1、 0 5G CYBERSECURITY STANDARDS Analysis of standardisation requirements in support of cybersecurity policy MARCH 2022 5G CYBERSECURITY STANDARDS March 2022 1 ABOUT ENISA The European Union Agency for Cybersecurity,ENISA,is the Unions agency dedicated to achieving a high common level of cybersecurity
2、across Europe.Established in 2004 and strengthened by the EU Cybersecurity Act,the European Union Agency for Cybersecurity contributes to EU cyber policy,enhances the trustworthiness of ICT products,services and processes with cybersecurity certification schemes,cooperates with Member States and EU
3、bodies,and helps Europe prepare for the cyber challenges of tomorrow.Through knowledge sharing,capacity building and awareness raising,the Agency works together with its key stakeholders to strengthen trust in the connected economy,to boost resilience of the Unions infrastructure and,ultimately,to k
4、eep Europes society and citizens digitally secure.More information about ENISA and its work can be found here:www.enisa.europa.eu.CONTACT For contacting the authors please use erika.magonaraenisa.europa.eu For media enquiries about this paper,please use pressenisa.europa.eu.AUTHORS Franois Cosquer,F
5、ranois Zamora,Alf Zugenmaier EDITORS Erika Magonara,Sawomir Grniak ENISA ACKNOWLEDGEMENTS ENISA would like to thank Ms.Elbieta Andrukiewicz and Mr.Jordi Batalla for their support to the study,reviews and comments.LEGAL NOTICE This publication represents the views and interpretations of ENISA,unless
6、stated otherwise.It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to the Regulation(EU)No 2019/881.ENISA has the right to alter,update or remove the publication or any of its contents.It is intended for information purposes only and it must be accessible free of charg
7、e.All references to it or its use as a whole or partially must contain ENISA as its source.Third-party sources are quoted as appropriate.ENISA is not responsible or liable for the content of the external sources including external websites referenced in this publication.Neither ENISA nor any person
8、acting on its behalf is responsible for the use that might be made of the information contained in this publication.ENISA maintains its intellectual property rights in relation to this publication.5G CYBERSECURITY STANDARDS March 2022 2 COPYRIGHT NOTICE European Union Agency for Cybersecurity(ENISA)
9、,2022 This publication is licenced under CC-BY 4.0“Unless otherwise noted,the reuse of this document is authorised under the Creative Commons Attribution 4.0 International(CC BY 4.0)licence(https:/creativecommons.org/licenses/by/4.0/).This means that reuse is allowed,provided that appropriate credit
10、 is given and any changes are indicated”.For any use or reproduction of photos or other material that is not under the ENISA copyright,permission must be sought directly from the copyright holders.ISBN 978-92-9204-568-5 DOI 10.2824/700472 5G CYBERSECURITY STANDARDS March 2022 3 TABLE OF CONTENTS EXE
11、CUTIVE SUMMARY 6 1.INTRODUCTION 8 1.1 DOCUMENT PURPOSE AND OBJECTIVES 8 1.2 OVERVIEW AND STRUCTURE OF THE STUDY 8 1.3 TARGET AUDIENCE AND PREREQUISITES 9 2.SCOPE,DEFINITIONS,AND CONVENTIONS 10 2.1 THE 5G ECOSYSTEM 10 2.1.1 5G technological and functional domains 10 2.1.2 Technology lifecycle process
12、es 12 2.1.3 5G Stakeholders 13 2.1.4 5G Security domains,objectives and measures 15 2.2 TAXONOMY OF DOCUMENTS CONSIDERED 16 3.POSITIONING AND ASSESSMENT OF REFERENCE DOCUMENTS IN THE 5G ECOSYSTEM 18 3.1 METHODOLOGY FOR THE ASSESSMENT OF COVERAGE 18 3.2 CONSOLIDATED RESULTS 18 4.IDENTIFICATION OF GAP
13、S IN STANDARDISATION 21 4.1 METHODOLOGY FOR THE IDENTIFICATION OF GAPS IN THE EXISTING LITERATURE 21 4.2 ASSESSMENT OF COVERAGE AND IDENTIFICATION OF GAPS IN STANDARDISATION 21 4.3 OVERVIEW OF GAPS BY SECURITY DOMAIN 27 4.4 OBSERVATIONS ON THE GAPS IN STANDARDISATION 29 4.5 ADDITIONAL LEARNINGS AND
14、OBSERVATIONS 29 5.RECOMMENDATIONS 31 5.1 ADOPT A PROGRESSIVE APPROACH TO 5G STANDARDISATION 31 5.2 HAVE A BROADER VIEW ON THE CREATION OF NEW REFERENCES 31 5G CYBERSECURITY STANDARDS March 2022 4 5.3 FOSTER THE MATURITY AND THE COMPLETENESS OF THE IDENTIFICATION AND ASSESSMENT OF RISK 31 5.3.1 ENISA
15、s methodology for sectoral cybersecurity assessment 32 5.4 FINAL OBSERVATIONS 32 6.BIBLIOGRAPHY 33 A.1 DOCUMENT TYPOLOGIES DEFINED BY THE EU REGULATION 37 A.2 DOCUMENT TYPOLOGIES DEFINED BY ISO 37 A.3 REFERENCING THE 5G TECHNICAL AND FUNCTIONAL DOMAINS 39 A.4 REFERENCING THE STAKEHOLDERS 39 A.5 REFE
16、RENCING THE EXISTING LITERATURE 42 A.6 DETAILED MAPPING 50 D1-GOVERNANCE AND RISK MANAGEMENT 51 SO 1-Information security policy 51 SO 2-Governance and risk management 52 SO 3-Security roles and responsibilities 53 SO 4-Security of third-party dependencies 53 D2 -HUMAN RESOURCES SECURITY 55 SO 5-Bac
17、kground checks 55 SO 6-Security knowledge and training 56 SO 7-Personnel changes 57 SO 8-Handling violations 57 D3 -SECURITY OF SYSTEMS AND FACILITIES 58 SO 9-Physical and environmental security 58 SO 10-Security of supplies 60 SO 11 Access control to network and information systems 61 SO 12-Integri
18、ty of network and information systems 63 SO 13-Use of encryption 64 SO14-Protection of security critical data 65 D4-OPERATIONS MANAGEMENT 66 SO 15-Operational procedures 66 SO 16-Change management 66 SO 17-Asset management 68 D5 INCIDENT MANAGEMENT 69 SO 18-Incident management procedures 69 SO 19-In
19、cident detection capability 70 SO 20-Incident reporting and communication 71 D6-BUSINESS CONTINUITY MANAGEMENT 72 SO 21-Service continuity strategy and contingency plans 72 5G CYBERSECURITY STANDARDS March 2022 5 SO 22-Disaster recovery capabilities 73 D7-MONITORING,AUDITING AND TESTING 74 SO 23-Mon
20、itoring and logging policies 74 SO 24-Exercise contingency plans 75 SO 25-Network and information systems testing 76 SO 26 -Security assessments 77 SO 27-Compliance monitoring 78 D8-THREAT AWARENESS 79 SO 28-Threat intelligence 79 SO 29 -Informing users about threats 80 5G CYBERSECURITY STANDARDS Ma
21、rch 2022 6 EXECUTIVE SUMMARY The ambition of this report is to outline the contribution of standardisation to the mitigation of technical risks,and therefore to trust and resilience,in the 5G ecosystem.The 5G ecosystem considered in this report is a multi-dimensional space encompassing not only tech
22、nological and functional domains,but also the related technology lifecycle processes and stakeholders.This report focuses on standardisation from a technical and organisational perspective.Considerations of the effectiveness of specific standards and of the strategic aspects related to 5G security,a
23、lthough important,are outside the scope of this report.Accordingly,this report:Collects standards,specifications and guidelines1 relevant to the cybersecurity of the 5G ecosystem that had been published,either as drafts or in their final versions,by September 2021;Positions them within the defined 5
24、G ecosystem by assessing the extent to which they address security objectives;Identifies gaps in standardisation by comparing the existing literature against an ideal situation of cybersecurity robustness and resilience,where standardisation addresses the necessary technical and organisational secur
25、ity aspects;Formulates recommendations on standardisation in the area of 5G cybersecurity.The report collects and analyses more than 140 documents and positions them across 150 security measures.The main observations that can be derived from the analysis are the following.All in all,available standa
26、rds,specifications and guidelines are general.They can be applied consistently to the 5G technical and functional domains and related lifecycle processes only after being tailored accordingly.5G-specific standards,specifications and guidelines are available to a greater extent to the stakeholders of
27、 the telecommunication sector than for other stakeholders(e.g.audit organisations and stakeholders in the connected devices industry).5G-specific standards,specifications and guidelines cover to a greater extent the run phase of a technology lifecycle,whereas other phases would need tailoring.Existi
28、ng knowledge bases on cybersecurity threats and IT-security guidelines can be used for 5G cloud native architectures and architectures relying on APIs(Application Programming Interface).Although these families of software are well known to the IT industry,their use is quite recent and constitute dri
29、vers of the cloudification of the telecom sector.The existing literature does not allow for end-to-end trust and resilience in the 5G ecosystem.For example,guidelines for 5G-specific tools and key performance indicators could be needed to ensure a common understanding of 5G protection and of end-to-
30、end trust and resilience.Concerning gaps in standardisation,the report finds that only the areas of governance and risk management as well as the security of human resources present moderate gaps e.g.related to sector-specific risk management.The other areas considered(e.g.operations management,1 Se
31、ction 2.2 explains the taxonomy used by the document.For convenience the report refers to all considered documents alternatively as standards,specifications,guidelines,existing literature,reference documents.5G CYBERSECURITY STANDARDS March 2022 7 business continuity management and incident manageme
32、nt)present major gaps in standardisation.Still,this report recommends the adoption of a progressive approach to 5G standardisation,which should consider several elements such as the usefulness and necessity of new standards and their link with strategic objectives.It also notes the importance of fos
33、tering the maturity and the completeness of the identification and assessment of risk by harmonising risk assessment practices in a way that is inclusive of all stakeholders in the 5G ecosystem.Finally,this report stresses that,while the technical and organisational standards analysed can contribute
34、 to the security of 5G,they should not be treated as an exhaustive list of measures guaranteeing security.There are risks that are not covered by standards,for example residual risks whose cost is neither borne by nor attributable to a specific stakeholder,such as societal risks resulting from netwo
35、rk malfunctions.Indeed,the complexity of 5G calls for a comprehensive vision of trust and of resilience that goes beyond standardisation.This vision should be future-proof and not dependent on the variability of assets and configurations in the network.5G CYBERSECURITY STANDARDS March 2022 8 1.INTRO
36、DUCTION 1.1 DOCUMENT PURPOSE AND OBJECTIVES The ambition of this document is to outline the contribution of standardisation to the mitigation of technical risks,and therefore to trust and resilience,in the 5G ecosystem.Accordingly,the objectives of the document are:to provide an overview of standard
37、s,specifications and guidelines2 relevant to the cybersecurity of the 5G ecosystem and that had been published,either as drafts or in their final versions,by September 2021;to facilitate the positioning and to assess the applicability of any reference document in the 5G security environment;to formu
38、late recommendations on standardisation in the area of 5G security.The document focuses on standardisation from a technical and organisational perspective.Considerations of the effectiveness of specific standards and of the strategic and policy aspects related to 5G security,although important,are o
39、utside the scope of this report.Note on the relation to other on-going work on 5G cybersecurity carried out by ENISA:this report is not intended to pre-conceive any work related to the drafting of the European cybersecurity certification candidate scheme on 5G networks.1.2 OVERVIEW AND STRUCTURE OF
40、THE STUDY Businesses and institutions participate in several activities concerning 5G networks and 5G-dependent processes:their design,construction,operation,introduction to the market,use,audit and even certification.Altogether,with various degrees of importance,they contribute to the Digital Singl
41、e Market.The EU Cybersecurity Strategy3,published in 2020,reinstates the importance of trust and resilience in the Union,to be sustained in the long run for societal purposes and at a systemic scale.Therefore,cybersecurity risks and the capabilities for their mitigation need to be considered also fr
42、om a systemic perspective.To this end,the analysis proposed in the report is based on a 5G Ecosystem defined as a multi-dimensional space comprising not only 5G technological and functional domains but also the related technology lifecycle processes and stakeholders.The conceived ecosystem is also u
43、nderpinned by a security dimension.The ecosystem and its components are described in detail in Section 2 Scope,Definitions and Conventions.After having defined the 5G Ecosystem,the document:collects existing cybersecurity standards,specifications and guidelines,and positions them within the defined
44、5G ecosystem(Section 3 Positioning and Assessment of Reference Documents in the 5G Ecosystem);identifies gaps in standardisation by comparing the existing literature against an ideal situation of cybersecurity robustness and resilience,where standardisation addresses the necessary technical and orga
45、nisational security aspects;and(Section 4 Identification of Gaps in Standardisation).2 Section 2.2 explains the taxonomy used by the document.For convenience the report refers to the documents analysed as,alternatively,reference documents,references,existing literature or standards,specifications,gu
46、idelines.3 https:/ec.europa.eu/commission/presscorner/detail/en/IP_20_2391 5G CYBERSECURITY STANDARDS March 2022 9 formulates recommendations on standardisation in the area of 5G cybersecurity(Section 5 Recommendations).1.3 TARGET AUDIENCE AND PREREQUISITES This work is intended for the stakeholders
47、 in the 5G ecosystem,in particular standardisation working groups,industry stakeholders and national cybersecurity agencies across the European Union.The reader is invited to get familiar with the concepts of information security risk management as documented in the ISO/IEC 27005 international stand
48、ard,as well as the concepts developed in the following documents:ENISA,Guideline on Security Measures under the EECC,2020,ENISA,5G Supplement to the Guideline on Security Measures under EECC,2021,ENISA,Threat Landscape for 5G Networks,2019,ENISA,Security in 5G Specifications,2021,ENISA,EU Coordinate
49、d Risk Assessment of 5G Networks Security,2019,ENISA,Methodology for Sectoral Cybersecurity Assessments,2021.An overview of the standardisation organisations active in 5G is contained in ENISA report Security in 5G specifications4.4 https:/www.enisa.europa.eu/publications/security-in-5g-specificatio
50、ns 5G CYBERSECURITY STANDARDS March 2022 10 2.SCOPE,DEFINITIONS,AND CONVENTIONS This section provides the concepts and definitions used to build the 5G Ecosystem introduced in Section 1.2 Overview and Structure of the Study.This ecosystem provides a methodological framework in which it is possible t
51、o locate the standards,the specifications and the guidelines relevant for a given stakeholder group,at a given step of the technology lifecycle,for a given block of the 5G technical architecture.2.1 THE 5G ECOSYSTEM As introduced in section 1.2 Overview and Structure of the Study,the 5G ecosystem is
52、 composed of the following dimensions.Figure 1:The dimensions of the 5G ecosystem Building blocks of the 5G Ecosystem Definitions 5G Technological and functional domains Essential functions of 5G networks and the related supporting asset categories,representing 5G technical components and the scope
53、of their interactions.Technology lifecycle processes Processes applied to the lifecycle of 5G services and of 5G-dependent vertical industrial processes.5G Stakeholders Entities(either public or private)that are related to 5G networks and vertical industries.5G Security domains,objectives and measur
