📋 Audit Checklist: Transport & Optical Security
GPON Access Security (G.984)
Downstream Encryption (AES-128): Confirm that AES-128 encryption is enabled for all downstream GEM (GPON Encapsulation Method) ports. Audit the "Key Exchange" process (GEM port 0). Verify that keys are rotated every 15-60 minutes.
ONU/ONT Authentication: Confirm that all ONUs (Optical Network Units) are authenticated using a serial number (SN) and an optional "Registration ID" password.
Rogue ONT Detection: Is the OLT configured to automatically shut down or isolate any ONT that transmits at the "wrong time" (Continuous Mode Fault)?
Data Isolation (OMCI Security): Verify that management traffic (OMCI) is isolated from user traffic (VLANs/VRFs).
Optical Transport Network (OTN) (G.709)
Control Plane Isolation (ASON/GMPLS): Verify that the OTN control plane signaling is carried over an authenticated/secure Supervisory Channel (OSC).
Payload Transparency & Integrity: Confirm that client signals (Ethernet, FC) are mapped into ODU (Optical Data Unit) frames without unintended payload leakage between channels.
Optical Fragmentation Protection (OTU Security): Audit the configurations for "OTU-Level Protection" (O-SNCP). Verify failover times meet the <50 ms requirement.
Smart Grid PLC Security (G.9903)
Data Encryption (MAC Layer): Confirm that AES-128 CCM (Counter with CBC-MAC) is enabled for all data payloads. Audit the key management: are "Network Keys" rotated periodically using the 6LoWPAN/802.15.4 security framework?
Device Authentication: Verify that new Smart Meters (nodes) are authenticated using an EAP-PSK or certificate-based mechanism before joining the PLC mesh.
Anti-Replay Protection: Is the Frame Counter (FC) check enabled for all incoming PLC frames?
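What an enabled Frame Counter check should do with incoming frames, as an added example that is not part of the original checklist or any vendor's code. It is a simplified model assuming a 32-bit per-sender counter in the style of 802.15.4 security; the names ReplayGuard, audit and SAMPLE_FRAMES are hypothetical and the traffic is constructed.

```python
# Added example: model of an incoming frame-counter (anti-replay) check.
from dataclasses import dataclass, field

FC_EXHAUSTED = 0xFFFFFFFF  # 32-bit counter at its maximum: key must be replaced


@dataclass
class ReplayGuard:
    # Next acceptable frame counter per sender address (hypothetical structure).
    next_fc: dict = field(default_factory=dict)

    def accept(self, sender: str, fc: int, mic_ok: bool) -> str:
        """Return a verdict for one received secured frame."""
        if fc == FC_EXHAUSTED:
            return "reject:counter-exhausted"
        if fc < self.next_fc.get(sender, 0):
            return "reject:replay"
        if not mic_ok:
            # Do not advance state on an unauthenticated frame, otherwise a
            # forged high counter would lock out the genuine sender.
            return "reject:bad-mic"
        self.next_fc[sender] = fc + 1
        return "accept"


def audit(frames):
    """Run constructed frames through the guard and collect verdicts."""
    guard = ReplayGuard()
    return [guard.accept(s, fc, ok) for s, fc, ok in frames]


# Constructed sample traffic: (sender, frame counter, MIC verified?)
SAMPLE_FRAMES = [
    ("meter-A", 10, True),          # fresh frame
    ("meter-A", 11, True),          # next frame
    ("meter-A", 10, True),          # captured frame sent again
    ("meter-A", 5000, False),       # forged counter, MIC fails
    ("meter-A", 12, True),          # genuine sender still accepted
    ("meter-B", 11, True),          # counters are tracked per sender
    ("meter-B", 0xFFFFFFFF, True),  # counter space used up
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, audit(SAMPLE_FRAMES)):
        print(frame, "->", verdict)
```

During an audit, the same three rejections (replayed counter, failed MIC, exhausted counter) are the cases to look for in the device's drop counters or test results.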
Timing & Synchronization (G.8275 / G.8273)
PTP (IEEE 1588) Security: For Precisely Timed Networks (5G Sync), verify that PTP messages are authenticated and checked for "Time Spoofing".
Anti-Jamming (Synchronization Loss): Audit the "Holdover" capabilities of the Grandmaster clock. Is there a precise internal atomic clock (Rb/Cs) for sync stability during GPS/GNSS jamming?