ETSI TS 103 924 V1.1.1 (2022-12)

TECHNICAL SPECIFICATION
Optical Network and Device Security
Catalogue of requirements
2 ETSI TS 103 924 V1.1.1 (2022-12)

Reference
DTS/CYBER-0078
Keywords
cybersecurity, network, optical, requirements

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2022.
All rights reserved.
ETSI
3 ETSI TS 103 924 V1.1.1 (2022-12)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definition of terms, symbols and abbreviations . 9
3.1 Terms . 9
3.2 Symbols . 9
3.3 Abbreviations . 9
4 Summary of security requirements for optical networks and devices . 11
4.1 Rationale for provision of security functions in optical networks . 11
4.2 Definition of optical network . 11
4.3 Optical network functionality (user and control) . 12
4.4 Optical network functionality (management) . 13
4.5 Optical network security objectives . 14
4.6 ON (user, control and management) security and trust associations . 14
5 Identification and authentication framework . 14
5.1 Introduction . 14
5.2 Functional identification and authentication . 15
6 Confidentiality protection. 15
6.1 Protection of data in transit (access and core) . 15
6.2 Protection of data at rest . 16
6.2.1 Cryptographic key management (symmetric keying) . 16
6.2.2 Certificate management (asymmetric keying) . 16
7 Integrity protection . 16
7.1 Core capabilities of OTH . 16
7.2 Network and Data integrity protection in transit . 17
7.3 Integrity protection of data at rest. 17
7.4 Message Integrity Protection . 17
8 Availability protection . 18
8.1 Redundancy protection . 18
8.2 Denial of Service and Distributed Denial of Service protection. 18
8.3 Network security awareness . 18
8.4 Passive versus Active Optical Networks . 18
Annex A (informative): Simplified threat analysis for optical networks . 19
A.1 Overview and method . 19
A.2 Core risk analysis - asset level risks . 19
A.3 Cost Benefit Analysis - outline view and application . 20
A.3.1 Standards design . 20
A.3.2 Implementation . 20
A.3.3 Operation . 20
A.3.4 Regulatory impact . 20
A.3.5 Market acceptance . 21
A.4 Wider review of application of security controls . 21
A.5 Specific risk analysis for ONs . 24
A.5.1 Risks to confidentiality . 24
ETSI
4 ETSI TS 103 924 V1.1.1 (2022-12)
A.5.2 Risks to integrity . 25
A.5.3 Risks to availability . 25
Annex B (informative): Stage 2 mapping to devices and equipment . 26
B.1 Purpose of mapping exercise . 26
B.2 Reference device model for Optical Transport Network and allocation of security functions to
devices . 26
Annex C (informative): Assignment of trust domains and security associations for key
management in OTNs . 28
Annex D (informative): Cryptographic algorithm selection . 29
Annex E (informative): Bibliography . 30
E.1 Articles on tapping of optical fibre . 30
E.2 Cross referenced ISO documents . 30
E.3 Regulatory documents . 30
History . 31

ETSI
5 ETSI TS 103 924 V1.1.1 (2022-12)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its

Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP
Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the ®
oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI
6 ETSI TS 103 924 V1.1.1 (2022-12)
1 Scope
The present document provides a catalogue of baseline requirements specific to optical network and devices covering
access network, transport network and network management system.
The present document presents the functional requirements using the stage 2 model approach outlined in
Recommendation ITU-T Q.65 [i.1] and adopts the functional framework for security functions from ETSI
TS 102 165-2 [i.2].
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] FIPS 140-2: "Security Requirements for Cryptographic Modules".
[2] FIPS 140-2: "Annex C: Approved Random Number Generators".
NOTE: ISO/IEC 19790:2012: "Information technology - Security techniques - Security requirements for
cryptographic modules" (see Annex E, bibliography) also applies for each of [1] and [2].
[3] NIST Special Publication 800-90B: "Recommendation for the Entropy Sources Used for Random
Bit Generation".
NOTE: ISO/IEC 20543: "Information technology - Security techniques - Test and analysis methods for random
bit generators within ISO/IEC 19790 and ISO/IEC 15408" also applies to this standard (see Annex E,
bibliography).
[4] Recommendation ITU-T G.975 "Forward error correction for submarine systems".
[5] Recommendation ITU-T G.975.1: "Forward error correction for high bit-rate DWDM submarine
systems".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] Recommendation ITU-T Q.65 (06/97): "The unified functional methodology for the
characterization of services and network capabilities".
