NESAS Briefing for ENISA Art 13a Open Day Feb 2020 James Moran – Head of Security [email protected] [email protected] +44 (0)20 7356 0600 HQ - London, United Kingdom GSMA Confidential
Aug 19, 2020
Need for Security Improvements Recognised
Hard-coded default passwords on network equipment (NE)
Weak physical security of Small Cells
Insecure design of NE and insufficient segregation
Incomplete hardening of NE during integration
Hardening of systems disappeared during release upgrade
Security patches not installed even though they were available
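The "hardening disappeared during release upgrade" failure listed above is one that an operator can catch mechanically: record the hardening settings applied at integration as a baseline, and diff the network element's effective configuration against that baseline after every upgrade. The block below is an added example and is not code from the GSMA briefing or from NESAS; the key = value configuration format, the setting names and the sample values are constructed for illustration (a real NE exports configuration in a vendor-specific format that would need its own parser).

```python
"""
Hardening-baseline drift check after a release upgrade.

Added example; not part of the NESAS briefing. The configuration format
(one 'key = value' per line) and every value below are constructed.
"""
from dataclasses import dataclass, field

# Constructed baseline: hardening settings recorded at integration time.
BASELINE = """
ssh.protocol = 2
ssh.password_auth = no
telnet.enabled = no
http.enabled = no
https.tls_min_version = 1.2
snmp.version = 3
snmp.community.public = disabled
login.banner = authorised-use-only
"""

# Constructed post-upgrade export: the upgrade re-enabled telnet, rolled the
# TLS floor back to a factory value and dropped the SNMP community setting.
AFTER_UPGRADE = """
ssh.protocol = 2
ssh.password_auth = no
telnet.enabled = yes
http.enabled = no
https.tls_min_version = 1.0
snmp.version = 3
login.banner = authorised-use-only
firmware.version = 4.2.0
"""


def parse_config(text):
    """Parse 'key = value' lines into a dict, ignoring blanks and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed configuration line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


@dataclass
class DriftReport:
    missing: dict = field(default_factory=dict)  # key -> expected value
    changed: dict = field(default_factory=dict)  # key -> (expected, actual)
    added: dict = field(default_factory=dict)    # key -> value not in baseline

    @property
    def drifted(self):
        """Missing or changed hardening settings are drift; additions are only noted."""
        return bool(self.missing or self.changed)


def check_drift(baseline_text, current_text):
    """Compare the current configuration against the recorded hardening baseline."""
    baseline = parse_config(baseline_text)
    current = parse_config(current_text)
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in current:
            report.missing[key] = expected
        elif current[key] != expected:
            report.changed[key] = (expected, current[key])
    for key, value in current.items():
        if key not in baseline:
            report.added[key] = value
    return report


if __name__ == "__main__":
    report = check_drift(BASELINE, AFTER_UPGRADE)
    for key, expected in report.missing.items():
        print(f"MISSING  {key} (baseline: {expected})")
    for key, (expected, actual) in report.changed.items():
        print(f"CHANGED  {key}: {expected} -> {actual}")
    for key, value in report.added.items():
        print(f"ADDED    {key} = {value}")
    print("hardening drift detected" if report.drifted else "no drift")
```

Settings that were added by the upgrade are reported separately rather than treated as drift, because a new firmware version legitimately introduces new keys; a practitioner would review those and fold the agreed values into the next baseline.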
Need for Alignment to Achieve Real Improvement
Risks: different security assurance requirements for
• Every single MNO and vendor relationship where operators define requirements
• Every country where security assurance of network equipment is regulated
Consequences:
• Vastly different requirements across operators and countries
• Increased effort to meet all requirements
• Impossible to satisfy all demands due to conflicting requirements
• Increasing cost of network equipment
• Little actual security improvement
Why now?
Number and complexity of 3GPP defined network functions ever growing
Regulators, rightly, expect security assurance for mobile networks
Increasing demand for consumer protection from stakeholders
Security levels left to individual operators to agree bilaterally with vendors
Absence of mobile industry standard for network equipment security unhelpful
Industry Action Required
Built-in security in network equipment
Culture to consider security in all stages of development, deployment, and maintenance
Objectively measurable level of security
The mobile industry needs to shape the future, cognizant of external stakeholders' needs
Motivation Behind NESAS
Industry identified the need to encourage secure product development and lifecycle management for mobile infrastructure
Concept developed long before geopolitical interest in 5G infrastructure grew to current levels
Underlying goal to avert fragmented security requirements across the world
Need for a scheme to provide a common global baseline on top of which operators or national agencies may put additional security requirements
Objective is to provide an industry-wide security assurance framework to facilitate improvements in security levels across the whole industry.
Network Equipment Assurance Scheme (NESAS)
NESAS is
A scheme to provide a baseline security level for 3GPP defined functions
Evolving and will be able to be strengthened / extended
Flexible by giving network vendors a choice of auditors and test labs
Monitored by an oversight board to ensure relevance and industry needs are met
NESAS is not
A certification scheme
A guarantee that a product is free from vulnerabilities
A solution for end-to-end security assurance
Concerned with network deployment, configuration and interfaces
A replacement for operators or national security requirements
NESAS & Where it fits
Lifecycle stages shown: Define, Design, Develop, Deploy, Operate, Maintain, Decommission
Actors shown: Standards bodies, Vendor, Operator
• Addresses the ‘Input’ side of the supply chain
• Aims to raise confidence in network products that operators ‘deploy’
• Evaluates the product (via test lab) AND the process used to develop it (via audit)
NESAS Collaborative Scheme
3GPP SA3 defines the Security Assurance Specifications (SCASes) for network products:
• Security requirements
• Test cases
GSMA defines the NESAS specifications. NESAS scope:
• Vendor process requirements and audit methodology
• Test laboratory accreditation
• Dispute resolution
GSMA governs NESAS. NESAS governance:
• Define security requirements
• Maintain NESAS
• Appoint auditors
• Run dispute resolution
In summary:
3GPP: defines product security requirements and test cases, specified in Security Assurance Specifications (13 published) [1]
GSMA: defines methodologies and process security requirements; appoints auditors and lists test labs
1. https://www.gsma.com/security/nesas-security-assurance-specifications/
NESAS Elements
Security assessment of vendors’ development and product lifecycle processes
Accreditation of security test laboratories, in accordance with ISO 17025, to undertake product evaluations
Product evaluations by competent test labs using standardised security requirements and test cases
Product Development Security Assessment
Equipment Vendor
• Network Product Development Process: Idea, Development, Testing, Product Launch
• Network Product Lifecycle Processes: Change Management, Update/Upgrade, Shipping, End of Life
GSMA appoints the Auditor. The Auditor applies the NESAS requirements to both the development process and the lifecycle processes and writes the Audit Report. GSMA publishes an audit summary (optional).
Product Development and Lifecycle Requirements
Process audit across Design, Implementation and Maintenance:
• Security by design
• Version control
• Change tracking
• Source code review
• Security testing
• Staff education
• Information security
• Build process and environment
• Vulnerability information and remedy
• Software integrity
• Documentation
• Source code governance
• Continuous improvement
• Security fix
• Security point of contact
Test Lab Accreditation
A NESAS Security Test Laboratory is accredited by a recognised ISO 17025 accreditation body, which collaborates with a subject matter expert during the accreditation.
Applied to the laboratory's testing:
• Test procedures defined by 3GPP SA3
• Equipment, capability and expertise requirements defined by GSMA
Product Evaluations
Audited Equipment Vendor: builds the Network Product and creates the Evidence; ships the product and sends the evidence to the NESAS Security Test Laboratory (ISO 17025 accredited in the context of NESAS).
The vendor's Audit Report is also sent to the laboratory and applied in the evaluation.
NESAS Security Test Laboratory: applies the Test Procedures, carries out Testing and Evaluation of the network product and the evidence, then writes and delivers the Evaluation Report.
Product Test Requirements
Product test: test for each security function in the specification
3GPP Functions:
• Data and information protection
• Availability and integrity
• Authentication and authorization
System Security:
• Operating system and web servers
• Traffic separation
Hardening:
• Avoid web server compromise
• Prevent remote code execution
• Reduce backdoor exposure
Documents that make up NESAS
FS.13 Network Equipment Security Assurance Scheme – Overview: an overview document that describes NESAS and provides references to the other relevant documents, which describe the different aspects and processes of NESAS in greater detail
FS.14 Network Equipment Security Assurance Scheme – Security Test Laboratory Accreditation: defines the requirements for NESAS Security Test Laboratory accreditation and sets the standard against which accreditation is to be assessed and awarded
FS.15 Network Equipment Security Assurance Scheme – Product Development and Lifecycle Accreditation Methodology: describes the audit and accreditation process for vendor product development and lifecycle management and how to avail of it
FS.16 Network Equipment Security Assurance Scheme – Vendor Development and Product Lifecycle Security Requirements: defines the security requirements that must be satisfied by equipment vendors wishing to have their product development and lifecycle management processes assured
Benefits
General
• Security assurance scheme accepted and funded by industry
• Single scheme that is globally relevant
• Low barrier for innovation and entering markets
• Cost-effective scheme that drives security gains
• Extensible as needed
• Reuses mature models to deliver security gains
Operators
• Raise confidence and trust in equipment
• Increase transparency and comparability of security levels on offer
• Industry-defined requirements decrease the need for individual security requirements
• Provides reference requirements for use in procurement RFPs
• Avoids duplication / fragmentation
Vendors
• Common set of assurance requirements
• Lowers duplication of work and security testing needs
• Highlights vendor ability to achieve/maintain security levels
• Encourages a security-by-design culture across the entire vendor community
• Reduces workload responding to operator procurement processes
Getting involved
Equipment Vendors: get products and processes assessed and provide results
Operators: demand NESAS from vendors in tender processes
National Authorities: consider referring to NESAS in telecoms regulation
https://www.gsma.com/security/network-equipment-security-assurance-scheme/
https://www.gsma.com/security/supply-chain-toolbox/