Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP
The European Union Agency for Cybersecurity (ENISA) provides authorities with technical guidance on the 5G Toolbox measure for security requirements in existing 5G standards.
The Agency has released its Security in 5G Specifications Report about key security controls in the Third Generation Partnership Project (3GPP), the main body developing technical specifications for fifth generation of mobile telecommunications (5G) networks. As vendors, system integrators and operators build, deploy and manage 5G networks, the ENISA publication underlines the need for cybersecurity and for the national regulatory authorities in charge of cybersecurity policy development and implementation to have a good understanding of these controls.
This new ENISA report is directly driven by the objectives set in the EU toolbox for 5G security - mainly technical measure ‘TM02’. This technical measure calls on the relevant authorities in EU Member States to ensure and evaluate the implementation of security measures in existing 5G standards (3GPP specifically) by operators and their suppliers.
The aim of the report is to help national and regulatory authorities to better understand the standardisation environment pertaining to 5G security, 3GPP security specifications and key security controls that operators must implement to secure 5G networks.
More specifically, the report provides:
- A high-level overview of the specification and standardisation landscape for the security of 5G networks, and of the main activities by various standardisation organisations and industrial groups in the area of 5G;
- An explanation of the technical specifications developed by 3GPP for the security of 5G networks, with a focus on optional security features;
- Summary of key findings and good security practices.
The ENISA report also covers security considerations beyond standards and specifications, such as testing and assurance, product development, network design, configuration and deployment, and operation and management.

ENISA release new report and training material to fight cybercrime and improve cooperation

The European Union Agency for Cybersecurity releases a new report and training material to support the cooperation among CSIRTs, Law Enforcement Agencies (LEAs) and their interaction with the judiciary.
The publications are designed to help tackle the challenges of this complex multi-stakeholder cooperation. The report, the handbook and the toolset are a set of deliverables complementing each other as follows:
- The report analyses roles, duties, competences, synergies and potential interferences across Computer Security Incident Response Teams (CSIRTs) - in particular, national and governmental ones, LE and judiciary (prosecutors and judges);
- The handbook helps a trainer explain these concepts through different scenarios;
- The toolset consists of exercises meant for trainees based on the handbook’s scenarios.
The report proposes a methodology to analyse the legal and organisational framework defining the roles and duties, the required competencies of CSIRTs and LE. It also identifies synergies and the potential interferences that may occur while engaging in the activities needed to respond to incidents of criminal nature and in fighting cybercrime.
In addition, it presents a detailed analysis focusing on Czechia, France, Germany, Luxembourg, Norway, Portugal, Romania, and Sweden. The methodology proposed can be used for a more comprehensive future analysis covering additional countries as it is based on:
- desk research;
- subject matter expert interviews;
- the segregation of duties (SoD) matrix.
This SoD matrix is also available in the ENISA repositories in GitHub, as well as the documentation on the Reference Security Incident Taxonomy Working Group (RSIT).
The RSIT working group will meet today as part of the 62nd TF-CSIRT Meeting. These are two other examples of the efforts ENISA engages in to contribute to building a bridge between CSIRTs and LE communities.
Main conclusions of the 2020 report on CSIRTs and LE cooperation include:
- The communities already engage in a number of actions meant to:
  - Avoid interferences wherever possible;
  - Create effective partnerships;
  - Use their synergies to support each other.
- However, interferences may still happen in the process of incident handling and cybercrime investigations, mainly because of the difference in purpose and mandate of each of these communities, i.e. incident mitigation (CSIRTs) compared with evidence preservation and criminal prosecution (LE and the judiciary).
- Joint training activities are organised mainly in community pairs, being either CSIRT and LE or LE and the judiciary. Such activities rarely involve the three communities. The joint training activities help the wider development of the competences required to respond to cybercrime.
- Overall, the 2019 pandemic of the COVID-19 virus did not have any significant impact on cooperation and exchanges between the three communities and their ability to function. Interaction even increased in some instances. For example, daily dialogues became more frequent in order to ensure that each community was kept informed as the situation evolved.
The response to cybercrime requires the cooperation of all actors involved. In this response, CSIRTs, LE and the judiciary perform each a different role and seek different objectives. Helping CSIRTs, LE and the judiciary understand their roles, duties and competences reciprocally will allow a closer cooperation while building on synergies and hence avoid possible interferences.
ENISA has been collecting input from the communities and compiling reports to shed light on the different aspects of the cooperation. These efforts are meant to further enhance the cooperation between CSIRTs and LE and their interaction with the judiciary, In addition, the Agency has been developing training material and co-organising the annual ENISA-EC3 workshop on CSIRT-LE Cooperation. The last edition of this event took place on 16 September 2020.
This new report and training material build on the work already completed in the area over the past. It contributed to the implementation of the ENISA programming document 2020-2022. The work conducted by ENISA in this area is planned to continue in 2021.

