The GSMA, an industry organization representing the interests of global mobile network operators, has announced that major vendors ZTE, Ericsson, Huawei and Nokia have passed an independent security audit of their product development and lifecycle management processes and intend to submit network equipment for evaluation in the second test round.
This testing scheme is called the Network Equipment Security Assurance Scheme (NESAS) and is said to have been designed to increase industry confidence in telecommunications network equipment while promoting a more coordinated mobile market. NESAS was jointly established by the GSMA and 3GPP.
NESAS provides an industry-wide security assurance framework to improve the level of security throughout the mobile industry. The scheme defines security requirements and an assessment system for secure product development and product life cycle processes, and uses 3GPP-defined security test cases to assess the security of network equipment. The audits are conducted by world-class security auditing companies on behalf of the GSMA.
The first phase, which the vendors passed, was an assessment of their product development and lifecycle management processes. Alex Sinclair, GSMA CTO, commented: “By committing to NESAS, vendors are helping network operators and other stakeholders make informed decisions about secure product development. We look forward to others participating in the scheme, evidencing their commitment to good security practice by promoting a security-by-design culture within the industry.”
In the second stage, vendors will submit network equipment products to qualified testing laboratories for evaluation. It is questionable to what extent this process will provide significant assurances about the security status of the entire portfolio. However, failure at any stage of NESAS will pose a problem for the relevant vendor. In total, NESAS has 20 assessment categories that define security requirements, a 5G product assessment framework and a product life cycle assessment system.
The GSMA actively supports the latest developments and efforts being made in the industry to increase the level of security of network infrastructure.