ETSI
7 ETSI TS 103 924 V1.1.1 (2022-12)
[i.2] ETSI TS 102 165-2: "CYBER; Methods and protocols; Part 2: Protocol Framework Definition;
Security Counter Measures".
[i.3] Recommendation ITU-T G.709: "Interfaces for the optical transport network".
[i.4] Broadband Forum.
[i.5] European Parliament legislative resolution of 10 November 2022 on the proposal for a directive of
the European Parliament and of the Council on measures for a high common level of cybersecurity
across the Union, repealing Directive (EU) 2016/1148 (COM(2020)0823 - C9-0422/2020 -
2020/0359(COD).
[i.6] ETSI TS 102 165-1: "CYBER; Methods and protocols; Part 1: Method and pro forma for Threat,
Vulnerability, Risk Analysis (TVRA)".
[i.7] Recommendation ITU-T G.707: "Network node interface for the synchronous digital hierarchy
(SDH)".
[i.8] Recommendation ITU-T G.783: "Characteristics of synchronous digital hierarchy (SDH)
equipment functional blocks".
[i.9] Recommendation ITU-T G.784: "Management aspects of synchronous digital hierarchy (SDH)
transport network elements".
[i.10] Recommendation ITU-T G.803: "Architecture of transport networks based on the synchronous
digital hierarchy (SDH)". .
[i.11] ANSI T1.105: "Synchronous Optical Network (SONET) - Basic Description Including Multiplex
Structure, Rates, And Formats".
[i.12] ETSI GR ETI 002: "Encrypted Traffic Integration (ETI); Requirements definition and analysis".
NOTE: Currently in development.
[i.13] Recommendation ITU-T G.984.1: "Gigabit-capable passive optical networks (GPON): General
characteristics".
[i.14] Recommendation ITU-T X.800: "Recommendation ITU-T X.800: Security Architecture for Open
Systems Interconnection for CCITT Applications".
[i.15] Recommendation ITU-T G.805: "Generic functional architecture of transport networks".
[i.16] Recommendation ITU-T G.872: "Architecture of the optical transport network".
[i.17] Recommendation ITU-T G.7714.1: "Protocol for automatic discovery in transport networks".
[i.18] FIPS 197: "Advanced Encryption Standard (AES)".
NOTE: The above specification is also included in ISO/IEC 18033-3 [i.42].
[i.19] FIPS 180-4: "Secure Hash Standard (SHA)".
[i.20] ETSI TR 103 305-1: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 1: The Critical Security Controls".
[i.21] ETSI GR F5G 010: "Fifth Generation Fixed Network (F5G); Security; Threat Vulnerability Risk
Analysis and countermeasure recommendations for F5G".
[i.22] IETF STD 62.
NOTE: See https://www.rfc-editor.org/info/std62.
[i.23] NIST SP 800-38D: "Recommendation for Block Cipher Modes of Operation: Galois/Counter
Mode (GCM) and GMAC".
[i.24] ETSI GR NFV-SEC 003: "Network Functions Virtualisation (NFV); NFV Security; Security and
Trust Guidance".
ETSI
8 ETSI TS 103 924 V1.1.1 (2022-12)
[i.25] Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing
Directive 2014/53/EU of the European Parliament and of the Council with regard to the
application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that
Directive.
[i.26] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on
ENISA (the European Union Agency for Cybersecurity) and on information and communications
technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity
Act) (Text with EEA relevance).
[i.27] OTN-SEC (Supplement 76 to ITU-T G-Series Recommendations provides an overview of
applications and use cases for secure optical transport in various OTN layers. The Supplement
relates to Recommendations ITU-T G.709/Y.1331 and ITU-T G.709.1/Y.1331.1).
[i.28] IETF RFC 3414 (STD 62): "User-based Security Model (USM) for version 3 of the Simple
Network Management Protocol (SNMPv3)".
[i.29] ETSI TR 102 419: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security analysis of IPv6 application in telecommunications
standards".
[i.30] Recommendation ITU-T G.709.1: "Flexible OTN short-reach interfaces".
[i.31] NIST Framework for Improving Critical Infrastructure Cybersecurity.
NOTE: Available from https://doi.org/10.6028/NIST.CSWP.04162018.
[i.32] Recommendation ITU-T G.9807.1: "10-Gigabit-capable symmetric passive optical network
(XGS-PON)".
[i.33] Recommendation ITU-T M.370x: "Common management services".
NOTE: 'x' refers to all of M.370/M.3701/M.3702 and so on.
[i.34] Recommendation ITU-T G.7710: "Common equipment management function requirements".
[i.35] Recommendation ITU-T G.984.3: "Gigabit-capable passive optical networks (GPON):
Transmission convergence layer specification".
[i.36] Supplement 51 to Recommendation ITU-T G-series: "Passive optical network protection
considerations".
[i.37] Recommendation ITU-T G.987: "10-Gigabit-capable passive optical network (XG-PON) systems:
Definitions, abbreviations and acronyms".
[i.38] Recommendation ITU-T G.989: "40-Gigabit-capable passive optical networks (NG-PON2):
Definitions, abbreviations and acronyms".
[i.39] Proposal for a Regulation of the European Parliament and of the Council on horizontal
cybersecurity requirements for products with digital elements and amending Regulation
(EU) 2019/1020.
[i.40] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on
the protection of natural persons with regard to the processing of personal data by the Union
institutions, bodies, offices and agencies and on the free movement of such data, and repealing
Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance).
[i.41] ETSI TR 103 838: "Cyber Security; Guide to Coordinated Vulnerability Disclosure".
[i.42] ISO/IEC 18033-3: "Information technology - Security techniques - Encryption algorithms -
Part 3: Block ciphers".
ETSI
9 ETSI TS 103 924 V1.1.1 (2022-12)
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
adaptation source: transport processing function which adapts the client layer network characteristic information into a
form suitable for transport over a trail in the server layer network
Control Plane Security Function (CPSF): set of security functions that protect activities that enable the efficient
exchange of control and signal data
NOTE: The CPSF typically involves Network Element (NE) to NE communication of information that allows
NEs (e.g. OTN, OLT) to determine how best to transfer traffic across the optical transmission network.
General Security Function (GSF): set of general security functions that apply to UPSF, CPSF and MPSF to provide
fundamental protections for optical NEs
Management Plane Security Function (MPSF): set of security functions that protect OAM&P functions of the optical
NEs
Optical Transport Network (OTN): optical telecommunication network segment comprised by a set of optical
network nodes/equipment connected through optical fibres that provide the functionality of transport, multiplexing,
switching, management, supervision and survivability of the optical channels carrying the end-user's client signals,
according to the requirements given in Recommendation ITU-T G.872 [i.16]
Optical Transport Network Node Interface (ONNI): interface at an optical transport network node which is used to
interconnect with another optical transport network node
trail: "transport entity" which consists of an associated pair of "unidirectional trails" capable of simultaneously
transferring information in opposite directions between their respective inputs and outputs (from
Recommendation ITU-T G.805 [i.15])
User Plane Security Function (UPSF): set of security functions that secure the connectivity provided by carriers, user
access and use of the network, the user data flows transferring via optical network
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ABAC Attribute Based Access Control
AEAD Authenticated Encryption with Associated Data
AES Advanced Encryption Standard
AON Active Optical Network
CBA Cost Benefit Analysis
CIA Confidentiality Integrity Availability
C-MAC Cipher-based Message Authentication Code
CPE Customer Premises Equipment
CPN Customer Premises Network
CPSF Control Plane Security Function
CRC Cyclic Redundancy Check
CSC Cyber Security Control
DCN-DA Data Centre Network Discovery Agent
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DMARC Domain-based Message Authentication Reporting and Conformance
ETSI
10 ETSI TS 103 924 V1.1.1 (2022-12)
DNS Domain Name System
DoS Denial of Service
FCAPS Fault Configuration Accounting Performance Security
FCC Fast Channel Change
FEC Forward Error Correction
FTTB/C Fibre To The Building/Curb
FTTCab Fibre To The Cabinet (data centre cabinet)
FTTH Fibre To The Home
GEM GPON Encapsulation Method
GPON Gigabit capable Passive Optical Networks
GSF General Security Function
HMAC Hash based Message Authentication Code
HTML Hypertext Markup Language
HTTP/S HyperText Transfer Protocol / Secure
IP Internet Protocol
IV Initialization Value
MAC Message Authentication Code
MFA Multi-Factor Authentication
MFAS Multi Frame Alignment Signal
MPLS Multi Protocol Label Switching
MPSF Management Plane Security Function
NE Network Element
NG Next Generation
NIDS Network Intrusion Detection System
NMS Network Management System
NMS-EMS Network Management System - Element Management System
O&AM Operations and Asset Management
O&M Operations and Management
OAM&P Operations, Asset Management and Provisioning
OAN Optical Access Network
ODU Optical Data Unit
OH OverHead
OLT Optical Line Terminal
