ENISA Publishes 5G Cybersecurity Standards
The European Union Agency for Cybersecurity (ENISA) has published its 5G Cybersecurity Standards report, which examines 5G cybersecurity standardization from a technical and organizational perspective. The report aims to highlight the role of standardization in reducing technical risks and enhancing trust and resilience within the 5G ecosystem. It examines the 5G landscape across its technological, functional, process, and stakeholder dimensions. Its scope is limited to the technical and organizational aspects of standardization; it does not cover the effectiveness of specific standards or strategic considerations related to 5G security.
Key points of the report include:
- Collection and Analysis of Documents: The report gathers over 140 documents, including standards, specifications, and guidelines relevant to 5G cybersecurity as of September 2021. It assesses how these documents meet security objectives within the 5G ecosystem.
- Identification of Gaps: By comparing existing literature to an ideal scenario of cybersecurity robustness, the report identifies gaps in standardization, particularly in addressing necessary technical and organizational security aspects.
- Observations and Findings:
  - Existing standards are generally applicable but need tailoring for specific 5G technical and functional domains.
  - 5G-specific standards are more available to telecommunications sector stakeholders than to others, such as audit organizations or the connected devices industry.
  - The standards primarily cover the ‘run’ phase of the technology lifecycle, with other phases requiring more specific tailoring.
  - Current knowledge bases on cybersecurity threats and IT-security guidelines can support 5G cloud-native architectures and API-based architectures.
  - There is a lack of comprehensive literature for end-to-end trust and resilience in the 5G ecosystem.
- Gaps in Standardization: Moderate gaps exist in governance, risk management, and security of human resources, while major gaps are found in areas like operations management, business continuity, and incident management.
- Recommendations:
  - Adopt a progressive approach to 5G standardization, considering the usefulness, necessity, and strategic alignment of new standards.
  - Harmonize risk assessment practices to include all stakeholders in the 5G ecosystem.
- Broader Perspective: The report emphasizes that while technical and organizational standards contribute to 5G security, they are not exhaustive. It acknowledges risks not covered by standards, such as societal risks from network malfunctions. The report advocates for a comprehensive, future-proof vision of trust and resilience that transcends standardization, considering the complexity and evolving nature of 5G networks.
The report is available here: https://www.enisa.europa.eu/publications/5g-cybersecurity-standards
Marin Ivezic
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.