The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that apply to more than one network product class, while this Annex covers the aspects specific to the SMSF network product class.

As part of the SMSF network product, it is expected that the SMSF contains SMSF application, a set of running processes (typically more than one) executing the software package for the SMSF functions and OAM functions that are specific to the SMSF network product model. Functionalities specific to the SMSF network product introduce additional critical assets and/or threats as described below.

In addition to the critical assets of a GNP described in clause 5.2 of the TS 33.926 document, the critical assets specific to the SMSF to be protected are:

• SMSF Application;
• NF and User Data: e.g. NF capabilities and events, network and user sensitive information (e.g., UeSMSContextData like supi, gpsi, ueLocation etc.), data retrieved from UDM, etc.
• The interfaces of SMSF to be protected and which are within SECAM scope:
  • Service based interface for providing services to AMF, SMS-GMSC, IP-SM-GW, SMS-Router
  • Service based interface for consuming services from AMF, UDM
  • Reference point interface SGd (Diameter-based) with IP-SM-GW, SMS-GMSC, SMS- router
  • MAP-based SS7 interface with IP-SM-GW/GMSC/SMS- router
  • Console interface, for local access: local interface on SMSF
  • OAM interface, for remote access: interface between SMSF and OAM system
• SMSF Software: binary code or executable code