OMCI Optical network terminal Management and Control Interface
ON Optical Network
ONNI Optical transport Network Node Interface
ONT Optical Network Termination
ONU Optical Network Unit
OPU Optical Payload Unit
OSI Open Systems Interconnection
OSMC OTN Synchronization Message Channel
OTH Optical Transport Hierarchy
OTN Optical Transport Network
OTU Optical Transport Unit
PCEP Path Computation Element
PLOAM Physical Layer Operation Administration and Maintenance
PON Passive Optical Network
RoT Root of Trust
RS Reed Solomon
SA Security Association
SDH Synchronous Digital Hierarchy
SNMP Simple Network Management Protocol
SONET Synchronous Optical Network
SPL SPLitter
TCP-ID Termination Connection Point Identifier
TCP-ID Termination Connection Point Identifier
ToE Target of Evaluation
UPSF User Plane Security Function
URL Uniform Resource Locator
USM User-based Security Model
WDM Wavelength Division Multiplexing
XGS 10-Gigabit-capable Symmetric PON (in the context of XGS-PON)
ETSI
11 ETSI TS 103 924 V1.1.1 (2022-12)
4 Summary of security requirements for optical
networks and devices
4.1 Rationale for provision of security functions in optical
networks
Optical fibre networks are not immune to security attacks. The splicing of optical fibre and the leakage of signals from
bent fibres is a recognized means of extracting content from fibre thus the confidentiality of communications without
additional measures cannot be assured. Similarly it is possible for an attacker to inject signals into fibre and therefore
the source and integrity of any signal or content can similarly not be assured. A simplified threat evaluation is given in
Annex A of the present document. It is necessary to consider that optical networks are targets of attack and that
assurance of confidentiality, integrity and availability cannot be given without added security measures.
A number of techniques do exist for detection of faults that can indicate a potential breach. For example if the cable is
distorted or damaged at a splice point, or interception curve, optical reflectometry can detect the approximate location
of the breach. However as the optical bandwidth is increased, and the symbol rate is increased, the noise margin of the
connection is decreased with the result that adding probe signals to detect line problems may interfere with the signal by
further reducing the noise margin. The degree to which an interception probe interferes with the optical transport signal
is not fixed and can, if applied, result in loss of signal at the receiver.
NOTE 1: As identified in a number of sources (see Annex E, bibliography) the tapping of optical fibres to extract
content is a well known attack vector for interception of content.
NOTE 2: The term interception is often considered to be a synonym of the term eavesdropping to imply secretly
"listening in" to the content of communication. The term interception as used in the present document is
more nuanced and is intended to convey the act of finding and observing where communication takes
place, i.e. the fibre optic cable. Any action after interception, such as listening in or eavesdropping on
content, is considered for the present document as a secondary action and unrelated to the interception
itself.
4.2 Definition of optical network
An optical network is distinguished from a non-optical network by the physical means of transferring data, which is
achieved using fibre optic links, data encoded using photons, and by the use of optical switching. The core definition of
the structure of Optical Networking interfaces is found in Recommendation ITU-T G.709 [i.3], defining the Optical
Transport Hierarchy (OTH), including the structure of an optical data unit, which is revised and extended by activities
of other ETSI groups and by groups including the Broadband Forum [i.4]. The core definition of the structure of Gigabit
capable Passive Optical Networks (GPONs) is found in Recommendation ITU-T G.984.1 [i.13], defining the network
architecture, reference configuration, interfaces and so on.
For the purposes of the present document the optical network is defined as a network that lies between the customer
premises network and the core network with a primary purpose of providing high-capacity data access and high-rate
data transport to enable high-quality network services with full fibre connection. For the present document the term
optical network is limited to considerations of the Optical Transport Network (OTN) and the Optical Access Network
(OAN) and to the devices that support them. It provides network access and transport services to a variety of markets
including individual customer, government, industry, business, etc. Thus the present document discusses the optical
access-, aggregation- and core network aspects.
NOTE 1: The core content of Recommendation ITU-T G.709 [i.3], nor of Recommendation ITU-T G.984.1 [i.13],
does not define any security specific elements or any encoding of native security functionality.
