ENISA Publishes 5G Security Controls Matrix

Those seeking best practice in cybersecurity for 5G networks have a valuable new free resource: EU cybersecurity agency ENISA has produced a comprehensive matrix of objectives, mitigations and checks which have been cross-referenced to ISO, 3GPP, ETSI, TM Forum, GSMA, NIST and other standards. The matrix provides guidance for both standalone and non-standalone 5G networks. It is provided in the form of a spreadsheet, the extensive nature of which is best conveyed by observing that its 14 worksheets contain 24,526 populated cells and would require 3,943 pages if printed.

The authors identified three use cases for the matrix, each of which focuses on the role of national regulatory authorities (NRAs).

Use case 1: NRAs use the 5G Matrix to review and update national regulation and frameworks, for example to understand what high level security objectives to include.

Use case 2: NRAs use the 5G Matrix to develop high-level or more technical questionnaires for operators, for example, to follow up on an incident ex-post, or to carry out supervision ex-ante, to understand how operators work in more detail and to provide guidance to mobile network operators at the national level.

Use case 3: NRAs use the Matrix to develop detailed technical guidance for telecom operators, for example on a specific topic that supports operators with deploying 5G networks securely.

I would have been tempted to emphasize that the same matrix can also be used by telcos to review and improve security before regulators issue any guidance. Businesses should seek to secure their assets and customers without relying on the compliance fallback of waiting to be told what to do. Any telco should be comparing the checklists they developed in-house or purchased from consultants to the contents of ENISA’s matrix to see if there are any gaps in their approach that need to be filled.

Many risk professionals who work in fields other than cybersecurity will skip past this article but that would be a mistake. It is vital to take an inter-disciplinary approach to mitigating increasingly intertwined risks even if cybersecurity is nominally the responsibility of somebody else in the organization. This means other risk professionals need to be mindful of the relationship between their work and cybersecurity. For example, business continuity professionals should be conscious of whether a network will remain resilient when it comes under attack, and it is increasingly unlikely that technology will remain secure if insufficient regard has been paid to vetting and monitoring staff. This is why ENISA has identified further work that will be done to incorporate ‘non-technical controls’ into their matrix including…

…risk management, human resources security, supplier risk management, access control policies, incident and business continuity management, based on standards such as ISO/IEC 27002, ISO/IEC 27005, ISO 22301 and NIST SP 800-53.

The matrix spreadsheet and supporting documentation are available without charge and without needing to register. The matrix spreadsheet can be downloaded by clicking here, a booklet for users of the matrix is here, and a brief history of the matrix is here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.