How to test 5G to be sure the code and hardware are safe?

How to make sure your infrastructure is secure? How do you know that there are no backdoors, bugs or other issues that may affect the user experience? It's best to test it!

The same applies to 5G infrastructure, which has dominated the media headlines for several months due to the tension between China and the United States. What are the technology verification options? It turns out that the standard that perfectly fits the market needs is entering into force, namely NESAS, about which Rafał Jaczyński, Huawei's head of security in the region of Central and Eastern Europe and the Nordic countries, tells me.

We publish the interview a few days after both the core and wireless 5G network equipment from Huawei successfully passed the NESAS verification.

Karol Kopańko, Spider's Web: Can we first draw a wide landscape of technology testing in Polish (and not only) telecommunications?

Rafał Jaczyński: Let's go back to history - to the early 1990s. From the very beginning, the operators were mostly left to themselves in the field of hardware and software security testing. Governments were only interested in regulating the so-called legal wiretaps, leaving all tests to the operators. Meanwhile, building laboratories from scratch is associated with a high cost.

And the operator business is not coconuts - we often hear about reaching the end of market penetration.

Over the last five years, operators have lost approx. 40 percent. revenues. Penetration of the smartphone market is already stable.

Who was supposed to buy a cell phone, had already bought it.

Yes, we are the fourth country in this respect in the European Union. Penetration with mobile internet services is over 180%, which means that almost every statistical Pole already uses mobile internet on two different devices. We also had over 52 million active SIM cards at the end of 2019. So it is not special to whom to sell the new services.

On the other hand, traffic in mobile networks has increased almost sevenfold in the last 5 years. So it is a unique business. When a hot dog stand sells more sausages, its revenues increase. Here, however, you sell more and earn less and less.

So maybe vendors should finance testing to reassure operators they're not at fault with security?

This is happening now, but similarly to the above, unfortunately in the long term it has no economic justification. Association

GSMA has 750 members, so if we had to do independent testing for each of them, our business would unfortunately stop being profitable. Not the way. It is much better to rely on standards that would be repeatable for all market participants, regardless of the country they come from.

Currently, there are statements in the style of Trusted Vendor - can't this be what it is?

It has nothing to do with fair tests, because it usually means that the supplier comes from a country that we "like". Yet the future may bring suppliers who are great at technology but come from India or Malaysia. Without clear standards, we will be doomed to the same discussion as today.

So what is changing on the market?

We have been observing the changes for eight years. It was then that 3GPP started working on the NESAS standard.

It is to this organization that we owe SCAS (Security Assurance Specification), i.e. guidelines on what makes a given solution safe.

Two years later, the GSMA association joined the project, taking the baton and enriching NESAS with the process and competence side of the supplier.

What competencies are tested?

You need to check the supplier's skills and how he not only designs and builds solutions, but also the possibility of supporting them with security patches. Even if a given solution looks correct, we need to know if it is a stroke of luck or the provider simply knows what he is doing. We are associated with it for a longer time, so a process audit is necessary.

What about Common Criteria Certification? After all, it is also used to certify that the solution is safe. Huawei even got such a certificate from a Spanish laboratory.

This is true. The Common Criteria describes well the requirements for the lab itself and the test method. Graphically translating: we know whether to tap the box, open it, remove the screws and look at each one under a microscope. It's all well described so the whole process is repeatable.

The weakness of Common Criteria, however, is the lack of common requirements that would define what exactly is to be tested in a given type of product. So it could happen that supplier A tested the solution for X, and supplier B tested the same, but for Y. The results were therefore not reliable.

So when two suppliers come to an operator with the same certification, it doesn't mean that the operator is easy to crack.

That's why it's not easy to apply Common Criteria to 5G network testing right now.

How does NESAS approach this ?

Common Criteria and NESAS are two ideas that try to solve the same problem from different places.

How are they different?

Comparing the two approaches, the Common Criteria currently better answers the "how to test" question, and NESAS has a better answer to the "what to test" question.

And the test itself - practically already - how will it differ?

It starts very much the same. The manufacturer supplies the product that is the subject of the tests. Then, in the case of Common Criteria, we agree on a set of requirements, i.e. what we test. We share information about the product, explaining safety functions and their operation. We set the test level, for example at the fourth.

