SECAM

Security Assurance Methodology

Introduced in Rel-12

SECAM is a 3GPP security assurance methodology that provides a standardized framework for evaluating, testing, and certifying the security of network products and implementations against specified standards.

Category: Security
Introduced: Rel-12
Where: Security
Specifications: 4 specs

Description

The Security Assurance Methodology (SECAM) is a comprehensive framework defined across multiple 3GPP technical specifications (including TS 33.117, 33.805, 33.916, and 33.926) that establishes standardized approaches for security evaluation, testing, and assurance of 3GPP network products and implementations. It provides methodologies to verify that security features are correctly implemented and effective against identified threats. SECAM encompasses security assurance specifications (SCAS) for different network elements, which detail security functional requirements and assurance activities specific to each product type, such as base stations, core network nodes, or user equipment.

SECAM works by defining a structured process that begins with the creation of Security Assurance Specifications (SCAS) for particular 3GPP network elements or functions. These specifications identify security objectives, threats, and required security functions based on the element's role in the network architecture. The methodology then outlines assurance activities—including documentation review, vulnerability analysis, penetration testing, and functional security testing—that must be performed to verify compliance. Testing laboratories or certification bodies execute these activities according to standardized test plans, evaluating both the implementation of security mechanisms and their resilience against attacks. Results are documented in security evaluation reports that form the basis for certification decisions.

Key components of SECAM include the Security Assurance Specification (SCAS) documents that define requirements per network element, the Security Assurance Levels (SAL) that indicate the depth and rigor of evaluation required, standardized test cases and methodologies for security testing, and the certification framework that defines roles of manufacturers, testing laboratories, and certification authorities. The methodology covers various security aspects including cryptographic algorithm implementation, secure boot, access control, log management, and resistance to protocol attacks. SECAM's role in the network is to provide confidence that deployed network equipment has undergone rigorous, standardized security evaluation, reducing the risk of vulnerabilities that could compromise network integrity, user privacy, or service availability.

Purpose & Motivation

SECAM was created to address the growing need for standardized security evaluation of 3GPP network products in an increasingly complex threat landscape. As mobile networks evolved to support critical services and handle sensitive data, vulnerabilities in network equipment could have severe consequences. Prior to SECAM, security testing approaches varied between manufacturers and operators, making it difficult to consistently assess security posture or compare products from different vendors. This inconsistency created potential security gaps and increased the risk of deploying equipment with unknown vulnerabilities.

The methodology solves the problem of inconsistent security evaluation by providing a unified framework that defines what security requirements apply to each type of network element and how those requirements should be tested. It addresses the challenge of ensuring that security features are not just present but correctly implemented and effective against real-world attacks. SECAM enables network operators to make informed procurement decisions based on standardized security certifications, and gives regulators a consistent basis for approving equipment for use in national networks.

Historically, as networks transitioned to all-IP architectures with increased software-defined components and exposure to internet-based threats, the attack surface expanded significantly. SECAM provided the necessary methodology to systematically evaluate security across this expanded threat landscape. It also supports the security assurance needs of emerging technologies like 5G network slicing, edge computing, and massive IoT deployments, where traditional perimeter-based security models are insufficient and each network function requires individual security validation.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (5 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-12, normative work from Rel-16.

Rel-16 1 change

In Release 16, the SECAM function was newly introduced as the "Security Assurance Methodology (SECAM) for 3GPP network products," establishing a formal framework for security assurance. This methodology introduced a technical baseline of generic security requirements for all network products and defined specific security functional requirements with corresponding test cases, including those for general SBA/SBI aspects and data-in-transit protection profiles. It also formalized the use of automatic assessment tools and detailed requirements for system behavior under overload conditions to prevent insecure states.

  • Addition of AMF-related Security Problem Descriptions: Not implemented as it was intended as draft CR (MCC). (TS 33.926 CR0006)

Rel-18 1 change

In Release 18, the SECAM function was updated to include a new threat reference for the incorrect encoding of UE 5G security capabilities on the AMF's NG interface. This addition specifically addresses a potential security vulnerability within the 5G system's security architecture as defined in the specifications. The update ensures this threat is formally recognized and incorporated into the security assurance methodology for relevant network product classes.

  • Threat reference for incorrectly encoded UE 5G security capabilities on the AMF NG interface (TS 33.926 CR0067)

Rel-19 3 changes

In Release 19, the SECAM function was enhanced by introducing a dedicated Security Assurance Specification (SCAS) for the SMSF network product class. This involved adding new, specific threats and identifying critical assets for the SMSF within the overarching catalogue of 3GPP network product classes. These updates provide a targeted security baseline for assuring the SMSF, expanding the scope of the SCAS methodology documented in TS 33.926.

  • Add annexure to Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes specific to SMSF (TS 33.926 CR0085)
  • Security Assurance Specification (SCAS) threats specific to SMSF (TS 33.926 CR0099)
  • Add a new clause in annexure to Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes specific to SMSF (TS 33.926 CR0105)

Defining Specifications

3GPP specifications that define or reference SECAM, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification | Title | Release
TS 33.117 vk00 | Catalogue of General Security Assurance Requirements | Rel-20
TS 33.805 vc00 | 3GPP Network Product Security Assurance Methodology | Rel-12
TR 33.916 vj00 | 3GPP Security Assurance Methodology (SECAM) | Rel-19
TR 33.926 vk00 | Security Assurance Specification (SCAS) | Rel-20