Fifth Arab Security Conference highlights criteria to secure networks

• GSMA and 3GPP developed the NESAS mechanism to standardize device and mobile network security.
• James Moran, Head of Security at the GSM Association, introduced the NESAS network security standard to Egypt for the first time.

During the Fifth Arab Security Conference, James Moran, Head of Security at the GSM Association, highlighted vital details about the Network Equipment Security Assurance Scheme (NESAS). GSMA and 3GPP co-developed it as a standardized security assessment mechanism suitable for vendor devices and mobile networks. NESAS’s objective is to provide an industry-wide security assurance framework to facilitate improvements in security levels across the entire industry.

In a nutshell, the NESAS standard defines security requirements and offers an assessment framework for secure product development and product lifecycle processes. It also provides security test cases used when evaluating network equipment. Accordingly, when vendors use the NESAS standard, they avert fragmented regulatory security requirements.

Moran notes that NESAS acts as a common global baseline for operators and national ICT security agencies. That would benefit both the vendor and operator, mainly when used alongside other security protocols and policies covering the entire network lifecycle.

GSMA is responsible for the operational aspect of the mechanism, including methodologies and vendor processes. 3GPP focuses on security requirements and test cases. Meanwhile, third parties audit the network and vendor equipment according to GSMA’s FS.16 threat-based approach. NESAS complies with the Security Assurance Specifications (SCAS) standards and ISO/IEC 17025 when evaluating products in its “Test Labs.” Its primary aim is to ensure that the facts upon which experts base their security-related decisions are verifiable.

GSMA and 3GPP consulted with global operators, suppliers, government regulators, and industry partners to develop that framework based on three principal values.

The first is “Industry-defined, more authoritative.” The NESAS is tailor-made for mobile communication devices, ensuring security, analyzing threats, defining critical assets, and assuring networks meet security requirements.

The second value is “Globally unified and more efficient.” NESAS has straightforward, short, cost-effective authentication processes. That significantly benefits the efficiency of security testing.

The third pillar is “Continuous evolution and openness.” NESAS benefits from regular updates and a feedback section.

In addition to ensuring the technical security of vendor equipment and networks, NESAS indirectly helps its users comply with national legal requirements and policies.

One of the motivations for developing NESAS is that the scheme will help vendors and operators avert fragmented regulatory security requirements. NESAS should be used globally as a common baseline for operators or national IT security agencies.

Moran singled out supply chains as the sector benefiting the most when using NESAS to protect against cyber and physical threats. Implementing it would guarantee consumer trust in the vendors and their networks.

What is GSMA?

The GSM Association is an industry organization representing mobile network operators worldwide. Over 750 mobile operators are full-time GSMA members, and a further 400 are associate members.

The GSMA mission is to produce industry-leading MWC events held annually in Barcelona, Los Angeles, and Shanghai. It also has the Mobile 360 Series of regional conferences.

What is NESAS?

NESAS is a standardized cybersecurity assessment mechanism that GSMA and 3GPP co-developed with major global operators, vendors, industry partners, and regulators. It provides an industry-wide security assurance framework across the mobile industry. It is a voluntary scheme that networks and vendors use to develop products and ensure comprehensive security audits.

NESAS defines security requirements, acting as an assessment framework for secure product development and lifecycle processes. The mechanism uses the 3GPP-defined security test cases to evaluate network security standards.

GSMA NESAS is widely accepted in the mobile industry, commanding the confidence of major telecom equipment makers. It aims to ensure the security and reliability of 5G networks within the industry and is an essential consideration for all regional markets.

What is the 3GPP?

The 3rd Generation Partnership Project’s (3GPP) Security Assurance Methodology (SECAM) is used in 3GPP Nodes to provide secure network architectures. In addition, the 3GPP SA3 produces technical reports to describe new security assurance and evaluation frameworks for mobile network products. 3GPP’s SECAM aims to provide standard and testable baseline security for different network product classes.