During the 5th Arab Security Conference, James Moran, Head of Security at the GSM Association, highlighted vital details about the Network Equipment Security Assurance Scheme (NESAS).
GSMA and 3GPP co-developed the scheme as a standardized security assessment mechanism suitable for vendor devices and mobile networks. NESAS’s objective is to provide an industry-wide security assurance framework to facilitate improvements in security levels across the entire industry.
In a nutshell, the NESAS standard defines security requirements and offers an assessment framework for secure product development and product lifecycle processes. It also provides security test cases used when evaluating network equipment. Accordingly, when vendors use the NESAS standard, they avert fragmented regulatory security requirements.
Moran notes that NESAS acts as a common global baseline for operators and national ICT security agencies. That would benefit both vendors and operators, particularly when used alongside other security protocols and policies covering the entire network lifecycle.
GSMA is responsible for the operational aspect of the mechanism, including methodologies and vendor processes. 3GPP focuses on security requirements and test cases. Meanwhile, third parties audit the network and vendor equipment according to GSMA’s FS.16 threat-based approach. NESAS complies with the Security Assurance Specifications (SCAS) standards and ISO/IEC 17025 when evaluating products in its “Test Labs.” Its primary aim is to ensure that the facts upon which experts base their security-related decisions are verifiable.
GSMA and 3GPP consulted with global operators, suppliers, government regulators, and industry partners to develop that framework based on three principal values.
The first is “Industry-defined, more authoritative.” NESAS is tailor-made for mobile communication devices, ensuring security, analyzing threats, defining critical assets, and assuring that networks meet security requirements.
The second value is “Globally unified and more efficient.” NESAS has straightforward, short, cost-effective authentication processes. That significantly benefits the efficiency of security testing.
The third pillar is “Continuous evolution and openness.” NESAS benefits from regular updates and a feedback section.
In addition to ensuring the technical security of vendor equipment and networks, NESAS indirectly helps its users comply with national legal requirements and policies.
One of the motivations for developing NESAS is that the scheme will help vendors and operators avert fragmented regulatory security requirements. NESAS should be used globally as a common baseline for operators or national IT security agencies.
Moran singled out supply chains as the sector benefiting the most when using NESAS to protect against cyber and physical threats. Implementing it would guarantee consumer trust in the vendors and their networks.