diff --git a/.gitignore b/.gitignore
index 0e51560e58..a9b155db3c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ django_secret_key
 temp/
 db/
 .dccache
+/backend/profiles
diff --git a/backend/core/helpers.py b/backend/core/helpers.py
index 3e515bb109..be9b956179 100644
--- a/backend/core/helpers.py
+++ b/backend/core/helpers.py
@@ -309,12 +309,6 @@ def get_sorted_requirement_nodes_rec(
 "status_display": req_as.get_status_display(),
 "status_i18n": camel_case(req_as.status),
 "style": "leaf",
- "threats": ThreatReadSerializer(
- req.threats.all(), many=True
- ).data,
- "reference_controls": ReferenceControlReadSerializer(
- req.reference_controls.all(), many=True
- ).data,
 }
 )
 else:
@@ -325,12 +319,6 @@ def get_sorted_requirement_nodes_rec(
 "name": req.name,
 "description": req.description,
 "style": "leaf",
- "threats": ThreatReadSerializer(
- req.threats.all(), many=True
- ).data,
- "reference_controls": ReferenceControlReadSerializer(
- req.reference_controls.all(), many=True
- ).data,
 }
 )
 return result
diff --git a/backend/core/migrations/0013_requirementnode_typical_evidence.py b/backend/core/migrations/0013_requirementnode_typical_evidence.py
new file mode 100644
index 0000000000..3cf411fa71
--- /dev/null
+++ b/backend/core/migrations/0013_requirementnode_typical_evidence.py
@@ -0,0 +1,19 @@
+# Generated by Django 5.0.4 on 2024-05-20 10:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ("core", "0012_alter_appliedcontrol_updated_at_and_more"),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="requirementnode",
+ name="typical_evidence",
+ field=models.TextField(
+ blank=True, null=True, verbose_name="Typical evidence"
+ ),
+ ),
+ ]
diff --git a/backend/core/models.py b/backend/core/models.py
index 387dcb216f..b0d38b9479 100644
--- a/backend/core/models.py
+++ b/backend/core/models.py
@@ -536,6 +536,9 @@ class RequirementNode(ReferentialObjectMixin):
 null=True, verbose_name=_("Implementation groups")
 )
 assessable = models.BooleanField(null=False, verbose_name=_("Assessable"))
+ typical_evidence = models.TextField(
+ null=True, blank=True, verbose_name=_("Typical evidence")
+ )

 class Meta:
 verbose_name = _("RequirementNode")
diff --git a/backend/library/libraries/enisa-5g-scm-v1.3.yaml b/backend/library/libraries/enisa-5g-scm-v1.3.yaml
index 99be4dd18f..434e30a7c8 100644
--- a/backend/library/libraries/enisa-5g-scm-v1.3.yaml
+++ b/backend/library/libraries/enisa-5g-scm-v1.3.yaml
@@ -753,6 +753,9 @@ objects:
 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so1
 ref_id: SO1-001
 description: Security policy is defined, followed, and kept updated
+ typical_evidence: MNO has well-defined and documented security policies, procedures,
+ and best practices. MNO also has a documented audit process to confirm that
+ security policy and procedures are followed and are effective
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M1
 - risk:reference_control:enisa-5g-scm:5G-M2
@@ -760,14 +763,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M4
 - risk:reference_control:enisa-5g-scm:5G-M5
 - risk:reference_control:enisa-5g-scm:5G-M6
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node5
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so1-001
- name: Evidence
- description: MNO has well-defined and documented security policies, procedures,
- and best practices. MNO also has a documented audit process to confirm that
- security policy and procedures are followed and are effective
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so1-002
 assessable: true
 depth: 3
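Review bot: The new `typical_evidence` field is declared with both `null=True` and `blank=True`, so "no evidence" can be stored either as SQL NULL or as an empty string, and any later `isnull`/equality filter or template check has to handle both; unless NULL must be distinguishable from an empty value supplied by a library, the usual Django form for text fields is `typical_evidence = models.TextField(blank=True, default="", verbose_name=_("Typical evidence"))` with the migration adjusted to match. The value is free text imported from library YAML and is presumably rendered to users, so whatever displays it should keep escaping it as untrusted content; nothing in this hunk shows how it is rendered, so that is a note for the consumers rather than for the model. A short `help_text` (or a comment) saying the field carries the "typical evidence" an auditor would expect for the requirement would also help, since the name alone does not say whether it is guidance or a recorded finding. The `RequirementNode` class starts and ends outside this hunk.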
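Review bot: The removed `Evidence` child nodes (here `node5` under `so1-001`) and the new `typical_evidence` keys only take effect for libraries imported after this change; nothing in the diff backfills `typical_evidence` or deletes the stale `name: Evidence` leaves for deployments that already loaded enisa-5g-scm-v1.3, so those instances would presumably keep showing the old depth-4 evidence nodes next to an empty field. If the library header (outside this hunk) declares a version, bumping it so the importer treats this as an update is the minimal step; otherwise a data migration that copies each `Evidence` child's `description` into its parent's `typical_evidence` and then removes the child is needed. It would also be worth a comment in the file header stating that evidence is now carried by `typical_evidence` rather than by child nodes, so that future conversions of ENISA updates follow the same layout. The `objects:` list starts well before this hunk.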
@@ -775,6 +770,9 @@ objects: ref_id: SO1-002 description: Industry trends and best practices related to security management should be monitored + typical_evidence: MNO has documented processes, tools, and responsible personnel + for monitoring industry trends and best practices related to security management. + If applicable, MNO has monitoring records, such as reports and lessons learnt reference_controls: - risk:reference_control:enisa-5g-scm:5G-M1 - risk:reference_control:enisa-5g-scm:5G-M2 @@ -782,14 +780,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M4 - risk:reference_control:enisa-5g-scm:5G-M5 - risk:reference_control:enisa-5g-scm:5G-M6 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node7 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so1-002 - name: Evidence - description: MNO has documented processes, tools, and responsible personnel - for monitoring industry trends and best practices related to security management. - If applicable, MNO has monitoring records, such as reports and lessons learnt - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2 assessable: false depth: 2 @@ -806,6 +796,9 @@ objects: ref_id: SO2-001 description: Extensive assessment of virtualization-related vulnerabilities for MEC components + typical_evidence: Documentation of MEC components lists potential vulnerabilities + relating to using MEC components in virtualized environments, along with appropriate + measures to ensure their secure deployment/operation reference_controls: - risk:reference_control:enisa-5g-scm:5G-M7 - risk:reference_control:enisa-5g-scm:5G-M8 
@@ -814,20 +807,17 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M11 - risk:reference_control:enisa-5g-scm:5G-M12 - risk:reference_control:enisa-5g-scm:5G-M13 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node10 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-001 - name: Evidence - description: Documentation of MEC components lists potential vulnerabilities - relating to using MEC components in virtualized environments, along with appropriate - measures to ensure their secure deployment/operation - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-002 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2 ref_id: SO2-002 description: Insurable risks are identified, assessed, and appropriately mitigated + typical_evidence: Documented (i) process of identifying insurable risks, (ii) + list of insurable risks with their owners, (iii) risk assessment and evaluation + criteria as well as results (documented risk analysis), (iv) selected security + controls for each of the identified risks, and (v) a list of accepted residual + risks reference_controls: - risk:reference_control:enisa-5g-scm:5G-M7 - risk:reference_control:enisa-5g-scm:5G-M8 
@@ -836,16 +826,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M11 - risk:reference_control:enisa-5g-scm:5G-M12 - risk:reference_control:enisa-5g-scm:5G-M13 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node12 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-002 - name: Evidence - description: Documented (i) process of identifying insurable risks, (ii) list - of insurable risks with their owners, (iii) risk assessment and evaluation - criteria as well as results (documented risk analysis), (iv) selected security - controls for each of the identified risks, and (v) a list of accepted residual - risks - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-003 assessable: true depth: 3 @@ -855,20 +835,7 @@ objects: proactively. Threats of particular significance for 5G networks are included. Identified risks are aligned with the main risks for 5G networks identified in the EU Coordinated Risk Assessment of 5G Network Security. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M7 - - risk:reference_control:enisa-5g-scm:5G-M8 - - risk:reference_control:enisa-5g-scm:5G-M9 - - risk:reference_control:enisa-5g-scm:5G-M10 - - risk:reference_control:enisa-5g-scm:5G-M11 - - risk:reference_control:enisa-5g-scm:5G-M12 - - risk:reference_control:enisa-5g-scm:5G-M13 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node14 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-003 - name: Evidence - description: MNO has documented risk analysis policy and procedures, including + typical_evidence: MNO has documented risk analysis policy and procedures, including a documented list of threats and risk scenarios with their sources, including to 5G networks, which also involves threat information collected from external sources. Documented list of external sources for threat and risk monitoring 
@@ -877,6 +844,14 @@ objects: and open source solutions such as MISP/OpenCTI). The documented list of threats and risk scenarios is aligned with the EU Coordinated Risk Assessment of 5G Network Security. + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M7 + - risk:reference_control:enisa-5g-scm:5G-M8 + - risk:reference_control:enisa-5g-scm:5G-M9 + - risk:reference_control:enisa-5g-scm:5G-M10 + - risk:reference_control:enisa-5g-scm:5G-M11 + - risk:reference_control:enisa-5g-scm:5G-M12 + - risk:reference_control:enisa-5g-scm:5G-M13 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-004 assessable: true depth: 3 @@ -884,6 +859,12 @@ objects: ref_id: SO2-004 description: A baseline set of security controls should be selected, designed, and specified + typical_evidence: A documented risk management plan with assets and threats. + Documented processes and, if applicable, other records of using the risk management + plan as input for specification of security controls. Documented processes + and, if applicable, other records (such as review comments) showing that the + preventive measures listed by the security controls have been compared against + catalogues of best practices such as ISO 27001/ITU x.1051 reference_controls: - risk:reference_control:enisa-5g-scm:5G-M7 - risk:reference_control:enisa-5g-scm:5G-M8 
@@ -892,17 +873,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M11 - risk:reference_control:enisa-5g-scm:5G-M12 - risk:reference_control:enisa-5g-scm:5G-M13 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node16 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-004 - name: Evidence - description: A documented risk management plan with assets and threats. Documented - processes and, if applicable, other records of using the risk management plan - as input for specification of security controls. Documented processes and, - if applicable, other records (such as review comments) showing that the preventive - measures listed by the security controls have been compared against catalogues - of best practices such as ISO 27001/ITU x.1051 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-005 assessable: true depth: 3 @@ -915,6 +885,10 @@ objects: \ is carried out at the beginning to ensure products/solutions are evaluated\ \ against known risks. However, this should be automated once the products\ \ are implemented in the network." + typical_evidence: "Verification of the evaluation report by the MNO to ensure\ + \ that deployed VNFs conform to security functional and assurance requirements.\ + \ \n \nIn case of a Common Criteria certification, MNO verifies the certificate\ + \ issued by an accredited laboratory and certification body." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M7 - risk:reference_control:enisa-5g-scm:5G-M8 
@@ -923,15 +897,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M11 - risk:reference_control:enisa-5g-scm:5G-M12 - risk:reference_control:enisa-5g-scm:5G-M13 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node18 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so2-005 - name: Evidence - description: "Verification of the evaluation report by the MNO to ensure that\ - \ deployed VNFs conform to security functional and assurance requirements.\ - \ \n \nIn case of a Common Criteria certification, MNO verifies the certificate\ - \ issued by an accredited laboratory and certification body." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so3 assessable: false depth: 2 @@ -947,21 +912,16 @@ objects: ref_id: SO3-001 description: Assign security roles and responsibilities to personnel with clear segregation of duties + typical_evidence: List of MNO personnel with documented non-overlapping security + roles and responsibilities. Documented processes are in place for regularly + reviewing and revising the structure of roles and responsibilities based on + changes and/or past incidents reference_controls: - risk:reference_control:enisa-5g-scm:5G-M14 - risk:reference_control:enisa-5g-scm:5G-M15 - risk:reference_control:enisa-5g-scm:5G-M16 - risk:reference_control:enisa-5g-scm:5G-M17 - risk:reference_control:enisa-5g-scm:5G-M18 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node21 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so3-001 - name: Evidence - description: List of MNO personnel with documented non-overlapping security - roles and responsibilities. Documented processes are in place for regularly - reviewing and revising the structure of roles and responsibilities based on - changes and/or past incidents - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 assessable: false depth: 2 
@@ -978,6 +938,12 @@ objects: ref_id: SO4-001 description: Equipment installed outside a telecommunications organization's own premises should be sited in a protected area + typical_evidence: Contracts with third parties hosting the equipment contain + requirements for adhering to security best practices and industry standards. + Documented security policy for contracts with third parties and a list of + contracts with third-parties. Verify that residual risks are included in incident + management plans/processes (for incidents) and business continuity plans/processes + (for disasters) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -987,23 +953,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node24 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-001 - name: Evidence - description: Contracts with third parties hosting the equipment contain requirements - for adhering to security best practices and industry standards. Documented - security policy for contracts with third parties and a list of contracts with - third-parties. Verify that residual risks are included in incident management - plans/processes (for incidents) and business continuity plans/processes (for - disasters) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-002 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-002 description: Protection against semiconductor doping + typical_evidence: Product documentation contains information on certification + of semiconductors and their suppliers for compliance with standards such as + ISO 26262 reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1013,20 +971,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node26 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-002 - name: Evidence - description: Product documentation contains information on certification of - semiconductors and their suppliers for compliance with standards such as ISO - 26262 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-003 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-003 description: Prevent TPM-Fail vulnerabilities + typical_evidence: Verify product documentation to ensure that the TPM hardware + used in the product is certified, for example, by the Trusted Computing Group + (TCG) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1036,13 +989,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node28 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-003 - name: Evidence - description: Verify product documentation to ensure that the TPM hardware used - in the product is certified, for example, by the Trusted Computing Group (TCG) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-004 assessable: true depth: 3 @@ -1054,6 +1000,7 @@ objects: provider to respond quickly to such vulnerability to mitigate potential attacks. SBOM should follow the NTIA guidelines and be in a machine-readable format, such as SPDX, or CycloneDX. + typical_evidence: Verify that the software package includes a SBOM. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1063,18 +1010,16 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node30 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-004 - name: Evidence - description: Verify that the software package includes a SBOM. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-005 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-005 description: Resource development should be coordinated with suppliers + typical_evidence: MNO has documented processes to ensure that required service + level agreements and operational level agreements are developed and agreed + for each resource class deployed, and any supplier/partner operational support + has been identified and agreed reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1084,15 +1029,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node32 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-005 - name: Evidence - description: MNO has documented processes to ensure that required service level - agreements and operational level agreements are developed and agreed for each - resource class deployed, and any supplier/partner operational support has - been identified and agreed - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-006 assessable: true depth: 3 
@@ -1102,6 +1038,15 @@ objects: clauses should be adequately defined. Sourcing requirements and limitations should address threats posed by potentially high-risk suppliers or managed service providers. + typical_evidence: MNO has documented policies and processes to determine sourcing + requirements based on industry standards and regulatory requirements. Documented + sourcing requirements include technical, operational, training, specific supplier + support, and clauses to ensure non-disclosure of confidential information + to third parties, including information originating from or relating to its + customers. Review of supply-chain policies, related policies and processes + (e.g. business continuity) and any other relevant documentation indicates + that threats posed by potentially high-risk suppliers or managed service providers + are addressed appropriately, and in line with the applicable national requirements. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1111,20 +1056,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node34 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-006 - name: Evidence - description: MNO has documented policies and processes to determine sourcing - requirements based on industry standards and regulatory requirements. Documented - sourcing requirements include technical, operational, training, specific supplier - support, and clauses to ensure non-disclosure of confidential information - to third parties, including information originating from or relating to its - customers. Review of supply-chain policies, related policies and processes - (e.g. business continuity) and any other relevant documentation indicates - that threats posed by potentially high-risk suppliers or managed service providers - are addressed appropriately, and in line with the applicable national requirements. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-007 assessable: true depth: 3 @@ -1132,6 +1063,9 @@ objects: ref_id: SO4-007 description: 'Operational and security clauses should be defined in agreements with suppliers and partners ' + typical_evidence: MNO has documented processes to prepare agreements with third + parties. Such processes could involve the use of templates. Agreements generated + from MNO processes include relevant up to date security clauses. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1141,14 +1075,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node36 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-007 - name: Evidence - description: MNO has documented processes to prepare agreements with third parties. - Such processes could involve the use of templates. Agreements generated from - MNO processes include relevant up to date security clauses. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-008 assessable: true depth: 3 @@ -1156,6 +1082,11 @@ objects: ref_id: SO4-008 description: Contractual obligations of third parties, including suppliers, are monitored and any variations are managed + typical_evidence: 'MNO has documented processes to monitor that suppliers are + meeting their contractual obligations, as well as to manage changes in terms/conditions + of an agreement during its term. MNOs should keep track of such variations. + + ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1165,22 +1096,17 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node38 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-008 - name: Evidence - description: 'MNO has documented processes to monitor that suppliers are meeting - their contractual obligations, as well as to manage changes in terms/conditions - of an agreement during its term. MNOs should keep track of such variations. - - ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-009 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-009 description: Support party requisition should be managed + typical_evidence: MNO has documented processes to i) arrange and manage external + party access to infrastructure deployment support tools and processes ii) + oversee roll-out of new infrastructure, iii) track and monitor infrastructure + deployment undertaken by contractors, and iv) continuously update relevant + inventories reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1190,16 +1116,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node40 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-009 - name: Evidence - description: MNO has documented processes to i) arrange and manage external - party access to infrastructure deployment support tools and processes ii) - oversee roll-out of new infrastructure, iii) track and monitor infrastructure - deployment undertaken by contractors, and iv) continuously update relevant - inventories - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-010 assessable: true depth: 3 @@ -1207,6 +1123,8 @@ objects: ref_id: SO4-010 description: Support party performance should be managed to ensure its efficient operation + typical_evidence: MNO has documented processes for performance restoration activity + with outsourced infrastructure providers reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1216,13 +1134,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node42 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-010 - name: Evidence - description: MNO has documented processes for performance restoration activity - with outsourced infrastructure providers - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-011 assessable: true depth: 3 
@@ -1233,6 +1144,13 @@ objects: process with vulnerabilities disclosed along with mitigation recommendations. The patch management process must consider the ability to update the cryptographic algorithms and to adapt to upcoming 5G security challenges. + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with NFV providers (e.g. maintenance agreements) confirm that the MNO requires\ + \ his NFV providers to have a process to deal with vulnerabilities in network\ + \ products and issue security patches/upgrades.\n\nCheck for presence of patch\ + \ management tools notifying of patch releases. All patches, especially those\ + \ to critical or sensitive NFV components or functions, are reviewed and subjected\ + \ to security testing in controlled environment prior to deployment." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1242,18 +1160,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node44 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-011 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ NFV providers (e.g. maintenance agreements) confirm that the MNO requires\ - \ his NFV providers to have a process to deal with vulnerabilities in network\ - \ products and issue security patches/upgrades.\n\nCheck for presence of patch\ - \ management tools notifying of patch releases. All patches, especially those\ - \ to critical or sensitive NFV components or functions, are reviewed and subjected\ - \ to security testing in controlled environment prior to deployment." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-012 assessable: true depth: 3 
@@ -1262,21 +1168,7 @@ objects: description: Adequate policies and processes for supplier/partner selection should be used. They should manage the potential risk of dependency on a single supplier of network equipment. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M19 - - risk:reference_control:enisa-5g-scm:5G-M20 - - risk:reference_control:enisa-5g-scm:5G-M21 - - risk:reference_control:enisa-5g-scm:5G-M22 - - risk:reference_control:enisa-5g-scm:5G-M23 - - risk:reference_control:enisa-5g-scm:5G-M24 - - risk:reference_control:enisa-5g-scm:5G-M25 - - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node46 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-012 - name: Evidence - description: MNO has documented policies and processes to determine potential + typical_evidence: MNO has documented policies and processes to determine potential suppliers/partners. MNO processes only shortlist suppliers that meet specific enterprise and industry standard requirements including, where available, EU certification schemes for 5G network components, customer equipment, and/or 
@@ -1286,12 +1178,26 @@ objects: on a single supplier of network equipment, if such a dependency exists. Documented policies and risk management plans also include contingency plans and appropriate fallback strategies in case of a loss of critical suppliers + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M19 + - risk:reference_control:enisa-5g-scm:5G-M20 + - risk:reference_control:enisa-5g-scm:5G-M21 + - risk:reference_control:enisa-5g-scm:5G-M22 + - risk:reference_control:enisa-5g-scm:5G-M23 + - risk:reference_control:enisa-5g-scm:5G-M24 + - risk:reference_control:enisa-5g-scm:5G-M25 + - risk:reference_control:enisa-5g-scm:5G-M26 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-013 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-013 description: Adequate tender and purchase process should be in place + typical_evidence: MNO has documented processes to manage and administer the + mechanics of tender process. These processes should ensure coordination and + control of engagement interactions with potential parties, timing of the tender + process, inclusion of relevant commercial and functional requirements, and + tender analysis mechanisms/procedures reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1301,22 +1207,14 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node48 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-013 - name: Evidence - description: MNO has documented processes to manage and administer the mechanics - of tender process. These processes should ensure coordination and control - of engagement interactions with potential parties, timing of the tender process, - inclusion of relevant commercial and functional requirements, and tender analysis - mechanisms/procedures - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-014 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-014 description: Supplier/Partner interface should be managed + typical_evidence: MNO has documented processes for ensuring effective operation + of the supplier/partner interface reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1326,19 +1224,14 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node50 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-014 - name: Evidence - description: MNO has documented processes for ensuring effective operation of - the supplier/partner interface - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-016 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-016 description: Interaction with external parties should be handled + typical_evidence: MNO has documented processes in place to fulfill all inbound + and outbound requests from/to external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1348,13 +1241,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node52 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-016 - name: Evidence - description: MNO has documented processes in place to fulfill all inbound and - outbound requests from/to external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-017 assessable: true depth: 3 @@ -1362,6 +1248,8 @@ objects: ref_id: SO4-017 description: Performance of services, processes, or resources delivered by external parties are monitored + typical_evidence: MNO has documented processes in place to monitor the performance + of services, processes, and resources delivered by external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1371,19 +1259,16 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node54 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-017 - name: Evidence - description: MNO has documented processes in place to monitor the performance - of services, processes, and resources delivered by external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-018 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4 ref_id: SO4-018 description: Interaction with external parties should be tracked + typical_evidence: MNO has documented processes and tools in place to i) track + and manage timely closure of all interactions with external parties, ii) notify + when SLAs with external parties are endangered, and iii) communicate KPIs + to improve efficiency of interactions with external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1393,15 +1278,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node56 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-018 - name: Evidence - description: MNO has documented processes and tools in place to i) track and - manage timely closure of all interactions with external parties, ii) notify - when SLAs with external parties are endangered, and iii) communicate KPIs - to improve efficiency of interactions with external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-019 assessable: true depth: 3 
@@ -1409,6 +1285,10 @@ objects: ref_id: SO4-019 description: 'MNO requires vendors to implement security requirements of relevant 5G technical specifications (including 3GPP) and industry standards ' + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to implement\ + \ security requirements of relevant 5G technical specifications (including\ + \ 3GPP) and industry standards" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1418,15 +1298,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node58 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-019 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to implement security\ - \ requirements of relevant 5G technical specifications (including 3GPP) and\ - \ industry standards" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-020 assessable: true depth: 3 @@ -1440,6 +1311,10 @@ objects: Special review is to be conducted on the code used for automated administration. Specifically, changes to the automated administration code should require peer review and a two-person sign off.' + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to have processes\ + \ in place for review of new and changed source codes. When possible, automated\ + \ source code analysis tools are used to aid the code review process" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1449,15 +1324,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node60 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-020 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to have processes\ - \ in place for review of new and changed source codes. When possible, automated\ - \ source code analysis tools are used to aid the code review process" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-021 assessable: true depth: 3 @@ -1465,6 +1331,10 @@ objects: ref_id: SO4-021 description: MNO requires vendors to ensure that no code changes are introduced to a network product without appropriate governance + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers i) to have independent\ + \ lines of control for code review within the supplier organization and ii)\ + \ to use governance frameworks such as ITIL, COBIT etc." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1474,15 +1344,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node62 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-021 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers i) to have independent\ - \ lines of control for code review within the supplier organization and ii)\ - \ to use governance frameworks such as ITIL, COBIT etc." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-022 assessable: true depth: 3 @@ -1491,6 +1352,10 @@ objects: description: MNO requires vendors to protect component compilation and build process from tampering and ensure that builds are reproducible, deterministic, and cover security procedures + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to protect component\ + \ compilation and build process from tampering and ensure that builds are\ + \ reproducible, deterministic, and cover security procedures" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1500,15 +1365,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node64 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-022 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to protect component\ - \ compilation and build process from tampering and ensure that builds are\ - \ reproducible, deterministic, and cover security procedures" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-023 assessable: true depth: 3 @@ -1516,6 +1372,9 @@ objects: ref_id: SO4-023 description: MNO requires vendors to ensure proper testing and/or support for periodic testing of network products + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to ensure proper\ + \ testing and/or support for periodic testing of network products" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1525,14 +1384,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node66 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-023 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to ensure proper testing\ - \ and/or support for periodic testing of network products" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-024 assessable: true depth: 3 
@@ -1540,6 +1391,9 @@ objects: ref_id: SO4-024 description: MNO requires vendors to implement effective software integrity verification methods + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to implement\ + \ effective software integrity verification methods" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1549,14 +1403,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node68 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-024 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to implement effective\ - \ software integrity verification methods" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-025 assessable: true depth: 3 @@ -1564,6 +1410,9 @@ objects: ref_id: SO4-025 description: MNO requires vendors to ensure that software versions are uniquely identified + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to ensure that\ + \ software versions are uniquely identified" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1573,14 +1422,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node70 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-025 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to ensure that software\ - \ versions are uniquely identified" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-026 assessable: true depth: 3 @@ -1588,6 +1429,9 @@ objects: ref_id: SO4-026 description: MNO requires vendors to ship up-to-date documentation along with network products and software upgrades + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to ship up-to-date\ + \ documentation along with network products and software upgrades" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1597,14 +1441,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node72 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-026 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to ship up-to-date\ - \ documentation along with network products and software upgrades" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-027 assessable: true depth: 3 
@@ -1612,6 +1448,9 @@ objects: ref_id: SO4-027 description: MNO requires vendors to provide a point of contact for security questions/issues + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to provide a\ + \ point of contact for security questions/issues" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1621,14 +1460,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node74 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-027 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to provide a point\ - \ of contact for security questions/issues" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-028 assessable: true depth: 3 @@ -1637,6 +1468,10 @@ objects: description: MNO requires vendors to have reliable processes to collect and process updated information about vulnerabilities in 3rd party components. This may include tracking open vulnerability databases + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to have reliable\ + \ processes to collect and process updated information about vulnerabilities\ + \ in 3rd party components" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1646,15 +1481,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node76 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-028 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to have reliable processes\ - \ to collect and process updated information about vulnerabilities in 3rd\ - \ party components" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-029 assessable: true depth: 3 @@ -1662,6 +1488,10 @@ objects: ref_id: SO4-029 description: MNO requires vendors to have a process to deal with vulnerabilities in network products and issue security patches/upgrades + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers (e.g. maintenance agreements) confirm that the MNO requires\ + \ his suppliers to have a process to deal with vulnerabilities in network\ + \ products and issue security patches/upgrades" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1671,15 +1501,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node78 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-029 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers (e.g. maintenance agreements) confirm that the MNO requires his\ - \ suppliers to have a process to deal with vulnerabilities in network products\ - \ and issue security patches/upgrades" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-030 assessable: true depth: 3 
@@ -1689,6 +1510,11 @@ objects: introduced vulnerabilities, as well as, a reliable process for communicating any discovered vulnerabilities along with corresponding software fixes in a timely manner + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers (e.g. maintenance agreements) confirm that the MNO requires\ + \ his suppliers to guarantee that there are no intentionally introduced vulnerabilities\ + \ and a reliable process is in place for communicating discovered vulnerabilities\ + \ along with corresponding software fixes in a timely manner" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1698,16 +1524,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node80 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-030 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers (e.g. maintenance agreements) confirm that the MNO requires his\ - \ suppliers to guarantee that there are no intentionally introduced vulnerabilities\ - \ and a reliable process is in place for communicating discovered vulnerabilities\ - \ along with corresponding software fixes in a timely manner" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-031 assessable: true depth: 3 
@@ -1716,6 +1532,9 @@ objects: description: MNO requires vendors to use a version control system, including for hardware, source code, build tools and environment, binary software, and 3rd party components + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to use a version\ + \ control system" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1725,14 +1544,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node82 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-031 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to use a version control\ - \ system" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-032 assessable: true depth: 3 @@ -1741,6 +1552,9 @@ objects: description: MNO requires vendors to have a comprehensive and documented change management process for ensuring that all requirements and design changes are managed and tracked in a systematic and timely manner + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to have a comprehensive\ + \ and documented change management process" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1750,14 +1564,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node84 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-032 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to have a comprehensive\ - \ and documented change management process" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-033 assessable: true depth: 3 @@ -1767,6 +1573,10 @@ objects: in network product design, engineering, development, implementation, testing and maintenance are security-vetted with background checks and undergo regular security education + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers and contractors confirm that the MNO requires that the staff\ + \ of his suppliers and contractors are security-vetted with background checks\ + \ and undergo regular security education" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1776,15 +1586,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node86 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-033 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers and contractors confirm that the MNO requires that the staff of\ - \ his suppliers and contractors are security-vetted with background checks\ - \ and undergo regular security education" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-034 assessable: true depth: 3 
@@ -1795,6 +1596,9 @@ objects: schemes to avoid leakage of sensitive information and processes for security flaw root cause analysis to continually improve the development and product lifecycle + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to have an effective\ + \ ISMS" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1804,14 +1608,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node88 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-034 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to have an effective\ - \ ISMS" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-035 assessable: true depth: 3 @@ -1826,6 +1622,9 @@ objects: \ to the extent they are not covered by such certification schemes, adherence\ \ to best practices and industry standards throughout the lifetime of the\ \ component" + typical_evidence: 'EU and/or industry standards compliance certificates. Audit + reports certifying vendor compliance with relevant EU and/or industry standards + certification schemes ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
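Review bot: The `so4-035` evidence text carries a trailing space inside the quoted scalar (`certification schemes '`), copied over from the removed node's description; trim it to `certification schemes'` so the stored value does not end in whitespace. The same carried-over whitespace appears in the `so4-041` evidence text two hunks later, where paragraphs are separated by ` \n \n` (space, newline, space, newline) rather than a plain `\n\n`. Both are cosmetic, but since this change is already rewriting every evidence string it is the right moment to normalise them.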
@@ -1835,14 +1634,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node90 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-035 - name: Evidence - description: 'EU and/or industry standards compliance certificates. Audit reports - certifying vendor compliance with relevant EU and/or industry standards certification - schemes ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-036 assessable: true depth: 3 @@ -1850,6 +1641,10 @@ objects: ref_id: SO4-036 description: MNO requires vendors to support in investigating and remedying security incidents + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers (e.g. support agreements) confirm that the MNO requires his\ + \ suppliers to provide assistance with investigation and remediation of security\ + \ incidents" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1859,14 +1654,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node92 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-036 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers (e.g. support agreements) confirm that the MNO requires his suppliers\ - \ to provide assistance with investigation and remediation of security incidents" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-037 assessable: true depth: 3 
@@ -1875,6 +1662,12 @@ objects: description: MNO requires vendors to demonstrate quality level of internal information security processes, including having a secure software development lifecycle (SDLC) built in the product development process + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to implement\ + \ and demonstrate internal security processes, including an SDLC built in\ + \ the product development process. Documentation explaining rationale for\ + \ architectural decisions based on security principles. Risk analysis identifying\ + \ threats, their likelihood, and mitigation mechanisms" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -1884,17 +1677,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node94 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-037 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to implement and demonstrate\ - \ internal security processes, including an SDLC built in the product development\ - \ process. Documentation explaining rationale for architectural decisions\ - \ based on security principles. Risk analysis identifying threats, their likelihood,\ - \ and mitigation mechanisms" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-038 assessable: true depth: 3 
@@ -1904,27 +1686,13 @@ objects: customer privacy or confidentiality related information is stored securely on any shared or local storage using industry standard best practice (e.g. encryption). - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M19 - - risk:reference_control:enisa-5g-scm:5G-M20 - - risk:reference_control:enisa-5g-scm:5G-M21 - - risk:reference_control:enisa-5g-scm:5G-M22 - - risk:reference_control:enisa-5g-scm:5G-M23 - - risk:reference_control:enisa-5g-scm:5G-M24 - - risk:reference_control:enisa-5g-scm:5G-M25 - - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node96 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-038 - name: Evidence - description: "Documentation provided by the vendor describes how critical data\ - \ that could possibly be revealed in clear text is handled by network product\u2019\ - s functions. Information on security mechanisms used to protect critical data\ - \ and instructions on how to enable and execute these mechanisms are provided\ - \ as part of the vendor's documentation. The document demonstrates that LI\ - \ and privacy data are protected to ensure that it cannot be compromised or\ - \ weakened by running the NFV environment.\n\nVerify, for cases where the\ + typical_evidence: "Documentation provided by the vendor describes how critical\ + \ data that could possibly be revealed in clear text is handled by network\ + \ product\u2019s functions. Information on security mechanisms used to protect\ + \ critical data and instructions on how to enable and execute these mechanisms\ + \ are provided as part of the vendor's documentation. 
The document demonstrates\ + \ that LI and privacy data are protected to ensure that it cannot be compromised\ + \ or weakened by running the NFV environment.\n\nVerify, for cases where the\ \ critical data is accessible in clear text, that attempts to access it are\ \ recorded in a log, that the log includes the identity of the user that has\ \ attempted to access the data, and that the log does not include the actual\ @@ -1935,6 +1703,15 @@ objects: \ data at rest. Cryptographic operations, key sizes, algorithms and standards\ \ for encrypting that critical information are described as part of the documented\ \ process." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M19 + - risk:reference_control:enisa-5g-scm:5G-M20 + - risk:reference_control:enisa-5g-scm:5G-M21 + - risk:reference_control:enisa-5g-scm:5G-M22 + - risk:reference_control:enisa-5g-scm:5G-M23 + - risk:reference_control:enisa-5g-scm:5G-M24 + - risk:reference_control:enisa-5g-scm:5G-M25 + - risk:reference_control:enisa-5g-scm:5G-M26 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-039 assessable: true depth: 3 @@ -1942,6 +1719,8 @@ objects: ref_id: SO4-039 description: Third party hosting environments that support VNFs should meet 3GPP virtualisation security requirements. + typical_evidence: Verification of an appropriate evaluation report or security + certification of a VNF confirming that the VNF meets 3GPP SCAS specifications. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1951,13 +1730,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node98 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-039 - name: Evidence - description: Verification of an appropriate evaluation report or security certification - of a VNF confirming that the VNF meets 3GPP SCAS specifications. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-040 assessable: true depth: 3 @@ -1972,6 +1744,13 @@ objects: \ ensure seamless integration with the broader code base.\nSoftware developers\ \ should, where possible, vet suppliers, establish trusted repositories of\ \ third-party components, and enforce security standards through contracts." + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to provide SBOM\ + \ containing an inventory of components.\n\nMNO\u2019s documented procurement\ + \ policies and contracts with suppliers confirm that the MNO requires his\ + \ suppliers to enforce security standards and ensure proper code review and\ + \ testing procedures to identify known vulnerabilities and ensure seamless\ + \ integration with the broader code base." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -1981,18 +1760,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node100 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-040 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to provide SBOM containing\ - \ an inventory of components.\n\nMNO\u2019s documented procurement policies\ - \ and contracts with suppliers confirm that the MNO requires his suppliers\ - \ to enforce security standards and ensure proper code review and testing\ - \ procedures to identify known vulnerabilities and ensure seamless integration\ - \ with the broader code base." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-041 assessable: true depth: 3 
@@ -2006,23 +1773,9 @@ objects: \ and outsourcing security controls. If the NFVI is deployed on the cloud\ \ in an IaaS model, then the MNO should be able to attest the root of trust\ \ on demand." - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M19 - - risk:reference_control:enisa-5g-scm:5G-M20 - - risk:reference_control:enisa-5g-scm:5G-M21 - - risk:reference_control:enisa-5g-scm:5G-M22 - - risk:reference_control:enisa-5g-scm:5G-M23 - - risk:reference_control:enisa-5g-scm:5G-M24 - - risk:reference_control:enisa-5g-scm:5G-M25 - - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node102 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-041 - name: Evidence - description: "Documentation on the security controls (such as a statement of\ - \ applicability) implemented at the datacentre site supporting NFVI and MANO\ - \ elements. \n \nResults of security audits documenting correct implementation\ + typical_evidence: "Documentation on the security controls (such as a statement\ + \ of applicability) implemented at the datacentre site supporting NFVI and\ + \ MANO elements. \n \nResults of security audits documenting correct implementation\ \ of these controls. \n \nIf a third party operated datacentre is used by\ \ the MNO, the audit report should include that third party's compliance with\ \ MNO security controls and applicable regulations. This should include security\ 
@@ -2035,6 +1788,15 @@ objects: \ for securing MNO\u2019s cryptographic materials, sensitive data and functions.\ \ This could be carried out by checking the evaluation/certification report\ \ of the used trusted platform(s)." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M19 + - risk:reference_control:enisa-5g-scm:5G-M20 + - risk:reference_control:enisa-5g-scm:5G-M21 + - risk:reference_control:enisa-5g-scm:5G-M22 + - risk:reference_control:enisa-5g-scm:5G-M23 + - risk:reference_control:enisa-5g-scm:5G-M24 + - risk:reference_control:enisa-5g-scm:5G-M25 + - risk:reference_control:enisa-5g-scm:5G-M26 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-042 assessable: true depth: 3 @@ -2060,6 +1822,9 @@ objects: MNO should require both network product suppliers and cloud service providers to offer the MNO recommendations on deployment and configuration of security services, optimising risk exposure, costs and performance.' + typical_evidence: A documented SSLA is established between MNOs, network product + suppliers and cloud service providers, assigning responsibilities and considering + security monitoring, incident response, maintenance and risk mitigation. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -2069,14 +1834,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node104 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-042 - name: Evidence - description: A documented SSLA is established between MNOs, network product - suppliers and cloud service providers, assigning responsibilities and considering - security monitoring, incident response, maintenance and risk mitigation. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-043 assessable: true depth: 3 
@@ -2086,6 +1843,9 @@ objects: Disclosure (CVD) program in place. They should also ensure, via contractual arrangements, that they receive timely information about newly discovered vulnerabilities. + typical_evidence: "MNO\u2019s documented procurement policies and contracts\ + \ with suppliers confirm that the MNO requires his suppliers to have a CVD\ + \ program to handle vulnerabilities and develop patches." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -2095,14 +1855,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node106 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-043 - name: Evidence - description: "MNO\u2019s documented procurement policies and contracts with\ - \ suppliers confirm that the MNO requires his suppliers to have a CVD program\ - \ to handle vulnerabilities and develop patches." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-044 assessable: true depth: 3 @@ -2110,6 +1862,8 @@ objects: ref_id: SO4-044 description: Proper management of external party notifications of potential security/performance issues + typical_evidence: MNO has documented processes and tools in place to receive + information about potential security/performance issues from external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -2119,13 +1873,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node108 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-044 - name: Evidence - description: MNO has documented processes and tools in place to receive information - about potential security/performance issues from external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-045 assessable: true depth: 3 @@ -2133,6 +1880,8 @@ objects: ref_id: SO4-045 description: Security incidents or performance issues caused by external parties are assessed + typical_evidence: MNO has documented processes and tools in place to manage + security incidents and performance issues caused by external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -2142,13 +1891,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node110 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-045 - name: Evidence - description: MNO has documented processes and tools in place to manage security - incidents and performance issues caused by external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-046 assessable: true depth: 3 @@ -2156,6 +1898,8 @@ objects: ref_id: SO4-046 description: Security incidents or performance issues caused by external parties are identified + typical_evidence: MNO has documented processes and tools in place to identify + security incidents and performance issues caused by external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 
@@ -2165,13 +1909,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node112 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-046 - name: Evidence - description: MNO has documented processes and tools in place to identify security - incidents and performance issues caused by external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-047 assessable: true depth: 3 @@ -2179,6 +1916,8 @@ objects: ref_id: SO4-047 description: Performance of problem resolution (such as performance degradation) and restoration of services by external parties is monitored + typical_evidence: MNO has documented processes in place to monitor the performance + of problem resolution and restoration of services by external parties reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -2188,13 +1927,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node114 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-047 - name: Evidence - description: MNO has documented processes in place to monitor the performance - of problem resolution and restoration of services by external parties - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-048 assessable: true depth: 3 
@@ -2202,6 +1934,9 @@ objects: ref_id: SO4-048 description: Past security incidents or performance issues, including trends, caused by external parties should be analyzed + typical_evidence: MNO has documented processes in place to analyze past security + incidents and performance issues caused by external parties and to report + on the findings of the analysis reference_controls: - risk:reference_control:enisa-5g-scm:5G-M19 - risk:reference_control:enisa-5g-scm:5G-M20 @@ -2211,14 +1946,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M24 - risk:reference_control:enisa-5g-scm:5G-M25 - risk:reference_control:enisa-5g-scm:5G-M26 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node116 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so4-048 - name: Evidence - description: MNO has documented processes in place to analyze past security - incidents and performance issues caused by external parties and to report - on the findings of the analysis - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d2 assessable: false depth: 1 
@@ -2241,21 +1968,16 @@ objects: description: Personnel that have access, either physically or through management systems, to critical or sensitive components of 5G networks (e.g. for deployment / operations purposes) are security-vetted and qualified + typical_evidence: "MNO\u2019s documented recruitment process includes measures\ + \ to ensure staff has necessary skills and qualifications. For staff that\ + \ will have access to critical or sensitive components of 5G networks (e.g.\ + \ for deployment / operations purposes), the recruitment process includes\ + \ background checks and other security vetting" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M27 - risk:reference_control:enisa-5g-scm:5G-M28 - risk:reference_control:enisa-5g-scm:5G-M29 - risk:reference_control:enisa-5g-scm:5G-M30 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node120 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so5-001 - name: Evidence - description: "MNO\u2019s documented recruitment process includes measures to\ - \ ensure staff has necessary skills and qualifications. For staff that will\ - \ have access to critical or sensitive components of 5G networks (e.g. for\ - \ deployment / operations purposes), the recruitment process includes background\ - \ checks and other security vetting" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so6 assessable: false depth: 2 
@@ -2272,21 +1994,16 @@ objects: description: Training program for staff is updated regularly. Processes are in place for ensuring that staff undergoes regular security education with up-to-date training material, including on 5G technical topics, where appropriate + typical_evidence: MNO training material is up-to-date with current 5G security + trends, vulnerabilities, best practices etc. Records of when staff has last + completed necessary security courses, training, and certification required + for their tasks reference_controls: - risk:reference_control:enisa-5g-scm:5G-M31 - risk:reference_control:enisa-5g-scm:5G-M32 - risk:reference_control:enisa-5g-scm:5G-M33 - risk:reference_control:enisa-5g-scm:5G-M34 - risk:reference_control:enisa-5g-scm:5G-M35 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node123 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so6-001 - name: Evidence - description: MNO training material is up-to-date with current 5G security trends, - vulnerabilities, best practices etc. Records of when staff has last completed - necessary security courses, training, and certification required for their - tasks - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d3 assessable: false depth: 1 @@ -2310,6 +2027,8 @@ objects: description: Geographical location of any hardware supporting NFV must comply with each MNO's local regulatory requirements for operating a telecoms network and handling its customers' sensitive data. + typical_evidence: Verify that documented processes and tools are in place to + track geographical location of any hardware/software supporting NFV. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 
@@ -2317,13 +2036,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node127 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-001 - name: Evidence - description: Verify that documented processes and tools are in place to track - geographical location of any hardware/software supporting NFV. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-002 assessable: true depth: 3 @@ -2335,6 +2047,20 @@ objects: policy should allow remote shutdown (or data clearing) for ciritcal stolen equipment and/or re-authentication/re-configuration after a physical attack or power failure + typical_evidence: Statement of Applicability (SoA) or equivalent record which + lists the relevant physical security controls and how they were implemented. + Documented physical security specific policy/policies, which include physical + access control, monitoring, continuity of operations, (multi-vendor) spare + part management. Such policy/policies list critical assets and their respective + controls. Relevant documented procedures that allow physical access only to + security-vetted, trained, and qualified staff. Documented procedures contain + measures allowing vendors access only to equipment sourced from them. Log + containing records of physical access, especially by third parties and contractors. On-site + inspection to verify implementation of the relevant controls. Visual verification + of equipment shutdown after issuing test remote shutdown command. Verify memory + contents via debug interface after issuing a test remote wipe command on equipment. + Logs on critical equipment confirm re-authentication after simulating power + failure or physical attack events reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 
@@ -2342,25 +2068,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node129 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-002 - name: Evidence - description: Statement of Applicability (SoA) or equivalent record which lists - the relevant physical security controls and how they were implemented. Documented - physical security specific policy/policies, which include physical access - control, monitoring, continuity of operations, (multi-vendor) spare part management. - Such policy/policies list critical assets and their respective controls. Relevant - documented procedures that allow physical access only to security-vetted, - trained, and qualified staff. Documented procedures contain measures allowing - vendors access only to equipment sourced from them. Log containing records - of physical access, especially by third parties and contractors. On-site - inspection to verify implementation of the relevant controls. Visual verification - of equipment shutdown after issuing test remote shutdown command. Verify memory - contents via debug interface after issuing a test remote wipe command on equipment. - Logs on critical equipment confirm re-authentication after simulating power - failure or physical attack events - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-003 assessable: true depth: 3 
@@ -2368,6 +2075,10 @@ objects: ref_id: SO9-003 description: Protection against side-channel vulnerabilities should be deployed for critical systems + typical_evidence: Inspection of critical systems confirms that TEMPEST standard + guidelines such as equipment distance from walls, amount of shielding in buildings + and equipment, and distance separating wires carrying classified information + from those carrying unclassified are followed reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 @@ -2375,21 +2086,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node131 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-003 - name: Evidence - description: Inspection of critical systems confirms that TEMPEST standard guidelines - such as equipment distance from walls, amount of shielding in buildings and - equipment, and distance separating wires carrying classified information from - those carrying unclassified are followed - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-004 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9 ref_id: SO9-004 description: Hardware backdoors, when detected, are removed + typical_evidence: Visual inspection of the equipment does not reveal any suspicious + peripherals or hardware backdoors. Documented processes are in place for obtaining + and flashing a BIOS if a hardware backdoor is suspected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 
@@ -2397,20 +2102,14 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node133 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-004 - name: Evidence - description: Visual inspection of the equipment does not reveal any suspicious - peripherals or hardware backdoors. Documented processes are in place for obtaining - and flashing a BIOS if a hardware backdoor is suspected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-005 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9 ref_id: SO9-005 description: No unprotected physical management consoles and interfaces + typical_evidence: Visual inspection of the product confirms that physical management + and debugging interfaces such as JTAG have been closed/disabled reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 @@ -2418,19 +2117,13 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node135 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-005 - name: Evidence - description: Visual inspection of the product confirms that physical management - and debugging interfaces such as JTAG have been closed/disabled - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-006 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9 ref_id: SO9-006 description: Fiber cable management for protecting cables + typical_evidence: Inspection confirms the use of raceway/conduit on cables reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 
@@ -2438,12 +2131,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node137 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-006 - name: Evidence - description: Inspection confirms the use of raceway/conduit on cables - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-007 assessable: true depth: 3 @@ -2452,6 +2139,10 @@ objects: description: Junction boxes and splice closures are located away from high traffic areas. Physical controls ensure that only authorized personnel can access junction boxes and splice closures + typical_evidence: Check that junction boxes and splice closures are located + away from high traffic areas. Documented policies / procedures list physical + access controls ensuring that only authorized personnel can access junction + boxes and splice closures reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 
@@ -2459,21 +2150,18 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node139 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-007 - name: Evidence - description: Check that junction boxes and splice closures are located away - from high traffic areas. Documented policies / procedures list physical access - controls ensuring that only authorized personnel can access junction boxes - and splice closures - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-008 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9 ref_id: SO9-008 description: MNO ensures physical security of equipment in transport + typical_evidence: Statement of Applicability (SoA) or equivalent record which + lists the relevant physical security controls and how they are implemented + to protect equipment in transport. Relevant documented procedures that allow + physical access during transport only to security-vetted, trained, and qualified + staff. Log containing records of physical access, especially by third parties + and contractors reference_controls: - risk:reference_control:enisa-5g-scm:5G-M45 - risk:reference_control:enisa-5g-scm:5G-M46 
@@ -2481,17 +2169,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M48 - risk:reference_control:enisa-5g-scm:5G-M49 - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node141 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-008 - name: Evidence - description: Statement of Applicability (SoA) or equivalent record which lists - the relevant physical security controls and how they are implemented to protect - equipment in transport. Relevant documented procedures that allow physical - access during transport only to security-vetted, trained, and qualified staff. - Log containing records of physical access, especially by third parties and - contractors - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-009 assessable: true depth: 3 @@ -2501,19 +2178,7 @@ objects: a VNF then it should not store critical security, customer privacy or confidential information such that its theft or removal would enable an attacker to gain a copy of the stored data. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M45 - - risk:reference_control:enisa-5g-scm:5G-M46 - - risk:reference_control:enisa-5g-scm:5G-M47 - - risk:reference_control:enisa-5g-scm:5G-M48 - - risk:reference_control:enisa-5g-scm:5G-M49 - - risk:reference_control:enisa-5g-scm:5G-M50 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node143 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so9-009 - name: Evidence - description: "Check that there is a document listing all supported non-volatile,\ + typical_evidence: "Check that there is a document listing all supported non-volatile,\ \ fixed or removable storage and that information on how to enable/disable\ \ this storage is documented. \n\nCheck that there is a document describing\ \ how non-volatile, fixed or removable storage is handled.\n\nVerify that\ 
@@ -2523,6 +2188,13 @@ objects: \ at rest. Cryptographic operations, key sizes, algorithms and standards for\ \ encrypting that critical information are described as part of the documented\ \ process." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M45 + - risk:reference_control:enisa-5g-scm:5G-M46 + - risk:reference_control:enisa-5g-scm:5G-M47 + - risk:reference_control:enisa-5g-scm:5G-M48 + - risk:reference_control:enisa-5g-scm:5G-M49 + - risk:reference_control:enisa-5g-scm:5G-M50 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so10 assessable: false depth: 2 
@@ -2538,23 +2210,18 @@ objects: ref_id: SO10-001 description: Power supply continuity strategy that avoids a single point of supply failure + typical_evidence: Check for the presence of multiple power supply sources which + are capable of withstanding primary power supply failures for the duration + of likely outages. Where necessary, batteries are augmented with private electric + generators. Additionally, documented business continuity and incident management + plans and/or processes with provisions on power supply continuity, including + responding to outages reference_controls: - risk:reference_control:enisa-5g-scm:5G-M51 - risk:reference_control:enisa-5g-scm:5G-M52 - risk:reference_control:enisa-5g-scm:5G-M53 - risk:reference_control:enisa-5g-scm:5G-M54 - risk:reference_control:enisa-5g-scm:5G-M55 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node146 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so10-001 - name: Evidence - description: Check for the presence of multiple power supply sources which are - capable of withstanding primary power supply failures for the duration of - likely outages. Where necessary, batteries are augmented with private electric - generators. Additionally, documented business continuity and incident management - plans and/or processes with provisions on power supply continuity, including - responding to outages - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11 assessable: false depth: 2 @@ -2571,6 +2238,7 @@ objects: description: UPF (or SMF depending on MNO) assigns unique tunnel endpoint IDs (TEIDs) for each PDU session while ensuring that TEID is unique within one IP address + typical_evidence: Packet captures at UPF (or SMF) show unique F-TEIDs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2580,18 +2248,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node149 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-001 - name: Evidence - description: Packet captures at UPF (or SMF) show unique F-TEIDs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-002 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11 ref_id: SO11-002 description: SMF assigns unique charging IDs for each PDU session + typical_evidence: System logs of the SMF show that it generates a unique charging + ID for each new PDU session and uses it for all subsequent messages for that + PDU session reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2601,14 +2266,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node151 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-002 - name: Evidence - description: System logs of the SMF show that it generates a unique charging - ID for each new PDU session and uses it for all subsequent messages for that - PDU session - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-003 assessable: true depth: 3 
@@ -2619,6 +2276,9 @@ objects: application or a system). Network products support individual accounts per user and don't enable the use of group accounts, group credentials or sharing of accounts between several users + typical_evidence: Documented user access policy shows that group accounts, credentials, + and sharing of the same accounts are forbidden. Tests show that the network + product does not support credentials unrelated to an account reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2628,14 +2288,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node153 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-003 - name: Evidence - description: Documented user access policy shows that group accounts, credentials, - and sharing of the same accounts are forbidden. Tests show that the network - product does not support credentials unrelated to an account - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-004 assessable: true depth: 3 @@ -2648,6 +2300,9 @@ objects: a specified configurable period of inactivity' + typical_evidence: Verification of successful login and logout with a new account + or an existing account. Verification that OAM user sessions are terminated + automatically after a predefined configurable amount of time reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2657,14 +2312,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node155 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-004 - name: Evidence - description: Verification of successful login and logout with a new account - or an existing account. Verification that OAM user sessions are terminated - automatically after a predefined configurable amount of time - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-005 assessable: true depth: 3 @@ -2672,6 +2319,8 @@ objects: ref_id: SO11-005 description: System accounts in UNIX (and derivatives like LINUX) have unique UIDs + typical_evidence: Verify that UIDs in the operating system of the network product + are all unique and, in particular, only the root account has UID = 0 reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2681,13 +2330,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node157 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-005 - name: Evidence - description: Verify that UIDs in the operating system of the network product - are all unique and, in particular, only the root account has UID = 0 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-006 assessable: true depth: 3 
@@ -2696,6 +2338,10 @@ objects: description: 'Session ID is unpredictable. It uniquely identifies the user and distinguishes the session from all other active sessions. Session ID does not contain sensitive information in clear text ' + typical_evidence: After logging in repeatedly with different user IDs and a + number of times with the same user ID, the logs of the network product show + that Session IDs are random and are different between sessions of the same + and different users reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2705,15 +2351,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node159 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-006 - name: Evidence - description: After logging in repeatedly with different user IDs and a number - of times with the same user ID, the logs of the network product show that - Session IDs are random and are different between sessions of the same and - different users - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-007 assessable: true depth: 3 @@ -2721,6 +2358,10 @@ objects: ref_id: SO11-007 description: ' Network product only accepts server generated session IDs and does not accept session identifiers from GET/POST variables' + typical_evidence: 'Verify that retrieving a session ID and using it to access + an existing session through a POST or GET results in a failure. Generating + a session ID on the client and attempting to login to a network product results + in a failure ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2730,15 +2371,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node161 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-007 - name: Evidence - description: 'Verify that retrieving a session ID and using it to access an - existing session through a POST or GET results in a failure. Generating a - session ID on the client and attempting to login to a network product results - in a failure ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-008 assessable: true depth: 3 @@ -2749,6 +2381,9 @@ objects: the session ID is deleted, and the user is forced to (re)authenticate to establish a new session. Default value for this maximum lifetime should be set to 8 hours + typical_evidence: Verify that it is not possible to keep a session alive for + longer than the configured maximum lifetime documented in the network product + documentation (default should be 8 hours) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2758,14 +2393,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node163 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-008 - name: Evidence - description: Verify that it is not possible to keep a session alive for longer - than the configured maximum lifetime documented in the network product documentation - (default should be 8 hours) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-009 assessable: true depth: 3 
@@ -2778,6 +2405,11 @@ objects: specified domain; and ''path'' attribute is set to ensure that the cookie can only be sent to the specified directory or sub-directory' + typical_evidence: 'Verify that, after logging in repeatedly with different user + IDs and a number of times with the same user ID, the cookies received in different + user sessions have the following properties: neither the "expire" nor the + "max-age" attribute is set; attribute ''HttpOnly'' is set to true; ''domain'' + attribute is set; and ''path'' attribute is set' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2787,16 +2419,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node165 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-009 - name: Evidence - description: 'Verify that, after logging in repeatedly with different user IDs - and a number of times with the same user ID, the cookies received in different - user sessions have the following properties: neither the "expire" nor the - "max-age" attribute is set; attribute ''HttpOnly'' is set to true; ''domain'' - attribute is set; and ''path'' attribute is set' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-010 assessable: true depth: 3 @@ -2806,6 +2428,8 @@ objects: in addition to primary authentication used for 3GPP access. This additional access authentication and authorization should use credentials other than those used for the primary authentication + typical_evidence: Verify that access to a slice and its services is not possible + without successful slice specific authentication reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2815,13 +2439,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node167 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-010 - name: Evidence - description: Verify that access to a slice and its services is not possible - without successful slice specific authentication - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-011 assessable: true depth: 3 @@ -2829,6 +2446,9 @@ objects: ref_id: SO11-011 description: MANO components (NFVO, VIM, and VNFM) should verify identity and location of the sender before acting on received data + typical_evidence: Verify that access to MANO components (NFVO, VIM, and VNFM) + is only possible with correct identity/credentials and from approved locations + (such as both source and destination being in the same geographic area) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2838,14 +2458,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node169 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-011 - name: Evidence - description: Verify that access to MANO components (NFVO, VIM, and VNFM) is - only possible with correct identity/credentials and from approved locations - (such as both source and destination being in the same geographic area) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-012 assessable: true depth: 3 
@@ -2853,6 +2465,10 @@ objects: ref_id: SO11-012 description: SDN control layer should authenticate and authorize administrators and applications. SDN controller should authenticate the switches + typical_evidence: 'Verify that: (1) attempts to attach new switches without + appropriate credentials are rejected by the SDN controller; (2) access to + SDN controller is denied without credentials for an administrator account; + and (3) unauthorized applications are not executed by the controller' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2862,15 +2478,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node171 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-012 - name: Evidence - description: 'Verify that: (1) attempts to attach new switches without appropriate - credentials are rejected by the SDN controller; (2) access to SDN controller - is denied without credentials for an administrator account; and (3) unauthorized - applications are not executed by the controller' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-013 assessable: true depth: 3 @@ -2878,6 +2485,10 @@ objects: ref_id: SO11-013 description: AKMA reuses the same UE subscription and the same credentials used for 5G access + typical_evidence: Verify that a test UE with 5G credentials can connect to an + MNO network and an application function (AF) supporting AKMA. Logs at the + AF, AAnF, and AUSF confirm successful reuse of UE 5G credentials for authenticating + access to the 5G network and to the AF reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2887,15 +2498,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node173 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-013 - name: Evidence - description: Verify that a test UE with 5G credentials can connect to an MNO - network and an application function (AF) supporting AKMA. Logs at the AF, - AAnF, and AUSF confirm successful reuse of UE 5G credentials for authenticating - access to the 5G network and to the AF - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-014 assessable: true depth: 3 @@ -2903,6 +2505,11 @@ objects: ref_id: SO11-014 description: AKMA reuses the 5G primary authentication procedure for implicit authentication to AKMA services + typical_evidence: "Verify that a test UE device with SIM credentials from an\ + \ MNO can successfully authenticate with EAP-AKA\u2019 or 5G AKA. Verify that\ + \ the same procedure is used when authenticating to an AF supporting AKMA.\ + \ Logs at the AF, AAnF, and AUSF confirm reuse of primary authentication during\ + \ AKMA authentication" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2912,22 +2519,13 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node175 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-014 - name: Evidence - description: "Verify that a test UE device with SIM credentials from an MNO\ - \ can successfully authenticate with EAP-AKA\u2019 or 5G AKA. Verify that\ - \ the same procedure is used when authenticating to an AF supporting AKMA.\ - \ Logs at the AF, AAnF, and AUSF confirm reuse of primary authentication during\ - \ AKMA authentication" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-015 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11 ref_id: SO11-015 description: A-KID should be globlly unique + typical_evidence: Logs at the AAnF show unique/non-repeating A-KIDs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2937,12 +2535,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node177 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-015 - name: Evidence - description: Logs at the AAnF show unique/non-repeating A-KIDs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-016 assessable: true depth: 3 
@@ -2950,6 +2542,9 @@ objects: ref_id: SO11-016 description: AAnFs should implement Naanf_AKMA_AnchorKey_Register service in accordance with 3GPP technical specification 33.535, clause 7.1.2 + typical_evidence: Verify via logs at the AAnF that it stores the AKMA related + key material associated with a SUPI on sending a request containing the SUPI, + A-KID, and KAKMA reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -2959,14 +2554,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node179 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-016 - name: Evidence - description: Verify via logs at the AAnF that it stores the AKMA related key - material associated with a SUPI on sending a request containing the SUPI, - A-KID, and KAKMA - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-017 assessable: true depth: 3 @@ -2974,6 +2561,9 @@ objects: ref_id: SO11-017 description: AAnFs should implement Naanf_AKMA_ApplicationKey_Get service in accordance with 3GPP technical specification 33.535, clause 7.1.3 + typical_evidence: Verify via packet captures at the AAnF that it responds with + the KAF, KAF expiration time, and SUPI on sending a request containing the + A-KID and AF_ID reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -2983,14 +2573,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node181 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-017 - name: Evidence - description: Verify via packet captures at the AAnF that it responds with the - KAF, KAF expiration time, and SUPI on sending a request containing the A-KID - and AF_ID - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-018 assessable: true depth: 3 @@ -2998,6 +2580,8 @@ objects: ref_id: SO11-018 description: AAnFs should implement Naanf_AKMA_Context_Remove service in accordance with 3GPP technical specification 33.535, clause 7.1.4 + typical_evidence: Verify via logs at the AAnF that it removes AKMA related key + material associated with a SUPI on sending a request containing that SUPI reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3007,13 +2591,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node183 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-018 - name: Evidence - description: Verify via logs at the AAnF that it removes AKMA related key material - associated with a SUPI on sending a request containing that SUPI - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-019 assessable: true depth: 3 
@@ -3021,6 +2598,9 @@ objects: ref_id: SO11-019 description: AAnFs should implement Naanf_AKMA_ApplicationKey_ AnonUser_Getservice service in accordance with 3GPP technical specification 33.535, clause 7.1.5 + typical_evidence: 'Verify via packet captures at the AAnF that it responds with + the KAF, KAF expiration time, and optionally the GPSI on sending a request + for anonymous AF access containing the A-KID and AF_ID ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3030,14 +2610,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node185 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-019 - name: Evidence - description: 'Verify via packet captures at the AAnF that it responds with the - KAF, KAF expiration time, and optionally the GPSI on sending a request for - anonymous AF access containing the A-KID and AF_ID ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-020 assessable: true depth: 3 @@ -3045,6 +2617,9 @@ objects: ref_id: SO11-020 description: NEFs should implement Nnef_AKMA_ApplicationKey_Get service in accordance with 3GPP technical specification 33.535, clause 7.1.5 + typical_evidence: Verify via packet captures at the NEF that it responds with + the KAF, KAF expiration time, and optionally the GPSI on sending a request + containing the A-KID and AF_ID reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3054,14 +2629,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node187 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-020 - name: Evidence - description: Verify via packet captures at the NEF that it responds with the - KAF, KAF expiration time, and optionally the GPSI on sending a request containing - the A-KID and AF_ID - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-021 assessable: true depth: 3 @@ -3069,6 +2636,9 @@ objects: ref_id: SO11-021 description: VAL users authenticated and are provided access tokens with OAuth 2.0, OpenID Connect 1.0, or ACE-Oauth for light-weight protocol realizations + typical_evidence: Verify that a test user can authenticate and obtain an authorization + token from the SIM-S over the IM-UU interface. Logs at the SIM-S confirm successful + authentication of the test user reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3078,14 +2648,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node189 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-021 - name: Evidence - description: Verify that a test user can authenticate and obtain an authorization - token from the SIM-S over the IM-UU interface. Logs at the SIM-S confirm successful - authentication of the test user - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-022 assessable: true depth: 3 
@@ -3095,6 +2657,11 @@ objects: the target gNB match with locally stored values. If there is a mismatch, the AMFs send their locally stored 5G security capabilities of the UE to the target gNB for preventing bidding down on Xn-handover + typical_evidence: When UE sends different security capabilities from the ones + stored in the AMF, packet captures containing the Path-Switch Acknowledge + message sent by AMF to target gNB include locally stored security capabilities + and not the ones sent by UE. The mismatch between locally stored security + capabilities and those sent by UE is shown in the AMF log reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3104,16 +2671,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node191 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-022 - name: Evidence - description: When UE sends different security capabilities from the ones stored - in the AMF, packet captures containing the Path-Switch Acknowledge message - sent by AMF to target gNB include locally stored security capabilities and - not the ones sent by UE. The mismatch between locally stored security capabilities - and those sent by UE is shown in the AMF log - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-023 assessable: true depth: 3 
@@ -3124,6 +2681,10 @@ objects: then the SEAF either initiates an identification procedure with the UE if the 5G-GUTI was used by the UE to retrieve the SUCI, or it sends an authentication failure message to the UE + typical_evidence: Upon receiving an incorrect RES* from UE, logs of the SEAF/AMF + show that the authentication is rejected with an Authentication Reject message + to the UE, or logs of the SEAF/AMF show that that the SEAF/AMF has initiated + an identification procedure with the UE to retrieve the SUCI reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3133,15 +2694,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node193 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-023 - name: Evidence - description: Upon receiving an incorrect RES* from UE, logs of the SEAF/AMF - show that the authentication is rejected with an Authentication Reject message - to the UE, or logs of the SEAF/AMF show that that the SEAF/AMF has initiated - an identification procedure with the UE to retrieve the SUCI - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-024 assessable: true depth: 3 
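Review bot: The added `typical_evidence` for SO11-023 contains a doubled word, `show that that the SEAF/AMF has initiated`, carried over verbatim from the removed node193 text; since this migration copies every evidence string, it is the natural moment to clean it up. Proposed: `to the UE, or logs of the SEAF/AMF show that the SEAF/AMF has initiated`. If the YAML is produced from a source sheet, fix it there so the next regeneration does not reintroduce it.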
@@ -3149,6 +2701,12 @@ objects: ref_id: SO11-024 description: AUSFs should implement Nausf_UEAuthentication service in accordance with 3GPP technical specification 33.501, clause 14.1 + typical_evidence: "Verify that i) sending SUPI or SUCI with serving network\ + \ name to the Nausf_UEAuthentication service results in the service returning\ + \ a 5G AKA authentication vector or an EAP-AKA\u2019 packet. ii) sending 5G\ + \ AKA authentication confirmation message or EAP-AKA\u2019 message to the\ + \ Nausf_UEAuthentication service results in the service returning the authentication\ + \ result and a master key if authentication was successful" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3158,17 +2716,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node195 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-024 - name: Evidence - description: "Verify that i) sending SUPI or SUCI with serving network name\ - \ to the Nausf_UEAuthentication service results in the service returning a\ - \ 5G AKA authentication vector or an EAP-AKA\u2019 packet. ii) sending 5G\ - \ AKA authentication confirmation message or EAP-AKA\u2019 message to the\ - \ Nausf_UEAuthentication service results in the service returning the authentication\ - \ result and a master key if authentication was successful" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-025 assessable: true depth: 3 
@@ -3179,6 +2726,13 @@ objects: indication to the AUSF and does not send new authentication requests to the UE until it has received a response ' + typical_evidence: Sending unsolicited "synchronization failure indication" messages + from UE have no effect on the SEAF. If authentication failure with synchronization + failure message is received by the SEAF, then access logs of the SEAF show + that it does not send new authentication requests before having received the + response to its Nausf_UEAuthentication_Authenticate Request message with a + "synchronization failure indication" from the AUSF (or before it is timed + out) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3188,18 +2742,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node197 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-025 - name: Evidence - description: Sending unsolicited "synchronization failure indication" messages - from UE have no effect on the SEAF. If authentication failure with synchronization - failure message is received by the SEAF, then access logs of the SEAF show - that it does not send new authentication requests before having received the - response to its Nausf_UEAuthentication_Authenticate Request message with a - "synchronization failure indication" from the AUSF (or before it is timed - out) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-026 assessable: true depth: 3 
@@ -3207,6 +2749,9 @@ objects: ref_id: SO11-026 description: UDMs should implement Nudm_UEAuthentication_Get service in accordance with 3GPP technical specification 33.501, clause 14.2 + typical_evidence: Verify that the Nudm_UEAuthentication_Get service responds + with the authentication method and corresponding data on sending the SUPI/SUCI + along with the serving network name reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3216,14 +2761,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node199 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-026 - name: Evidence - description: Verify that the Nudm_UEAuthentication_Get service responds with - the authentication method and corresponding data on sending the SUPI/SUCI - along with the serving network name - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-027 assessable: true depth: 3 @@ -3231,6 +2768,9 @@ objects: ref_id: SO11-027 description: UDMs should implement Nudm_UEAuthentication_ResultConfirmation service in accordance with 3GPP technical specification 33.501, clause 14.2 + typical_evidence: Verify that UDM access logs contain information such as SUPI, + timestamp of the authentication, the authentication type, and serving network + name sent to the Nudm_UEAuthentication_ReultConfirmation service of the UDM reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
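Review bot: The added `typical_evidence` for SO11-027 misspells the 3GPP service as `Nudm_UEAuthentication_ReultConfirmation`, while the `description` line of the same requirement three lines above spells it `Nudm_UEAuthentication_ResultConfirmation`; the typo is copied verbatim from the removed node201 text. An auditor searching UDM access logs for the service name will not match on the misspelt form, so this is worth fixing while the text is being moved. Proposed: `name sent to the Nudm_UEAuthentication_ResultConfirmation service of the UDM`. If this file is generated from a source sheet, apply the fix there rather than only in the YAML.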
@@ -3240,14 +2780,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node201 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-027 - name: Evidence - description: Verify that UDM access logs contain information such as SUPI, timestamp - of the authentication, the authentication type, and serving network name sent - to the Nudm_UEAuthentication_ReultConfirmation service of the UDM - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-028 assessable: true depth: 3 @@ -3255,6 +2787,9 @@ objects: ref_id: SO11-028 description: SMF gives priority to security policy from UDM over locally configured policy + typical_evidence: 'Capture of the Namf_Communication_N1N2MessageTsent from the + SMF to the AMF includes the user plane security policy configured in the UDM + and not the one configured locally in the SMF ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3264,14 +2799,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node203 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-028 - name: Evidence - description: 'Capture of the Namf_Communication_N1N2MessageTsent from the SMF - to the AMF includes the user plane security policy configured in the UDM and - not the one configured locally in the SMF ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-029 assessable: true depth: 3 
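Review bot: `Namf_Communication_N1N2MessageTsent` in the SO11-028 `typical_evidence` looks like a corrupted run-together of the message name and the verb, presumably `Namf_Communication_N1N2MessageTransfer sent`, carried over from the removed node203 text; as written the string names a service that does not exist, which makes the evidence unusable as a log/packet-capture search key. The same scalar also keeps a trailing space inside the single quotes (`locally in the SMF '`), as do the SO11-007 and SO11-019 values elsewhere in this patch, and that whitespace is stored into the new text field. Suggested value: `typical_evidence: 'Capture of the Namf_Communication_N1N2MessageTransfer sent from the SMF to the AMF includes the user plane security policy configured in the UDM and not the one configured locally in the SMF'`. Please confirm the intended message name against TS 33.501 before changing it, and fix it at the source sheet if this YAML is generated.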
@@ -3280,6 +2807,9 @@ objects: description: During a handover, the SMF sends locally stored user plane security policy to the gNB/ng-eNB when there is a mismatch in the policy received from the radio network gNB/ng-eNB + typical_evidence: Capture of the Nsmf_PDUSession_SMContextUpdate Response message + sent from the SMF contains the locally stored UE security policy in the n2SmInf + IE reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3289,14 +2819,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node205 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-029 - name: Evidence - description: Capture of the Nsmf_PDUSession_SMContextUpdate Response message - sent from the SMF contains the locally stored UE security policy in the n2SmInf - IE - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-030 assessable: true depth: 3 @@ -3305,6 +2827,10 @@ objects: description: SEPPs are able to identify mismatch between the PLMN-ID contained in the incoming N32-f message and the PLMN-ID in the related N32-f context, and send appropriate error code on mismatch + typical_evidence: Packet captures at the SEPP show that an error signaling message + containing the N32-f Message Id and error code is sent to the peer SEPP if + the PLMN-ID in the incoming N32 message from the peer SEPP does not match + the peer PLMN ID in the N32-f peer information in the N32-f context reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3314,15 +2840,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node207 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-030 - name: Evidence - description: Packet captures at the SEPP show that an error signaling message - containing the N32-f Message Id and error code is sent to the peer SEPP if - the PLMN-ID in the incoming N32 message from the peer SEPP does not match - the peer PLMN ID in the N32-f peer information in the N32-f context - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-031 assessable: true depth: 3 @@ -3332,6 +2849,10 @@ objects: token matches the remote PLMN-ID corresponding to the N32-f context Id in the N32 message' + typical_evidence: Packet captures and logs of the SEPP show that an error signaling + message containing the N32-f Message Id and error code is sent to the peer + SEPP if the PLMN-ID appended in the subject claim of the access token received + is different from PLMN-ID of the peer SEPP in the N32-f content Id reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3341,15 +2862,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node209 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-031 - name: Evidence - description: Packet captures and logs of the SEPP show that an error signaling - message containing the N32-f Message Id and error code is sent to the peer - SEPP if the PLMN-ID appended in the subject claim of the access token received - is different from PLMN-ID of the peer SEPP in the N32-f content Id - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-032 assessable: true depth: 3 @@ -3358,6 +2870,10 @@ objects: description: SEPPs identify a mismatch between the protection policies manually configured for a specific roaming partner and an IPX provider and the protection policies received on an N32-c connection, and send an error message on mismatch + typical_evidence: Logs and packet captures of a SEPP show that sending a Security + Parameter Exchange Request message to a peer SEPP containing a data-type encryption + policy and modification policy different from what is configured locally on + the peer SEPP results in an error message on the N32-c connection reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3367,15 +2883,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node211 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-032 - name: Evidence - description: Logs and packet captures of a SEPP show that sending a Security - Parameter Exchange Request message to a peer SEPP containing a data-type encryption - policy and modification policy different from what is configured locally on - the peer SEPP results in an error message on the N32-c connection - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-033 assessable: true depth: 3 @@ -3384,6 +2891,8 @@ objects: description: SEPPs ensure that intermediate IPX don't misplace (move or copy) encrypted IE to a different location in a JSON object that would be reflected from the producer NF for an IE without encryption + typical_evidence: Logs and packet captures of a SEPP confirm that an N32-f message + is discarded if an encrypted IE is moved to a cleartext IE reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3393,13 +2902,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node213 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-033 - name: Evidence - description: Logs and packet captures of a SEPP confirm that an N32-f message - is discarded if an encrypted IE is moved to a cleartext IE - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-034 assessable: true depth: 3 
@@ -3411,6 +2913,9 @@ objects: slice, NRF authorizes the discovery request according to the configuration of that slice. Example of such policy configuration could be that certain function/service instances are not discoverable from other network slices + typical_evidence: NRF access logs and packet captures on the NRF confirm that + an NRF returns a response with "403 Forbidden" status code if the requested + NF instance does not allow discovery from other slices reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3420,14 +2925,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node215 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-034 - name: Evidence - description: NRF access logs and packet captures on the NRF confirm that an - NRF returns a response with "403 Forbidden" status code if the requested NF - instance does not allow discovery from other slices - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-035 assessable: true depth: 3 @@ -3435,6 +2932,9 @@ objects: ref_id: SO11-035 description: NRFs should implement Nnrf_AccessToken_Get service in accordance with 3GPP technical specification 33.501, clause 14.3 + typical_evidence: Verify that a test NF service consumer can receive an access + token with appropriate claims from the Nnrf_AccessToken_Get service by sending + it a request with its NF Instance Id, requested "scope", and optional information reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3444,14 +2944,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node217 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-035 - name: Evidence - description: Verify that a test NF service consumer can receive an access token - with appropriate claims from the Nnrf_AccessToken_Get service by sending it - a request with its NF Instance Id, requested "scope", and optional information - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-036 assessable: true depth: 3 @@ -3459,6 +2951,8 @@ objects: ref_id: SO11-036 description: NEFs authorize requests from application functions using standard OAuth as profiled in 3GPP TS 33.501 + typical_evidence: Verification that invocation of NEF northbound APIs with valid + OAuth tokens is successful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3468,13 +2962,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node219 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-036 - name: Evidence - description: Verification that invocation of NEF northbound APIs with valid - OAuth tokens is successful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-037 assessable: true depth: 3 
@@ -3487,6 +2974,13 @@ objects: the network from outside of EU. If necessary, only temporary onsite/remote access to third parties should be provided and no permanent credentials are disclosed + typical_evidence: Verify that attempts to access a system function are only + successful when logged in as a user with adequate privileges. Verify access + logs to confirm that attempts for remote access by third parties are either + denied, or restricted (e.g. one-time short-lived access grant), according + to the documented policy (see control description). Access logs confirm that + onsite/remote access by third parties, if allowed, is based on temporary or + one-time passwords used only for designated tasks reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3496,18 +2990,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node221 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-037 - name: Evidence - description: Verify that attempts to access a system function are only successful - when logged in as a user with adequate privileges. Verify access logs to confirm - that attempts for remote access by third parties are either denied, or restricted - (e.g. one-time short-lived access grant), according to the documented policy - (see control description). Access logs confirm that onsite/remote access by - third parties, if allowed, is based on temporary or one-time passwords used - only for designated tasks - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-038 assessable: true depth: 3 
@@ -3518,21 +3000,7 @@ objects: the minimum required for the tasks they have to perform. Execution of applications and components shall also take place with rights that are as limited as possible. Access control policy is reviewed and revised based on 5G risk assessment - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node223 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-038 - name: Evidence - description: "Access to critical or sensitive network components is captured\ + typical_evidence: "Access to critical or sensitive network components is captured\ \ in logs of the PAM solution. Documentation of the network product describes\ \ an authorization policy which includes details on the lowest access rights\ \ assigned to user accounts and applications. Verify that files and applications\ @@ -3543,6 +3011,15 @@ objects: \ logs, comments and comparison with prior versions indicate that access control\ \ policy is reviewed and revised periodically in the context of evolving 5G\ \ risks." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-039 assessable: true depth: 3 
@@ -3550,6 +3027,9 @@ objects: ref_id: SO11-039 description: Privilege escalation in interactive sessions (CLI or GUI) of a network product is not allowed without re-authentication + typical_evidence: 'Verify that commands such as ''su'' which enable a user or + function to gain administrator/root privileges from another user account require + re-authentication ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3559,13 +3039,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node225 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-039 - name: Evidence - description: 'Verify that commands such as ''su'' which enable a user or function - to gain administrator/root privileges from another user account require re-authentication ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-040 assessable: true depth: 3 
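Review bot: The new `typical_evidence` for SO11-039 carries a trailing space inside the single-quoted scalar (`re-authentication '`), inherited verbatim from the deleted node; since the value is now a free-text model field rather than a node description, it will be rendered and compared with that stray whitespace. Trim it while the text is being moved: `re-authentication'`. Quoting is still needed only because of the embedded `''su''`.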
@@ -3577,22 +3050,8 @@ objects: This limitation shall be realized on the network product itself (without measures, e.g. firewall, at network side), or by implementing devices such as a virtual firewall, hardware firewall, or a third-party firewall agent. ' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node227 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-040 - name: Evidence - description: 'Services can be configured on a per-interface basis. Running a - network port scanner (e.g. nmap) reveals that services are only active on + typical_evidence: 'Services can be configured on a per-interface basis. Running + a network port scanner (e.g. nmap) reveals that services are only active on the interface where they are needed. @@ -3604,6 +3063,15 @@ objects: and verify that the messages are dropped on receipt by the network product (e.g. by means of appropriate firewall rules), and that the network product''s applicable system configuration remains unchanged upon receipt of the messages.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-041 assessable: true depth: 3 
@@ -3613,6 +3081,10 @@ objects: \ or file systems have the necessary privileges to do so. In Unix\xAE systems,\ \ the 'sticky' bit can be set on all directories where all users have write\ \ permissions" + typical_evidence: Verify that modifying files and directories for which the + user has the necessary privileges is successful while attempts to modify the + files and directories for which the user doesn't have the necessary privileges + results in failure reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3622,15 +3094,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node229 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-041 - name: Evidence - description: Verify that modifying files and directories for which the user - has the necessary privileges is successful while attempts to modify the files - and directories for which the user doesn't have the necessary privileges results - in failure - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-042 assessable: true depth: 3 @@ -3638,6 +3101,10 @@ objects: ref_id: SO11-042 description: Mutual authentication between the UE and network using EAP-AKA' and 5G AKA should be supported + typical_evidence: "Verify that a test UE device with SIM credentials from an\ + \ MNO can successfully authenticate with EAP-AKA\u2019 and 5G AKA. Packet\ + \ captures of core network nodes SEAF, AUSF, UDM confirm successful authentication\ + \ of the test UE device" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
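Review bot: In the SO11-042 hunk the new `typical_evidence` spells the method as `EAP-AKA\u2019` (typographic right quote) while the sibling `description` two lines above uses the ASCII `EAP-AKA'`, which is also the 3GPP spelling; a text search or filter for `EAP-AKA'` would match the description but miss its evidence. Normalize the added line to `\ MNO can successfully authenticate with EAP-AKA' and 5G AKA. Packet\` (an ASCII apostrophe is legal inside the double-quoted scalar).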
@@ -3647,15 +3114,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node231 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-042 - name: Evidence - description: "Verify that a test UE device with SIM credentials from an MNO\ - \ can successfully authenticate with EAP-AKA\u2019 and 5G AKA. Packet captures\ - \ of core network nodes SEAF, AUSF, UDM confirm successful authentication\ - \ of the test UE device" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-043 assessable: true depth: 3 @@ -3663,6 +3121,12 @@ objects: ref_id: SO11-043 description: NSSAAF should implement Nnssaaf_NSSAA_Authenticate service in accordance with 3GPP technical specification 33.501, clause 14.4.1.2 + typical_evidence: Verify via packet captures that sending an EAP identity response + or an EAP response together with the GPSI and S-NSSAI to the Nnssaaf_NSSAA_Authenticate + service results in the service i) forwarding the EAP message to the AAA-S + handling the network slice specific authentication for the requested S-NSSAI + and ii) returning the EAP message received from the AAA-S in response to the + message forwarded earlier reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3672,17 +3136,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node233 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-043 - name: Evidence - description: Verify via packet captures that sending an EAP identity response - or an EAP response together with the GPSI and S-NSSAI to the Nnssaaf_NSSAA_Authenticate - service results in the service i) forwarding the EAP message to the AAA-S - handling the network slice specific authentication for the requested S-NSSAI - and ii) returning the EAP message received from the AAA-S in response to the - message forwarded earlier - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-044 assessable: true depth: 3 @@ -3690,6 +3143,9 @@ objects: ref_id: SO11-044 description: NSSAAF should implement Nnssaaf_NSSAA_Re-AuthenticationNotification service in accordance with 3GPP technical specification 33.501, clause 14.4.1.3 + typical_evidence: Verify via packet captures on the AMF that a UE is re-authenticated + when the NSSAAF triggers a network slice specific re-authentication procedure + via the Nnssaaf_NSSAA_Re-AuthenticationNotification service reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3699,14 +3155,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node235 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-044 - name: Evidence - description: Verify via packet captures on the AMF that a UE is re-authenticated - when the NSSAAF triggers a network slice specific re-authentication procedure - via the Nnssaaf_NSSAA_Re-AuthenticationNotification service - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-045 assessable: true depth: 3 @@ -3714,6 +3162,9 @@ objects: ref_id: SO11-045 description: NSSAAF should implement Nnssaaf_NSSAA_RevocationNotification service in accordance with 3GPP technical specification 33.501, clause 14.4.1.4 + typical_evidence: Verify via packet captures on the AMF that a UE cannot access + an S-NSSAI once the NSSAAF triggers a network slice specific revocation procedure + via the Nnssaaf_NSSAA_RevocationNotification service reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3723,14 +3174,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node237 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-045 - name: Evidence - description: Verify via packet captures on the AMF that a UE cannot access an - S-NSSAI once the NSSAAF triggers a network slice specific revocation procedure - via the Nnssaaf_NSSAA_RevocationNotification service - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-046 assessable: true depth: 3 
@@ -3738,6 +3181,8 @@ objects: ref_id: SO11-046 description: Slice management interface is accessed only by authorized communication service customers + typical_evidence: Verification that attempts to access network management slicing + interfaces are only successful after authenticating with authorized accounts reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3747,13 +3192,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node239 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-046 - name: Evidence - description: Verification that attempts to access network management slicing - interfaces are only successful after authenticating with authorized accounts - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-047 assessable: true depth: 3 @@ -3764,6 +3202,8 @@ objects: interface is authorized using OAuth 2.0' + typical_evidence: Verification that the network management interface is accessible + only with valid OAuth tokens reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3773,13 +3213,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node241 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-047 - name: Evidence - description: Verification that the network management interface is accessible - only with valid OAuth tokens - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-048 assessable: true depth: 3 
@@ -3790,6 +3223,10 @@ objects: of whether a NF is a Virtual Network Function (VNF) or a Physical Network Function (PNF). By default, NFs should block communication unless specifically authorized to communicate. + typical_evidence: Verify that attempts to access a network function (NF) from + another NF without explicit authorization are unsuccessful. Verify that, after + explicit authorization, attempts to access a NF with the correct access token + are successful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3799,14 +3236,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node243 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-048 - name: Evidence - description: Verify that attempts to access a network function (NF) from another - NF without explicit authorization are unsuccessful. Verify that, after explicit - authorization, attempts to access a NF with the correct access token are successful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-049 assessable: true depth: 3 @@ -3815,6 +3244,8 @@ objects: description: Protection against hypervisor introspection. Access to state information of guest OS from the hypervisor is restricted and privilege is granted based on "lowest privilege" principle + typical_evidence: Verify that attempts to read or modify log files, or perform + direct memory access from a hypervisor are unsuccessful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3824,13 +3255,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node245 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-049 - name: Evidence - description: Verify that attempts to read or modify log files, or perform direct - memory access from a hypervisor are unsuccessful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-050 assessable: true depth: 3 @@ -3838,6 +3262,9 @@ objects: ref_id: SO11-050 description: MEC platform provides a mobile edge application only the information for which it is authorized + typical_evidence: Access logs of the MEC platform confirm that attempts of the + MEC application to access data or resources via CAPIF for which it does not + have authorization are unsuccessful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3847,14 +3274,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node247 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-050 - name: Evidence - description: Access logs of the MEC platform confirm that attempts of the MEC - application to access data or resources via CAPIF for which it does not have - authorization are unsuccessful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-051 assessable: true depth: 3 
@@ -3862,6 +3281,9 @@ objects: ref_id: SO11-051 description: Virtualization platforms or container infrastructure supporting role-based access control in MEC are in use + typical_evidence: Existence of role-based access control is confirmed by inspecting + access control policies and/or access to resources from accounts with different + roles reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3871,14 +3293,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node249 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-051 - name: Evidence - description: Existence of role-based access control is confirmed by inspecting - access control policies and/or access to resources from accounts with different - roles - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-052 assessable: true depth: 3 @@ -3886,6 +3300,10 @@ objects: ref_id: SO11-052 description: 'Network and data separation: Presence of both physical and logical isolation of resources that don''t have the same criticality' + typical_evidence: Verify that physical and logical separation/segregation of + networks, resources and data is in place, depending on their criticality. + For example, that user data is stored separately on an encrypted disk while + system log is integrity protected locally reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3895,15 +3313,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node251 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-052 - name: Evidence - description: Verify that physical and logical separation/segregation of networks, - resources and data is in place, depending on their criticality. For example, - that user data is stored separately on an encrypted disk while system log - is integrity protected locally - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-053 assessable: true depth: 3 @@ -3920,6 +3329,15 @@ objects: capability for correct execution of the VNF as a permitted list of calls depending on the VNF. Access filtering rules shall be included in the VNF Package as a descriptor in the MCIOP, or in a separate security file.' + typical_evidence: ' Documentation of the virtualisation platform confirms that + VM segregation is supported. Inspection of the virtualisation platform with + diagnostic tools confirms functional segregation of VMs. + + + Test: Attempt abnormal access to the virtualisation layer and check that the + virtualisation layer rejects the abnormal access from the VNF and logs the + attack. Verify that the access filtering policies are included either in the + MCIOP or in a separate security file (descriptor) in the VNF package.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
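Review bot: The `typical_evidence` added for SO11-053 opens with a leading space inside the quotes (`' Documentation of the virtualisation platform ...`), again copied from the removed node; the value will start with whitespace wherever it is displayed. Change the first line to `typical_evidence: 'Documentation of the virtualisation platform confirms that` and leave the folded continuation lines as they are. The two blank lines before `Test:` are intentional paragraph breaks in a single-quoted scalar and should stay.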
@@ -3929,26 +3347,16 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node253 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-053 - name: Evidence - description: ' Documentation of the virtualisation platform confirms that VM - segregation is supported. Inspection of the virtualisation platform with diagnostic - tools confirms functional segregation of VMs. - - - Test: Attempt abnormal access to the virtualisation layer and check that the - virtualisation layer rejects the abnormal access from the VNF and logs the - attack. Verify that the access filtering policies are included either in the - MCIOP or in a separate security file (descriptor) in the VNF package.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-054 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11 ref_id: SO11-054 description: SEAL servers provide service access only to authorized users + typical_evidence: Verify via logs at the SEAL server that requests from a SEAL + client without an access token or with an invalid access token are rejected. + Verify via logs at the SEAL server that service access is granted when a valid + access token is presented reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -3958,21 +3366,16 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node255 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-054 - name: Evidence - description: Verify via logs at the SEAL server that requests from a SEAL client - without an access token or with an invalid access token are rejected. Verify - via logs at the SEAL server that service access is granted when a valid access - token is presented - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-055 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11 ref_id: SO11-055 description: VAL servers provide service access only to authorized users + typical_evidence: Verify via logs at the VAL server that requests from a VAL + client without an access token or with an invalid access token are rejected. + Verify via logs at the VAL server that service access is granted when a valid + access token is presented reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -3982,15 +3385,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node257 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-055 - name: Evidence - description: Verify via logs at the VAL server that requests from a VAL client - without an access token or with an invalid access token are rejected. Verify - via logs at the VAL server that service access is granted when a valid access - token is presented - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-056 assessable: true depth: 3 
@@ -4011,6 +3405,13 @@ objects: \ and security of the Virtualisation Fabric should not be run on the fabric\ \ itself, and should be considered as Security Critical functions running\ \ on separate dedicated hardware." + typical_evidence: 'Verify that restrictions are set properly for administrators + allowed to manage the virtualisation fabric. + + Mount an external file system prepared by a tester with files exploiting privilege + escalation methods. Subsequently, attempt gaining privileged access by using + a suitable privilege escalation method with the contents of the mounted file + system. Confirm that privilege escalation has not occurred.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4020,18 +3421,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node259 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-056 - name: Evidence - description: 'Verify that restrictions are set properly for administrators allowed - to manage the virtualisation fabric. - - Mount an external file system prepared by a tester with files exploiting privilege - escalation methods. Subsequently, attempt gaining privileged access by using - a suitable privilege escalation method with the contents of the mounted file - system. Confirm that privilege escalation has not occurred.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-057 assessable: true depth: 3 
@@ -4042,22 +3431,8 @@ objects: \ authentication system and Attribute Based Access Control (ABAC) such as\ \ Kerberos, specified in IETF RFC 4120\n\u2022 Token-based authorization framework\ \ such as OAuth 2.0, specified in IETF RFC 6749" - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node261 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-057 - name: Evidence - description: 'Verify that the access token is based on OAuth 2.0. In case of - a verification failure, check that NFV resources reject the request based + typical_evidence: 'Verify that the access token is based on OAuth 2.0. In case + of a verification failure, check that NFV resources reject the request based on OAuth 2.0 error response defined in RFC 6749. Verify that the access ticket based on Kerberos. In case of a verification @@ -4078,6 +3453,15 @@ objects: in the Request sent to NFV resources. NFV verifies that the integrity of the access token/ticket, is valid. However, the expiration time in the access token/ticket has expired against the current data/time.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-058 assessable: true depth: 3 
@@ -4088,22 +3472,8 @@ objects: \ protected connection with the VNFM.\n3) VNF checks whether VNFM has been\ \ authorized when VNFM accesses VNF's API.\n4) VNF logs VNFM's management\ \ operations for auditing." - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node263 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-058 - name: Evidence - description: "Trigger the establishment of communication between the VNF and\ - \ the VNFM.\nCapture the communication between the VNF and the VNFM using\ + typical_evidence: "Trigger the establishment of communication between the VNF\ + \ and the VNFM.\nCapture the communication between the VNF and the VNFM using\ \ a tool (e.g. wireshark).\nCheck whether the VNF authenticates the VNFM according\ \ to the mechanism described in the vendor's document. For example, the VNF\ \ can use HTTPS to communicate with the VNFM, and the VNF uses VNFM's certificate\ 
@@ -4114,6 +3484,15 @@ objects: \ in vendor's document. For example, VNF can use OAuth2.0 to authorize the\ \ VNFM. The VNF uses VNFM's token for authorization. \nCheck whether the VNF\ \ logs the operations from VNFM by reviewing VNF logs." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-059 assessable: true depth: 3 
@@ -4126,6 +3505,21 @@ objects: to each virtual function are used to limit both incoming and outgoing traffic in an efficient and scalable way. Each VNF has at least two separate (logical) interfaces dedicated to different network domains. ' + typical_evidence: "A document containing the definition of trust domains and\ + \ the separation requirements to be implemented and enforced.\n\nA document\ + \ containing the software defined rules. Verification that those rules are\ + \ implemented:\n- Check whether the inter-VNF traffic and intra-VNF traffic\ + \ are separated according to the documentation stating the software defined\ + \ rules, network domains and separation requirements. \n- A VNF has at least\ + \ two separate (logical) interfaces dedicated to different network domains.\ + \ Check whether the VNF refuses traffic intended for one network domain on\ + \ all interfaces meant for the other network domain, and vice versa. Perform\ + \ this check for all pairs of different network domains.\n- Check whether\ + \ a VNFCI refuses inter-VNF traffic on all intra-VNF interfaces. For example,\ + \ by way of sending a ping to all intra-VNF interfaces through an inter-VNF\ + \ interface.\n- Check whether a VNFCI refuses intra-VNF traffic on all inter-VNF\ + \ interfaces. For example, by way of sending a ping to all inter-VNF interfaces\ + \ through an intra-VNF interface." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4135,26 +3529,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node265 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-059 - name: Evidence - description: "A document containing the definition of trust domains and the\ - \ separation requirements to be implemented and enforced.\n\nA document containing\ - \ the software defined rules. Verification that those rules are implemented:\n\ - - Check whether the inter-VNF traffic and intra-VNF traffic are separated\ - \ according to the documentation stating the software defined rules, network\ - \ domains and separation requirements. \n- A VNF has at least two separate\ - \ (logical) interfaces dedicated to different network domains. Check whether\ - \ the VNF refuses traffic intended for one network domain on all interfaces\ - \ meant for the other network domain, and vice versa. Perform this check for\ - \ all pairs of different network domains.\n- Check whether a VNFCI refuses\ - \ inter-VNF traffic on all intra-VNF interfaces. For example, by way of sending\ - \ a ping to all intra-VNF interfaces through an inter-VNF interface.\n- Check\ - \ whether a VNFCI refuses intra-VNF traffic on all inter-VNF interfaces. For\ - \ example, by way of sending a ping to all inter-VNF interfaces through an\ - \ intra-VNF interface." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-060 assessable: true depth: 3 
@@ -4166,23 +3540,9 @@ objects: be configured to securely wipe out the virtual volume disks in the event a VNF is crashed or intentionally destroyed to prevent its resources from unauthorised access. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node267 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-060 - name: Evidence - description: 'A documented privacy impact assessment (PIA) for personally identifiable - information (PII) identifying privacy risks to data assets and appropriate - mitigating actions. + typical_evidence: 'A documented privacy impact assessment (PIA) for personally + identifiable information (PII) identifying privacy risks to data assets and + appropriate mitigating actions. Documented security policies restricting where certain types of data can reside @@ -4202,6 +3562,15 @@ objects: - In Openstack: Tempest, Shaker, OS-Faults - In VMWARE: ONTAP, Log Insight' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-061 assessable: true depth: 3 
@@ -4212,21 +3581,7 @@ objects: surface by disabling unneeded interfaces. Example: Wireless interfaces (e.g., WiFi, 4G), if present, should remain optional.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node269 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-061 - name: Evidence - description: 'Verify that all external interfaces are identified and described + typical_evidence: 'Verify that all external interfaces are identified and described in the hardware platform documentation. @@ -4254,6 +3609,15 @@ objects: A documented process is in place indicating a list of interfaces to be disabled and the steps to be followed for disabling them securely. Hardware platform logs confirm the disabled interfaces and conformity with the documented processes.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-062 assessable: true depth: 3 
@@ -4265,21 +3629,7 @@ objects: access to RESTful MEC service APIs defined by ETSI ISG MEC. In case of service-producing applications defined by third parties, other mechanisms such as standalone use of JWT can be used to secure related APIs. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node271 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-062 - name: Evidence - description: 'Verification that the MEC platform and applications use OAuth + typical_evidence: 'Verification that the MEC platform and applications use OAuth for authentication and authorization following ETSI ISG MEC and IETF RFC 6749. Verification can involve looking at product documentation and establishing test OAuth connections. @@ -4302,6 +3652,15 @@ objects: include an application access token request with valid client certificate and parameters, and a token-based service access request with a valid access token.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-063 assessable: true depth: 3 
@@ -4311,6 +3670,13 @@ objects: framework ETSI GS NFV 002 and support the Os-Ma interface between the traditional OSS/BSS and the NFV management and orchestration (MANO) framework. Os-Ma interface uses OAuth for authentication and authorization. + typical_evidence: 'Verification that the Os-Ma interface uses OAuth for authentication + and authorization. Verification can involve looking at product documentation + and establishing test OAuth connections. + + + Verification that the Os-Ma interface is accessible only with valid OAuth + tokens.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4320,18 +3686,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node273 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-063 - name: Evidence - description: 'Verification that the Os-Ma interface uses OAuth for authentication - and authorization. Verification can involve looking at product documentation - and establishing test OAuth connections. - - - Verification that the Os-Ma interface is accessible only with valid OAuth - tokens.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-064 assessable: true depth: 3 
@@ -4343,6 +3697,14 @@ objects: NFVI as these make it significantly harder to update and patch. Virtualisation hosts only open the minimum number of ports required and all ports and services are locked down and managed.' + typical_evidence: 'All interfaces are identified in the documentation. Instructions + of how an administrator user can use all the interfaces are provided in the + documentation. + + + Run a port scanner and verify that the required interfaces are open/reachable. + + Run a port scanner and verify that unneeded ports are not opn/reachable.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4352,19 +3714,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node275 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-064 - name: Evidence - description: 'All interfaces are identified in the documentation. Instructions - of how an administrator user can use all the interfaces are provided in the - documentation. - - - Run a port scanner and verify that the required interfaces are open/reachable. - - Run a port scanner and verify that unneeded ports are not opn/reachable.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-065 assessable: true depth: 3 
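Review bot: The migrated evidence text keeps the typo `opn` in the last added line of the first hunk on this line, `Run a port scanner and verify that unneeded ports are not opn/reachable.'`; it should read `open/reachable`. This text is now rendered as the requirement's typical evidence rather than a separate child node, so it is worth correcting while it is being moved. The same typo existed in the removed `node275` description, so it is carried over rather than introduced here.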
@@ -4385,22 +3734,8 @@ objects: \ escape from a privileged container to a host. \n- Monitor cluster-level\ \ (Kubernetes) data and events associated with changing containers' volume\ \ configurations." - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node277 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-065 - name: Evidence - description: ' By way of reviewing (1) test reports, including testing plans - and results captured therein, (2) documented container and host processes + typical_evidence: ' By way of reviewing (1) test reports, including testing + plans and results captured therein, (2) documented container and host processes and (3) logs associated with container and host activities, verify that during onboarding/instantiation/runtime of containers MNOs perform continuous monitoring for misconfiguration of runtime workloads, container privileges, host, usage @@ -4417,6 +3752,15 @@ objects: Test: Attempt abnormal access from a container to the host and verify that the host rejects such access and logs the attack.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-066 assessable: true depth: 3 
@@ -4427,6 +3771,10 @@ objects: clear to users and administrators. Confidential system internal data includes authentication data (i.e. PINs, cryptographic keys, passwords, cookies) as well as other system internal data such as stack traces in error messages + typical_evidence: Verify that system functions as described in the product documentation + (e.g. local or remote OAM CLI or GUI, logging messages, alarms, error messages, + configuration file exports, stack traces) do not reveal any confidential system + internal data in the clear (for example, passphrases) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4436,15 +3784,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node279 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-066 - name: Evidence - description: Verify that system functions as described in the product documentation - (e.g. local or remote OAM CLI or GUI, logging messages, alarms, error messages, - configuration file exports, stack traces) do not reveal any confidential system - internal data in the clear (for example, passphrases) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-067 assessable: true depth: 3 @@ -4452,6 +3791,9 @@ objects: ref_id: SO11-067 description: Sensitive data in persistent/temporary storage has restricted access and files are protected against manipulation + typical_evidence: Verification that records of sensitive data such as passwords + are not stored directly and, instead, they are scrambled with a one-way hash + function reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
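Review bot: The added `typical_evidence` for SO11-067 accepts any `one-way hash function` as sufficient evidence for stored passwords, which an assessor applying current practice would not; a fast unsalted digest is recoverable offline, and the expected evidence is a salted, purpose-built password hash (bcrypt, scrypt, Argon2 or PBKDF2) with a per-record salt. If the library is meant to be a verbatim transcription of the ENISA matrix the wording has to stay, but then a short assessor note would help, e.g. appending `(a salted, slow password-hashing function such as bcrypt, scrypt, Argon2 or PBKDF2, not a plain digest)`. I cannot tell from the hunk which policy this project follows for editorial additions to imported frameworks.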
@@ -4461,13 +3803,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node281 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-067 - name: Evidence - description: Verification that records of sensitive data such as passwords are - not stored directly and, instead, they are scrambled with a one-way hash function - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-068 assessable: true depth: 3 @@ -4476,6 +3811,10 @@ objects: description: If normal users are allowed to mount external file systems (locally or via the network), OS-level restrictions should be set properly to prevent privilege escalation or extended access permissions + typical_evidence: "For Linux\xAE systems: verify that nodev and nosuid options\ + \ are set in /etc/fstab for all filesystems which have the \"user\" option.\ + \ For all operating systems: verify that attempts to gain privileged access\ + \ by using the contents of a mounted file system are unsuccessful" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4485,15 +3824,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node283 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-068 - name: Evidence - description: "For Linux\xAE systems: verify that nodev and nosuid options are\ - \ set in /etc/fstab for all filesystems which have the \"user\" option. For\ - \ all operating systems: verify that attempts to gain privileged access by\ - \ using the contents of a mounted file system are unsuccessful" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-069 assessable: true depth: 3 
@@ -4504,6 +3834,8 @@ objects: a separate operational role with minimal privileges. All administration login attempts must be logged and audited.' + typical_evidence: Administration document and system logs confirm the correct + configuration and the use of administration roles and rules. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4513,13 +3845,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node285 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-069 - name: Evidence - description: Administration document and system logs confirm the correct configuration - and the use of administration roles and rules. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-070 assessable: true depth: 3 @@ -4532,21 +3857,7 @@ objects: Containers or VMs cannot be granted any additional privileges during their runtime (for example, ''no-new-privileges'' flag in the Container).' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node287 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-070 - name: Evidence - description: 'A document that describes the interfaces to VMs or Containers + typical_evidence: 'A document that describes the interfaces to VMs or Containers and how users can login to them. 
@@ -4561,6 +3872,15 @@ objects: is allowed. The tester tries to login to the VM or Container using the credentials of the root or equivalent highest privileged user for initialization. The tester is able to perform initialization using the root credentials.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-071 assessable: true depth: 3 @@ -4569,6 +3889,8 @@ objects: description: 'Sensitive information (e.g., private keys, critical configuration files, credentials) should never be published in a production VM/Container image. ' + typical_evidence: Verify through scan that no sensitive information is included + in a VM/Container image before its deployment to NFV. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4578,13 +3900,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node289 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-071 - name: Evidence - description: Verify through scan that no sensitive information is included in - a VM/Container image before its deployment to NFV. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-072 assessable: true depth: 3 
@@ -4599,6 +3914,11 @@ objects: \ govern resource access. \n7. The current state of assets, network infrastructure,\ \ and network traffic is tracked to improve security policies, context awareness,\ \ and enforcement. \nFor more information, see NIST SP 800-207. " + typical_evidence: "Document (such as policy and documented processes) on how\ + \ the MNO is implementing zero-trust, security by design and defence-in-depth\ + \ approaches. \n \nDocumented results of security audits and testing of processes\ + \ and technical measures implementing zero-trust, security by design and defence-in-depth\ + \ approaches." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4608,16 +3928,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node291 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-072 - name: Evidence - description: "Document (such as policy and documented processes) on how the\ - \ MNO is implementing zero-trust, security by design and defence-in-depth\ - \ approaches. \n \nDocumented results of security audits and testing of processes\ - \ and technical measures implementing zero-trust, security by design and defence-in-depth\ - \ approaches." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-073 assessable: true depth: 3 @@ -4625,6 +3935,9 @@ objects: ref_id: SO11-073 description: Mutual authentication and cipher suite negotiation between SEPPs in roaming network + typical_evidence: Packet captures on the N32-f interface of the SEPP show that + security parameter exchange request and response messages are used for negotiating + the ciphersuites reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4634,14 +3947,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node293 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-073 - name: Evidence - description: Packet captures on the N32-f interface of the SEPP show that security - parameter exchange request and response messages are used for negotiating - the ciphersuites - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-074 assessable: true depth: 3 @@ -4652,6 +3957,11 @@ objects: resides outside the 3GPP MNO domain, mutual authentication is only based on client and server certificates with TLS. Cryptographic keys/certificates for TLS authentication are protected + typical_evidence: Verification of successful TLS tunnel setup between NEF and + application functions. Verification with a key management utility that the + keys/certificates for TLS authentication are protected in the system keystore + or similar tool (Java KeyStore, AWS KMS, etc.), in secure memory, or protected + with hardware security tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4661,16 +3971,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node295 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-074 - name: Evidence - description: Verification of successful TLS tunnel setup between NEF and application - functions. Verification with a key management utility that the keys/certificates - for TLS authentication are protected in the system keystore or similar tool - (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware - security tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-075 assessable: true depth: 3 @@ -4682,6 +3982,13 @@ objects: Mutual authentication of entities for management interfaces is implemented.' + typical_evidence: "Network product documentation contains the list of management\ + \ protocols with a corresponding list of authentication mechanisms, and access\ + \ control rules used for accessing the management plane and its interfaces.\ + \ \n\nExceptions and emergency access procedure are documented.\n\nPacket\ + \ captures of each management protocol confirm successful mutual authentication\ + \ before allowing access.\n\nManagement plane logs confirm correct use of\ + \ authentication mechanisms and access control rules." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4691,18 +3998,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node297 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-075 - name: Evidence - description: "Network product documentation contains the list of management\ - \ protocols with a corresponding list of authentication mechanisms, and access\ - \ control rules used for accessing the management plane and its interfaces.\ - \ \n\nExceptions and emergency access procedure are documented.\n\nPacket\ - \ captures of each management protocol confirm successful mutual authentication\ - \ before allowing access.\n\nManagement plane logs confirm correct use of\ - \ authentication mechanisms and access control rules." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-076 assessable: true depth: 3 @@ -4710,6 +4005,8 @@ objects: ref_id: SO11-076 description: Extensible Authentication Protocol (EAP) framework is used for secondary authentication + typical_evidence: Authentication attempt to an external data network with an + EAP authentication method (and the corresponding credentials) is successful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4719,13 +4016,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node299 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-076 - name: Evidence - description: Authentication attempt to an external data network with an EAP - authentication method (and the corresponding credentials) is successful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-077 assessable: true depth: 3 
@@ -4734,6 +4024,12 @@ objects: description: Authentication via trusted and untrusted non-3GPP access is performed with vendor-specific EAP method "EAP-5G" in accordance with 3GPP technical specification 33.501, clauses 7.1, 7.2, and 7A + typical_evidence: Verify that a test UE device with SIM credentials from an + MNO can successfully authenticate and use MNO services when connecting via + trusted and untrusted non-3GPP access networks. For untrusted non-3GPP access, + packet captures at the N3IWF confirm successful authentication with EAP-5G. + For trusted non-3GPP access, packet captures at the TNAN confirm successful + authentication with EAP-5G reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4743,17 +4039,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node301 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-077 - name: Evidence - description: Verify that a test UE device with SIM credentials from an MNO can - successfully authenticate and use MNO services when connecting via trusted - and untrusted non-3GPP access networks. For untrusted non-3GPP access, packet - captures at the N3IWF confirm successful authentication with EAP-5G. For trusted - non-3GPP access, packet captures at the TNAN confirm successful authentication - with EAP-5G - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-078 assessable: true depth: 3 @@ -4761,6 +4046,8 @@ objects: ref_id: SO11-078 description: S1-MME interface uses IKEv2 certificate based authentication as specified in TS 33.310 + typical_evidence: Verification of successful IKEv2 authentication between eNB + and MME reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4770,13 +4057,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node303 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-078 - name: Evidence - description: Verification of successful IKEv2 authentication between eNB and - MME - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-079 assessable: true depth: 3 @@ -4784,6 +4064,7 @@ objects: ref_id: SO11-079 description: X2-C interface uses IKEv2 certificate based authentication as specified in TS 33.310 + typical_evidence: Verification of successful IKEv2 authentication between eNBs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4793,12 +4074,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node305 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-079 - name: Evidence - description: Verification of successful IKEv2 authentication between eNBs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-080 assessable: true depth: 3 @@ -4806,6 +4081,10 @@ objects: ref_id: SO11-080 description: HSE performs key agreement with a BEST UE using either i) AKMA ii) 5G AKA or EAP-AKA' , or iii) proprietary key agreement protocol + typical_evidence: 'Verify via logs at the HSE that a test BEST UE can perform + key agreement and key refresh. Regardless of the key agreement scheme used, + HSE logs confirm the following keys are derived after key agreement: KE2Menc, + KE2Mint, KIntermediate, KEAS_PSK' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4815,15 +4094,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node307 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-080 - name: Evidence - description: 'Verify via logs at the HSE that a test BEST UE can perform key - agreement and key refresh. Regardless of the key agreement scheme used, HSE - logs confirm the following keys are derived after key agreement: KE2Menc, - KE2Mint, KIntermediate, KEAS_PSK' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-081 assessable: true depth: 3 @@ -4835,22 +4105,8 @@ objects: Exposed services (such as etcd for container) are either only available to fully trusted systems or require authentication.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M56 - - risk:reference_control:enisa-5g-scm:5G-M57 - - risk:reference_control:enisa-5g-scm:5G-M58 - - risk:reference_control:enisa-5g-scm:5G-M59 - - risk:reference_control:enisa-5g-scm:5G-M60 - - risk:reference_control:enisa-5g-scm:5G-M61 - - risk:reference_control:enisa-5g-scm:5G-M62 - - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node309 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-081 - name: Evidence - description: 'Documentation stating which security protocols and exposed services - are implemented provided by vendors. + typical_evidence: 'Documentation stating which security protocols and exposed + services are implemented provided by vendors. Documentation provided by vendors accompanying the VNF if the VNF supports 
@@ -4874,6 +4130,15 @@ objects: Verify using a network port scanner that all exposed services by VMs or containers requires authentication and authorization.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M56 + - risk:reference_control:enisa-5g-scm:5G-M57 + - risk:reference_control:enisa-5g-scm:5G-M58 + - risk:reference_control:enisa-5g-scm:5G-M59 + - risk:reference_control:enisa-5g-scm:5G-M60 + - risk:reference_control:enisa-5g-scm:5G-M61 + - risk:reference_control:enisa-5g-scm:5G-M62 + - risk:reference_control:enisa-5g-scm:5G-M63 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-082 assessable: true depth: 3 @@ -4881,6 +4146,10 @@ objects: ref_id: SO11-082 description: Network should support authenticated and unauthenticated IMS Emergency Sessions in accordance with 3GPP technical specification 33.501, clause 10.2 + typical_evidence: Verify that a test UE device can obtain emergency bearer services + with authentication and without authentication. Packet captures on the AMF + confirm successful emergency bearer service establishment for the test UE + with or without authentication reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4890,15 +4159,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node311 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-082 - name: Evidence - description: Verify that a test UE device can obtain emergency bearer services - with authentication and without authentication. Packet captures on the AMF - confirm successful emergency bearer service establishment for the test UE - with or without authentication - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-083 assessable: true depth: 3 
@@ -4907,6 +4167,9 @@ objects: description: Network should ensure security for UEs simultaneously connected to more than one NG-RAN node in accordance with 3GPP technical specification 33.501, clause 6.10 + typical_evidence: 'Verify that MN can establish and modify security context + between a test UE and SN. Packet captures at both the MN and SN confirm confidentiality, + integrity, and replay protection ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4916,14 +4179,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node313 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-083 - name: Evidence - description: 'Verify that MN can establish and modify security context between - a test UE and SN. Packet captures at both the MN and SN confirm confidentiality, - integrity, and replay protection ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-084 assessable: true depth: 3 @@ -4931,6 +4186,8 @@ objects: ref_id: SO11-084 description: Internal 5G core information such as SUPI, DNN, S-NSSAI is not disclosed by NEF to application functions residing outside the MNO domain + typical_evidence: Packet captures of interaction between NEF and application + functions outside MNO domain do not contain any 5G core information reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 
@@ -4940,13 +4197,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node315 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-084 - name: Evidence - description: Packet captures of interaction between NEF and application functions - outside MNO domain do not contain any 5G core information - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-085 assessable: true depth: 3 @@ -4955,6 +4205,10 @@ objects: description: Direct login as root or equivalent highest privileged user is limited to the system console only. Root user will not be allowed to login to the system remotely + typical_evidence: Verify that attempts to remotely login to the network product + using the credentials of the root or equivalent highest privileged user results + in failure. Login to the network product using the credentials of the root + or equivalent highest privileged user from the physical console is successful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4964,15 +4218,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node317 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-085 - name: Evidence - description: Verify that attempts to remotely login to the network product using - the credentials of the root or equivalent highest privileged user results - in failure. Login to the network product using the credentials of the root - or equivalent highest privileged user from the physical console is successful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-086 assessable: true depth: 3 
@@ -4984,6 +4229,12 @@ objects: of retained data to regulatory agencies. LI data is provided in plaintext. LI data can be captured and retained for inbound roamers. Unauthorized parties (including employees) cannot detect if an individual is a target of LI ' + typical_evidence: 'Simulating a user who is a target of LI confirms that LI + data identified in national laws is retained. The data of the simulated target + user is deleted after the duration mandated by national laws. Packet captures + confirm that TLS (or other protocols) are used for transferring the data of + the simulated target user to regulatory bodies. Employees or target users + cannot detect any changes during the period of LI targeting ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -4993,17 +4244,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node319 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-086 - name: Evidence - description: 'Simulating a user who is a target of LI confirms that LI data - identified in national laws is retained. The data of the simulated target - user is deleted after the duration mandated by national laws. Packet captures - confirm that TLS (or other protocols) are used for transferring the data of - the simulated target user to regulatory bodies. Employees or target users - cannot detect any changes during the period of LI targeting ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-087 assessable: true depth: 3 
@@ -5011,6 +4251,8 @@ objects: ref_id: SO11-087 description: SMF provides a user plane security policy to the ng-eNB/gNB during PDU session establishment as specified in 3GPP TS 23.502 + typical_evidence: Capture of the Nsmf_PDUSession_SMContext Response message + sent from the SMF contains the UP security policy reference_controls: - risk:reference_control:enisa-5g-scm:5G-M56 - risk:reference_control:enisa-5g-scm:5G-M57 @@ -5020,13 +4262,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M61 - risk:reference_control:enisa-5g-scm:5G-M62 - risk:reference_control:enisa-5g-scm:5G-M63 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node321 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so11-087 - name: Evidence - description: Capture of the Nsmf_PDUSession_SMContext Response message sent - from the SMF contains the UP security policy - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 assessable: false depth: 2 @@ -5042,6 +4277,8 @@ objects: parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-001 description: Validate all input data before processing + typical_evidence: Documented fuzz testing results confirm robustness against + malformed input data reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5049,13 +4286,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node324 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-001 - name: Evidence - description: Documented fuzz testing results confirm robustness against malformed - input data - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-002 assessable: true depth: 3 
@@ -5068,6 +4298,12 @@ objects: documentation. Certain ICMP types are generally permitted and do not need separate documentation. Permitted, forbidden, and optional ICMP types are identified in TS 33.117, cl. 4.2.4.1.1.2 + typical_evidence: Network product documentation identifies a closed group of + ICMP message types which are optional or permitted and lead to responses/configuration + changes on receipt. Verify that the network product drops the message, does + not reply and does not change any configuration when it receives ICMP messages + not listed in the closed group in network product documentation, or identified + as forbidden in the network product configuration reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5075,17 +4311,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node326 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-002 - name: Evidence - description: Network product documentation identifies a closed group of ICMP - message types which are optional or permitted and lead to responses/configuration - changes on receipt. Verify that the network product drops the message, does - not reply and does not change any configuration when it receives ICMP messages - not listed in the closed group in network product documentation, or identified - as forbidden in the network product configuration - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-003 assessable: true depth: 3 
@@ -5093,6 +4318,10 @@ objects: ref_id: SO12-003 description: IPv4 packets with unnecessary options or IPv6 packets with unnecessary extension headers are filtered and not processed + typical_evidence: Packet captures confirm that a network product which is configured + for dropping certain IPv4 options and certain IPv6 extension headers does + not generate any ACK responses when packets with those options/extension headers + are sent reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5100,15 +4329,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node328 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-003 - name: Evidence - description: Packet captures confirm that a network product which is configured - for dropping certain IPv4 options and certain IPv6 extension headers does - not generate any ACK responses when packets with those options/extension headers - are sent - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-004 assessable: true depth: 3 @@ -5116,6 +4336,8 @@ objects: ref_id: SO12-004 description: Network Product validates, filters, escapes, and encodes user controllable input before it is used or output + typical_evidence: Fuzz testing does not reveal attacks such as SQL injection + caused by lack of input validation reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5123,13 +4345,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node330 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-004 - name: Evidence - description: Fuzz testing does not reveal attacks such as SQL injection caused - by lack of input validation - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-005 assessable: true depth: 3 @@ -5141,6 +4356,9 @@ objects: packets that match a filter rule. Filtering on the basis of any portion of the protocol header should be possible. Logging of packets that match a rule can be enabled/disabled + typical_evidence: Verify that after enabling packet filtering and configuring + a rule to allow ICMP packets, a 'ping' sent to the product is logged and answered + back reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5148,14 +4366,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node332 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-005 - name: Evidence - description: Verify that after enabling packet filtering and configuring a rule - to allow ICMP packets, a 'ping' sent to the product is logged and answered - back - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-006 assessable: true depth: 3 
@@ -5165,6 +4375,8 @@ objects: by incoming packets that are manipulated or differing from the norm. Robustness should be as effective for a large number of invalid packets as it is for small number of packets + typical_evidence: Fuzz testing confirms that the network product is functional + and robust when faced with a large number of malformed packets reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5172,13 +4384,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node334 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-006 - name: Evidence - description: Fuzz testing confirms that the network product is functional and - robust when faced with a large number of malformed packets - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-007 assessable: true depth: 3 @@ -5190,6 +4395,10 @@ objects: for messages when the check is satisfied. If a network product does not support such checks, then it needs to be deployed together with a separate entity which provides such checking capability ' + typical_evidence: Verify that, after configuring GTP-C filtering rule to accept + GTP-C messages from a certain source IP address, messages from that address + are accepted and accounted, while messages from other source IP address not + matching the rule are discarded reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5197,15 +4406,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node336 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-007 - name: Evidence - description: Verify that, after configuring GTP-C filtering rule to accept GTP-C - messages from a certain source IP address, messages from that address are - accepted and accounted, while messages from other source IP address not matching - the rule are discarded - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-008 assessable: true depth: 3 @@ -5217,6 +4417,10 @@ objects: for messages when the check is satisfied. If a network product does not support such checks, then it needs to be deployed together with a separate entity which provides such checking capability ' + typical_evidence: Verify that, after configuring GTP-U filtering rule to accept + GTP-U messages from a certain source IP address, messages from that address + are accepted and accounted, while messages from other source IP address not + matching the rule are discarded reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5224,15 +4428,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node338 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-008 - name: Evidence - description: Verify that, after configuring GTP-U filtering rule to accept GTP-U - messages from a certain source IP address, messages from that address are - accepted and accounted, while messages from other source IP address not matching - the rule are discarded - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-009 assessable: true depth: 3 @@ -5241,6 +4436,9 @@ objects: description: Systems should not process IP packets if their source address is not reachable via the incoming interface. Use of "Reverse Path Filter" (RPF) provides one option to ensure such reachability checks + typical_evidence: The logs of the network product show that sending a ping message + from an IP address which is not reachable through the interface results in + the ping packet being dropped without any response reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5248,20 +4446,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node340 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-009 - name: Evidence - description: The logs of the network product show that sending a ping message - from an IP address which is not reachable through the interface results in - the ping packet being dropped without any response - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-010 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-010 description: 'Systems should support mechanisms for buffer overflow protection ' + typical_evidence: Documentation which describes buffer overflow mechanisms and + also how to check that they have been enabled and/or implemented. Tests listed + in the documentation produce expected results confirming buffer overflow protection reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5269,14 +4462,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node342 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-010 - name: Evidence - description: Documentation which describes buffer overflow mechanisms and also - how to check that they have been enabled and/or implemented. Tests listed - in the documentation produce expected results confirming buffer overflow protection - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-011 assessable: true depth: 3 
@@ -5286,6 +4471,10 @@ objects: \ or any other code contained in JSON objects received on Service Based Interfaces\ \ (SBI). These parsers should not include any resources external to the received\ \ JSON object itself, such as files from the NF\u2019s filesystem" + typical_evidence: Verification that on sending an HTTP message containing JavaScript + code, the network product does not execute any of the contained actions. A + traffic analyzer connected to the network product confirms that no external + resources get loaded during JSON parsing reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5293,15 +4482,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node344 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-011 - name: Evidence - description: Verification that on sending an HTTP message containing JavaScript - code, the network product does not execute any of the contained actions. A - traffic analyzer connected to the network product confirms that no external - resources get loaded during JSON parsing - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-012 assessable: true depth: 3 @@ -5316,6 +4496,10 @@ objects: cl. 6.2: for each message the number of leaf IEs should not exceed 16000, the maximum size of the JSON body of any HTTP request should not exceed 2 million bytes, and the maximum nesting depth of leaves should not exceed 32' + typical_evidence: Verify that sending a request to the network product with + duplicate keys in message IE payload results in an error response. Sending + a request with out of bounds IEs results in an error response from the network + product reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5323,14 +4507,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node346 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-012 - name: Evidence - description: Verify that sending a request to the network product with duplicate - keys in message IE payload results in an error response. Sending a request - with out of bounds IEs results in an error response from the network product - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-013 assessable: true depth: 3 @@ -5338,6 +4514,10 @@ objects: ref_id: SO12-013 description: Network slice subnet template (NSST) is integrity protected and management systems should verify the source and integrity of the subnet template + typical_evidence: Verify that the integrity of network slice subnet templates + is ensured with cryptographic tools such as a digital signature or a hash. + In addition, verify that a slice instance cannot be created with a tampered + slice subnet template reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5345,15 +4525,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node348 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-013 - name: Evidence - description: Verify that the integrity of network slice subnet templates is - ensured with cryptographic tools such as a digital signature or a hash. In - addition, verify that a slice instance cannot be created with a tampered slice - subnet template - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-014 assessable: true depth: 3 
@@ -5361,6 +4532,10 @@ objects: ref_id: SO12-014 description: Log files must be protected from breaches of their confidentiality and integrity + typical_evidence: Using file inspection tools demonstrates log file integrity + protection with checksums/digital signatures. Using file inspection tools + demonstrates log file encryption with tools such as gpg/ccrypt. Verification + that log files cannot be inspected without supplying necessary credentials reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5368,15 +4543,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node350 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-014 - name: Evidence - description: Using file inspection tools demonstrates log file integrity protection - with checksums/digital signatures. Using file inspection tools demonstrates - log file encryption with tools such as gpg/ccrypt. Verification that log files - cannot be inspected without supplying necessary credentials - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-015 assessable: true depth: 3 @@ -5385,6 +4551,9 @@ objects: description: Protection against application misbehavior and bugs with the use of techniques such as sandboxing, application-kernel isolation, and application permissions + typical_evidence: Check configuration files and diagnostic tools to verify that + sandboxing techniques such as application-kernel isolation identified in product + documentation are enabled and used reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5392,14 +4561,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node352 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-015 - name: Evidence - description: Check configuration files and diagnostic tools to verify that sandboxing - techniques such as application-kernel isolation identified in product documentation - are enabled and used - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-016 assessable: true depth: 3 @@ -5408,6 +4569,10 @@ objects: description: Monitoring of edge network nodes such as Signal Transfer Points (STPs) and Diameter Edge/Routing Agents (DEAs/DRAs) with firewalls or other tools to protect roaming attacks from SS7 and DIAMETER signaling vulnerabilities + typical_evidence: Check the log files of the firewall or other monitoring tools + to confirm that a simulated roaming attack launched using SS7/DIAMETER vulnerabilities + is detected by the firewall rules or other tools used to monitor edge network + nodes reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5415,15 +4580,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node354 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-016 - name: Evidence - description: Check the log files of the firewall or other monitoring tools to - confirm that a simulated roaming attack launched using SS7/DIAMETER vulnerabilities - is detected by the firewall rules or other tools used to monitor edge network - nodes - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-017 assessable: true depth: 3 
@@ -5433,6 +4589,10 @@ objects: Register (VLR) and Mobility Management Entity (MME) with firewalls or other tools to detect and prevent roaming attacks from SS7 and DIAMETER signaling vulnerabilities + typical_evidence: Check the log files of the firewall or other monitoring tools + to confirm that a simulated roaming attack launched using SS7/DIAMETER vulnerabilities + is detected by the firewall rules or other tools used to monitor core network + nodes reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5440,15 +4600,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node356 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-017 - name: Evidence - description: Check the log files of the firewall or other monitoring tools to - confirm that a simulated roaming attack launched using SS7/DIAMETER vulnerabilities - is detected by the firewall rules or other tools used to monitor core network - nodes - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-018 assessable: true depth: 3 @@ -5466,6 +4617,10 @@ objects: \ do not have direct access to the physical hardware. Containers are not used\ \ to enforce separation between trust domains. Correspondingly, containerised\ \ hosts only support a single trust domain." + typical_evidence: "A document containing the definition of trust domains and\ + \ the separation requirements to be implemented and enforced.\n\nDocumented\ + \ risk analysis determining which controls set out in the \u2018control description\u2019\ + \ field are appropriate." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5473,15 +4628,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node358 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-018 - name: Evidence - description: "A document containing the definition of trust domains and the\ - \ separation requirements to be implemented and enforced.\n\nDocumented risk\ - \ analysis determining which controls set out in the \u2018control description\u2019\ - \ field are appropriate." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-019 assessable: true depth: 3 @@ -5492,6 +4638,12 @@ objects: Only containers or VMs with the same level of exposure (e.g. Internet facing) run on the same node.' + typical_evidence: 'Data classification process is documented. + + Documented risk assessment includes the sensitivity level of VNFs. + + Documented definition of trust domains, and their separation requirements + to be implemented and enforced.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5499,17 +4651,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node360 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-019 - name: Evidence - description: 'Data classification process is documented. - - Documented risk assessment includes the sensitivity level of VNFs. - - Documented definition of trust domains, and their separation requirements - to be implemented and enforced.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-020 assessable: true depth: 3 
@@ -5519,6 +4660,14 @@ objects: be used to effectively defend against or prevent malware and ransomware infections. Such threat detection or prevention and response should include NFVI and network functions. + typical_evidence: "Document describing the implemented security products such\ + \ as firewalls, IDS/IPS, including within NFV. Management of those products\ + \ must be described in terms of authentication and access control.\n\nAll\ + \ security filtering rules are documented.\n\nSend samples of malicious messages\ + \ to the security product and verify that \n- messages are dropped, \n- notification\ + \ is sent to the administrator,\n- event is logged, and\n- security filtering\ + \ rules are applied.\n\nVerify that the security product does not change its\ + \ configuration due to receiving malicious messages." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5526,19 +4675,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node362 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-020 - name: Evidence - description: "Document describing the implemented security products such as\ - \ firewalls, IDS/IPS, including within NFV. Management of those products must\ - \ be described in terms of authentication and access control.\n\nAll security\ - \ filtering rules are documented.\n\nSend samples of malicious messages to\ - \ the security product and verify that \n- messages are dropped, \n- notification\ - \ is sent to the administrator,\n- event is logged, and\n- security filtering\ - \ rules are applied.\n\nVerify that the security product does not change its\ - \ configuration due to receiving malicious messages." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-021 assessable: true depth: 3 
@@ -5550,6 +4686,11 @@ objects: from being routed to the hijacked destination. MNOs should also ensure that the IP address space they own and relevant contact information are securely maintained in appropriate up to date registries. + typical_evidence: "MNO has a document explaining risks to BGP protocol and hijack\ + \ response procedures.\n\nMNO has a document containing the IP address space\ + \ and relevant contact information to be securely kept up to date. \n\nBGP\ + \ traffic captures show secure use of BGP protocol, and that the traffic is\ + \ properly protected." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5557,16 +4698,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node364 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-021 - name: Evidence - description: "MNO has a document explaining risks to BGP protocol and hijack\ - \ response procedures.\n\nMNO has a document containing the IP address space\ - \ and relevant contact information to be securely kept up to date. \n\nBGP\ - \ traffic captures show secure use of BGP protocol, and that the traffic is\ - \ properly protected." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-022 assessable: true depth: 3 
@@ -5579,19 +4710,7 @@ objects: TTL Security Mechanism (GTSM) as described in RFC 5082, as well as Resource Public Key Infrastructure (RPKI), which add authentication to the routing system using digital signatures. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node366 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-022 - name: Evidence - description: "All filtering rules on Autonomous System (AS) are documented.\n\ + typical_evidence: "All filtering rules on Autonomous System (AS) are documented.\n\ \nAll the implemented Generalized TTL Security Mechanism (GTSM) authentication\ \ mechanisms are documented.\n\nBGP traffic captures show secure use of BGP\ \ protocol and proper traffic protection.\n\nSend samples of malicious messages\ @@ -5599,6 +4718,13 @@ objects: \ is sent to the administrator,\n- event is logged, and\n- security filtering\ \ rules are applied.\n\nVerify that the routing system does not change its\ \ configuration due to receiving malicious messages." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-023 assessable: true depth: 3 
@@ -5611,6 +4737,16 @@ objects: is used for mutual authentication with certificates as well as for integrity and confidentiality protection of messages. Cryptographic keys/certificates for TLS authentication are protected' + typical_evidence: 'Verification of each network function for support of TLS + (unless other countermeasures are used, such as physical security for local + services on a single site) as profiled in 3GPP technical specifications: 33.210, + clause 6.2 and 33.310, clause 6.2a. Verification can involve looking at product + documentation and establishing test TLS connections to ensure that only protocol + versions and cryptographic algorithms mandated by the profile are supported + by the network function. Verification with a key management utility that the + keys/certificates for TLS authentication are protected in the system keystore + or similar tool (Java KeyStore, AWS KMS, etc.), in secure memory, or protected + with hardware security tools such as TPMs/TEEs' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5618,21 +4754,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node368 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-023 - name: Evidence - description: 'Verification of each network function for support of TLS (unless - other countermeasures are used, such as physical security for local services - on a single site) as profiled in 3GPP technical specifications: 33.210, clause - 6.2 and 33.310, clause 6.2a. Verification can involve looking at product documentation - and establishing test TLS connections to ensure that only protocol versions - and cryptographic algorithms mandated by the profile are supported by the - network function. Verification with a key management utility that the keys/certificates - for TLS authentication are protected in the system keystore or similar tool - (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware - security tools such as TPMs/TEEs' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-024 assessable: true depth: 3 @@ -5640,6 +4761,12 @@ objects: ref_id: SO12-024 description: 'SEPP meets end-to-end security requirements listed in 3GPP TS 33.501 for interconnection between networks ' + typical_evidence: Verification of SEPPs for compliance with 3GPP end-to-end + security requirements. Verification can involve looking at product documentation + detailing compliance with security requirements. Verification can also involve + checking the packet captures on the SEPP to confirm that message elements + at the application are confidentiality and/or integrity protected and no information + about the internal network topology is contained in the packets reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5647,17 +4774,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node370 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-024 - name: Evidence - description: Verification of SEPPs for compliance with 3GPP end-to-end security - requirements. Verification can involve looking at product documentation detailing - compliance with security requirements. Verification can also involve checking - the packet captures on the SEPP to confirm that message elements at the application - are confidentiality and/or integrity protected and no information about the - internal network topology is contained in the packets - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-025 assessable: true depth: 3 @@ -5668,6 +4784,12 @@ objects: such as IPSec, is implemented for integrity, confidentiality, and replay protection of E1, F1-U, F1-C, N2, N3, and Xn interfaces. Cryptographic keys/certificates for IKEv2 authentication are protected + typical_evidence: Verification that a secure IPsec ESP connection can be established + after IKEv2 certificate-based authentication. Verification that a secure record + layer connection can be established. Verification with a key management utility + that the keys/certificates for IKEv2 authentication are protected in the system + keystore or similar tool (Java KeyStore, AWS KMS, etc.), in secure memory, + or protected with hardware security tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5675,17 +4797,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node372 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-025 - name: Evidence - description: Verification that a secure IPsec ESP connection can be established - after IKEv2 certificate-based authentication. Verification that a secure record - layer connection can be established. Verification with a key management utility - that the keys/certificates for IKEv2 authentication are protected in the system - keystore or similar tool (Java KeyStore, AWS KMS, etc.), in secure memory, - or protected with hardware security tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-026 assessable: true depth: 3 @@ -5694,6 +4805,8 @@ objects: description: Transmission of data which needs protection uses industry standard network protocols with industry accepted algorithms. A protocol version without known vulnerabilities or a secure alternative protocol should be used + typical_evidence: Packet captures show traffic is properly protected and insecure + options are not accepted by the network products reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5701,13 +4814,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node374 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-026 - name: Evidence - description: Packet captures show traffic is properly protected and insecure - options are not accepted by the network products - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-027 assessable: true depth: 3 
@@ -5718,6 +4824,14 @@ objects: on a single site, are used) as profiled in Annex E of TS 33.310 with the following additional requirement: cipher suites with NULL encryption shall not be supported. Cryptographic keys/certificates for TLS authentication are protected' + typical_evidence: Packet captures between the web client and the web server + show the use of TLS (unless other countermeasures, such as physical security + for local services on a single site, are used) and confirm that the protocol + version/cryptographic algorithms mandated by the security profile are used. + Verification with a key management utility that the keys/certificates for + TLS authentication are protected in the system keystore or similar tool (Java + KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware security + tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5725,19 +4839,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node376 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-027 - name: Evidence - description: Packet captures between the web client and the web server show - the use of TLS (unless other countermeasures, such as physical security for - local services on a single site, are used) and confirm that the protocol version/cryptographic - algorithms mandated by the security profile are used. Verification with a - key management utility that the keys/certificates for TLS authentication are - protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-028 assessable: true depth: 3 
@@ -5746,6 +4847,12 @@ objects: description: DNS servers in the 3GPP network should support and use DNS over (D)TLS as specified in RFC 7858 and RFC 8310. Cryptographic keys/certificates for TLS authentication are protected + typical_evidence: Packet captures at DNS servers in the core network confirm + the use of TLS for protection of DNS requests and responses. Verification + with a key management utility that the keys/certificates for TLS authentication + are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, + etc.), in secure memory, or protected with hardware security tools such as + TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5753,17 +4860,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node378 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-028 - name: Evidence - description: Packet captures at DNS servers in the core network confirm the - use of TLS for protection of DNS requests and responses. Verification with - a key management utility that the keys/certificates for TLS authentication - are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-029 assessable: true depth: 3 
@@ -5775,6 +4871,12 @@ objects: and IKEv2 certificate-based authentication as specified in TS 33.510, cl. 9.1.2, unless security is provided by other means, such as physical security. Cryptographic keys/certificates for IKEv2 authentication in NDS/IP are protected + typical_evidence: Verification of packet captures on the interface under test + confirms the use of IPsec for integrity, confidentiality, and replay protection. + Verification with a key management utility that the keys/certificates for + TLS authentication are protected in the system keystore or similar tool (Java + KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware security + tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5782,17 +4884,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node380 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-029 - name: Evidence - description: Verification of packet captures on the interface under test confirms - the use of IPsec for integrity, confidentiality, and replay protection. Verification - with a key management utility that the keys/certificates for TLS authentication - are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-030 assessable: true depth: 3 
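Review bot: The `typical_evidence` added for SO12-029 checks that keys/certificates for `TLS` authentication are protected, while the requirement's own description (context lines above) is about `IKEv2` authentication in NDS/IP; the wording is carried over verbatim from the deleted `node380` entry in the next hunk, so the mismatch predates this commit, but it is now the evidence text an assessor sees for an IPsec control. If this is a copy error, `keys/certificates for IKEv2 authentication are protected` would match the control; if it is verbatim from the upstream ENISA matrix, leave it as is and flag the discrepancy upstream rather than editing the library text.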
@@ -5801,6 +4892,10 @@ objects: description: Network should provide a mechanism for steering UEs to a preferred roamed-to network indicated by the HPLMN during and after registration in accordance with 3GPP technical specification 33.501, clause 6.14 + typical_evidence: Verify that a test UE can be steered to a preferred roamed-to + network both during and after registration in a VPLMN. Verification can involve + checking the system logs of the test UE for an updated preferred/forbidden + PLMN list and checking the packet captures of the HPLMN UDM for Nudm_SDM_Info reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5808,15 +4903,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node382 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-030 - name: Evidence - description: Verify that a test UE can be steered to a preferred roamed-to network - both during and after registration in a VPLMN. Verification can involve checking - the system logs of the test UE for an updated preferred/forbidden PLMN list - and checking the packet captures of the HPLMN UDM for Nudm_SDM_Info - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-031 assessable: true depth: 3 @@ -5824,6 +4910,9 @@ objects: ref_id: SO12-031 description: AMF state machines handling registration over 3GPP and non-3GPP access follow 3GPP technical specification 33.501, clause 6.8 + typical_evidence: System logs of the AMF confirm that transitions between RM-DEREGISTERED + and RM-REGISTERED/CM-CONNECTED states during UE registration follow the guidelines + listed in 3GPP technical specification 33.501, clause 6.8 reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5831,14 +4920,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node384 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-031 - name: Evidence - description: System logs of the AMF confirm that transitions between RM-DEREGISTERED - and RM-REGISTERED/CM-CONNECTED states during UE registration follow the guidelines - listed in 3GPP technical specification 33.501, clause 6.8 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-032 assessable: true depth: 3 @@ -5846,6 +4927,8 @@ objects: ref_id: SO12-032 description: Network ensures that security is maintained during UE mobility in accordance with 3GPP technical specification 33.501, clause 6.9 and 6.11 + typical_evidence: Packet captures on the AMF as well as on the source and target + gNBs confirm successful UE mobility and handover reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5853,13 +4936,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node386 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-032 - name: Evidence - description: Packet captures on the AMF as well as on the source and target - gNBs confirm successful UE mobility and handover - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-033 assessable: true depth: 3 
@@ -5872,6 +4948,9 @@ objects: session and does not have a 5G-GUTI to the chosen PLMN, (2) if the home network has configured "null-scheme" to be used, or (3) if the home network has not provisioned the public key needed to generate a SUCI' + typical_evidence: "Verify that the UDM correctly deconceals the Subscription\ + \ Concealed Identifier (SUCI) using the implementer\u2019s test data in Annex\ + \ C of 3GPP technical specification 33.501" reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -5879,14 +4958,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node388 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-033 - name: Evidence - description: "Verify that the UDM correctly deconceals the Subscription Concealed\ - \ Identifier (SUCI) using the implementer\u2019s test data in Annex C of 3GPP\ - \ technical specification 33.501" - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-034 assessable: true depth: 3 @@ -5895,6 +4966,9 @@ objects: description: Isolation of distinct slices in the slice manager and restrictions on performing changes to parameters shared among slices belonging to different tenants + typical_evidence: Verify that attempts to modify/change shared parameters from + a slice are unsuccessful. Verify that attempts to decrypt/modify traffic intended + for a different slice are unsuccessful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5902,14 +4976,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node390 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-034 - name: Evidence - description: Verify that attempts to modify/change shared parameters from a - slice are unsuccessful. Verify that attempts to decrypt/modify traffic intended - for a different slice are unsuccessful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-035 assessable: true depth: 3 @@ -5918,6 +4984,12 @@ objects: description: Each interface of a MANO entity should use TLS for API communication to ensure integrity protection, replay protection, and confidentiality. Cryptographic keys/certificates for TLS authentication are protected + typical_evidence: Verification of TLS support for API communication by looking + at packet captures and setting up test TLS connections. Verification with + a key management utility that the keys/certificates for TLS authentication + are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, + etc.), in secure memory, or protected with hardware security tools such as + TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5925,16 +4997,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node392 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-035 - name: Evidence - description: Verification of TLS support for API communication by looking at - packet captures and setting up test TLS connections. Verification with a key - management utility that the keys/certificates for TLS authentication are protected - in the system keystore or similar tool (Java KeyStore, AWS KMS, etc.), in - secure memory, or protected with hardware security tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-036 assessable: true depth: 3 @@ -5943,6 +5005,12 @@ objects: description: Control plane data between NFV hosts is sent over an authenticated and encrypted channel with standard protocols. Cryptographic keys/certificates for authentication are protected + typical_evidence: Packet captures confirm the use of standard security protocols + such as TLS for authentication and encryption of control plane data exchanged + between hosts. Verification with a key management utility that the keys/certificates + for TLS authentication are protected in the system keystore or similar tool + (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware + security tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5950,23 +5018,14 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node394 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-036 - name: Evidence - description: Packet captures confirm the use of standard security protocols - such as TLS for authentication and encryption of control plane data exchanged - between hosts. Verification with a key management utility that the keys/certificates - for TLS authentication are protected in the system keystore or similar tool - (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware - security tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-037 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-037 description: SDN controller should not allow conflicting flow rules + typical_evidence: Verify that attempts to add a conflicting flow rule are rejected + by the SDN controller reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5974,19 +5033,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node396 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-037 - name: Evidence - description: Verify that attempts to add a conflicting flow rule are rejected - by the SDN controller - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-038 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-038 description: APIs for the SDN controller and applications should be secured + typical_evidence: Verify that access to APIs is only possible after authenticating + with authorized accounts over encrypted channels. Verification involves checking + the product documentation and executing test API calls reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -5994,20 +5049,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node398 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-038 - name: Evidence - description: Verify that access to APIs is only possible after authenticating - with authorized accounts over encrypted channels. Verification involves checking - the product documentation and executing test API calls - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-039 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-039 description: Operating systems hardening + typical_evidence: Diagnostic tools confirm that unused ports and services are + disabled, firewall is activated, software packages are updated, and system + monitoring tools have been activated reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6015,14 +5065,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node400 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-039 - name: Evidence - description: Diagnostic tools confirm that unused ports and services are disabled, - firewall is activated, software packages are updated, and system monitoring - tools have been activated - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-040 assessable: true depth: 3 
@@ -6031,6 +5073,12 @@ objects: description: Mutual authentication followed by confidentiality and integrity of messages on the Common API Framework (CAPIF) are ensured. Cryptographic keys/certificates for authentication are protected + typical_evidence: Verify that API communication is protected with TLS by looking + at packet captures and setting up test TLS connections. Verification with + a key management utility that the keys/certificates for TLS authentication + are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, + etc.), in secure memory, or protected with hardware security tools such as + TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6038,17 +5086,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node402 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-040 - name: Evidence - description: Verify that API communication is protected with TLS by looking - at packet captures and setting up test TLS connections. Verification with - a key management utility that the keys/certificates for TLS authentication - are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-041 assessable: true depth: 3 @@ -6056,6 +5093,8 @@ objects: ref_id: SO12-041 description: Virtualization platform or container infrastructure is hardened using vendor-provided guidelines + typical_evidence: Verification of conformance to vendor provided guidelines + by checking log files, configuration files, and automated tools reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6063,19 +5102,14 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node404 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-041 - name: Evidence - description: Verification of conformance to vendor provided guidelines by checking - log files, configuration files, and automated tools - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-042 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-042 description: VMs or containers in MEC are encrypted + typical_evidence: Inspection of servers and storage containing VMs or containers + confirm that the VMs or containers are encrypted reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6083,13 +5117,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node406 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-042 - name: Evidence - description: Inspection of servers and storage containing VMs or containers - confirm that the VMs or containers are encrypted - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-043 assessable: true depth: 3 
@@ -6098,6 +5125,9 @@ objects: description: MEC systems provide a secure environment for services of users, MNOs, third-party application providers, application developers, and platform vendors + typical_evidence: Documentation of the MEC system contains a list of service + isolation techniques implemented. Verify that attempts to access other services + from within a service instance are unsuccessful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6105,20 +5135,14 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node408 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-043 - name: Evidence - description: Documentation of the MEC system contains a list of service isolation - techniques implemented. Verify that attempts to access other services from - within a service instance are unsuccessful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-044 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-044 description: 'User plane data is integrity-protected ' + typical_evidence: Packet captures of the traffic between the RN and the DeNB + confirm the use of the PDCP protocol for integrity protection reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6126,13 +5150,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node410 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-044 - name: Evidence - description: Packet captures of the traffic between the RN and the DeNB confirm - the use of the PDCP protocol for integrity protection - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-045 assessable: true depth: 3 @@ -6140,6 +5157,9 @@ objects: ref_id: SO12-045 description: End-to-end signaling security is used for DIAMETER signaling when physical security is not provided + typical_evidence: Packet captures confirm that Diameter End-to-End Signaling + (DESS), or a similar protection mechanism, is used to provide end-to-end security, + unless physical security is provided reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6147,20 +5167,19 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node412 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-045 - name: Evidence - description: Packet captures confirm that Diameter End-to-End Signaling (DESS), - or a similar protection mechanism, is used to provide end-to-end security, - unless physical security is provided - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-046 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-046 description: Protections against ReVOLTE attacks are implemented + typical_evidence: 'Depending on the mitigation implemented: i) packet captures + at the eNodeB confirm that different radio bearer identities are used for + subsequent calls even within the same radio connection, and/or ii) system + logs of the eNB show that it has initiated an intra-cell handover to derive + fresh keys for subsequent calls on the same radio connection, and/or iii) + packet captures at the IMS access gateway confirm the use of SRTP for encryption + and integrity protection of VoLTE calls' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6168,18 +5187,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node414 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-046 - name: Evidence - description: 'Depending on the mitigation implemented: i) packet captures at - the eNodeB confirm that different radio bearer identities are used for subsequent - calls even within the same radio connection, and/or ii) system logs of the - eNB show that it has initiated an intra-cell handover to derive fresh keys - for subsequent calls on the same radio connection, and/or iii) packet captures - at the IMS access gateway confirm the use of SRTP for encryption and integrity - protection of VoLTE calls' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-047 assessable: true depth: 3 @@ -6187,6 +5194,9 @@ objects: ref_id: SO12-047 description: Bidding down should be prevented by including the replayed security capabilities of the UE in the Security Mode Command sent from the MME + typical_evidence: Verify that eliminating certain UE capabilities on the interface + between the UE and MME results in a protocol continuation failure and the + UE responds with a NAS Security Mode Reject message reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6194,14 +5204,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node416 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-047 - name: Evidence - description: Verify that eliminating certain UE capabilities on the interface - between the UE and MME results in a protocol continuation failure and the - UE responds with a NAS Security Mode Reject message - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-048 assessable: true depth: 3 @@ -6209,6 +5211,10 @@ objects: ref_id: SO12-048 description: eNBs should have a secure environment for storage of sensitive data and execution of sensitive functions + typical_evidence: Documentation of the eNB contains a list of mechanisms such + as Trusted Execution Environment (TEE) used to protect storage of sensitive + data and execution of sensitive functions. Diagnostic tools on the eNB confirm + that the mechanisms are implemented, enabled, and used reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6216,21 +5222,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node418 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-048 - name: Evidence - description: Documentation of the eNB contains a list of mechanisms such as - Trusted Execution Environment (TEE) used to protect storage of sensitive data - and execution of sensitive functions. Diagnostic tools on the eNB confirm - that the mechanisms are implemented, enabled, and used - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-049 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-049 description: Protection against VM sprawl + typical_evidence: Documentation of the hypervisor has a list of hardening techniques. + Diagnostic tools confirm that hypervisor hardening techniques described in + documentation are enabled reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6238,14 +5238,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node420 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-049 - name: Evidence - description: Documentation of the hypervisor has a list of hardening techniques. - Diagnostic tools confirm that hypervisor hardening techniques described in - documentation are enabled - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-050 assessable: true depth: 3 
@@ -6255,6 +5247,15 @@ objects: SEAL group management server is protected using HTTPS with TLS usage following the profile specified in clause 6.2a of 3GPP TS 33.310. Cryptographic keys/certificates for TLS authentication are protected + typical_evidence: Verification that the SEAL key management server and the SEAL + group management server support HTTPS with TLS as profiled in clause 6.2a + of 3GPP TS 33.310. Verification can involve looking at product documentation + and establishing test TLS connections to ensure that only protocol versions + and cryptographic algorithms mandated by the profile are supported. Verification + with a key management utility that the keys/certificates for TLS authentication + are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, + etc.), in secure memory, or protected with hardware security tools such as + TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6262,19 +5263,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node422 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-050 - name: Evidence - description: Verification that the SEAL key management server and the SEAL group - management server support HTTPS with TLS as profiled in clause 6.2a of 3GPP - TS 33.310. Verification can involve looking at product documentation and establishing - test TLS connections to ensure that only protocol versions and cryptographic - algorithms mandated by the profile are supported. Verification with a key - management utility that the keys/certificates for TLS authentication are protected - in the system keystore or similar tool (Java KeyStore, AWS KMS, etc.), in - secure memory, or protected with hardware security tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-051 assessable: true depth: 3 
@@ -6284,6 +5272,15 @@ objects: the SEAL group management server is protected using HTTPS with TLS usage following the profile specified in clause 6.2a of 3GPP TS 33.310. Cryptographic keys/certificates for TLS authentication are protected + typical_evidence: Verification that the SEAL location management server and + the SEAL group management server support HTTPS with TLS as profiled in clause + 6.2a of 3GPP TS 33.310. Verification can involve looking at product documentation + and establishing test TLS connections to ensure that only protocol versions + and cryptographic algorithms mandated by the profile are supported. Verification + with a key management utility that the keys/certificates for TLS authentication + are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, + etc.), in secure memory, or protected with hardware security tools such as + TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6291,20 +5288,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node424 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-051 - name: Evidence - description: Verification that the SEAL location management server and the SEAL - group management server support HTTPS with TLS as profiled in clause 6.2a - of 3GPP TS 33.310. Verification can involve looking at product documentation - and establishing test TLS connections to ensure that only protocol versions - and cryptographic algorithms mandated by the profile are supported. Verification - with a key management utility that the keys/certificates for TLS authentication - are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-052 assessable: true depth: 3 
@@ -6318,19 +5301,7 @@ objects: CoAP with OSCORE as profiled in RFC 8613 or iii) CoAP with DTLS/TLS as profiled in clause 6.2a of 3GPP TS 33.310. Cryptographic keys/certificates for TLS/DTLS/OSCORE authentication are protected - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node426 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-052 - name: Evidence - description: Verification that the SEAL client, SEAL server, SEAL key management + typical_evidence: Verification that the SEAL client, SEAL server, SEAL key management client, SEAL key management server, SEAL identity management client, and the SEAL identity management server either i) support HTTPS with TLS as profiled in clause 6.2a of 3GPP TS 33.310, or ii) CoAP with OSCORE as profiled in @@ -6342,6 +5313,13 @@ objects: DTLS, TLS, and OSCORE authentication are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware security tools such as TPMs/TEEs + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-053 assessable: true depth: 3 
@@ -6353,6 +5331,16 @@ objects: clause 6.2 and 33.310, clause 6.2a, or ii) CAPIF as specified in 3GPP technical specifications: 23.434 and TS 33.122, clause 6.5.2. Cryptographic keys/certificates for IKEv2, TLS, etc. authentication in NDS/IP are protected' + typical_evidence: Verification that the SEAL server and the VAL server use TLS + with OAuth or CAPIF for authentication and authorization following profiles + in TS 33.210, TS 33.310, and TS 33.122. Verification can involve looking at + product documentation and establishing test TLS or CAPIF connections to ensure + that only protocol versions and cryptographic algorithms mandated by the 3GPP + profiles are supported by the network function. Verification with a key management + utility that the keys/certificates for IKEv2, TLS, etc. authentication are + protected in the system keystore or similar tool (Java KeyStore, AWS KMS, + etc.), in secure memory, or protected with hardware security tools such as + TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6360,21 +5348,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node428 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-053 - name: Evidence - description: Verification that the SEAL server and the VAL server use TLS with - OAuth or CAPIF for authentication and authorization following profiles in - TS 33.210, TS 33.310, and TS 33.122. Verification can involve looking at product - documentation and establishing test TLS or CAPIF connections to ensure that - only protocol versions and cryptographic algorithms mandated by the 3GPP profiles - are supported by the network function. Verification with a key management - utility that the keys/certificates for IKEv2, TLS, etc. authentication are - protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-054 assessable: true depth: 3 @@ -6383,6 +5356,12 @@ objects: description: SEAL-E interface between SEAL servers is protected with NDS/IP as specified in TS 33.210. Cryptographic keys/certificates for IKEv2, TLS, etc. authentication in NDS/IP are protected + typical_evidence: Verification of packet captures on the SEAL server confirms + the use of TLS, IPsec, etc. for integrity, confidentiality, and replay protection. + Verification with a key management utility that the keys/certificates for + IKEv2, TLS, etc. authentication are protected in the system keystore or similar + tool (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware + security tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6390,17 +5369,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node430 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-054 - name: Evidence - description: Verification of packet captures on the SEAL server confirms the - use of TLS, IPsec, etc. for integrity, confidentiality, and replay protection. - Verification with a key management utility that the keys/certificates for - IKEv2, TLS, etc. authentication are protected in the system keystore or similar - tool (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware - security tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-055 assessable: true depth: 3 @@ -6408,6 +5376,14 @@ objects: ref_id: SO12-055 description: Transfer of key material from SKM server to SKM client over HTTP are protected with TLS as profiled in clause 6.2a of 3GPP TS 33.310 + typical_evidence: Verification that the SKM server supports HTTPS with TLS as + profiled in clause 6.2a of 3GPP TS 33.310. Verification can involve looking + at product documentation and establishing test TLS connections to ensure that + only protocol versions and cryptographic algorithms mandated by the profile + are supported. Verification with a key management utility that the keys/certificates + for TLS authentication are protected in the system keystore or similar tool + (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware + security tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6415,19 +5391,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node432 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-055 - name: Evidence - description: Verification that the SKM server supports HTTPS with TLS as profiled - in clause 6.2a of 3GPP TS 33.310. Verification can involve looking at product - documentation and establishing test TLS connections to ensure that only protocol - versions and cryptographic algorithms mandated by the profile are supported. - Verification with a key management utility that the keys/certificates for - TLS authentication are protected in the system keystore or similar tool (Java - KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware security - tools such as TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-056 assessable: true depth: 3 
@@ -6442,19 +5405,7 @@ objects: - Seccomp allows administrators to define system call security that must be\ \ blocked during container runtime. Seccomp policies are defined using JSON\ \ files." - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node434 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-056 - name: Evidence - description: "Use of testing and analysis tools to verify:\n- That containers\ + typical_evidence: "Use of testing and analysis tools to verify:\n- That containers\ \ are executed as runtime processes within given namespaces.\n- That Cgroups\ \ is used to control the different resources.\n- That an application running\ \ within a container is executed only with the necessary capability.\n- That\ @@ -6466,6 +5417,13 @@ objects: - To detect secrets in images: ggshield, SecretScanner\n- To detect misconfigurations\ \ in Kubernetes: kubeaudit, kubesec.io, kube-bench\n- To detect misconfigurations\ \ in Docker: inspec.io, dev-sec.io, Docker Bench for Security" + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-057 assessable: true depth: 3 
@@ -6475,6 +5433,16 @@ objects: guidelines, such as CIS benchmarks. In particular, on OSs, Docker, VMWARE, Kubernetes and cloud. They should follow the guidance in the CSA Security Guidance for Critical Areas of Focus in Cloud Computing. + typical_evidence: "Verify that hardening guidelines are applied for the secure\ + \ configuration and deployment of NFV components. This could be achieved by\ + \ verifying a document containing technical description of the hardening controls\ + \ that have been implemented on the NFV. This document contains details of\ + \ whether the hardening controls are implemented by default, or if additional\ + \ actions (e.g. scripts or manually executed commands) are required. \n\n\ + Verify that hardening best practices (e.g. automation) are part of the MNOs\u2019\ + \ testing framework. This could be achieved by verifying a test report which\ + \ demonstrates that the hardening controls described in the technical description\ + \ document have been implemented." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6482,21 +5450,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node436 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-057 - name: Evidence - description: "Verify that hardening guidelines are applied for the secure configuration\ - \ and deployment of NFV components. This could be achieved by verifying a\ - \ document containing technical description of the hardening controls that\ - \ have been implemented on the NFV. This document contains details of whether\ - \ the hardening controls are implemented by default, or if additional actions\ - \ (e.g. scripts or manually executed commands) are required. \n\nVerify that\ - \ hardening best practices (e.g. automation) are part of the MNOs\u2019 testing\ - \ framework. This could be achieved by verifying a test report which demonstrates\ - \ that the hardening controls described in the technical description document\ - \ have been implemented." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-058 assessable: true depth: 3 
@@ -6513,20 +5466,8 @@ objects: \ of the list of devices checked by the BIOS to boot an operating system)\n\ \u2022\tReplacing default Secure Boot keys with custom keys generated by the\ \ owner" - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node438 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-058 - name: Evidence - description: 'A document which contains all required security features provided - by the firmware configuration interfaces. + typical_evidence: 'A document which contains all required security features + provided by the firmware configuration interfaces. A tool or any other suitable testing means used to detect the security features @@ -6536,6 +5477,13 @@ objects: Validation that there are no security features apart from the ones that have been mentioned and deemed necessary for the operation of the product in the attached documentation.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-059 assessable: true depth: 3 
@@ -6546,6 +5494,12 @@ objects: \ VNFs requiring a \u2018hardware root of trust\u2019 cannot be installed\ \ on a physical host or blade that does not fully support trusted boot (e.g.\ \ Intel-TXT) and TPM." + typical_evidence: "Document describing how to determine the trust level of VNFs.\n\ + \nDocument describing how to configure the VIM for VNFs segregation according\ + \ to trust levels.\n\nVerify that it is impossible to run two VNFs of differing\ + \ trust level on the same physical host.\n\nVerify that VNFs requiring a \u2018\ + hardware root of trust\u2019 cannot be installed on a physical host or blade\ + \ that does not fully support trusted boot (e.g. Intel-TXT) and TPM." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6553,17 +5507,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node440 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-059 - name: Evidence - description: "Document describing how to determine the trust level of VNFs.\n\ - \nDocument describing how to configure the VIM for VNFs segregation according\ - \ to trust levels.\n\nVerify that it is impossible to run two VNFs of differing\ - \ trust level on the same physical host.\n\nVerify that VNFs requiring a \u2018\ - hardware root of trust\u2019 cannot be installed on a physical host or blade\ - \ that does not fully support trusted boot (e.g. Intel-TXT) and TPM." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-060 assessable: true depth: 3 
@@ -6575,20 +5518,8 @@ objects: It should also be possible to take a snapshot of the affected VNF to allow for security investigation and analysis.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node442 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-060 - name: Evidence - description: "Document describing the recovery mechanisms for NFVI, VNFs and\ - \ MANO in the event of a VNF being attacked/compromised, or of any unauthorized/accidental\ + typical_evidence: "Document describing the recovery mechanisms for NFVI, VNFs\ + \ and MANO in the event of a VNF being attacked/compromised, or of any unauthorized/accidental\ \ service changes.\n\nDocument describing the configuration rollback mechanism,\ \ VNF relocation/retirement rule. Operational guide from VNF vendor sets out\ \ error logs/traps/notifications and troubleshooting.\n\nVerify that controls\ @@ -6607,6 +5538,13 @@ objects: \ the VNF instance. VNF instances termination should release allocated resources\n\ 8. Load backup VNF instance file and spin a new VNF instance\n9. Connect to\ \ VNF" + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-061 assessable: true depth: 3 
@@ -6616,19 +5554,7 @@ objects: (e.g. SDN Controllers) to ensure operational service is maintained. The design should include primary and secondary IP links with, where possible, diverse routing to prevent a single point of network failure. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node444 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-061 - name: Evidence - description: 'Documentation is available containing the default SDN controller + typical_evidence: 'Documentation is available containing the default SDN controller configuration. @@ -6642,6 +5568,13 @@ objects: packet from the network product 1 to the network product 2 with the primary IP. Then, verify that the packet is correctly routed and received by the network product 2 (logged by the network traffic analyser) with the secondary IP.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-062 assessable: true depth: 3 
@@ -6651,20 +5584,8 @@ objects: networks and NFV environments are not operationally dependent on the orchestration or MANO layer to maintain operating services under circumstances that may render the orchestration platform unavailable. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node446 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-062 - name: Evidence - description: 'Security architecture documentation confirms that SDN and NFV - are operationally independent. + typical_evidence: 'Security architecture documentation confirms that SDN and + NFV are operationally independent. Verify via tests that MANO layer can continue providing services while SDN @@ -6675,6 +5596,13 @@ objects: - Turn off MANO services and verify that requests sent to the SDN are correctly processed and that any running SDN service does not crash.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-063 assessable: true depth: 3 
@@ -6698,23 +5626,11 @@ objects: IKEv2 certificated-based authentication. ' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node448 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-063 - name: Evidence - description: "Network product documentation containing information about supported\ - \ TLS, IPsec with IKEv2, OAuth protocols and certificates is provided by the\ - \ vendor. Verification by looking at product documentation to ensure that\ - \ only protocol versions and cryptographic algorithms mandated by the profile\ - \ are supported by the network function. \n\nTLS:\n- Check that compliance\ + typical_evidence: "Network product documentation containing information about\ + \ supported TLS, IPsec with IKEv2, OAuth protocols and certificates is provided\ + \ by the vendor. Verification by looking at product documentation to ensure\ + \ that only protocol versions and cryptographic algorithms mandated by the\ + \ profile are supported by the network function. \n\nTLS:\n- Check that compliance\ \ with the TLS profile (in 3GPP technical specifications: 33.210, clause 6.2\ \ and 33.310, clause 6.2a) can be inferred from detailed provisions in the\ \ network product documentation.\n- Establish a secure connection between\ 
@@ -6743,6 +5659,13 @@ objects: \ with IKEv2 authentication are protected in the system keystore or similar\ \ tool (Java KeyStore, AWS KMS, etc.), in secure memory, or protected with\ \ hardware security tools such as TPMs/TEEs." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-064 assessable: true depth: 3 @@ -6756,21 +5679,9 @@ objects: gateway can be deployed on the N4/N3/N6/N9 interface for encrypted transmission of user data, and a firewall can be deployed on the MEC to defend against DDoS and other traffic attacks. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node450 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-064 - name: Evidence - description: 'Verification of successful IPsec tunnel over N4/N3/N6/N9 interfaces. - Verification of packet captures on the interfaces under the test confirms - the use of IPsec. + typical_evidence: 'Verification of successful IPsec tunnel over N4/N3/N6/N9 + interfaces. Verification of packet captures on the interfaces under the test + confirms the use of IPsec. Verification of successful TLS channel on the management plane. Verification 
@@ -6784,6 +5695,13 @@ objects: Diagnostic tools confirm that firewalls and gateways, if any, are activated.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-065 assessable: true depth: 3 @@ -6795,6 +5713,12 @@ objects: signature. A list of public keys or certificates of authorized software sources are provisioned to verify software origin. Tampered software is not executed or installed ' + typical_evidence: Log files of the update manager/utility (e.g. application/history + logs) in the network product show that installation/upgrade operation of network + product fails when using an invalid software package. Log files of the update + manager/utility (e.g. application/history logs) in the network product show + that installation/upgrade operation is successful when using a valid software + package reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6802,17 +5726,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node452 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-065 - name: Evidence - description: Log files of the update manager/utility (e.g. application/history - logs) in the network product show that installation/upgrade operation of network - product fails when using an invalid software package. Log files of the update - manager/utility (e.g. application/history logs) in the network product show - that installation/upgrade operation is successful when using a valid software - package - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-066 assessable: true depth: 3 @@ -6820,6 +5733,10 @@ objects: ref_id: SO12-066 description: Regular and effective patch management. Ideally, applying patches is fully automated. + typical_evidence: Check for presence of patch management tools notifying of + patch releases. All patches, especially those to critical or sensitive network + components or functions, are reviewed and subjected to security testing in + controlled environment prior to deployment reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6827,15 +5744,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node454 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-066 - name: Evidence - description: Check for presence of patch management tools notifying of patch - releases. All patches, especially those to critical or sensitive network components - or functions, are reviewed and subjected to security testing in controlled - environment prior to deployment - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-067 assessable: true depth: 3 @@ -6845,20 +5753,8 @@ objects: vulnerability assessments on initial deployment and subsequent periodic scans for deployed network components. Security scans should cover the whole NFV, and not just the network functions layer. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node456 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-067 - name: Evidence - description: 'Verify that documented processes and tools are in place to track - public and vendor/supplier databases of disclosed vulnerabilities. Verify + typical_evidence: 'Verify that documented processes and tools are in place to + track public and vendor/supplier databases of disclosed vulnerabilities. Verify via system logs and scan/test reports that vulnerability scanning tools are activated and periodic scans are performed for newly deployed network components, in particular for products supplied by suppliers considered to be high-risk. 
@@ -6872,6 +5768,13 @@ objects: MANO and VNFs. Such verification activities include checking the output of scan results generated by vulnerability scanners and a list of discovered vulnerabilities/identified discrepancies.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-068 assessable: true depth: 3 @@ -6879,6 +5782,11 @@ objects: ref_id: SO12-068 description: Timely delivery and implementation of security patches to vulnerable components in accordance with industry best practices + typical_evidence: MNO has documented and tested processes for timely delivery + of security patches following industry best practices, including patch implementation + according to specific timeframes and testing. There is evidence of these processes + being reviewed and adjusted, where appropriate, including review logs, comments + and previous versions. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6886,16 +5794,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node458 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-068 - name: Evidence - description: MNO has documented and tested processes for timely delivery of - security patches following industry best practices, including patch implementation - according to specific timeframes and testing. There is evidence of these processes - being reviewed and adjusted, where appropriate, including review logs, comments - and previous versions. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-069 assessable: true depth: 3 
@@ -6907,21 +5805,9 @@ objects: signed update older than the version currently installed on the hardware platform shall be considered illegitimate by default (however, the platform owner should be able to disable this protection using the firmware configuration interface). - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node460 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-069 - name: Evidence - description: 'A document which contains information on the firmware access mechanism - supported by the hardware platform, and on the memory devices from which the - platform can boot. + typical_evidence: 'A document which contains information on the firmware access + mechanism supported by the hardware platform, and on the memory devices from + which the platform can boot. Verify that the hardware platform is configured to boot only from memory devices @@ -6934,6 +5820,13 @@ objects: A documented configuration process is in place for the hardware boot from memory devices, as declared in the hardware platform document.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-070 assessable: true depth: 3 
@@ -6942,6 +5835,8 @@ objects: description: MANO is kept in sync about a VNF application software modification. Such a modification may be performed without requiring termination of the VNF instance with the prior VNF application software version. + typical_evidence: 'Verify that the information about a VNF instance stored in + MANO is updated as a result of a VNF application software modification ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -6949,13 +5844,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node462 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-070 - name: Evidence - description: 'Verify that the information about a VNF instance stored in MANO - is updated as a result of a VNF application software modification ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-071 assessable: true depth: 3 @@ -6965,6 +5853,10 @@ objects: program, in line with industry good practices, and communicate it clearly so that security researchers and ethical hackers know how to inform them about potential vulnerabilities. + typical_evidence: Documentation and processes for vulnerability handling and + patch management following a CVD program are in place. These processes include + assessing a discovered vulnerability, developing patches and securely updating + NFV components (manually or via an OTA). reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -6972,15 +5864,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node464 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-071 - name: Evidence - description: Documentation and processes for vulnerability handling and patch - management following a CVD program are in place. These processes include assessing - a discovered vulnerability, developing patches and securely updating NFV components - (manually or via an OTA). - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-072 assessable: true depth: 3 @@ -6990,19 +5873,7 @@ objects: a robust risk assessment to ensure that they adhere to specific security policies on interface security, security affinity/anti-affinity rules, NFV network zoning and application security. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node466 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-072 - name: Evidence - description: 'Documentation of the risk assessment process on new or modified + typical_evidence: 'Documentation of the risk assessment process on new or modified VNF service templates indicates that they adhere to security policies on interface security, security affinity/anti-affinity rules, NFV network zoning and application security. 
@@ -7010,6 +5881,13 @@ objects: Verify via system logs and risk assessment reports that periodic risk assessments are performed for new or modified VNF service templates.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-073 assessable: true depth: 3 @@ -7019,19 +5897,7 @@ objects: The NFVI is kept up to date (including firmware), to minimise security issues. If possible, automatically update the NFVI to minimise the time that the fabric is at risk if an issue is found. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node468 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-073 - name: Evidence - description: 'Log files of the update manager in the NFVI show that installation/upgrade + typical_evidence: 'Log files of the update manager in the NFVI show that installation/upgrade operation fails when using an invalid software package. Log files of the update managerin the NFVI show that installation/upgrade operation is successful when using a valid software package. 
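Review bot: The `typical_evidence` scalar introduced in `@@ -7019,19 +5897,7 @@` carries the pre-existing misspelling `update managerin the NFVI` from the removed `Evidence` description into the new field; since the text is being relocated anyway, fix it here: `update manager in the NFVI`. The same applies to the added line `inspecting timestams in the logs` in `@@ -7387,6 +6196,10 @@` (`timestamps`) and to `UE Parameters Update Data. etc.` in `@@ -7091,6 +5954,9 @@` (stray period after `Data`). Several of the relocated quoted scalars (`... software modification '` in `@@ -6942,6 +5835,8 @@`, `... the value "NULL" '` in `@@ -7113,6 +5971,9 @@`) keep a trailing space that will be stored verbatim in the new field; presumably harmless, but worth trimming while the text is moved.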
@@ -7039,6 +5905,13 @@ objects: Verify using automatic testing tools that NFVI is successfully updated without impacting VNFs.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-074 assessable: true depth: 3 @@ -7048,6 +5921,8 @@ objects: signature using the NRF's public key or verifying a MAC when using shared keys. NF providers further validate the fields in the access token such as scope, expiration time, etc. + typical_evidence: NF service provider rejects malformed access tokens with incorrect + MACs or incorrect fields/values and sends an OAuth error response reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7055,13 +5930,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node470 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-074 - name: Evidence - description: NF service provider rejects malformed access tokens with incorrect - MACs or incorrect fields/values and sends an OAuth error response - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-075 assessable: true depth: 3 
@@ -7069,6 +5937,9 @@ objects: ref_id: SO12-075 description: AUSFs should implement Nausf_SoRProtection service in accordance with 3GPP technical specification 33.501, clause 14.1 + typical_evidence: Verify that sending the SUPI, service name, requester ID etc. + to the Nausf_SoRProtection service results in the service returning a SoR-MAC-IAUSF + and CounterSoR or an error reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7076,14 +5947,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node472 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-075 - name: Evidence - description: Verify that sending the SUPI, service name, requester ID etc. to - the Nausf_SoRProtection service results in the service returning a SoR-MAC-IAUSF - and CounterSoR or an error - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-076 assessable: true depth: 3 @@ -7091,6 +5954,9 @@ objects: ref_id: SO12-076 description: AUSFs should implement Nausf_UPUProtection service in accordance with 3GPP technical specification 33.501, clause 14.1 + typical_evidence: Verify that sending the SUPI, service name, UE Parameters + Update Data. etc. to the Nausf_UPUProtection service results in the service + returning a UPU-MAC-IAUSF and CounterUPU or an error reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -7098,14 +5964,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node474 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-076 - name: Evidence - description: Verify that sending the SUPI, service name, UE Parameters Update - Data. etc. to the Nausf_UPUProtection service results in the service returning - a UPU-MAC-IAUSF and CounterUPU or an error - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-077 assessable: true depth: 3 @@ -7113,6 +5971,9 @@ objects: ref_id: SO12-077 description: SEPPs correctly replace information elements requiring encryption with the value "NULL" and create JSON patches with the encrypted values + typical_evidence: 'Packet capture at the SEPP shows that information elements + in the original message that require encryption according to the Data-type + encryption policy are replaced with the value "NULL" ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7120,14 +5981,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node476 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-077 - name: Evidence - description: 'Packet capture at the SEPP shows that information elements in - the original message that require encryption according to the Data-type encryption - policy are replaced with the value "NULL" ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-078 assessable: true depth: 3 
@@ -7135,6 +5988,9 @@ objects: ref_id: SO12-078 description: SEPPs ensure that IEs requiring encryption are not inserted at a different location in the JSON object + typical_evidence: Logs and packet captures of a SEPP confirm that an N32-f message + is discarded if an encrypted IE in the message received has been moved to + a cleartext IE reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7142,14 +5998,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node478 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-078 - name: Evidence - description: Logs and packet captures of a SEPP confirm that an N32-f message - is discarded if an encrypted IE in the message received has been moved to - a cleartext IE - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-079 assessable: true depth: 3 @@ -7157,6 +6005,11 @@ objects: ref_id: SO12-079 description: Network products can boot only from the memory devices intended for this purpose + typical_evidence: Verification with 'bootlist' or similar command line tools + to confirm that the network product is configured to boot from memory devices + declared in the network product documentation and it cannot boot from another + memory device. Verification that access to the firmware is not possible without + correct authentication reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -7164,16 +6017,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node480 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-079 - name: Evidence - description: Verification with 'bootlist' or similar command line tools to confirm - that the network product is configured to boot from memory devices declared - in the network product documentation and it cannot boot from another memory - device. Verification that access to the firmware is not possible without correct - authentication - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-080 assessable: true depth: 3 @@ -7182,6 +6025,10 @@ objects: description: Security mechanism to guarantee that only authorized individuals can initiate and deploy a software update, and modify the list cryptographic credentials used for verifying software sources + typical_evidence: Verify that attempts to modify the list of cryptographic credentials + used for verifying software sources are unsuccessful when logged in as a user + without adequate privileges. Verify that attempts to install software packages + are unsuccessful when logged in as a user without adequate privileges reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -7189,21 +6036,16 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node482 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-080 - name: Evidence - description: Verify that attempts to modify the list of cryptographic credentials - used for verifying software sources are unsuccessful when logged in as a user - without adequate privileges. Verify that attempts to install software packages - are unsuccessful when logged in as a user without adequate privileges - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-081 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12 ref_id: SO12-081 description: Integrity protection of data store used for VNF and CNF images. + typical_evidence: Manual inspection of VNF and CNF images confirms that their + integrity is protected with cryptographic tools such as a digital signature + or a hash. Verify that VMs and Containers cannot be created with tampered + images. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7211,14 +6053,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node484 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-081 - name: Evidence - description: Manual inspection of VNF and CNF images confirms that their integrity - is protected with cryptographic tools such as a digital signature or a hash. - Verify that VMs and Containers cannot be created with tampered images. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-082 assessable: true depth: 3 
@@ -7239,19 +6073,7 @@ objects: support Intel TXT, SGX, AMD SEV or ARM Trustzone silicon-based security functionality implemented with a TPM that stores measurements of the entire hypervisor or CIS stack and boot process.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node486 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-082 - name: Evidence - description: 'Verify that documentation of the host system describes support + typical_evidence: 'Verify that documentation of the host system describes support for HBRT. Verify via a guest OS that HBRT can be used for attestation. @@ -7262,6 +6084,13 @@ objects: Tamper a BIOS or a file in the host OS kernel and restart the host. Then, check that the boot operation is verified by a trusted HW platform and fails when using a tampered BIOS or a file in the host OS kernel.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-083 assessable: true depth: 3 
@@ -7279,19 +6108,7 @@ objects: VNF package is to be successfully authenticated and verified during instantiation to the NFVI from the trust packages repository.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node488 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-083 - name: Evidence - description: "Verify that integrity of VNF packages is ensured with cryptographic\ + typical_evidence: "Verify that integrity of VNF packages is ensured with cryptographic\ \ tools such as a digital signature or a hash during onboarding. \nVerify\ \ that confidentiality of sensitive VNF package artifacts/configuration files\ \ is ensured with cryptographic tools such as an encryption during onboarding.\ @@ -7310,6 +6127,13 @@ objects: \ of the VNF package using the certificate of VNF vendor. During VNF instantiation,\ \ the VIM selects a VNF image with an incorrect integrity protection value\ \ from the image repository to instantiate the VNF image." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-084 assessable: true depth: 3 
@@ -7317,6 +6141,12 @@ objects: ref_id: SO12-084 description: Integrity and confidentiality protection of configuration interfaces and configuration data stored in SDN controller + typical_evidence: Verify that integrity of configuration data is ensured with + cryptographic tools such as a digital signature or a hash. Verify that SDN + controller does not accept configuration data from SDN applications over the + application-control interface if the integrity checks fail. Verify via packet + captures at the SDN controller that the communication between the SDN applications + and the SDN controller is encrypted reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7324,17 +6154,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node490 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-084 - name: Evidence - description: Verify that integrity of configuration data is ensured with cryptographic - tools such as a digital signature or a hash. Verify that SDN controller does - not accept configuration data from SDN applications over the application-control - interface if the integrity checks fail. Verify via packet captures at the - SDN controller that the communication between the SDN applications and the - SDN controller is encrypted - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-085 assessable: true depth: 3 
@@ -7342,6 +6161,9 @@ objects: ref_id: SO12-085 description: The MME protects the Security Mode Command message with the integrity algorithm which has the highest priority according to the ordered lists + typical_evidence: MME system logs confirm that the MME has selected the integrity + algorithm which has the highest priority according to the locally configured + ordered lists and is also contained in the UE security capabilities reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7349,14 +6171,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node492 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-085 - name: Evidence - description: MME system logs confirm that the MME has selected the integrity - algorithm which has the highest priority according to the locally configured - ordered lists and is also contained in the UE security capabilities - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-086 assessable: true depth: 3 @@ -7364,6 +6178,9 @@ objects: ref_id: SO12-086 description: MME releases any established non-emergency bearers when the authentication of UE fails + typical_evidence: Check the system logs of the MME to confirm that when the + UE sends a request for EPS emergency bearer services and UE authentication + fails, the established non-emergency bearers are released by the MME reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 
@@ -7371,14 +6188,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node494 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-086 - name: Evidence - description: Check the system logs of the MME to confirm that when the UE sends - a request for EPS emergency bearer services and UE authentication fails, the - established non-emergency bearers are released by the MME - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-087 assessable: true depth: 3 @@ -7387,6 +6196,10 @@ objects: description: NWDAF always determines a recent NF instance serving a UE before retrieving data related to it, unless, the NWDAF has already obtained this information due to recent operations related to this UE + typical_evidence: Upon subscribing to analytics results for a test UE, the data + retrieved from the NWDAF is from an NF which served the UE most recently. + Verification includes inspecting timestams in the logs at various NFs that + have served the test UE recently reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7394,15 +6207,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node496 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-087 - name: Evidence - description: Upon subscribing to analytics results for a test UE, the data retrieved - from the NWDAF is from an NF which served the UE most recently. Verification - includes inspecting timestams in the logs at various NFs that have served - the test UE recently - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-088 assessable: true depth: 3 
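Review bot: The new `typical_evidence` text for SO12-087 carries over a typo from the removed node: `Verification includes inspecting timestams in the logs` should read `timestamps`. The same carry-over happens in later hunks of this file: SO13-003 has `confirm that that the SECURITY MODE COMMAND` (doubled "that"), and SO13-005 has `integrity, confidentially and replay-protected` where `confidentiality` is meant. Since these strings are being rewritten anyway, this is the cheapest moment to correct them rather than migrating the typos into the new field.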
@@ -7415,6 +6219,8 @@ objects: the NFVI may solve the issue of Virtual Network Function (VNF) isolation, memory introspection, and confidentiality of data-in-use in both virtualized and containerized environments. ' + typical_evidence: Document describing the deployed hardware resources that have + an HMEE enabled, and how they can be used. reference_controls: - risk:reference_control:enisa-5g-scm:5G-M64 - risk:reference_control:enisa-5g-scm:5G-M65 @@ -7422,13 +6228,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M67 - risk:reference_control:enisa-5g-scm:5G-M68 - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node498 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-088 - name: Evidence - description: Document describing the deployed hardware resources that have an - HMEE enabled, and how they can be used. - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-089 assessable: true depth: 3 
@@ -7458,20 +6257,9 @@ objects: If any step in the attestation process fails, the CoT cannot be expanded further and a recovery procedure should be activated to handle the failure.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node500 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-089 - name: Evidence - description: 'Document describing the attestation process to enable the software - integrity state to be reported and verified in order to determine its trustworthiness. + typical_evidence: 'Document describing the attestation process to enable the + software integrity state to be reported and verified in order to determine + its trustworthiness. Verification of attestation evidence from NFVI is performed by a verifier @@ -7481,6 +6269,13 @@ objects: Documented process on how to verify the attestation evidence by an external verifier. Further, the process includes the recovery process to handle attestation process failures.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-090 assessable: true depth: 3 
@@ -7489,19 +6284,7 @@ objects: description: Critical MEC components (e.g. security end points and crypto functions) need to be implemented in HMEEs (Hardware Mediated Execution Environments) e.g. Intel SGX or ARM TrustZone. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M64 - - risk:reference_control:enisa-5g-scm:5G-M65 - - risk:reference_control:enisa-5g-scm:5G-M66 - - risk:reference_control:enisa-5g-scm:5G-M67 - - risk:reference_control:enisa-5g-scm:5G-M68 - - risk:reference_control:enisa-5g-scm:5G-M69 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node502 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so12-090 - name: Evidence - description: 'Check a document describing secure services provided by trusted + typical_evidence: 'Check a document describing secure services provided by trusted HW platforms, and how to use them to verify whether blade servers support a trusted HW platform (e.g. Intel TXT, SGX, AMD SEV or ARM Trustzone) for secure storage, root of trust and secure boot. @@ -7519,6 +6302,13 @@ objects: (profile defined in TS 33.210) secure connection and verify that all protocol versions and combinations of cryptographic algorithms that are mandated by the security profile are provided by the tamper resistant module.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M64 + - risk:reference_control:enisa-5g-scm:5G-M65 + - risk:reference_control:enisa-5g-scm:5G-M66 + - risk:reference_control:enisa-5g-scm:5G-M67 + - risk:reference_control:enisa-5g-scm:5G-M68 + - risk:reference_control:enisa-5g-scm:5G-M69 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 assessable: false depth: 2 
@@ -7533,18 +6323,14 @@ objects: parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-001 description: 'NAS signaling should be confidentiality protected by the MME ' + typical_evidence: Packet captures confirm the encryption of the NAS signaling + messages reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node505 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-001 - name: Evidence - description: Packet captures confirm the encryption of the NAS signaling messages - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-002 assessable: true depth: 3 
@@ -7552,39 +6338,30 @@ objects: ref_id: SO13-002 description: All NAS signaling messages except those explicitly listed in TS 24.301 as exceptions should be integrity-protected + typical_evidence: 'Packet captures confirm the integrity protection of the NAS + signaling messages with one of the following algorithms: 128-NIA1, 128-NIA2, + or 128-NIA3' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node507 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-002 - name: Evidence - description: 'Packet captures confirm the integrity protection of the NAS signaling - messages with one of the following algorithms: 128-NIA1, 128-NIA2, or 128-NIA3' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-003 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-003 description: NAS NULL integrity with EIA0 is only used for emergency calls + typical_evidence: Packet captures at the MME confirm that that the SECURITY + MODE COMMAND message sent by the MME after successful UE authentication contains + an algorithm different from EIA0 (except for emergency calls) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node509 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-003 - name: Evidence - description: Packet captures at the MME confirm that that the SECURITY MODE - COMMAND message sent by the MME after successful UE authentication contains - an 
algorithm different from EIA0 (except for emergency calls) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-004 assessable: true depth: 3 @@ -7592,18 +6369,14 @@ objects: ref_id: SO13-004 description: eNB ensures confidentiality and integrity protection of control plane data on X2-C and S1-MME interfaces + typical_evidence: Packet captures confirm the use of IPsec on X2-C and S1-MME + interfaces reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node511 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-004 - name: Evidence - description: Packet captures confirm the use of IPsec on X2-C and S1-MME interfaces - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-005 assessable: true depth: 3 
@@ -7611,19 +6384,14 @@ objects: ref_id: SO13-005 description: eNB ensures confidentiality and integrity protection of user plane packets between the Uu reference point and the S1/X2 reference points + typical_evidence: Packet captures confirm that the transport of user data over + S1-U and X2-U interfaces is integrity, confidentially and replay-protected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node513 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-005 - name: Evidence - description: Packet captures confirm that the transport of user data over S1-U - and X2-U interfaces is integrity, confidentially and replay-protected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-006 assessable: true depth: 3 
@@ -7632,60 +6400,45 @@ objects: description: eNB protects the Security Mode Command message with the integrity and ciphering algorithms which have the highest priority according to the ordered lists + typical_evidence: System logs of the eNB confirm that it has selected the integrity + and ciphering algorithms which have the highest priority according to the + locally configured ordered lists and which are also contained in the UE security + capabilities reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node515 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-006 - name: Evidence - description: System logs of the eNB confirm that it has selected the integrity - and ciphering algorithms which have the highest priority according to the - locally configured ordered lists and which are also contained in the UE security - capabilities - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-007 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-007 description: eNBs verify RRC integrity + typical_evidence: Verify that eNB rejects a RRC message sent with faulty or + missing MAC-I reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node517 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-007 - name: Evidence - description: Verify that eNB rejects a RRC message sent with faulty or missing - MAC-I - urn: 
urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-008 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-008 description: AS NULL integrity with EIA0 is only used for emergency calls + typical_evidence: Confirmation that the SECURITY MODE COMMAND message sent by + the eNB after successful UE authentication contains an algorithm different + from EIA0 (except for emergency calls) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node519 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-008 - name: Evidence - description: Confirmation that the SECURITY MODE COMMAND message sent by the - eNB after successful UE authentication contains an algorithm different from - EIA0 (except for emergency calls) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-009 assessable: true depth: 3 
@@ -7693,20 +6446,15 @@ objects: ref_id: SO13-009 description: NWDAF applies data masking on integration analysis of personal data + typical_evidence: Verify that retrieving analytics results from the NWDAF after + creating an account does not contain any personal data of UE's users such + as the subscriber permanent identifier (SUPI) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node521 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-009 - name: Evidence - description: Verify that retrieving analytics results from the NWDAF after creating - an account does not contain any personal data of UE's users such as the subscriber - permanent identifier (SUPI) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-010 assessable: true depth: 3 
@@ -7718,19 +6466,8 @@ objects: After the hypervisor/CIS has used the key to decrypt the workload, it shall delete any local copy of the key.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M70 - - risk:reference_control:enisa-5g-scm:5G-M71 - - risk:reference_control:enisa-5g-scm:5G-M72 - - risk:reference_control:enisa-5g-scm:5G-M73 - - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node523 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-010 - name: Evidence - description: 'A document describing the encryption/decryption mechanisms of - VM or container workload and the secure destruction of cryptographic materials. + typical_evidence: 'A document describing the encryption/decryption mechanisms + of VM or container workload and the secure destruction of cryptographic materials. Verify using testing tools that the workload is encrypted according to the 
@@ -7742,29 +6479,30 @@ objects: Verify that the destruction process of the used cryptographic key(s) for encryption or decryption is applied. Verify that the used key is unavailable (e.g. zeroed).' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M70 + - risk:reference_control:enisa-5g-scm:5G-M71 + - risk:reference_control:enisa-5g-scm:5G-M72 + - risk:reference_control:enisa-5g-scm:5G-M73 + - risk:reference_control:enisa-5g-scm:5G-M74 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-011 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-011 description: VM or container swap encryption (e.g. dm-crypt linux based tool) + typical_evidence: 'A document containing the tools used for encrypting swapped + VM or container and their configuration. + + + Verification through a test machine (e.g. network traffic analyser) that a + swapped VM or container to a hard disk is encrypted.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node525 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-011 - name: Evidence - description: 'A document containing the tools used for encrypting swapped VM - or container and their configuration. - - - Verification through a test machine (e.g. network traffic analyser) that a - swapped VM or container to a hard disk is encrypted.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-012 assessable: true depth: 3 
@@ -7773,19 +6511,14 @@ objects: description: SIDF uses protection scheme indicator in the concealed identifier (SUCI) for determining which ECIES profile should be used for resolving the SUCI to the SUPI + typical_evidence: SUPI available from SUCI resolution at the SIDF matches the + SUPI of the UE reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node527 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-012 - name: Evidence - description: SUPI available from SUCI resolution at the SIDF matches the SUPI - of the UE - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-013 assessable: true depth: 3 
@@ -7793,20 +6526,15 @@ objects: ref_id: SO13-013 description: 'Certificates for mutual authentication of network functions follow the profiles given in 3GPP technical specifications: 33.310 and 33.501' + typical_evidence: Verification of all client and server certificates indicates + their compliance with the 3GPP profiles given in TS 33.310 and 33.501. Verification + can involve manual inspection of certificates or automated tools, if available reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node529 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-013 - name: Evidence - description: Verification of all client and server certificates indicates their - compliance with the 3GPP profiles given in TS 33.310 and 33.501. Verification - can involve manual inspection of certificates or automated tools, if available - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-014 assessable: true depth: 3 
@@ -7815,19 +6543,14 @@ objects: description: AMFs protect signaling messages with ciphering and integrity protection of NAS signaling messages using appropriate algorithms such as 128-NEA1 128-NIA1 standardized in 3GPP TS 33.501 + typical_evidence: Packet captures of NAS SMC procedure taking place between + UE and AMF demonstrate integrity protection, replay protection, and encryption reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node531 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-014 - name: Evidence - description: Packet captures of NAS SMC procedure taking place between UE and - AMF demonstrate integrity protection, replay protection, and encryption - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-015 assessable: true depth: 3 
@@ -7836,22 +6559,17 @@ objects: description: 'AMFs reject registration request messages containing invalid or unacceptable UE security capabilities. For example: UE security capabilities message containing no integrity algorithms' + typical_evidence: Sending invalid/unacceptable UE security capabilities such + as those with no 5GS encryption algorithms (all bits zero), no 5GS integrity + algorithms (all bits zero), mandatory 5GS encryption algorithms not supported + or mandatory 5GS integrity algorithms not supported are rejected by the AMF + and their rejection is captured in its access logs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node533 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-015 - name: Evidence - description: Sending invalid/unacceptable UE security capabilities such as those - with no 5GS encryption algorithms (all bits zero), no 5GS integrity algorithms - (all bits zero), mandatory 5GS encryption algorithms not supported or mandatory - 5GS integrity algorithms not supported are rejected by the AMF and their rejection - is captured in its access logs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-016 assessable: true depth: 3 
@@ -7859,58 +6577,44 @@ objects: ref_id: SO13-016 description: Protect application layer messages on the N32 interface of SEPPs in different PLMN + typical_evidence: SEPP documentation and system logs confirm the use of PRINS + (PRotocol for N32 Interconnect Security) for protecting application layer + messages on the N32 interface of SEPPs when there are IPX entities between + SEPPs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node535 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-016 - name: Evidence - description: SEPP documentation and system logs confirm the use of PRINS (PRotocol - for N32 Interconnect Security) for protecting application layer messages on - the N32 interface of SEPPs when there are IPX entities between SEPPs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-017 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-017 description: SEPPs follow the JWS profile defined in 3GPP TS 33.210 + typical_evidence: Logs of the SEPP show that sending an N32-f message with a + JWS not following the 3GPP TS 33.210 profile is rejected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node537 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-017 - name: Evidence - description: Logs of the SEPP show that sending an N32-f message with a JWS - not following the 3GPP TS 33.210 profile is rejected - urn: 
urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-018 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-018 description: SEPPs only use the ES256 algorithm with IPX entities + typical_evidence: Review of the network product documentation shows that SEPP + only supports the JWS ES256 algorithm for use with IPX entities reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node539 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-018 - name: Evidence - description: Review of the network product documentation shows that SEPP only - supports the JWS ES256 algorithm for use with IPX entities - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-019 assessable: true depth: 3 @@ -7918,19 +6622,14 @@ objects: ref_id: SO13-019 description: gNB implements ciphering algorithms NEA0, 128-NEA1, 128-NEA2, 128-NEA3 for ciphering of RRC signaling + typical_evidence: Packet captures show that control plane packets sent to the + UE after the gNB sends AS Security Mode Command (SMC) are ciphered reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node541 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-019 - name: Evidence - description: Packet captures show that control plane packets sent to the UE - after the gNB sends AS Security Mode Command (SMC) are ciphered - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-020 assessable: true depth: 3 
@@ -7939,19 +6638,14 @@ objects: description: gNB implements NIA0, 128-NIA1, 128-NIA2, 128-NIA3 algorithms with NIA0 disabled unless necessary by regulatory requirements for integrity and replay protection of RRC signaling + typical_evidence: Packet captures show that control plane packets sent/received + to/from the UE are integrity protected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node543 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-020 - name: Evidence - description: Packet captures show that control plane packets sent/received to/from - the UE are integrity protected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-021 assessable: true depth: 3 
@@ -7960,20 +6654,15 @@ objects: description: gNBs refresh keys KgNB, KRRC-enc, KRRC-int, KUP-int, and KUP-enc when the PDCP COUNT value is about to be re-used with the same Radio Bearer identity and with the same KgNB + typical_evidence: 'gNB system logs and packet captures on the gNB confirm that + it performs KgNB refresh when PDCP COUNTs are about to wrap around because + of RRC or UP messages with increasing PDCP COUNT from the UE ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node545 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-021 - name: Evidence - description: 'gNB system logs and packet captures on the gNB confirm that it - performs KgNB refresh when PDCP COUNTs are about to wrap around because of - RRC or UP messages with increasing PDCP COUNT from the UE ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-022 assessable: true depth: 3 
@@ -7986,20 +6675,15 @@ objects: If the MN cannot allocate an unused identity due to radio bearer identity space exhaustion, the MN shall increment the SN Counter and compute a fresh KSN which it then updates with SN modification procedure ' + typical_evidence: 'gNB system logs and packet captures on a gNB acting as an + MN show that it performs KSN update and sends it to the SN via the SN Modification + Request when DRB-IDs are about to be reused ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node547 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-022 - name: Evidence - description: 'gNB system logs and packet captures on a gNB acting as an MN show - that it performs KSN update and sends it to the SN via the SN Modification - Request when DRB-IDs are about to be reused ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-023 assessable: true depth: 3 
@@ -8007,19 +6691,14 @@ objects: ref_id: SO13-023 description: IAB donor should support confidentiality, integrity, and replay protection of RRC-signalling between the IAB donor and the IAB-node (IAB-UE) + typical_evidence: Packet captures at the IAB donor confirm integrity, confidentiality, + and replay protection of RRC-signalling reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node549 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-023 - name: Evidence - description: Packet captures at the IAB donor confirm integrity, confidentiality, - and replay protection of RRC-signalling - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-024 assessable: true depth: 3 
@@ -8027,21 +6706,16 @@ objects: ref_id: SO13-024 description: Slice management interface messages have replay protection, integrity protection, and confidentiality + typical_evidence: Verify that standard security protocols such as TLS which + provide integrity, confidentiality, and replay protection are used for communicating + with the slice management interfaces. This can be confirmed by checking packet + captures or by setting up test connections reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node551 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-024 - name: Evidence - description: Verify that standard security protocols such as TLS which provide - integrity, confidentiality, and replay protection are used for communicating - with the slice management interfaces. This can be confirmed by checking packet - captures or by setting up test connections - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-025 assessable: true depth: 3 
@@ -8050,21 +6724,16 @@ objects: description: Supervision and performance reporting of a Network Slice Instance (NSI) should at least be integrity protected and may additionally be confidentiality protected + typical_evidence: Verify that standard security protocols such as TLS which + provide integrity, confidentiality, and replay protection are used for communicating + supervising and performance reporting of NSIs. This can be confirmed by checking + packet captures or by setting up test connections reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node553 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-025 - name: Evidence - description: Verify that standard security protocols such as TLS which provide - integrity, confidentiality, and replay protection are used for communicating - supervising and performance reporting of NSIs. This can be confirmed by checking - packet captures or by setting up test connections - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-026 assessable: true depth: 3 
@@ -8072,20 +6741,16 @@ objects: ref_id: SO13-026 description: Network slice subnet template (NSST) should be confidentiality protected + typical_evidence: Inspection of the encrypted network slice subnet template + does not reveal configuration and topology information. Verification that + network slice subnet template can only be used after decryption with appropriate + credentials reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node555 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-026 - name: Evidence - description: Inspection of the encrypted network slice subnet template does - not reveal configuration and topology information. Verification that network - slice subnet template can only be used after decryption with appropriate credentials - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-027 assessable: true depth: 3 
@@ -8096,23 +6761,18 @@ objects: have replay, integrity, and confidentiality protection with TLS. Version 1.2 or 1.3 of TLS are recommended. Cryptographic keys/certificates for TLS authentication are protected + typical_evidence: Verify by successfully setting up test connections with slice + management interface and negotiating different slice characteristics via TLS. + Verification with a key management utility that the keys/certificates for + TLS authentication are protected in the system keystore or similar tool (Java + KeyStore, AWS KMS, etc.), in secure memory, or protected with hardware security + tools such as TPMs/TEEs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node557 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-027 - name: Evidence - description: Verify by successfully setting up test connections with slice management - interface and negotiating different slice characteristics via TLS. Verification - with a key management utility that the keys/certificates for TLS authentication - are protected in the system keystore or similar tool (Java KeyStore, AWS KMS, - etc.), in secure memory, or protected with hardware security tools such as - TPMs/TEEs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-028 assessable: true depth: 3 
@@ -8120,20 +6780,15 @@ objects: ref_id: SO13-028 description: Interconnect traffic between data centers should be authenticated and encrypted + typical_evidence: Check documentation of SDN controller/switches, business agreements, + and packet captures for use of L1 and/or L2 encryption techniques such as + MACsec reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node559 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-028 - name: Evidence - description: Check documentation of SDN controller/switches, business agreements, - and packet captures for use of L1 and/or L2 encryption techniques such as - MACsec - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-029 assessable: true depth: 3 
@@ -8141,20 +6796,15 @@ objects: ref_id: SO13-029 description: Configuration and user profile data sent from the VAL server in the network to a VAL UE is integrity, confidentiality, and replay protected + typical_evidence: Packet captures at the VAL server confirm that protocol such + as TLS which provide encryption, integrity protection, and replay protection + are used from sending configuration and user profile data reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node561 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-029 - name: Evidence - description: Packet captures at the VAL server confirm that protocol such as - TLS which provide encryption, integrity protection, and replay protection - are used from sending configuration and user profile data - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-030 assessable: true depth: 3 
@@ -8163,19 +6813,14 @@ objects: description: Control and user plane EMSDP messages between the HSE and BEST UE are integrity protected protected with algorithms such as 128-NIA1, 128-NIA2 or 128-NIA3 + typical_evidence: Packet captures at the HSE show that control and user plane + packets between HSE and BEST UE are integrity protected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node563 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-030 - name: Evidence - description: Packet captures at the HSE show that control and user plane packets - between HSE and BEST UE are integrity protected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-031 assessable: true depth: 3 @@ -8184,19 +6829,14 @@ objects: description: Control and user plane EMSDP messages between the HSE and BEST UE are confidentiality protected protected with algorithms such as 128-NEA1, 128-NEA2 or 128-NEA3 + typical_evidence: Packet captures at the HSE show that control and user plane + packets between HSE and BEST UE are ciphered reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node565 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-031 - name: Evidence - description: Packet captures at the HSE show that control and user plane packets - between HSE and BEST UE are ciphered - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-032 assessable: true depth: 3 
@@ -8204,19 +6844,14 @@ objects: ref_id: SO13-032 description: Support for NIA0 integrity protection is disabled in AMF unless support for unauthenticated emergency session is a regulatory requirement + typical_evidence: 'NAS Security Mode Command message to the UE containing the + selected NAS algorithms does not include NIA0 if it is disabled ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node567 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-032 - name: Evidence - description: 'NAS Security Mode Command message to the UE containing the selected - NAS algorithms does not include NIA0 if it is disabled ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-033 assessable: true depth: 3 
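Review bot: The new `typical_evidence` value for SO13-032 keeps the trailing space of the old Evidence description inside the quoted scalar (`... does not include NIA0 if it is disabled '`), and the same carried-over whitespace appears in the SO14-006 hunk (`... authorization and authentication. '`) and the SO14-012 hunk (`requirements. \n\n` and `in place. "`). Since this is a one-time move of the text into the new field, trimming the strings would keep stray whitespace from surfacing in the UI and in exports; for SO13-032 that is `typical_evidence: NAS Security Mode Command message to the UE containing the selected NAS algorithms does not include NIA0 if it is disabled` with the quotes dropped. If this YAML is produced from a spreadsheet by a conversion script, the trim belongs in that source rather than in the generated file.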
@@ -8225,40 +6860,30 @@ objects: description: During the handover, if the AMF changes, the target AMF selects the NAS algorithm with the highest priority in the ordered list of the UE security capabilities + typical_evidence: Packet capture of the NGAP HANDOVER REQUEST message sent by + the target AMF to the gNB includes the algorithm with the highest priority + of the target AMF and not the highest priority in the ordered list received + from the source AMF reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node569 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-033 - name: Evidence - description: Packet capture of the NGAP HANDOVER REQUEST message sent by the - target AMF to the gNB includes the algorithm with the highest priority of - the target AMF and not the highest priority in the ordered list received from - the source AMF - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-034 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13 ref_id: SO13-034 description: gNB verify RRC and user plane integrity + typical_evidence: gNB system logs show that gNB rejects a RRC message or a PDCP + PDU sent with faulty or missing MAC-I reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node571 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-034 - name: Evidence - description: gNB system logs show that gNB rejects a RRC message or a PDCP PDU - sent with 
faulty or missing MAC-I - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-035 assessable: true depth: 3 @@ -8266,19 +6891,14 @@ objects: ref_id: SO13-035 description: gNB activates ciphering of user data based on security policy sent by the SMF + typical_evidence: Packet captures show that user plane packets sent to the UE + after the gNB sends RRCConnectionReconfiguration are confidentiality protected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node573 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-035 - name: Evidence - description: Packet captures show that user plane packets sent to the UE after - the gNB sends RRCConnectionReconfiguration are confidentiality protected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-036 assessable: true depth: 3 
@@ -8286,20 +6906,15 @@ objects: ref_id: SO13-036 description: gNB ensures integrity of user data based on security policy sent by the SMF + typical_evidence: Packet captures show that user plane packets sent between + UE and gNB over the NG RAN air interface after gNB sends RRCConnectionReconfiguration + are integrity protected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node575 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-036 - name: Evidence - description: Packet captures show that user plane packets sent between UE and - gNB over the NG RAN air interface after gNB sends RRCConnectionReconfiguration - are integrity protected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-037 assessable: true depth: 3 
@@ -8308,21 +6923,16 @@ objects: description: gNB selects the ciphering and integrity algorithm with the highest priority from the UE's 5G security capabilities and locally configured list of algorithms + typical_evidence: Packet captures at the gNB show that the AS Security Mode + Command message includes the chosen algorithm with the highest priority according + to the ordered lists locally configured and contained in the UE 5G security + capabilities reference_controls: - risk:reference_control:enisa-5g-scm:5G-M70 - risk:reference_control:enisa-5g-scm:5G-M71 - risk:reference_control:enisa-5g-scm:5G-M72 - risk:reference_control:enisa-5g-scm:5G-M73 - risk:reference_control:enisa-5g-scm:5G-M74 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node577 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so13-037 - name: Evidence - description: Packet captures at the gNB show that the AS Security Mode Command - message includes the chosen algorithm with the highest priority according - to the ordered lists locally configured and contained in the UE 5G security - capabilities - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14 assessable: false depth: 2 
@@ -8338,23 +6948,18 @@ objects: ref_id: SO14-001 description: Protect the Home Network private key from physical attacks in the UDM + typical_evidence: UDM documentation lists mechanisms for protection of private + key from physical attacks. Verification with a key management utility that + the home network private key in the UDM is protected in the system keystore. + If hardware security tools such as TEEs are used, then the system logs of + the UDM show that sending a test SUCI to the TEE inside the UDM results in + the correct mapping to SUPI reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node580 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-001 - name: Evidence - description: UDM documentation lists mechanisms for protection of private key - from physical attacks. Verification with a key management utility that the - home network private key in the UDM is protected in the system keystore. If - hardware security tools such as TEEs are used, then the system logs of the - UDM show that sending a test SUCI to the TEE inside the UDM results in the - correct mapping to SUPI - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-002 assessable: true depth: 3 
@@ -8362,21 +6967,16 @@ objects: ref_id: SO14-002 description: The algorithm for subscriber privacy (SUCI to SUPI mapping) is executed in the secure environment of the UDM + typical_evidence: UDM documentation lists mechanisms for protection of the algorithm + for mapping concealed identity to permanent identity. If hardware security + tools such as TEEs are used, then the system logs of the UDM show that sending + a test SUCI to the TEE inside UDM results in the correct mapping to SUPI reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node582 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-002 - name: Evidence - description: UDM documentation lists mechanisms for protection of the algorithm - for mapping concealed identity to permanent identity. If hardware security - tools such as TEEs are used, then the system logs of the UDM show that sending - a test SUCI to the TEE inside UDM results in the correct mapping to SUPI - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-003 assessable: true depth: 3 
@@ -8384,18 +6984,14 @@ objects: ref_id: SO14-003 description: UDM logs the authentication status and timestamp of subscriber authentication, in particular when the subscriber is in a visited network + typical_evidence: Logs of the UDM show the status and timestamp of subscriber + authentication reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node584 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-003 - name: Evidence - description: Logs of the UDM show the status and timestamp of subscriber authentication - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-004 assessable: true depth: 3 
@@ -8408,21 +7004,16 @@ objects: to the chosen PLMN, (2) if the home network has configured "null-scheme" to be used, or (3) if the home network has not provisioned the public key needed to generate a SUCI' + typical_evidence: Verification of UE authentication confirms that SUPI is not + transmitted in clear text. Inspection of the protection scheme in the SUCI + confirms a non-null protection scheme was used or one of the special conditions + for using a null-scheme is met reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node586 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-004 - name: Evidence - description: Verification of UE authentication confirms that SUPI is not transmitted - in clear text. Inspection of the protection scheme in the SUCI confirms a - non-null protection scheme was used or one of the special conditions for using - a null-scheme is met - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-005 assessable: true depth: 3 
@@ -8431,21 +7022,16 @@ objects: description: 'Key hierarchy defined in technical specification 33.501, clause 6.2 and Annex A is followed for deriving and distributing keys KAUSF, KSEAF, KAMF, KgNB, and KN3IWF ' + typical_evidence: After a test UE device has successfully authenticated and + registered, debug tools on the test UE and network nodes AUSF/SEAF/AMF/gNB/N3IWF + confirm that the keys in the network nodes are identical to the ones derived + by the UE reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node588 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-005 - name: Evidence - description: After a test UE device has successfully authenticated and registered, - debug tools on the test UE and network nodes AUSF/SEAF/AMF/gNB/N3IWF confirm - that the keys in the network nodes are identical to the ones derived by the - UE - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-006 assessable: true depth: 3 
@@ -8453,42 +7039,32 @@ objects: ref_id: SO14-006 description: Security of the User ID and credentials used for slice specific authorization and authentication is ensured during transfer and network storage + typical_evidence: 'Verification that User ID and credentials used for slice + specific authorization and authentication are protected with the use of password + salting, database encryption, etc. Packet captures show that secure protocols + such as TLS are used for slice specific authorization and authentication. ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node590 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-006 - name: Evidence - description: 'Verification that User ID and credentials used for slice specific - authorization and authentication are protected with the use of password salting, - database encryption, etc. Packet captures show that secure protocols such - as TLS are used for slice specific authorization and authentication. ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-007 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14 ref_id: SO14-007 description: Secure transfer of UICC (or eUICC) credentials from the UICC manufacturer + typical_evidence: MNO has documented processes and tools in place to manage + the security of UICC credentials transferred from the UICC manufacturer to + the MNO. 
Process documentation confirms adherence to industry best practices + such as those defined in GSMA FS.28 reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node592 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-007 - name: Evidence - description: MNO has documented processes and tools in place to manage the security - of UICC credentials transferred from the UICC manufacturer to the MNO. Process - documentation confirms adherence to industry best practices such as those - defined in GSMA FS.28 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-008 assessable: true depth: 3 
@@ -8497,40 +7073,30 @@ objects: description: SEPPs clearly differentiate between certificates used for authentication of peer SEPPs and certificates used for authentication of intermediates performing message modifications + typical_evidence: Verification that the SEPPs don't accept N32-c TLS connections + if raw public keys/certificates are used. Verification that SEPPs don't accept + N32-f JSON patches signed with raw public keys/certificates of peer SEPPs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node594 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-008 - name: Evidence - description: Verification that the SEPPs don't accept N32-c TLS connections - if raw public keys/certificates are used. Verification that SEPPs don't accept - N32-f JSON patches signed with raw public keys/certificates of peer SEPPs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-009 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14 ref_id: SO14-009 description: AKMA Application Key (KAF) has a maximum lifetime + typical_evidence: Verify that the Naanf_AKMA_ApplicationKey_Get response message + from the AAnF to the AF contains the KAF lifetime. 
Verify via AF logs that + a KAF cannot be used for AKMA authentication after its lifetime has expired reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node596 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-009 - name: Evidence - description: Verify that the Naanf_AKMA_ApplicationKey_Get response message - from the AAnF to the AF contains the KAF lifetime. Verify via AF logs that - a KAF cannot be used for AKMA authentication after its lifetime has expired - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-010 assessable: true depth: 3 @@ -8539,20 +7105,15 @@ objects: description: 'SDN controller and NFV Security Manager (NSM) should have a key and certificate management system which includes key generation, storage, deletion and cryptographic processing. ' + typical_evidence: Verify that system documentation outlines an API for key management. + Making API calls to create, store, delete keys/certificates confirms support + for key management reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node598 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-010 - name: Evidence - description: Verify that system documentation outlines an API for key management. - Making API calls to create, store, delete keys/certificates confirms support - for key management - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-011 assessable: true depth: 3 
@@ -8564,24 +7125,20 @@ objects: KMIP SPEC should be supported. The key management system uses a tamper resistant module, such as HSM. The tamper-resistant module storing the key(s) shall be certified e.g. Common Criteria, FIPS 140-2 Level 3. ' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M75 - - risk:reference_control:enisa-5g-scm:5G-M76 - - risk:reference_control:enisa-5g-scm:5G-M77 - - risk:reference_control:enisa-5g-scm:5G-M78 - - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node600 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-011 - name: Evidence - description: 'A document describing the supported KMIP and how to use it securely. + typical_evidence: 'A document describing the supported KMIP and how to use it + securely. Verify that the implemented protocol is robust against unexpected input. Verify that the execution of this protocol is based on tamper resistant modules such as HSMs. Verify that the protocol is using crypto materials provided by the tamper resistant module (e.g. random number, session keys, etc.)' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M75 + - risk:reference_control:enisa-5g-scm:5G-M76 + - risk:reference_control:enisa-5g-scm:5G-M77 + - risk:reference_control:enisa-5g-scm:5G-M78 + - risk:reference_control:enisa-5g-scm:5G-M79 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-012 assessable: true depth: 3 
@@ -8599,23 +7156,18 @@ objects: \ in IETF RFC 3647.\n\nCertificates are continuously monitored, with the ability\ \ to generate audits and keep on top of expirations and renewals to avoid\ \ any disruption in NFV services." + typical_evidence: "MNO has a documented certification management process for\ + \ distributing Public Key Certificates (PKC) to authenticate, authorize, and\ + \ encrypt links between NFV components.\n\nVerify that a Certificate Policy\ + \ is developed and documented by MNOs in accordance with their regional and\ + \ national requirements. \n\nVerify that a documented renewal procedure (preferably\ + \ automatic) of certificates prior to their expiration is in place. " reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node602 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-012 - name: Evidence - description: "MNO has a documented certification management process for distributing\ - \ Public Key Certificates (PKC) to authenticate, authorize, and encrypt links\ - \ between NFV components.\n\nVerify that a Certificate Policy is developed\ - \ and documented by MNOs in accordance with their regional and national requirements.\ - \ \n\nVerify that a documented renewal procedure (preferably automatic) of\ - \ certificates prior to their expiration is in place. " - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-013 assessable: true depth: 3 
@@ -8632,20 +7184,9 @@ objects: The handling of certificates, including certificate profiles, may follow the rules defined in 3GPP TS 33.310.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M75 - - risk:reference_control:enisa-5g-scm:5G-M76 - - risk:reference_control:enisa-5g-scm:5G-M77 - - risk:reference_control:enisa-5g-scm:5G-M78 - - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node604 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-013 - name: Evidence - description: "Documented certificate management policy shows how vendor default\ - \ certificates are removed and replaced by those of MNO. \n\nCertificate management\ - \ policy contains rules on management of the life cycle of a certificate.\n\ + typical_evidence: "Documented certificate management policy shows how vendor\ + \ default certificates are removed and replaced by those of MNO. \n\nCertificate\ + \ management policy contains rules on management of the life cycle of a certificate.\n\ \nDocumentation containing CMP profiles that specifies clearly which options\ \ and features of CMP are used and how.\n\nTests via auditing tools show that\ \ the network product does not support vendor default certificates during\ 
@@ -8657,25 +7198,26 @@ objects: \ by the CMP profile are supported.\n\nVerification with a key management\ \ utility that the keys/certificates are protected with hardware security\ \ devices, such as hardware security modules (HSMs)." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M75 + - risk:reference_control:enisa-5g-scm:5G-M76 + - risk:reference_control:enisa-5g-scm:5G-M77 + - risk:reference_control:enisa-5g-scm:5G-M78 + - risk:reference_control:enisa-5g-scm:5G-M79 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-014 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14 ref_id: SO14-014 description: Predefined or default accounts are deleted or disabled + typical_evidence: Access logs of the network product confirm that login attempts + with predefined accounts are unsuccessful reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node606 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-014 - name: Evidence - description: Access logs of the network product confirm that login attempts - with predefined accounts are unsuccessful - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-015 assessable: true depth: 3 
@@ -8691,20 +7233,15 @@ objects: Before deploying any new network functions, all default passwords must be changed to have values consistent with administrative level accounts. ' + typical_evidence: Documented password policy with requirements on complexity + and change frequency, means of protection against brute force/dictionary attacks, + and means for hiding password display in clear reference_controls: - risk:reference_control:enisa-5g-scm:5G-M75 - risk:reference_control:enisa-5g-scm:5G-M76 - risk:reference_control:enisa-5g-scm:5G-M77 - risk:reference_control:enisa-5g-scm:5G-M78 - risk:reference_control:enisa-5g-scm:5G-M79 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node608 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so14-015 - name: Evidence - description: Documented password policy with requirements on complexity and - change frequency, means of protection against brute force/dictionary attacks, - and means for hiding password display in clear - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d4 assessable: false depth: 1 
@@ -8728,22 +7265,17 @@ objects: lifecycle. Such analysis should identify critical dependencies that may impact availability or continuity of 5G network service as well as corresponding mitigation measures - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M80 - - risk:reference_control:enisa-5g-scm:5G-M81 - - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node612 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-001 - name: Evidence - description: Documented evidence of detailed mapping and analysis of resource + typical_evidence: Documented evidence of detailed mapping and analysis of resource infrastructure requirements and associated performance requirements. This mapping and analysis exercise is based on the requirements in standards such as 3GPP 33.501 and 23.501 as well as other corporate/service-level security requirements. MNO has documented up-to-date operational procedures which are proactively tested for mitigating or reducing service disruption when critical dependencies have outages. Test results are documented. + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M80 + - risk:reference_control:enisa-5g-scm:5G-M81 + - risk:reference_control:enisa-5g-scm:5G-M82 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-002 assessable: true depth: 3 
@@ -8751,35 +7283,25 @@ objects: ref_id: SO15-002 description: Adequate resource capability delivery management process should be ensured + typical_evidence: MNO has documented processes in place to manage the provisioning, + implementation, commissioning, and roll-out of new resource capabilities. + These documented processes include management of suppliers/partners reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node614 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-002 - name: Evidence - description: MNO has documented processes in place to manage the provisioning, - implementation, commissioning, and roll-out of new resource capabilities. - These documented processes include management of suppliers/partners - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-003 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15 ref_id: SO15-003 description: Adequate processes to support resource trouble management + typical_evidence: MNO has documented processes for resource trouble management, + such as statistically driven preventive maintenance reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node616 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-003 - name: Evidence - description: MNO has documented processes for resource trouble management, such - as statistically driven preventive maintenance - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-004 assessable: true depth: 3 
@@ -8787,19 +7309,14 @@ objects: ref_id: SO15-004 description: Security management processes should be used for operational deployment considerations + typical_evidence: Verify that documented operational procedures across the company, + including division of responsibilities and monitoring capabilities, are guided + by security management principles of prevention, monitoring, detection, analysis + and incident management reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node618 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-004 - name: Evidence - description: Verify that documented operational procedures across the company, - including division of responsibilities and monitoring capabilities, are guided - by security management principles of prevention, monitoring, detection, analysis - and incident management - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-005 assessable: true depth: 3 
@@ -8812,20 +7329,15 @@ objects: small servers (Echo, Chargen, Discard and Daytime) are disabled except if services are needed during deployment (in which case, those services are disabled after deployment)' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M80 - - risk:reference_control:enisa-5g-scm:5G-M81 - - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node620 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-005 - name: Evidence - description: List of protocols/services in the network product documentation + typical_evidence: List of protocols/services in the network product documentation that are necessary for correct operation of the network product. Verifying that the list of protocols/services in the network product documentation match with the list of protocols/services returned by tools for enumerating protocols/services (such as nmap) + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M80 + - risk:reference_control:enisa-5g-scm:5G-M81 + - risk:reference_control:enisa-5g-scm:5G-M82 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-006 assessable: true depth: 3 
@@ -8835,29 +7347,24 @@ objects: the network element should be deactivated. Kernel functions such as IP packet forwarding, proxy ARP, gratuitous ARP, IPv4 multicast handling, and directed broadcast are deactivated unless needed in certain deployments ' + typical_evidence: 'Verification method: After connecting two hosts to the two + interfaces of the network product, it is confirmed that i) an IP packet from + Host 1 on subnet A destined for Host 2 on subnet B with the network product + configured as a default gateway is logged but not forwarded by the network + product, ii) an ARP request from Host 1 on subnet A to discover the MAC of + Host 2 on subnet B does not result in an ARP reply from the network product + to Host 1 with its own MAC address, iii) an IP packet from Host 1 whose IP + destination address is a valid broadcast address belonging to the subnet B + is dropped by the network product rather than being broadcast, iv) system + commands confirm that none of the network product''s interface is running + multicast, v) a gratuitous ARP request from Host 1 is received by the network + product but discarded without updating the ARP cache (unless gratuitous ARP + is necessary for a deployment scenario). 
The fact that kernel based network + functions are disabled is also confirmed in the configuration files' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node622 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-006 - name: Evidence - description: 'Verification method: After connecting two hosts to the two interfaces - of the network product, it is confirmed that i) an IP packet from Host 1 on - subnet A destined for Host 2 on subnet B with the network product configured - as a default gateway is logged but not forwarded by the network product, ii) - an ARP request from Host 1 on subnet A to discover the MAC of Host 2 on subnet - B does not result in an ARP reply from the network product to Host 1 with - its own MAC address, iii) an IP packet from Host 1 whose IP destination address - is a valid broadcast address belonging to the subnet B is dropped by the network - product rather than being broadcast, iv) system commands confirm that none - of the network product''s interface is running multicast, v) a gratuitous - ARP request from Host 1 is received by the network product but discarded without - updating the ARP cache (unless gratuitous ARP is necessary for a deployment - scenario). The fact that kernel based network functions are disabled is also - confirmed in the configuration files' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-007 assessable: true depth: 3 
@@ -8868,18 +7375,13 @@ objects: are connected. If the operating system of the network product supports an automatic launch, it should be deactivated unless it is needed for availability requirements + typical_evidence: 'Verify that after logging in to a network product and inserting + removable media devices (CD-, DVD-, USB-Sticks and/or USB-Storage drives) + no applications open the contents of the removable media device ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node624 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-007 - name: Evidence - description: 'Verify that after logging in to a network product and inserting - removable media devices (CD-, DVD-, USB-Sticks and/or USB-Storage drives) - no applications open the contents of the removable media device ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-008 assessable: true depth: 3 @@ -8887,17 +7389,12 @@ objects: ref_id: SO15-008 description: Directory listings (indexing)/Directory browsing is deactivated in all web server components + typical_evidence: Using automated tools demonstrates that directory listing/browsing + has been deactivated in all web server components reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node626 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-008 - name: Evidence - description: Using automated tools demonstrates that directory listing/browsing - has been deactivated in all web server components - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-009 assessable: true depth: 3 
@@ -8905,17 +7402,12 @@ objects: ref_id: SO15-009 description: HTTP header does not include information about the version of the web server and the modules/add-ons used + typical_evidence: Automatic assessment tool shows that HTTP headers do not include + information on the version of the web server or the modules/add-ons used reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node628 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-009 - name: Evidence - description: Automatic assessment tool shows that HTTP headers do not include - information on the version of the web server or the modules/add-ons used - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-010 assessable: true depth: 3 @@ -8925,17 +7417,12 @@ objects: about the web server and the modules/add-ons used. Error messages should not information such as internal server names, error codes, etc. Default error pages of the web server should be replaced by error pages defined by the vendor + typical_evidence: Automatic assessment tools show that generated error pages + and error messages do not include information about the web server reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node630 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-010 - name: Evidence - description: Automatic assessment tools show that generated error pages and - error messages do not include information about the web server - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-011 assessable: true depth: 3 
@@ -8943,17 +7430,12 @@ objects: ref_id: SO15-011 description: File type- or script-mappings that are not required should be deleted, e.g. php, phtml, js, sh, csh, bin, exe, pl, vbe, vbs + typical_evidence: Automatic assessment tools confirm that file type- or script-mappings + which are not required have been deleted reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node632 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-011 - name: Evidence - description: Automatic assessment tools confirm that file type- or script-mappings - which are not required have been deleted - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-012 assessable: true depth: 3 
@@ -8963,20 +7445,15 @@ objects: or indirectly (e.g. via links or in virtual directories) in the web server's document directory. A web server should not have access to files which are not meant to be delivered + typical_evidence: Verification that the servable content of a web server is + owned by the user that runs the web server and the files are not writable + for others. Verification that the user running the web server is an unprivileged + account and, in case of operating systems that have chrooted environments, + the web server runs inside a jail/chrooted environment reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node634 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-012 - name: Evidence - description: Verification that the servable content of a web server is owned - by the user that runs the web server and the files are not writable for others. - Verification that the user running the web server is an unprivileged account - and, in case of operating systems that have chrooted environments, the web - server runs inside a jail/chrooted environment - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-013 assessable: true depth: 3 
@@ -8985,19 +7462,14 @@ objects: description: If CGI or other scripting technology is used, only the scripting directory should have execute rights. Other directories used or meant for web content should not have execute rights + typical_evidence: Verification that only the scripting directory has execute + permissions in the web server. Verification of only operating system permissions + may not be sufficient and may require also examining the configuration files + of the web server reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node636 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-013 - name: Evidence - description: Verification that only the scripting directory has execute permissions - in the web server. Verification of only operating system permissions may not - be sufficient and may require also examining the configuration files of the - web server - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-014 assessable: true depth: 3 
@@ -9007,18 +7479,13 @@ objects: if the web server process is started by a user with system privileges, execution should be transferred to a different user without system privileges after the start + typical_evidence: Automatic assessment tools confirm that no web server processes + run with system privileges, even if these processes have been started by a + user with system privileges reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node638 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-014 - name: Evidence - description: Automatic assessment tools confirm that no web server processes - run with system privileges, even if these processes have been started by a - user with system privileges - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-015 assessable: true depth: 3 @@ -9027,17 +7494,12 @@ objects: description: HTTP methods not required should be deactivated. Standard requests to web servers should only use GET, HEAD, and POST. If other methods are required, they should not introduce security leaks such as TRACK or TRACE + typical_evidence: Verification of system settings and configurations of all + web components confirms that unneeded HTTP methods are deactivated reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node640 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-015 - name: Evidence - description: Verification of system settings and configurations of all web components - confirms that unneeded HTTP methods are deactivated - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-016 assessable: true depth: 3 
@@ -9047,19 +7509,14 @@ objects: not needed should be deactivated. In particular, components such as CGI or other scripting components, Server Side Includes (SSI), and WebDAV shall be deactivated if they are not required + typical_evidence: ' Verification with automated tools and/or manual inspection + of configuration files confirms that, firstly, the web server is only running + and listening on known ports and, secondly, that CGI or other scripting components, + Server Side Includes (SSI), and WebDAV are deactivated unless they are required' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node642 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-016 - name: Evidence - description: ' Verification with automated tools and/or manual inspection of - configuration files confirms that, firstly, the web server is only running - and listening on known ports and, secondly, that CGI or other scripting components, - Server Side Includes (SSI), and WebDAV are deactivated unless they are required' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-017 assessable: true depth: 3 
@@ -9068,19 +7525,14 @@ objects: description: If CGI (Common Gateway Interface) or other scripting technologies (including PERL, PHP, and others) are used, the scripting directory should not include compilers or interpreters + typical_evidence: Inspection of the directory/directories used for CGI or other + scripting tools confirms that the scripting directory/directories include + no compilers or interpreters (e.g., PERL interpreter, PHP interpreter/compiler, + Tcl interpreter/compiler or operating system shells) reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node644 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-017 - name: Evidence - description: Inspection of the directory/directories used for CGI or other scripting - tools confirms that the scripting directory/directories include no compilers - or interpreters (e.g., PERL interpreter, PHP interpreter/compiler, Tcl interpreter/compiler - or operating system shells) - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-018 assessable: true depth: 3 
@@ -9088,18 +7540,13 @@ objects: ref_id: SO15-018 description: If CGI or other scripting technology is used, the associated CGI/script directory shall not be used for uploads + typical_evidence: Verification of the web server configuration files confirms + that the upload directory is configured to be different from the CGI/scripting + directory reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node646 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-018 - name: Evidence - description: Verification of the web server configuration files confirms that - the upload directory is configured to be different from the CGI/scripting - directory - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-019 assessable: true depth: 3 @@ -9107,18 +7554,13 @@ objects: ref_id: SO15-019 description: If Server Side Includes (SSI) is active, the execution of system commands should be deactivated + typical_evidence: Verification of the web server configuration shows that parameters + such as NOEXEC (APACHE) or ssiExecDisable (IIS) are set to ensure that system + command execution is deactivated reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node648 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-019 - name: Evidence - description: Verification of the web server configuration shows that parameters - such as NOEXEC (APACHE) or ssiExecDisable (IIS) are set to ensure that system - command execution is deactivated - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-020 assessable: true depth: 3 
@@ -9126,18 +7568,13 @@ objects: ref_id: SO15-020 description: Access rights for web server configuration files are only granted to the owner of the web server process or to a user with system privileges + typical_evidence: Verification of the access rights settings for web server + system configuration files confirms that access is only granted to the owner + of the web server process or to a user with system privileges reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node650 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-020 - name: Evidence - description: Verification of the access rights settings for web server system - configuration files confirms that access is only granted to the owner of - the web server process or to a user with system privileges - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-021 assessable: true depth: 3 
@@ -9145,18 +7582,13 @@ objects: ref_id: SO15-021 description: Default content (examples, help files, documentation, aliases) provided with the standard installation of the web server should be removed + typical_evidence: Verification that all default content (examples, help files, + documentation, aliases) provided with the standard installation of the web + server have been removed reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node652 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-021 - name: Evidence - description: Verification that all default content (examples, help files, documentation, - aliases) provided with the standard installation of the web server have been - removed - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-022 assessable: true depth: 3 
@@ -9166,19 +7598,14 @@ objects: of traffic belonging to different network domains. For example, O&M traffic and control plane traffic belong to different network domains and must be separated + typical_evidence: If a network product handles traffic from different network + domains, then packet-forwarding tests confirm that the network product refuses + traffic intended for one network domain on all interfaces meant for other + network domains, and vice versa reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node654 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-022 - name: Evidence - description: If a network product handles traffic from different network domains, - then packet-forwarding tests confirm that the network product refuses traffic - intended for one network domain on all interfaces meant for other network - domains, and vice versa - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-023 assessable: true depth: 3 
@@ -9194,17 +7621,8 @@ objects: \ using an appropriate technology such as PTP. If PTP is used, then the NICs\ \ shall utilize technology based on IEEE 1588TM Precision Time Protocol (PTP)\ \ or the derivative IEEE 802.1ASTM (gPTP)." - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M80 - - risk:reference_control:enisa-5g-scm:5G-M81 - - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node656 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-023 - name: Evidence - description: 'Check that time synchronization sources such as NTP servers used - by VNFs are reliable and trusted. This can be verified by checking documentation + typical_evidence: 'Check that time synchronization sources such as NTP servers + used by VNFs are reliable and trusted. This can be verified by checking documentation and configuration. 
@@ -9216,43 +7634,37 @@ objects: is received by the VNF from the configured synchronized time sources. - Reading and analysing the logged recorded timestamps by the VNF.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M80 + - risk:reference_control:enisa-5g-scm:5G-M81 + - risk:reference_control:enisa-5g-scm:5G-M82 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-024 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15 ref_id: SO15-024 description: Proper maintenance of equipment in data centers + typical_evidence: Documented policy / processes for carrying out periodic maintenance + at supplier recommended intervals show that only authorized personnel are + allowed to perform repairs/maintenance reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node658 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-024 - name: Evidence - description: Documented policy / processes for carrying out periodic maintenance - at supplier recommended intervals show that only authorized personnel are - allowed to perform repairs/maintenance - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-025 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15 ref_id: SO15-025 description: Network products should use secure firmware images + typical_evidence: Verification of the firmware images confirms that they are + secured with cryptographic tools such as digital signatures. 
Verification + of the network product confirms that automated tools for downloading, scheduling, + and installing firmware images are installed reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node660 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-025 - name: Evidence - description: Verification of the firmware images confirms that they are secured - with cryptographic tools such as digital signatures. Verification of the network - product confirms that automated tools for downloading, scheduling, and installing - firmware images are installed - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-026 assessable: true depth: 3 @@ -9260,18 +7672,13 @@ objects: ref_id: SO15-026 description: MNO correctly manages the design of any improvements or changes to the operational support processes for new resource capabilities and infrastructure + typical_evidence: 'Documented evidence that a network product and its compliance + reports and accreditation status are evaluated in light of internal policies + when improving or changing operational support processes ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node662 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-026 - name: Evidence - description: 'Documented evidence that a network product and its compliance - reports and accreditation status are evaluated in light of internal policies - when improving or changing operational support processes ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-027 assessable: true depth: 3 
@@ -9280,71 +7687,51 @@ objects: description: Ensure that relevant requirements are met and prerequisites are in place before new resource infrastructure is deployed and handed over to operations + typical_evidence: MNO has documented processes in place to take into use new + resource infrastructure. These documented processes include checks to ensure + that the resource requirements are met and other prerequisites are satisfied reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node664 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-027 - name: Evidence - description: MNO has documented processes in place to take into use new resource - infrastructure. These documented processes include checks to ensure that the - resource requirements are met and other prerequisites are satisfied - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-028 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15 ref_id: SO15-028 description: Resource specifications for 5G components should be developed + typical_evidence: MNO has documented processes to define and document technical, + performance, and operational specifications for components reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node666 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-028 - name: Evidence - description: MNO has documented processes to define and document technical, - performance, and operational specifications for components - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-029 assessable: true depth: 3 parent_urn: 
urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15 ref_id: SO15-029 description: Adequate processes for resource provisioning should be in place + typical_evidence: MNO has documented processes for i) creation and deployment + of support tools for resource deployment, ii) scheduling, management, and + monitoring of the new infrastructure roll-out, and iii) monitoring of newly + deployed infrastructure to provide early detection of potential shortfalls reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node668 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-029 - name: Evidence - description: MNO has documented processes for i) creation and deployment of - support tools for resource deployment, ii) scheduling, management, and monitoring - of the new infrastructure roll-out, and iii) monitoring of newly deployed - infrastructure to provide early detection of potential shortfalls - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-030 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15 ref_id: SO15-030 description: Adequate processes to support resource performance management + typical_evidence: MNO has documented processes to monitor and assess resource + infrastructure performance reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node670 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-030 - name: Evidence - description: MNO has documented processes to monitor and assess resource infrastructure - performance - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-031 assessable: true depth: 3 
@@ -9359,21 +7746,16 @@ objects: \ layer should consider the CPU & Memory resource requirements & limits associated\ \ to each VNF provided by VNF vendors during onboarding and running of the\ \ VNF." + typical_evidence: "Verify that virtualization layer alerts the MANO in case\ + \ the number of allowed processes and resources within a VM or container is\ + \ exceeded. \n\nRegular verification whether VNF requirements are met by NFVI\ + \ and MANO as required in the VNF descriptor.\n\nVerify that VNF vendors define\ + \ the CPU and Memory requirements of their VNFs. Verify that those requirements\ + \ are included within the VNF package." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M80 - risk:reference_control:enisa-5g-scm:5G-M81 - risk:reference_control:enisa-5g-scm:5G-M82 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node672 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so15-031 - name: Evidence - description: "Verify that virtualization layer alerts the MANO in case the number\ - \ of allowed processes and resources within a VM or container is exceeded.\ - \ \n\nRegular verification whether VNF requirements are met by NFVI and MANO\ - \ as required in the VNF descriptor.\n\nVerify that VNF vendors define the\ - \ CPU and Memory requirements of their VNFs. Verify that those requirements\ - \ are included within the VNF package." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so16 assessable: false depth: 2 
@@ -9390,19 +7772,14 @@ objects: ref_id: SO16-001 description: Integration process of existing legacy infrastructure with the new resource infrastructure should be robust + typical_evidence: Documented migration policies/processes and/or project logs + which indicate upon review that the migration project is based on standards + and best practices reference_controls: - risk:reference_control:enisa-5g-scm:5G-M83 - risk:reference_control:enisa-5g-scm:5G-M84 - risk:reference_control:enisa-5g-scm:5G-M85 - risk:reference_control:enisa-5g-scm:5G-M86 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node675 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so16-001 - name: Evidence - description: Documented migration policies/processes and/or project logs which - indicate upon review that the migration project is based on standards and - best practices - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so16-002 assessable: true depth: 3 
@@ -9410,19 +7787,14 @@ objects: ref_id: SO16-002 description: Use of software development lifecycle best practices such as Agile, Continuous Integration/Continuous Development (CI/CD), and DevSecOps by MNO + typical_evidence: MNO has documented processes for software development which + follow best practices such as DevSecOps. Tools for Continuous Integration/Continuous + Development (such as Jenkins, Travis CI, etc.) are in use reference_controls: - risk:reference_control:enisa-5g-scm:5G-M83 - risk:reference_control:enisa-5g-scm:5G-M84 - risk:reference_control:enisa-5g-scm:5G-M85 - risk:reference_control:enisa-5g-scm:5G-M86 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node677 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so16-002 - name: Evidence - description: MNO has documented processes for software development which follow - best practices such as DevSecOps. Tools for Continuous Integration/Continuous - Development (such as Jenkins, Travis CI, etc.) are in use - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so16-003 assessable: true depth: 3 
@@ -9431,22 +7803,17 @@ objects: description: Resource deployment, upgrade, and change should be managed. Impact assessments before system changes are made. Changes implemented are recorded, irregularities encountered are investigated and reported to competent authorities + typical_evidence: MNO has a documented policy and processes for coordinated + deployment, upgrade, and change of virtual or physical resources. Documented + system change impact assessments. Records listing changes made and, if applicable, + any irregularities encountered during the change process. If applicable, internal + reports of any irregularities encountered during system change and incident + reports to competent authorities based on incident reporting rules reference_controls: - risk:reference_control:enisa-5g-scm:5G-M83 - risk:reference_control:enisa-5g-scm:5G-M84 - risk:reference_control:enisa-5g-scm:5G-M85 - risk:reference_control:enisa-5g-scm:5G-M86 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node679 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so16-003 - name: Evidence - description: MNO has a documented policy and processes for coordinated deployment, - upgrade, and change of virtual or physical resources. Documented system change - impact assessments. Records listing changes made and, if applicable, any irregularities - encountered during the change process. If applicable, internal reports of - any irregularities encountered during system change and incident reports to - competent authorities based on incident reporting rules - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17 assessable: false depth: 2 
@@ -9468,19 +7835,14 @@ objects: installed as examples but typically not be used (e.g. default web pages, example databases, test data)' + typical_evidence: 'Identification of software components/libraries installed + on a network product with command line tools matches the list of software + components/libraries in product documentation that are necessary for the correct + operation of the network product ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node682 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-001 - name: Evidence - description: 'Identification of software components/libraries installed on a - network product with command line tools matches the list of software components/libraries - in product documentation that are necessary for the correct operation of the - network product ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-002 assessable: true depth: 3 
@@ -9491,20 +7853,15 @@ objects: and they should not be reactivated after reboot. Hardware functions which are not required for operation or function of the system (e.g. unused interfaces) should be deactivated permanently ' + typical_evidence: Identification of hardware and software functions which are + installed in the system or might have been disabled using any suitable command + line tools or other suitable means of determination matches with the hardware + and software functions listed in the product documentation that are necessary + for the correct operation of the network product reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node684 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-002 - name: Evidence - description: Identification of hardware and software functions which are installed - in the system or might have been disabled using any suitable command line - tools or other suitable means of determination matches with the hardware and - software functions listed in the product documentation that are necessary - for the correct operation of the network product - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-003 assessable: true depth: 3 
@@ -9512,18 +7869,13 @@ objects: ref_id: SO17-003 description: Network product does not contain software and hardware components that are no longer supported by their vendor, producer, or developer + typical_evidence: 'Verify that there is no entry in the list of hardware and + software installed which is not supported by the vendor, producer, or developer + of the network product ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node686 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-003 - name: Evidence - description: 'Verify that there is no entry in the list of hardware and software - installed which is not supported by the vendor, producer, or developer of - the network product ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-004 assessable: true depth: 3 
@@ -9532,22 +7884,17 @@ objects: description: Configuration management including careful planning, detailed documentation, configuration review, testing before production, and periodic security configuration checks - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M87 - - risk:reference_control:enisa-5g-scm:5G-M88 - - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node688 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-004 - name: Evidence - description: 'Detailed documentation of various configuration options. Presence - of tools to allow testing of configuration before production as well as checks - and notifications of configuration during operation. + typical_evidence: 'Detailed documentation of various configuration options. + Presence of tools to allow testing of configuration before production as well + as checks and notifications of configuration during operation. Security configuration documentation indicates reviews and updates taking place annually, or when significant changes occur. ' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M87 + - risk:reference_control:enisa-5g-scm:5G-M88 + - risk:reference_control:enisa-5g-scm:5G-M89 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-005 assessable: true depth: 3 
@@ -9556,53 +7903,38 @@ objects: description: Instantiation of MANO components and managed entities is only possible in explicit geographic locations. Support for attribute-based access control and multi-factor authentication where location is one of the attributes/factors + typical_evidence: ' Verification method: attempts to instantiate MANO components + in unauthorized locations are unsuccessful ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node690 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-005 - name: Evidence - description: ' Verification method: attempts to instantiate MANO components - in unauthorized locations are unsuccessful ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-006 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17 ref_id: SO17-006 description: Storage media should be sanitized + typical_evidence: Documented resource exit processes of the MNO include clear + risk-based rules for media sanitization upon decommissioning of network elements reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node692 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-006 - name: Evidence - description: Documented resource exit processes of the MNO include clear risk-based - rules for media sanitization upon decommissioning of network elements - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-007 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17 ref_id: SO17-007 description: Resource exit should be managed + typical_evidence: MNO has documented processes to ensure 
controlled resource + exit. These processes ensure that specific exit, migration, resource infrastructure + transition and/or replacement strategies are developed. The processes also + ensure that needs of all stakeholders in the MNO are identified and managed reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node694 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-007 - name: Evidence - description: MNO has documented processes to ensure controlled resource exit. - These processes ensure that specific exit, migration, resource infrastructure - transition and/or replacement strategies are developed. The processes also - ensure that needs of all stakeholders in the MNO are identified and managed - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-008 assessable: true depth: 3 
@@ -9610,27 +7942,22 @@ objects: ref_id: SO17-008 description: Adequate processes for resource inventory and physical/virtual asset management - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M87 - - risk:reference_control:enisa-5g-scm:5G-M88 - - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node696 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-008 - name: Evidence - description: 'MNO has documented policies and processes for i) resource inventory - and asset management, ii) management of registration and access control processes, - and iii) accuracy, completeness, and validation of resource inventory: Up - to date repositories/registries containing details about deployed technologies - and components. Documented asset criticality assessment is aligned with the - list of critical assets identified in the EU coordinated risk assessment. + typical_evidence: 'MNO has documented policies and processes for i) resource + inventory and asset management, ii) management of registration and access + control processes, and iii) accuracy, completeness, and validation of resource + inventory: Up to date repositories/registries containing details about deployed + technologies and components. Documented asset criticality assessment is aligned + with the list of critical assets identified in the EU coordinated risk assessment. List of physical assets with risk assessment categorization (e.g. core network assets, transmission hubs, exchanges, base-stations, interconnection and transport links). 
Asset management processes handle virtualized assets (such as VNFs) with tools which provide a good understanding of the virtual network including data flows, trust domains and the location and status of the physical hosts on which the virtual network resides ' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M87 + - risk:reference_control:enisa-5g-scm:5G-M88 + - risk:reference_control:enisa-5g-scm:5G-M89 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-009 assessable: true depth: 3 @@ -9638,19 +7965,14 @@ objects: ref_id: SO17-009 description: Adequate processes for resource allocation and installation should be used + typical_evidence: MNO has documented processes for allocating and delivering + specific resources required for new services. MNO has documented processes + to ensure that sufficient information is supplied with resource requisition + orders regarding resource installation and configuration reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node698 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-009 - name: Evidence - description: MNO has documented processes for allocating and delivering specific - resources required for new services. MNO has documented processes to ensure - that sufficient information is supplied with resource requisition orders regarding - resource installation and configuration - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-010 assessable: true depth: 3 
@@ -9658,57 +7980,42 @@ objects: ref_id: SO17-010 description: Adequate processes for configuring and activating resources should be used + typical_evidence: MNO has documented processes for i) configuration and activation + approach planning, and ii) resource inventory update with the configuration + of new resources and their status reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node700 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-010 - name: Evidence - description: MNO has documented processes for i) configuration and activation - approach planning, and ii) resource inventory update with the configuration - of new resources and their status - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-011 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17 ref_id: SO17-011 description: Resource provisioning should be tracked and managed + typical_evidence: MNO has documented processes for i) resource provisioning + scheduling, allocation and coordination, ii) tracking of execution process, + iii) including all relevant information to resource orders, iv) monitoring + orders status and escalating orders when necessary, and v) engaging external + suppliers when necessary reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node702 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-011 - name: Evidence - description: MNO has documented processes for i) resource provisioning scheduling, - allocation and coordination, ii) tracking of execution process, iii) including - all relevant information to resource orders, iv) monitoring 
orders status - and escalating orders when necessary, and v) engaging external suppliers when - necessary - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-012 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17 ref_id: SO17-012 description: Proper management of supplier inventory should be ensured + typical_evidence: MNO has an asset management system for managing supplier inventory, + including documented i) procedures for asset management, ii) roles and responsibilities, + iii) the assets and configurations which are subject to the policy, and iv) + the dependencies between them reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node704 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-012 - name: Evidence - description: MNO has an asset management system for managing supplier inventory, - including documented i) procedures for asset management, ii) roles and responsibilities, - iii) the assets and configurations which are subject to the policy, and iv) - the dependencies between them - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-013 assessable: true depth: 3 
@@ -9720,19 +8027,14 @@ objects: \ currently supported by the software's vendor is added to the NFV's authorized\ \ software inventory. Unsupported software should be tagged as unsupported\ \ in the inventory system. " + typical_evidence: "Review of the software list to verify that the software in\ + \ question is supported. \n\nIf the software is unsupported, yet necessary\ + \ for the operation of NFV, verify that the exception is documented, including\ + \ a description of mitigating controls and residual risk acceptance. " reference_controls: - risk:reference_control:enisa-5g-scm:5G-M87 - risk:reference_control:enisa-5g-scm:5G-M88 - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node706 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-013 - name: Evidence - description: "Review of the software list to verify that the software in question\ - \ is supported. \n\nIf the software is unsupported, yet necessary for the\ - \ operation of NFV, verify that the exception is documented, including a description\ - \ of mitigating controls and residual risk acceptance. " - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-014 assessable: true depth: 3 
@@ -9743,22 +8045,17 @@ objects: When a VM or container is deleted, the virtual disk should be cleaned up (e.g., zeroed) to prevent an attacker from reconstructing the contents of the VM or container.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M87 - - risk:reference_control:enisa-5g-scm:5G-M88 - - risk:reference_control:enisa-5g-scm:5G-M89 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node708 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so17-014 - name: Evidence - description: "Identify and report what VNFs and associated VMs or containers\ + typical_evidence: "Identify and report what VNFs and associated VMs or containers\ \ are running in the NFVI.\n\nValidate that there are no VMs or containers\ \ unused or unneeded for the operation of VNFs in the NFVI.\n\nCheck that\ \ unused/not needed VMs or containers have been removed (this removal should\ \ be automatic). \n\nA documented process is in place for ensuring that no\ \ unused or unneeded VMs/containers are running in the NFVI. A documented\ \ process is in place for removing unused or unneeded VMs/containers." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M87 + - risk:reference_control:enisa-5g-scm:5G-M88 + - risk:reference_control:enisa-5g-scm:5G-M89 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d5 assessable: false depth: 1 
@@ -9783,23 +8080,18 @@ objects: ref_id: SO18-001 description: Incident management planning should be undertaken, including to ensure reporting in accordance with the legal / regulatory framework + typical_evidence: MNO has established documented procedures for incident management + including roles and responsibilities, operational procedures, and escalation + criteria. Compliance reports indicate that incident reporting policies and + processes fulfill the requirements of the applicable legal / regulatory framework. + If applicable, examples of incident reports submitted on time and with the + requisite information reference_controls: - risk:reference_control:enisa-5g-scm:5G-M90 - risk:reference_control:enisa-5g-scm:5G-M91 - risk:reference_control:enisa-5g-scm:5G-M92 - risk:reference_control:enisa-5g-scm:5G-M93 - risk:reference_control:enisa-5g-scm:5G-M94 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node712 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so18-001 - name: Evidence - description: MNO has established documented procedures for incident management - including roles and responsibilities, operational procedures, and escalation - criteria. Compliance reports indicate that incident reporting policies and - processes fulfill the requirements of the applicable legal / regulatory framework. - If applicable, examples of incident reports submitted on time and with the - requisite information - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so18-002 assessable: true depth: 3 
@@ -9807,21 +8099,16 @@ objects: ref_id: SO18-002 description: Incident management processes should be adapted to take into account changed technologies and processes + typical_evidence: 'Documented policy/procedures for incident management, including, + types of incidents that could occur, objectives, roles and responsibilities, + detailed description, per incident type, how to manage the incident, when + to escalate to senior management (e.g. CISO) etc. ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M90 - risk:reference_control:enisa-5g-scm:5G-M91 - risk:reference_control:enisa-5g-scm:5G-M92 - risk:reference_control:enisa-5g-scm:5G-M93 - risk:reference_control:enisa-5g-scm:5G-M94 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node714 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so18-002 - name: Evidence - description: 'Documented policy/procedures for incident management, including, - types of incidents that could occur, objectives, roles and responsibilities, - detailed description, per incident type, how to manage the incident, when - to escalate to senior management (e.g. CISO) etc. ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19 assessable: false depth: 2 
@@ -9837,41 +8124,31 @@ objects: parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19 ref_id: SO19-001 description: 'Survey and analysis of resource trouble should be performed ' + typical_evidence: MNO has documented processes and tools to i) detect, collect, + record, and manage resource alarm events, ii) perform alarm event notification + analysis, correlation, filtering, anomaly detection, etc. iii) report alarm + events to relevant processes. If relevant, MNO has records of alarm events + and their analysis reference_controls: - risk:reference_control:enisa-5g-scm:5G-M95 - risk:reference_control:enisa-5g-scm:5G-M96 - risk:reference_control:enisa-5g-scm:5G-M97 - risk:reference_control:enisa-5g-scm:5G-M98 - risk:reference_control:enisa-5g-scm:5G-M99 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node717 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-001 - name: Evidence - description: MNO has documented processes and tools to i) detect, collect, record, - and manage resource alarm events, ii) perform alarm event notification analysis, - correlation, filtering, anomaly detection, etc. iii) report alarm events to - relevant processes. 
If relevant, MNO has records of alarm events and their - analysis - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-002 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19 ref_id: SO19-002 description: Root-cause analysis should be performed to localize resource trouble + typical_evidence: MNO has documented processes and tools to diagnose, test, + and audit resources so that resource trouble events can be localized efficiently reference_controls: - risk:reference_control:enisa-5g-scm:5G-M95 - risk:reference_control:enisa-5g-scm:5G-M96 - risk:reference_control:enisa-5g-scm:5G-M97 - risk:reference_control:enisa-5g-scm:5G-M98 - risk:reference_control:enisa-5g-scm:5G-M99 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node719 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-002 - name: Evidence - description: MNO has documented processes and tools to diagnose, test, and audit - resources so that resource trouble events can be localized efficiently - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-003 assessable: true depth: 3 
@@ -9880,24 +8157,19 @@ objects: description: ' Monitoring infrastructure for timely detection of significant events or incidents including adequate resources to monitor, understand, and analyze security-related network activity' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M95 - - risk:reference_control:enisa-5g-scm:5G-M96 - - risk:reference_control:enisa-5g-scm:5G-M97 - - risk:reference_control:enisa-5g-scm:5G-M98 - - risk:reference_control:enisa-5g-scm:5G-M99 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node721 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-003 - name: Evidence - description: Periodic/annual reports of the Network Operation Centres (NOC) + typical_evidence: Periodic/annual reports of the Network Operation Centres (NOC) and/or Security Operation Centres (SOC) containing incidents analyzed, trends, etc. MNO has documented processes for ensuring that adequate staff and tools/resources are allocated for monitoring, understanding, and analyzing security-related network activity. Monitoring infrastructure such as a Network Operations Centre (NOC)/Security Operations Centre (SOC) are run on premise, inside the country and/or inside the EU + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M95 + - risk:reference_control:enisa-5g-scm:5G-M96 + - risk:reference_control:enisa-5g-scm:5G-M97 + - risk:reference_control:enisa-5g-scm:5G-M98 + - risk:reference_control:enisa-5g-scm:5G-M99 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-004 assessable: true depth: 3 
@@ -9905,22 +8177,17 @@ objects:
 ref_id: SO19-004
 description: Tools for detecting security threats and violations in operational data collected should be used
+ typical_evidence: Verify that MNO uses correlation tools and rulesets for detecting
+ potential threats, violations, fraud, or other security-relevant events. Documented
+ and updated i) processes and tools for incident detection and forwarding,
+ ii) incident reports, iii) policy/processes/capabilities (including tools)
+ review comments, and vi) change logs
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M95
 - risk:reference_control:enisa-5g-scm:5G-M96
 - risk:reference_control:enisa-5g-scm:5G-M97
 - risk:reference_control:enisa-5g-scm:5G-M98
 - risk:reference_control:enisa-5g-scm:5G-M99
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node723
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-004
- name: Evidence
- description: Verify that MNO uses correlation tools and rulesets for detecting
- potential threats, violations, fraud, or other security-relevant events. Documented
- and updated i) processes and tools for incident detection and forwarding,
- ii) incident reports, iii) policy/processes/capabilities (including tools)
- review comments, and vi) change logs
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-005
 assessable: true
 depth: 3
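Review bot: The new `typical_evidence` text for SO19-004 carries over a numbering slip from the removed Evidence node: the enumeration runs i), ii), iii) and then `vi) change logs`, which should read `review comments, and iv) change logs`. The same copy-through of source typos appears in the SO23-004 hunk (`when singed in as` should be `when signed in as`) and in the SO23-010 hunk (`corelated` for `correlated`, present in both the context description and the added line). Since the wording is now being moved into a dedicated field anyway, this is the natural point to correct it in the generator's source sheet rather than in the YAML by hand, so a regeneration does not reintroduce the typos.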
@@ -9928,20 +8195,15 @@ objects:
 ref_id: SO19-005
 description: Tools and procedures to identify trends and events of interest from collected data should be used, updated, and maintained
+ typical_evidence: Documentation of processes and tools for statistical modeling
+ and analysis of collected data. Documented review processes, review comments,
+ and/or change logs relating to these processes and tools
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M95
 - risk:reference_control:enisa-5g-scm:5G-M96
 - risk:reference_control:enisa-5g-scm:5G-M97
 - risk:reference_control:enisa-5g-scm:5G-M98
 - risk:reference_control:enisa-5g-scm:5G-M99
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node725
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-005
- name: Evidence
- description: Documentation of processes and tools for statistical modeling and
- analysis of collected data. Documented review processes, review comments,
- and/or change logs relating to these processes and tools
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-006
 assessable: true
 depth: 3
@@ -9949,21 +8211,16 @@ objects:
 ref_id: SO19-006
 description: Policies and procedures for incident detection should be regularly updated and maintained
+ typical_evidence: Documentation of up to date incident detection policies, procedures,
+ and tools in line with industry best practices and newly implemented technologies.
+ Documented review processes, review comments, and/or change logs relating
+ to incident detection policies, procedures, and tools
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M95
 - risk:reference_control:enisa-5g-scm:5G-M96
 - risk:reference_control:enisa-5g-scm:5G-M97
 - risk:reference_control:enisa-5g-scm:5G-M98
 - risk:reference_control:enisa-5g-scm:5G-M99
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node727
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so19-006
- name: Evidence
- description: Documentation of up to date incident detection policies, procedures,
- and tools in line with industry best practices and newly implemented technologies.
- Documented review processes, review comments, and/or change logs relating
- to incident detection policies, procedures, and tools
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d6
 assessable: false
 depth: 1
@@ -9990,6 +8247,9 @@ objects:
 act in a controlled and predictable way if an overload situation cannot be prevented. If security measures are no longer sufficient, the system should not reach an undefined and potentially insecure state
+ typical_evidence: 'Network products have detailed technical description of the
+ overload control mechanisms. Test results verifying the operation of the overload
+ control mechanisms. '
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
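Review bot: The added `typical_evidence` for SO21-001 keeps a trailing space inside the scalar (`control mechanisms. '`), which is what forces the single-quoted style here; the same stray whitespace is carried into SO21-012 (`as possible '`), SO23-011 (`remote access '`) and, as a leading space, into SO23-002 (`' Review`) and SO23-004 (`' Verify`). It is cosmetic for the parser but it surfaces verbatim in the UI field and makes the quoting style inconsistent with the neighbouring plain scalars. Stripping the text in the generator before dumping (so the line becomes `typical_evidence: Network products have detailed technical description of the` … `control mechanisms.`) would normalise all of these in one place. The enclosing requirement node for SO21-001 starts above this hunk.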
@@ -9997,14 +8257,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node731
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-001
- name: Evidence
- description: 'Network products have detailed technical description of the overload
- control mechanisms. Test results verifying the operation of the overload control
- mechanisms. '
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-002
 assessable: true
 depth: 3
@@ -10014,6 +8266,11 @@ objects:
 uploads) with countermeasures such as use of a dedicated filesystem separated from main system functions, quotas, or system monitoring tools to ensure that the scenario of a file system reaching its maximum capacity is avoided
+ typical_evidence: Network product documentation contains a list of resources
+ that are susceptible to being exhausted with countermeasures in place. Verify
+ that initiating traffic that causes increase in log files or file uploading
+ to exhaust the file system does not negatively affect the system operation
+ because of countermeasures in place
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10021,16 +8278,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node733
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-002
- name: Evidence
- description: Network product documentation contains a list of resources that
- are susceptible to being exhausted with countermeasures in place. Verify that
- initiating traffic that causes increase in log files or file uploading to
- exhaust the file system does not negatively affect the system operation because
- of countermeasures in place
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-003
 assessable: true
 depth: 3
@@ -10039,6 +8286,11 @@ objects:
 description: Network product should support a mechanism to prevent Syn Flood attacks and should enable this feature by default. Such mechanisms can include using the TCP Syn Cookie technique in the TCP stack
+ typical_evidence: 'Verification method: Use a tool to send a large amount of
+ TCP Syn packets to a network product listening on a TCP port to verify that
+ this does not affect its services or availability. Verify that the memory
+ of the network product is not exhausted and there is no crash, despite the
+ large number of the TCP Syn packets'
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10046,16 +8298,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node735
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-003
- name: Evidence
- description: 'Verification method: Use a tool to send a large amount of TCP
- Syn packets to a network product listening on a TCP port to verify that this
- does not affect its services or availability. Verify that the memory of the
- network product is not exhausted and there is no crash, despite the large
- number of the TCP Syn packets'
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-004
 assessable: true
 depth: 3
@@ -10064,6 +8306,9 @@ objects:
 description: Mobility and handover between 5GS to EPS and vice-versa are handled in accordance with 3GPP technical specification 33.501, clauses 8.2, 8.3, 8.4, 8.5, and 8.6
+ typical_evidence: Verify that a test UE device can continue receiving service
+ during mobility between 5GS to EPS and vice-versa. Packet captures on the
+ N26 interface confirm successful handover for the test UE
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10071,14 +8316,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node737
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-004
- name: Evidence
- description: Verify that a test UE device can continue receiving service during
- mobility between 5GS to EPS and vice-versa. Packet captures on the N26 interface
- confirm successful handover for the test UE
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-005
 assessable: true
 depth: 3
@@ -10087,6 +8324,8 @@ objects:
 description: Security of 5G Single Radio Voice Call Continuity (SRVCC) should be ensured during handover from 5G to UTRAN in accordance with Annex J of 3GPP technical specification 33.501.
+ typical_evidence: Packet captures on the AMF and MME_SRVCC confirm that SRVCC
+ handover for a test UE is completed successfully
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10094,13 +8333,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node739
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-005
- name: Evidence
- description: Packet captures on the AMF and MME_SRVCC confirm that SRVCC handover
- for a test UE is completed successfully
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-006
 assessable: true
 depth: 3
@@ -10108,6 +8340,9 @@ objects:
 ref_id: SO21-006
 description: SDN control layer should support hardware management to discover hardware failure automatically and recover
+ typical_evidence: Check configuration files and diagnostic tools to verify that
+ techniques such as watch ports, liveness checks, and fast-failover are supported
+ by the SDN controller and are used in deployments
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10115,14 +8350,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node741
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-006
- name: Evidence
- description: Check configuration files and diagnostic tools to verify that techniques
- such as watch ports, liveness checks, and fast-failover are supported by the
- SDN controller and are used in deployments
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-007
 assessable: true
 depth: 3
@@ -10131,6 +8358,9 @@ objects:
 description: MEC system is able to flexibly choose UPF(s) and the corresponding DN according to MEC operators' and/or MEC application providers' operation policy or physical conditions
+ typical_evidence: Verification via system logs of source and target MEC host
+ that the u-plane traffic between a UE and MEC host is successfully steered
+ to another target MEC host during mobility
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10138,14 +8368,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node743
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-007
- name: Evidence
- description: Verification via system logs of source and target MEC host that
- the u-plane traffic between a UE and MEC host is successfully steered to another
- target MEC host during mobility
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-008
 assessable: true
 depth: 3
@@ -10153,6 +8375,9 @@ objects:
 ref_id: SO21-008
 description: Denial of service (DoS) protection mitigation is used in distributed edge deployments
+ typical_evidence: Verification that tools such as 'ufw' are available for filtering
+ packets headed for a target site. Confirmation that tools for blocking open
+ ports and suspending facilities under attack are available and functional
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10160,14 +8385,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node745
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-008
- name: Evidence
- description: Verification that tools such as 'ufw' are available for filtering
- packets headed for a target site. Confirmation that tools for blocking open
- ports and suspending facilities under attack are available and functional
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-009
 assessable: true
 depth: 3
@@ -10176,6 +8393,12 @@ objects:
 description: Adequate capacity for mission-critical and time-critical applications of 5G services such as URLLC. Higher network availability is provisioned for areas with deployments of time-critical and mission-critical services
+ typical_evidence: Logs showing that resource usage is monitored. Documented
+ processes are in place for evaluating resource usage at regular intervals
+ to make future projections. Documented processes and contingency plans indicate
+ higher network availability in areas with deployments of time-critical and
+ mission-critical services. Resource usage logs confirm the additional available
+ resources
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10183,16 +8406,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node747
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-009
- name: Evidence
- description: Logs showing that resource usage is monitored. Documented processes
- are in place for evaluating resource usage at regular intervals to make future
- projections. Documented processes and contingency plans indicate higher network
- availability in areas with deployments of time-critical and mission-critical
- services. Resource usage logs confirm the additional available resources
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-010
 assessable: true
 depth: 3
@@ -10201,6 +8414,8 @@ objects:
 description: Security measures to deal with overload situations which may occur as a result of a denial of service attack or during periods of increased traffic. System should react on an overload situation in a controlled way
+ typical_evidence: Verify that hypervisor tools to detect and counter overload
+ are enabled for monitoring VM backbone traffic
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10208,19 +8423,14 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node749
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-010
- name: Evidence
- description: Verify that hypervisor tools to detect and counter overload are
- enabled for monitoring VM backbone traffic
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-011
 assessable: true
 depth: 3
 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21
 ref_id: SO21-011
 description: MNO should capture resource capability shortfalls
+ typical_evidence: MNO has a documented list of resources with capacity or performance
+ shortfalls
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10228,19 +8438,14 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node751
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-011
- name: Evidence
- description: MNO has a documented list of resources with capacity or performance
- shortfalls
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-012
 assessable: true
 depth: 3
 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21
 ref_id: SO21-012
 description: 'Correction and resolution of troubled resources '
+ typical_evidence: 'MNO has documented processes and tools to restore or replace
+ resources that have failed as efficiently as possible '
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10248,13 +8453,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node753
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-012
- name: Evidence
- description: 'MNO has documented processes and tools to restore or replace resources
- that have failed as efficiently as possible '
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-013
 assessable: true
 depth: 3
@@ -10262,6 +8460,10 @@ objects:
 ref_id: SO21-013
 description: VAL service should take measures to detect and mitigate DoS attacks to minimize the impact on the network and on VAL users.
+ typical_evidence: Verification that tools such as 'ufw' are available on the
+ VAL server for filtering packets headed for a target site. Confirmation that
+ tools for blocking open ports and suspending facilities under attack are available
+ and functional
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10269,21 +8471,14 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node755
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-013
- name: Evidence
- description: Verification that tools such as 'ufw' are available on the VAL
- server for filtering packets headed for a target site. Confirmation that tools
- for blocking open ports and suspending facilities under attack are available
- and functional
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-014
 assessable: true
 depth: 3
 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21
 ref_id: SO21-014
 description: Resource performance should be optimized
+ typical_evidence: MNO has documented processes and tools for timely and effective
+ restoration of failed resource instances
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10291,13 +8486,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node757
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-014
- name: Evidence
- description: MNO has documented processes and tools for timely and effective
- restoration of failed resource instances
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-015
 assessable: true
 depth: 3
@@ -10305,6 +8493,11 @@ objects:
 ref_id: SO21-015
 description: Business continuity planning should be undertaken. Contingency plans take into account dependent critical sectors
+ typical_evidence: MNO has documented up-to-date operational procedures which
+ are proactively tested for ensuring business continuity, including in case
+ of disasters. Records of carried out tests and their results, procedure review
+ comments, and change logs. Documented contingency plans map and manage the
+ risks caused to dependent critical sectors
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M104
 - risk:reference_control:enisa-5g-scm:5G-M105
@@ -10312,16 +8505,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M107
 - risk:reference_control:enisa-5g-scm:5G-M108
 - risk:reference_control:enisa-5g-scm:5G-M109
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node759
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so21-015
- name: Evidence
- description: MNO has documented up-to-date operational procedures which are
- proactively tested for ensuring business continuity, including in case of
- disasters. Records of carried out tests and their results, procedure review
- comments, and change logs. Documented contingency plans map and manage the
- risks caused to dependent critical sectors
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d7
 assessable: false
 depth: 1
@@ -10346,6 +8529,10 @@ objects:
 description: If access to personal data in clear text is required, any access to this data is logged and the log information includes the user identity that has accessed the data
+ typical_evidence: Access logs of the network product show that all access attempts
+ to personal data (in clear text) are recorded in the relevant logs, with the
+ user identity of the person accessing included and no personal data visible
+ in the log
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10353,15 +8540,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node763
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-001
- name: Evidence
- description: Access logs of the network product show that all access attempts
- to personal data (in clear text) are recorded in the relevant logs, with the
- user identity of the person accessing included and no personal data visible
- in the log
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-002
 assessable: true
 depth: 3
@@ -10372,6 +8550,10 @@ objects:
 Network product documentation should provide a list of security events and event data (such as username, length of session etc.) the product logs and where they are stored '
+ typical_evidence: ' Review security event log files of the network product to
+ check (1) that they are indeed triggered by security events described in the
+ network product documentation and (2) that they contain the relevant event
+ data'
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10379,14 +8561,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node765
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-002
- name: Evidence
- description: ' Review security event log files of the network product to check
- (1) that they are indeed triggered by security events described in the network
- product documentation and (2) that they contain the relevant event data'
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-003
 assessable: true
 depth: 3
@@ -10394,6 +8568,13 @@ objects:
 ref_id: SO23-003
 description: Network Products support forwarding of security event logging data to an external central system with secure transport protocols
+ typical_evidence: Check that the network product documentation contains a list
+ of standard security protocols for transferring event logging data. Confirm
+ that successful test sessions using the standard protocols listed by the manufacturer
+ in the documentation can be setup between the product and the central system
+ where event logging data is sent. Packet captures confirm that the protocol
+ used for transferring logs provides encryption, integrity protection, and
+ replay protection
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10401,18 +8582,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node767
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-003
- name: Evidence
- description: Check that the network product documentation contains a list of
- standard security protocols for transferring event logging data. Confirm that
- successful test sessions using the standard protocols listed by the manufacturer
- in the documentation can be setup between the product and the central system
- where event logging data is sent. Packet captures confirm that the protocol
- used for transferring logs provides encryption, integrity protection, and
- replay protection
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-004
 assessable: true
 depth: 3
@@ -10421,6 +8590,10 @@ objects:
 description: Security event log has appropriate access control mechanism allowing only privileged users with the necessary rights to have access to the log files
+ typical_evidence: ' Verify that security event log files of the network product
+ are accessible when signed in with a user account with appropriate authorization.
+ Verify that security event log files are not accessible when singed in as
+ a user without the correct permissions'
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10428,15 +8601,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node769
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-004
- name: Evidence
- description: ' Verify that security event log files of the network product are
- accessible when signed in with a user account with appropriate authorization.
- Verify that security event log files are not accessible when singed in as
- a user without the correct permissions'
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-005
 assessable: true
 depth: 3
@@ -10445,6 +8609,9 @@ objects:
 description: 'Access to the webserver is logged and the webserver access logs contain at least the following information: access timestamp, source IP address, account/login name if known, requested URL, and status code of response'
+ typical_evidence: "Checking the webserver access logs confirms that all webserver\
+ \ events are logged along with the required log information listed in the\
+ \ \u2018Control\u2019 section"
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10452,14 +8619,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node771
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-005
- name: Evidence
- description: "Checking the webserver access logs confirms that all webserver\
- \ events are logged along with the required log information listed in the\
- \ \u2018Control\u2019 section"
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-006
 assessable: true
 depth: 3
@@ -10468,6 +8627,10 @@ objects:
 description: Appropriate logging and auditing mechanisms should be implemented throughout the slice life cycle. Real-time analysis of security events in the logs should be performed to immediately detect any attempted attacks
+ typical_evidence: 'System logs of the network slice instance contain event information
+ and timestamps of the following slice life-cycle stages: 1) Preparation phase;
+ 2) Installation, Configuration, and Activation phase; 3) Run-time phase; 4)
+ Decommissioning phase'
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10475,21 +8638,14 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node773
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-006
- name: Evidence
- description: 'System logs of the network slice instance contain event information
- and timestamps of the following slice life-cycle stages: 1) Preparation phase;
- 2) Installation, Configuration, and Activation phase; 3) Run-time phase; 4)
- Decommissioning phase'
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-007
 assessable: true
 depth: 3
 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23
 ref_id: SO23-007
 description: All resources and network functions consumed by a slice are monitored
+ typical_evidence: Log files of a slice contain detailed information of the resources
+ and network functions consumed
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10497,13 +8653,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node775
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-007
- name: Evidence
- description: Log files of a slice contain detailed information of the resources
- and network functions consumed
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-008
 assessable: true
 depth: 3
@@ -10511,6 +8660,9 @@ objects:
 ref_id: SO23-008
 description: Appropriate logging and auditing mechanisms should be implemented in the SDN control layer
+ typical_evidence: Check that log files containing event information and timestamps
+ are present in the SDN controller. Check that tools for auditing log files
+ at regular intervals are installed
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10518,14 +8670,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node777
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-008
- name: Evidence
- description: Check that log files containing event information and timestamps
- are present in the SDN controller. Check that tools for auditing log files
- at regular intervals are installed
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-009
 assessable: true
 depth: 3
@@ -10533,6 +8677,11 @@ objects:
 ref_id: SO23-009
 description: MEC system collects charging related data, logs it securely, and makes it available for further processing
+ typical_evidence: Log files in MEC components include information such as traffic
+ usage, application instantiation, access, usage duration, resource usage,
+ etc. Log files are accessible only to authorized users. Packet captures confirm
+ that the transport protocol used for making the log files available to other
+ components is secure
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10540,16 +8689,6 @@ objects:
 - risk:reference_control:enisa-5g-scm:5G-M118
 - risk:reference_control:enisa-5g-scm:5G-M119
 - risk:reference_control:enisa-5g-scm:5G-M120
- - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node779
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-009
- name: Evidence
- description: Log files in MEC components include information such as traffic
- usage, application instantiation, access, usage duration, resource usage,
- etc. Log files are accessible only to authorized users. Packet captures confirm
- that the transport protocol used for making the log files available to other
- components is secure
 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-010
 assessable: true
 depth: 3
@@ -10558,6 +8697,9 @@ objects:
 description: Event logs containing user activities, exceptions, faults, and information security events are generated, stored, and reviewed. These logs are integrated and corelated with service provider monitoring mechanisms
+ typical_evidence: Verify that event logs are integrated and corelated with service
+ provider monitoring mechanisms and that they contain user activities, exceptions,
+ faults, and information security events, as appropriate
 reference_controls:
 - risk:reference_control:enisa-5g-scm:5G-M115
 - risk:reference_control:enisa-5g-scm:5G-M116
@@ -10565,14 +8707,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node781 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-010 - name: Evidence - description: Verify that event logs are integrated and corelated with service - provider monitoring mechanisms and that they contain user activities, exceptions, - faults, and information security events, as appropriate - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-011 assessable: true depth: 3 @@ -10580,6 +8714,10 @@ objects: ref_id: SO23-011 description: 'MNO has a logging policy which ensures that security and management data is accurate, timely, complete, and includes VPN/remote access ' + typical_evidence: 'MNO has documented processes and tools to collect performance, + management and security data from networks, systems and security sensors, + as well as distribute the information to other processes/services. Presence + of performance and security data in logs includes any remote access ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 
@@ -10587,15 +8725,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node783 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-011 - name: Evidence - description: 'MNO has documented processes and tools to collect performance, - management and security data from networks, systems and security sensors, - as well as distribute the information to other processes/services. Presence - of performance and security data in logs includes any remote access ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-012 assessable: true depth: 3 @@ -10604,20 +8733,8 @@ objects: description: "The VNF supports comparing the owned resource state with the parsed\ \ resource state from VNFD (VNF Description) by the VNFM. \nThe VNF sends\ \ an alarm to the OAM if the two resource states are inconsistent. " - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M115 - - risk:reference_control:enisa-5g-scm:5G-M116 - - risk:reference_control:enisa-5g-scm:5G-M117 - - risk:reference_control:enisa-5g-scm:5G-M118 - - risk:reference_control:enisa-5g-scm:5G-M119 - - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node785 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-012 - name: Evidence - description: 'Verify whether the VNF compares the owned resource state with - the parsed resource state. + typical_evidence: 'Verify whether the VNF compares the owned resource state + with the parsed resource state. Verify whether the VNF sends an alarm to the OAM if the two resource states are inconsistent: 
@@ -10631,6 +8748,13 @@ objects: and send the received resource state to the VNF. 4. Verify that the alarm is received by the OAM.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M115 + - risk:reference_control:enisa-5g-scm:5G-M116 + - risk:reference_control:enisa-5g-scm:5G-M117 + - risk:reference_control:enisa-5g-scm:5G-M118 + - risk:reference_control:enisa-5g-scm:5G-M119 + - risk:reference_control:enisa-5g-scm:5G-M120 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-013 assessable: true depth: 3 @@ -10638,6 +8762,9 @@ objects: ref_id: SO23-013 description: "The VNF alerts the OAM upon finding an abnormal situation, e.g.\ \ a VNFCI is deleted by a VIM. \nVNF logs the access from the VIM." + typical_evidence: "Log to the VIM and delete a VM of a VNF.\nCheck that VNF\ + \ alerts the OAM. The alert from the VNF is found in the OAM. \nCheck that\ + \ VNF logs the alert." reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 @@ -10645,14 +8772,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node787 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-013 - name: Evidence - description: "Log to the VIM and delete a VM of a VNF.\nCheck that VNF alerts\ - \ the OAM. The alert from the VNF is found in the OAM. \nCheck that VNF logs\ - \ the alert." - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-014 assessable: true depth: 3 
@@ -10664,19 +8783,7 @@ objects: \ the VIM to result in the configuration error of the hardware, the hardware\ \ triggers an alert.\nThe administrator can check the alert and determine\ \ the potential attack reported by that alert." - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M115 - - risk:reference_control:enisa-5g-scm:5G-M116 - - risk:reference_control:enisa-5g-scm:5G-M117 - - risk:reference_control:enisa-5g-scm:5G-M118 - - risk:reference_control:enisa-5g-scm:5G-M119 - - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node789 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-014 - name: Evidence - description: 'Use the VIM to make an error in hardware resource configuration + typical_evidence: 'Use the VIM to make an error in hardware resource configuration (e.g. error firmware upgrade) and check whether an alert is triggered. Tamper the hardware resource configuration the virtualisation layer received @@ -10684,6 +8791,13 @@ objects: Check whether the hardware alerts when the tampered hardware resource configuration is implemented.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M115 + - risk:reference_control:enisa-5g-scm:5G-M116 + - risk:reference_control:enisa-5g-scm:5G-M117 + - risk:reference_control:enisa-5g-scm:5G-M118 + - risk:reference_control:enisa-5g-scm:5G-M119 + - risk:reference_control:enisa-5g-scm:5G-M120 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-015 assessable: true depth: 3 
@@ -10696,20 +8810,9 @@ objects: Monitoring of account activity logs to see actions performed and activity associated with NFV components.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M115 - - risk:reference_control:enisa-5g-scm:5G-M116 - - risk:reference_control:enisa-5g-scm:5G-M117 - - risk:reference_control:enisa-5g-scm:5G-M118 - - risk:reference_control:enisa-5g-scm:5G-M119 - - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node791 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-015 - name: Evidence - description: 'Verify that monitoring processes are documented and in place within - the MNO security policies covering the different NFV components and interfaces. + typical_evidence: 'Verify that monitoring processes are documented and in place + within the MNO security policies covering the different NFV components and + interfaces. Verify that testing tools (e.g. vulnerability scanners), which should operate 
@@ -10722,12 +8825,23 @@ objects: Verify that administration account activities are logged by performing events and verifying the audit logs for their presence.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M115 + - risk:reference_control:enisa-5g-scm:5G-M116 + - risk:reference_control:enisa-5g-scm:5G-M117 + - risk:reference_control:enisa-5g-scm:5G-M118 + - risk:reference_control:enisa-5g-scm:5G-M119 + - risk:reference_control:enisa-5g-scm:5G-M120 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-016 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23 ref_id: SO23-016 description: Adequate monitoring of hardware parameters + typical_evidence: Check that (1) hardware resources are monitored with both + physical and virtual sensors; (2) alarms and alerts are in place to notify + of impending hardware failures and (3) that documented processes are in place + for responding to alarms and alerts to ensure preventive maintenance reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 @@ -10735,15 +8849,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node793 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-016 - name: Evidence - description: Check that (1) hardware resources are monitored with both physical - and virtual sensors; (2) alarms and alerts are in place to notify of impending - hardware failures and (3) that documented processes are in place for responding - to alarms and alerts to ensure preventive maintenance - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-017 assessable: true depth: 3 
@@ -10751,6 +8856,13 @@ objects: ref_id: SO23-017 description: Security and management data should be properly processed and regularly reviewed according to predefined procedures + typical_evidence: 'MNO has documented processes and tools to process for regular + review of security and management data. Verify that tools for detecting anomalies + and threats in logged data, including but not limited to threats to 5G core + coming from compromised end-user devices are installed and used. Review of + security and management data shows processing according to intended recipient + processes, resource instances, or service instances (e.g.: privacy sensitive + identifiers are removed from logged data). ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 
@@ -10758,24 +8870,15 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node795 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-017 - name: Evidence - description: 'MNO has documented processes and tools to process for regular - review of security and management data. Verify that tools for detecting anomalies - and threats in logged data, including but not limited to threats to 5G core - coming from compromised end-user devices are installed and used. Review of - security and management data shows processing according to intended recipient - processes, resource instances, or service instances (e.g.: privacy sensitive - identifiers are removed from logged data). ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-018 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23 ref_id: SO23-018 description: Resource performance should be monitored + typical_evidence: MNO has documented processes and tools for monitoring performance + information and for detecting performance degradation/threshold violations. + Recent monitoring records (e.g. reports). reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 
@@ -10783,20 +8886,16 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node797 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-018 - name: Evidence - description: MNO has documented processes and tools for monitoring performance - information and for detecting performance degradation/threshold violations. - Recent monitoring records (e.g. reports). - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-019 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23 ref_id: SO23-019 description: The virtualisation layer alerts the driver error to the administrator. + typical_evidence: 'Tamper a driver on the server and implement the executive + environment creation. + + Check whether the virtualisation layer alerts the driver error.' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 @@ -10804,15 +8903,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node799 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-019 - name: Evidence - description: 'Tamper a driver on the server and implement the executive environment - creation. - - Check whether the virtualisation layer alerts the driver error.' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-020 assessable: true depth: 3 
@@ -10826,19 +8916,7 @@ objects: It is also recommended that all audit logs are transferred to a log management platform outside the NFV to maintain their integrity and remove the risk of tampering.' - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M115 - - risk:reference_control:enisa-5g-scm:5G-M116 - - risk:reference_control:enisa-5g-scm:5G-M117 - - risk:reference_control:enisa-5g-scm:5G-M118 - - risk:reference_control:enisa-5g-scm:5G-M119 - - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node801 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-020 - name: Evidence - description: 'Check that there is a documented audit log management process. + typical_evidence: 'Check that there is a documented audit log management process. Check in log registries that local logging has been enabled on all systems @@ -10851,6 +8929,13 @@ objects: Check that appropriate logs are being aggregated to a central log management system for analysis and review. ' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M115 + - risk:reference_control:enisa-5g-scm:5G-M116 + - risk:reference_control:enisa-5g-scm:5G-M117 + - risk:reference_control:enisa-5g-scm:5G-M118 + - risk:reference_control:enisa-5g-scm:5G-M119 + - risk:reference_control:enisa-5g-scm:5G-M120 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-021 assessable: true depth: 3 
@@ -10858,6 +8943,10 @@ objects: ref_id: SO23-021 description: Tools for capturing relevant operational data should be used and regularly updated + typical_evidence: Verify that MNO has tools and infrastructure for data collection + of operational activity. Documented and updated i) monitoring policy, ii) + processes, iii) monitoring logs, iv) monitoring reports, v) policy/processes/capabilities + (including tools) review comments, and vi) change logs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 @@ -10865,15 +8954,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node803 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-021 - name: Evidence - description: Verify that MNO has tools and infrastructure for data collection - of operational activity. Documented and updated i) monitoring policy, ii) - processes, iii) monitoring logs, iv) monitoring reports, v) policy/processes/capabilities - (including tools) review comments, and vi) change logs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-022 assessable: true depth: 3 @@ -10881,6 +8961,9 @@ objects: ref_id: SO23-022 description: Policy-based processes and tools for collection, filtering, aggregation, distribution, and retention of data should be used and regularly updated + typical_evidence: MNO has documented policy-based security monitoring procedures/tools + for data collection and storage. MNO has records of reviews of these procedures + and tools, including review comments, and/or change logs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M115 - risk:reference_control:enisa-5g-scm:5G-M116 
@@ -10888,14 +8971,6 @@ objects: - risk:reference_control:enisa-5g-scm:5G-M118 - risk:reference_control:enisa-5g-scm:5G-M119 - risk:reference_control:enisa-5g-scm:5G-M120 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node805 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so23-022 - name: Evidence - description: MNO has documented policy-based security monitoring procedures/tools - for data collection and storage. MNO has records of reviews of these procedures - and tools, including review comments, and/or change logs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so24 assessable: false depth: 2 
@@ -10912,46 +8987,36 @@ objects: description: MANO and NFVI nodes are set up with redundancy, and ready to support high availability. They are distributed across multiple data centers and availability zones. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M121 - - risk:reference_control:enisa-5g-scm:5G-M122 - - risk:reference_control:enisa-5g-scm:5G-M123 - - risk:reference_control:enisa-5g-scm:5G-M124 - - risk:reference_control:enisa-5g-scm:5G-M125 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node808 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so24-001 - name: Evidence - description: 'A documented recovery plan explaining how the NFV system is deployed - so as to provide isolation and redundancy. + typical_evidence: 'A documented recovery plan explaining how the NFV system + is deployed so as to provide isolation and redundancy. Verify that the MNO recovery plan considers redundancy (network, power and geographic). Verify that the MNO recovery plan identifies a fail-over location for the NFV system in the event current location is inoperable.' + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M121 + - risk:reference_control:enisa-5g-scm:5G-M122 + - risk:reference_control:enisa-5g-scm:5G-M123 + - risk:reference_control:enisa-5g-scm:5G-M124 + - risk:reference_control:enisa-5g-scm:5G-M125 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so24-002 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so24 ref_id: SO24-002 description: Infrastructure recovery planning should be undertaken + typical_evidence: MNO has documented up-to-date recovery procedures and backup + planning which are proactively and regularly tested for ensuring business + continuity. 
Reports of tests/exercises showing execution of recovery procedures + and lessons learnt reference_controls: - risk:reference_control:enisa-5g-scm:5G-M121 - risk:reference_control:enisa-5g-scm:5G-M122 - risk:reference_control:enisa-5g-scm:5G-M123 - risk:reference_control:enisa-5g-scm:5G-M124 - risk:reference_control:enisa-5g-scm:5G-M125 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node810 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so24-002 - name: Evidence - description: MNO has documented up-to-date recovery procedures and backup planning - which are proactively and regularly tested for ensuring business continuity. - Reports of tests/exercises showing execution of recovery procedures and lessons - learnt - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so25 assessable: false depth: 2 
@@ -10974,24 +9039,19 @@ objects: (SAST) which identifies vulnerabilities in the code base (excluding packages), and dynamic application security testing (DAST) which can be tuned and trained to detect run-time vulnerabilities. - reference_controls: - - risk:reference_control:enisa-5g-scm:5G-M126 - - risk:reference_control:enisa-5g-scm:5G-M127 - - risk:reference_control:enisa-5g-scm:5G-M128 - - risk:reference_control:enisa-5g-scm:5G-M129 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node813 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so25-001 - name: Evidence - description: "By way of reviewing test reports, including testing plans and\ - \ results captured therein: \n\nVerification that there is frequent testing\ + typical_evidence: "By way of reviewing test reports, including testing plans\ + \ and results captured therein: \n\nVerification that there is frequent testing\ \ throughout lifecycles of NFV components.\n\nVerification that vendors during\ \ the development phase conduct regular vulnerability scanning, SAST, DAST,\ \ penetration testing and software composition analysis.\n\nVerification that\ \ MNOs during onboarding/instantiation/runtime of VNFs perform continuous\ \ scanning/monitoring for known vulnerabilities or misconfiguration on runtime\ \ workloads, scanning for any open ports, VM/Container escape, etc." + reference_controls: + - risk:reference_control:enisa-5g-scm:5G-M126 + - risk:reference_control:enisa-5g-scm:5G-M127 + - risk:reference_control:enisa-5g-scm:5G-M128 + - risk:reference_control:enisa-5g-scm:5G-M129 - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so25-002 assessable: true depth: 3 
@@ -10999,20 +9059,15 @@ objects: ref_id: SO25-002 description: A regular security testing program is used for identifying and mitigating vulnerabilities in MEC applications in a timely manner + typical_evidence: A documented policy for regular testing of MEC applications + exits. Check for testing reports, logs from testing tools, review comments, + and change logs. Verify that tools are available for isolating applications + until remedial updates are available once vulnerabilities are detected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M126 - risk:reference_control:enisa-5g-scm:5G-M127 - risk:reference_control:enisa-5g-scm:5G-M128 - risk:reference_control:enisa-5g-scm:5G-M129 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node815 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so25-002 - name: Evidence - description: A documented policy for regular testing of MEC applications exits. - Check for testing reports, logs from testing tools, review comments, and change - logs. Verify that tools are available for isolating applications until remedial - updates are available once vulnerabilities are detected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27 assessable: false depth: 2 
@@ -11027,36 +9082,26 @@ objects: parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27 ref_id: SO27-001 description: Security data collection and distribution should be audited + typical_evidence: MNO has documented processes and tools to audit information + and data collection activities. Reports of audit results and follow-up actions reference_controls: - risk:reference_control:enisa-5g-scm:5G-M134 - risk:reference_control:enisa-5g-scm:5G-M135 - risk:reference_control:enisa-5g-scm:5G-M136 - risk:reference_control:enisa-5g-scm:5G-M137 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node818 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27-001 - name: Evidence - description: MNO has documented processes and tools to audit information and - data collection activities. Reports of audit results and follow-up actions - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27-002 assessable: true depth: 3 parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27 ref_id: SO27-002 description: Fraud prevention and management policy should be implemented + typical_evidence: 'MNO has documented processes and tools for detecting and + investigating frauds ' reference_controls: - risk:reference_control:enisa-5g-scm:5G-M134 - risk:reference_control:enisa-5g-scm:5G-M135 - risk:reference_control:enisa-5g-scm:5G-M136 - risk:reference_control:enisa-5g-scm:5G-M137 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node820 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27-002 - name: Evidence - description: 'MNO has documented processes and tools for detecting and investigating - frauds ' - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27-003 assessable: true depth: 3 
@@ -11064,20 +9109,15 @@ objects: ref_id: SO27-003 description: Tools, processes and rulesets for forensic investigation of incidents should be used and regularly updated + typical_evidence: MNO has up to date documented policies, processes, tools, + and rulesets for forensic investigation of incidents. MNO has records of reviews + of these policies, processes, tools, and rulesets, including review comments, + and/or change logs reference_controls: - risk:reference_control:enisa-5g-scm:5G-M134 - risk:reference_control:enisa-5g-scm:5G-M135 - risk:reference_control:enisa-5g-scm:5G-M136 - risk:reference_control:enisa-5g-scm:5G-M137 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node822 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so27-003 - name: Evidence - description: MNO has up to date documented policies, processes, tools, and rulesets - for forensic investigation of incidents. MNO has records of reviews of these - policies, processes, tools, and rulesets, including review comments, and/or - change logs - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:d8 assessable: false depth: 1 
@@ -11104,21 +9144,16 @@ objects: as well as, NAS confidentiality and integrity should be provided to the user/application. The serving network identifier information should be available to applications in the UE + typical_evidence: Verify that the status of AS confidentiality and integrity, + as well as NAS confidentiality and integrity shown in a test application on + the UE matches with the use of confidentiality and integrity reflected in + the packet captures on the gNB/eNB/AMF/MME/. Verify that the serving network + identifier shown by a test application on the UE is the serving network identifier + for the MNO network to which the UE is connected reference_controls: - risk:reference_control:enisa-5g-scm:5G-M142 - risk:reference_control:enisa-5g-scm:5G-M143 - risk:reference_control:enisa-5g-scm:5G-M144 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node826 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so29-001 - name: Evidence - description: Verify that the status of AS confidentiality and integrity, as - well as NAS confidentiality and integrity shown in a test application on the - UE matches with the use of confidentiality and integrity reflected in the - packet captures on the gNB/eNB/AMF/MME/. Verify that the serving network identifier - shown by a test application on the UE is the serving network identifier for - the MNO network to which the UE is connected - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so29-002 assessable: true depth: 3 
@@ -11126,18 +9161,13 @@ objects: ref_id: SO29-002 description: To the extent feasible, detect and notify users about vulnerable devices, including IoT and UE supporting eSIM/iSIM + typical_evidence: MNO has documented policies and processes on informing users + about vulnerable devices, including details on communication channels (email, + SMS, etc.). List of users with vulnerable devices and notifications sent reference_controls: - risk:reference_control:enisa-5g-scm:5G-M142 - risk:reference_control:enisa-5g-scm:5G-M143 - risk:reference_control:enisa-5g-scm:5G-M144 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node828 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so29-002 - name: Evidence - description: MNO has documented policies and processes on informing users about - vulnerable devices, including details on communication channels (email, SMS, - etc.). List of users with vulnerable devices and notifications sent - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so29-003 assessable: true depth: 3 
@@ -11146,19 +9176,15 @@ objects: description: Inform enterprises and users about signaling threats in legacy network environments, countermeasures deployed, and provide precautionary guidance to prevent adverse events + typical_evidence: MNO has documented policies and processes, including details + on communication channels (web pages, brochures, etc.), explaining risks of + legacy SS7, GTP and Diameter signaling protocols such as location tracking, + interception of data, call, e-mail and SMS messages, financial fraud, theft + or digital identity theft. These policies and processes include provision + of timely guidance (via blog posts etc.), e.g. highlighting the risk of using + SMS as a multi-factor authentication mechanism and suggesting alternative + authentication reference_controls: - risk:reference_control:enisa-5g-scm:5G-M142 - risk:reference_control:enisa-5g-scm:5G-M143 - risk:reference_control:enisa-5g-scm:5G-M144 - - urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:node830 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:enisa-5g-scm-v1.3:so29-003 - name: Evidence - description: MNO has documented policies and processes, including details on - communication channels (web pages, brochures, etc.), explaining risks of legacy - SS7, GTP and Diameter signaling protocols such as location tracking, interception - of data, call, e-mail and SMS messages, financial fraud, theft or digital - identity theft. These policies and processes include provision of timely guidance - (via blog posts etc.), e.g. highlighting the risk of using SMS as a multi-factor - authentication mechanism and suggesting alternative authentication diff --git a/backend/library/utils.py b/backend/library/utils.py index 2b13fc7b40..ce43f3ede6 100644 --- a/backend/library/utils.py +++ b/backend/library/utils.py 
@@ -202,6 +202,7 @@ def import_requirement_node(self, framework_object: Framework):
 assessable=self.requirement_data.get("assessable"),
 ref_id=self.requirement_data.get("ref_id"),
 annotation=self.requirement_data.get("annotation"),
+ typical_evidence=self.requirement_data.get("typical_evidence"),
 provider=framework_object.provider,
 order_id=self.index,
 name=self.requirement_data.get("name"),
diff --git a/tools/convert_library.py b/tools/convert_library.py
index 653a636afb..287f6f82cb 100644
--- a/tools/convert_library.py
+++ b/tools/convert_library.py
@@ -44,6 +44,7 @@
 - threats
 - reference_controls
 - annotation
+ - typical_evidence
 The normal tree order shall be respected
 If multiple threats or reference_control are given for a requirements, they shall be separated by blank or comma.
 They shall be prefixed by the id of the corresponding base_urn and a semicolumn.
@@ -311,6 +312,9 @@ def get_color(wb, cell):
 annotation = (
 row[header["annotation"]].value if "annotation" in header else None
 )
+ typical_evidence = (
+ row[header["typical_evidence"]].value if "typical_evidence" in header else None
+ )
 implementation_groups = (
 row[header["implementation_groups"]].value
 if "implementation_groups" in header
@@ -346,6 +350,8 @@ def get_color(wb, cell):
 req_node["description"] = description
 if annotation:
 req_node["annotation"] = annotation
+ if typical_evidence:
+ req_node["typical_evidence"] = typical_evidence
 if implementation_groups:
 req_node["implementation_groups"] = implementation_groups.split(",")
 threats = row[header["threats"]].value if "threats" in header else None
diff --git a/tools/enisa/convert_5g_scm.py b/tools/enisa/convert_5g_scm.py
index bbb3887966..2504fe5529 100644
--- a/tools/enisa/convert_5g_scm.py
+++ b/tools/enisa/convert_5g_scm.py
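Review bot: `typical_evidence=self.requirement_data.get("typical_evidence")` hands the parsed YAML value to the model with no type check, so a library that writes the key as a block sequence or a mapping rather than a scalar is not rejected at this point, and the text field will store whatever coercion the ORM applies; whether a schema check upstream already catches that is not visible in this diff. If library files can reach this importer from user uploads, as is common for this kind of loader, I would guard the read before the constructor: `typical_evidence = self.requirement_data.get("typical_evidence")` / `if typical_evidence is not None and not isinstance(typical_evidence, str): raise ValueError("typical_evidence must be a string")` (or whatever error the importer already raises for malformed nodes), then pass the local. The constructor call this keyword sits in starts and ends outside the hunk.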
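Review bot: `req_node["typical_evidence"] = typical_evidence` in the last convert_library.py hunk copies the spreadsheet cell verbatim, and the generated YAML earlier in this diff shows the effect: quoted scalars ending in a stray space such as `frauds '` and `remote access '`, which then become part of the stored field and of any exact-match comparison on it. openpyxl also returns non-string values for numeric-looking or date cells, so I would normalise on the way in: `if typical_evidence:` / `    req_node["typical_evidence"] = str(typical_evidence).strip()`. Separately, the new `typical_evidence = (...)` block in the middle hunk keeps the whole conditional on one line whereas the adjacent `implementation_groups` block appears to be wrapped, which looks like the added lines skipped the formatter the rest of the file uses. Both code hunks sit inside a loop whose start and end are outside the hunk.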
@@ -68,8 +68,7 @@ current_objective_id = objective_id output_table.append(("", 2, objective_id, objectives[objective_id][0], objectives[objective_id][1], "")) req_measures = ["1:"+measure_id for measure_id in measures if measures[measure_id][0] == objective_id] - output_table.append(("x", 3, ref_id, "", description, ",".join(req_measures))) - output_table.append(("", 4, "", "Evidence", evidence, "")) + output_table.append(("x", 3, ref_id, "", description, ",".join(req_measures), evidence)) print("generating", output_file_name) wb_output = openpyxl.Workbook() @@ -100,7 +99,7 @@ ws1 = wb_output.create_sheet("requirements") ws1.append( - ["assessable", "depth", "ref_id", "name", "description", "reference_controls"] + ["assessable", "depth", "ref_id", "name", "description", "reference_controls", "typical_evidence"] ) for row in output_table: ws1.append(row) diff --git a/tools/enisa/enisa-5g-scm-v1.3.xlsx b/tools/enisa/enisa-5g-scm-v1.3.xlsx index 8b71792671..a9b3bf52fe 100644 Binary files a/tools/enisa/enisa-5g-scm-v1.3.xlsx and b/tools/enisa/enisa-5g-scm-v1.3.xlsx differ
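Review bot: The rebuilt requirement row `("x", 3, ref_id, "", description, ",".join(req_measures), evidence)` now carries seven cells to match the seven-column header added in the second hunk, but the objective row appended on the line just above it still has six, so its width diverges from the header and silently relies on openpyxl leaving the trailing cell empty. Padding it explicitly keeps every row aligned with the header and makes the column mapping obvious: `output_table.append(("", 2, objective_id, objectives[objective_id][0], objectives[objective_id][1], "", ""))`. Rows for other depths, if any are built elsewhere in the script, would need the same treatment, but they are outside the hunk, as is the loop this code sits in.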