Securing Cloud Services for Health: New report by EU Agency for Cybersecurity helps healthcare organisations securely adopt cloud services and prepare for cybersecurity challenges

The European Union Agency for Cybersecurity (ENISA) published the Cloud Security for Healthcare Services report, which provides cybersecurity guidelines for healthcare organisations to help further digitalise with cloud services. Building on ENISA’s procurement guidelines for cybersecurity in hospitals, published early last year, this new report assesses the cybersecurity risks of cloud services and offers good practices for their secure integration into the European healthcare sector. The ENISA report comes as the European Commission is moving forward this year with the European Health Data Space initiative to promote the safe exchange of patients’ data and access to health data.
The COVID-19 pandemic has underlined an increased need for efficient – and secure – digital healthcare services. Cloud solutions allow for the flexible and rapid deployment of the electronic storage of data and electronic communications such as telemedicine. However, the complexity of legal systems and new technologies, as well as concerns over the security of sensitive patient data have slowed the healthcare sector in adopting cloud services.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “A resilient health sector relies on secure digital solutions. The EU Agency for Cybersecurity provides healthcare organisations with guidance to address cybersecurity concerns related to cloud services and is preparing an EU Cloud Cybersecurity Certification scheme, both of which aim to do just that.”
The report addresses these concerns by providing security guidelines for three main areas in which cloud services are used by the healthcare sector, namely for:
Electronic Health Record (EHR), i.e. systems focusing on the collection, storage, management and transmission of health data, such as patient information and medical exam results;
Remote Care, i.e. the subset of telemedicine supporting remote patient-doctor consultation;
Medical Devices, i.e. cloud services supporting the operation of medical devices such as making medical device data available to different stakeholders or for device monitoring.
For each of these use cases, the report highlights the main factors to be considered when healthcare organisations conduct the relevant risk assessment – for example, in terms of risk to sensitive patient data or availability of a medical service. These guidelines, however, are only a first step for healthcare providers to adapt securely to the cloud. More support is needed, such as established industry standards on cloud security, specific direction from national and EU authorities, and further guidelines from Data Protection Authorities on transferring healthcare data to the cloud.
The report also proposes a set of security measures for healthcare organisations to implement when planning their move to cloud services, such as establishing processes for incident management, defining data encryption requirements, and ensuring data portability and interoperability. The measures are proposed taking into consideration the draft candidate EU Cybersecurity Certification Scheme on Cloud Services (EUCS) to ensure compatibility and requirements mapping. The Agency’s draft scheme is part of the larger cybersecurity certification framework aimed at enhancing trust in ICT products, services and processes across Europe. The draft scheme is open for public consultation until 7 February 2021.
The EU Agency for Cybersecurity will continue its work to strengthen the cybersecurity of Europe’s healthcare sector by publishing guidelines, promoting information sharing, collaborating with policy-makers and organising events such as the annual eHealth Conference, addressing the healthcare sector’s major cybersecurity challenges.

