As one of the first companies in Germany, atsec has become a certified evaluation laboratory in the Network Equipment Security Assurance Scheme Cybersecurity Certification Scheme – German Implementation (NESAS CCS-GI), maintained by BSI (Bundesamt für Sicherheit in der Informationstechnik). This certification scheme is based on the Groupe Speciale Mobile Association (GSMA) NESAS, in which atsec can perform security testing (i.e., SCAS testing) for security-critical 4G/5G telecommunication equipment.
NESAS is an effort to provide an industry-wide security assurance framework to facilitate improvements in security levels across the whole industry. It defines security requirements and an assessment framework for secure product Development and Product Lifecycle Processes as well as security test cases for the security evaluation of network equipment. The security requirements have been defined and are being actively maintained by the 3rd Generation Partnership Project (3GPP), a global consortium of standardization organizations as well as industry partners around the world.
A successful certification under NESAS CCS-GI will provide the product vendor with a certificate from BSI to assure customers that the requirements mandated by the standard are fulfilled. The equipment types/functionality eligible for certification are:
– access and mobility management functions (MME/AMF)
– base station software (eNB, gNB)
– IP Multimedia Subsystems (IMS)
– Packet Data Network Gateways (PGW)
– Network Slice-Specific Authentication and Authorization Function (NSSAAF)
– User Plane Functions (UPF)
– Unified Data Management functions (UDM)
– Session Management Functions (SMF)
– Authentication Server Functions (AUSF)
– Security Edge Protection Proxies (SEPP)
– Network Repository Functions (NRF)
– Network Exposure Functions (NEF)
– Non-3GPP InterWorking Functions (N3IWF)
– Network Data Analytics Functions (NWDAF)
– Service Communication Proxies (SCP)
The SCAS testing not only covers security functions that are specific to a certain network product but also focuses on a broad set of security aspects like authentication and authorization between components within the 5G core network, robustness in overload or malicious input scenarios, as well as general hardening configurations of the involved computing platforms.
atsec is now in a unique position to be able to provide Network Product evaluations under the NESAS CCS-GI and GSMA NESAS schemes. The requirements for both schemes are very similar, which will enable atsec to provide more efficient and cost-effective services for vendors that select atsec as a single lab provider for both schemes.
The achievement of becoming an approved IT security provider in the NESAS CCS-GI scheme extends the scope of our general Common Criteria laboratory competence, and it is a logical next step in atsec’s continuous activity in the telecommunication area.
atsec is one of two German NESAS CCS-GI laboratories:
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Listen/Liste-NESAS-Pruefstellen/liste-nesas-pruefstellen_dvl.html
GSMA NESAS test laboratories:
https://www.gsma.com/security/nesas-authorised-test-laboratories
atsec is one of two GSMA NESAS-appointed auditors:
https://www.gsma.com/security/nesas-appointed-auditors
There is a talk on making network equipment more resilient:
https://www.gsma.com/services/resources/building-resilience-into-network-equipment-securityshowcase-live-5