54、es Security dimension of the 5G ecosystem,represented through the security domains,objectives and measures of the ENISA Guideline on Security Measures under the EECC and its 5G supplement.2.1.1 5G technological and functional domains The current section outlines the essential functions of 5G network
55、s and the related categories of supporting assets considered in this report.The 5G technological and functional domains considered are largely based on the set of planes,functional blocks and process blocks of the widely acknowledged representation of the generic 5G architecture depicted in the ENIS
56、A report ENISA Threat Landscape for 5G Networks Updated 2020,which in turn relies on the architecture of the 3GPP Technical Specification 23.502(Release 16).They have been selected because they offer a synthetic overview of 5G technology and 5G-related processes.For the purpose of this study,only th
57、e major blocks depicted in Figure 2 have been considered.5G CYBERSECURITY STANDARDS March 2022 11 Figure 2:The 5G technological and functional domains as represented in ENISA Threat Landscape for 5G Networks Updated 2020 Figure 3:The 5G technological and functional domains considered by the current
58、study G Technical and functional domains Definition 5G Use Cases End-to-end services based on 5G,characterised by how they use and/or transmit data.Example:Vehicle-to-everything,eMBB,mMTC,URLLC.Multi Access Edge Computing(MEC)Services Multi-access computing services used to bring computation and con
59、nectivity closer to the end-user in order to meet the requirements for data transmission speed and latency.Physical infrastructure Set of premises including hardware and software for computation,storage,transmission,as well as the related technical environment(energy,air conditioning,cable paths,civ
60、il works infrastructures,etc.).Virtualised Infrastructure Computing,storage and networking capacities on demand.Radio Access Network(RAN)Logical and hardware components making up the functions of the radio access network.It includes mainly distribution units and control units for radio access.Multi
61、Access Edge Computing(MEC)Infrastructure Infrastructure related to the decentralisation of cloud functions(storage of data and computing)located closer to the user or edge device.5G Core Network,Network Function(CN NF)Central part of the 5G infrastructure which enables new functions related to multi
62、-access technologies.Its main 5G CYBERSECURITY STANDARDS March 2022 12 purpose is to deliver services over all kinds of networks(wireless,fixed,converged).Data Network(DN)Connectivity to external data,content,services and other resources available outside the 5G network.The data network is also used
63、 to interconnect different 5G networks,operators and providers.Transport Part of the network ensuring the connectivity between the access and core networks.Management and Orchestration(MANO)Software,operations tools and the related environment used to automate operations that relate to the lifecycle
64、 of the infrastructure and service components.2.1.2 Technology lifecycle processes Lifecycle processes can be regarded as the heartbeat of all activities based on digital technologies.This section defines the scope of the technology lifecycle processes considered in the 5G ecosystem.They are the pro
65、cesses related to the lifecycle of 5G services and of 5G-dependent vertical industries.To keep the analysis simple,the methodology selects some of the processes listed in GSMA,GSMA FS.16-NESAS Development and Lifecycle Security Requirements v2.0,2021.Such processes are considered in a technology env
66、ironment including(but not limited to):5G technologies given their underlying technological bricks from cloud-native and service-based architectures,their orchestration and their automation,their components running on top of virtualised infrastructures requiring orchestration and automation.The cons
67、idered processes encompass the phases shown in Figure 4 below.Figure 4:The phases of the technology lifecycle processes considered in the 5G ecosystem Phase Definition Think All activities related to the design of a service,the design principles of an infrastructure,as well as the study of their tec
68、hnological and operational options.The main deliverables of this phase are(for example)anticipation studies,benchmarks,opportunity studies,high-level designs and initial risk assessments.Build All activities that prepare and execute the building phase of a service,including the integration of the so
69、ftware parts,connectivity,application interfaces,data flows and related protocols.When security is integrated within the Build process,the corresponding milestones consist in checking the robustness of the architecture,its attack surface and updating the risks accordingly.Test All activities that ve
70、rify the compliance with specifications,robustness or resilience prior or after the go-live phase,also including auditing at any phase of the lifecycle.Run All activities including the continuous delivery of services,performance and fault management,problem management,customer support,etc.Update Act
71、ivities that relate to the process also referred to as Transition,consisting in identifying capacity needs,requirements for software updates,patch installation,needs for robustness,adjustments to software and equipment 5G CYBERSECURITY STANDARDS March 2022 13 configurations,and the on-demand provisi
72、oning capabilities when a customer purchases a service.End of Life The sequence of steps towards decommissioning or the end of the lifecycle of a service component.In this context,it is to be noted that the lifecycle processes apply to a variety of areas and stakeholders beyond 5G products alone.The
73、se lifecycle processes are applicable to systems other than 5G products,such as IT systems used to operate,test,orchestrate,automate,and develop service bricks.The figure below is an example showing where security steps can be implemented in the lifecycle processes to enable robustness and resilienc
74、e from an end-to-end perspective.Figure 5:Representation of the lifecycle processes considered in the 5G ecosystem 2.1.3 5G Stakeholders The 5G ecosystem relies on several stakeholders that play different roles in its security at different levels.The set of stakeholders selected for this document fo
75、cuses on entities(either public or private)that are related to 5G networks and vertical industries.The set has been adapted from the EU Coordinated Risk Assessment on 5G Networks Security and the ENISA Threat Landscape for 5G Networks Updated(2020),as they encompass both the stakeholders and their r
76、ole with regards to 5G.They are depicted in the following table.Figure 5:The categories of the 5G stakeholders considered in the 5G ecosystem Stakeholder category Definition 5G Service customer or consumer Entities that use services that are offered by a service provider(SP):in the context of 5G,the
77、se would be,for example,vertical industries and their private networks.In addition,consumers of 5G services without a business-relation with a 5G service provider(for example,end users)are included in this category.This category may implement standards,specifications and guidelines to achieve the se
78、curity objectives for the safe use,deployment and operation of 5G networks and/or services.5G CYBERSECURITY STANDARDS March 2022 14 Telecommunications sector(Telecom)This category encompasses entities that are responsible for the manufacture,deployment and operation of 5G networks,such as:Mobile Net
79、work Operators(MNOs):entities providing mobile network services to users,operating their own network,if necessary with the help of third parties Suppliers of mobile networks:entities providing services or infrastructure to MNOs in order to build and/or operate their networks(both telecom equipment m
80、anufacturers and other third-party suppliers,such as cloud infrastructure providers and network infrastructure providers and managed services providers)Service providers(SP):entities that design,build and operate services using aggregated network services.Examples include communication service provi
81、ders offering traditional telecom services,digital service providers offering digital services such as enhanced mobile broadband and IoT to various vertical industries,or network slice as a service(NSaaS)providers offering a network slice along with the services that it may support and configure.Vir
82、tualisation infrastructure service providers(VISP):entities that provide virtualised infrastructure services and design,build,and operate virtualisation infrastructure(s).The infrastructure comprises networking(e.g.for mobile transport)and computing resources(e.g.from computing platforms).This categ
83、ory may implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and operation of 5G networks and/or services.Datacentre services providers(DCSP)Entities that provide data centre services and that design,build and operate their data centres.A D
84、CSP differs from a VISP by offering raw resources(i.e.host servers)in rather centralised locations and simple services for consumption of these raw resources.A VISP rather offers access to a variety of resources by aggregating multiple technology domains and making them accessible through a single A
85、PI.This category may implement standards,specifications and guidelines to achieve the security objectives for the safe use,deployment and operation of 5G networks and/or services.Connected devices industry This category includes manufacturers of connected devices and related service providers,meanin
86、g entities providing objects or services that will connect to 5G networks(e.g.smartphones,connected vehicles,e-health)and related service components hosted in a 5G control plane as defined in a service-based architecture or mobile edge computing.This category may implement standards,specifications a
87、nd guidelines to achieve the security objectives for the safe use,deployment and operation of 5G networks and/or services.Cybersecurity assessment This category includes entities that assess the security of 5G networks and systems e.g.auditing companies and accredited 5G laboratories.This category a
88、udits the implementation of standards,specifications and guidelines.Cybersecurity information exchange This category includes entities that share threat intelligence and incident-related information,for example information sharing and analysis centres(ISACs)and cyber security incident response teams
89、(CSIRTs).5G CYBERSECURITY STANDARDS March 2022 15 This category may implement standards,specifications and guidelines to securely exchange cyber-intelligence.Standards development organisations(SDOs),associations,alliances This category encompasses entities that develop and promote the adoption of s
90、tandards,specifications and guidelines,for example,GSMA and 3GPP.Research and innovation organisations This category encompasses entities contributing to R&D and innovation tasks related to all kinds of innovative actions in areas related to 5G,including verticals.It also includes open source organi
91、sations or communities providing technological support and guidance in the development of 5G functions and services,as well as public-private partnerships and innovation programmes.This category exposes gaps in standardisation and creates innovations that can lead to advancements in standardisation
92、by acting as starting points of new standards,specifications and guidelines.Explanatory notes:5G vertical industries working at the Think phase of the lifecycle have been included in the category Research and innovation organisations.5G vertical industries using 5G services have been considered as s
93、ervice customers,whereas verticals delivering services to the customers in their own sector have been considered as service providers.Open-source organisations have been included in the category Research and innovation organisations when considered for their development activities at the Think phase
94、 of the lifecycle.They have been included in the category Suppliers of MNOs when considered for their support to technologies in production.2.1.4 5G Security domains,objectives and measures This section outlines the security dimensions of the 5G ecosystem used in this report.In the absence of an equ
95、ally comprehensive framework,the report uses the security domains,objectives and measures found in the ENISA Guideline on Security Measures under the EECC and its 5G supplement.The former concern security in general,the latter concern 5G.Although they target mainly operators,the domains and measures
96、 set out in the documents above have been used as an analytical framework.Still,it is important to stress that the security measures used are not to be considered as the totality of the measures necessary for the mitigation of cybersecurity risks in 5G.Security objectives and measures could be added
97、 for any sectoral risk assessment covering a subset of the 5G ecosystem.The table below shows the security domains and objectives taken into consideration.The mapping of the reference documents is further broken down into security measures in Annex 6 Detailed mapping.Figure 6:Security domains and ob
98、jectives in the Guideline on Security Measures under EECC and its 5G Supplement Security domains(D)Security objectives D1 Governance and risk management Information security policy Governance and risk management Security roles and responsibilities Security of third-party dependencies D2 Human resour
99、ces security Background checks Security knowledge and training Personnel changes 5G CYBERSECURITY STANDARDS March 2022 16 Handling violations D3 Security of systems and facilities Physical and environmental security Security of supplies Access control to network and information systems Integrity of
100、network and information systems Use of encryption Protection of security critical data D4 Operations management Operational procedures Change management Asset management D5 Incident management Incident management procedures Incident detection capability Incident reporting and communication D6 Busine
101、ss continuity management Service continuity strategy and contingency plans Disaster recovery capabilities D7 Monitoring,auditing,and testing Monitoring and logging policies Exercise contingency plans Network and information systems testing Security assessments Compliance monitoring D8 Threat awarene
102、ss Threat intelligence Informing users about threats 2.2 TAXONOMY OF DOCUMENTS CONSIDERED To facilitate the analysis,this report relies on a taxonomy comprising three categories of documents.Each of the documents considered is assigned to one of the categories below,according to its related definiti
103、on:Standard:a technical specification,adopted by a recognised standardisation body,for repeated or continuous application,with which compliance is not compulsory5.The standards considered are documents produced by a standardisation body(international,national or European),and whose content include(b
104、ut is not limited to)requirements,principles,description of frameworks or processes and codes of practice.ICT Technical specification:a technical specification in the field of information and communication technologies6.ICT technical specifications are referred in this document as specifications.Gui
105、delines and Best Practices:documents that explain,interpret and simplify standards or standardisation deliverables.These can include user guides,abstracts of standards,best practice information and awareness-building actions,strategies,and training programmes7.For convenience,the report refers to th
106、e documents analysed as,alternatively,reference documents,references,existing literature or standards,specifications and guidelines.5 Standardisation bodies as defined by Regulation(EU)No 1025/2012,2012),Article 2 paragraph(1)6 Understood as ICT technical specification as defined by Regulation(EU)No
1025/2012 (2012), Article 2, paragraph (5).
[7] Definition adapted from Regulation (EU) No 1025/2012 (2012), Chapter IV, Article 15, paragraph 1, Alinea (f). The reference to European standards and standardisation deliverables has been deleted as the current report refers also to non-European documents.

