5G cybersecurity: report on Member States’ progress in implementing the EU Toolbox


On 24 July, the European Commission published a report prepared by the NIS Cooperation Group on the implementation of the 5G Toolbox.

This report shows that at least 15 Member States have a significant level of exposure to potentially high-risk vendors. In addition, most of the Member States are still struggling to implement a multi-vendor strategy.

Interestingly, Member States that indicated a high level of exposure to a potentially high-risk vendor also stated, in most cases, that they have a high degree of dependency on a single supplier for an individual Mobile Network Operator (MNO) or nationally.

On the technical side, it appears that the basic security requirements (not 5G specific) are applied in a great majority of Member States.

However, when it comes to security measures which are more specific to 5G networks (e.g. related to future standalone deployment options), the level of maturity in implementation is considerably lower. This is the case for the implementation of existing 5G standards or measures for increasing security in NFV, which currently have a low level of implementation maturity.

Please find below the link to the full report and a briefing.

Report

Background: the Toolbox

On 29 January 2020, the European Commission presented the EU toolbox for 5G networks. The Toolbox was prepared by the NIS Cooperation Group*, as planned in the Commission’s Recommendation on 5G published in March 2019.

The Toolbox recommends that additional security measures are introduced to specify detailed obligations for 5G networks, addressing a range of identified risks. Specifically, the Toolbox identifies and describes a set of Strategic and Technical measures, which may be put in place in order to mitigate the identified risks.

These measures are addressed to national and EU responsible authorities and agencies. The Toolbox is not legally binding, which means that its implementation largely depends on the willingness of the Member States and the EU’s follow-up. This new report gives an overview of the implementation at national level of both the Strategic and Technical measures.

*composed of representatives from Member States, the Commission and ENISA.

Key extracts from the report:

I) Strategic measures

-Strengthening the role of powers of regulatory authorities (medium-high maturity level)

A significant number of Member States have now introduced or have communicated detailed plans to introduce a legal basis to be able to impose restrictions or to prohibit the supply, deployment and operation of 5G network equipment, whereas until now they only had ex-post powers and controls and/or no powers to regulate the procurement of equipment and services by operators.

Among them, several Member States have put in place or are considering putting in place a pre-authorisation or notification mechanism, allowing them to assess operators’ 5G deployment plans on a case-by-case basis, by requiring operators either to seek approval before deploying 5G equipment or to notify their plans to authorities, who can in certain cases mandate specific restrictions or prohibitions.

In all cases, assessments are taking into account both technical and non-technical factors (e.g. the origin of the suppliers and/or the risk of interference by a third country). Moreover, decisions based on such mechanisms may also in some Member States apply retroactively, i.e. to existing equipment used in legacy parts of the networks.


-Restrictions for high-risk suppliers (medium maturity level)

[The chart above represents the number of Member States per estimated level of exposure]

A few Member States have already implemented measures aimed at minimising the exposure to risks from suppliers considered to be high risk while in a large majority of other Member States, this process is ongoing and, in many cases, well advanced. A small minority of Member States have not communicated specific information regarding their plans to implement this measure.

Regarding the identification of key network assets requiring higher protection, […] only one Member State has published a list of assets subject to pre-authorisation, which extends the scope of the regulatory powers beyond core network functions to cover also other highly sensitive parts of the networks (e.g. radio access network), in line with the Toolbox. A few others have announced that they would follow the Toolbox guidance as regards the rating of network asset sensitivity. […] Another approach […] consists of identifying all 5G elements and functions as sensitive and applying restrictions to the infrastructure as a whole.


-Ensuring the diversity of suppliers for individual MNOs through appropriate multi-vendor strategies and avoiding dependency on high-risk suppliers (low maturity level)

This measure shows a LOW level of maturity. Indeed, most Member States seem to be in the early stages of implementation of [the measure], with about half of the respondents indicating that they have implemented, or are in the process of implementing, measures, but a majority have not indicated a time-plan for the implementation.

It is worth noting that among the five Member States that have indicated a high level of exposure to a potentially high-risk vendor [see graph above], most have also stated that they have a high degree of dependency for an individual MNO and/or nationally.


II) Technical measures (security requirements for Mobile Network Operators)

-Ensuring the application of baseline security requirements (medium-high maturity level)

In a great majority of Member States this measure is either already implemented or is underway (twenty-three Member States).

