
Using the 5G Security Control Matrix for Telecommunication Risk Management
  • Blog
  • September 08, 2023

Silke Holtmanns

Telecommunication security expert, PwC Finland


The EU Agency for Cybersecurity (ENISA) assessed the risks that mobile networks face, and the EU published its 5G Toolbox in 2020, followed by a string of related documents, e.g., on network function virtualization. Those documents cover the fundamentals of mobile network protection, but their technical depth varies, and some are quite generic in their requirements.

While this generic risk approach keeps the documents relatively technology neutral, it also brings some risks of its own. Different EU Member States may interpret the ENISA requirements in different ways, so multinational operators and vendors face different requirements in each country they operate in, even within the European Single Market. That makes compliance certification costly and inefficient.

The 5G Security Control Matrix, published in May 2023, takes the previous ENISA documents into account together with relevant specifications from 3GPP, ISO, NIST, ITU, ETSI and eTOM. In particular, content was added from:

  • ISO/IEC 27002:2022
  • NIST SP 800-53, Rev 5
  • ISO 22301 – Business continuity management systems (Requirements)
  • ISO/IEC 27005 – Information security risk management

The new 5G Security Control Matrix is a complex Swiss army knife for mobile network security with nearly 400 controls. It builds upon the existing ENISA work, adds the relevant 3GPP specifications and elements from the documents above, and maps the resulting requirements against common existing standards and guidelines.

[Figure: 5G matrix]

The controls in the matrix are very detailed, and the evaluator needs to understand each of them in depth, which requires a deep understanding of telecommunication security. A "normal" cyber security assessment is not enough to apply the matrix correctly to a mobile network.

The matrix can be used to "standardize" a network assessment across different standards, and also across geographical regions. If an operator already holds a certification, e.g., ISO/IEC 27001 (with the ISO/IEC 27002 controls), or a vendor's MME is compliant with 3GPP TS 33.116 / TS 33.401, then that evidence can be mapped to the corresponding requirement in the 5G Security Control Matrix. This reduces compliance costs and harmonizes the requirements across the infrastructure. The mapping only holds within the scope of the existing evidence, though: an ISO/IEC 27001 certificate covers what its statement of applicability lists, and a SCAS test report covers the product version that was actually tested.

The 5G Security Control Matrix is not only for 5G; it also contains many security requirements for 4G and other legacy elements. The matrix can be customized by asset (e.g., MANO, NRF, MME), by deployment type, e.g., Standalone (SA) or Non-Standalone (NSA), or by cloud model, e.g., hybrid, private or public. While this is possible, most networks will have "special approaches" that do not fall clearly into those categories, e.g., a private cloud for the RAN and a hybrid cloud for the core, to name a simple case.

As each mobile network has a unique topology and architecture, the 5G Security Control Matrix needs to be adjusted to the specific target operator. The categories above help, but expert knowledge and a deep understanding of the inner workings of the network are required to customize the matrix correctly and to evaluate the protection evidence. This becomes even more challenging when the matrix is used to ensure the security of a 5G private network for critical infrastructure, e.g., in the framework of NIS2. The matrix is a good tool for that, but it requires even more customization for the private network's usage and deployment approach.

In parallel, ENISA has been working on an EU certification scheme for 5G network products, following a certification request issued by the European Commission. The idea is to develop a candidate certification scheme based on two existing industry good practices: one for network equipment (GSMA NESAS / 3GPP SCAS) and one for embedded SIMs and remote SIM provisioning (GSMA eUICC specifications). In the future, when this candidate scheme is ready and adopted, the 5G Security Control Matrix will be aligned with and mapped to the relevant controls of the new EU 5G certification scheme. It is therefore important to keep track of the latest developments of the matrix.

ENISA is also working on a web-tool version of the matrix, which is expected to be published at the end of 2023 or early in 2024.
