ENISA to Prepare 5G Security Certification Scheme
NEWS
The European Commission has requested that the European Union Agency for Cybersecurity (ENISA) develop an E.U.-wide cybersecurity certification scheme for 5G networks. The request leans on the Cybersecurity Act’s European Cybersecurity Certification Framework to allow the creation of market-driven E.U. certification schemes. The aim is two-fold: first, to address the technical vulnerabilities of 5G networks, and second, to harmonize all certification and best practice measures (for IT and cellular) under one scheme (reducing fragmentation between existing cyber certification schemes is one of the Cybersecurity Act’s mandates). ENISA will be expected to build on the E.U. Toolbox for 5G Security (published January 2020), and will look to involve the European Cybersecurity Certification Group (ECCG), the NIS Cooperation Group Work Stream, and its subgroup on 5G standardization and certification in the process.
A Boost for the 5G Security Market
IMPACT
The certification scheme will provide trust in the eventual rollout of enterprise applications in 5G, and in particular for Massive Machine-Type Communications (MMTC) and Ultra-Reliable Low-Latency Communications (URLLC). The efforts undertaken by the European Union to ensure trust in 5G will not just assuage national security concerns, but also boost enterprise adoption going forward.
In addition to the toolbox published last year, ENISA has released a number of supporting documents throughout the years that have aimed to cover issues related to 5G security. In December 2020, it published the ENISA Threat Landscape for 5G Networks Report (the fourth of its kind since 2016), and just recently (as of February 24, 2021), a detailed report on Controls in 3GPP Security Specifications (for 5G SA—Standalone), which builds upon the toolbox. In particular, the latter report provides guidance on how to implement security measures and controls appropriately from a mobile network operator and a supplier perspective. The document focuses on the 3GPP technical specification TS 33.501, which is the central security technical specification for 5G networks. Most important, the document references efforts by other groups as well, including ETSI, ITU-T, and IETF, among others, in order to ensure harmonization of efforts going forward. Next, ENISA plans to prepare a 5G Security Controls Matrix, which will be a one-stop-shop repository of security controls for 5G networks.
ABI Research expects 5G networks to have a positive impact on the cybersecurity industry over the next few years, with a forecasted global market of US$9 billion by 2025. Both security software and services will be in growing demand from enterprises looking to leverage trusted MMTC and URLLC applications. A security certification scheme for 5G will go a long way in marketing that trust in a relatable manner to enterprises. There will be opportunity for vendors and infrastructure providers to showcase certified product portfolios and architectures, as well as for the emergence of a lucrative service industry providing the services needed to obtain certification.
A New Gold Standard for 5G Security
RECOMMENDATIONS
To its credit, ENISA has taken a meticulous and extensive approach to informing on 5G security over the years, initially in 2016, with its first threat landscape report on the matter, and later in 2018, with research on signaling security vulnerabilities that will be inherited from 4G during the first hybrid rollouts (non-standalone 5G). Today, its latest report focused on 5G SA security tackles the next few years of 5G rollout. Now that the key critical security elements have been studied and presented, the certification scheme can build on that research concretely to provide the tools for market players to effectively prove they have achieved the requisite level of security and can be trusted to participate in the 5G market. There is little doubt that certification, much like regulation, provides an acceptable stamp of trust to end users, and will unlock business adoption in 5G applications (including for security market products in this space). Further, the reach and scope of an E.U. certification scheme makes it attractive from a global standpoint (much like the E.U.’s GDPR and the Common Criteria Recognition Agreement). As a gold standard of sorts, achieving certification will open doors to the lucrative 5G enterprise markets.