Although these categories have been identified solely for the purpose of the study, they are based on the EU Regulation on European standardisation (Regulation (EU) No 1025/2012, 2012) and on the definitions of the International Standardisation Organisation (ISO). A reminder of the exact definitions is given in Annexes 1 and 2 on the taxonomy for standards.

Cybersecurity standards provide an important range of contents: requirements applicable to ICT-related domains of technology or processes, requirements for management systems, and frameworks and guidelines on security controls, i.e. about what to do. In turn, the reference documents that help with implementation, i.e. how to do things, relate to specifications, guidelines, and best practices.

The documents analysed in this report are listed in Annex 5 Referencing the Existing Literature. An important part of the 5G-related documents in this study are referenced from the ENISA report Security in 5G Specifications (2021).

3. POSITIONING AND ASSESSMENT OF REFERENCE DOCUMENTS IN THE 5G ECOSYSTEM

3.1 METHODOLOGY FOR THE ASSESSMENT OF COVERAGE

This section provides the methodology used to position existing standards, specifications and guidelines in the 5G ecosystem and to assess the extent to which they address the 5G security environment. It consists of the following steps:

- Using ENISA's literature and the complementary knowledge of the Expert Group missioned for this study, relevant documents are sampled and grouped into
consistent clusters (shorthand) made up of a selection of standards, specifications, and guidelines. The documents analysed are listed in Section 6 Bibliography.
- These clusters are mapped against each security domain, objective and measure of the 5G ecosystem as described in Section 2.1.4 5G Security domains, objectives and measures.
- The relevance and the completeness of the clusters are then analysed from the perspectives of the three remaining dimensions of the 5G ecosystem, that is its stakeholders (Section 2.1.3 5G Stakeholders); its technical and functional domains (Section 2.1.1 5G technological and functional domains); and the related technology lifecycle processes (Section 2.1.2 Technology lifecycle processes).

The results of the mapping and of the assessment are described in Annex 6 Detailed Mapping. A summarised version is contained in Section 3.2 Consolidated Results.

3.2 CONSOLIDATED RESULTS

The detailed analysis underlying this report concerns more than 150 security measures and more than 140 documents which were identified and selected from the available literature. This detailed and in-depth analysis is provided in Annex 6 Detailed Mapping. Given the volume of information and the level of detail, the current section only contains a summary table, representing the consolidated findings by security domain. A high-level assessment of the extent to which the analysed literature addresses a given security domain for each of the dimensions of the 5G ecosystem (i.e. stakeholders, technological and functional domains, and technology lifecycle processes) is also provided.

Some details may not be obvious in the consolidated results. For example, "All" under the column Coverage of Stakeholders means that the literature analysed is considered relevant for every entity in the ecosystem. The specific degree or depth of relevance for each category of stakeholders, technological and functional domains, and technology lifecycle processes is tackled in the detailed mapping.

Figure 7: Summary of the coverage of existing literature by security domain

Columns: Security domain; Taxonomy of applicable documents; Coverage of the dimensions of the 5G ecosystem (Stakeholders / 5G technological and functional domains / Technology lifecycle processes); Observations.

D1 Governance and risk management
  Taxonomy: Standards
  Coverage: Stakeholders: All; Technological and functional domains: All; Technology lifecycle processes: All
  Observations: The documents referred to are, to some extent, relevant to all dimensions of the 5G ecosystem. However, they are not specific to 5G. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes. Such an effort requires skills and expertise. Furthermore, fragmentation in implementation should be avoided.

D2 Human resources security
  Taxonomy: Standards
  Coverage: Stakeholders: All; Technological and functional domains: All; Technology lifecycle processes: All
  Observations: The documents referred to are, to some extent, relevant to all dimensions of the 5G ecosystem. However, they are not specific to 5G. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes. Such an effort requires skills and expertise. Furthermore, fragmentation in implementation should be avoided.

D3 Security of systems and facilities
  Taxonomy: Standards, Specifications, Guidelines
  Coverage: Stakeholders: Telecommunications sector, DCSPs; Technological and functional domains: All; Technology lifecycle processes: Run
  Observations: Although general, the documents referred to are especially relevant for the telecommunications sector and DCSPs. Also, they are relevant to all technological and functional domains. They can be tailored with minimal effort to a 5G-specific context in the Run phase. Tailoring to the Think and Build phases would require significant effort by the stakeholders.

D4 Operations management
  Taxonomy: Specifications
  Coverage: Stakeholders: Telecommunications sector; Technological and functional domains: All; Technology lifecycle processes: Run
  Observations: The documents referred to are not specific to 5G, although especially relevant for the telecommunications sector. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes (at the Think and Build phases). Such an effort requires skills and expertise. Furthermore, fragmentation in implementation should be avoided.

