Application SSP9 Telecommunication Systems Praden Anne-Marie
Vertical standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
The proposed contribution addresses the cybersecurity of network functions within telecommunication systems, which are increasingly recognized as critical infrastructure. Traditionally supporting public and broadband services, these networks now underpin essential services such as public safety and utilities (e.g., water and power), making them prime targets for cyberattacks—especially in the context of modern warfare.
This proposal aligns with the “broad vertical” work program, “Essential cybersecurity requirements for network functions of telecommunication systems,” managed by the ETSI TC Cyber Working Group for EUSR, by contributing to three areas: boot managers, hypervisors and container runtime systems, and authentication and access control for network function APIs.
Boot Manager and Remote Attestation
Ensuring the integrity of telecom infrastructure is fundamental to preventing the execution of malicious code. This can be achieved through robust boot-time and runtime integrity checks, managed by the boot manager and supported by remote attestation mechanisms. By incorporating Software Bill-of-Material (SBOM) attestation, operators can verify that only approved and trusted software components are deployed, thereby minimizing the attack surface and supporting rapid incident response. This approach not only strengthens security but also facilitates compliance with European cybersecurity standards and regulatory requirements.
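The boot-time integrity check and SBOM attestation described above, as an added illustration that is not part of the original proposal or of any ETSI deliverable. The boot manager records a measurement (SHA-256) per loaded component into an event log, an attestation key signs the log so a verifier can trust it, and the verifier compares the log against the approved SBOM. The HMAC "quote", the attestation key and the component names are constructed stand-ins for a hardware-rooted quote (e.g. from a TPM) and a real SBOM.

```python
import hashlib
import hmac
import json

# Constructed sample SBOM (not from the page): component name -> approved SHA-256.
APPROVED_SBOM = {
    "bootloader": hashlib.sha256(b"bootloader-v1").hexdigest(),
    "kernel": hashlib.sha256(b"kernel-v6").hexdigest(),
    "nf-runtime": hashlib.sha256(b"nf-runtime-v2").hexdigest(),
}

# Hypothetical shared attestation key; stands in for a TPM attestation key.
ATTESTATION_KEY = b"demo-attestation-key"


def measure(component: str, content: bytes) -> dict:
    """Record one boot-time measurement entry, as the boot manager would."""
    return {"component": component, "digest": hashlib.sha256(content).hexdigest()}


def sign_quote(event_log: list, key: bytes) -> str:
    """Produce an attestation 'quote' binding the whole event log (HMAC stand-in)."""
    canonical = json.dumps(event_log, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_quote(event_log: list, quote: str, key: bytes) -> bool:
    """Reject a log whose quote was not produced with the expected key."""
    return hmac.compare_digest(sign_quote(event_log, key), quote)


def compare_with_sbom(event_log: list, sbom: dict) -> list:
    """List every deviation between what was measured and what the SBOM approves."""
    deviations, seen = [], set()
    for entry in event_log:
        name, digest = entry["component"], entry["digest"]
        seen.add(name)
        if name not in sbom:
            deviations.append(f"unapproved component: {name}")
        elif sbom[name] != digest:
            deviations.append(f"digest mismatch: {name}")
    for name in sbom:
        if name not in seen:
            deviations.append(f"missing component: {name}")
    return deviations


def attest(event_log: list, quote: str, sbom: dict = APPROVED_SBOM,
           key: bytes = ATTESTATION_KEY) -> dict:
    """Verifier side: the quote must check out before the SBOM comparison counts."""
    if not verify_quote(event_log, quote, key):
        return {"trusted": False, "reason": "quote verification failed"}
    deviations = compare_with_sbom(event_log, sbom)
    return {"trusted": not deviations, "deviations": deviations}


def good_log() -> list:
    return [measure("bootloader", b"bootloader-v1"),
            measure("kernel", b"kernel-v6"),
            measure("nf-runtime", b"nf-runtime-v2")]


def demo_good() -> dict:
    log = good_log()
    return attest(log, sign_quote(log, ATTESTATION_KEY))


def demo_tampered() -> dict:
    # A modified kernel is measured honestly, so the SBOM comparison catches it.
    log = [measure("bootloader", b"bootloader-v1"),
           measure("kernel", b"kernel-v6-patched"),
           measure("nf-runtime", b"nf-runtime-v2")]
    return attest(log, sign_quote(log, ATTESTATION_KEY))


def demo_forged_quote() -> dict:
    # A correct-looking log signed with the wrong key is rejected before comparison.
    log = good_log()
    return attest(log, sign_quote(log, b"wrong-key"))


if __name__ == "__main__":
    print(demo_good())
    print(demo_tampered())
    print(demo_forged_quote())
```

The order of checks matters: the SBOM comparison is only meaningful once the quote proves the log came from the attesting device, which is why `attest` returns early on a bad quote.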
Isolation and Data Protection in Hypervisors and Containers
In multi-tenant environments, protecting data at rest and in transit is essential. Implementing transparent encryption within hypervisors and container managers, combined with service provider-controlled key management, ensures that sensitive information remains isolated and secure. This approach mitigates risks associated with shared infrastructure and lateral movement by attackers. This strategy is especially important for meeting the requirements of the General Data Protection Regulation (GDPR) and other European data protection frameworks. By enhancing isolation and data protection, telecom operators can provide stronger assurances to their customers and stakeholders.
Authentication and Access Control for Network Function APIs
As telecom networks become increasingly dynamic and multi-tenant, securing communication between network functions across different trust domains presents significant challenges. Adopting identity-based authentication and access control mechanisms—leveraging attributes such as attestation results, certification labels, and geographic location—enables a zero-trust security model. This approach aligns with current best practices and ongoing initiatives within the European Telecommunications Standards Institute (ETSI) and other international bodies. It ensures that only authorized entities can access critical network functions, thereby reducing the risk of unauthorized access and potential breaches.
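An attribute-based, deny-by-default access decision of the kind described above, as an added example that is not part of the original proposal. A caller's identity carries attributes (attestation result, certification label, region); each API has a policy stating which attribute values are acceptable, and a stale attestation result is treated as no evidence at all. The API names, labels and regions are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

# Constructed policies (hypothetical API names): attribute -> acceptable values.
POLICIES = {
    "subscriber-data-api": {
        "attestation": {"verified"},
        "certification_label": {"EUCC-substantial", "EUCC-high"},
        "region": {"EU"},
    },
    "health-api": {
        "attestation": {"verified"},
    },
}


def authorize(identity: dict, api: str, now: int, policies: dict = POLICIES,
              max_attestation_age: int = 300) -> Decision:
    """Every policy attribute must be present and acceptable; anything else is denied."""
    policy = policies.get(api)
    if policy is None:
        return Decision(False, [f"no policy for {api}: default deny"])
    reasons = []
    for attr, allowed in policy.items():
        value = identity.get(attr)
        if value is None:
            reasons.append(f"missing attribute {attr}")
        elif value not in allowed:
            reasons.append(f"{attr}={value} not in {sorted(allowed)}")
    # An attestation verdict is evidence of integrity at one point in time only;
    # a missing or old timestamp makes the verdict worthless for this decision.
    if "attestation" in policy:
        age = now - identity.get("attested_at", -10**9)
        if age > max_attestation_age:
            reasons.append(f"attestation result stale ({age}s old)")
    return Decision(not reasons, reasons)


def demo_allowed() -> Decision:
    caller = {"nf_id": "amf-7", "attestation": "verified", "attested_at": 900,
              "certification_label": "EUCC-high", "region": "EU"}
    return authorize(caller, "subscriber-data-api", now=1000)


def demo_wrong_region() -> Decision:
    caller = {"nf_id": "amf-9", "attestation": "verified", "attested_at": 900,
              "certification_label": "EUCC-high", "region": "US"}
    return authorize(caller, "subscriber-data-api", now=1000)


def demo_stale() -> Decision:
    caller = {"nf_id": "amf-7", "attestation": "verified", "attested_at": 100}
    return authorize(caller, "health-api", now=1000)


if __name__ == "__main__":
    for d in (demo_allowed(), demo_wrong_region(), demo_stale()):
        print(d)
```

Returning every failed reason rather than stopping at the first one gives the operator a complete audit record per request, which is what makes rapid incident response possible when a policy starts denying a previously trusted caller.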
What is the expected result and impact of this activity?
By contributing to these areas, this initiative aims to strengthen the cybersecurity posture of European telecommunication networks and ensure their resilience against evolving threats.
The proposed contribution introduces essential requirements for dynamically verifying the trustworthiness and certification of services and their underlying infrastructure. It establishes a secure identification mechanism for services and microservices based on identity attributes, leveraging a root of trust for secure boot and attestation. Additionally, it implements attribute-based authorization and API access control, supported by service-specific and adaptive security policies to enable rapid recovery from cyber attacks. It also proposes isolating data in persistent storage to prevent lateral movement of data in multi-tenant environments.
Integrating these capabilities across European infrastructure through harmonized standards will enhance cyber protection in multi-tenant and zero-trust environments, and facilitate swift detection of cyber threats.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
The proposed boot manager and remote attestation work facilitates compliance with European cybersecurity regulations by ensuring traceability and accountability in software supply chains. It also supports the implementation of CRA requirements for secure software deployment and lifecycle management.
The proposed work on isolation and data protection in hypervisors and containers provides assurance to regulators and stakeholders that sensitive data is adequately protected, even in complex, shared environments, and hence supports compliance with the General Data Protection Regulation (GDPR) and other European data protection mandates.
The proposed work on authentication and access control for network function APIs aligns with European and international standards, supporting regulatory objectives for secure, resilient, and interoperable telecom infrastructures. It also facilitates cross-border cooperation and trust among service providers.