Some of the techniques and best practices recommended by Member States include:

-Segregation of trial network from the main core;

-Regular periodic security testing and vulnerability assessments by independent trusted third parties, including tests on backhaul protection systems;

-Design and manage 5G systems according to the recommendations released by the 5G-Ensure project, involving the company’s security function.


-Implementation of security measures in existing 5G standards, such as existing security measures in 3GPP (low-medium maturity level)

Only a minority (two Member States) consider [this measure] already implemented. In the remaining Member States, only a minority (nine Member States) reported that the implementation is underway. While in some Member States, legislative instruments and relevant technical guidelines that are in place or that are currently being prepared include direct or indirect obligations for MNOs to comply with essential security requirements stemming from existing 5G standards (such as 3GPP), in other Member States these standards are not yet a point of reference to ensure security of 5G networks.

Some Member States have highlighted the fact that standards are still evolving and that their adoption and implementation by MNOs are still in an early phase.


-Ensuring strict access controls (medium-high maturity level)

Despite the fact that in a number of Member States this measure is considered to be implemented already, and that MNOs are considered to already have access control related measures implemented in line with relevant industry standards such as ISO 27001 or under the existing security requirements, there is an apparent need for further reinforcement of this measure, in line with the Toolbox recommendations and in relation to the underlying risks.

In some Member States this technical measure is addressed through the inclusion of related specific requirements in the authorisations required prior to the 5G auctions, and in some Member States this measure is implemented as part of a relevant critical infrastructure security framework.


-Ensuring secure 5G network management, operation and monitoring (medium maturity level)

This measure includes ensuring that MNOs run their Network Operation Centres (NOC) and/or Security Operation Centres (SOC) on premise, inside the country and/or inside the EU.

Most Member States appear to be currently considering revising and reinforcing these existing requirements or are already in the process of implementing such reinforcements. This typically includes the identification of new obligations for MNOs, sometimes with explicit provisions for MNOs operating 5G networks to ensure NOC/SOC operation on premises within EU territory and to have effective monitoring of all critical components and sensitive parts.


-Reinforcing software integrity, update and patch management (medium maturity level)

In a majority of Member States the implementation is underway (fifteen Member States). Only a small minority consider this measure implemented (three Member States). In a number of Member States there are existing patching policies and/or processes for software integrity, update and patch management in place, either voluntarily implemented or imposed on MNOs.

Many Member States are already considering hardening these existing requirements or including additional specific obligations for MNOs, so as to ensure adequate tools and processes are in place to safeguard software integrity.

In some Member States this technical measure is addressed through the inclusion of related requirements in the authorisations required prior to the 5G auctions.

Ideas considered by Member States for additional requirements include:

-Specifying requirements regarding the frequency and scope of MNO’s patching process;

-Controlling or restricting automatic software updates;

-Testing of patches in a lab environment and ensuring that devices are updated in controlled settings before deployment.


-Raising security standards in suppliers’ processes through robust procurement conditions (low-medium maturity level)

Even though suppliers are explicitly listed among the relevant actors for this measure in the Toolbox, there is a general understanding among Member States that the ultimate responsibility for implementation of this measure lies with the MNOs. There is also a de facto consensus among Member States that this could be achieved through a robust procurement process. Such requirements, however, are not always part of the general security requirements for MNOs.

Some Member States are now considering the inclusion of such requirements, based on international best practices, including the ENISA Baseline Security Requirements for the procurement of secure ICT products, while some are following EU measures in related legislation, such as the Radio Equipment Directive.

In some Member States, the approach to implement this measure is based on the system of authorisations for 5G deployments, applicable to both suppliers and MNOs, at least for the critical network assets.


Pages 41-44: summary of the findings:

To support implementation of some of these technical measures, it is also important that related supporting actions from the Toolbox are addressed, including:

-the development of the new guidelines on security measures in existing standards[…];

-ensuring increased European engagement in relevant standardisation bodies and contributing to achieving an appropriate level of convergence as regards technical measures relying on standardisation and certification, in line with existing legislation, such as but not limited to the Cybersecurity Act […], including through the subgroup on standardisation and certification.


If you have any questions on these issues, do not hesitate to contact Camille Dornier, Policy Manager: camille.dornier@eurosmart.com

Eurosmart
Rue de la Science 14B - 1040 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64