D5 Incident management
  Taxonomy: Standards
  Coverage: Stakeholders: Telecommunications sector; Technological and functional domains: All; Technology lifecycle processes: Run
  Observations: The documents referred to are not specific to 5G, although especially relevant for the telecommunications sector. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes (at the Think and Build phases). Such an effort requires skills and expertise. Furthermore, fragmentation in implementation should be avoided.

D6 Business continuity management
  Taxonomy: Standards
  Coverage: Stakeholders: Telecommunications sector; Technological and functional domains: All; Technology lifecycle processes: Run
  Observations: The documents referred to are not specific to 5G, although especially relevant for the telecommunications sector. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes (at the Think and Build phases). Such an effort requires skills and expertise. Furthermore, fragmentation in implementation should be avoided.

D7 Monitoring, auditing, and testing
  Taxonomy: Standards
  Coverage: Stakeholders: Telecommunications sector; Technological and functional domains: All; Technology lifecycle processes: Run
  Observations: The documents referred to are not specific to 5G, although especially relevant for the telecommunications sector. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes (at the Think and Build phases). Such an effort requires skills and expertise. Furthermore, fragmentation in implementation should be avoided.

D8 Threat awareness
  Taxonomy: Guidelines
  Coverage: Stakeholders: Telecommunications sector; Technological and functional domains: All; Technology lifecycle processes: Run
  Observations: The documents referred to are not specific to 5G, although especially relevant for the telecommunications sector. To get their full value, each stakeholder category would need to put in a significant effort to tailor them to the relevant 5G technical and functional domains and technology lifecycle processes (at the Think and Build phases). Such an effort requires practice. Furthermore, fragmentation in implementation should be avoided.

4. IDENTIFICATION OF GAPS IN STANDARDISATION

4.1 METHODOLOGY FOR THE IDENTIFICATION OF GAPS IN THE EXISTING LITERATURE

This section presents the existing literature addressing each security domain in accordance with Section
2.1.4 5G Security domains, objectives and measures, from the perspective of the stakeholder considered in accordance with Section 2.1.3 5G Stakeholders, and points to the areas partly covered by existing literature as well as those covered to a limited extent or not at all. The identification of these areas relies on expert assessment by the authors of this report. They have assessed the extent to which the existing literature addresses an ideal situation where 5G technical and organisational cybersecurity risks are mitigated and adequate controls to ensure security are performed thanks to available standards, specifications, and guidelines. This is therefore the reference against which gaps in standardisation have been identified.

4.2 ASSESSMENT OF COVERAGE AND IDENTIFICATION OF GAPS IN STANDARDISATION

The assessment of the coverage of the standards, specifications and guidelines considered, as well as the identification of the gaps in standardisation, is conveyed in the form of a table (Figure 9), which follows the colour coding below:

Figure 8: Colour coding for the representation of the gaps

Colour code: Definition
- Existing literature: The green cells show the existing literature addressing each security domain from the perspective of the stakeholder considered.
- Moderate gap: The yellow cells indicate the areas where moderate gaps in standardisation have been identified. A gap is identified as moderate when the existing literature addresses the domain partly, meaning that a moderate effort would be required to bridge that gap.
- Major gap: The orange cells indicate the areas where major gaps in standardisation have been identified. A gap is identified as major when the existing literature does not address the domain (or only to a limited extent), meaning that a major effort would be required to bridge that gap.
- No gap / Not relevant: The cells that are not coloured indicate areas where no gaps have been identified or only those that are not relevant for the stakeholder. For research and innovation organisations, gaps are intended as areas where further work by these organisations is required.

For every domain, the table (Figure 9) identifies between brackets the relevant literature as grouped by the shorthand in Annex 5 Referencing the existing literature, reproduced below for convenience.

Figure 9: Reference shorthand (each shorthand indicates the areas covered by the selection of documents)

Shorthand: Selection of documents concerning
- ISOIEC27K: ISO/IEC 27K series
- ISOIEC20K: IT services process map
- SUPPLSEC: Security of suppliers
- POLTEMPLATES: Build security policies
- RM: Cybersecurity risk management
- ENISATL: ENISA works related to threats
- SP800HR: Security related to human resources
- IAM: Identity and access management
- DEVSECOPS: Security in the IT lifecycle
- 3GPP-All: 3GPP technical specifications
- NFVSEC: Security of network functions virtualisation
- eUICC: Security in the eUICC domain
- CRYPTOTECH: Use of cryptographic techniques
- PHYSEC: Physical and environmental security
- HARDEN: Technical robustness
- VULN: Management of vulnerabilities
- THREATMOD: Threat modelling and security monitoring
- SECASSUR: Security assurance and related guidelines
- AUDIT: Audit planning and assessment
- BCM: Organisational and technical resilience

Figure 10: Assessment of coverage and evaluation of gaps in standardisation

Stakeholders (table columns): 5G Service customer or consumer; Telecom sector; Datacentre Services Providers; Connected devices industry; Cybersecurity assessment stakeholders; Cybersecurity information exchange stakeholders; Research and innovation organisations*. Cell contents are given in reading order, separated by "|"; a cell spanning several columns is listed once.

Role in standardisation: Implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services | Audit the implementation of standards, specifications and guidelines | Implement standards, specifications and guidelines to securely exchange cyber-intelligence | Expose gaps in standardisation and create innovations that can lead to advancements in standardisation, by acting as starting points for new standards, specifications and guidelines

D1 Governance and risk management
  Existing literature addressing the domain: ISOIEC27K, ISO20K, RM, SP800HR, ENISATL, ISOIECSUPPL, POLTEMPLATES | SECASSUR | RM | RM | NFVSEC | DEVSECOPS, HARDEN
  Moderate gap (areas partly covered by existing literature): Sector-specific governance and risk management; Sector-specific risk register; Sector-specific ISMS and PIMS implementation; 5G risk assessment by third parties; Processes for cross-border information exchange to share best practices in governance and risk management

D2 Human resources security
  Existing literature addressing the domain: SP800HR, IAM | SP800HR | SP800HR | ISOIEC27K, SP800HR, IAM
  Moderate gap (areas partly covered by existing literature): Vertical-specific educational security content, specifying awareness programmes and training contents, e.g. MOOCs, serious games services (note: area that might be addressed by soft measures, not standards); Evaluation methods of human resources management processes; Cross-border process for the exchange of information (e.g. best practices) on the security of human resources; Vertical-specific educational security content, specifying awareness programmes and training contents, e.g. MOOCs, serious games services*

D3 Security of systems and facilities
  Existing literature addressing the domain: PHYSEC, IAM, 3GPP-All, SECASSUR, CRYPTOTECH, NFVSEC, eUICC | AUDIT, SECASSUR | DEVSECOPS, eUICC, CRYPTOTECH
  Moderate gap (areas partly covered by existing literature): Robust configuration and deployment of 5G vertical use cases; Robust configuration of 5G micro services and automation; Security of RAN, Open RAN, ONAP; Methods for evaluating the security of 5G verticals; Methods for evaluating the robustness of the configuration of 5G micro services and automation; Testbeds environments and tools*
  Major gap (areas not covered, or covered to a limited extent, by existing literature): Information security requirements applicable to vendors of 5G solutions sourcing contracts; Automation of robust configurations and deployment; Audits of the security of orchestration and micro-services (note: area that might be addressed by soft measures, not standards)

D4 Operations management
  Existing literature addressing the domain: Standards ISO20K, RM, NFVSEC | Standards ISO20K, RM, AUDIT | DEVSECOPS
  Moderate gap (areas partly covered by existing literature): High-level requirements for 5G-specific cloud-native and edge deployments; Operations and security practices concerning firmware, data aggregation and related components; Third party risk assessment of 5G operations
  Major gap (areas not covered, or covered to a limited extent, by existing literature): Requirements to implement the whole lifecycle of 5G-specific cloud-native and edge deployments, such as centralised management of certificates, interoperable automation and orchestration, serverless environments; Automated security evaluation for industrial IoT; Testbeds environments and tools*

D5 Incident management
  Existing literature addressing the domain: ISOIEC20K, ISOIEC27K, BCM, AUDIT | THREATMOD, NFVSEC | ISOIEC20K, ISOIEC27K, BCM, AUDIT | ISOIEC20K, ISOIEC27K, BCM, AUDIT | DEVSECOPS
  Moderate gap (areas partly covered by existing literature): Typologies of scenarios for 5G-specific, end-to-end incident management, including severity criteria and thresholds for incidents in a 5G context; Evaluation methods for the investigation of incidents and the chain of custody for evidence; Typologies of scenarios for 5G-specific, end-to-end incident management, including severity criteria and thresholds for incidents in a 5G context; Processes for cross-border information exchange to share best practices in incident response
  Major gap (areas not covered, or covered to a limited extent, by existing literature): Automated incident response in a 5G context; Evaluation methods for the performance of automated incident response

D6 Business continuity management
  Existing literature addressing the domain: ISOIEC27K, VULN, BCM | ISOIEC27K, VULN, BCM, AUDIT | ISOIEC27K, BCM, AUDIT
  Moderate gap (areas partly covered by existing literature): 5G-specific business impact analysis; Methodology to assess ICT readiness; 5G-specific disaster recovery; Processes for cross-border information exchange to share best practices in business continuity
  Major gap (areas not covered, or covered to a limited extent, by existing literature): Technical disaster recovery plans for 5G functions and orchestration; Methods for evaluating the ICT readiness for business continuity

D7 Monitoring, auditing and testing
  Existing literature addressing the domain: VULN, HARDEN, THREATMOD, DEVSECOPS |
AUDIT | DEVSECOPS
  Moderate gap (areas partly covered by the existing literature): Evaluation methods for monitoring capabilities; Evaluation methods for the capabilities of automated testbeds; Process for the cross-sector exchange of information in the area of sharing best practices for monitoring, auditing and testing
  Major gap (areas not covered, or covered to a limited extent, by existing literature): 5G-specific log sources; Event correlation for 5G end-to-end services and roaming

D8 Threat awareness
  Existing literature addressing the domain: Knowledge base of risk sources, attack methods, best practices of incident playbooks | THREATMOD, ISOIEC27K, RM, SECASSUR | THREATMOD | THREATMOD | DEVSECOPS, eUICC, CRYPTOTECH
  Moderate gap (areas partly covered by the existing literature): Typologies of threats for 5G verticals applicable to RAN/Open RAN, APIs, ONAP, and cloud native technology; Evaluation methods for the capabilities and effectiveness of threat intelligence and threat hunting; Process for the cross-sector exchange of information in the area of sharing threat intelligence; Prerequisites for standards: new specifications, testbeds environments and tools
  Major gap (areas not covered, or covered to a limited extent, by existing literature): Automatic remediation playbooks

* Note: For research and innovation organisations, gaps are intended as areas where further work by these organisations is required.
Note: area that might be addressed by soft measures, not standards.