ENISA and eu-LISA – Cooperation for a More Digitally Resilient Europe

Within the priorities of the Portuguese Presidency of the Council of the European Union and the current Recovery Plan for Europe put forward by the European Commission, the words “digital” and “resilience” are prominent and at times used together. When combined they bring to mind IT-related challenges that need to be addressed to ensure a stronger and safer Europe for its citizens. One of the primary concerns is cybersecurity; and, given that this is a topic of common interest to the European Union Agency for Cybersecurity (ENISA) and the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), it gives the two Agencies further impetus to work together to face this growing threat.
Earlier today Executive Directors Juhan Lepassaar (ENISA) and Krum Garkov (eu-LISA) signed a multiannual Cooperation Plan. The plan sets out activities that will provide benefits through joint actions to the Agencies themselves and to the EU Member States.
The three-year Cooperation Plan complements the existing regulations applicable to ENISA and eu-LISA, and lays out various actions within complimentary areas that the Agencies can draw benefits from by sharing knowledge, information and expertise. Information Security, Business Continuity, Research, Data Protection and Corporate Quality Management are among the priority areas identified for collaboration.
ENISA Executive Director Juhan Lepassaar said: “Securing our digital future is facilitated by sharing knowledge and expertise. This Cooperation Plan will allow our Agencies to find solutions together.”
"With cybersecurity and digital resilience high on the European agenda for the coming years, it seems fitting to take the opportunity to strengthen our cooperation with ENISA and to boost our common contributions to the goals set for Europe's digital future. There are many areas where our respective consolidated expertise can be put to good use. The EU Cybersecurity Strategy, adopted by the Commission in December, is one of these and the fast changing landscape of cyber threats including the ensuing need to secure common cyber spaces are examples of where we can mutually assist each other. This renewed agreement is the best way to kick-off 2021 and eu-LISA is looking forward to extending its relationship with ENISA." said Krum Garkov, Executive Director of eu-LISA.
It is in the common interest of both Agencies to promote and share activities with their stakeholders and the general public in order to provide increased visibility and further improve awareness of their respective responsibilities and joint successes. For this reason, the Cooperation Plan includes core activity related plans, as well as communication and information sharing as important areas for joint actions.

Cybersecurity in the Maritime Sector: ENISA Releases New Guidelines for Navigating Cyber Risk

The European Union Agency for Cybersecurity provides port operators with a set of good practices to help them identify and evaluate cyber risks, and effectively identify suitable security measures.
The European Union Agency for Cybersecurity (ENISA) released cybersecurity guidelines to help European port operators manage cyber risks amid digital transformation and increased regulations. ENISA’s new Guidelines - Cyber Risk Management for Ports was drafted in collaboration with several ports in EU Member States. The publication builds on ENISA’s 2019 Port Cybersecurity Report by providing actionable practices that speak to the current cybersecurity threats and changing digital landscape faced by Europe’s maritime sector.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar stated: “The maritime sector plays a pivotal role in the global supply chain. Advancing digital technologies bring economic benefits to ports, but also introduce new cyber threats. The report provides guidelines and good practices to support them in effectively conducting this cyber risk assessment, which is where many of these operators face challenges.”
The interconnected nature of ports requires operators to achieve and maintain a baseline level of cybersecurity to ensure security across the port ecosystem. The report notes that the EU maritime sector has a fragmented approach to assessing cyber risks.
The report encourages port operators to develop a set of good practices in a means to develop this baseline level of cybersecurity. Practices include to:
- Identify cyber-related assets and services in a systematic way that includes maintaining an asset inventory, identifying dependencies and deploying automation;
- Adopt a comprehensive approach for identifying and evaluating cyber risks that includes CTI, risk indicators and business impact analysis, involves all relevant stakeholders and is integrated at an organisational level;
- Prioritise the implementation of security measures following a risk-based approach that considers security measure effectiveness and pertinence to the identified risks, and is founded in a security-by-design approach;
- Implement organisation-wide cybersecurity awareness and technical training programmes;
- Develop a comprehensive cybersecurity programme that involves a commitment by senior management;
- Conduct a cybersecurity maturity self-assessment to identify priorities for improvement, and budget and resource allocation.
The NIS Directive classifies several categories of port operators as Operators of Essential Services (OES), including port authorities and terminal operators. Cyber risk assessments are among the NIS Directive requirements for these OES. The International Maritime Organisation’s (IMO) International Ship and Port Facility Security (ISPS) code concerns port facilities / terminal operators and provides a framework for conducting security risk assessment, albeit not necessarily specific to cyber risks. The ISPS code is implemented in the EU by Regulation 725/2004; while EU Directive 2005/65 on enhancing port security introduces similar requirements and extends them to ports.
The EU Agency for Cybersecurity supports cybersecurity in Europe’s maritime sector by providing recommendations, supporting the development of regulations, facilitating information exchange and organising awareness-raising events. In 2019, the Agency published its Port Cybersecurity Report with a set of cybersecurity good practices for the maritime sector, and organised two maritime security workshops with the European Maritime Safety Agency (EMSA).
The Agency is currently developing an online tool for cyber risk management for port operators, and will continue its work with EU bodies, such as the EMSA, and Member States to strengthen cybersecurity for the sector.

