24.2k unique visitors in the last 3 days

ENISA Publishes 5G Security Controls Matrix

This inventory of 5G cybersecurity objectives and mitigations is cross-referenced to a wide variety of technical and non-technical security and risk standards from around the world.

Those seeking best practice in cybersecurity for 5G networks have a valuable new free resource: EU cybersecurity agency ENISA has produced a comprehensive matrix of objectives, mitigations and checks which have been cross-referenced to ISO, 3GPP, ETSI, TM Forum, GSMA, NIST and other standards. The matrix provides guidance for both standalone and non-standalone 5G networks. It is provided in the form of a spreadsheet, the extensive nature of which is best conveyed by observing the 14 worksheets contain 24,526 populated cells, and would require 3,943 pages if printed.

The authors identified three use cases for the matrix, each of which focuses on the role of national regulatory authorities (NRAs).

Use case 1: NRAs use the 5G Matrix to review and update national regulation and frameworks, for example to understand what high level security objectives to include.

Use case 2: NRAs use the 5G Matrix to develop high-level or more technical questionnaires for operators, for example, to follow up on an incident ex-post, or to carry out supervision ex-ante, to understand how operators work in more detail and to provide guidance to mobile network operators at the national level.

Use case 3: NRAs use the Matrix to develop detailed technical guidance for telecom operators, for example on a specific topic that supports operators with deploying 5G networks securely.

I would have been tempted to emphasize that the same matrix can also be used by telcos to review and improve security before regulators issue any guidance. Businesses should seek to secure their assets and customers without relying on the compliance fallback of waiting to be told what to do. Any telco should be comparing the checklists they developed in-house or purchased from consultants to the contents of ENISA’s matrix to see if they are any gaps in their approach that need to be filled.

Many risk professionals who work in fields other than cybersecurity will skip past this article but that would be a mistake. It is vital to take an inter-disciplinary approach to mitigating increasingly intertwined risks even if cybersecurity is nominally the responsibility of somebody else in the organization. This means other risk professionals need to be mindful of the relationship between their work and cybersecurity. For example, business continuity professionals should be conscious of whether a network will remain resilient when it comes under attack, and it is increasingly unlikely that technology will remain secure if insufficient regard has been paid to vetting and monitoring staff. This is why ENISA has identified further work that will be done to incorporate ‘non-technical controls’ into their matrix including…

…risk management, human resources security, supplier risk management, access control policies, incident and business continuity management, based on standards such as ISO/IEC 27002, ISO/IEC 27005, ISO 22301 and NIST SP 800-53.

The matrix spreadsheet and supporting documentation is available without charge and without needing to register. The matrix spreadsheet can be downloaded by clicking here, a booklet for users of the matrix is here, and a brief history of the matrix is here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email