4.3 OVERVIEW OF GAPS BY SECURITY DOMAIN

The gaps identified in the previous table can be summarised as follows:

D1 Governance and risk management
  Moderate gaps: Sector-specific governance and risk management; Sector-specific risk register; Sector-specific ISMS and PIMS implementation; 5G risk assessment by third parties; Processes for cross-border information exchange to share best practices in governance and risk management

D2 Human resources security
  Moderate gaps: Vertical-specific educational security content, specifying awareness programmes and training contents, e.g. MOOCs, serious games services (note: area that might be addressed by soft measures, not standards); Methods for evaluating the management processes for human resources; Cross-border process for the exchange of information (e.g. best practices) on the security of human resources

D3 Security of systems and facilities
  Moderate gaps: Robust configuration and deployment of 5G vertical use cases; Robust configuration of micro services and automation; Security of RAN, Open RAN, ONAP; Methods for evaluating the security of 5G verticals; Methods for evaluating the robustness of the configuration of 5G micro services and automation
  Major gaps: Information security requirements applicable to vendors of 5G solutions sourcing contracts; Automation of robust configurations and deployment; Audits of the security of orchestration and micro-services (note: area that might be addressed by soft measures, not standards)

D4 Operations management
  Moderate gaps: High-level requirements for 5G-specific cloud-native and edge deployments; Operations and security practices concerning firmware, data aggregation and related components; Third party risk assessment of 5G operations
  Major gaps: Requirements to implement the whole lifecycle of 5G-specific cloud-native and edge deployments, such as centralised management of certificates, interoperable automation and orchestration, serverless environments; Automated security evaluation for industrial IoT

D5 Incident management
  Moderate gaps: Typologies of scenarios for 5G-specific, end-to-end incident management, including severity criteria and thresholds for incidents in a 5G context; Evaluation methods for the investigation of incidents and the chain of custody for evidence; Processes for cross-border information exchange to share best practices
  Major gaps: Automated incident response in a 5G context; Evaluation methods for the performance of automated incident response

D6 Business continuity management
  Moderate gaps: 5G-specific business impact analysis; Methodology to assess ICT readiness; 5G-specific disaster recovery; Processes for cross-border information exchange to share best practices in business continuity
  Major gaps: Technical disaster recovery plans for 5G functions and orchestration; Methods for evaluating the ICT readiness for business continuity

D7 Monitoring, auditing, and testing
  Moderate gaps: Evaluation methods for monitoring capabilities; Evaluation methods for the capabilities of automated testbeds; Process for the cross-sector exchange of information in the area of sharing best practices for monitoring, auditing and testing
  Major gaps: 5G-specific log sources; Event correlation for 5G end-to-end services and roaming

D8 Threat awareness
  Moderate gaps: Typologies of threats for 5G verticals applicable to RAN/Open RAN, APIs, ONAP, and cloud native technology; Evaluation methods for the capabilities and effectiveness of threat intelligence and threat hunting; Process for the cross-sector exchange of information in the area of sharing threat intelligence
  Major gaps: Automatic remediation playbooks

4.4 OBSERVATIONS ON THE GAPS IN STANDARDISATION

The gap analysis is based on the standards, specifications and guidelines presented in Section 6 Bibliography. The following should be noted:

- The bibliography relies on a sampled set of documents. Despite the authors' efforts, there may exist standards, specifications or guidelines that are not referenced, so that a gap is reported in error.
- When a partial or major gap is pointed out, the question arises as to whether this area should be standardised, supported by specifications or guidelines, or whether company-specific needs make this contextualisation impossible.

Given the above, the present report might over-represent existing gaps in some areas. For example, in relation to the latter point, one consistent observation is that the lifecycle of open-source software does not fit well with the processes defined in the standards, specifications, and guidelines. This is mainly due to the lack of a formal organisational structure that could support, enforce and finance standardised processes in the open-source community. This is particularly true for the security domains D1 (Governance and Risk Management), D7 (Monitoring, Auditing and Testing) and D8 (Threat Awareness).

Furthermore, the process for developing security standards is not included in the analysis itself. The interests of individual players may influence the definition of security standards, specifications, or guidelines in favour of economic or other trade-offs, sometimes at the cost of a higher risk. One example is the trade-off between capabilities for legal interception and security against espionage through end-to-end confidentiality.

4.5 ADDITIONAL LEARNINGS AND OBSERVATIONS

Complementary to the assessment of the coverage of the existing security literature, the following elements intend to bring a qualitative
187、 perspective on the organisational and technical 5G CYBERSECURITY STANDARDS March 2022 30 areas where the 5G stakeholders can intervene to improve maturity,robustness,and readiness for resilience.The following list gathers observations from the initial deployments of 4G that have been shared in the
188、Telecom industry.These trends continue to be relevant and should be considered in the context of 5G8:The complexity of simultaneously operating virtualised infrastructure and virtualised network functions(VNFs)working together;The need for consistency between the three key technical domains of VNFs(
189、Virtual Network Functions),SDN(Software-defined networks)controllers,IaaS(Infrastructure as a Service)due to their mutual dependencies;The reliance on a Linux kernel leading to a systemic risk related to unexpected changes of configuration or unexpected behaviours at the core of computing and connec
190、tivity capabilities,possibly impacting also new critical functions e.g.orchestration,containers and microservices;The emergence of new solutions to entrust data management on cloud-based and serverless solutions,based on short-lived assets requiring new approaches for the observability of actions an
191、d for detecting threats;New cloud environments impact identity and access management as they are no longer purely role-based,but attribute-based and context-based;The increased need for confidentiality and resilience on connectivity and data storage in the network and its operation;The exploding num
192、ber of cryptographic certificates to ensure legitimacy and avoid man-in-the-middle attacks shine a new light on key management;The abundance of configurations using text-based descriptors such as JSON and XML,together with highly distributed processing and storage;The effects of the increased import
193、ance of IT technologies including the importance of open source,both at service and infrastructure levels;The large number of APIs bringing complexity in ensuring the legitimacy of requests and the balance between attack surface and the exposure of an application interface;Cybersecurity incidents in
194、volving the recurring exposure of credentials and secrets in CI/CD environments;The MNOs tendency to outsource their network operations and field operations to third-party service providers entrusted with multiple networks in multiple countries,which reinforces the importance of connectivity and the
195、refore the inter-dependency between the ability to operate and the operated assets;Outsourcing to tower companies(companies taking charge of the radio access sites)and fibre companies(companies that operate fibre access networks),which are now entrusted with managing several operators simultaneously
196、 in several countries.The above key trends are observed in 4G,but they should be taken into consideration to improve the coverage of standardisation for the cybersecurity of 5G.Furthermore,one should take into account the fact that 5G networks are systems of systems,whose representation requires aut
197、omation and abstraction and whose services necessitate end-to-end quality controls.8(Affirmed Networks,2019)5G CYBERSECURITY STANDARDS March 2022 31 5.RECOMMENDATIONS This section provides the recommendations that result from the previous sections and in particular from the identification of gaps.5.
198、1 ADOPT A PROGRESSIVE APPROACH TO 5G STANDARDISATION The report suggests that a progressive approach to 5G standardisation be undertaken.Such an approach should start by improving existing literature.The current report could help this effort as it gives an overview of references and assesses their s
199、uitability for a given security measure,technical and functional domain and/or stakeholder.The creation of new references if needed could be a subsequent step to enhance standardisation coverage.5.2 HAVE A BROADER VIEW ON THE CREATION OF NEW REFERENCES The creation of new standards,specifications an
200、d guidelines should consider several elements.Usefulness and necessity.It should be considered whether the creation of standards,specifications and guidelines is necessary and/or useful for a specific security measure,for a specific 5G domain,and/or for a specific stakeholder at a given stage of the
201、 lifecycle.Link with strategic objectives.It is recommended that a consistent link between any new reference and the strategic objective it should serve is ensured.For instance,if the objective of a new reference is to harmonise practices at the European level,local regulations should be taken into
202、consideration.For example,contextualisation of HR(human resources)measures must account for local regulations.A special attention shall be brought to provisions for legal interception.Measurability of effectiveness.New references should facilitate the consistent measuring of the effectiveness of the
203、 security measures from an end-to-end service perspective.Consideration for new technologies.For example,detection tactics of incidents in 5G should be tackled also from the perspective of the development and operation of Artificial Intelligence,and not only from the standpoints of mobile network op
204、erators,their managed services provider,and B2B verticals.Thinking beyond standardisation.In some cases,the effectiveness of standards,specifications or guidelines depends on external factors.For example,because of the open nature of the development of free and open source software(FOSS),security gu
205、idelines and recommendations should be accompanied by the commitment of resources to development and audit.Therefore,industry players and public administrations relying on open source software should be encouraged to actively contribute to continuously improve and maintain the security of the FOSS-b
206、ased solutions.5.3 FOSTER THE MATURITY AND THE COMPLETENESS OF THE IDENTIFICATION AND ASSESSMENT OF RISK Section 4 Identification of Gaps in Standardisation points to areas,for each security domain,that are partly covered by the existing literature,as well as those covered to a limited extent or not
207、 at all.Besides these specific areas,the experts observed a broader gap related to risk assessment.The existing literature related to risk assessment is not specific to 5G and/or does not identify and evaluate risks consistently.This leads to a fragmented security landscape which might be detrimenta
208、l for the overall security of 5G.5G CYBERSECURITY STANDARDS March 2022 32 Therefore,it is important to foster the maturity and the completeness of risk identification and assessment,by harmonising risk assessment practices in a way that is inclusive of all stakeholders of the 5G ecosystem.For exampl
209、e,this would imply in particular(but not only)standardised:registers of risks,including from the perspective of the telecommunications sector and service customers,skills and capacities frameworks for third party assessment,knowledge bases of threat scenarios,requirements for security monitoring,ass
210、essment methods with an adequate abstraction level,requirements for auditing capability,in particular for service providers.In this context,it is worth mentioning the approach to risk identification outlined in ENISAs Methodology for Sectoral Cybersecurity Assessment,and described in the subsequent
section.

5.3.1 ENISA's methodology for sectoral cybersecurity assessment

The European Cybersecurity Act (CSA) requires that the definition of security and certification requirements for ICT products, services and processes be based on the risk associated with their intended use. To this end, ENISA has proposed the SCSA methodology (ENISA, Methodology for Sectoral Cybersecurity Assessments, 2021) to support the identification of cybersecurity risks associated with the intended use of systems in the context of business services and processes, with the option to involve all stakeholders, from sectoral vertical users to the providers of network infrastructure. SCSA carries out the assessment at sectoral business level, involving all relevant 5G stakeholders, their business objectives and their ICT subsystems and processes. Cybersecurity risks are identified in relation to the business objectives, and the risks identified indicate the security, certification and assurance level requirements for particular ICT products, services and processes. This can support a balance between the cost that a 5G stakeholder has to cover for security and assurance and the benefit of protecting its business objectives.

