The BSI ist currently analysing several technical, 5G-unspecific areas of a public 5G mobile network to develop appropriate security requirements. The individual results of this project will be listed successively below.

These studies serve the implementation of the legal obligation according to § 165(4) TKG. According to § 165(4) TKG, the 5G mobile network operators in Germany have to certify their critical components before its first use until 01.01.2026. The identification of the critical components is done by the mobile network operators based on the list of critical functions by the Federal Network Agency. The BSI is defining the details of this certification obligation in the technical guideline 03163 "Security in Telecommunications Infrastructure". In the annex A of this technical guideline, the approved certification requirement documents are listed, which need to be used to comply with § 165(4) TKG.

On the basis of the aforementioned security requirements, the BSI is analysing already existing certification requirement documents in respect to their use to comply with § 165(4) TKG. If no appropriate certification requirement documents could be identified in this analysis, the BSI will develop new certification requirement documents together with relevant vendors and the 5G mobile network operators.

In order to get a complete view if possbile on the security of the public 5G mobile networks in Germany, operational security requirements will be developed alongside the product-specific security requirements in these studies as well.

Policy and Charging Functions (PCF & CCS) in 5G

The aim of this study is to describe the policy and charging functions in public 5G mobile networks in a product-independent manner and to create suitable security requirements in the form of Essential Security Requirements on the basis of a risk analysis.

Policy and charging functions in 5G mobile networks grant users the mobile network services activated for them based on a stored usage profile. These functions also ensure that the 5G mobile network operators correctly record the services used, so that these can ultimately be billed correctly. Depending on the operating model selected for these functions, a failure of the policy and charging functions can lead to an considerable impairment of the 5G mobile network.

Study and Risk Analysis for Policy and Charging Control Functions (PCF & CCS) in 5G

Appendix A - Study and Risk Analysis for Policy and Charging Control Functions (PCF & CCS) in 5G

Management- und Orchestrierungssysteme (MANO) in 5G

The aim of this study is to describe and analyse MANO in a product-independent manner so that specific certification requirements can be drawn up based on the results of this study.

Network orchestration, more precisely the creation, configuration, monitoring and cancellation of network functions, is one of the critical functions of a public 5G mobile network. MANO are complex systems with multiple interconnected components. Ensuring the security of the systems is of paramount importance in today's connected and digital world. Security is a multi-layered concern and requires a combination of technical measures, secure development practices and organisational processes. By implementing robust security measures and a proactive approach to threat defence, network operators and service providers can ensure the integrity, availability and confidentiality of their network functions and services.

Study and risk analysis of Management and Orchestration (MANO) systems in 5G