Cloud Certification Scheme: Building Trusted Cloud Services Across Europe

ENISA launches a public consultation on a new draft candidate cybersecurity certification scheme in a move to enhance trust in cloud services across Europe.
The European Union Agency for Cybersecurity (ENISA) launched a public consultation, which runs until 7 February 2021, on its draft of the candidate European Union Cybersecurity Certification Scheme on Cloud Services (EUCS). The scheme aims to further improve the Union’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU Member States.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar said: “Cloud services play an increasing role in the life of European citizens and businesses under lockdown; and their security is essential to the functioning of the Digital Single Market. A single European cloud certification is critical for enabling the free flow of data across Europe, and is an important factor in fostering innovation and competitiveness in Europe.”
Speaking at the ENISA Cybersecurity Certification Conference on 18 December 2020, Director of Digital Society, Trust and Cybersecurity at the European Commission Directorate-General for Communications Networks, Content and Technology (DG CONNECT) Lorena Boix Alonso said: “We must ensure that cybersecurity certification strikes the right balance, following a sensible risk-based approach, with flexible solutions and certification schemes designed to avoid being outdated quickly. And we need a clear roadmap to allow industry, national authorities and standardisation bodies to prepare in advance.”
There are challenges to the certification of cloud services, such as a diverse set of market players, complex systems and a constantly evolving landscape of cloud services, as well as the existence of different schemes in Member States. The draft EUCS candidate scheme tackles these challenges by calling for cybersecurity best practices across three levels of assurance and by allowing for a transition from current national schemes in the EU. The draft EUCS candidate scheme is a horizontal and technological scheme that intends to provide cybersecurity assurance throughout the cloud supply chain, and form a sound basis for sectoral schemes.
More specifically, the draft EUCS candidate scheme:
- Is a voluntary scheme;
- The scheme’s certificates will be applicable across the EU Member States;
- Is applicable for all kinds of cloud services – from infrastructure to applications;
- Boosts trust in cloud services by defining a reference set of security requirements;
- Covers three assurance levels: ‘Basic’, ‘Substantial’ and ‘High’;
- Proposes a new approach inspired by existing national schemes and international standards;
- Defines a transition path from national schemes in the EU;
- Grants a three-year certification that can be renewed;
- Includes transparency requirements such as the location of data processing and storage.

