Those seeking best practice in cybersecurity for 5G networks have a valuable new free resource: EU cybersecurity agency ENISA has produced a comprehensive matrix of objectives, mitigations and checks which have been cross-referenced to ISO, 3GPP, ETSI, TM Forum, GSMA, NIST and other standards. The matrix provides guidance for both standalone and non-standalone 5G networks. It is provided in the form of a spreadsheet, the extensive nature of which is best conveyed by observing that the 14 worksheets contain 24,526 populated cells and would require 3,943 pages if printed.
The authors identified three use cases for the matrix, each of which focuses on the role of national regulatory authorities (NRAs).
Use case 1: NRAs use the 5G Matrix to review and update national regulation and frameworks, for example to understand what high level security objectives to include.
Use case 2: NRAs use the 5G Matrix to develop high-level or more technical questionnaires for operators, for example, to follow up on an incident ex-post, or to carry out supervision ex-ante, to understand how operators work in more detail and to provide guidance to mobile network operators at the national level.
Use case 3: NRAs use the Matrix to develop detailed technical guidance for telecom operators, for example on a specific topic that supports operators with deploying 5G networks securely.
I would have been tempted to emphasize that the same matrix can also be used by telcos to review and improve security before regulators issue any guidance. Businesses should seek to secure their assets and customers without relying on the compliance fallback of waiting to be told what to do. Any telco should be comparing the checklists they developed in-house or purchased from consultants to the contents of ENISA’s matrix to see if there are any gaps in their approach that need to be filled.
Many risk professionals who work in fields other than cybersecurity will skip past this article but that would be a mistake. It is vital to take an inter-disciplinary approach to mitigating increasingly intertwined risks even if cybersecurity is nominally the responsibility of somebody else in the organization. This means other risk professionals need to be mindful of the relationship between their work and cybersecurity. For example, business continuity professionals should be conscious of whether a network will remain resilient when it comes under attack, and it is increasingly unlikely that technology will remain secure if insufficient regard has been paid to vetting and monitoring staff. This is why ENISA has identified further work that will be done to incorporate ‘non-technical controls’ into their matrix including…
…risk management, human resources security, supplier risk management, access control policies, incident and business continuity management, based on standards such as ISO/IEC 27002, ISO/IEC 27005, ISO 22301 and NIST SP 800-53.
The matrix spreadsheet and supporting documentation are available without charge and without needing to register. The matrix spreadsheet can be downloaded by clicking here, a booklet for users of the matrix is here, and a brief history of the matrix is here.