5.4 FINAL OBSERVATIONS

It is to be noted that the prioritisation of new references to be created is outside the scope of this work and that, in accordance with the previous recommendation, the creation of new references might not always be necessary and should be part of a progressive approach which should consider several aspects.

Finally, it is important to stress that, while the technical and organisational standards analysed can contribute to the security of 5G, they should not be treated as an exhaustive list of measures guaranteeing security. Besides considerations of the effectiveness of specific standards, which are outside the scope of this report, it should be remembered that there are risks that are not covered by standards, for example residual risks whose cost is neither borne by nor attributable to a specific stakeholder, such as societal risks resulting from network malfunctions. The complexity of
5G, as depicted in the previous sections, calls for a comprehensive vision of trust and of resilience that goes beyond standardisation. This vision should be future-proof and not dependent on the variability of assets and configurations in the network.

6. BIBLIOGRAPHY

1. 3GPP (2016): 3GPP 33.117 Catalogue of general security assurance requirements; Technical Specification.
2. 3GPP (2016): 3GPP 33.401 3GPP System Architecture Evolution (SAE); Security architecture.
3. 3GPP (2020): 3GPP 33.102 3G security; Security architecture; Technical Specification.
4. 3GPP (2020): 3GPP 33.116 Security Assurance Specification (SCAS) for the MME network product class.
5. 3GPP (n.d.): 3GPP 33.163 Battery Efficient Security for very low throughput Machine Type Communication (MTC) devices (BEST).
6. 3GPP (n.d.): 3GPP 33.210 Network Domain Security (NDS); IP network layer security.
7. 3GPP (n.d.): 3GPP 33.310
Network Domain Security (NDS); Authentication Framework (AF).
8. 3GPP (n.d.): 3GPP 33.501 Security architecture and procedures for 5G System.
9. 3GPP (n.d.): TS 33.514 - 5G Security Assurance Specification (SCAS) for the Unified Data Management (UDM) network product class.
10. ANSI (2019): ANSI/TIA-569-E Telecommunications Pathways and Spaces.
11. ANSSI (2018): EBIOS Risk Manager; Paris: ANSSI.
12. ASIS (2021): ASIS Physical Asset Protection Guideline; Retrieved from asis.org: https://www.asisonline.org/publications-resources/standards-guidelines/
13. Carder, J. (2020): How to build a SOC with limited resources.
14. Carder, J. (2020): Security Operation Centers Maturity Model.
15. CIS (2018): CIS Risk Assessment Method.
16. CIS (2021): CIS Controls v8; Retrieved from https://www.cisecurity.org/controls/v8/
17. Cloud Security Alliance (2015): Best practices for mitigating risks in virtualized environments.
18. CSIAC (2021): CSIAC evaluation of threat taxonomies; Retrieved from https://csiac.org/articles/evaluation-of-comprehensive-taxonomies-for-information-technology-threats/
19. EBIOS C (2021): Oberisk; Retrieved from https://club-ebios.org/site/en/tag/oberisk-en/
20. ENISA (2014): Report on Cyber Crisis Cooperation and Management.
21. ENISA (2016): Threat Taxonomy; Retrieved from https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
22. ENISA (2019): EU Coordinated Risk Assessment of 5G Networks Security.
23. ENISA (2019): Threat Landscape for 5G Networks.
24. ENISA (2020): ENISA Threat Landscape for 5G Networks Updated.
25. ENISA (2020): Guideline on Security Measures under the EECC.
26. ENISA (2021): 5G Supplement to the Guideline on Security Measures under EECC.
27. ENISA (2021): Methodology for Sectoral Cybersecurity Assessments.
28. ENISA (2021): Security in 5G Specifications.
29. ETSI (2014): ETSI GS NFV-SEC 003 - Network Functions Virtualisation (NFV) - NFV Security - Security and Trust Guidance.
30. ETSI (2014): Network Functions Virtualisation (NFV); Architectural Framework.
31. ETSI (2017): ETSI GS NFV-SEC 012 - Network Functions Virtualisation (NFV) Release 3; Security; System architecture specification for execution of sensitive NFV components.
32. ETSI (2017): Network Function Virtualisation (NFV); Reliability; Report on the resilience of NFV-MANO critical capabilities.
33. ETSI (2017): Network Functions Virtualisation (NFV) Release 3; Security; Security Management and Monitoring specification.
34. ETSI (2018): ETSI GS NFV-SEC 014 - Network Functions Virtualisation (NFV) Release 3 - NFV Security - Security Specification for MANO Components.
35. ETSI (2022): ETSI TS 103 465 Smart Secure Platform (SSP); Requirements Specification.
36. Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation.
37. Regulation (EU) 2019/881 - Cybersecurity Act; Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
38. European Commission (2020, December 16): Brussels, Belgium, EU Press Release; New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient.
39. Fédération Française des Télécoms (2019): Repository of security objectives for Virtualised Network Functions (French).
40. GSMA (2019): GSMA FS.11 - SS7 Interconnect Security Monitoring and Firewall Guidelines.
41. GSMA (2019): GSMA FS.19 - Diameter Interconnect Security.
42. GSMA (2020): GSMA FS.23 - Coordinated Vulnerability Disclosure; Guideline.
43. GSMA (2020): GSMA FS.37 - GPRS Tunnelling Protocol User Security.
44. GSMA (2020): GSMA NG.113 - 5G System Roaming Guidelines.
45. GSMA (2021): GSMA FS.16 - NESAS Development and Lifecycle Security Requirements v2.0.
46. GSMA (n.d.): PRD FS.04 GSMA SAS Standard for UICC Production.
47. GSMA (n.d.): PRD FS.05 GSMA SAS Methodology for UICC Production.
48. GSMA (n.d.): PRD FS.08 GSMA SAS Standard for Subscription Manager Roles.
49. GSMA (n.d.): PRD FS.09 GSMA SAS Methodology for Subscription Manager Roles.
50. GSMA (n.d.): PRD FS.18 GSMA SAS Consolidated Security Guidelines.
51. GSMA (n.d.): PRD SGP.01 Embedded SIM Remote Provisioning Architecture.
52. GSMA (n.d.): PRD SGP.02 Remote Provisioning Architecture for Embedded UICC; Technical Specification.
53. GSMA (n.d.): PRD SGP.21 Remote SIM Provisioning (RSP) Architecture.
54. GSMA (n.d.): PRD SGP.22 Remote SIM Provisioning (RSP) Technical Specification.
55. GSMA (n.d.): TS 33.513 - 5G Security Assurance Specification (SCAS); User Plane Function (UPF); Technical Specification.
56. GSMA (n.d.): TS 33.515 - 5G Security Assurance Specification (SCAS) for the Session Management Function (SMF) network product class.
57. IETF (2004): IETF RFC 3871 - Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure.
58. Informationstechnik, B. F. (2017): BSI Standard 200-3 - IT Risk Management: Standard.
59. ISO (2010): ISO/IEC 11770-1:2010 - Information technology - Security techniques - Key management - Part 1: Framework.
60. ISO (2012): ISO/IEC 17024:2012 - Conformity assessment - General requirements for bodies operating certification of persons.
61. ISO (2012): ISO/IEC 17065:2012 - Conformity assessment - Requirements for bodies certifying products, processes and services.
62. ISO (2013): ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements.
63. ISO (2013): ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls.
64. ISO (2013): ISO/IEC 27036-3:2013 - Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security.
65. ISO (2013): ISO/IEC TR 20000-5:2013 - Information technology - Service management - Part 5: Exemplar implementation plan for ISO/IEC 20000-1.
66. ISO (2014): ISO/IEC 27036-1:2014 - Information technology - Security techniques - Information security for supplier relationships - Part 1: Overview and concepts.
67. ISO (2014): ISO/IEC 27036-2:2014 - Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements.
68. ISO (2015): ISO 22317:2015 - Societal security - Business continuity management systems - Guidelines for business impact analysis (BIA).
69. ISO (2015): ISO/IEC 17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements.
70. ISO (2015): ISO/IEC 27033-1:2015 - Information technology - Security techniques - Network security - Part 1: Overview and concepts.
71. ISO (2015): ISO/IEC TR 20000-11:2015 - Information technology - Service management - Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL.
72. ISO (2016): ISO/IEC 24760-3:2016 - Information technology - Security techniques - A framework for identity management - Part 3: Practice.
73. ISO (2016): ISO/IEC 27035-1:2016 - Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management.
74. ISO (2016): ISO/IEC 27036-4:2016 - Information technology - Security techniques - Information security for supplier relationships - Part 4: Guidelines for security of cloud services.
75. ISO (2017): ISO/IEC 20000-6:2017 - Information technology - Service management - Part 6: Requirements for bodies providing audit and certification of service management systems.
76. ISO (2017): ISO/IEC 27021:2017 - Information technology - Security techniques - Competence requirements for information security management systems professionals.
77. ISO (2018): ISO 19011:2018 - Guidelines for auditing management systems.
78. ISO (2018): ISO 21001:2018 - Educational organizations - Management systems for educational organizations - Requirements with guidance for use.
79. ISO (2018): ISO 22331:2018 - Security and resilience - Business continuity management systems - Guidelines for business continuity strategy.
80. ISO (2018): ISO 29992:2018 - Assessment of outcomes of learning services - Guidance.
81. ISO (2018): ISO 31000:2018 - Risk management - Guidelines.
82. ISO (2018): ISO/IEC 20000-1:2018 - Information technology - Service management - Part 1: Service management system requirements.
83. ISO (2018): ISO/IEC 20000-10:2018 - Information technology - Service management - Part 10: Concepts and vocabulary.
84. ISO (2018): ISO/IEC 27005:2018 - Information technology - Security techniques - Information security risk management.
85. ISO (2018): ISO/IEC 29147:2018 - Information technology - Security techniques - Vulnerability disclosure.
86. ISO (2019): ISO 22301:2019 - Security and resilience - Business continuity management systems - Requirements.
87. ISO (2019): ISO/IEC 20000-2:2019 - Information technology - Service management - Part 2: Guidance on the application of service management systems.
88. ISO (2019): ISO/IEC 20000-3:2019 - Information technology - Service management - Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1.
89. ISO (2019): ISO/IEC 20000-7:2019 - Information technology - Service management - Part 7: Guidance on the integration and correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013.
90. ISO (2019): ISO/IEC 24760-1:2019 - IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts.
91. ISO (2020): ISO 22313:2020 - Security and resilience - Business continuity management systems - Guidance on the use of ISO 22301.
92. ISO (2020): ISO/IEC 27014:2020 - Information technology - Security techniques - Governance of information security.
93. ISO (2021): ISO 22300:2021 - Security and resilience - Vocabulary.
94. ISO (2021): ISO 22332:2021 - Security and resilience - Business continuity management systems - Guidelines for developing business continuity plans and procedures.
95. ITU-T (2016): X.1038 Security requirements and reference architecture for software-defined networking.
96. LogRhythm (2021): Analysis and Detection of Golden SAML Attacks.
97. MITRE (2019): Common Attack Pattern Enumeration and Classification; Retrieved July 16, 2019, from https://capec.mitre.org
98. NIST (2003): SP800-50 - Building an Information Technology Security Awareness and Training Program; Guideline.
99. NIST (2006): SP800-100 - Information Security Handbook: A Guide for Managers. Gaithersburg, MD: NIST.
100. NIST (2006): SP800-92 Guide to Computer Security Log Management.
101. NIST (2017): SP800-190 - Application Container Security.
102. NIST (2018): White Paper - Framework for Improving Critical Infrastructure Cybersecurity.
103. NIST (2019): SP800-204 - Security Strategies for Microservices-based Application Systems.
104. NIST (2020): SP800-181 Rev1 Workforce Framework for Cybersecurity (NICE Framework).
105. NIST (2020): White Paper - Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).
106. NIST (2021): NIST SP 800-53A - Assessing Security and Privacy Controls in Information Systems and Organizations.
107. NIST (2021): SP800-154 Guide to Data-Centric System Threat Modeling.
108. NIST (2021): SP800-204B - Attribute-based Access Control for Microservices-based Applications using a Service Mesh.
109. NIST (2021): SP800-53A Risk Management Framework - Assessing Security and Privacy Controls in Information Systems and Organizations. Guideline.
110. NIST (n.d.): SP 800-53 Rev. 5.1 and SP 800-53B; Retrieved from nist.org: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=5.1&family=PE
111. OWASP (2017): owasptopten.org; Retrieved from https://www.owasptopten.org/
112. SANS Institute (2021): Security Policy Templates; Retrieved from https://www.sans.org/information-security-policy/
113. TM Forum (2021): eTOM GB921 Business Process Framework.
114. W. Bautista Jr (2019): Cyber kill chain and the OODA loop; O'Reilly Editions.