ENISA AI Threat Landscape Report Unveils Major Cybersecurity Challenges

The European Union Agency for Cybersecurity (ENISA) released its Artificial Intelligence Threat Landscape Report, unveiling the major cybersecurity challenges facing the AI ecosystem. ENISA’s study takes a methodological approach at mapping the key players and threats in AI. The report follows up the priorities defined in the European Commission’s 2020 AI White Paper. The ENISA Ad-Hoc Working Group on Artificial Intelligence Cybersecurity, with members from EU Institutions, academia and industry, provided input and supported the drafting of this report.
The benefits of this emerging technology are significant, but so are the concerns, such as potential new avenues of manipulation and attack methods. The technology takes many steps across the supply chain and requires vast amounts of data to function efficiently. The AI Threat Landscape report underlines the importance of cybersecurity and data protection in every part of the AI ecosystem to create trustworthy technology for end-users.
Executive Director of the EU Agency for Cybersecurity Juhan Lepassaar said: “Cybersecurity is one of the bases of trustworthy solutions for Artificial Intelligence. A common understanding of AI cybersecurity threats will be key to Europe’s widespread deployment and acceptance of AI systems and applications.”
This new work by ENISA aims to serve as a baseline for initiatives to secure AI: both in terms of policies, as it frames the problem and provides guidance on cybersecurity threats, as well as in terms of technical controls, as it highlights specific threats for which action may be needed. The report is directed to policy makers when developing future guidance on secure AI deployments, to technical experts to support customised risk assessments and to standardisation bodies to support upcoming AI security standards.
The main highlights of the report include:
Definition of AI’s scope in the context of cybersecurity by following a lifecycle approach. The ecosystem of AI systems and applications is defined by taking into account the different stages of the AI lifecycle -- from requirements analysis to deployment.
- Identification of assets of the AI ecosystem as a fundamental step in pinpointing what needs to be protected and what could possibly go wrong in terms of the security of the AI ecosystem.
- Mapping of the AI threat landscape by means of a detailed taxonomy. This serves as a baseline for the identification of potential vulnerabilities and attack scenarios for specific use cases.
- Classification of threats and listing of relevant threat actors. The impact of threats to different security properties is also highlighted.
The ENISA AI Threat Landscape identifies the challenges and opportunities to deploy secure AI systems and services across the Union. The report highlights the need for more targeted and proportionate security measures to mitigate the identified threats, as well as the need for an in-depth look into AI’s use in sectors such as health, automotive and finance.
The EU Agency for Cybersecurity continues to play a bigger role in the assessment of Artificial Intelligence (AI) by providing key input for future policies.
Earlier this year, the Agency set up the ENISA Ad Hoc Working Group on Cybersecurity for Artificial Intelligence, which supports ENISA in the process of building knowledge on AI Cybersecurity. The group includes members from the European Commission Directorate-General Communications Networks, Content and Technology (DG CONNECT), the European Commission Directorate-General Joint Research Committee (DG JRC), Europol, the European Defence Agency (EDA), the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Telecommunications Standards Institute (ETSI), as well as academics and industry experts.

ENISA 5G Threat Landscape Report Updated to Enhance 5G Security

The European Union Agency for Cybersecurity (ENISA) published an updated version of its 5G threat assessment report to address advancements in the areas of fifth generation of mobile telecommunications networks (5G) and to contribute to the implementation of the EU 5G toolbox cybersecurity risk mitigating measures.
The new ENISA Threat Landscape for 5G Networks report is a major update of the previous edition as it captures recent developments in 5G standardisation. The publication includes a vulnerability analysis, which examines the exposure of 5G components. The analysis explores how cyber threats can exploit vulnerabilities and how technical security controls can help mitigate risks.
European Union Agency for Cybersecurity Executive Director Juhan Lepassaar explained: “By providing regular threat assessments, the EU Agency for Cybersecurity materialises its support to the EU cybersecurity ecosystem.  This work is part of our continuous contribution to securing 5G, a key infrastructure for the years to come.”
The New Threat Landscape includes:
- An updated system architecture of 5G, indicating introduced novelties and assessed security considerations;
- A detailed vulnerability analysis of all relevant 5G assets, including their exposure to threats;
- A mapping of related security controls aiming at the reduction of threat surface;
- An update of the relevant threats in accordance with their exploitation potential of the assessed vulnerabilities;
- The consideration of implementation options – migration paths from 4G to 5G infrastructures;
- The development of a process map showing the contribution of operational, life cycle and security assurance processes to the overall security of 5G infrastructures;
- A new inventory of critical components.
The information produced for this report is based on publicly available content published by 5G market players (operators, vendors, and national and international organisations), standardisation groups and bodies (for example: 3rd Generation Partnership Project (3GPP); International Telecommunications Union (ITU); European Telecommunications Standardisation Institute (ETSI); International Organisation for Standardisation (ISO); the Global System for Mobile Communications (GSMA)).

