← Book home
Part 6 · Threats, Attacks, and Operator Protection
28

5G Security Audit Checklist

Proving — not assuming — that the protections are on

"An audit isn't a formality. It's the one time someone actually checks whether the security you designed is the security you're running." — WHY AUDITS EXIST

This chapter turns the entire book into an audit program. Each domain — RAN, core/SBA, roaming, slice/NPN, cloud, certificates, devices — gets a focused checklist drawn from the mechanism chapters, with the evidence to demand and the risk to score. It's the systematic version of Chapter 25's quick-scan, structured for a formal, repeatable security audit.

🎯 Learning objectives
📘 Standards reference box — Chapter 28
ReferenceTitleNote
TS 33.117 + 33.51xSCAS — per-NF security requirements (audit seeds)Rel-18 edition
TS 33.5015G security (the controls being audited)Rel-18, v18.11.0 (2026-04)
GSMA NESAS / FS.40Assurance scheme & config guidancecurrent

Checked June 2026 — verify against the latest 3GPP version. Reuse SCAS as audit seeds (Chapter 2, 11).

28.1 The Audit Methodology

FIGURE 28.1Audit Methodology Wheel
scopedomains, releases evidencecaptures, configs, logs score risklikelihood×impact reportprioritized findings fix + re-verify re-verify closes the loop — an audit finding isn't fixed until re-tested evidence-based: demand proof (a capture/config), never a verbal "yes it's on"
Purpose: the repeatable cycle. The non-negotiable principle: evidence-based — every "secure" claim is backed by a capture, config, or log, never a verbal assurance.
FIGURE 28.2RAN Audit Map
RAN AUDIT (Ch 9, 15, 16) ☑ secure boot + signed software — evidence: attestation/config ☑ keys in CU, secure storage — evidence: design + SCAS 33.511 ☑ F1/Xn/N2/N3 IPsec/DTLS — evidence: packet capture ☑ UP integrity required (critical) — evidence: DRB-setup capture ☑ physical/tamper security — evidence: site survey ☑ NCC increments at handover — evidence: HO trace (Ch16) ☑ no NEA0/NIA0 in normal service — evidence: SMC capture ☑ open fronthaul/IAB protected — evidence: config/capture
Purpose: the RAN checklist with evidence per item. Note each item names the proof to collect — a capture or config, not a claim.
FIGURE 28.3Core / SBA Audit Map
CORE / SBA AUDIT (Ch 10, 11) ☑ mTLS on every SBI link (incl. intra-site) — capture ☑ OAuth token validated: sig/scope/AUDIENCE/expiry — negative test ☑ NRF hardened, mTLS, authenticated registration — config + test ☑ UDM HSM-backed, no key export — design + HSM evidence ☑ no plaintext HTTP/2 between NFs — capture ☑ NF SCAS evidence (33.117 + per-NF) — NESAS report ☑ SBI/OAM unreachable externally — reachability scan ☑ NF lifecycle: decommission revokes cert/registration
Purpose: the core/SBA checklist. The audience-claim negative test (Chapter 10) and the SBI reachability scan (Chapter 25) are the highest-yield items.
FIGURE 28.4Roaming Audit Map
ROAMING AUDIT (Ch 13) ☑ ALL inter-PLMN signaling via SEPP — no bypass ☑ message filtering enabled + per-partner allowlist ☑ N32 protection (TLS/PRINS); per-IE policy reviewed ☑ topology hiding enabled — capture/config ☑ partner certificate trust/rotation/revocation ☑ drift alarm on any SEPP with filtering disabled
Purpose: the roaming checklist. The "no bypass" and "filtering enabled" items catch the #1 roaming misconfiguration (Chapter 13/25).
FIGURE 28.5Slice and NPN Audit Map
SLICE / NPN AUDIT (Ch 20, 21) ☑ all FOUR isolation layers verified (CP/UP/mgmt/resource) ☑ enterprise slices: UP integrity required (not eMBB default) ☑ NSSAA + revocation where contracted; NSSAI privacy ☑ resource quotas (anti-starvation) ☑ NPN onboarding: unique scoped time-limited creds ☑ IT/5G/OT segmentation; CAG (PNI-NPN)
Purpose: the slice/NPN checklist. "All four isolation layers" and "no eMBB defaults" catch the recurring slicing failures (Chapter 20).
FIGURE 28.6Cloud / Platform Audit Map
CLOUD / PLATFORM AUDIT (Ch 29) ☑ container image signing + scanning; SBOM ☑ K8s hardening (RBAC, network policy, no privileged pods) ☑ secrets management (Vault/HSM); K in HSM ☑ CI/CD pipeline security gates ☑ multi-tenant/node isolation ☑ NFVI/host hardening; escape prevention
Purpose: the cloud checklist (Chapter 29). For cloud-native cores, this domain often has the most findings — the platform is new ground for telecom teams.
FIGURE 28.7Certificate / PKI Audit Map
CERTIFICATE / PKI AUDIT (Ch 10, 14) ☑ per-NF certs (no shared/wildcard in production) ☑ no self-signed / expired certs in production ☑ automated enrollment (CMPv2) + rotation ☑ revocation works (CRL/OCSP) ☑ expiry-countdown monitoring (availability) ☑ root CA offline / strongly protected
Purpose: the PKI checklist. Certificate hygiene affects both security (un-rotated breach) and availability (expiry outage) — audit both angles.
FIGURE 28.8Audit Risk Scoring and Reporting Template
#findingrisk (L×I)controldue 1SEPP filtering disabled (partner X)CRITICALre-enable + allowlist24h 2token audience not validatedHIGHenable strict validation7d 3SUCI null scheme (region Y)HIGHenforce scheme A/B7d 4UP integrity "preferred" (slice Z)MEDIUMset "required"30d cert rotation manual, F1 partially unprotected…MED/LOWautomate / IPsec30-90d a good audit report is a PRIORITIZED, OWNED, DATED action list — not a 200-page document nobody reads
Purpose: the deliverable. An audit's value is a ranked, owned, dated remediation list — the executive sees the top criticals; the engineers get the evidence and the fix.

