What is the Telecommunications Security Act (TSA)?
The Act outlines legal duties on telecommunications companies to increase the security of the entire UK network. It introduces new regulatory powers to the UK Telecommunications regulator OFCOM to regulate Public Telecommunications Providers in the area of IT security. It introduces obligations on operators to put in place more measures around the security of their supply chains and procured products.
The Act introduces a so-called Code of Practice. It is this Code of Practice that contains the technical requirements that operators should comply with. However, the Code of Practice is not binding; it is instead used as a benchmarking tool to assess whether a telecom operator has taken "proportional and appropriate" measures to increase security in its business.
Why has the Telecommunications (Security) Act been introduced?
As a result of the UK Telecoms Supply Chain review in 2018, the government identified areas of concern that needed addressing:
- Existing industry practices may have focused on good commercial outcomes but did not incentivise effective cyber security risk management.
- Policy and regulation for enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
- National dependency on single suppliers poses a range of risks to the security and resilience of UK telecoms networks.
The security and resilience of the UK telecoms sector is becoming ever more crucial — especially as the government intends to bring gigabit-capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre’s Security analysis for the UK telecoms sector, ‘As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK’s Critical National Telecoms Infrastructure remains online and secure both now and in the future.’
Whom does the Telecommunications (Security) Act affect?
It will apply to public telecom providers (including smaller companies that offer telecom networks or services to the public). More specifically, to quote the Act itself:
- Tier 1: This applies to the largest organizations with an annual turnover of over £1bn providing public networks and services for which a security compromise would have the most widespread impact on network and service availability and the most damaging economic or social effects.
- Tier 2 providers would be those medium-sized companies with an annual turnover of more than £50m, providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects.
- Tier 3 providers would be the smallest companies with an annual turnover of less than £50m in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability.
When do companies need to start adhering to the Telecommunications (Security) Act?
The Code of Practice expects Tier 1 providers to implement ‘the most straightforward and least resource-intensive measures’ by 31 March 2024, and the more complex and resource-intensive measures by 31 March 2025.
Tier 2 firms have been given an extra two years on the dates outlined above to reflect the relative sizes of providers. Tier 3 providers aren’t in the scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms must continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulations.
How can companies prepare for the Telecommunications (Security) Act?
The Act introduces a range of new requirements for those in the telecoms industry to understand and follow.
However, there are more common security requirements as well. For example, ensuring that users accessing systems, data, and applications are who they say they are is a key aspect of reducing risk, because it limits the possibility of attacks coming in through the front door. This is a very real risk, since most data breaches involve a human element, including incidents in which employees expose information directly or make a mistake that enables cyber criminals to access the organization’s systems.
Therefore, one area in which to start protecting the organisation, and a first step towards compliance, is to strengthen authentication and secure access to systems, data, and applications. Even this, however, can take time to implement.
How can Netadmin customers prepare for the Telecommunications (Security) Act?
From a specific Netadmin perspective, we recommend that you:
- Use existing or create new ACL rules for your users so that they have access on a need-to-know basis. The administration accounts should only be possible to access via the "PAW" zone (e.g. via IP restrictions).
- Connect your Netadmin installation to an OpenID Connect provider to enable multi-factor authentication.
- Follow our guidance on how to configure firewall openings between and towards Netadmin servers (this is especially important for access to the administration user interface and the servers communicating with the network elements).
- Make sure you have valid and secure certificates for encryption.
- Place all servers on separate VLANs and IP subnets, separated by firewalls, with host-to-host communication restricted except where required.
- Follow our administration and maintenance guidelines for backups, security updates, and more.
- If possible, secure the workstations that access the Netadmin administration UI according to the Code of Practice guidelines for the "PAW" zone, at least for administration accounts.
- The Netadmin resource controller servers responsible for executing 'drivers' towards the network should be isolated. Communication should only be allowed using the Netadmin purpose-specific port.
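The zone rules above (administration accounts only from the "PAW" zone, resource controllers reachable only on their purpose-specific port) can be turned into an automated check over access records. The following is an added example, not Netadmin's own code; the subnets, the role names and the resource controller port are placeholders, as are the sample access lines.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed zones and ports (placeholders, not Netadmin's real values).
PAW_ZONE = ipaddress.ip_network("10.10.0.0/24")             # privileged access workstations
APP_SERVERS = ipaddress.ip_network("10.20.0.0/24")          # Netadmin application servers
RESOURCE_CONTROLLERS = ipaddress.ip_network("10.30.0.0/24")  # servers running drivers
RC_PORT = 9000  # hypothetical purpose-specific resource controller port


@dataclass
class Attempt:
    user: str
    role: str   # "admin", "user" or "svc"
    src: str
    dst: str
    port: int


def check(a: Attempt) -> str:
    """Return 'allow' or a 'deny: ...' reason for one access attempt."""
    src = ipaddress.ip_address(a.src)
    dst = ipaddress.ip_address(a.dst)
    # Rule 1: administration accounts are usable only from the PAW zone.
    if a.role == "admin" and src not in PAW_ZONE:
        return "deny: admin account outside PAW zone"
    # Rule 2: resource controllers accept only the purpose-specific port,
    # and only from the application servers that dispatch driver jobs.
    if dst in RESOURCE_CONTROLLERS:
        if a.port != RC_PORT:
            return "deny: non-purpose port to resource controller"
        if src not in APP_SERVERS:
            return "deny: resource controller reached from outside app server subnet"
    return "allow"


def evaluate(lines: list[str]) -> list[tuple[str, str]]:
    """Parse constructed 'user role src dst port' records and return (user, verdict)."""
    results = []
    for line in lines:
        user, role, src, dst, port = line.split()
        results.append((user, check(Attempt(user, role, src, dst, int(port)))))
    return results


# Constructed sample access records.
SAMPLE = [
    "alice admin 10.10.0.5 10.20.0.10 443",   # admin from PAW zone: allow
    "bob admin 192.168.1.7 10.20.0.10 443",   # admin from office LAN: deny
    "app1 svc 10.20.0.10 10.30.0.3 9000",     # app server to RC on RC port: allow
    "carol user 10.10.0.9 10.30.0.3 22",      # SSH straight to RC: deny
]
```

Running `evaluate(SAMPLE)` flags the two records that break the zone rules; the same logic can be applied to exported firewall or authentication logs during an audit.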
These recommendations have been considered as "proportional and appropriate" for a majority of our customer base, consisting of tier 2 and tier 3 operators.
Please note that Netadmin prioritizes security-related enhancements and regularly performs penetration tests on the application itself. These penetration tests are carried out by specialised IT security companies.
Where can you find more information on Telecommunications (Security) Act?
We will be creating more information about the Act as we move closer to the deadlines. We are monitoring this closely together with partners, customers, and organisations such as the INCA.
For more information, please contact
Johan Hjalmarsson, Product Marketing Manager, Netadmin Systems.
Email: johan.hjalmarsson@netadminsystems.com