ENISA: 5G Cybersecurity Standards - Analysis of standardisation requirements in support of cybersecurity policy (English edition) (82 pages).pdf

5G CYBERSECURITY STANDARDS
Analysis of standardisation requirements in support of cybersecurity policy
MARCH 2022

ABOUT ENISA

The European Union Agency for Cybersecurity, ENISA, is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union's infrastructure and, ultimately, to keep Europe's society and citizens digitally secure. More information about ENISA and its work can be found here: www.enisa.europa.eu.

CONTACT

For contacting the authors please use erika.magonara@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.

AUTHORS

François Cosquer, François Zamora, Alf Zugenmaier

EDITORS

Erika Magonara, Sławomir Górniak (ENISA)

ACKNOWLEDGEMENTS

ENISA would like to thank Ms. Elżbieta Andrukiewicz and Mr. Jordi Batalla for their support to the study, reviews and comments.

LEGAL NOTICE

This publication represents the views and interpretations of ENISA, unless stated otherwise. It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to Regulation (EU) 2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information purposes only and it must be accessible free of charge. All references to it or its use as a whole or partially must contain ENISA as its source. Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external sources including external websites referenced in this publication. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. ENISA maintains its intellectual property rights in relation to this publication.

COPYRIGHT NOTICE

© European Union Agency for Cybersecurity (ENISA), 2022

This publication is licensed under CC-BY 4.0. "Unless otherwise noted, the reuse of this document is authorised under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/). This means that reuse is allowed, provided that appropriate credit
is given and any changes are indicated." For any use or reproduction of photos or other material that is not under the ENISA copyright, permission must be sought directly from the copyright holders.

ISBN 978-92-9204-568-5
DOI 10.2824/700472

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1. INTRODUCTION
1.1 DOCUMENT PURPOSE AND OBJECTIVES
1.2 OVERVIEW AND STRUCTURE OF THE STUDY
1.3 TARGET AUDIENCE AND PREREQUISITES
2. SCOPE, DEFINITIONS, AND CONVENTIONS
2.1 THE 5G ECOSYSTEM
2.1.1 5G technological and functional domains
2.1.2 Technology lifecycle processes
2.1.3 5G Stakeholders
2.1.4 5G Security domains, objectives and measures
2.2 TAXONOMY OF DOCUMENTS CONSIDERED
3. POSITIONING AND ASSESSMENT OF REFERENCE DOCUMENTS IN THE 5G ECOSYSTEM
3.1 METHODOLOGY FOR THE ASSESSMENT OF COVERAGE
3.2 CONSOLIDATED RESULTS
4. IDENTIFICATION OF GAPS IN STANDARDISATION
4.1 METHODOLOGY FOR THE IDENTIFICATION OF GAPS IN THE EXISTING LITERATURE
4.2 ASSESSMENT OF COVERAGE AND IDENTIFICATION OF GAPS IN STANDARDISATION
4.3 OVERVIEW OF GAPS BY SECURITY DOMAIN
4.4 OBSERVATIONS ON THE GAPS IN STANDARDISATION
4.5 ADDITIONAL LEARNINGS AND OBSERVATIONS
5. RECOMMENDATIONS
5.1 ADOPT A PROGRESSIVE APPROACH TO 5G STANDARDISATION
5.2 HAVE A BROADER VIEW ON THE CREATION OF NEW REFERENCES
5.3 FOSTER THE MATURITY AND THE COMPLETENESS OF THE IDENTIFICATION AND ASSESSMENT OF RISK
5.3.1 ENISA's methodology for sectoral cybersecurity assessment
5.4 FINAL OBSERVATIONS
6. BIBLIOGRAPHY
A.1 DOCUMENT TYPOLOGIES DEFINED BY THE EU REGULATION
A.2 DOCUMENT TYPOLOGIES DEFINED BY ISO
A.3 REFERENCING THE 5G TECHNICAL AND FUNCTIONAL DOMAINS
A.4 REFERENCING THE STAKEHOLDERS
A.5 REFERENCING THE EXISTING LITERATURE
A.6 DETAILED MAPPING
  D1 - GOVERNANCE AND RISK MANAGEMENT
    SO 1 - Information security policy
    SO 2 - Governance and risk management
    SO 3 - Security roles and responsibilities
    SO 4 - Security of third-party dependencies
  D2 - HUMAN RESOURCES SECURITY
    SO 5 - Background checks
    SO 6 - Security knowledge and training
    SO 7 - Personnel changes
    SO 8 - Handling violations
  D3 - SECURITY OF SYSTEMS AND FACILITIES
    SO 9 - Physical and environmental security
    SO 10 - Security of supplies
    SO 11 - Access control to network and information systems
    SO 12 - Integrity of network and information systems
    SO 13 - Use of encryption
    SO 14 - Protection of security critical data
  D4 - OPERATIONS MANAGEMENT
    SO 15 - Operational procedures
    SO 16 - Change management
    SO 17 - Asset management
  D5 - INCIDENT MANAGEMENT
    SO 18 - Incident management procedures
    SO 19 - Incident detection capability
    SO 20 - Incident reporting and communication
  D6 - BUSINESS CONTINUITY MANAGEMENT
    SO 21 - Service continuity strategy and contingency plans
    SO 22 - Disaster recovery capabilities
  D7 - MONITORING, AUDITING AND TESTING
    SO 23 - Monitoring and logging policies
    SO 24 - Exercise contingency plans
    SO 25 - Network and information systems testing
    SO 26 - Security assessments
    SO 27 - Compliance monitoring
  D8 - THREAT AWARENESS
    SO 28 - Threat intelligence
    SO 29 - Informing users about threats

EXECUTIVE SUMMARY

The ambition of this report is to outline the contribution of standardisation to the mitigation of technical risks, and therefore to trust and resilience, in the 5G ecosystem. The 5G ecosystem considered in this report is a multi-dimensional space encompassing not only technological and functional domains, but also the related technology lifecycle processes and stakeholders. This report focuses on standardisation from a technical and organisational perspective. Considerations of the effectiveness of specific standards and of the strategic aspects related to 5G security, although important, are outside the scope of this report.

Accordingly, this report:
- Collects standards, specifications and guidelines [1] relevant to the cybersecurity of the 5G ecosystem that had been published, either as drafts or in their final versions, by September 2021;
- Positions them within the defined 5G ecosystem by assessing the extent to which they address security objectives;
- Identifies gaps in standardisation by comparing the existing literature against an ideal situation of cybersecurity robustness and resilience, where standardisation addresses the necessary technical and organisational security aspects;
- Formulates recommendations on standardisation in the area of 5G cybersecurity.

The report collects and analyses more than 140 documents and positions them across 150 security measures. The main observations that can be derived from the analysis are the following.
- All in all, available standards, specifications and guidelines are general. They can be applied consistently to the 5G technical and functional domains and related lifecycle processes only after being tailored accordingly.
- 5G-specific standards, specifications and guidelines are available to a greater extent to the stakeholders of
the telecommunication sector than for other stakeholders (e.g. audit organisations and stakeholders in the connected devices industry).
- 5G-specific standards, specifications and guidelines cover to a greater extent the run phase of a technology lifecycle, whereas other phases would need tailoring.
- Existing knowledge bases on cybersecurity threats and IT-security guidelines can be used for 5G cloud-native architectures and architectures relying on APIs (Application Programming Interfaces). Although these families of software are well known to the IT industry, their use is quite recent and constitutes one of the drivers of the cloudification of the telecom sector.
- The existing literature does not allow for end-to-end trust and resilience in the 5G ecosystem. For example, guidelines for 5G-specific tools and key performance indicators could be needed to ensure a common understanding of 5G protection and of end-to-end trust and resilience.

Concerning gaps in standardisation, the report finds that only the areas of governance and risk management as well as the security of human resources present moderate gaps, e.g. related to sector-specific risk management. The other areas considered (e.g. operations management, business continuity management and incident management) present major gaps in standardisation.

Still, this report recommends the adoption of a progressive approach to 5G standardisation, which should consider several elements such as the usefulness and necessity of new standards and their link with strategic objectives. It also notes the importance of fostering the maturity and the completeness of the identification and assessment of risk by harmonising risk assessment practices in a way that is inclusive of all stakeholders in the 5G ecosystem.

Finally, this report stresses that, while the technical and organisational standards analysed can contribute to the security of 5G, they should not be treated as an exhaustive list of measures guaranteeing security. There are risks that are not covered by standards, for example residual risks whose cost is neither borne by nor attributable to a specific stakeholder, such as societal risks resulting from network malfunctions. Indeed, the complexity of 5G calls for a comprehensive vision of trust and of resilience that goes beyond standardisation. This vision should be future-proof and not dependent on the variability of assets and configurations in the network.

[1] Section 2.2 explains the taxonomy used by the document. For convenience the report refers to all considered documents alternatively as standards, specifications, guidelines, existing literature or reference documents.

1. INTRODUCTION

1.1 DOCUMENT PURPOSE AND OBJECTIVES

The ambition of this document is to outline the contribution of standardisation to the mitigation of technical risks, and therefore to trust and resilience, in the 5G ecosystem. Accordingly, the objectives of the document are:
- to provide an overview of standards, specifications and guidelines [2] relevant to the cybersecurity of the 5G ecosystem that had been published, either as drafts or in their final versions, by September 2021;
- to facilitate the positioning and to assess the applicability of any reference document in the 5G security environment;
- to formulate recommendations on standardisation in the area of 5G security.

The document focuses on standardisation from a technical and organisational perspective. Considerations of the effectiveness of specific standards and of the strategic and policy aspects related to 5G security, although important, are outside the scope of this report.

Note on the relation to other ongoing work on 5G cybersecurity carried out by ENISA: this report is not intended to prejudge any work related to the drafting of the European cybersecurity certification candidate scheme on 5G networks.

1.2 OVERVIEW AND STRUCTURE OF THE STUDY

Businesses and institutions participate in several activities concerning 5G networks and 5G-dependent processes: their design, construction, operation, introduction to the market, use, audit and even certification. Altogether, with various degrees of importance, they contribute to the Digital Single Market. The EU Cybersecurity Strategy [3], published in 2020, reaffirms the importance of trust and resilience in the Union, to be sustained in the long run for societal purposes and at a systemic scale. Therefore, cybersecurity risks and the capabilities for their mitigation need to be considered also from a systemic perspective.

To this end, the analysis proposed in the report is based on a 5G Ecosystem defined as a multi-dimensional space comprising not only 5G technological and functional domains but also the related technology lifecycle processes and stakeholders. The conceived ecosystem is also underpinned by a security dimension. The ecosystem and its components are described in detail in Section 2 Scope, Definitions and Conventions.

After having defined the 5G Ecosystem, the document:
- collects existing cybersecurity standards, specifications and guidelines, and positions them within the defined 5G ecosystem (Section 3 Positioning and Assessment of Reference Documents in the 5G Ecosystem);
- identifies gaps in standardisation by comparing the existing literature against an ideal situation of cybersecurity robustness and resilience, where standardisation addresses the necessary technical and organisational security aspects (Section 4 Identification of Gaps in Standardisation); and
- formulates recommendations on standardisation in the area of 5G cybersecurity (Section 5 Recommendations).

[2] Section 2.2 explains the taxonomy used by the document. For convenience the report refers to the documents analysed as, alternatively, reference documents, references, existing literature or standards, specifications, guidelines.
[3] https://ec.europa.eu/commission/presscorner/detail/en/IP_20_2391

1.3 TARGET AUDIENCE AND PREREQUISITES

This work is intended for the stakeholders in the 5G ecosystem, in particular standardisation working groups, industry stakeholders and national cybersecurity agencies across the European Union. The reader is invited to get familiar with the concepts of information security risk management as documented in the ISO/IEC 27005 international standard, as well as the concepts developed in the following documents:
- ENISA, Guideline on Security Measures under the EECC, 2020
- ENISA, 5G Supplement to the Guideline on Security Measures under the EECC, 2021
- ENISA, Threat Landscape for 5G Networks, 2019
- ENISA, Security in 5G Specifications, 2021
- ENISA, EU Coordinated Risk Assessment of 5G Networks Security, 2019
- ENISA, Methodology for Sectoral Cybersecurity Assessments, 2021

An overview of the standardisation organisations active in 5G is contained in the ENISA report Security in 5G Specifications [4].

[4] https://www.enisa.europa.eu/publications/security-in-5g-specifications

2. SCOPE, DEFINITIONS, AND CONVENTIONS

This section provides the concepts and definitions used to build the 5G Ecosystem introduced in Section 1.2 Overview and Structure of the Study. This ecosystem provides a methodological framework in which it is possible to locate the standards, the specifications and the guidelines relevant for a given stakeholder group, at a given step of the technology lifecycle, for a given block of the 5G technical architecture.

2.1 THE 5G ECOSYSTEM

As introduced in Section 1.2 Overview and Structure of the Study, the 5G ecosystem is
composed of the following dimensions.

Figure 1: The dimensions of the 5G ecosystem

Building blocks of the 5G Ecosystem and their definitions:
- 5G Technological and functional domains: Essential functions of 5G networks and the related supporting asset categories, representing 5G technical components and the scope of their interactions.
- Technology lifecycle processes: Processes applied to the lifecycle of 5G services and of 5G-dependent vertical industrial processes.
- 5G Stakeholders: Entities (either public or private) that are related to 5G networks and vertical industries.
- 5G Security domains, objectives and measures: Security dimension of the 5G ecosystem, represented through the security domains, objectives and measures of the ENISA Guideline on Security Measures under the EECC and its 5G supplement.

2.1.1 5G technological and functional domains

The current section outlines the essential functions of 5G networks and the related categories of supporting assets considered in this report. The 5G technological and functional domains considered are largely based on the set of planes, functional blocks and process blocks of the widely acknowledged representation of the generic 5G architecture depicted in the ENISA report ENISA Threat Landscape for 5G Networks, Updated 2020, which in turn relies on the architecture of the 3GPP Technical Specification 23.502 (Release 16). They have been selected because they offer a synthetic overview of 5G technology and 5G-related processes. For the purpose of this study, only the major blocks depicted in Figure 2 have been considered.

Figure 2: The 5G technological and functional domains as represented in ENISA Threat Landscape for 5G Networks, Updated 2020

Figure 3: The 5G technological and functional domains considered by the current study
- 5G Use Cases: End-to-end services based on 5G, characterised by how they use and/or transmit data. Examples: vehicle-to-everything (V2X), eMBB, mMTC, URLLC.
- Multi-Access Edge Computing (MEC) Services: Multi-access computing services used to bring computation and connectivity closer to the end user in order to meet the requirements for data transmission speed and latency.
- Physical infrastructure: Set of premises including hardware and software for computation, storage and transmission, as well as the related technical environment (energy, air conditioning, cable paths, civil works infrastructures, etc.).
- Virtualised Infrastructure: Computing, storage and networking capacities on demand.
- Radio Access Network (RAN): Logical and hardware components making up the functions of the radio access network. It mainly includes the distributed units (DU) and centralised units (CU) for radio access.
- Multi-Access Edge Computing (MEC) Infrastructure: Infrastructure related to the decentralisation of cloud functions (storage of data and computing) located closer to the user or edge device.
- 5G Core Network, Network Function (CN NF): Central part of the 5G infrastructure which enables new functions related to multi-access technologies. Its main purpose is to deliver services over all kinds of networks (wireless, fixed, converged).
- Data Network (DN): Connectivity to external data, content, services and other resources available outside the 5G network. The data network is also used to interconnect different 5G networks, operators and providers.
- Transport: Part of the network ensuring the connectivity between the access and core networks.
- Management and Orchestration (MANO): Software, operations tools and the related environment used to automate operations that relate to the lifecycle of the infrastructure and service components.

2.1.2 Technology lifecycle processes

Lifecycle processes can be regarded as the heartbeat of all activities based on digital technologies. This section defines the scope of the technology lifecycle processes considered in the 5G ecosystem. They are the processes related to the lifecycle of 5G services and of 5G-dependent vertical industries. To keep the analysis simple, the methodology selects some of the processes listed in GSMA FS.16 - NESAS Development and Lifecycle Security Requirements v2.0, 2021. Such processes are considered in a technology environment including (but not limited to) 5G technologies with their underlying technological building blocks from cloud-native and service-based architectures, their orchestration and their automation, and their components running on top of virtualised infrastructures requiring orchestration and automation. The considered processes encompass the phases shown in Figure 4 below.

Figure 4: The phases of the technology lifecycle processes considered in the 5G ecosystem
- Think: All activities related to the design of a service, the design principles of an infrastructure, as well as the study of their technological and operational options. The main deliverables of this phase are (for example) anticipation studies, benchmarks, opportunity studies, high-level designs and initial risk assessments.
- Build: All activities that prepare and execute the building phase of a service, including the integration of the software parts, connectivity, application interfaces, data flows and related protocols. When security is integrated within the Build process, the corresponding milestones consist in checking the robustness of the architecture and its attack surface, and updating the risks accordingly.
- Test: All activities that verify compliance with specifications, robustness or resilience prior to or after the go-live phase, also including auditing at any phase of the lifecycle.
- Run: All activities including the continuous delivery of services, performance and fault management, problem management, customer support, etc.
- Update: Activities that relate to the process also referred to as Transition, consisting in identifying capacity needs, requirements for software updates, patch installation, needs for robustness, adjustments to software and equipment configurations, and the on-demand provisioning capabilities when a customer purchases a service.
- End of Life: The sequence of steps towards decommissioning or the end of the lifecycle of a service component.

In this context, it is to be noted that the lifecycle processes apply to a variety of areas and stakeholders beyond 5G products alone. These lifecycle processes are applicable to systems other than 5G products, such as IT systems used to operate, test, orchestrate, automate and develop service building blocks. The figure below is an example showing where security steps can be implemented in the lifecycle processes to enable robustness and resilience from an end-to-end perspective.

Figure 5: Representation of the lifecycle processes considered in the 5G ecosystem

2.1.3 5G Stakeholders

The 5G ecosystem relies on several stakeholders that play different roles in its security at different levels. The set of stakeholders selected for this document focuses on entities (either public or private) that are related to 5G networks and vertical industries. The set has been adapted from the EU Coordinated Risk Assessment on 5G Networks Security and the ENISA Threat Landscape for 5G Networks, Updated (2020), as they encompass both the stakeholders and their role with regard to 5G. They are depicted in the following table.

Figure 5: The categories of the 5G stakeholders considered in the 5G ecosystem

- 5G Service customer or consumer: Entities that use services that are offered by a service provider (SP); in the context of 5G, these would be, for example, vertical industries and their private networks. In addition, consumers of 5G services without a business relation with a 5G service provider (for example, end users) are included in this category. This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

- Telecommunications sector (Telecom): This category encompasses entities that are responsible for the manufacture, deployment and operation of 5G networks, such as:
  - Mobile Network Operators (MNOs): entities providing mobile network services to users, operating their own network, if necessary with the help of third parties.
  - Suppliers of mobile networks: entities providing services or infrastructure to MNOs in order to build and/or operate their networks (both telecom equipment manufacturers and other third-party suppliers, such as cloud infrastructure providers, network infrastructure providers and managed services providers).
  - Service providers (SP): entities that design, build and operate services using aggregated network services. Examples include communication service providers offering traditional telecom services, digital service providers offering digital services such as enhanced mobile broadband and IoT to various vertical industries, or network slice as a service (NSaaS) providers offering a network slice along with the services that it may support and configure.
  - Virtualisation infrastructure service providers (VISP): entities that provide virtualised infrastructure services and design, build and operate virtualisation infrastructure(s). The infrastructure comprises networking (e.g. for mobile transport) and computing resources (e.g. from computing platforms).
  This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

- Datacentre services providers (DCSP): Entities that provide data centre services and that design, build and operate their data centres. A DCSP differs from a VISP by offering raw resources (i.e. host servers) in rather centralised locations and simple services for consumption of these raw resources. A VISP rather offers access to a variety of resources by aggregating multiple technology domains and making them accessible through a single API. This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

- Connected devices industry: This category includes manufacturers of connected devices and related service providers, meaning entities providing objects or services that will connect to 5G networks (e.g. smartphones, connected vehicles, e-health) and related service components hosted in a 5G control plane as defined in a service-based architecture or in mobile edge computing. This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

- Cybersecurity assessment: This category includes entities that assess the security of 5G networks and systems, e.g. auditing companies and accredited 5G laboratories. This category audits the implementation of standards, specifications and guidelines.

- Cybersecurity information exchange: This category includes entities that share threat intelligence and incident-related information, for example information sharing and analysis centres (ISACs) and cyber security incident response teams
(CSIRTs). This category may implement standards, specifications and guidelines to securely exchange cyber-intelligence.

- Standards development organisations (SDOs), associations, alliances: This category encompasses entities that develop and promote the adoption of standards, specifications and guidelines, for example GSMA and 3GPP.

- Research and innovation organisations: This category encompasses entities contributing to R&D and innovation tasks related to all kinds of innovative actions in areas related to 5G, including verticals. It also includes open source organisations or communities providing technological support and guidance in the development of 5G functions and services, as well as public-private partnerships and innovation programmes. This category exposes gaps in standardisation and creates innovations that can lead to advancements in standardisation by acting as starting points of new standards, specifications and guidelines.

Explanatory notes:
- 5G vertical industries working at the Think phase of the lifecycle have been included in the category Research and innovation organisations.
- 5G vertical industries using 5G services have been considered as service customers, whereas verticals delivering services to the customers in their own sector have been considered as service providers.
- Open-source organisations have been included in the category Research and innovation organisations when considered for their development activities at the Think phase of the lifecycle. They have been included in the category Suppliers of MNOs when considered for their support to technologies in production.

2.1.4 5G Security domains, objectives and measures

This section outlines the security dimension of the 5G ecosystem used in this report. In the absence of an equally comprehensive framework, the report uses the security domains, objectives and measures found in the ENISA Guideline on Security Measures under the EECC and its 5G supplement. The former concern security in general, the latter concern 5G. Although they target mainly operators, the domains and measures set out in the documents above have been used as an analytical framework. Still, it is important to stress that the security measures used are not to be considered as the totality of the measures necessary for the mitigation of cybersecurity risks in 5G. Security objectives and measures could be added
for any sectoral risk assessment covering a subset of the 5G ecosystem. The table below shows the security domains and objectives taken into consideration. The mapping of the reference documents is further broken down into security measures in Annex 6 Detailed mapping.

Figure 6: Security domains and objectives in the Guideline on Security Measures under the EECC and its 5G Supplement

Security domains (D) and their security objectives:
- D1 Governance and risk management: Information security policy; Governance and risk management; Security roles and responsibilities; Security of third-party dependencies
- D2 Human resources security: Background checks; Security knowledge and training; Personnel changes; Handling violations
- D3 Security of systems and facilities: Physical and environmental security; Security of supplies; Access control to network and information systems; Integrity of network and information systems; Use of encryption; Protection of security critical data
- D4 Operations management: Operational procedures; Change management; Asset management
- D5 Incident management: Incident management procedures; Incident detection capability; Incident reporting and communication
- D6 Business continuity management: Service continuity strategy and contingency plans; Disaster recovery capabilities
- D7 Monitoring, auditing and testing: Monitoring and logging policies; Exercise contingency plans; Network and information systems testing; Security assessments; Compliance monitoring
- D8 Threat awareness: Threat intelligence; Informing users about threats

2.2 TAXONOMY OF DOCUMENTS CONSIDERED

To facilitate the analysis, this report relies on a taxonomy comprising three categories of documents. Each of the documents considered is assigned to one of the categories below, according to its related definition:
- Standard: a technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory [5]. The standards considered are documents produced by a standardisation body (international, national or European), and whose content includes (but is not limited to) requirements, principles, descriptions of frameworks or processes, and codes of practice.
- ICT Technical specification: a technical specification in the field of information and communication technologies [6]. ICT technical specifications are referred to in this document as specifications.
- Guidelines and Best Practices: documents that explain, interpret and simplify standards or standardisation deliverables. These can include user guides, abstracts of standards, best practice information and awareness-building actions, strategies, and training programmes [7].

For convenience, the report refers to the documents analysed as, alternatively, reference documents, references, existing literature or standards, specifications and guidelines.

[5] Standardisation bodies as defined by Regulation (EU) No 1025/2012, Article 2, paragraph (1).
[6] Understood as ICT technical specification as defined by Regulation (EU) No 1025/2012, Article 2, paragraph (5).
[7] Definition adapted from Regulation (EU) No 1025/2012, Chapter IV, Article 15, paragraph 1, point (f). The reference to European standards and standardisation deliverables has been deleted as the current report refers also to non-European documents.

Although these categories have been identified solely for the purpose of the study, they are based on the EU Regulation on European standardisation (Regulation (EU) No 1025/2012) and on the definitions of the International Organization for Standardization (ISO). A reminder of the exact definitions is given in Annexes 1 and 2 on the taxonomy for standards.

Cybersecurity standards provide an important range of contents: requirements applicable to ICT-related domains of technology or processes, requirements for management systems, and frameworks and guidelines on security controls, i.e. what to do. In turn, the reference documents that help with implementation, i.e. how to do things, are the specifications, guidelines and best practices. The documents analysed in this report are listed in Annex 5 Referencing the Existing Literature. An important part of the 5G-related documents in this study are taken from the ENISA report Security in 5G Specifications (2021).

3. POSITIONING AND ASSESSMENT OF REFERENCE DOCUMENTS IN THE 5G ECOSYSTEM

3.1 METHODOLOGY FOR THE ASSESSMENT OF COVERAGE

This section provides the methodology to position existing standards, specifications and guidelines in the 5G ecosystem and to assess the extent to which they address the 5G security environment. It consists of the following steps:
- Using ENISA's literature and the complementary knowledge of the Expert Group commissioned for this study, relevant documents are sampled and grouped into

113、consistent clusters(shorthand)made up of a selection of standards,specifications,and guidelines.The documents analysed are listed in the Section 6 Bibliography.These clusters are mapped against each security domain,objective and measure of the 5G ecosystem as described Section 2.1.4 5G Security doma

114、ins,objectives and measures.The relevance and the completeness of the clusters is then analysed from the perspectives of the three remaining dimensions of the 5G ecosystem,that is its stakeholders(Section 2.1.3 5G Stakeholders);its technical and functional domains(Section 2.1.1 5G technological and

115、functional domains);and the related technology lifecycle processes(Section 2.1.2 Technology lifecycle processes).The results of the mapping and of the assessment are described in the section Annex 6 Detailed Mapping.A summarised version is contained in section 3.2 Consolidated Results.3.2 CONSOLIDAT

116、ED RESULTS The detailed analysis underlying this report concerns more than 150 security measures and more than 140 documents which were identified and selected from the available literature.This detailed and in-depth analysis is provided in section Annex 6 Detailed Mapping.Given the volume of inform

117、ation and the level of detail,the current section only contains a summary table,representing the consolidated findings by security domain.A high-level assessment of the extent to which the analysed literature addresses a given security domain for each of the dimensions of the 5G ecosystem(i.e.stakeh

118、olders,technological and functional domains,and technology lifecycle processes)is also provided.Some details may not be obvious in the consolidated results.For example,All under the column Coverage of Stakeholders means that the literature analysed is considered relevant for every entity in the ecos

119、ystem.The specific degree or depth of relevance for each category of stakeholders,technological and functional domains,and technology lifecycle processes is tackled in the detailed mapping.5G CYBERSECURITY STANDARDS March 2022 19 Figure 7:Summary of the coverage of existing literature by security do

120、main Security domain Taxonomy of applicable documents Coverage of the dimensions of the 5G ecosystem Observations Stakeholders 5G Technological and functional domains Technology lifecycle processes D1 Governance and risk management Standards All All All The documents referred to are,to some extent,r

121、elevant to all dimensions of the 5G ecosystem.However,they are not specific to 5G.To get their full value,each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes.Such an effort requires

122、skills and expertise.Furthermore,fragmentation in implementation should be avoided.D2 Human resources security Standards All All All The documents referred to are to some extent relevant to all dimensions of the 5G ecosystem.However,they are not specific to 5G.To get their full value,each stakeholde

123、r category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes.Such an effort requires skills and expertise.Furthermore,fragmentation in implementation should be avoided D3 Security of systems and facilities

124、Standards Specifications Guidelines Telecommunications sector DCSPs All Run Although general,the documents referred to are especially relevant for the telecommunications sector and DCSPs.Also,they are relevant to all technological and functional domains.They can be tailored with minimal effort to a

125、5G-specific context in the Run phase.Tailoring to the Think and Build phases would require significant effort by the stakeholders.D4 Operations management Specifications Telecommunications sector All Run The documents referred to are not specific to 5G,although especially relevant for the telecommun

126、ications sector.To get their full value,each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes(at the Think and Build phases).Such an effort requires skills and expertise.Furthermore,fr

127、agmentation in implementation should be avoided.D5 Incident management Standards Telecommunications sector All Run The documents referred to are not specific to 5G,although especially relevant for the telecommunications sector.To get their full value,each stakeholder category would need to put in a

128、significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes(at the 5G CYBERSECURITY STANDARDS March 2022 20 Think and Build phases).Such an effort requires skills and expertise.Furthermore,fragmentation in implementation should be avoided.

129、D6 Business continuity management Standards Telecommunications sector All Run The documents referred to are not specific to 5G,although especially relevant for the telecommunications sector.To get their full value,each stakeholder category would need to put in a significant effort to tailor them to

130、the relevant 5G technical and functional domains and technology lifecycle processes(at the Think and Build phases).Such an effort requires skills and expertise.Furthermore,fragmentation in implementation should be avoided.D7 Monitoring,auditing,and testing Standards Telecommunications sector All Run

131、 The documents referred to are not specific to 5G,although especially relevant for the telecommunications sector.To get their full value,each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle pro

132、cesses(at the Think and Build phases).Such an effort requires skills and expertise.Furthermore,fragmentation in implementation should be avoided.D8 Threat awareness Guideline Telecommunications sector All Run The documents referred to are not specific to 5G,although especially relevant for the telec

133、ommunications sector.To get their full value,each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes(at the Think and Build phases).Such an effort requires practice.Furthermore,fragmenta

134、tion in implementation should be avoided.5G CYBERSECURITY STANDARDS March 2022 21 4.IDENTIFICATION OF GAPS IN STANDARDISATION 4.1 METHODOLOGY FOR THE IDENTIFICATION OF GAPS IN THE EXISTING LITERATURE This section presents existing literature addressing each security domain in accordance with Section

135、 2.1.4 5G Security domains,objectives and measures from the perspective of the stakeholder considered in accordance with Section 2.1.3 5G Stakeholders and points to the areas partly covered by existing literature as well as those covered to a limited extent or not at all.The identification of these

136、areas relies on expert assessment by the authors of this report.They have assessed the extent to which the existing literature addresses an ideal situation where 5G technical and organisational cybersecurity risks are mitigated and adequate controls to ensure security are performed thanks to availab

137、le standards,specifications,and guidelines.This is therefore the reference against which gaps in standardisation have been identified.4.2 ASSESSMENT OF COVERAGE AND IDENTIFICATION OF GAPS IN STANDARDISATION The assessment of the coverage of the standards,specification and guidelines considered,as we

138、ll as the identification of the gaps in standardisation,is conveyed in the form of a table(Figure 9),which follows the colour coding below:Figure 8:Colour coding for the representation of the gaps Colour code Definition Existing literature The green cells show the existing literature addressing each

139、 security domain from the perspective of the stakeholder considered.Moderate Gap The yellow cells indicate the areas where moderate gaps in standardisation have been identified.A gap is identified as moderate when the existing literature addresses the domain partly,meaning that moderate effort would

140、 be required to bridge that gap.Major gap The orange cells indicate the areas where major gaps in standardisation have been identified.A gap is identified as major when the existing literature does not address the domain(or only to a limited extent),meaning that a major effort would be required to b

141、ridge that gap.No gap/Not relevant The cells that are not coloured indicate areas where no gaps have been identified or only those that are not relevant for the stakeholder.For research and innovation organisations,gaps are intended as areas where further work by these organisations is required.5G C

142、YBERSECURITY STANDARDS March 2022 22 For every domain,the table(Figure 9)identifies between brackets the relevant literature as grouped by the shorthand in Annex 5 Referencing the existing literature,reproduced below for convenience.Figure 9:Reference shorthand each shorthand indicates the areas cov

143、ered by the selection of documents Shorthand Selection of documents concerning:ISOIEC27K ISO/IEC 27K series ISOIEC20K IT services process map SUPPLSEC Security of suppliers POLTEMPLATES Build security policies RM Cybersecurity risk management ENISATL ENISA works related to threats SP800HR Security r

144、elated to human resources IAM Identity and access management.DEVSECOPS Security in the IT lifecycle 3GPP-All 3GPP technical specifications NFVSEC Security of network functions virtualisation eUICC Security in the eUICC domain CRYPTOTECH Use of cryptographic techniques PHYSEC Physical and environment

145、al security HARDEN Technical robustness VULN Management of vulnerabilities THREATMOD Threat modelling and security monitoring SECASSUR Security assurance and related guidelines AUDIT Audit planning and assessment BCM Organisational and technical resilience 5G CYBERSECURITY STANDARDS March 2022 23 Fi

146、gure 10:Assessment of coverage and evaluation of gaps in standardisation Stakeholders 5G Service customer or consumer Telecom sector Datacentre Services Providers Connected devices industry Cybersecurity assessment stakeholders Cybersecurity information exchange stakeholders Research and innovation

147、organisations*Role in standardisation Implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and operation of 5G networks and/or services Audit the implementation of standards,specifications and guidelines Implement standards,specifications a

148、nd guidelines to securely exchange cyber-intelligence Expose gaps in standardisation and create innovations that can lead to advancements in standardisation,by acting as starting points for new standards,specifications and guidelines D1 Governance and risk management Existing literature addressing t

149、he domain ISOIEC27K,ISO20K,RM,SP800HR,ENISATL,ISOIECSUPPL,POLTEMPLATES SECASSUR RM RM NFVSEC DEVSECOPS,HARDEN Moderate gap:Areas partly covered by existing literature Sector-specific governance and risk management Sector-specific risk register Sector-specific ISMS and PIMS implementation 5G risk ass

150、essment by third parties Processes for cross-border information exchange to share best practices in governance and risk management D2 Human resources security Existing literature addressing the domain SP800HR,IAM SP800HR SP800HR ISOIEC27K,SP800HR,IAM Moderate gap:Areas partly covered by existing lit

151、erature Vertical-specific educational security content,specifying awareness programmes and training contents e.g.MOOCs,serious games services(note:area that might be addressed by soft measures,not standards)Evaluation methods of human resources management processes Cross-border process for the excha

152、nge of information(e.g.best practices)on the security of human resources Vertical-specific educational security content,specifying awareness programmes and training contents e.g.MOOCs,serious games services*D3 Security of systems and facilities Existing literature Addressing the domain PHYSEC,IAM,3G

153、PP-All,SECASSUR,CRYPTOTECH,NFVSEC,eUICC AUDIT,SECASSUR DEVSECOPS,eUICC,CRYPTOTECH 5G CYBERSECURITY STANDARDS March 2022 24 Moderate gap:Areas partly covered by existing literature Robust configuration and deployment of 5G vertical use cases Robust configuration of 5G micro services and automation Se

154、curity of RAN,Open RAN,ONAP Methods for evaluating the security of 5G verticals Methods for evaluating the robustness of the configuration of 5G micro services and automation Testbeds environments and tools*Major gap Areas not covered(or covered to a limited extent)by existing literature Information

155、 security requirements applicable to vendors of 5G solutions sourcing contracts Automation of robust configurations and deployment Audits of the security of orchestration and micro-services(note:area that might be addressed by soft measures,not standards)D4 Operations management Existing literature

156、addressing the domain Standards ISO20K,RM,NFVSEC Standards ISO20K,RM,AUDIT DEVSECOPS Moderate gap:Areas partly covered by existing literature High-level requirements for 5G-specific cloud-native and edge deployments Operations and security practices concerning firmware,data aggregation and related c

157、omponents Third party risk assessment of 5G operations Major gap Areas not covered(or covered to a limited extent)by existing literature Requirements to implement the whole lifecycle of 5G-specific cloud-native and edge deployments such as:centralised management of certificates,interoperable automat

158、ion and orchestration,serverless environments Automated security evaluation for industrial IoT Testbeds environments and tools*D5 Incident management Existing literature addressing the domain ISOIEC20K,ISOIEC27K,BCM,AUDIT THREATMOD,NFVSEC ISOIEC20K,ISOIEC27K,BCM,AUDIT ISOIEC20K,ISOIEC27K,BCM,AUDIT D

159、EVSECOPS 5G CYBERSECURITY STANDARDS March 2022 25 Moderate gap:Areas partly covered by existing literature Typologies of scenarios for 5G-specific,end-to-end incident management,including severity criteria and thresholds for incidents in a 5G context Evaluation methods for the investigation of incid

160、ents and the chain of custody for evidence Typologies of scenarios for 5G-specific,end-to-end incident management,including severity criteria and thresholds for incidents in a 5G context Processes for cross-border information exchange to share best practices in incident response Major gap Areas not

161、covered(or covered to a limited extent)by existing literature Automated incident response in a 5G context Evaluation methods for the performance of automated incident response D6 Business continuity management Existing literature addressing the domain ISOIEC27K,VULN,BCM ISOIEC27K,VULN,BCM,AUDIT ISOI

162、EC27K,BCM,AUDIT Moderate gap:Areas partly covered by existing literature 5G-specific business impact analysis Methodology to assess ICT readiness 5G-specific disaster recovery Processes for cross-border information exchange to share best practices in business continuity Major gap Areas not covered(o

163、r covered to a limited extent)by existing literature Technical disaster recovery plans for 5G functions and orchestration Methods for evaluating the ICT ICT readiness for business continuity D7 Monitoring,auditing and testing Existing literature Addressing the domain VULN,HARDEN,THREATMOD,DEVSECOPS

164、AUDIT DEVSECOPS 5G CYBERSECURITY STANDARDS March 2022 26 *Note:For research and innovation organisations,gaps are intended as areas where further work by these organisations is required.*Note:area that might be addressed by soft measures,not standards.Moderate gap:Areas partly covered by the existin

165、g literature Evaluation methods for monitoring capabilities Evaluation methods for the capabilities of automated testbeds Process for the cross-sector exchange of information in the area of sharing best practices for monitoring,auditing and testing Major gap Areas not covered(or covered to a limited

166、 extent)by existing literature 5G-specific log sources Event correlation for 5G end-to-end services and roaming D8 Threat awareness Existing literature addressing the domain Knowledge base of risk sources,attack methods,best practices of incident playbooks THREATMOD,ISOIEC27K,RM,SECASSUR THREATMOD T

167、HREATMOD DEVSECOPS,eUICC,CRYPTOTECH Moderate gap:Areas partly covered by the existing literature Typologies of threats for 5G-verticals applicable to RAN/Open RAN,APIs,ONAP,and cloud native technology Evaluation methods for the capabilities of the effectiveness of threat intelligence and threat hunt

168、ing Process for the cross-sector exchange of information in the area of sharing threat intelligence Prerequisites for standards:new specifications,testbeds environments and tools Major gap Areas not covered(or covered to a limited extent)by existing literature Automatic remediation playbooks 5G CYBE

169、RSECURITY STANDARDS March 2022 27 4.3 OVERVIEW OF GAPS BY SECURITY DOMAIN The gaps identified in the previous table can be summarised as follows:Security domain Moderate gaps Major gaps D1 Governance and risk management Sector-specific governance and risk management Sector-specific risk register Sec

170、tor-specific ISMS and PIMS implementation 5G risk assessment by third parties Processes for cross-border information exchange to share best practices in governance and risk management D2 Human resources security Vertical-specific educational security content,specifying awareness programmes and train

171、ing contents e.g.MOOCs,serious games services(note:area that might be addressed by soft measures,not standards).Methods for evaluating the management processes for human resources Cross-border process for the exchange of information(e.g.best practices)on the security of human resources D3 Security o

172、f systems and facilities Robust configuration and deployment of 5G vertical use cases Robust configuration of micro services and automation Security of RAN,Open RAN,ONAP Information security requirements applicable to vendors of 5G solutions sourcing contracts Automation of robust configurations and

173、 deployment Audits of the security of orchestration and micro-services(note:area that might be addressed by soft measures,not standards)5G CYBERSECURITY STANDARDS March 2022 28 Methods for evaluating the security of 5G verticals Methods for evaluating the robustness of the configuration of 5G micro

174、services and automation D4 Operations management High-level requirements for 5G-specific cloud-native and edge deployments Operations and security practices concerning firmware,data aggregation and related components Third party risk assessment of 5G operations Requirements to implement the whole li

175、fecycle of 5G-specific cloud-native and edge deployments such as centralised management of certificates,interoperable automation and orchestration,serverless environments Automated of security evaluation for industrial IoT D5 Incident management Typologies of scenarios for 5G-specific,end-to-end inc

176、ident management,including severity criteria and thresholds for incidents in a 5G context Evaluation methods for the investigation of incidents and the chain of custody for evidence Processes for cross-border information exchange to share best practices Automated incident response in a 5G context Ev

177、aluation methods for the performance of automated incident response D6 Business continuity management 5G-specific business impact analysis Methodology to assess ICT readiness 5G-specific disaster recovery Processes for cross-border information exchange to share best practices in business continuity

178、Technical disaster recovery plans for 5G functions and orchestration Methods for evaluating the ICT readiness for business continuity D7 Monitoring,auditing,and testing Evaluation methods for monitoring capabilities Evaluation methods for the capabilities of automated testbeds 5G-specific log source

179、s Event correlation for 5G end-to-end services and roaming 5G CYBERSECURITY STANDARDS March 2022 29 Process for the cross-sector exchange of information in the area of sharing best practices for monitoring,auditing and testing D8 Threat awareness Typologies of threats for 5G-verticals applicable to

180、RAN/Open RAN,APIs,ONAP,and cloud native technology Evaluation methods for the capabilities of the effectiveness of threat intelligence and threat hunting Process for the cross-sector exchange of information in the area of sharing threat intelligence Automatic remediation playbooks 4.4 OBSERVATIONS O

181、N THE GAPS IN STANDARDISATION The gap analysis is based on the standards,specifications and guidelines presented in Section 6 Bibliography.The following should be noted.The bibliography relies on a sampled set of documents.Despite the authors efforts,there may exist standards,specifications or guide

182、lines that are not referenced and thus a gap is reported in error.When a partial or major gap is pointed out,the question arises as to whether this area should be standardised,supported by specifications or guidelines,or whether company-specific needs make this contextualisation impossible.Given the

183、 above,the present report might over-represent existing gaps in some areas.For example,in relation to the latter point,one consistent observation is that the lifecycle of open-source software does not fit well with the processes defined in the standards,specifications,and guidelines.This is mainly d

184、ue to the lack of a formal organisational structure that could support,enforce and finance standardised processes in the open-source community.This is particularly true for the security domains D1(Governance and Risk Management),D7(Monitoring,Auditing and Testing)and D8(Threat Awareness).Furthermore

185、,the process for developing security standards is not included in the analysis itself.The interests of individual players may influence the definition of security standards,specifications,or guidelines in favour of economic or other trade-offs sometimes at the cost of a higher risk.One example is th

186、e trade-off between capabilities for legal interception and security against espionage through end-to-end confidentiality.4.5 ADDITIONAL LEARNINGS AND OBSERVATIONS Complementary to the assessment of the coverage of the existing security literature,the following elements intend to bring a qualitative

187、 perspective on the organisational and technical 5G CYBERSECURITY STANDARDS March 2022 30 areas where the 5G stakeholders can intervene to improve maturity,robustness,and readiness for resilience.The following list gathers observations from the initial deployments of 4G that have been shared in the

188、Telecom industry.These trends continue to be relevant and should be considered in the context of 5G8:The complexity of simultaneously operating virtualised infrastructure and virtualised network functions(VNFs)working together;The need for consistency between the three key technical domains of VNFs(

189、Virtual Network Functions),SDN(Software-defined networks)controllers,IaaS(Infrastructure as a Service)due to their mutual dependencies;The reliance on a Linux kernel leading to a systemic risk related to unexpected changes of configuration or unexpected behaviours at the core of computing and connec

190、tivity capabilities,possibly impacting also new critical functions e.g.orchestration,containers and microservices;The emergence of new solutions to entrust data management on cloud-based and serverless solutions,based on short-lived assets requiring new approaches for the observability of actions an

191、d for detecting threats;New cloud environments impact identity and access management as they are no longer purely role-based,but attribute-based and context-based;The increased need for confidentiality and resilience on connectivity and data storage in the network and its operation;The exploding num

192、ber of cryptographic certificates to ensure legitimacy and avoid man-in-the-middle attacks shine a new light on key management;The abundance of configurations using text-based descriptors such as JSON and XML,together with highly distributed processing and storage;The effects of the increased import

193、ance of IT technologies including the importance of open source,both at service and infrastructure levels;The large number of APIs bringing complexity in ensuring the legitimacy of requests and the balance between attack surface and the exposure of an application interface;Cybersecurity incidents in

194、volving the recurring exposure of credentials and secrets in CI/CD environments;The MNOs tendency to outsource their network operations and field operations to third-party service providers entrusted with multiple networks in multiple countries,which reinforces the importance of connectivity and the

195、refore the inter-dependency between the ability to operate and the operated assets;Outsourcing to tower companies(companies taking charge of the radio access sites)and fibre companies(companies that operate fibre access networks),which are now entrusted with managing several operators simultaneously

196、 in several countries.The above key trends are observed in 4G,but they should be taken into consideration to improve the coverage of standardisation for the cybersecurity of 5G.Furthermore,one should take into account the fact that 5G networks are systems of systems,whose representation requires aut

197、omation and abstraction and whose services necessitate end-to-end quality controls.8(Affirmed Networks,2019)5G CYBERSECURITY STANDARDS March 2022 31 5.RECOMMENDATIONS This section provides the recommendations that result from the previous sections and in particular from the identification of gaps.5.
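Two of the trends listed in section 4.5, configurations kept in text-based descriptors such as JSON and XML and the recurring exposure of credentials and secrets in CI/CD environments, can be turned into a concrete pre-commit or pipeline check. The Python scanner below is an added example written for this page; it is not code from the ENISA report or from any of the documents it analyses. It uses only the standard library and goes slightly beyond the text by handling JSON and XML descriptors in one pass. It walks every leaf of a descriptor and flags three things: a pasted PEM private key, a literal value under a credential-like key name, and a token-like string with high Shannon entropy. The sample descriptors, the key names, and the `${VAR}` and `vault:` reference conventions it accepts as safe are constructed assumptions for the example.

```python
"""Scan JSON and XML deployment descriptors for embedded secrets.

Added example for the section 4.5 observations; not part of the ENISA report.
Standard library only. The sample descriptors and the "${VAR}" / "vault:"
reference conventions are assumptions made for this example.
"""
import json
import math
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional, Tuple

# Key names that should never carry a literal value in a committed descriptor.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)
# A pasted PEM private key, whatever key name it sits under.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Accepted indirections (assumed conventions): ${ENV_VAR}, <PLACEHOLDER>, a masked
# value, or a vault: reference that is resolved at deploy time, never stored.
REFERENCE = re.compile(r"^(\$\{[A-Za-z0-9_]+\}|<[A-Za-z_]+>|\*{3,}|vault:.+)$")
# Token-like strings: base64/hex alphabet, no separators, at least 20 characters.
# The charset filter keeps image references and dotted names out of the check.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_\-]{20,}$")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of s: 5.0 for 32 distinct characters, 0.0 for 'aaaa'."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(key: str, value: object) -> Optional[str]:
    """Return a finding reason for one leaf, or None if it looks safe."""
    if not isinstance(value, str) or REFERENCE.match(value):
        return None
    if PEM_PRIVATE_KEY.search(value):
        return "pem_private_key"
    if SENSITIVE_KEY.search(key):
        return "sensitive_key_literal"
    if TOKEN_LIKE.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def walk_json(node: object, path: str = "") -> Iterator[Tuple[str, str, object]]:
    """Yield (path, key, value) for every scalar leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk_json(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_json(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit("/", 1)[-1], node


def walk_xml(elem: ET.Element, path: str = "") -> Iterator[Tuple[str, str, str]]:
    """Yield (path, key, value) for every attribute and non-empty text node."""
    path = f"{path}/{elem.tag}"
    for k, v in elem.attrib.items():
        yield f"{path}@{k}", k, v
    if elem.text and elem.text.strip():
        yield path, elem.tag, elem.text.strip()
    for child in elem:
        yield from walk_xml(child, path)


def scan_json(text: str) -> List[Tuple[str, str]]:
    """Parse a JSON descriptor and return (path, reason) for every suspect leaf."""
    return [(p, r) for p, k, v in walk_json(json.loads(text)) for r in [classify(k, v)] if r]


def scan_xml(text: str) -> List[Tuple[str, str]]:
    """Parse an XML descriptor and return (path, reason) for every suspect node."""
    return [(p, r) for p, k, v in walk_xml(ET.fromstring(text)) for r in [classify(k, v)] if r]


# Constructed sample: a VNF-style descriptor the way it too often lands in a repo.
LEAKY_JSON = """{
  "vnf": "amf-1",
  "image": "registry.example.internal/amf:1.4.2",
  "env": {"DB_PASSWORD": "Tr0ub4dor&3", "NRF_TOKEN": "${NRF_TOKEN}"},
  "tls": {"key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkq\\n-----END PRIVATE KEY-----"},
  "session": "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY",
  "notes": "rotated on 2021-11-02"
}"""
# Same descriptor with every secret replaced by a reference resolved at deploy time.
HARDENED_JSON = """{
  "vnf": "amf-1",
  "image": "registry.example.internal/amf:1.4.2",
  "env": {"DB_PASSWORD": "${DB_PASSWORD}", "NRF_TOKEN": "${NRF_TOKEN}"},
  "tls": {"key": "vault:kv/5g/amf/tls"},
  "session": "${SESSION_SECRET}",
  "notes": "rotated on 2021-11-02"
}"""
# Constructed XML descriptor: a credential pasted into an attribute.
LEAKY_XML = """<deployment name="upf-edge-3">
  <endpoint host="10.20.0.1" port="8805"/>
  <nas password="changeme"/>
  <cert ref="vault:kv/5g/upf/tls"/>
</deployment>"""

if __name__ == "__main__":
    for label, findings in (("leaky JSON", scan_json(LEAKY_JSON)),
                            ("hardened JSON", scan_json(HARDENED_JSON)),
                            ("leaky XML", scan_xml(LEAKY_XML))):
        print(f"{label}: {len(findings)} finding(s)")
        for path, reason in findings:
            print(f"  {path}: {reason}")
```

Run as is, the leaky JSON yields three findings (the literal database password, the pasted private key, the high-entropy session value) while the `${NRF_TOKEN}` placeholder passes; the hardened JSON yields none; the XML yields the pasted NAS password. In a CI job, a non-empty finding list should fail the build before the descriptor reaches the orchestrator. The entropy threshold and the charset filter are the two knobs that trade false positives (image digests, UUIDs) against misses; an allowlist of known-benign paths is the usual complement, and none of this replaces keeping secrets out of descriptors in the first place.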

5.1 ADOPT A PROGRESSIVE APPROACH TO 5G STANDARDISATION

The report suggests that a progressive approach to 5G standardisation be undertaken. Such an approach should start by improving the existing literature. The current report could help this effort, as it gives an overview of references and assesses their suitability for a given security measure, technical and functional domain and/or stakeholder. The creation of new references, if needed, could be a subsequent step to enhance standardisation coverage.

5.2 HAVE A BROADER VIEW ON THE CREATION OF NEW REFERENCES

The creation of new standards, specifications and guidelines should consider several elements:

- Usefulness and necessity. It should be considered whether the creation of standards, specifications and guidelines is necessary and/or useful for a specific security measure, for a specific 5G domain, and/or for a specific stakeholder at a given stage of the lifecycle.
- Link with strategic objectives. A consistent link between any new reference and the strategic objective it should serve must be ensured. For instance, if the objective of a new reference is to harmonise practices at the European level, local regulations should be taken into consideration; the contextualisation of HR (human resources) measures, for example, must account for local regulations. Special attention should be paid to provisions for lawful interception.
- Measurability of effectiveness. New references should facilitate the consistent measurement of the effectiveness of security measures from an end-to-end service perspective.
- Consideration for new technologies. For example, tactics for detecting incidents in 5G should also be tackled from the perspective of the development and operation of artificial intelligence, and not only from the standpoints of mobile network operators, their managed service providers and B2B verticals.
- Thinking beyond standardisation. In some cases, the effectiveness of standards, specifications or guidelines depends on external factors. For example, because of the open nature of the development of free and open source software (FOSS), security guidelines and recommendations should be accompanied by the commitment of resources to development and audit. Therefore, industry players and public administrations relying on open source software should be encouraged to actively contribute to continuously improving and maintaining the security of the FOSS-based solutions.

5.3 FOSTER THE MATURITY AND THE COMPLETENESS OF THE IDENTIFICATION AND ASSESSMENT OF RISK

Section 4 Identification of Gaps in Standardisation points, for each security domain, to areas that are partly covered by the existing literature, as well as to those covered to a limited extent or not at all. Besides these specific areas, the experts observed a broader gap related to risk assessment. The existing literature related to risk assessment is not specific to 5G and/or does not identify and evaluate risks consistently. This leads to a fragmented security landscape, which might be detrimental to the overall security of 5G.

Therefore, it is important to foster the maturity and the completeness of risk identification and assessment by harmonising risk assessment practices in a way that is inclusive of all stakeholders of the 5G ecosystem. For example, this would imply in particular (but not only) standardised:

- registers of risks, including from the perspective of the telecommunications sector and of service customers;
- skills and capacity frameworks for third-party assessment;
- knowledge bases of threat scenarios;
- requirements for security monitoring;
- assessment methods with an adequate abstraction level;
- requirements for auditing capability, in particular for service providers.

In this context, it is worth mentioning the approach to risk identification outlined in ENISA's Methodology for Sectoral Cybersecurity Assessment, described in the following section.

5.3.1 ENISA's methodology for sectoral cybersecurity assessment

The European Cybersecurity Act (CSA) requires the security and certification requirements for ICT products, services and processes to be based on the risk associated with their intended use. To this end, ENISA has proposed the SCSA methodology (ENISA Methodology for Sectoral Cybersecurity Assessments, 2021) to support the identification of cybersecurity risks associated with the intended use of systems in the context of business services and processes, with the option to involve all stakeholders, from sectoral vertical users to the providers of network infrastructure. SCSA carries out the assessment at sectoral business level, involving all relevant 5G stakeholders, their business objectives and their ICT subsystems and processes. Cybersecurity risks are identified in relation to the business objectives, and the risks identified indicate the security, certification and assurance level requirements for particular ICT products, services and processes. This can support a balance between the cost that a 5G stakeholder has to bear for security and assurance and the benefit of protecting its business objectives.

5.4 FINAL OBSERVATIONS

It is to be noted that the prioritisation of the new references to be created is outside the scope of this work and that, in accordance with the previous recommendations, the creation of new references might not always be necessary and should be part of a progressive approach that considers several aspects.

Finally, it is important to stress that, while the technical and organisational standards analysed can contribute to the security of 5G, they should not be treated as an exhaustive list of measures guaranteeing security. Besides considerations of the effectiveness of specific standards, which are outside the scope of this report, it should be remembered that there are risks that are not covered by standards, for example residual risks whose cost is neither borne by nor attributable to a specific stakeholder, such as societal risks resulting from network malfunctions. The complexity of

218、 5G,as depicted in the previous sections,calls for a comprehensive vision of trust and of resilience that goes beyond standardisation.This vision should be future-proof and not dependent on the variability of assets and configurations in the network.5G CYBERSECURITY STANDARDS March 2022 33 6.BIBLIOG

219、RAPHY 1.3GPP(2016):3GPP 33.117 Catalogue of general security assurance requirements;Technical Specification.2.3GPP(2016):3GPP 33.401 3GPP System Architecture Evolution(SAE);Security architecture.3.3GPP(2020):3GPP 33.102 3G security;Security architecture;Technical Specification.4.3GPP(2020):3GPP 33.1

220、16 Security Assurance Specification(SCAS)for the MME network product class.5.3GPP(n.d.):3GPP 33.163 Battery Efficient Security for very low throughput Machine Type Communication(MTC)devices(BEST).6.3GPP(n.d.):3GPP 33.210 Network Domain Security(NDS);IP network layer security.7.3GPP(n.d.):3GPP 33.310

221、 Network Domain Security(NDS);Authentication Framework(AF).8.3GPP.(n.d.):3GPP 33.501 Security architecture and procedures for 5G System.9.3GPP.(n.d.):TS 33.514-5G Security Assurance Specification(SCAS)for the Unified Data Management(UDM)network product class.10.ANSI.(2019);ANSI/TIA-569-E Telecommuni

222、cations Pathways and Spaces.11.ANSSI(2018):EBIOS Risk Manager;Paris ANSSI.12.ASIS(2021):ASIS Physical Asset Protection Guideline;Retrieved from asis.org:https:/www.asisonline.org/publications-resources/standards-guidelines/13.Carder,J.(2020):How to build a SOC with limited resources.14.Carder,J.(202

223、0):Security Operation Centers Maturity Model.15.CIS(2018):CIS Risk Assessment Method.16.CIS(2021):CIS Controls v8;Retrieved from https:/www.cisecurity.org/controls/v8/17.Cloud Security Alliance(2015);Best practices for mitigating risks in virtualized environments.18.CSIAC(2021):CSIAC evaluation of t

224、hreat taxonomies;Retrieved from https:/csiac.org/articles/evaluation-of-comprehensive-taxonomies-for-information-technology-threats/19.EBIOS C(2021):Oberisk;Retrieved from https:/club-ebios.org/site/en/tag/oberisk-en/20.ENISA(2014):Report on Cyber Crisis Cooperation and Management.21.ENISA(2016):Thr

225、eat Taxonomy;Retrieved from https:/www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view.22.ENISA(2019):EU Coordinated Risk Assessment of 5G Networks Security.23.ENISA(2019):Threat Landscape for 5G Networks.24.ENISA(2020):ENISA Threat Landsc

226、ape for 5G Networks Updated.25.ENISA(2020):Guideline on Security Measures under the EECC.26.ENISA(2021):5G Supplement to the Guideline on Security Measures under EECC.27.ENISA(2021):Methodology for Sectoral Cybersecurity Assessments.28.ENISA(2021):Security in 5G Specifications.29.ETSI(2014):ETSI GS

227、NFV-SEC 003-Network Functions Virtualisation(NFV)-NFV Security-Security and Trust Guidance.30.ETSI(2014):Network Functions Virtualisation(NFV);Architectural Framework.31.ETSI(2017):ETSI GS NFV-SEC 012-Network Functions Virtualisation(NFV)Release 3;Security;System architecture specification for execu

228、tion of sensitive NFV components.32.ETSI(2017):Network Function Virtualisation(NFV);Reliability;Report on the resilience of NFV-MANO critical capabilities.5G CYBERSECURITY STANDARDS March 2022 34 33.ETSI(2017):Network Functions Virtualisation(NFV)Release 3;Security;Security Management and Monitoring

229、 specification.34.ETSI(2018):ETSI GS NFV-SEC 014-Network Functions Virtualisation(NFV)Release 3-NFV Security-Security Specification for MANO Components.35.ETSI(2022):ETSI TS 103.465 Smart Secure Platform(SSP);Requirements Specification.36.Regulation(EU)No 1025/2012 of the European Parliament and of

230、the Council of 25 October 2012 on European standardisation.37.Regulation(EU)2019/881-Cybersecurity Act;Regulation(EU)2019/881 on ENISA(the European Union Agency for Cybersecurity)and on information and communications technology cybersecurity certification and repealing Regulation(EU)No 526/2013(Cybe

231、rsecurity Act).38.European Commission(2020,December 16):Brussels,Belgium,EU Press Release;New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient.39.Fdration Franaise des Tlcoms(2019):Repository of security objectives for Virtualised Network Function

232、s(French).40.GSMA(2019):GSMA FS.11-SS7 Interconnect Security Monitoring and Firewall Guidelines.41.GSMA(2019):GSMA FS.19-Diameter Interconnect Security.42.GSMA(2020):GSMA FS.23-Coordinated Vulnerability Disclosure;Guideline.43.GSMA(2020):GSMA FS.37-GPRS Tunnelling Protocol User Security.44.GSMA(2020

233、):GSMA NG.113-5G System Roaming Guidelines.45.GSMA(2021):GSMA FS.16-NESAS Development and Lifecycle Security Requirements v2.0.46.GSMA(n.d.):PRD FS.04 GSMA SAS Standard for UICC Production.47.GSMA(n.d.):PRD FS.05 GSMA SAS Methodology for UICC Production.48.GSMA(n.d.):PRD FS.08 GSMA SAS Standard for

234、Subscription Manager Roles.49.GSMA(n.d.):PRD FS.09 GSMA SAS Methodology for Subscription Manager Roles.50.GSMA(n.d.):PRD FS.18 GSMA SAS Consolidated Security Guidelines.51.GSMA(n.d.):PRD SGP.01 Embedded SIM Remote Provisioning Architecture.52.GSMA(n.d.):PRD SGP.02 Remote Provisioning Architecture fo

235、r Embedded UICC;Technical Specification.53.GSMA(n.d.):PRD SGP.21 Remote SIM Provisioning(RSP)Architecture.54.GSMA(n.d.):PRD SGP.22 Remote SIM Provisioning(RSP)Technical Specification.55.GSMA(n.d.):TS 33.513-5G Security Assurance Specification(SCAS);User Plane Function(UPF);Technical Specification.56

236、.GSMA(n.d.):TS 33.515-5G Security Assurance Specification(SCAS)for the Session Management Function(SMF)network product class.57.IETF(2004):IETF RFC 3871-Operational Security Requirements for Large Internet Service Provider(ISP)IP Network Infrastructure.58.Informationstechnik,B.F.(2017):BSI Standard

237、200-3-IT Risk Management:Standard.59.ISO(2010):ISO/IEC 11770-1:2010-Information technology Security techniques Key management Part 1:Framework.60.ISO(2012):ISO/IEC 17024:2012-Conformity assessment General requirements for bodies operating certification of persons.61.ISO(2012):ISO/IEC 17065:2012-Conf

238、ormity assessment Requirements for bodies certifying products,processes and services.62.ISO(2013):ISO/IEC 27001:2013-Information technology Security techniques Information security management systems Requirements.63.ISO(2013):ISO/IEC 27002:2013-Information technology Security techniques Code of prac

239、tice for information security controls.64.ISO(2013):ISO/IEC 27036-3:2013-Information technology Security techniques Information security for supplier relationships Part 3:Guidelines for information and communication technology supply chain security.5G CYBERSECURITY STANDARDS March 2022 35 65.ISO(201

240、3):ISO/IEC TR 20000-5:2013-Information technology Service management Part 5:Exemplar implementation plan for ISO/IEC 20000-1.66.ISO(2014):ISO/IEC 27036-1:2014-Information technology Security techniques Information security for supplier relationships Part 1:Overview and concepts.67.ISO(2014):ISO/IEC

241、27036-2:2014-Information technology Security techniques Information security for supplier relationships Part 2:Requirements.68.ISO(2015):ISO 22317:2015-Societal security Business continuity management systems Guidelines for business impact analysis(BIA).69.ISO(2015):ISO/IEC 17021-1:2015-Conformity a

242、ssessment Requirements for bodies providing audit and certification of management systems Part 1:Requirements.70.ISO(2015):ISO/IEC 27033-1:2015-Information technology Security techniques Network security Part 1:Overview and concepts.71.ISO(2015):ISO/IEC TR 20000-11:2015-Information technology Servic

243、e management Part 11:Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks:ITIL.72.ISO(2016):ISO/IEC 24760-3:2016-Information technology Security techniques A framework for identity management Part 3:Practice.73.ISO(2016):ISO/IEC 27035-1:2016-Information technol

244、ogy Security techniques Information security incident management Part 1:Principles of incident management.74.ISO(2016):ISO/IEC 27036-4:2016-Information technology Security techniques Information security for supplier relationships Part 4:Guidelines for security of cloud services.75.ISO(2017):ISO/IEC

245、 20000-6:2017-Information technology Service management Part 6:Requirements for bodies providing audit and certification of service management systems.76.ISO(2017):ISO/IEC 27021:2017-Information technology Security techniques Competence requirements for information security management systems profes

246、sionals.77.ISO(2018):ISO 19011:2018-Guidelines for auditing management systems.78.ISO(2018):ISO 21001:2018-Educational organizations Management systems for educational organizations Requirements with guidance for use.79.ISO(2018):ISO 22331:2018-Security and resilience Business continuity management

247、systems Guidelines for business continuity strategy.80.ISO(2018):ISO 29992:2018-Assessment of outcomes of learning services Guidance.81.ISO(2018):ISO 31000:2018-Risk management Guidelines.82.ISO(2018):ISO/IEC 20000-1:2018-Information technology Service management Part 1:Service management system req

248、uirements.83.ISO(2018):ISO/IEC 20000-10:2018-Information technology Service management Part 10:Concepts and vocabulary.84.ISO(2018):ISO/IEC 27005:2018-Information technology Security techniques Information security risk management.85.ISO(2018):ISO/IEC 29147:2018-Information technology Security techn

249、iques Vulnerability disclosure.86.ISO(2019):ISO 22301:2019-Security and Resilience Business continuity management systems Requirements.87.ISO(2019):ISO/IEC 20000-2:2019-Information technology Service management Part 2:Guidance on the application of service management systems.88.ISO(2019):ISO/IEC 200

250、00-3:2019-Information technology Service management Part 3:Guidance on scope definition and applicability of ISO/IEC 20000-1.89.ISO(2019):ISO/IEC 20000-7:2019-Information technology Service management Part 7:Guidance on the integration and correlation of ISO/IEC20000-1:2018 to ISO 9001:2015 and ISO/

251、IEC27001:2013.90.ISO(2019):ISO/IEC 24760-1:2019-IT Security and Privacy A framework for identity management Part 1:Terminology and concepts.5G CYBERSECURITY STANDARDS March 2022 36 91.ISO(2020):ISO 22313:2020-Security and resilience Business continuity management systems Guidance on the use of ISO 2

252、2301.92.ISO(2020):ISO/IEC 27014:2020-Information technology Security techniques Governance of information security.93.ISO(2021):ISO 22300:2021-Security and Resilience-Vocabulary.94.ISO(2021):ISO 22332:2021-Security and resilience Business continuity management systems Guidelines for developing busin

253、ess continuity plans and procedures.95.ITU-T(2016):X.1038 Security requirements and reference architecture for software-defined networking.96.LogRythm(2021):Analysis and Detection of Golden SAML Attacks.97.MITRE(2019):Common Attack Pattern Enumeration and Classification;Retrieved July 16,2019,from h

254、ttps:/capec.mitre.org 98.NIST(2003):SP800-50-Building an Information Technology Security Awareness and Training Program;Guideline.99.NIST(2006):SP800-100-Information Security Handbook:A Guide for Managers.Gaithersburg,MD:NIST.100.NIST(2006):SP800-92 Guide to Computer Security Log Management.101.NIST

255、(2017):SP800-190-Application Container Security.102.NIST(2018):White Paper-Framework for Improving Critical Infrastructure Cybersecurity.103.NIST(2019):SP800-204-Security Strategies for Microservices-based Application Systems.104.NIST(2020):SP800-181Rev1 Workforce Framework for Cybersecurity(NICE Fr

256、amework).105.NIST(2020):White Paper-Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework(SSDF).106.NIST(2021):NIST SP-800-53A-Assessing Security and Privacy Controls in Information Systems and Organizations.107.NIST(2021):SP800-154 Guide to Data-Centric

257、 System 3 Threat Modeling.108.NIST(2021):SP800-204B-Attribute-based Access Control for Microservices-based Applications using a Service Mesh.109.NIST(2021):SP800-53A Risk Management Framework-Assessing Security and Privacy Controls in Information Systems and Organizations.Guideline.110.NIST(n.d.):SP

258、800-53 Rev.5.1 and SP 800-53B;Retrieved from nist.org:https:/csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=5.1&family=PE 111.OWASP(2017):owasptopten.org;Retrieved from https:/www.owasptopten.org/112.SANS Institute(2021):Security Policy Templates;Retrieved

259、 from https:/www.sans.org/information-security-policy/113.TM Forum(2021):ETOM GB 921 Business Process Framework.114.W.Bautista Jr(2019):Cyber kill chain and the OODA loop;OReilly Editions 5G CYBERSECURITY STANDARDS March 2022 37 ANNEX TAXONOMY FOR STANDARDS This section acts as a reminder of the def

260、initions of document typologies from the EU regulatory framework and the ISO.A.1 DOCUMENT TYPOLOGIES DEFINED BY THE EU REGULATION The European Unions Regulation(EU)No 1025/2012,2012 stipulates the following provisions:A Technical specification is a document that prescribes technical requirements to

261、be fulfilled by a product,process,service or system(.).Depending on the source of such specification,it could be a standard(standard means a technical specification adopted by a recognised standardisation body for repeated or continuous application)at the international,regional(e.g.European)or natio

262、nal level.Additionally,there is the European standardisation deliverable,which refers to any technical specification other than a European standard adopted by a European standardisation organisation for repeated or continuous application.Technical specifications,not being standards nor European stan

263、dardisation deliverables,could be identified as equivalent to standards if they meet the requirements set up in Annex II of Regulation 1025/2012.If the taxonomy based on EU Regulation 1025/2012 were considered it could look like:A.Technical specification document containing the requirements for:A1 T

264、echnical specification standard A2 Technical specification European standardisation deliverable considered as a standard(adopted by one of the European Standards Organisations)A3 Technical Specification standard(according to the rules and principles set up in Annex II of the Regulation)B.Document th

265、at contains information other than requirements:B1 (Name of a Recognised Standardisation Body)standard Framework B2 (Name of a Recognised Standardisation Body)standard Guidelines B3 (Name of a Recognised Standardisation Body)standard Best practices B4 (Name of a Recognised Standardisation Body)stand

266、ard Vocabulary A.2 DOCUMENT TYPOLOGIES DEFINED BY ISO If we consider the ISO taxonomy we are dealing with the following(according to ISO):Standard:is a document established by consensus and approved by a recognised body that provides for common and repeated use rules,guidelines or characteristics fo

267、r activities or their results,aimed at the achievement of the optimum degree of order in a given context.International Standard:is a standard that is adopted by an international standardising or standards organisation and made available to the public.5G CYBERSECURITY STANDARDS March 2022 38 Technica

268、l Specification(TS):is a document published by ISO or IEC for which there is,in the future,the possibility of agreement on an International Standard but for which at present:the required support for approval as an International Standard cannot be obtained,there is doubt on whether consensus has been

269、 achieved,the subject matter is still under technical development,or there is another reason precluding immediate publication as an International Standard.Technical Report(TR):is a document published by ISO or IEC containing collected data of a different kind from that normally published by ISO or I

270、EC.If the ISO taxonomy were considered it could look like:A.Standards A1 (Name of a Recognised Standardisation Body)Standard Requirements A2 (Name of a Recognised Standardisation Body)Standard Framework A3 (Name of a Recognised Standardisation Body)Standard Guidelines A4 (Name of a Recognised Standa

271、rdisation Body)Standard Vocabulary B.Technical reports B1 ISO Technical Report Guidelines B2 ISO Technical Report Best practices C.Non-standard documents C1 (Name of the Issuer)Guidelines C2 (Name of the Issuer)Best Practices 5G CYBERSECURITY STANDARDS March 2022 39 ANNEX MAPPING In the detailed ana

272、lysis,to keep the information in the table manageable,the convention used in this annex is proposed to refer to one or several stakeholders,one or several documents,under a common label.A.3 REFERENCING THE 5G TECHNICAL AND FUNCTIONAL DOMAINS In the detailed analysis,to keep the information in the ta

273、ble manageable,a convention specific to this document is proposed to refer to one or several 5G technical and functional domains under a common label.The table below provides for every 5G domain,the associated label.5G Technical and functional domains Definition 5G Use cases End-to-end services base

274、d on 5G,characterised by how they use and/or transmit data.Example:Vehicle-to-everything,eMBB,mMTC,URLLC.Multi Access Edge Computing(MEC)Services Multi access computing services used to bring computation and connectivity closer to the end-user in order to meet the requirements for data transmission

275、speed and latency.Physical Infrastructure Set of premises including hardware and software for computation,storage and transmission as well as the related technical environment(energy,air conditioning,cable paths,civil works infrastructures,etc.).Virtualised Infrastructure Computing,storage and netwo

276、rking capacities on demand.Radio Access Network(RAN)Logical and hardware components making up the functions of the radio access network.It includes mainly distribution units and control units for radio access.Multi Access Edge Computing(MEC)Infrastructure Infrastructure related to the decentralisati

277、on of cloud functions(storage of data and computing)located closer to the user or edge device.5G Core Network,Network Function(CN NF)Central part of the 5G infrastructure which enables new functions related to multi-access technologies.Its main purpose is to deliver services over all kinds of networ

278、ks(wireless,fixed,converged).Data Network(DN)Connectivity to external data,content,services and other resources available outside the 5G network.The data network is also used to interconnect different 5G networks,operators and providers.Transport Part of the network ensuring the connectivity between

279、 the access and core networks.Management and Orchestration(MANO)Software,operations tools and the related environment used to automate operations that relate to the lifecycle of the infrastructure and service components.A.4 REFERENCING THE STAKEHOLDERS In the detailed analysis,to keep the informatio

280、n in the table manageable,a convention specific to this document is proposed to refer to one or several stakeholders under a common label.The table below provides for every stakeholder category,the list of the concerned stakeholders is represented by the designation provided in Section 2.1.3 5G Stak

281、eholders.5G CYBERSECURITY STANDARDS March 2022 40 Stakeholder category Definition 5G Service customer or consumer Entities that use services that are offered by a service provider(SP).In the context of 5G,these would be,for example,vertical industries and their private networks.In addition,consumers

282、 of 5G services without a business relation with a 5G service provider(e.g.end users)are included in this category.This category may implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and operation of 5G networks and/or services.Telecommu

283、nications sector(Telecom)This category encompasses entities that are responsible for the manufacture,deployment and operation of 5G networks,such as:Mobile network operators:entities providing mobile network services to users,operating their own network,if necessary with the help of third parties.Su

284、ppliers of mobile networks:entities providing services or infrastructure to MNOs in order to build and/or operate their networks(both telecom equipment manufacturers and other third-party suppliers,such as cloud infrastructure providers and network infrastructure providers and managed services provi

285、ders).Service provider(SP):entities that design,build and operate services using aggregated network services such as,for example,communication service providers offering traditional telecom services,digital service providers offering digital services such as enhanced mobile broadband and IoT to vari

286、ous vertical industries,or network slice as a service(NSaaS)providers offering a network slice along with the services that it may support and configure.Virtualisation infrastructure service providers(VISP):entities that provide virtualised infrastructure services and that design,build and operate v

287、irtualisation infrastructure(s).The infrastructure comprises networking(e.g.for mobile transport)and computing resources(e.g.from computing platforms).This category may implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and operation of 5

288、G networks and/or services.Datacentre services providers(DCSP)Entities that provide data centre services and that design,build and operate their data centres.A DCSP differs from a VISP by offering raw resources(i.e.host servers)in rather centralised locations and simple services for consumption of t

289、hese raw resources.A VISP rather offers access to a variety of resources by aggregating multiple technology domains and making them accessible through a single API.This category may implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and o

290、peration of 5G networks and/or services.Connected devices industry This category includes manufacturers of connected devices and related service providers,meaning entities providing objects or services that will connect to 5G networks(e.g.smartphones,connected vehicles,e-health)and related service c

291、omponents hosted in a 5G control plane as defined in service-based architecture or mobile edge computing.This category may implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and operation of 5G networks and/or services.5G CYBERSECURITY ST

292、ANDARDS March 2022 41 Cybersecurity assessment This category includes entities that assess the security of 5G networks and systems e.g.auditing companies and accredited 5G laboratories.This category audits the implementation of standards,specifications and guidelines.Cybersecurity information exchan

293、ge This category includes entities that share threat intelligence and incident-related information,for example information sharing and analysis centres(ISACs)and cyber security incident response team(CSIRTs).This category may implement standards,specifications and guidelines to securely exchange cyb

294、er-intelligence.Standards development organisations(SDOs),associations,alliances This category encompasses entities that develop and promote the adoption of standards,specifications and guidelines,for example GSMA and 3GPP.Research and innovation organisations This category encompasses entities cont

295、ributing to R&D and innovation tasks related to all kinds of innovative actions in the areas related to 5G,including verticals.It also includes open source organisations or communities providing technological support and guidance in the development of 5G functions and services,as well as public-priv

296、ate partnerships and innovation programmes.This category exposes gaps in standardisation and creates innovations that can lead to advancements in standardisation,by acting as starting points for new standards,specifications and guidelines.5G CYBERSECURITY STANDARDS March 2022 42 A.5 REFERENCING THE

297、EXISTING LITERATURE In the detailed analysis,to keep the information in the detailed analysis table manageable,a convention specific to this document is proposed for referring to one or several documents under a common cluster for easy reference.The clustering choice is based on either the family of

298、 documents or common security theme.The table below provides for every group,the reference shorthand,the descriptive title,the list of concerned documents based on Section 6 Bibliography,and the document taxonomy from Section 2.2.Reference shorthand Descriptive title References from the bibliography

299、 Document taxonomy ISOIEC27K A selection of ISO/IEC JTC1 SC27 requirements and code of practice to setup information security processes.(ISO,ISO/IEC 27001:2013-Information technology Security techniques Information security management systems Requirements,2013)(ISO,ISO/IEC 27002:2013-Information tec

300、hnology Security techniques Code of practice for information security controls,2013)(ISO,ISO/IEC 27005:2018-Information technology Security techniques Information security risk management,2018)(ISO,ISO/IEC 27035-1:2016-Information technology Security techniques Information security incident manageme

301、nt Part 1:Principles of incident management,2016)Standard ISOIEC20K A selection of ISO/IEC processes mapped for service delivery.(ISO,ISO/IEC 20000-1:2018-Information technology Service management Part 1:Service management system requirements,2018)(ISO,ISO/IEC 20000-2:2019-Information technology Ser

302、vice management Part 2:Guidance on the application of service management systems,2019)(ISO,ISO/IEC 20000-3:2019-Information technology Service management Part 3:Guidance on scope definition and applicability of ISO/IEC 20000-1,2019)(ISO,ISO/IEC TR 20000-5:2013-Information technology Service manageme

303、nt Part 5:Exemplar implementation plan for ISO/IEC 20000-1,2013)(ISO,ISO/IEC 20000-6:2017-Information technology Service management Part 6:Requirements for bodies providing audit and certification of service management systems,2017)(ISO,ISO/IEC 20000-7:2019-Information technology Service management

304、Part 7:Guidance onthe integration and correlation of ISO/IEC20000-1:2018 to ISO 9001:2015 and ISO/IEC27001:2013,2019)(ISO,ISO/IEC 20000-10:2018-Information technology Service management Part 10:Concepts and vocabulary,2018)(ISO,ISO/IEC TR 20000-11:2015-Information technology Service management Part

305、11:Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks:ITIL,2015)Standard 5G CYBERSECURITY STANDARDS March 2022 43 (TMForum,2021)(IETF,2004)(ISO,ISO/IEC 27002:2013-Information technology Security techniques Code of practice for information security controls,20

306、13):12.1 Operational procedures and responsibilities SUPPLSEC A selection of references for the security of suppliers.(ISO,ISO/IEC 27036-1:2014-Information technology Security techniques Information security for supplier relationships Part 1:Overview and concepts,2014)(ISO,ISO/IEC 27036-2:2014-Infor

307、mation technology Security techniques Information security for supplier relationships Part 2:Requirements,2014)(ISO,ISO/IEC 27036-3:2013-Information technology Security techniques Information security for supplier relationships Part 3:Guidelines for information and communication technology supply ch

308、ain security,2013)(ISO,ISO/IEC 27036-4:2016-Information technology Security techniques Information security for supplier relationships Part 4:Guidelines for security of cloud services,2016)(GSMA,GSMA FS.16-NESAS Development and Lifecycle Security Requirements v2.0,2021)Standard POLTEMPLATES A select

ion of guidelines to build security policies (SANS Institute, 2021)
    Type: Guideline

RM: A selection of references for cybersecurity risk management and related assessments
    References:
    - (ISO, ISO/IEC 27005:2018 - Information technology - Security techniques - Information security risk management, 2018)
    - (ENISA, Methodology for Sectoral Cybersecurity Assessments, 2021)
    - (Cloud Security Alliance, 2015)
    - (TMForum, 2021)
      Note: The eTOM consists in a process map reference framework. It is a useful reference for identifying business processes. However, the eTOM material does not provide any coverage on the implementation of security measures other than their use to identify a scope of governance for SO1 and a scope of primary assets for SO2.
    - (ISO, ISO 31000:2018 - Risk management - Guidelines, 2018) [Type: Standard]
    - (ANSSI, EBIOS Risk Manager, 2018) [Type: Guideline]
    - (MITRE, Common Attack Pattern Enumeration and Classification, 2019)
    - (NIST, SP800-53A Risk Management Framework - Assessing Security and Privacy Controls in Information Systems and Organizations, 2021)
    - (EBIOS, 2021)
    - (CIS, CIS Risk Assessment Method, 2018)
    - (Informationstechnik, 2017)

ENISATL: A selection of references for ENISA works related to threats
    References:
    - (ENISA, ENISA Threat Landscape for 5G Networks Updated, 2020)
    - (ENISA, Threat Landscape for 5G Networks, 2019)
    - (ENISA, EU Coordinated Risk Assessment of 5G Networks Security, 2019)
    Type: Report

SP800HR: A selection of references for security related to human resources
    References:
    - (NIST, SP800-50 - Building an Information Technology Security Awareness and Training Program, 2003)
    - (NIST, SP800-100 - Information Security Handbook: A Guide for Managers, 2006)
    - (NIST, SP800-181 Rev1 Workforce Framework for Cybersecurity (NICE Framework), 2020)
    - (ISO, ISO 29992:2018 - Assessment of outcomes of learning services - Guidance, 2018)
    - (ISO, ISO/IEC 27021:2017 - Information technology - Security techniques - Competence requirements for information security management systems professionals, 2017)
    - (ISO, ISO/IEC 17024:2012 - Conformity assessment - General requirements for bodies operating certification of persons, 2012)
    - (ISO, ISO 21001:2018 - Educational organizations - Management systems for educational organizations - Requirements with guidance for use, 2018)
    Type: Guideline

IAM: A selection of references for identity and access management
    References:
    - (ISO, ISO/IEC 24760-1:2019 - IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts, 2019)
    - (ISO, ISO/IEC 24760-3:2016 - Information technology - Security techniques - A framework for identity management - Part 3: Practice, 2016)
    - (NIST, SP800-204B - Attribute-based Access Control for Microservices-based Applications using a Service Mesh, 2021) [Type: Standard]
    - (ETSI, ETSI GS NFV-SEC 003 - Network Functions Virtualisation (NFV) - NFV Security - Security and Trust Guidance, 2014)
    - (ETSI, ETSI GS NFV-SEC 014 - Network Functions Virtualisation (NFV) Release 3 - NFV Security - Security Specification for MANO Components and, 2018)
    - (IETF, 2004)
    - (ISO, ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements, 2013): 12.1 Operational procedures and responsibilities

DEVSECOPS: A selection of references for security in the IT lifecycle
    References:
    - (NIST, SP800-204 - Security Strategies for Microservices-based Application Systems, 2019)
    - (NIST, SP800-190 - Application Container Security, 2017)
    - (NIST, White Paper - Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF), 2020)
    - (ISO, ISO/IEC/IEEE 29119-1:2013 - Software and systems engineering - Software testing - Part 1: Concepts and definitions, 2013)
    Type: Guideline

3GPP-All: All 3GPP Technical Specifications from the library
    References:
    - The whole of the 3GPP list from the bibliography.
      Note: 3GPP technical specifications have been considered as technical features that are part of the capabilities of the network. 3GPP Technical Specifications have been considered as addressing a security measure only when they have been deemed valid as a stand-alone input to a given security measure.
    Type: Specification

NFVSEC: A selection of references for the security of network functions virtualisation
    References:
    - (ISO, ISO/IEC 27033-1:2015 - Information technology - Security techniques - Network security - Part 1: Overview and concepts, 2015)
    - (ETSI, Network Function Virtualisation (NFV); Reliability; Report on the resilience of NFV-MANO critical capabilities, 2017)
    - (ETSI, Network Functions Virtualisation (NFV) Release 3; Security; Security Management and Monitoring specification, 2017)
    - (ETSI, Network Functions Virtualisation (NFV); Architectural Framework, 2014)
    Type: Specification

eUICC: A selection of references for security in the eUICC domain
    References:
    - (GSMA, PRD FS.04 GSMA SAS Standard for UICC Production)
    - (GSMA, PRD FS.05 GSMA SAS Methodology for UICC Production)
    - (GSMA, PRD FS.08 GSMA SAS Standard for Subscription Manager Roles)
    - (GSMA, PRD FS.09 GSMA SAS Methodology for Subscription Manager Roles)
    - (GSMA, PRD FS.18 GSMA SAS Consolidated Security Guidelines)
    - (GSMA, PRD SGP.01 Embedded SIM Remote Provisioning Architecture)
    - (GSMA, PRD SGP.02 Remote Provisioning Architecture for Embedded UICC)
    - (GSMA, PRD SGP.21 Remote SIM Provisioning (RSP) Architecture)
    - (GSMA, PRD SGP.22 Remote SIM Provisioning (RSP) Technical Specification)
    Type: Specification

CRYPTOTECH: A selection of references for the use of cryptographic techniques
    References:
    - (3GPP, 3GPP 33.501 Security architecture and procedures for 5G System)
    - (3GPP, 3GPP 33.310 Network Domain Security (NDS); Authentication Framework (AF))
    - (3GPP, 3GPP 33.210 Network Domain Security (NDS); IP network layer security)
    - (3GPP, 3GPP 33.163 Battery Efficient Security for very low throughput Machine Type Communication (MTC) devices (BEST))
    - (ISO, ISO/IEC 11770-1:2010 - Information technology - Security techniques - Key management - Part 1: Framework, 2010)
    - (ETSI, ETSI GS NFV-SEC 012 - Network Functions Virtualisation (NFV) Release 3; Security; System architecture specification for execution of sensitive NFV components, 2017)
    - (ITU-T, 2016)
    Type: Specification
    - (NIST, 2021, Planning for a Zero Trust Architecture: A Starting Guide for Administrators) [Type: Guideline]

PHYSEC: A selection of references for physical and environmental security
    References:
    - (NIST, SP800-53 Rev. 5.1 and SP 800-53B)
    - (ASIS, 2021)
    - (Informationstechnik, 2017)
    - (ISO, ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls, 2013) - 11.1 Secure areas and 11.2 Equipment
    - (ANSI, 2019)
    Type: Guideline

HARDEN: A selection of references for technical robustness
    References:
    - (CIS, CIS Controls v8, 2021)
    - (OWASP, 2017)
    Type: Guideline

VULN: A selection of references for the management of vulnerabilities
    References:
    - (GSMA, GSMA FS.23 - Coordinated Vulnerability Disclosure, 2020) [Type: Guideline]
    - (ISO, ISO/IEC 29147:2018 - Information technology - Security techniques - Vulnerability disclosure, 2018)
    - (ISO, ISO/IEC 17960:2015 - Information technology - Programming languages, their environments and system software interfaces - Code signing for source code, 2015)
    - (ISO, ISO/IEC 30111:2019 - Information technology - Security techniques - Vulnerability handling processes, 2019)
    - (ISO, ISO/IEC TS 30104:2015 - Information Technology - Security Techniques - Physical Security Attacks, Mitigation Techniques and Security Requirements, 2015)
    Type: Standard

THREATMOD: A selection of references for threat modelling and security monitoring, including threat intelligence capabilities
    References:
    - (ENISA, Threat Taxonomy, 2016)
    - (MITRE, Common Attack Pattern Enumeration and Classification, 2019)
    - (NIST, SP800-92 Guide to Computer Security Log Management, 2006)
    - (NIST, SP800-154 Guide to Data-Centric System Threat Modeling, 2021)
    - (CSIAC, 2021)
    - (Carder, How to build a SOC with limited resources, 2020)
    Type: Guideline
    - (Carder, Security Operation Centers Maturity Model, 2
