As our reliance on communications technology has grown, so have the associated risks involved, writes Rob Pocock, Technical Director, at the cyber firm Red Helix.
With about 95pc of the UK population predicted to be using a smartphone by 2025, not to mention the wealth of other devices connected to the internet, the potential damage caused to the UK infrastructure should a Carrier network be breached is severe. In response to this, the Government unveiled the Telecommunications (Security) Act (TSA) in November 2021, introducing a stronger security framework for public electronic communications network providers, and has since released a draft regulation and new code of practice to address advanced security risks.
In principle, the regulations have been well received. However, although the requirements presented in this new security framework are clear, the implementation timescales and exact details of what is expected by when are vague. The Government has requested ‘the most straightforward and least resource intensive measures’ be actioned by March 31st, 2024, and ‘the most complex and resource intensive measures’ be conducted by 2028 – with some ‘relatively low’ and ‘more complex’ measures to be completed in between – all of which leaves a lot to each individual organisation’s interpretation.
Whilst the exact definition of the least, relatively low, more complex and most resource intensive measures remains up for debate, it is likely a great deal of work will be needed to achieve compliance with these new regulations.
TSA regulations in a nutshell
In essence, the new regulations state that Telcos need to be able to identify the risks of security compromises, take measures to reduce these risks and consistently review their existing processes, preparing for the occurrence of a security compromise –defined as ‘anything that compromises the availability, performance, functionality or confidentiality of the network, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider’s permission’.
This sounds relatively straightforward in theory; however the secondary legislation provides far more detailed requirements, including:
•Security by design – Networks must be designed, or redesigned (if necessary) to ensure security at all times
•UK-based – Networks must be capable of operating without reliance on people, equipment or stored data from outside of the UK (though this may prove difficult in practice, given many Telcos have an international footprint)
•Supply chain – Telcos must assess the impact of security compromise on third-party suppliers, reduce dependency on any single third-party providers and ensure there are written contingency plans in place should supply be interrupted
•Patching – Security patches must be applied within 14-days of any risk of compromise (a longer period may be allowed if this can be proved to be necessary)
•Board-level security officer – Security compliance must be managed by a person or committee with board-level responsibility (who must also be granted authority to effectively manage those responsible for the organisation’s security measures)
•Testing – Regular penetration testing, security reviews and written assessments must be conducted to test both network security and staff awareness
•Security logs – All logs relating to network access must be kept for at least 13 months, with systems in place to monitor unauthorised changes to sensitive parts of the network/services. (Whether or not those logs should be stored solely in the UK is an ongoing point of discussion); and
•Industry Co-operation – Telcos must share information with other providers, should that information be able to help mitigate risks caused by security compromise
Additionally, the ‘code of practice’ included alongside these regulations outlines how Telcos can achieve compliance and what good security looks like in the industry. Although not legally binding, the provisions included in the code of practice clarify what ‘appropriate and proportionate’ measures look like according to each tier – using a three-tier system based on the annual turnover of the telecoms provider.
Where to begin
There is a lot to be achieved to comply with the new regulations and getting started on the extensive list of tasks may seem like a daunting prospect. It is therefore worth breaking these tasks down into smaller, easier to manage steps. As a first port of call, Telcos need to allocate specific roles within their organisation to deal with the TSA regulations. For many, there will be a great deal of change required to bring security up to the level outlined in the regulations, and by creating a role responsible for achieving compliance within the appropriate timescales, companies can ensure the work is being managed.
For smaller telcos that might not have the capacity to create a bespoke role, sharing the responsibilities between multiple members of staff can still ensure this work is picked up. Additionally, telcos should begin testing and auditing their existing security infrastructure and staff’s cyber awareness. Not only will this help to identify potential security gaps, both in their network environments and employee knowledge, it will also provide a base mark which can be used to show future progress.
Telcos can also start to identify which of the regulations fall into the different timescales. While the complexity of each security task may vary for different providers, depending on their existing infrastructure and the tools already available, identifying easy wins is something all can do to help to prepare for the first deadline, and to map out the dates needed to achieve security requirements for the rest.
Why start now?
Given the ambiguity around the Government timescales, there is no doubt a temptation to identify all measures as highly complex and resource intensive, then wait until 2028 before enacting change. This temptation should be avoided, not only because these measures will take time to enact, with adjustments and testing needed to determine which security solutions are right for each particular environment, but primarily because these measures are necessary for the security of our communications infrastructure. As we move closer to the rollout of 5G core and the new capabilities this enables, network security will become increasingly important and the consequences of a breach will become more severe – we only need to look at the Optus breach late last year to see the impact a data breach can have when telecommunications security is unregulated.
The TSA regulations have been heavily vetted and shouldn’t be seen as a simple ‘tick box’ exercise. They are crucial measures for Telcos to put in place, to ensure the success and robustness of the UK’s telecommunications networks.
Better network security, today
Though the Government’s March 31, 2028 deadline for full compliance may feel like some time away, businesses shouldn’t be tempted to delay action. Telcos need to assess their security infrastructures now, identifying any gaps and start making the necessary adjustments to ensure these are fixed. We must take onboard the lessons learned from financial companies that missed taking early action in complying with MiFID II’s precision time regulations – causing a rush to achieve and report MiFID II adherence, which created high-pressure distractions for the trading companies and the supply chains supporting them. And when you factor in the TSA’s focus on supply chain security, the selection of suppliers to help with TSA delivery (amongst other needs), and the evaluation of security contingency plans, there will be numerous time-consuming distractions created that could risk further delays to achieving compliance.
With telcos also set to upgrade their networks to 5G and 400Gbps over the next few years, these TSA mandates and the focus they require will also govern the evolution of the UK’s networks – further adding to the workloads of Telcos’ security and infrastructure teams. We must view these requirements as a good thing, not as a cause for a heavy workload. As these networks become ever more intertwined into all our lives, we need to ensure they are protected, without underestimating the effect a security breach could have on every one of us.
