ZTE Corporation, a significant global supplier of telecommunications, enterprise, and consumer technology solutions for the mobile internet, recently announced that it has completed the Building Security In Maturity Model 12 (BSIMM12) assessment, published by Synopsys, of its 5G Flexhaul products, outperforming 128 competitors globally with a top score of 100. It isn’t the first time that ZTE security has achieved an excellent result in a third-party assessment. Indeed, ZTE security standards have already gained recognition from the telecommunication industry. Let’s review how ZTE’s past achievements earned industry recognition.
ZTE receives outstanding marks for its 5G Flexhaul products in the BSIMM12 assessment.
The BSIMM is a descriptive model that offers a baseline of observed activities for software security initiatives and is one of the top security practice models in the market. It was created in 2008 by Synopsys in collaboration with the BSIMM community to assist businesses in organizing, carrying out, assessing, and enhancing their software security initiatives (SSIs).
The 2021 edition of the BSIMM report, BSIMM12, examines information from the software security activities of 128 companies from a variety of industries, including financial services, FinTech, independent software vendors (ISVs), Internet of Things (IoT), healthcare, cloud, and technology organizations. ZTE works hard to properly manage and control all security vulnerabilities throughout the lifecycle of its products through architecture analysis, security features & design, automatic static analysis, and penetration testing. ZTE performs regression testing, automatic security hardening, and quantitative scenario evaluation during the O&M phase in the current networks to continuously assure product security.
ZTE has participated in the BSIMM assessment as one of the first-echelon members for a number of years. ZTE’s ranking at the top of the first echelon in the BSIMM12 evaluation at the end of 2021 marked a transition in product security from excellence to leadership.
For its 5G RAN solution, ZTE received a CC EAL3+ certification.
Last year, ZTE Corporation successfully gained the Common Criteria (CC) EAL3+ certification for its 5G RAN solution.
This certification makes ZTE the first telecoms vendor in the world to have a comprehensive system solution, comprising a number of 5G RAN components, receive the CC EAL3+ certificate. The certificate also attests that ZTE 5G RAN equipment achieves industry-leading levels of security.
Based on ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation is an authoritative, widely accepted international standard. Currently, 31 countries participate in the CC certification’s mutual recognition program. Major worldwide telecom operators value the CC certification in their procurement initiatives due to its high caliber and objectivity.
For the target of evaluation (TOE), the CC specifies seven evaluation assurance levels (EALs), of which EAL3 (methodically tested and checked) is the highest level thus far attained by a system-level product in the telecommunications industry. The TOE has achieved EAL3+ status, which indicates that it satisfies both the EAL3 requirements and additional, augmented requirements for the evaluated security capability.
ZTE’s certificate, which covers 15 5G RAN products such as AAU/RRU, BBU, Unified Management Expert (UME), and others, is the industry’s first CC EAL3+ certificate for a complete solution. User plane data routing, data scheduling and transmission, mobility management, and data stream IP header compression and encryption are just a small part of the features of the solution, which also interfaces with User Equipment (UE). The UME is used to manage the system through a web interface.
The evaluation, which covers security throughout the whole product lifecycle, including product design, development, testing, manufacture, and delivery, was carried out by the accredited CC evaluation lab SGS Brightsight from the Netherlands. The Netherlands Scheme for Certification in the Area of IT Security (NSCIB), administered by the certification company TÜV Rheinland Nederland B.V., issued the certificate to ZTE and declared that the evaluation met all requirements for the CC Certificate’s international recognition.
ZTE’s 5G network equipment passes NESAS security assessments against SCAS as mandated by 3GPP.
According to the official announcement on the GSMA website, ZTE’s 5G NR gNodeB and seven pieces of 5GC network equipment passed the GSMA’s Network Equipment Security Assurance Scheme (NESAS) security assessment.
In March 2021, ZTE completed the NESAS security evaluation of its 5G network products in accordance with the security requirements outlined in the 3GPP Security Assurance Specifications (SCAS).
All relevant SCAS test cases have been executed by SGS Brightsight, a NESAS Security Test Laboratory recognized by GSMA. Air interface security, service-oriented architecture (SOA) security, access security, control/user plane security, general network product security, transmission security, operation and maintenance security, and vulnerability and robustness testing are all covered by the tests. The test report, which presents the security levels of ZTE’s 5G products objectively, states that ZTE has passed all of the tests.
As a comprehensive and effective cybersecurity assessment framework, NESAS takes into account feedback from various stakeholders and continuously improves its capacity to meet the security requirements of network operators, equipment vendors, regulators, and national security authorities.
Security has been in the spotlight with the development of telecommunication technologies. Improving industrial security standards requires all telecommunication companies to make efforts together. ZTE, obviously, sets an example for other market players.