By Suresh P. Nair (WG SA3 Chair)
First published June 2024, in Highlights Issue 08
SCAS - The basis for Network Equipment & Cyber security certification programs.
The need for Security Assurance
As technology advances bring many benefits derived from the increased modes of communication, they also bring challenges to communication network infrastructure in the form of security threats. No wonder, in today’s cyber connected world, cyber security is of paramount importance for everyone connected with the design, operation, regulation and maintenance of the networks.
Many governments have already declared their Public Land Mobile Networks (PLMN) as national assets, recognizing the need to ensure the safety of their critical infrastructure and to protect them against potential catastrophic attacks.
The 5G network has a very distributed set of network functions consisting of RAN nodes to provide radio connectivity, supported by 5G Core network functions to ensure the users connectivity, mobility and policy control session management and applications. Smartphones can do more complex things than the earlier technologies and these devices are connected to an equally complex network which enables these services. Proper and secure functioning of network functions are needed to ensure the legitimate behavior and sanity of the network.
The 3GPP Security WG has defined Security Assurance (SCAS) specifications for the 3GPP defined network nodes to test and ensure that they are implemented and behave according to the specifications to ensure the security and privacy of everyone involved, i.e. end users, operators etc and do not have any security vulnerability. 3GPP started this activity of developing SCAS sometime ago, since then other industry organizations, have taken up further test and certification programs taking SCAS as the basis.
Security Assurance Specifications
A SCAS Specification contains security requirements and test cases for a defined Network Function or a group of Network Functions. Each Network Function SCAS contains a description of the Network Product and the Security problem definition. The Security problem definition identifies the assets in the description of the network product class that require protection and describes how these assets can be exploited by an attacker. This step also contains the threat analysis employed to understand how an attacker performing the identified potential attacks could misuse the identified assets of the network product class. This provides a concrete security problem that is to be solved, which facilitates the selection of security requirements that are necessary and sufficient to solve the identified security problem.
A series of specifications have been developed over the years to cover all Network Functions in the 5G Core. A brief summary is given the table below.
| 3GPP TS/TR No. | Description |
| TR 33.916 | Security Assurance Methodology (SECAM) for 3GPP network products. Defines Security Assurance Methodology (SECAM) evaluation process (evaluation, relation to SECAM Accreditation Body, roles, etc.) as well as the components of SECAM that are intended to provide the expected security assurance. |
| TR 33.926 | Specifies the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class. |
| TS 33.117 | Catalogue of general security assurance requirements. Contains objectives, requirements and test cases that are deemed applicable, possibly after adaptation, to several network product classes. |
| TS 33.511 | Security Assurance Specification (SCAS) for the next generation Node B (gNodeB) network product class |
| TS 33.512 | Specifies objectives, requirements and test cases that are specific to the AMF network product class. |
| TS 33.513 | Specifies requirements and test cases that are specific to the UPF network product class. |
| TS 33.514 | Specifies requirements and test cases that are specific to the UDM network product class. |
| TS 33.515 | Specifies requirements and test cases that are specific to the SMF network product class |
| TS 33.516 | Specifies objectives, requirements and test cases that are specific to the AUSF network product class |
| TS 33.517 | Specifies objectives, requirements and test cases that are specific to the Security Edge Protection Proxy (SEPP) network product class |
| TS 33.518 | Specifies objectives, requirements and test cases that are specific to the Network Repository Function (NRF) network product class |
| TS 33.519 | Specifies requirements and test cases that are specific to the NEF network product class |
| TS 33.520 | Specifies objectives, requirements and test cases that are specific to the Non-3GPP Interworking Function (N3IWF) network product class. |
| TS 33.521 | Specifies requirements and test cases that are specific to the NWDAF network product class. |
| TS 33.522 | Specifies objectives, requirements and test cases that are specific to the SCP network product class. |
| TS 33.523 | Specifies objectives, requirements and test cases that are specific to the various split gNB network product classes. The gNB can be deployed as more than one entity by splitting the gNB into gNB-CU and gNB-DU(s) and possibly further splitting the gNB-CU into gNB-CU-CP and gNB-CU-UP(s). |
| TS 33.326 | Specifies requirements and test cases that are specific to the NSSAAF network product class. |
| TS 33.526 | Specifies objectives, requirements and test cases that are specific to the MnF network product class |
| TS 33.527 | Specifies objectives, requirements and test cases to virtualized network product classes. Several virtualized network product classes share very similar security requirements for some aspects. Therefore, these are collected in the present document applicable to many virtualized network product classes. |
| TS 33.528 | Specifies requirements and test cases that are specific to the PCF network product class. |
| TS 33.529 | Specifies objectives, security assurance requirements and test cases specific to the SMSF network product class. |
| TS 33.530 | Specifies requirements and test cases that are specific to the UDR network product class. |
| TS 33.537 | Specifies requirements and test cases that are specific to the AAnF network product class |
SCAS in the GSMA scheme
The GSMA Network Equipment Security Assurance Scheme (NESAS) has adopted the 3GPP specified Security Assurance Specifications for its security assurance program. A NESAS assessment consists of two parts, the first is an audit of the vendor’s development and product lifecycle process; and the second is an evaluation of a specific product release and its related documents against test-cases defined in 3GPP SCAS. For adoption by GSMA NESAS, the SCAS needs to follow the requirements in GSMA’s FS.50. The adoption policy is contained in Annex A of FS.47
Cyber certification scheme for network products
Regional regulatory bodies such as the EU’s ENISA have enacted Cyber security certification laws in recent years to establish and maintain trust and security on cybersecurity products, services and processes. EU ENISA has adopted 3GPP and GSMA into the certification framework.
Figure 1
In addition to the European Union, there are other countries also that re-use 3GPP SCASs for their own national assurance schemes. This is the case in India, where the Indian Telecommunication Security Assurance Requirements (ITSAR) use the generic SCAS requirements (TS 33.117) and Network Function specific SCASs as the basis for its scheme.
For more on WG SA3: www.3gpp.org/3gpp-groups
Technology
