GSMA NESAS Life Cycle and Product Testing


Cybersecurity for cross-sector mobile phone networks

The Network Equipment Security Assurance Scheme, or NESAS for short, is a cross-industry scheme that is jointly defined by the 3rd Generation Partnership Project (3GPP) and GSM Association (GSMA) in order to strengthen confidence in the IT security of a wide range of mobile phone network components. The testing of these network devices is carried out by independent testing services providers on the basis of firmly defined evaluation frameworks and security catalogs. In addition to product security, security over the entire product life cycle is also audited in a complementary procedure.

Lab and auditor – Two sides of the same coin

With over 25 years of experience in IT security, TÜVIT is a renowned and strong partner for manufacturers of network components in mobile phone networks of the latest generation.

For many years we have been operating a highly efficient hardware and software laboratory in Essen. Today, this know-how and our testing methodology form the basis for technical product testing according to 3GPP-defined Security Assurance Specifications (SCAS). With respect to NESAS, our laboratory meets all the requirements for extended ISO 17025 accreditation.

And that is not all. TÜVIT carries out security assessments throughout the entire product life cycle process in accordance with the NESAS standard. This enables us to offer network equipment manufacturers a complete audit and testing portfolio from a single source.


Our services


Test preparation services


Security audits over the product life cycle based on GSMA requirements


Security evaluation of network components based on 3GPP SCAS test cases

The benefits to network equipment and component manufacturers

  • Proof of IT security compliance with respect to relevant stakeholders such as network integrators and wireless network operators
  • Manufacturers visibly document their development, maintenance and product security functions
  • Internationally uniform security requirements enable benchmarking in global distribution
  • The avoidance of globally inconsistent security requirements and conformity fragmentation facilitates the development process of secure network products

The audit process in detail

The Network Equipment Security Assurance Scheme (NESAS) is a security framework that consists of two interconnected test aspects. The test focus and the approximate procedure we follow for each aspect are described in the sections below.

Product Life Cycle Audits

Auditing based on the requirements of the GSM Association (GSMA)

Step 1 – The document review:
Within the framework of the life cycle audit performed by TÜVIT as an experienced audit company, all sites of a product manufacturer that are involved in development and production are initially audited on a document basis. The scope of the audit covers a large number of subject areas and comprises the design, development, implementation, testing and maintenance processes of manufacturers.

Step 2 – On-site audits:
As soon as the documentation situation can be certified as sufficient, on-site audits are carried out at all sites involved in the life cycle. Within this framework, the results of the document review are verified in situ.

The audit report: 
The resulting audit report from both evaluation steps provides proof of a successfully completed life cycle audit based on the GSMA requirements. It also serves as input for the following security evaluation of network components based on the 3GPP security catalogs. TÜVIT offers both auditing components from a single source – an efficiency gain for everyone!

 



We review these subject areas: CM System, Source Code Checks, Employee Training Courses, Software Integrity & Security, Software Security Tests, Security By Design, Document Accuracy.

Security Evaluation of Network Components


Product testing according to the 3GPP-defined security test cases

Step 1 – The basic test case:
The product testing part is strongly oriented towards the actual test object, i.e. the respective network component. The basic test case catalog TS 33.117 is a fixed test component in all cases. As is the case with the other test case catalogs (SCAS catalogs), it contains detailed instructions on which test scenarios are to be performed as part of the test and how they are to be documented.

Step 2 – The supplementary catalogs:
Depending on the product type, the security evaluation is also carried out on the basis of other supplementary catalogs. Across all product types, NESAS comprises 12 product-specific supplementary case catalogs.

Many years of experience in the testing business, test tools that have been developed in-house and cooperation with renowned partner companies in the 5G environment enable TÜVIT to test a wide range of network products in accordance with all test case catalogs anchored in the NESAS scheme.

We test these network products: 5G RAN, gNodeB, 5G Core UDG, UDM, UNC, UPCF, LTE eNodeB, and much more.

About NESAS

The Network Equipment Security Assurance Scheme (NESAS) is a cross-industry, international security framework penned by the 3rd Generation Partnership Project (3GPP) and the GSM Association (GSMA) with the participation of globally operating telecommunications network operators, manufacturers, vendors and industry partners.

As a common basis, NESAS – together with other mechanisms – is aimed at contributing to an increase in the IT security level across the mobile communications industry by evaluating the security requirements of network components through independent, accredited testing services providers.

The security framework is divided into two sub-areas that build on one another. Based on the security requirements and an evaluation framework of the GSMA, the entire product development and product life cycle process of a network component and the manufacturer sites involved in it are audited. In a second stage, the security assessment of network devices is carried out using 3GPP-defined security test cases.

The integration of the first sub-area into the second audit level enables an efficient audit sequence. Measurable results also promote transparency in the security protection levels of the industry.

Frequently asked questions (FAQ):
 

Is NESAS a certification scheme?

No, the NESAS program does not certify any network products. Once the audit has been completed, manufacturers receive a transparent audit report that states whether the audit was successful. On request, companies that display interest in certification are provided with support by the TÜVIT test center for the certification process on the basis of other schemes (Common Criteria, Trusted Product and the like).

Do differences exist between the auditor and the security testing laboratory?

Yes, the auditing of the product life cycle and the security audit of the product can be carried out by different laboratories. The NESAS auditors appointed by the GSMA carry out the assessment of the product life cycle. The NESAS laboratories focus on the evaluation of network products based on the SCAS test case catalogs. TÜVIT offers both services from a single source. 

How are life cycle reports and product tests related to one another?

The audit report of the life cycle audit is required as input for the test laboratory for product testing. During product testing, the points identified in the audit report are verified and the result is documented together with the test results in a product test report.

Why we are a strong partner for you

Expertise on all security levels

With TÜVIT, you have a leading expert in the field of cyber security at your disposal. We are accredited around the globe as a laboratory and auditor for a wide range of testing services at the organizational, system, and component level.

Successful in all branches of industry

Since 1995, our security expertise has ensured confidence in the IT systems of many sectors and branches of industry. The positive aspects: From year to year, our experience grows with a large number of challenging projects.

Tailored to your requirements

We focus on individual test solutions that are perfectly adapted to your company's situation and your aims. Would you like to make IT security sustainable? We show you potential that goes “on top” of the minimum requirements of the sets of criteria.

International network of experts

Around the globe: We support you both nationally and internationally. Our global network of experts is available to you to provide advice and support on all IT security issues, irrespective of the criticality of the test object, the market requirements and the field of application of the evaluation object.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

Do you have questions? We are pleased to help!

Eric Behrendt, Business Development Manager

Tel.: +49 30 2007700 66
Fax: +49 30 2007700-99
e.behrendt@tuvit.de

Markus Wagner, Product Manager Software Evaluation

Tel.: +49 201 8999-645
Fax: +49 201 8999-666
m.wagner@tuvit.de