28.2 The Practical Operator View

28.3 Domain-to-Chapter Map

Audit domainKey itemsChapters
RANsecure boot, interface IPsec, UP integrity, NCC9,15,16
Core/SBAmTLS, token validation, NRF/UDM hardening10,11
RoamingSEPP filtering, N32 protection, topology hiding13
Slice/NPN4-layer isolation, NSSAA, onboarding, OT segmentation20,21
Cloudimage/K8s/secrets/supply-chain29
Certificateper-NF, rotation, revocation, root protection10,14
DeviceUSIM root, EIR, fleet controls4,23
PrivacySUCI, GUTI rotation, LCS, minimization4,19

28.4 Terminology

TermMeaning
evidence-based auditFindings backed by captures/configs/scans, not claims
SCAS / NESASPer-NF requirements / assurance scheme reused as audit seeds
risk score (L×I)Likelihood × impact prioritization
re-verificationRe-testing a fix to confirm closure

Real network example. An operator's compliance team had been running an annual 5G "audit" that consisted of a vendor questionnaire — yes/no boxes the vendors filled in. It always came back green. When a new security lead replaced it with an evidence-based audit (the maps in this chapter), the first run found eleven findings across RAN, core, and roaming — including a critical disabled SEPP filter and a high-risk token-audience gap — none of which the questionnaire had ever surfaced, because the vendors had honestly answered "the capability exists" while the deployment had it switched off. The new audit's evidence requirement (a capture, a config, a scan per item) turned "we support it" into "here it is, running." The remediation list became the security roadmap. An audit that accepts assurances audits the paperwork; an audit that demands evidence audits the network.

Chapter Summary

? Review Questions

  1. Why must an audit be evidence-based, and what's the failure mode of a questionnaire audit?
  2. Name the audit domains and one high-yield item in each.
  3. What is the single highest-yield core/SBA audit test, and why?
  4. How do you reuse SCAS in an audit?
  5. How should findings be scored and sorted?
  6. Why is re-verification part of the audit cycle?
  7. What does a good audit report look like?
  8. Why pair audits with continuous drift alarms?
🧪 Mini lab — run a domain audit

Pick one domain (e.g., core/SBA) and run its checklist against a real or lab network you're authorized to test: (1) For each item, collect the evidence (capture/config/scan), not a claim. (2) Record pass/fail with the evidence attached. (3) Score each fail by likelihood × impact. (4) Produce a one-page prioritized, owned, dated remediation table (Figure 28.8). (5) For one finding, write the re-verification test that proves it's fixed. You've now produced the artifact that turns this entire book into action — and the input to the master checklist of Chapter 35.

← Chapter 27 Chapter 28 · end of Part 6 Chapter 29 →