Security Assurance Methodology (SECAM) is a framework developed by the 3rd Generation Partnership Project (3GPP) to evaluate and assure the security of network products used in mobile communications networks. An important partner in the development and implementation of the framework is the GSM Association (GSMA). SECAM provides general, testable security requirements and security properties for the various classes of network products.
SECAM is the acronym for Security Assurance Methodology, a security framework that 3GPP developed specifically for network products used in mobile communications. The framework can be used to evaluate and assure the security of such products: it defines general, testable security properties and requirements for the various network product classes. SECAM builds on the concepts of the Common Criteria (CC) and the Common Criteria Recognition Arrangement (CCRA) and adapts them to mobile networks.
An important partner in the development and implementation of the Security Assurance Methodology is the GSM Association (GSMA) with its Network Equipment Security Assurance Group (NESAG). Among other things, NESAG defines the framework for the accreditation of test laboratories. A central component of SECAM are the Security Assurance Specifications (SCAS), which contain the security requirements and the corresponding test specifications for each network product class. In addition to the security evaluation of network products, the Security Assurance Methodology also covers the evaluation of the manufacturers' development and lifecycle management processes.
Motivation for the development of SECAM
Mobile networks have become indispensable in both private and industrial environments. They are part of the critical infrastructure and form the backbone of digitalization in many areas of daily life, such as medicine and transportation. A failure of mobile communications can have significant negative consequences for the economy and society, so the security of the products used in mobile networks is becoming increasingly important. Mobile operators place high demands on the security of the products supplied by the various manufacturers. At the same time, manufacturers want to provide secure network products that can be deployed in different markets worldwide. SECAM was developed to provide universally applicable, auditable security standards and processes that meet these objectives of both manufacturers and network operators.
The importance of SCAS for SECAM
Security Assurance Specifications (SCAS) play a central role in SECAM. They define and describe the security requirements and the test cases for a given class of network products, and thus form the basis of a security evaluation. Their security requirements cover, for example, product resilience and data security. A SCAS document is divided into three parts:
- The network product class description (NPCD)
- The security problem definition (SPD)
- The security requirements (SR), including the associated test cases
The process of network product evaluation according to SECAM
The process of network product evaluation according to SECAM can be described in simplified form in these steps:
First, the manufacturer obtains the Security Assurance Specifications (SCAS) that its network product is supposed to fulfil. The product is then evaluated against these specifications.
The result is a detailed evaluation report, which is provided to the network operator that deploys the product. The network operator decides whether the results meet its internal requirements (and any external requirements, such as regulatory obligations) and whether it accepts the product's security assurance level.