ITU-T Series-X: Data Networks, Open System Communications and Security
The definitive source of ITU-T security architecture. X.805 defines the eight security dimensions across all network layers and planes: the framework that maps every telecom threat to a structured remediation domain.
Official Scope
Study Group: SG17 (Security)
Active Status: Ongoing (SG17 is the primary ITU-T security body)
Covers the complete security architecture for data networks and OSI systems: foundational security frameworks (X.800/X.805), identity management (X.509/X.1254), cryptographic frameworks (X.1034), 5G and virtualized infrastructure security (X.1038), incident management (X.1500 CYBEX), IoT security (X.1362), and quantum-safe cryptography (X.1714 series).
Tactical Security Significance
- Relevance: Critical (Core Security Architecture, 5G Infrastructure Security, Identity & Cryptography Standards)
- Key Security Concepts: X.805 Eight Security Dimensions, X.800 OSI Security Architecture, X.509 PKI, X.1038 NFV/5G Core Security, X.1035 Password-Authenticated Key Exchange, X.1500 CYBEX Vulnerability Exchange
- Attack Surface: Every network layer and plane. X.805 provides the decomposition framework; SG17 recommendations address each identified attack surface
Key Recommendations
| ITU Rec | Title | Security Domain | Cross-Reference |
|---|---|---|---|
| X.800 | Security architecture for Open Systems Interconnection (OSI) | OSI Security Framework Baseline | ISO/IEC 7498-2 |
| X.805 | Security architecture for systems providing end-to-end communications | 8 Security Dimensions × 3 Layers × 3 Planes | 3GPP TS 33.501 |
| X.509 | Information technology - The Directory: PKI and attribute certificates | PKI, Certificate Chains, mTLS | RFC 5280 |
| X.1034 | Guidelines on signature verification practices | Digital Signature Security | RFC 6960 (OCSP) |
| X.1035 | Password-authenticated key exchange (PAK) protocol | 5G UE Authentication / EAP-TLS | 3GPP TS 33.501 |
| X.1038 | Security requirements and framework for software-defined networking / NFV | 5G SBA & NFV Security | 3GPP SECAM/SCAS |
| X.1051 | Information security management guidelines for telecommunications | ISMS for Telecom Operators | ISO/IEC 27011 |
| X.1060 | Framework for the creation and operation of cyber defence centres | SOC/CSIRT Framework | NIST CSF |
| X.1254 | Entity authentication assurance framework | Authentication Assurance Levels | NIST SP 800-63 |
| X.1500 | Overview of cybersecurity information exchange (CYBEX) | Structured Vulnerability Exchange | CVE / STIX / TAXII |
Security Mapping
X.805: Eight Security Dimensions Applied to 5G
X.805 defines 8 security dimensions (Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy) mapped across 3 security layers (Infrastructure, Services, Applications) and 3 security planes (Management, Control, End-user).
For 5G networks, the 3GPP TS 33.501 security architecture is a direct realization of X.805:
| X.805 Dimension | 5G Realization |
|---|---|
| Access Control | NF (Network Function) authorization via OAuth2 (SBA) |
| Authentication | 5G-AKA / EAP-AKA' for UE; NF mutual TLS for SBA |
| Data Confidentiality | SUCI (subscriber identity concealment) via ECIES |
| Communication Security | N2/N3 IPsec (RAN–Core), TLS 1.3 on N32/SEPP |
| Availability | Network Slicing isolation; AMF/UPF redundancy |
| Privacy | SUPI concealment in SUCI; GUTI reallocation |
X.509 PKI: Certificate Chain Attacks in Telecom
X.509 certificates are the trust anchor for TLS, mTLS, SEPP (Security Edge Protection Proxy), and S/MIME in telecom. Certificate chain vulnerabilities directly expose 5G roaming security.
- Attack: Forged X.509 certificate (via compromised CA or certificate misissuance) allows MITM on the N32 SEPP interface, intercepting inter-PLMN signaling between operators
- Mitigation: Monitor CT logs for unexpected certificates in operator PKI; enforce certificate pinning for N32 SEPP connections; restrict trusted CA list for N32 to operator-controlled PKIs only
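The CT-log monitoring step above can be sketched as a triage pass over log entries. This is an added example, not code from the original page; the record shape, the namespace, the CA name and the pin values are all constructed assumptions.

```python
# Constructed operator inventory (illustrative values, not from a real network).
WATCHED_SUFFIX = "5gc.mnc001.mcc001.3gppnetwork.org"   # N32 namespace to watch
ALLOWED_ISSUERS = {"CN=Operator N32 Issuing CA 1"}     # operator-controlled CAs
KNOWN_PINS = {"pin-a1", "pin-b2"}   # placeholders for SPKI hashes of deployed SEPP certs

def covers_watched(name, suffix=WATCHED_SUFFIX):
    """True if a SAN dNSName (possibly a wildcard) falls under the suffix."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Compare on a label boundary so look-alikes such as
    # "<suffix>.other.example" or "x<suffix>" do not match.
    return name == suffix or name.endswith("." + suffix)

def triage_ct_entries(entries):
    """Return [(entry_id, finding)] for CT entries that need review."""
    findings = []
    for e in entries:
        if not any(covers_watched(n) for n in e["san"]):
            continue  # certificate does not claim a name in our namespace
        if e["issuer"] not in ALLOWED_ISSUERS:
            findings.append((e["id"], "issuer outside operator PKI"))
        elif e["spki_pin"] not in KNOWN_PINS:
            findings.append((e["id"], "unknown key issued by operator CA"))
    return findings

# Constructed CT log entries in an assumed, simplified record shape.
SAMPLE_ENTRIES = [
    {"id": 1, "san": ["sepp1.5gc.mnc001.mcc001.3gppnetwork.org"],
     "issuer": "CN=Operator N32 Issuing CA 1", "spki_pin": "pin-a1"},
    {"id": 2, "san": ["sepp1.5gc.mnc001.mcc001.3gppnetwork.org"],
     "issuer": "CN=Example Public CA", "spki_pin": "pin-zz"},
    {"id": 3, "san": ["*.5GC.mnc001.mcc001.3gppnetwork.org."],
     "issuer": "CN=Operator N32 Issuing CA 1", "spki_pin": "pin-c3"},
    {"id": 4, "san": ["5gc.mnc001.mcc001.3gppnetwork.org.cdn.example"],
     "issuer": "CN=Example Public CA", "spki_pin": "pin-yy"},
]

if __name__ == "__main__":
    for entry_id, finding in triage_ct_entries(SAMPLE_ENTRIES):
        print(entry_id, finding)
```

Entry 3 shows why the key check matters even when the issuer is on the allowlist: a certificate from the operator's own CA with an undeployed key is the signal a CA compromise would leave.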
X.1038: 5G SBA and NFV Security Architecture
X.1038 defines the security framework for Software-Defined Networking (SDN) and Network Functions Virtualization (NFV), the enabling technologies for 5G Service-Based Architecture (SBA).
- Threat: A compromised NF (e.g., AMF) in the SBA can query other NFs without proper OAuth2 scope enforcement, enabling unauthorized subscriber data access
- Mitigation: Enforce X.1038 NF authentication and authorization: mutual TLS for all SBA interfaces; OAuth2 access tokens with explicit scope claims per 3GPP TS 33.501 Clause 13
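A producer-side check that combines the mTLS identity with the token's scope claim, as the mitigation above describes. This is an added example, not code from the original page or from 3GPP; it assumes the token signature was already verified against the NRF key, and the NF instance IDs and the sample scope values `nudm-uecm` and `nudm-sdm` are chosen for illustration.

```python
import time

def authorize_nf_request(claims, peer_cert_nf_id, producer, service, now=None):
    """Return (allowed, reason) for one SBA request arriving at an NF producer.

    claims          -- access-token claims (signature already verified)
    peer_cert_nf_id -- NF instance ID taken from the mTLS client certificate
    producer        -- this producer's 'nf_id', 'nf_type' and 'trusted_nrf'
    service         -- NF service the request targets
    """
    now = time.time() if now is None else now
    if claims.get("iss") != producer["trusted_nrf"]:
        return False, "issuer is not the trusted NRF"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    # Bind the token to the TLS peer: a token lifted from one NF and
    # replayed over another NF's connection is rejected here.
    if claims.get("sub") != peer_cert_nf_id:
        return False, "token subject does not match mTLS client identity"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if producer["nf_id"] not in aud and producer["nf_type"] not in aud:
        return False, "token audience does not name this producer"
    # scope is a space-separated list; exact match only, no prefix or wildcard.
    if service not in str(claims.get("scope", "")).split():
        return False, f"scope does not cover {service}"
    return True, "ok"

# Constructed sample data: a UDM producer and a token the NRF issued to an AMF.
UDM = {"nf_id": "udm-0001", "nf_type": "UDM", "trusted_nrf": "nrf-0001"}
TOKEN = {"iss": "nrf-0001", "sub": "amf-0001", "aud": "UDM",
         "scope": "nudm-uecm", "exp": 2_000_000_000}

if __name__ == "__main__":
    t = 1_700_000_000
    # Allowed: service is in scope and the TLS peer is the token subject.
    print(authorize_nf_request(TOKEN, "amf-0001", UDM, "nudm-uecm", now=t))
    # Denied: the AMF asks for a service its token was never scoped for.
    print(authorize_nf_request(TOKEN, "amf-0001", UDM, "nudm-sdm", now=t))
    # Denied: the same token presented over a different NF's connection.
    print(authorize_nf_request(TOKEN, "smf-0009", UDM, "nudm-uecm", now=t))
```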
```mermaid
graph TD
    A[X.805 Security Framework] --> B[Infrastructure Layer]
    A --> C[Services Layer]
    A --> D[Applications Layer]
    B --> E[Management Plane]
    B --> F[Control Plane]
    B --> G[End-User Plane]
    E --> H[M-Series: TMN Security]
    F --> I[Q-Series: Signaling Firewall]
    G --> J[G-Series: Transport Encryption]
    C --> K[X.1038: 5G SBA/NFV Security]
    D --> L[X.1051: ISMS for Telecom]
```
Operational Audit
- X.805 Security Architecture Audit Checklist: Comprehensive checklist for auditing the 8 security dimensions across all network layers and planes.
- X.1038 NFV/5G Core Security Checklist: Audit checklist for 5G SBA and virtualized infrastructure security per X.1038.
- X.1051 ISMS Checklist: Information security management framework checklist for telecom operators.
Generation-Specific Bridges
- 3GPP Rel-15: 5G Security Baseline: X.805 to TS 33.501 mapping for 5G core deployment
- 3GPP Rel-17: 6G Preparation: X.1038 SDN/NFV evolution into 6G security architecture
Note: This series is part of the master Series Tracker.