Understanding the UK Telecommunications and Security Act

The Telecommunications and Security Act is an important piece of legislation passed by the UK Government in October 2022 as an addition to the existing Communications Act 2003, which stipulates some actions required by UK operating telecommunications companies from 31^st March 2023 onwards

What is behind the Telecommunications and Security act

The TSA was designed to address concerns across Government and Industry about the need for telecommunications companies/network providers to have resilient and secure networks all the way through their tech stack to ensure that the Internet infrastructure or CNI (Critical National Infrastructure) that we all now rely so heavily on can continue to work and is not open to compromise by bad actors.

It is a known fact that electronic espionage, disruption, and hacking are tools widely used by Governments across the world. It is almost an open strategy employed by the less democratic nations in the world to further their world view but also to disrupt the services and lives of their opponents.

Some recent examples of attacks undertaken to influence policy and cause disruption are:

• US 2020 Election – With the aim to create mis-trust in politics and potentially assist Donald Trump in his aim to be US President
• Brexit vote – Fragmentation of the EU is a cause close to Russia, therefore any mis-information or amplifying an anti-EU message could benefit them.
• Estonia Internet disruption – A major Denial of Service to Estonian Internet access and services carried out by Russia as punishment for the Baltic states western leaning stance.
• UK/US ransomware of key institutions – UK NHS, US Healthcare institutions, US Gas pipelines and many more.

Data from the US FBI Internet Crime report for 2023 shows the extent that critical infrastructure organisations were targeted by ransomware, which is only one of the attack vectors that the bad actors will use. View the report here: 2023_IC3Report.pdf

The same applies in the UK with the NCSC Annual Review of 2023. View here: NCSC – Annual Review 2023

What is Icotera’s stance on the TSA

Much of the TSA is focused on compliance by the public telecom providers/network operators and what they need to do within their networks, but one of the key components of the aligned Code of Practice is for Providers to protect what is known as the Exposed Edge and broadband CPEs fall into this category.

There is a recommendation for network operators to assess their tech vendors’ stance and the framework for this is for them to undertake a Vendor Security Assessment (VSA) which involves asking a number of key questions to get an understanding of the vendors’ current position on security relating to hardware and software.

Icotera have taken the framework of the VSA and analysed ourselves against all the criteria, so we understand where we stand against all components which provide us with a framework for continual improvement. For details on the Icotera VSA please reach out to Technical Program Manager UK and Ireland, Jim Lucking at: jlucking@icotera.com

The VSA (Vendor Security Assessment) Structure

The VSA covers nine high level key components which network vendors throughout the tech stack need to consider and assess themselves on. 

Below the nine high level components there are many granular sub-items that provide guidance on what the vendor should investigate and address

VSA high level items

• Product lifecycle management
• Product Security Management
• Protected Development and Build Environments
• Exploit Mitigation
• Secure Updates and Software Signing
• Hardware Roots of Trust and Secure Boot
• Security Testing
• Secure Management and Configuration
• Vulnerability and Issue Management

Summary

Being prepared for the TSA is crucial for all UK public telecom operators as it has legal obligations that must be met (depending on tiering and timescale these timelines can be more onerous), but as previously explained even if you are in a lower tier but you contract with a company in a higher tier (think Openreach, CityFibre, etc) you need to comply with the higher tier requirements and timelines.

But apart from the legal obligations it introduces some best practices for securing the network tech stack to minimise the attack surface and any potential malicious exploits.

Implementing its recommendations makes commercial and reputational sense to everyone involved

The assumption is that most, if not all telecom operators have started down the journey already, but if not, don’t delay.

1^st steps:

• Get the buy-in of the C Suite/Board of your company. This is crucial as they may need to approve investment and are likely the ones who will be liable and will be penalised for non-compliance.
• Review the available documentation on the TSA. Info can be found at UK Govt websites Telecoms Security Code of Practice – GOV.UK, and the regulator Ofcom New powers for Ofcom to oversee security of telecoms networks – Ofcom and many 3^rd party technical consultants
• Speak to your peers. This may be via an umbrella organisation such as INCA or ISPA in the UK where they can provide guidance on how to ensure compliance
• If necessary, seek help and advice from a 3d party specialist. There are plenty out there that can be found using Internet searches.
• Carry out a gap analysis of where you currently stand on the main items.
• Allocate dedicated resources (finance and personnel) to addressing the issues, this is not one of those tasks that can be in the low priority section of the Task List.
• Engage with your partners and supply chain who provide services and hardware for your network. It is key that you understand and assess all components of the end to end network