Sabin Popescu, Counselor, CERT-RO

CENTRUL NAȚIONAL DE RĂSPUNS LA INCIDENTE DE SECURITATE CIBERNETICĂ - CERT-RO


• deployment of 5th generation (5G) network technologies is a major enabler for future digital services and a priority for the Digital Single Market strategy;

• the Commission adopted the 5G Action Plan to make sure that the Union has the connectivity infrastructure necessary for its digital transformation from 2020;

• the dependence of many critical services on 5G networks would make the consequences of systemic and widespread disruption particularly serious;

• ensuring the cybersecurity of 5G networks is an issue of strategic importance for the Union, at a time when cyber-attacks are on the rise and more sophisticated than ever;


• the cybersecurity of 5G networks is key to ensuring the strategic autonomy of the Union (as recognized in the Joint Communication ‘EU-China, a Strategic Outlook’);

• to support the implementation of these obligations, the Union has set up a number of cooperation bodies:
  • the Agency for Network and Information Security (ENISA);
  • the Commission;
  • national regulatory authorities of Member States;
  • the Cooperation Group established by Directive (EU) 2016/1148;
  • the Computer Security Incident Response Teams network, which at technical level facilitates operational cooperation.


• the future European cybersecurity certification framework should provide an essential supporting tool to promote consistent levels of security;

• the development of cybersecurity certification schemes has to respond to the needs of users of 5G-related equipment and software;

• the critical importance of these infrastructures should make the development of relevant European cybersecurity certification schemes for information and communications technologies' products, services or processes used for 5G networks an immediate priority;

• in the absence of harmonized Union law, Member States may specify by means of national technical regulations, adopted in compliance with Union law, that a European cybersecurity certification scheme should be mandatory;


• a high level of data protection and privacy is an important element in ensuring the security of 5G networks;

• Member States and operators are currently taking important preparatory steps towards enabling the large-scale roll-out of 5G networks. Several Member States have expressed concerns about potential security risks related to 5G networks in the context of carrying out procedures for the grant of rights of use in radio spectrum bands designated for 5G networks;

• addressing cybersecurity risks in 5G networks should take into account both technical and other factors;

• the need to protect the networks across their entire lifecycle and the need to cover all relevant equipment, including in the design, development, procurement, deployment, operation and maintenance phases of 5G networks;


• Member States to assess the cybersecurity risks affecting 5G networks at national level and take necessary security measures;

• Member States and relevant Union institutions, agencies and other bodies to develop jointly a coordinated Union risk assessment that builds on the national risk assessment;

• the Cooperation Group set up under Directive (EU) 2016/1148 (Cooperation Group) to identify a possible common set of measures to be taken to mitigate cybersecurity risks related to infrastructures underpinning the digital ecosystem, in particular 5G networks.


• 30 April 2019: Member States started operating within a dedicated 5G assessment Work Stream within the Cooperation Group;

• 30th of June: the Member States responded to a questionnaire regarding the risk assessment of the 5G network infrastructure, including identifying the most sensitive elements where security breaches would have a significant negative impact;

• by 9 October 2019, Member States, with the support of the Commission and together with the European Agency for Cybersecurity (ENISA), should complete a joint review of the Union-wide exposure to risks related to infrastructures underpinning the digital ecosystem, in particular 5G networks;


• a toolbox of appropriate, effective and proportionate possible risk management measures to mitigate the identified cybersecurity risks at national and Union level should be agreed by 31 December 2019, for advising the Commission on developing minimum common requirements to further ensure a high level of cybersecurity of 5G networks across the Union;

• the toolbox should include:
  • an inventory of the types of security risks that can affect the cybersecurity of 5G networks (e.g. supply chain risk, software vulnerability risk, access control risk, risks arising from the legal and policy framework to which suppliers of information and communications technologies equipment may be subject in third countries);
  • a set of possible mitigating measures (e.g. third-party certification for hardware, software or services, formal hardware and software tests or conformity checks, processes to ensure access controls exist and are enforced, identifying products, services or suppliers that are considered potentially not secure, etc.)


• once European cybersecurity certification schemes relevant for 5G networks are developed, Member States should adopt, in compliance with Union law, national technical regulations providing for mandatory certification of information and communications technologies products, services or systems covered by these schemes;

• Member States should cooperate with the Commission to develop specific security requirements that could apply in the context of public procurement related to 5G networks. This should include mandatory requirements to implement cybersecurity certification schemes in public procurement insofar as such schemes are not yet binding for all suppliers and operators;

• Member States should cooperate with the Commission to assess the effects of these measures by 1 October 2020, with a view to determining appropriate ways forward. This assessment should take into account the outcome of the coordinated Union risk assessment and the Union toolbox;


1. Introduction
  • Policy context and process
  • Scope: 5G networks and related applications
  • Key technological novelties of 5G networks
  • 5G ecosystem and deployment in the EU

2. EU assessment of cybersecurity risks
  a) Threats and threat actors
  b) Assets
  c) Vulnerabilities
  d) Risk scenarios
  e) Existing mitigating measures

3. Conclusions


a) has established an interinstitutional group (comprising the institutions/authorities with capabilities and responsibilities in the field) to discuss the risk assessment of the cybersecurity of 5G networks;

b) attended the work of the NIS Cooperation Group – 5G Cybersecurity Work Stream, and contributes input to the final report;

c) filled in the 5G cybersecurity risk assessment questionnaire;

d) continues to work through the interinstitutional group on establishing the impact of 5G networks from a cybersecurity perspective in the Romanian cyber environment;


• 5G network technology and standards will bring certain security improvements compared with previous network generations;

• security challenges are linked, among others, to greater access of third-party suppliers to networks and to interlinkages between 5G networks and third-party systems, as well as to the degree of dependency on individual suppliers;

• the technological changes introduced by 5G will increase the overall attack surface and the number of potential entry points for attackers;

• a major dependency on a single supplier also significantly affects the security and resilience of networks;

• Romania has to get in line with the way the EU is approaching the issues.
