| Category | Security requirements |
|---|---|
| UE | Restrict access to only the LTE network (public land mobile network, PLMN) operated by the shared infrastructure (PS-LTE) |
| | Prohibit access to IP networks other than those operated by the owner organization |
| | Restrict network functions that let other devices access the IP networks, e.g., hotspot and tethering |
| | Protect external storage from being read |
| | Apply data leakage protection, e.g., encrypt the data store or build a cloud system so that the UE does not store data |
| | Enforce memory protection and apply a PIN to the USIM |
| | Enforce user-to-UE authentication |
| | Allow transmission and reception only on the PS-LTE radio frequency bands (enforced requirement) |
| | Enable minimum functionality of the UE when the network is disconnected or the mobile device management (security) policies are not applicable |
| | Allow only the mobile service applications on the whitelist to be installed |
| | Enforce encryption/decryption of all data sent from and received by the UE |
| | Enforce that the security policies are applied after factory initialization of the UE |
| | Protect the mobile applications that enforce security policies from being terminated or removed |
| | Keep the OS and the mobile applications installed on the UE up to date and confirm the integrity of the update files |
| | Prohibit rooted UEs from executing any functionality |
| PS-LTE infrastructure | Enforce multi-factor authentication for user-to-UE, user-to-infrastructure (network), and user-to-service authentication |
| | Check the validity of the IMSI and IMEI pair and of the user and UE pair during network connection |
| | Allow only those connections between LTE components that are specified in the standards, and restrict the connections to the service/protocol level |
| | Allow connection to the IP network only for UEs allocated an IP address within a distinguishable range |
| | Continuously change the ciphering keys used for data transfer, even within the same session |
| | Force traffic between type 1 UEs and an organization's IP network to pass through P-GWA and S-GWA, not P-GW or S-GW |
| | Allocate IP addresses to type 1 UEs that are distinct from those of other UEs |
| | Use security-certified devices to make up the security systems |
| PPDR service system | Provide an API for calling functions in the web server, and define/set authorization levels according to user type |
| | Prohibit execution of functions for which no API is defined |
| | Provide services that run in the web server to UEs only through the app server |
| | Do not store any generated or transiting data on the app server during service; the app server behaves like a proxy |
| | Develop the mobile service applications in an in-app fashion and check whether requests sent from the UE are generated by the applications; apps must not rely on a browser |
| | Develop the mobile service applications using obfuscation technologies |
| | Develop the app/web server programs and the mobile service applications following secure coding norms |
| | Use security-certified devices to make up the security systems |