While an operator’s core network can be assumed to be physically inaccessible, it may not be as secure as one would like it to be. With mobile networks becoming a vital part of society’s critical infrastructure, the need for strong security assurance in products has become increasingly important.
To help provide secure network architectures, 3GPP SA3 has produced a Technical Report describing a new security assurance and evaluation framework for mobile network products. By going beyond traditional inter-operability issues, 3GPP Security Assurance Methodology (SECAM) aims at providing common and testable baseline security properties for the different network product classes.
Benefits of this work are twofold:
- Better assurance regarding 3GPP nodes security level and robustness thanks to clear and testable requirements, whose detailed results are provided to the operators;
- Providing for the easier management of operators security needs, with a common reference model being agreed.
TR 33.805 studies the suitability of different industry methodologies that achieve these goals, with the chosen methodology integrating Common Criteria concepts where efficient – and providing the necessary adaptation to 3GPP context where necessary – allowing for accredited self-evaluation with a single assurance level and security baseline per network class.
Major areas covered by TR 33.805 are:
- Agreement on the relevant threat model and needed assurance level
- Definition of the process to build the SeCurity Assurance Specifications (SCAS), which is the document containing the security requirements for a network product class and the associated test cases
- Description of the roles and process needed for security assurance/evaluation/accreditation
In order to coordinate the different players, and to build trust in the evaluation scheme, SECAM vendors and testing laboratories will need to be accredited. The GSMA has proposed to take the SECAM accreditation role and has consequently formed the Network Equipment Security Assurance Group (NESAG). The GSMA NESAG will be an important 3GPP partner in the development and realisation of SECAM, and will coordinate with stakeholders to establish an accreditation process, dispute resolution process, as well as the necessary administrative structure to run the scheme.
The SECAM work item in 3GPP will now pave the way for a set of SeCurity Assurance Specifications for the different network product classes, with LTE network elements to be the first catered for.
Delivery of the first pilot SCAS (addressing the MME security requirements) is expected by Q4 2014. At that time, SECAM will enter a trial phase organised by NESAG with a ‘dry-run’ of the evaluations of MMEs against the specification and the vendor and test lab accreditation.
Once the trial is complete, the MME SCAS will be finalised and official evaluations will begin. 3GPP SA3 will then tackle the other network product classes.
By Loïc Habermacher and Isabelle Kraemer