Questions & Answers
What are network assurance levels?
Network Assurance Levels (NALs) are a structured framework for measuring the degree of confidence in the security provided by a communication network infrastructure. The concept is derived from the practice of graded evaluations in information security, similar to the Evaluation Assurance Levels (EALs) in ISO/IEC 15408 (Common Criteria). Within the context of 5G and V2X, the European Telecommunications Standards Institute (ETSI) defines a framework for network security assurance in its specification ETSI TS 103 732. NALs categorize network security capabilities into distinct levels, each corresponding to a specific set of security controls, testing methodologies, and evidence requirements. A higher level signifies greater rigor in the network operator's security architecture, threat detection, and incident response. This complements the Cybersecurity Assurance Level (CAL) defined in the automotive standard ISO/SAE 21434: NALs focus on the external network, while CALs focus on the in-vehicle systems.
How are network assurance levels applied in enterprise risk management?
Automotive companies apply Network Assurance Levels in risk management to ensure the security and compliance of their connected vehicle services, especially in response to regulations like UNECE R155. The implementation involves three key steps:

1) **Risk-Based Level Definition**: Based on a Threat Analysis and Risk Assessment (TARA) per ISO/SAE 21434, classify V2X applications (e.g., OTA updates, emergency braking warnings) and assign a required NAL. High-risk functions demand higher NALs.
2) **Supplier Due Diligence**: Incorporate specific NAL requirements into procurement specifications and Service Level Agreements (SLAs) when selecting 5G providers. This includes demanding third-party audit reports confirming compliance with standards like ETSI TS 103 732.
3) **Continuous Monitoring**: Establish mechanisms to continuously verify the provider's adherence to the agreed NAL, using security logs and periodic penetration tests.

This approach measurably improves supplier compliance rates and can reduce security incidents stemming from network vulnerabilities by over 30%.
What challenges do Taiwan enterprises face when implementing network assurance levels?
Taiwanese enterprises face three primary challenges when implementing Network Assurance Levels:

1) **Lack of Localized Standards**: There is no unified, government-endorsed NAL framework in Taiwan, creating ambiguity when specifying requirements to local telecom operators. Mitigation: Proactively reference international standards like ETSI TS 103 732 in contracts to create a common basis for security expectations.
2) **Insufficient Supply Chain Transparency**: The complexity of telecom networks makes it difficult to assess end-to-end security. Mitigation: Mandate the provision of a Software Bill of Materials (SBOM) from network providers and reserve the right to conduct independent security assessments.
3) **Shortage of Cross-Disciplinary Talent**: Experts proficient in automotive cybersecurity (ISO/SAE 21434), telecommunications (5G), and network security are rare. Mitigation: Engage with specialized consulting firms like Winners Consulting for initial guidance and develop a long-term internal training program to build in-house capabilities.
Why choose Winners Consulting for network assurance levels?
Winners Consulting specializes in network assurance levels for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact