5G Cybersecurity: TSR Ready?


Telecoms infrastructure is considered Critical National Infrastructure and it is increasingly under threat from cyber-attackers. In a world of increasing geo-political tension, we have seen a significant rise in attacks from state actors targeting these critical services.

Security risks and requirements are shifting as telecoms providers (Telcos) transition to 5G networks. 5G uses software-defined networks and virtualises many of its most fundamental components across the core and the radio access networks. This creates new market opportunities but also creates new attack vectors for hackers to exploit. Indeed, cybercriminals have come to view critical infrastructure as a lucrative target. Any attack that causes service disruption in our critical national infrastructure can potentially have enormous repercussions on national security and the economy. There is also a knock-on effect: many other critical services and providers, such as power and water suppliers, rely heavily on telecoms services and would therefore be affected by any outages. This raises many concerns about the security of our critical national infrastructure.

Disaggregation of Functions

Protecting against attacks in 5G networks is increasingly complex due to the disaggregation of network functions across the cloud. Telcos are essentially becoming cloud service companies, which is a necessary technology and business capability, but this increases the attack surface and opens up a multitude of new attack vectors as a result of leveraging common web protocols and APIs. In addition, network slicing will become more mainstream, allowing for multiple specialised software-defined networks to be hosted on the same network infrastructure. However, each slice will require its own specific security controls to be implemented, adding to the complexity.

Cost of Cybercrime

According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cybercriminals are taking advantage of the vulnerability of industries requiring high levels of availability and reliable connectivity to function. This represents a serious risk for mobile network operators.

One recent report revealed that in Q3 2022, the Telco sector was the target of over 43% of all DDoS attacks. This report shows that the number of attacks in the telecoms sector grew by a factor of 7 since Q3 2021. Most of the attacks on telecoms were carried out with the aim of extortion and blackmail.

Government Regulation & Compliance

In the face of this threat, the UK Government has launched a new security framework for telecoms security, which came into effect in October 2022. Coming under the Telecommunications Security Act, the Telecommunications Security Requirements (TSRs) introduce new demands around designing, implementing, managing and monitoring network security.

The government’s UK Telecoms Supply Chain Review Report, published in July 2019, highlighted the security risks as well as the economic opportunities associated with the next generation of telecommunications networks, particularly 5G and full fibre networks.

Since the Review was published, the government has put this recommendation into action, developing a new security framework for providers of public electronic communications networks or services through the Telecommunications Security Act 2021, otherwise known as ‘the TSA’. The new telecoms security framework was developed in collaboration with the National Cyber Security Centre (NCSC), drawing on its technical expertise in cyber security matters relating to the telecoms sector. This code of practice provides guidance for large and medium‑sized public telecoms providers whose security is most crucial to the effective functioning of the UK’s telecoms critical national infrastructure (CNI). The framework established through the TSA comprises three layers:

  1. Strengthened overarching security duties on public telecoms providers. 
  2. Specific security measures (referred to as ‘requirements’). These are set out in the Electronic Communications (Security Measures) Regulations 2022 and detail the specified measures to be taken in addition to the overarching duties in the Act.
  3. Technical guidance. The code of practice provides detailed guidelines to large and medium‑sized public telecoms providers on the government’s preferred approach to demonstrating compliance with the duties in the Act and the requirements within the regulations.

To ensure security risks are mitigated proportionately, the code of practice includes a tiering system which sets out the different expectations on public telecoms providers. The tiering system places public telecoms providers in one of three tiers, based on their commercial scale:

  1. Tier 1 – public telecoms providers with relevant turnover in the relevant period of £1bn or more.
  2. Tier 2 – public telecoms providers with relevant turnover in the relevant period of more than or equal to £50m but less than £1bn.
  3. Tier 3 – public telecoms providers whose relevant turnover in the relevant period is less than £50m, but who are not micro‑entities.

Ofcom's Remit

Ofcom will be regulating this new framework to seek to ensure that public telecoms providers comply with their security duties. In cases of non-compliance with the new security duties and/or specific security requirements, Ofcom will be able to issue a notification of contravention to providers setting out that they have not complied, and any remedial action to be taken.

Ofcom also has the ability to direct telecoms providers to take interim steps to address security gaps during the enforcement process. In addition, in cases of non‑compliance, including where a provider has not complied with a notification of contravention, Ofcom can issue financial penalties. The amount of a penalty is specified as what the Secretary of State determines to be:

  • appropriate; and
  • proportionate to the contravention

The penalties can be significant but may not exceed 10 per cent of the turnover of the public communications provider’s relevant business for the relevant period, and may not exceed £100,000 per day. This is certainly an incentive to get this right!

Timeframes

The telecoms security framework came into force on 1 October 2022; however, it would not have been realistic to have expected public telecoms providers to have met all their obligations from that date. Instead, specific recommended compliance timeframes by which providers are expected to have taken relevant measures have been set out in the code of practice.

It is also recognised that it would not be appropriate, proportionate, or technically feasible, to expect providers to implement all measures at the same time. The timeframes specified in the code of practice reflect which guidance measures are most important and/or most straightforward to implement first, and which guidance measures may require more time to implement.

