Robust networks, digital stren
Digitalisation requires highly available communication networks
Integrity, robustness and confidentiality are the fundamental requirements for trustworthy communication. They guarantee the trust of users in technology and operators.
Mobile networks are the backbone of our networked society - they enable communication, business and public safety. However, as critical infrastructure, they are also an attractive target for cyber attacks. Security gaps in mobile communications systems can have fatal consequences: from data leaks to large-scale outages. IT security and resilience must therefore be a top priority. Only with robust encryption, secure components and regular updates can we guarantee our digital sovereignty and the availability of these vital networks.
Mobile networks are complex. In addition to secure operation, security at the technology level is particularly important. Nowadays, a large number of different components are installed in core, transport and access networks, mostly from different manufacturers. Software also plays a key role in modern wireless networks. For example, software-defined networks (SDN) in mobile communications enable the separation of control (control plane) and data transmission (data plane) and therefore more flexible, efficient and secure mobile networks. Network slicing, automated network management and dynamic resource control in particular benefit from this. But how do you implement the right security functionalities and how do you prove their effectiveness? We have the answer.
As part of the BSI funding call "Cybersecurity and digital sovereignty in 5G/6G communication technologies", a consortium was formed between TÜV Informationstechnik GmbH (TÜVIT) and exceeding solutions GmbH to analyse efficient test strategies for critical 5G components. The project comprised the specification of a test framework, taking into account requirements from the NESAS (Network Equipment Security Assurance Scheme) test scheme and the NESAS CCS-GI (NESAS Cybersecurity Certification Scheme - German Implementation) certification scheme, as well as the creation and commissioning of an executable demonstrator.
The Federal Office for Information Security (BSI) is responsible for inspecting operators with increased risk potential in accordance with Section 165 (9) of the German Telecommunications Act (TKG). This currently includes the operators of 5G networks in Germany. This task results from the IT Security Act 2.0 and was carried out for the first time in 2023. To fulfil the audit mandate, initial versions of an audit basis and the audit procedure were developed, which further specify the requirements from the TKG. Both documents must be further developed in the years 2023 to 2025. The reasons for this are that the Federal Network Agency's catalogue of security requirements under Section 167 TKG is being updated, a new version of ISO 27001 is about to be published and ENISA's "Guidance on security measures under the EECC" must be taken into account.
TÜVIT prepared the test basis and the associated documents on behalf of the BSI. Other sources identified by TÜVIT on the basis of its knowledge of the industry and as part of its research are also included to improve quality. The aim is to reflect the current state of the art and to develop a high-quality test basis that optimally supports the tester and enables comparable results for different testers.
The Network Equipment Security Assurance Scheme (NESAS) is a framework for ensuring and improving security in the mobile communications industry. NESAS thus creates a basis for assessing the defined security properties of IT products used to provide mobile network infrastructures, hereinafter referred to as network products. In order to prove this, the corresponding network products must be developed by the manufacturer in accordance with pre-audited development and life cycle processes. Compliance with the audited processes and the product-specific security requirements is then verified in an evaluation at a test centre.
TÜVIT has carried out a pilot evaluation of a 5G gNodeB in collaboration with the ZTE Corporation. The findings and experience from this initial evaluation have been incorporated into the NESAS CCS-German Implementation (GI), which is based on the GSMA-NESAS evaluation scheme. Possible additional requirements are taken into account for certain process steps, test questions or test activities. These were published by the BSI certification body as separate documents in the Application Notes and Interpretations of the Scheme (AIS).