Cybersecurity for cross-sector mobile phone networks
The Network Equipment Security Assurance Scheme, or NESAS for short, is a cross-industry scheme that is jointly defined by the 3rd Generation Partnership Project (3GPP) and the GSM Association (GSMA) in order to strengthen confidence in the IT security of a wide range of mobile phone network components. The testing of these network devices is carried out by independent testing service providers on the basis of firmly defined evaluation frameworks and security catalogs. In addition to product security, security over the entire product life cycle is also audited in a complementary procedure.
Lab and auditor – Two sides of the same coin
With over 25 years of experience in IT security, TÜVIT is a renowned and strong partner for manufacturers of network components in mobile phone networks of the latest generation.
For many years we have been operating a highly efficient hardware and software laboratory in Essen. Today, this know-how and our testing methodology form the basis for technical product testing according to 3GPP-defined Security Assurance Specifications (SCAS). With respect to NESAS, our laboratory has all the prerequisites for extended ISO 17025 accreditation.
And that is not all. TÜVIT carries out security assessments throughout the entire product life cycle process in accordance with the NESAS standard. This enables us to offer network equipment manufacturers a complete audit and testing portfolio from a single source.
The benefits to network equipment and component manufacturers
- Proof of IT security compliance with respect to relevant stakeholders such as network integrators and wireless network operators
- Manufacturers visibly document their development, maintenance and product security functions
- Internationally uniform security requirements enable benchmarking in global distribution
- The avoidance of globally inconsistent security requirements and conformity fragmentation facilitates the development process of secure network products
The audit process in detail
The Network Equipment Security Assurance Scheme (NESAS) is a security framework that consists of two interconnected test aspects. The test focus and the approximate procedure we follow in each part are described in the following sections.
Product Life Cycle Audits
Auditing based on the requirements of the GSM Association (GSMA)
Step 1 – The document review:
Within the framework of the life cycle audit performed by TÜVIT as an experienced audit company, all sites of a product manufacturer that are involved in development and production are initially audited on a document basis. The scope of the audit covers a large number of subject areas and comprises the design, development, implementation, testing and maintenance processes of manufacturers.
Step 2 – On-site audits:
As soon as the documentation situation can be certified as sufficient, on-site audits are carried out at all sites involved in the life cycle. Within this framework, the results of the document review are verified in situ.
The audit report:
The resulting audit report from both evaluation steps provides proof of a successfully completed life cycle audit based on the GSMA requirements. It also serves as input for the subsequent security evaluation of network components based on the 3GPP security catalogs. TÜVIT offers both auditing components from a single source – an efficiency gain for everyone!
We review these subject areas: CM system, source code checks, employee training courses, software integrity and security, software security tests, security by design, document accuracy.
Security Evaluation of Network Components
Product testing according to the 3GPP-defined security test cases
Step 1 – The basic test case:
The product testing part is strongly oriented towards the actual test object, i.e. the respective network component. The basic test case catalog TS 33.117 is a fixed test component in all cases. As is the case with the other test case catalogs (SCAS catalogs), it contains detailed instructions on which test scenarios are to be performed as part of the test and how they are to be documented.
Step 2 – The supplementary catalogs:
Depending on the product type, the security evaluation is also carried out on the basis of other supplementary catalogs. Across all product types, NESAS comprises 12 product-specific supplementary case catalogs.
Many years of experience in the testing business, test tools that have been developed in-house and cooperation with renowned partner companies in the 5G environment enable TÜVIT to test a wide range of network products in accordance with all test case catalogs anchored in the NESAS scheme.
We test these network products: 5G RAN, gNodeB, 5G Core UDG, UDM, UNC, UPCF, LTE eNodeB and much more.
About NESAS
The Network Equipment Security Assurance Scheme (NESAS) is a cross-industry, international security framework penned by the 3rd Generation Partnership Project (3GPP) and the GSM Association (GSMA) with the participation of globally operating telecommunications network operators, manufacturers, vendors and industry partners.
As a common basis, NESAS – together with other mechanisms – is aimed at contributing to an increase in the IT security level across the mobile communications industry by evaluating the security requirements of network components through independent, accredited testing service providers.
The security framework is divided into two sub-areas that build on one another. Based on the security requirements and an evaluation framework of the GSMA, the entire product development and product life cycle process of a network component and the manufacturer sites involved in it are audited. In a second stage, the security assessment of network devices is carried out using 3GPP-defined security test cases.
The integration of the first sub-area into the second audit level enables an efficient audit sequence. Measurable results also promote transparency in the security protection levels of the industry.
Frequently asked questions (FAQ):
No, the NESAS program does not certify any network products. Once the audit has been completed, manufacturers receive a transparent audit report that states whether the audit was successful. On request, companies that display interest in certification are provided with support by the TÜVIT test center for the certification process on the basis of other schemes (Common Criteria, Trusted Product and the like).
Yes, the auditing of the product life cycle and the security audit of the product can be carried out by different laboratories. The NESAS auditors appointed by the GSMA carry out the assessment of the product life cycle. The NESAS laboratories focus on the evaluation of network products based on the SCAS test case catalogs. TÜVIT offers both services from a single source.
The audit report of the life cycle audit is required as input for the test laboratory for product testing. During product testing, the points identified in the audit report are verified and the result is documented together with the test results in a product test report.