ANNEX TAXONOMY FOR STANDARDS

This section acts as a reminder of the definitions of document typologies from the EU regulatory framework and the ISO.

A.1 DOCUMENT TYPOLOGIES DEFINED BY THE EU REGULATION

The European Union's Regulation (EU) No 1025/2012 stipulates the following provisions: a technical specification is a document that prescribes technical requirements to be fulfilled by a product, process, service or system (…). Depending on the source of such a specification, it could be a standard ("standard" means a technical specification adopted by a recognised standardisation body for repeated or continuous application) at the international, regional (e.g. European) or national level. Additionally, there is the European standardisation deliverable, which refers to any technical specification other than a European standard adopted by a European standardisation organisation for repeated or continuous application. Technical specifications that are neither standards nor European standardisation deliverables could be identified as equivalent to standards if they meet the requirements set out in Annex II of Regulation 1025/2012.

If the taxonomy based on EU Regulation 1025/2012 were considered, it could look like:

A. Technical specification document containing the requirements for:
   A1 Technical specification standard
   A2 Technical specification European standardisation deliverable considered as a standard (adopted by one of the European Standards Organisations)
   A3 Technical Specification standard (according to the rules and principles set out in Annex II of the Regulation)
B. Document that contains information other than requirements:
   B1 (Name of a Recognised Standardisation Body) standard Framework
   B2 (Name of a Recognised Standardisation Body) standard Guidelines
   B3 (Name of a Recognised Standardisation Body) standard Best practices
   B4 (Name of a Recognised Standardisation Body) standard Vocabulary

A.2 DOCUMENT TYPOLOGIES DEFINED BY ISO

If we consider the ISO taxonomy, we are dealing with the following (according to ISO):

Standard: a document established by consensus and approved by a recognised body that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.

International Standard: a standard that is adopted by an international standardising or standards organisation and made available to the public.

Technical Specification (TS): a document published by ISO or IEC for which there is, in the future, the possibility of agreement on an International Standard but for which at present: the required support for approval as an International Standard cannot be obtained, there is doubt on whether consensus has been achieved, the subject matter is still under technical development, or there is another reason precluding immediate publication as an International Standard.

Technical Report (TR): a document published by ISO or IEC containing collected data of a different kind from that normally published by ISO or IEC.

If the ISO taxonomy were considered, it could look like:

A. Standards
   A1 (Name of a Recognised Standardisation Body) Standard Requirements
   A2 (Name of a Recognised Standardisation Body) Standard Framework
   A3 (Name of a Recognised Standardisation Body) Standard Guidelines
   A4 (Name of a Recognised Standardisation Body) Standard Vocabulary
B. Technical reports
   B1 ISO Technical Report Guidelines
   B2 ISO Technical Report Best practices
C. Non-standard documents
   C1 (Name of the Issuer) Guidelines
   C2 (Name of the Issuer) Best Practices

ANNEX MAPPING

In the detailed analysis, to keep the information in the table manageable, the convention used in this annex is proposed to refer to one or several stakeholders, or one or several documents, under a common label.

A.3 REFERENCING THE 5G TECHNICAL AND FUNCTIONAL DOMAINS

In the detailed analysis, to keep the information in the table manageable, a convention specific to this document is proposed to refer to one or several 5G technical and functional domains under a common label. The table below provides, for every 5G domain, the associated label.

5G Technical and functional domain: Definition

5G Use cases: End-to-end services based on 5G, characterised by how they use and/or transmit data. Example: Vehicle-to-everything, eMBB, mMTC, URLLC.

Multi Access Edge Computing (MEC) Services: Multi-access computing services used to bring computation and connectivity closer to the end-user in order to meet the requirements for data transmission speed and latency.

Physical Infrastructure: Set of premises including hardware and software for computation, storage and transmission, as well as the related technical environment (energy, air conditioning, cable paths, civil works infrastructures, etc.).

Virtualised Infrastructure: Computing, storage and networking capacities on demand.

Radio Access Network (RAN): Logical and hardware components making up the functions of the radio access network. It includes mainly distribution units and control units for radio access.

Multi Access Edge Computing (MEC) Infrastructure: Infrastructure related to the decentralisation of cloud functions (storage of data and computing) located closer to the user or edge device.

5G Core Network, Network Function (CN NF): Central part of the 5G infrastructure which enables new functions related to multi-access technologies. Its main purpose is to deliver services over all kinds of networks (wireless, fixed, converged).

Data Network (DN): Connectivity to external data, content, services and other resources available outside the 5G network. The data network is also used to interconnect different 5G networks, operators and providers.

Transport: Part of the network ensuring the connectivity between the access and core networks.

Management and Orchestration (MANO): Software, operations tools and the related environment used to automate operations that relate to the lifecycle of the infrastructure and service components.

A.4 REFERENCING THE STAKEHOLDERS

In the detailed analysis, to keep the information in the table manageable, a convention specific to this document is proposed to refer to one or several stakeholders under a common label. The table below provides, for every stakeholder category, the list of the concerned stakeholders, represented by the designation provided in Section 2.1.3 5G Stakeholders.

Stakeholder category: Definition

5G Service customer or consumer: Entities that use services that are offered by a service provider (SP). In the context of 5G, these would be, for example, vertical industries and their private networks. In addition, consumers
of 5G services without a business relation with a 5G service provider (e.g. end users) are included in this category. This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

Telecommunications sector (Telecom): This category encompasses entities that are responsible for the manufacture, deployment and operation of 5G networks, such as:
- Mobile network operators: entities providing mobile network services to users, operating their own network, if necessary with the help of third parties.
- Suppliers of mobile networks: entities providing services or infrastructure to MNOs in order to build and/or operate their networks (both telecom equipment manufacturers and other third-party suppliers, such as cloud infrastructure providers, network infrastructure providers and managed services providers).
- Service provider (SP): entities that design, build and operate services using aggregated network services, such as, for example, communication service providers offering traditional telecom services, digital service providers offering digital services such as enhanced mobile broadband and IoT to various vertical industries, or network slice as a service (NSaaS) providers offering a network slice along with the services that it may support and configure.
- Virtualisation infrastructure service providers (VISP): entities that provide virtualised infrastructure services and that design, build and operate virtualisation infrastructure(s). The infrastructure comprises networking (e.g. for mobile transport) and computing resources (e.g. from computing platforms).
This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

Datacentre services providers (DCSP): Entities that provide data centre services and that design, build and operate their data centres. A DCSP differs from a VISP by offering raw resources (i.e. host servers) in rather centralised locations and simple services for consumption of these raw resources. A VISP rather offers access to a variety of resources by aggregating multiple technology domains and making them accessible through a single API. This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

Connected devices industry: This category includes manufacturers of connected devices and related service providers, meaning entities providing objects or services that will connect to 5G networks (e.g. smartphones, connected vehicles, e-health) and related service components hosted in a 5G control plane as defined in service-based architecture or mobile edge computing. This category may implement standards, specifications and guidelines to achieve the security objectives for the safe use, deployment and operation of 5G networks and/or services.

Cybersecurity assessment: This category includes entities that assess the security of 5G networks and systems, e.g. auditing companies and accredited 5G laboratories. This category audits the implementation of standards, specifications and guidelines.

Cybersecurity information exchange: This category includes entities that share threat intelligence and incident-related information, for example information sharing and analysis centres (ISACs) and cyber security incident response teams (CSIRTs). This category may implement standards, specifications and guidelines to securely exchange cyber-intelligence.

Standards development organisations (SDOs), associations, alliances: This category encompasses entities that develop and promote the adoption of standards, specifications and guidelines, for example GSMA and 3GPP.

Research and innovation organisations: This category encompasses entities contributing to R&D and innovation tasks related to all kinds of innovative actions in the areas related to 5G, including verticals. It also includes open source organisations or communities providing technological support and guidance in the development of 5G functions and services, as well as public-private partnerships and innovation programmes. This category exposes gaps in standardisation and creates innovations that can lead to advancements in standardisation, by acting as starting points for new standards, specifications and guidelines.

A.5 REFERENCING THE
EXISTING LITERATURE

In the detailed analysis, to keep the information in the detailed analysis table manageable, a convention specific to this document is proposed for referring to one or several documents under a common cluster for easy reference. The clustering choice is based on either the family of documents or a common security theme. The table below provides, for every group, the reference shorthand, the descriptive title, the list of concerned documents based on Section 6 Bibliography, and the document taxonomy from Section 2.2.

