UK Telecommunications Security Act 2021 – 3 Documents Every Telco Executive Should Read 

In 2019, the National Cyber Security Centre conducted the UK Telecoms Supply Chain Review to assess and address potential risks associated with the supply chain of telecommunications infrastructure in the United Kingdom. The review highlighted the risks associated with reliance on certain vendors, particularly those with high-risk profiles. It also recommended increased oversight and regulation to mitigate security risks and protect critical national infrastructure.

Following the review, the UK government enacted the Telecommunications (Security) Act 2021 (henceforth, TSA) on October 1st, 2022. This legislation empowers the Office of Communications (Ofcom) to intervene in the cyber security practices of telecommunications service providers, ensuring the resilience and integrity of core telecommunications networks in the UK.

In this blog post, CyberCrowd takes a deeper look at the Telecommunications Security Act: which documents from the regulator every executive should be reading, and why it remains so important to maintain your organisation's security.

What is TSA?

The TSA is a comprehensive security framework for telecom service providers, imposing specific obligations and measures to identify, reduce, and mitigate the risk of security compromises. The Act classifies providers into three tiers based on their scale and criticality, with each tier having distinct compliance obligations.

Documents Every Exec Should be Aware of:

Document 1: UK Telecoms Supply Chain Review Report from the UK Department for Digital, Culture, Media, and Sport

‘The Review’s starting point was a set of concerns about the security and resilience of the UK’s telecoms networks, largely related to: 

(a) inadequate industry practices overall, driven by a lack of incentives to manage security risks to an appropriate level; and 

(b) the risk of national dependency on a small number of viable suppliers.’

Document 2: Security analysis for the UK telecoms sector from NCSC

‘Upon completion of the threat analysis, the majority of the highest scoring attack vectors fitted into one of the following five categories:’

  • Exploitation via the operators’ management plane
  • Exploitation via the international signalling plane
  • Exploitation of virtualised networks
  • Exploitation via the supply chain
  • Loss of the national capability to operate and secure our networks (dependency)

Document 3: Code of Practice from the UK Department for Digital, Culture, Media and Sport

Section 1: Introductory and background information

Section 2: Key concepts that need to be understood

Section 3: Technical guidance measures & implementation timeframe

During the public consultation process of the Regulation and its associated code of practice, public telecom providers, industry trade bodies, and telecom suppliers raised a number of concerns. They expressed apprehension regarding the feasibility of meeting the prescribed measures within the tight timeframe and without incurring disproportionate costs. 

Of particular concern were the targets for the gigabit rollout and the development of 5G services, as they posed a risk to the resources required for implementing the new security measures. Furthermore, there were concerns that the rapid pace of implementations might inadvertently introduce new security vulnerabilities.

Why is the TSA Needed?

The UK Telecoms Supply Chain Review (2019) revealed the absence of a comprehensive security framework and adequate practices within the UK telecom industry. Telecoms often faced the challenge of balancing security considerations against their commercial priorities. However, with the government’s increased emphasis on strengthening cybersecurity through the TSA and the potential fines imposed by Ofcom, telecoms will be compelled to adopt a new approach and invest in robust security measures to ensure compliance and protect their networks.

Why is Adhering to the Regulation Challenging?

The TSA introduces a comprehensive security framework that requires telecom providers to adhere to specific technical requirements and measures. Ensuring compliance with these requirements across complex and extensive networks, interconnected systems, and legacy infrastructure can be a daunting task. Re-evaluating their current security measures, identifying vulnerabilities, and making necessary adjustments to meet the standards set by the TSA is a time-consuming and resource-intensive process for telcos. Implementing TSA requirements may also have an impact on their current network upgrades or other transformation engagements. Collaboration with multiple internal stakeholders and coordination with regulatory bodies will add further complexity and overhead.

How can Telecom Executives Implement TSA Requirements?

The TSA has provided a roadmap to success. Telecom providers should refer to the Code of Practice accompanying the Act. The Code of Practice outlines specific technical requirements and measures that providers must adhere to in various areas, such as network architecture, protection of data and network functions, monitoring and analysis, supply chain management, access control, remediation and recovery, governance, reviews, and testing. 

The Need to Modernise Your SOC Tools

The TSA demonstrates the crucial importance of agility and quick adaptation for telcos in response to new compliance requirements. It serves as another example of an external shock that IT teams must navigate.

We witness the need for top security teams to swiftly adapt to new situations, whether it’s integrating a new technology or service into security monitoring, addressing novel tactics employed by cyber attackers, or fulfilling new compliance requirements such as expanding log retention times and re-architecting storage. Our Managed SOC empowers your Security Team to focus on business operations whilst our eyes are on the glass, monitoring your environment from above.

Next Steps?

The TSA requires telecom providers to enhance their cybersecurity practices. If you have questions about the details, know that you’re not alone. At CyberCrowd, we specialise in addressing the toughest aspects of cybersecurity. Operating with a partnership-first approach, we become an extension of your security team, not only to help navigate regulations but to bolster your defences against the growing threat landscape. Our security experts are always on hand to answer any questions that you may have; please feel free to contact us.