Lower latency times, higher transmission speeds, better network stability - 5G brings many advantages, but also harbours an increased risk of cyberattacks. This is because the large number of networked devices also increases the number of potential points of attack. The 3rd Generation Partnership Project (3GPP) and the GSM Association (GSMA) have developed the joint Network Equipment Security Assurance Scheme (NESAS) to increase confidence in the IT security of a wide range of 5G mobile communications components. The German Federal Office for Information Security (BSI) has in turn converted this scheme into a national certification scheme for product certification: The NESAS Cybersecurity Certification Scheme - German Implementation (NESAS CCS-GI).1
ZTE Corporation is the first mobile communications equipment supplier to successfully complete the NESAS CCS-GI testing and certification process as part of a pilot project. This basically consists of two areas: The auditing of the development and life cycle processes and the evaluation of the technical capabilities of a network product under consideration. In the case of ZTE, the product was evaluated by TÜVIT as a recognised testing body for NESAS CCS-GI.
As part of the joint pilot project, the developed test methodology was applied in practice for the first time. This was preceded by a complex test setup, which included installing a 5G radio base station (gNodeB) from the manufacturer and simulating a complete 5G core network. In order to create the conditions for the successful execution of the test, heavy goods vehicles delivered equipment weighing several tonnes to the TÜVIT premises on the TÜV NORD CAMPUS in Essen, which was set up in close cooperation with ZTE's technicians. The IT security experts then familiarised themselves with the underlying system and began testing the 5G NR gNodeB in accordance with the NESAS CCS-GI test requirements. This included standardised security tests and various test cases.
During the entire test period, the TÜVIT experts were in continuous dialogue with the BSI to report on how the implementation of the specified tests worked in practice and to provide feedback on defined requirements. "The pilot project with ZTE and the associated experience and findings have made a decisive contribution to further advancing the NESAS CCS-GI certification," says Lisa Jäger, IT security expert at TÜVIT. "This means that the still relatively new certification scheme has officially passed its acid test. The decisive factor for the successful completion of the project was the good interaction between a technically skilled team at TÜVIT and a manufacturer that confidently faced up to the requirements."
1 Certification in accordance with NESAS CCS-GI does not replace the testing of critical components in accordance with §9b BSIG with regard to a probable impairment of public order or safety.