Table columns: Reference shorthand / Descriptive title / References from the bibliography / Document taxonomy

ISOIEC27K
   Descriptive title: A selection of ISO/IEC JTC1 SC27 requirements and code of practice to set up information security processes.
   References: (ISO, ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements, 2013); (ISO, ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls, 2013); (ISO, ISO/IEC 27005:2018 - Information technology - Security techniques - Information security risk management, 2018); (ISO, ISO/IEC 27035-1:2016 - Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management, 2016)
   Document taxonomy: Standard

ISOIEC20K
   Descriptive title: A selection of ISO/IEC processes mapped for service delivery.
   References: (ISO, ISO/IEC 20000-1:2018 - Information technology - Service management - Part 1: Service management system requirements, 2018); (ISO, ISO/IEC 20000-2:2019 - Information technology - Service management - Part 2: Guidance on the application of service management systems, 2019); (ISO, ISO/IEC 20000-3:2019 - Information technology - Service management - Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1, 2019); (ISO, ISO/IEC TR 20000-5:2013 - Information technology - Service management - Part 5: Exemplar implementation plan for ISO/IEC 20000-1, 2013); (ISO, ISO/IEC 20000-6:2017 - Information technology - Service management - Part 6: Requirements for bodies providing audit and certification of service management systems, 2017); (ISO, ISO/IEC 20000-7:2019 - Information technology - Service management - Part 7: Guidance on the integration and correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013, 2019); (ISO, ISO/IEC 20000-10:2018 - Information technology - Service management - Part 10: Concepts and vocabulary, 2018); (ISO, ISO/IEC TR 20000-11:2015 - Information technology - Service management - Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL, 2015)
   Document taxonomy: Standard

(Reference shorthand, descriptive title and document taxonomy of this row are not present in the source text)
   References: (TMForum, 2021); (IETF, 2004); (ISO, ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls, 2013): 12.1 Operational procedures and responsibilities

SUPPLSEC
   Descriptive title: A selection of references for the security of suppliers.
   References: (ISO, ISO/IEC 27036-1:2014 - Information technology - Security techniques - Information security for supplier relationships - Part 1: Overview and concepts, 2014); (ISO, ISO/IEC 27036-2:2014 - Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements, 2014); (ISO, ISO/IEC 27036-3:2013 - Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security, 2013); (ISO, ISO/IEC 27036-4:2016 - Information technology - Security techniques - Information security for supplier relationships - Part 4: Guidelines for security of cloud services, 2016); (GSMA, GSMA FS.16 - NESAS Development and Lifecycle Security Requirements v2.0, 2021)
   Document taxonomy: Standard

POLTEMPLATES
   Descriptive title: A selection of guidelines to build security policies.
   References: (SANS Institute, 2021)
   Document taxonomy: Guideline

RM
   Descriptive title: A selection of references for cybersecurity risk management and related assessments.
   References: (ISO, ISO/IEC 27005:2018 - Information technology - Security techniques - Information security risk management, 2018); (ENISA, Methodology for Sectoral Cybersecurity Assessments, 2021); (Cloud Security Alliance, 2015); (TMForum, 2021); (ISO, ISO 31000:2018 - Risk management - Guidelines, 2018); (ANSSI, EBIOS Risk Manager, 2018); (MITRE, Common Attack Pattern Enumeration and Classification, 2019); (NIST, SP800-53A Risk Management Framework - Assessing Security and Privacy Controls in Information Systems and Organizations, 2021); (EBIOS, 2021); (CIS, CIS Risk Assessment Method, 2018); (Informationstechnik, 2017)
   Note: The eTOM consists of a process map reference framework. It is a useful reference for identifying business processes. However, the eTOM material does not provide any coverage on the implementation of security measures other than their use to identify a scope of governance for SO1 and a scope of primary assets for SO2.
   Document taxonomy: Standard; Guideline

ENISATL
   Descriptive title: A selection of references for ENISA works related to threats.
   References: (ENISA, ENISA Threat Landscape for 5G Networks Updated, 2020); (ENISA, Threat Landscape for 5G Networks, 2019); (ENISA, EU Coordinated Risk Assessment of 5G Networks Security, 2019)
   Document taxonomy: Report

SP800HR
   Descriptive title: A selection of references for security related to human resources.
   References: (NIST, SP800-50 - Building an Information Technology Security Awareness and Training Program, 2003); (NIST, SP800-100 - Information Security Handbook: A Guide for Managers, 2006); (NIST, SP800-181 Rev1 Workforce Framework for Cybersecurity (NICE Framework), 2020); (ISO, ISO 29992:2018 - Assessment of outcomes of learning services - Guidance, 2018); (ISO, ISO/IEC 27021:2017 - Information technology - Security techniques - Competence requirements for information security management systems professionals, 2017); (ISO, ISO/IEC 17024:2012 - Conformity assessment - General requirements for bodies operating certification of persons, 2012); (ISO, ISO 21001:2018 - Educational organizations - Management systems for educational organizations - Requirements with guidance for use, 2018)
   Document taxonomy: Guideline

IAM
   Descriptive title: A selection of references for identity and access management.
   References: (ISO, ISO/IEC 24760-1:2019 - IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts, 2019); (ISO, ISO/IEC 24760-3:2016 - Information technology - Security techniques - A framework for identity management - Part 3: Practice, 2016); (NIST, SP800-204B - Attribute-based Access Control for Microservices-based Applications using a Service Mesh, 2021)
   Document taxonomy: Standard

(Reference shorthand, descriptive title and document taxonomy of this row are not present in the source text)
   References: (ETSI, ETSI GS NFV-SEC 003 - Network Functions Virtualisation (NFV) - NFV Security - Security and Trust Guidance, 2014); (ETSI, ETSI GS NFV-SEC 014 - Network Functions Virtualisation (NFV) Release 3 - NFV Security - Security Specification for MANO Components, 2018); (IETF, 2004); (ISO, ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements, 2013): 12.1 Operational procedures and responsibilities

DEVSECOPS
   Descriptive title: A selection of references for security in the IT lifecycle.
   References: (NIST, SP800-204 - Security Strategies for Microservices-based Application Systems, 2019); (NIST, SP800-190 - Application Container Security, 2017); (NIST, White Paper - Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF), 2020); (ISO, ISO/IEC/IEEE 29119-1:2013 - Software and systems engineering - Software testing - Part 1: Concepts and definitions, 2013)
   Document taxonomy: Guideline

3GPP-All
   Descriptive title: 3GPP Technical specifications from the library.
   References: The whole of the 3GPP list from the bibliography.
   Note: 3GPP technical specifications have been considered as technical features that are part of the capabilities of the network. 3GPP Technical specifications have been considered as addressing a security measure only when they have been deemed valid as a stand-alone input to a given security measure.
   Document taxonomy: Specification

NFVSEC
   Descriptive title: A selection of references for the security of network functions virtualisation.
   References: (ISO, ISO/IEC 27033-1:2015 - Information technology - Security techniques - Network security - Part 1: Overview and concepts, 2015); (ETSI, Network Function Virtualisation (NFV); Reliability; Report on the resilience of NFV-MANO critical capabilities, 2017); (ETSI, Network Functions Virtualisation (NFV) Release 3; Security; Security Management and Monitoring specification, 2017); (ETSI, Network Functions Virtualisation (NFV); Architectural Framework, 2014)
   Document taxonomy: Specification
324、TY STANDARDS March 2022 46 eUICC A selection of references for security in the eUICC domain(GSMA,PRD FS.04 GSMA SAS Standard for UICC Production)(GSMA,PRD FS.05 GSMA SAS Methodology for UICC Production)(GSMA,PRD FS.08 GSMA SAS Standard for Subscription Manager Roles)(GSMA,PRD FS.09 GSMA SAS Methodol
325、ogy for Subscription Manager Roles)(GSMA,PRD FS.18 GSMA SAS Consolidated Security Guidelines)(GSMA,PRD SGP.01 Embedded SIM Remote Provisioning Architecture)(GSMA,PRD SGP.02 Remote Provisioning Architecture for Embedded UICC)(GSMA,PRD SGP.21 Remote SIM Provisioning(RSP)Architecture)(GSMA,PRD SGP.22 R
326、emote SIM Provisioning(RSP)Technical Specification)Specification CRYPTOTECH A selection of references for the use of cryptographic techniques(3GPP,3GPP 33.501 Security architecture and procedures for 5G System)(3GPP,3GPP 33.310 Network Domain Security(NDS);Authentication Framework(AF)(3GPP,3GPP 33.2
327、10 Network Domain Security(NDS);IP network layer security)(3GPP,3GPP 33.163 Battery Efficient Security for very low throughput Machine Type Communication(MTC)devices(BEST)(ISO,ISO/IEC 11770-1:2010-Information technology Security techniques Key management Part 1:Framework,2010)(ETSI,ETSI GS NFV-SEC 0
328、12-Network Functions Virtualisation(NFV)Release 3;Security;System architecture specification for execution of sensitive NFV components,2017)(ITU-T,2016)Specification NIST,2021,Planning for a Zero Trust Architecture:A Starting Guide for Administrators Guideline 5G CYBERSECURITY STANDARDS March 2022 4
329、7 PHYSEC A selection of references for physical and environmental security(NIST,SP800-53 Rev.5.1 and SP 800-53B)(ASIS,2021)(Informationstechnik,2017)(ISO,ISO/IEC 27002:2013-Information technology Security techniques Code of practice for information security controls,2013)-11.1 Secure areas and 11.2
330、Equipment (ANSI,2019)Guideline HARDEN A selection of references for technical robustness(CIS,CIS Controls v8,2021)(OWASP,2017)Guideline VULN A selection of references for the management of vulnerabilities(GSMA,GSMA FS.23-Coordinated Vulnerability Disclosure,2020)Guideline(ISO,ISO/IEC 29147:2018-Info
331、rmation technology Security techniques Vulnerability disclosure,2018)(ISO,ISO/IEC 17960:2015 Information technology Programming languages,their environments and system software interfaces Code signing for source code,2015)(ISO,ISO/IEC 30111:2019-Information technology Security techniques Vulnerabili
332、ty handling processes,2019)(ISO,ISO/IEC TS 30104:2015-Information Technology Security Techniques Physical Security Attacks,Mitigation Techniques and Security Requirements,2015)Standard THREATMOD A selection of references for threat modelling and security monitoring,including threat intelligence capa
333、bilities(ENISA,Threat Taxonomy,2016)(MITRE,Common Attack Pattern Enumeration and Classification,2019)(NIST,SP800-92 Guide to Computer Security Log Management,2006)(NIST,SP800-154 Guide to Data-Centric System 3 Threat Modeling,2021)(CSIAC,2021)(Carder,How to build a SOC with limited resources,2020)Guideline 5G CYBERSECURITY STANDARDS March 2022 48 (Carder,Security Operation Centers Maturity Model,2