There has been a delay to the earliest implementation date for some security measures, which changed from 31 March 2023 to 31 March 2024 for ‘the most straightforward and least resource intensive measures’, giving Telcos a further year. Other deadlines, for 'more complex' security measures, remain unchanged at 31 March 2025, 2027 and 2028 for Tier 1 and 2 providers, with longer for Tier 3 operators. Indeed, this leaves a lot of room for interpretation.

Whilst the specific definition of the least, relatively low, most complex and most resource-intensive measures remains up for debate, it will most likely involve a lot of work to achieve compliance with these new regulations.

What Does This Mean for Telcos?

If we boil it down to the essentials, the new regulations state that Telcos need to understand and identify the security risks, take measures to mitigate these risks, and frequently review their cybersecurity posture and processes so they have a robust process in place to deal with a security breach. What is deemed as a security breach or compromise?

‘anything that compromises the availability, performance, functionality or confidentiality of the network, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider’s permission’.

On the face of it, this doesn’t sound too daunting or burdensome. However, if we dig a bit deeper, we get a much more detailed picture of what is required for compliance. This includes the following areas, but there is a lot more detail in each of these domains.

Network architecture - provides guidance to design, build and manage secure networks. The architectural and design decisions which are made when creating and modifying a provider’s network or supporting systems are critical to the security of that network. This security architecture determines how difficult it will be to compromise or disrupt the network, the scale of any associated impact, and whether the provider is likely to detect and recover from any compromise.

Protection of data and network functions - provides guidance on the measures to be taken to protect data and network functions that could be at risk of security compromises.

Protection of certain tools enabling monitoring or analysis - provides guidance on the measures to be taken to protect certain tools that enable the monitoring or analysis in real time of the use of the network or service.

Monitoring and analysis - provides guidance on the measures to monitor and analyse the use of their networks in order to identify any security compromises. While not directly a set of preventative controls, security monitoring fundamentally underpins the security posture of a network or system. 

Supply chain - provides guidance on the measures to identify and reduce the security risk arising from actions taken or not taken by third-party suppliers. 

Prevention of unauthorised access or interference - provides guidance on the measures to be taken to prevent the occurrence of security compromises that consist of unauthorised access to their networks or services.

Preparing for remediation and recovery - provides guidance to prepare for the occurrence of security compromises with a view to limiting the adverse effects of security compromises and being able to recover from them.

Governance - provides guidance on the measures to ensure appropriate and proportionate management of the persons who are given security‑related tasks. This is intended to ensure that providers employ the appropriate security governance and business processes to protect UK networks and services.

Reviews - provides guidance on the measures to ensure that regular reviews of their security measures are undertaken.

Patching and updates - provides guidance on the measures to be taken to deploy patches or mitigations (including software updates and equipment replacement) as well as the necessary security updates and equipment upgrades.

Competency - provides guidance on the measures to be taken to ensure that the persons who have been given security‑related tasks can conduct their duties appropriately.

Testing - provides guidance on the measures to be taken to conduct appropriate tests. The purpose of testing, or ‘red team’ exercising, is to verify the security defences of the network, and identify any security weaknesses prior to any potential attacks. For this reason it is essential that the testing simulates, so far as possible, real-world attacks. 

Assistance - provides guidance on the measures to be taken to reduce the risk of security compromise by seeking and providing appropriate assistance. In certain circumstances it is appropriate for providers to receive information from other providers that would help to reduce the risk of security compromises occurring. 

Technical Guidance Measures

Within each of the domains listed above, there are specific technical measures to be taken by providers, grouped by the date by which they are expected to be completed. Due to the amount of detail, these are out of scope for this article, but we'll circle back to these in future articles.

However, it should be noted that the extent to which each technical guidance measure can contribute to ensuring compliance with any specific regulation will depend on the facts of each case. So clearly, it is not a straightforward, tick-in-the-box exercise, and once again, there is room for a certain degree of interpretation.

Where to Start?

Start at the beginning. Telcos should get an understanding of their current state and begin testing and auditing their existing security infrastructure and staff’s cyber awareness. This will serve two purposes:

  1. Provide a current state baseline against which future progress can be measured.
  2. Identify potential security gaps both in the network environments and employee knowledge.

Telcos can also start to identify which of the regulations fall into the different timescales. While the complexity of each security task may vary for different providers, depending on their existing network and the tools being used, identifying quick wins that are easy to achieve will help to prepare for the first deadline. Following this, map out the dates needed to achieve compliance with all of the other TSRs.

Conclusion

For all of 5G’s transformative potential, the risks are high. Hackers will exploit everything, everyone, everywhere they can reach. Whilst threats are escalating and the challenges in protecting these networks are rapidly evolving, with a multi-layered defence that focuses on protecting access to key assets and systems, based on the guidance we have discussed above, Telcos can significantly bolster the security posture of their network infrastructure.

Though the Government’s deadline (31st of March 2028) for full compliance may seem quite a way off in the future, Telcos should begin to take action now. While compliance with the TSRs may look like a cause for concern in terms of the potential for complex, resource-intensive work streams, it is actually a good thing. This is because these measures are necessary for the security of the communications infrastructure. These networks have become critically important in our lives, and as we see the deployment of more advanced 5G infrastructure (ORAN, 5G Standalone, Network Slicing), with more functions and capabilities disaggregated across the cloud, the more important network security becomes. Therefore, we need to ensure they are protected, without underestimating the effect a security breach could have on all of us.
