
New telecoms security framework

by Mark Rowe

The Telecommunications (Security) Act became law in November. Currently, telecoms firms set their own security standards in their networks. However, the UK Government’s Telecoms Supply Chain Review found providers often have little incentive to adopt best security practices.

Hence new UK Government regulations and a code of practice set out specifics for UK public telecoms providers to meet their legal duties in the Act. The communications regulator Ofcom will oversee and enforce the new legal duties and have the power to carry out inspections of telecoms firms’ premises and systems to ensure they’re meeting their obligations. If companies fail to meet their duties, the regulator will be able to issue fines of up to ten per cent of turnover or, in the case of a continuing contravention, £100,000 per day.

From October, providers will be subject to the new rules and Ofcom will be able to use its new powers. Guidance within the code of practice includes:

identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers. This includes radio masts and internet equipment supplied to customers, such as Wi-Fi routers and modems, which act as entry points to the network;
keeping control of who can make network-wide changes;
protecting against malicious signalling coming into the network which could cause outages;
understanding risks facing their networks; and
making sure business processes are supporting security (such as board accountability).

The DCMS (Department for Digital, Culture, Media & Sport) released the substance of the regulations after a response, now published, to a public consultation on them.

At the DCMS, Digital Infrastructure Minister Matt Warman said: “We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life. We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”

And at the UK’s official National Cyber Security Centre (NCSC), Technical Director Dr Ian Levy said: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”

Comments

Amit Sharma, Security Engineer, Synopsys Software Integrity Group, said: “Establishing new rules has been the need of the hour. The second most important aspect of any kind of critical infrastructure, after its functionality of course, has been security. Appropriate security measures are key to the success as well as protection of any telecom infrastructure.

“With the wide capability of 5G, it has become more crucial than ever to define security policies and measures, and drive them via regulations which can be used effectively by the telecom firms to manufacture and implement more secure products. Enabling various telecom manufacturers to test their equipment against defined security policies and measures, setting up of standards etc. will not only help individual vendors build robust and secure products, but also ensure that the supply chain is intact. To top this, it would be good to see a new automation framework for testing and managing the test beds and lab infrastructure. This will not only enable organisations to identify issues much earlier, but will also decrease the cost significantly. These regulations not only help streamline the process of security maturity but also ensure the nation’s safety from cyber attacks.”

And Michael Bishaey, Senior Security Consultant at Adarma, called it a move in the right direction. “Everyone in the UK is connected to the internet through their telecoms provider. Having these regulations introduced now will ensure we are more future-proof against cyber-attacks. Although telecom providers already have stringent security measures in place, having these hefty new fines assigned to these measures will help ensure they are strictly followed and that any outstanding security issues are resolved much faster to avoid huge fines.”


© 2024 Professional Security Magazine. All rights reserved.