Historically the Synchronous Optical Network (SONET) and the Synchronous Digital Hierarchy (SDH) also played a
significant role in the delivery of optical networking services for (mostly) circuit mode connections (voice) and the
latter was developed in ETSI but later subsumed into standards from ITU-T as Recommendations G.707 [i.7],
G.783 [i.8], G.784 [i.9] and G.803 [i.10]. The SONET specification is formalized in ANSI T1.105 [i.11]. The present
document focusses on the mapping to OTH and to GPON, and only addresses SDH and SONET for completeness as
mappings exist for carriage of SDH/SONET on OTH.
ETSI
12 ETSI TS 103 924 V1.1.1 (2022-12)
NOTE 2: SONET, SDH and G.709 all refer to themselves as transport protocols but this is not to be confused with
the transport layer protocol model commonly identified in the OSI model. The model in SONET, SDH
and G.709 applies transport to the physical means of getting data from A to B across a network using an
optical transmission system (i.e. fibre optic cable and phased light), i.e. transport protocol in the meaning
of transmission protocol.
NOTE 3: OTN as defined in Recommendation ITU-T G.709 [i.3], operates at the data link layer (i.e. layer 2) of
Open Systems Interconnection (OSI) model defined in Recommendation ITU-T X.800 [i.14] thus whilst
referring to Optical Transport Networks this should not be confused with the functions of the OSI
transport layer.
The optical information elements in OTH (G.709) represent one of control, signalling data, and user data. The
distinction between control data and signalling data is that control data is required by the system itself to manage
entities in the optical network (e.g. O&M facilities), whereas signalling data is associated to the user plane. In addition
the user data plane can contain higher layer signalling that is transparent to the optical network.
EXAMPLE: User devices connecting to the Internet and to Web-services will exchange a number of signalling
protocols including DNS, HTTP/S and SNMP that present data to user applications in the form of
URLs, HTML pages and email content.
It is recognized that the telecommunications network is composed of a mix of optical links, copper links (e.g. twisted
pair or coaxial cable ethernet links), wireless links (long and short range), and silicon based processing. An attack on an
associated processing element or copper link or wireless link can be considered as a side-channel attack on the optical
fabric. It is also recognized that an attacker can use multiple attacks in sequence or in parallel to achieve their goals. A
summary of the threats and vulnerabilities associated to ONs is given in Annex A of the present document.

Figure 1: Optical network architecture (device level)
4.3 Optical network functionality (user and control)
NOTE 1: The text in this clause summarizes functions in optical networks that is derived from G.709, SDH and
SONET.
The optical network in the scope of the present document describes a transmission system that is used to carry client
data, where client data can be presented in a number of formats, including Ethernet frames, IP packets, MPLS frames
and so on. Client data is transferred through the Optical transport network by encapsulation into an Optical Payload
Unit (OPU) into an Optical Data Unit (ODU), or directly as an OPU. OPUs are then encoded into Optical Transport
Units (OTUs). The point of interconnect between nodes is identified by the Optical Network Node Interface (ONNI)
which is defined in detail in Recommendation ITU-T G.805 [i.15], and also in Recommendation ITU-T G.709 [i.3], and
is derived from the functional architecture defined in Recommendation ITU-T G.872 [i.16].
ETSI
13 ETSI TS 103 924 V1.1.1 (2022-12)

Figure 2: Optical Transport Network Connection structure
In general terms an optical network consists of 2 types of physical network device: Optical Line Terminal (OLT) and
Optical Transport Network switches or routers (OTN).
NOTE 2: The OLT, OTN distinction can be derived from the functional model given in
Recommendation ITU-T G.805 [i.15] where the OLT is an adaptation source of a trail.
NOTE 3: The combination of function into specific devices is not addressed by the present document although in
the present document indicative combinations are presented in Annex A.
As seen in figure 1 "Network architecture" in clause 5.1 of Recommendation ITU-T G.984.1 [i.13] the OAN, an optical
implementation of a local access network system, can be either active or passive and its architecture can be either point-
to-point or point-to-multipoint. Figure 1 of the present document shows the architectures considered of a local access
network system, which range from Fibre To The Home (FTTH), through Fibre To The Building/Curb (FTTB/C) to
Fibre To The Cabinet (data centre cabinet) (FTTCab), and practically to a room or client device. Client data processed
by an OLT will be transmitted into the OTN.
4.4 Optical network functionality (management)
The provisions for securing the management of the optical network should follow existing best practice for securing
management data and protocols.
