Audit and certification programmes
SANCUS aims at accelerating the development and implementation of certification processes by helping organisations understand how they can derive the most benefit from digitisation and what they need to do to achieve certification by the regulatory bodies. The project also sets as a cornerstone the improvement of cybersecurity and digital privacy auditing methods, which hold strong potential for delivering a safe, multi-sectoral setting for gaining not only skills but also a secure environment for the development and promotion of certification processes.
In the context of SANCUS, seven engines have been designed and implemented. They constitute the project's main technical key results. These engines will be used to perform security audits and offer certification to a 5G network provider according to a set of requirements. The seven engines are as follows:
- Firmware Inspection Validation engine (FiV)
- Code Integrity Verification engine (CiV)
- Software Risk Validation and Verification Engine (SiD)
- Modelling of IoT unit defining the security-vs-privacy-vs-reliability metric (MiU)
- Game Implicit Optimisation Engine (GiO)
- Attack Configuration Engine (AcE)
The SANCUS Compliant programme
The SANCUS consortium will create a SANCUS Compliant Certification for 5G security tool vendors that would like to join the SANCUS ecosystem. The SANCUS Compliant programme will help these vendors get the most out of the SANCUS approach, from both a technical and a marketing point of view.
The basic functionality of a SANCUS Compliant (SC) 5G security tool can be summarised as being able to detect vulnerabilities in a 5G network for a specific layer, protocol, domain, or slice. The tool must also be able to share the detection information, together with a potential mitigation action, with the SANCUS engines via a dedicated topic on the KAFKA event bus.
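As an added illustration of the producer side of that interface (example code written for this page, not SANCUS project code): a tool validates a detection before it leaves the tool, attaches an optional mitigation proposal, and publishes the record keyed by the affected asset. The field names, the topic name `sancus.detections`, the scope and severity vocabularies and the in-memory bus that stands in for a Kafka producer are all assumptions made here; the page does not describe the actual SANCUS message contract.

```python
"""Added example (not SANCUS project code): package a vulnerability
detection plus an optional mitigation proposal as a JSON record for a
dedicated event-bus topic. Field names, topic name and the in-memory
bus are assumptions for illustration; the real contract is not on the page."""
import json
from datetime import datetime, timezone

# Assumed topic name (placeholder, not taken from the page).
DETECTION_TOPIC = "sancus.detections"
# Assumed scope kinds, matching the four scopes the page names.
VALID_SCOPES = {"layer", "protocol", "domain", "slice"}
# Assumed severity vocabulary.
VALID_SEVERITIES = {"low", "medium", "high", "critical"}


class InMemoryBus:
    """Stand-in for a Kafka producer so the example runs offline.
    Stores (topic, key, value) tuples instead of sending them."""

    def __init__(self):
        self.records = []

    def send(self, topic, key, value):
        self.records.append((topic, key, value))


def build_detection_event(tool_id, scope, target, vuln_id, severity,
                          description, mitigation=None, ts=None):
    """Validate inputs and return a dict ready for serialisation.
    Raises ValueError on malformed input so a tool never publishes a
    record the consuming engines cannot interpret."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {sorted(VALID_SCOPES)}")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(VALID_SEVERITIES)}")
    if not tool_id or not target or not vuln_id:
        raise ValueError("tool_id, target and vuln_id are required")
    if mitigation is not None and not isinstance(mitigation, dict):
        raise ValueError("mitigation must be a dict when given")
    event = {
        "schema_version": 1,
        "tool_id": tool_id,
        "scope": {"kind": scope, "target": target},
        "finding": {"vuln_id": vuln_id, "severity": severity,
                    "description": description},
        "detected_at": (ts or datetime.now(timezone.utc)).isoformat(),
    }
    if mitigation is not None:
        event["mitigation"] = mitigation
    return event


def publish_detection(bus, event, topic=DETECTION_TOPIC):
    """Serialise with sorted keys (stable for hashing/auditing) and publish
    keyed by the target so all events for one asset share a partition."""
    key = event["scope"]["target"].encode()
    value = json.dumps(event, sort_keys=True).encode()
    bus.send(topic, key, value)
    return value


def decode_record(value):
    """Consumer-side helper: turn the published bytes back into a dict."""
    return json.loads(value.decode())


def demo():
    """Publish one constructed sample detection and return the bus."""
    bus = InMemoryBus()
    evt = build_detection_event(
        tool_id="vendor-scanner-01",        # constructed sample value
        scope="slice",
        target="slice-eMBB-07",             # constructed sample value
        vuln_id="PLACEHOLDER-VULN-ID",      # no real identifier on the page
        severity="high",
        description="constructed sample finding",
        mitigation={"action": "isolate_slice",
                    "params": {"slice": "slice-eMBB-07"}},
        ts=datetime(2024, 1, 1, tzinfo=timezone.utc),  # fixed for reproducibility
    )
    publish_detection(bus, evt)
    return bus


if __name__ == "__main__":
    for topic, key, value in demo().records:
        print(topic, key.decode(), value.decode())
```

Validating before publishing matters because the consuming engines only see the bus: a record with an unknown scope kind or severity would otherwise be silently dropped or misclassified downstream, which is exactly the failure a certification audit of the detection path is meant to catch.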
SANCUS Certified Verified Logos
The SANCUS Verified programme
A SANCUS Verified programme will be established to help 5G network manufacturers and operators demonstrate externally that they take cybersecurity seriously. The aim is to allow consumers to identify 5G products and networks with better-than-average security qualities, and thereby raise their awareness of important quality attributes such as security and privacy. With increased consumer awareness, companies with a SANCUS Verified logo linked to their product or network should have a competitive advantage in their market segment, as consumer expectations of security attributes should increase.
The SANCUS Verified programme will consist of three main parts:
- Certify that the firmware of different 5G products (e.g., cameras, IoT devices, 5G routers, etc.) is free of vulnerabilities. For this purpose, we use the CiV/FiV and AcE engines.
- Certify that the 5G network is safe during operation because it detects 5G-related attacks using the SiD engine.
- Certify that dedicated mitigation actions are selected in an optimised way and correctly implemented in the 5G network using the MiU/GiO and Security Orchestrator engines.
For each part, we create a certification level:
- SANCUS certification level 1 – SANCUS Bronze logo: To achieve this level, an independent certification organisation must collect and document evidence that the firmware to be verified is free of known vulnerabilities.
- SANCUS certification level 2 – SANCUS Silver logo: To achieve this level, an independent certification organisation must collect and document evidence that attack detection is activated during operation and can detect known 5G attacks.
- SANCUS certification level 3 – SANCUS Gold logo: To achieve this level, an independent certification organisation must collect and document evidence that the network is resilient to attacks and that the relevant mitigation actions are implemented.