What does this fourth level mean?

This is the depth of the tests. The fourth level is the highest level of rational testing for a device that does not primarily provide security. So it is not as closed an environment as a single microprocessor card, which is mostly focused on ensuring security. A base station has hundreds of millions of lines of code and much more than just keeping it safe.

What would happen if we tested the base station on the seventh level?

It would be extremely safe, but it probably wouldn't work.

I understand. And then the laboratory starts working?

Yes, the Common Criteria has a specific test track. The work of the laboratory ends with a report that is sent to the certification body, i.e. in the Polish case to NASK, which analyzes the report and decides about issuing the certificate.

And what does it look like with NESAS?

The verification process itself is similar. In the case of NESAS, there is no certification body that stamps the report, there is a report signed by organizations that conduct technical tests and procedural audit

Another difference is the length of the tests. In the case of NESAS, they last from 3 to 6 months. In Common Criteria on the fourth level, we can even talk about 1.5 years of testing.

After all, it is an eternity in the world of technology, where each year brings a new generation of devices.

Exactly. NESAS has the chance to "keep up" with the product lifecycle much better. On the other hand, Common Criteria is a much more mature standard. It is already operated by 80 laboratories. In the case of NESAS, there are several of these laboratories and there are two companies that deal with their process audit.

Another challenge that arises from NESAS's short experience is the range of techniques that are used for verification - for example, there is no penetration testing. Only scans that look for known vulnerabilities are performed here. There is no attempt to make the device behave differently than the programmers requested.

Why? Both things seem crucial.

NESAS evolves from year to year, adding more elements to its specification. You suspect that the first version simply ran out of time to standardize penetration testing.

The challenge here is to ensure test comparability, as there is no such thing as an internationally recognized methodology for penetration testing. The idea is to make the tests of one laboratory comparable to the tests of another. And here everyone tests differently. It is difficult to place such a creative process in any formalized framework. NESAS 2.0, however, will definitely be improved over what we have now. It is already known that the standard will be extended to include penetration testing and verification of cryptographic mechanisms.

We started talking about a general standard that would give confidence to all market participants. Let's come back to this issue in the context of NESAS.

Currently, NESAS and Common Criteria complement each other, both are candidates for certification schemes in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, known as the "Cybersecurity Act". NESAS has a greater chance of being used specifically for 4G and 5G networks, which is why it is increasingly recognized by European governments - for example, Germany promotes its adoption as a European testing standard. Austria will refer to NESAS when it created its own requirements for 5G technology.

Since it is already cited by countries, who will manage it in the future?

The management of NESAS will be delegated to the European Commission. It is she who has to take care of the standard, because the GSMA Association is a commercial organization that cannot - according to the Cybersecurity Act - accredit laboratories and certification bodies. Only in this way will NESAS become a pan-European standard recognized at the government level.

What will the consequences be?

When a technology is certified as compliant with NESAS in Poland, it will be a certification recognized in accordance with the Cybersecurity Act throughout the European Union.

And this should cut short discussions about the security of a given software or hardware?

It should.

* Huawei is the intelligence partner.



How to test 5G to be sure the code and hardware are safe?

Comments

  1. Nice list of bloggers. From this blog i learned more and get to know more .Thank you for sharing this great post. Field Network Testing

    ReplyDelete

Post a Comment

Popular posts from this blog

What is VoLTE and how can you activate it on your Xiaomi

So you can check the battery status of your Xiaomi smartphone and how many cycles you have performed

How to exit the FASTBOOT mode of your Xiaomi if you have entered accidentally

Does your Xiaomi charge slowly or intermittently? So you can fix it

Problems with Android Auto and your Xiaomi? So you can fix it

If your Xiaomi disconnects only from the WiFi it may be because of that MIUI setting

How to change the font in MIUI and thus further customize your Xiaomi: so you can change the type, color and size of the letters of MIUI

What is the Safe Mode of your Xiaomi, what is it for and how can you activate it

Improve and amplify the volume of your Xiaomi and / or headphones with these simple adjustments

How to activate the second space if your Xiaomi does not have this option