In particular it is recognized that the NMS manages and controls devices on optical networks, supports unified
management, and offers control of networks. Thus the NMS integrates functions including network management,
service control, and network analysis. It is enablement system for network resource pooling, network connection
automation and self-optimization, and O&M automation. The Recommendation ITU-T M.370x [i.33] series of
Recommendations define the management functions applicable in the Network Management System-Element
Management System (NMS-EMS) interface which includes object management, state management, notification
management, performance management and fault management. More specifically, the common equipment management
function requirements for optical network are specified in Recommendation ITU-T G.7710 [i.34]. The optical NMS
can support SNMP, PCEP, and Netconf, with the following functionalities:
• discover and update the network topology in real time;
• conduct the device and service configuration;
• FCAPS management;
• responsible to the network resilience via mechanisms like protection and/or restoration.
ETSI
14 ETSI TS 103 924 V1.1.1 (2022-12)
EXAMPLE: If Simple Network Management Protocol (SNMP), defined in IETF STD 62 [i.22], is used then the
security models incorporated are adopted, thus the User-based Security Model (USM) defined in
IETF RFC 3414 [i.28] are used.
4.5 Optical network security objectives
It is noted in [i.5] that optical networks are susceptible to eavesdropping attacks by interception of the signals on the
fibre, and have associated vulnerabilities of availability from conventional physical attack. It is also noted that as the
data load carried by optical networks is substantial, and that a single fibre using the multiplexing arrangements
described in Recommendation ITU-T G.709 [i.3] support multiple customers and/or multiple services, an attack of any
type will have a high impact to the customer. (See also the risk analysis provided in Annex A).
NOTE 1: When the term optical transmission is used in the present document it is referring to the physical use of
light to transfer data and not to any specific network configuration or equipment.
As stated in ETSI TS 102 165-1 [i.6] an objective is the expression of what a security system should be able to do in
very broad terms, whereas a requirement is a more detailed specification of how an objective is achieved.
With respect to confidentiality the user content of an optical transmission should not be available to an attacker even if
the raw data is intercepted.
Endpoints of each link should be uniquely identifiable, and should be able to verify their identity (i.e. their identity
rd
should be verifiable by a 3 party).
Data (content, control, signalling) that is essential to the management of the network should only be visible to
authorized entities in the network.
NOTE 2: The capabilities defined in ETSI GR ETI 002 [i.12] apply where encryption is applied to data.
Clauses 5, 6, 7 and 8 introduce general requirements to achieve the security objectives.
4.6 ON (user, control and management) security and trust
associations
In like manner to the model given in ETSI TS 102 165-2 [i.2] each security measure creates a security association
between two or more assets in the ON (see also Annex D). The security association can also be dependent on an explicit
trust association that creates a trust boundary around a set of assets (the set of assets within the trust boundary is
considered to be in the same trust domain (see also Annex D)).
5 Identification and authentication framework
5.1 Introduction
In simple terms identity, semantic or canonical, in context, is the anchor for most security functions if a key or
credential is bound to an identified entity and purpose.
NOTE: A semantic identity is one that informs of its purpose, so an email address is a semantic identifier as it
informs that the content is for use in email. A canonical identifier is one that has no association to purpose
but where its purpose is added by an association, an example is the string 123456 which if used as an
identifier needs additional context to identify its purpose, for example it can be the serial number of an
IoT device.
Conventionally at the OSI-Link layer, layer-2 and at the physical layer (layer-1), the set of functions identified by
Recommendation ITU-T X.800 [i.14] are as follows:
• At layer 1: Connection confidentiality, Traffic flow confidentiality
• At layer 2: Connection confidentiality, Connectionless confidentiality
ETSI
15 ETSI TS 103 924 V1.1.1 (2022-12)
With respect to the security functions of the NMS entities, they are mapped to the OSI model at each of the network
layer, session layer, presentation layer and application layer, and the set of functions identified by Recommendation
ITU-T X.800 [i.14] at layer 3 are as follows:
• At layer 3: Peer entity authentication, Data origin authentication, Access control service, Connection
confidentiality, Connectionless confidentiality, Traffic flow confidentiality, Connection integrity without
recovery, Connectionless integrity.
Within the optical network, entities shall be able to be uniquely identified to each other element within a single trusted
domain (see Annex C for an overview of the establishment of trusted domains in ONs).
For each of Connection confidentiality and Connectionless confidentiality the confidentiality service (see also clause 6)
shall be bound to the semantic and canonical identifier of the terminator of the service.
The mechanisms defined in Recommendation ITU-T G.7714.1 [i.17] and in Recommendation ITU-T G.709 [i.3]
clause 15.8.2.3 apply for the definition and assignment of a Termina
...