accreditation Methodology: describes the audit and accreditation process for vendor product development and lifecycle management and how to avail of it

FS 16 Network Equipment Security Assurance Scheme – Vendor Development and Product Lifecycle Security Requirements: defines the security requirements that must be satisfied by equipment vendors wishing to have their product development and lifecycle management processes assured

Page 17

Benefits

General:

• Security assurance scheme accepted and funded by industry

• Single scheme that is globally relevant

• Low barrier for innovation and entering markets

• Cost-effective scheme that drives security gains

• Extensible as needed

• Reuses mature models to deliver security gains

Operators and Vendors:

• Raise confidence and trust in equipment

• Increase transparency and comparability of security levels on offer

• Industry-defined requirements decrease the need for individual security requirements

• Provides reference requirements for use in procurement RFPs

• Avoids duplication / fragmentation

• Common set of assurance requirements

• Lowers duplication of work and security testing needs

• Highlights vendor ability to achieve/maintain security levels

• Encourages a security-by-design culture across the entire vendor community

• Reduces workload responding to operator procurement processes

Page 18

Getting involved

Equipment Vendors: get products and processes assessed and provide results

Operators: demand NESAS in tender processes from vendors

National Authorities: consider referring to NESAS in telecoms regulation

GSMA Member Confidential

Page 19

https://www.gsma.com/security/network-equipment-security-assurance-scheme/

https://www.gsma.com/security/supply-chain-toolbox/