NIS Directive has Positive Effect, though Study Finds Gaps in Cybersecurity Investment Exist

The European Union Agency for Cybersecurity (ENISA) released a new report on information security spending for network and information services (NIS) under the NIS Directive, the first EU-wide legislation on cybersecurity. The NIS Investments report is based on a survey of 251 organisations of operators of essential services (OES) and digital service providers (DSP) from France, Germany, Italy, Spain and Poland. Eighty-two percent of those surveyed reported the NIS Directive had a positive effect on their information security.
The new ENISA study examining cybersecurity spending states that 82% of Operators of Essential Services and Digital Services Providers find that the NIS Directive has a positive effect. However, gaps in investment still exist. When comparing organisations from the EU to those from the United States, data shows that EU organisations allocate on average 41% less to cybersecurity than their US counterparts.
NIS Directive Implementation
The report provides input to the European Commission’s review of the NIS Directive on the 16th of December, four years after the Directive entered into force and two years after the transposition into national law.
Challenges remain after the implementation of the Directive -- the lack of clarity of the NIS Directive expectations after transposition into national law was a common issue. More than 35% of organisations surveyed believe the NIS Directive expectations are unclear. Twenty-two percent of respondents listed limited support from national authorities as one of their top challenges when implementing the Directive.
Cybersecurity Investments: EU vs. US
When comparing organisations from the EU to organisations from the United States, the study shows that EU organisations allocate on average 41% less to information security than their US counterparts.
Key findings about the NIS Directive implementation in the NIS Investment report
- The average budget for NIS Directive implementation projects is approximately €175k, with 42.7% of affected organisations allocating between €100k and €250k. Slightly less than 50% of surveyed organisations had to hire additional security matter experts.
- Surveyed organisations prioritised the following security domains: Governance, Risk & Compliance and Network Security.
- When implementing the NIS Directive, 64% of surveyed organisations procured security incident & event log collection solutions, as well as security awareness & training services.
- “Unclear expectations” (35%)  and “Limited support from the national authority” (22%) are among the top challenges faced by surveyed organisations when implementing the NIS Directive.
- 81% of the surveyed organisations have established a mechanism to report information security incidents to their national authority.
- 43% of surveyed organisations experienced information security incidents with a direct financial impact to up to €500k, while 15% experienced incidents with over half a million euro.

Focus on National Cybersecurity Capabilities: New Self-Assessment Framework to Empower EU Member States

The EU Agency for Cybersecurity issues a National Capabilities Assessment Framework (NCAF) to help EU Member States self-measure the level of maturity of their national cybersecurity capabilities.
Developed with the support of 19 EU Member States, this framework was designed following an extensive exchange of ideas and good practices. The strategic objectives of the national cybersecurity strategies served as a basis of the study.
The framework was developed as part of the mandate of ENISA, as defined in the Cybersecurity Act. It falls under the provision to support EU Member States in building capacities in the area of national cybersecurity strategies through the exchange of good practices.
The key features
The self-assessment framework is composed of 17 objectives structured around 4 clusters. Each of these clusters is associated to a key thematic area for building cybersecurity capacity. Different objectives are also associated to each cluster. Based on 5 levels of maturity, specific questions were devised for each objective.
The clusters are as follows:
(I) Cybersecurity governance and standards - This dimension considers aspects of planning to prepare the Member State against cyber-attacks as well standards to protect Member States and digital identity
(II) Capacity-building and awareness - This cluster assesses the capacity of the Member States to raise awareness on cybersecurity risks and threats and on how to tackle them. Additionally, this dimension gauges the ability of the country to continuously build cybersecurity capabilities, increase knowledge and skills in the cybersecurity domain.
(III) Legal and regulatory - This cluster measures the capacity of the Member States to put in place the necessary legal and regulatory instruments to address cybercrime and also address legal requirements such as incident reporting, privacy matters, CIIP.
(IV) Cooperation - This cluster evaluates the cooperation and information sharing between different stakeholder groups at the national and international level.
Target Audience
The report issued is intended for policymakers as well as experts and officials responsible for, or involved in the design, implementation and evaluation of a national cybersecurity strategy and/or of national cybersecurity capabilities.
Why a capability assessment framework?
Cybersecurity capabilities are the main tools used by EU Member States to achieve the objectives of their National Cybersecurity Strategies. The purpose of the framework is to help Member States build and enhance cybersecurity capabilities by assessing their level of maturity.
The framework will allow EU Member States to:
- Perform the evaluation of their national cybersecurity capabilities.
- Increase the maturity level of awareness;
- Identify areas for improvement;
- Build new cybersecurity capabilities.
1 2 3 4