12 Mar 2024

Strengthening Identity Security in the Telecom Industry – UK Telecommunications Security Act (TSA)

written by Mark Seddon and Violeta Pavel, CyberArk


As technology evolves, so do the threats that loom over our communication infrastructure. The consequences of attacks on telecommunications organisations – usually a component of critical national infrastructure – can be far-reaching: they extend beyond damage to corporate interests and the compromise of staff and customer identity security, right up to national security.


Meeting The Growing Threat to Telecom Providers

Over the last few years, several cybersecurity regulations have set out how telecom providers are required to approach and implement security. Some are specific to the telecom sector, like the U.K.'s Telecommunications (Security) Act (TSA). Others are generic, like the NIS2 directive, which applies to multiple critical sectors of industry, telecommunications being one.

Driving these global security efforts in the telecom industry is a collective recognition and awareness of not just the severity of the potential threat but the interests of billions of users. As a result, stakeholders are subjecting telecom providers' services and networks in their downstream supply chain to high levels of scrutiny, especially concerning identity security – like vendor admin access – as well as managed service provider (MSP) contract requirements and obligations.

This scrutiny is welcome because telecommunications providers – though very different from, for instance, a bank in the services they provide and the infrastructure they sit on – are vulnerable to cyberattack in very similar ways to other organisations that have fully embraced the power of software, digitalisation, and the cloud. Attacking the software supply chain of an organisation that has an extensive digital ecosystem is a proven method of infiltrating the target infrastructure to compromise identity security, extract privileged credentials, modify scripts, spread malware, take sensitive data and carry out many other potentially devastating actions. The effects can be, and often are, magnified beyond users of the compromised software to their customers, suppliers and partners.


Building Telecommunications Cybersecurity Resilience

The U.K., like many other countries, is home to a competitive telecommunications market serving its 68 million residents. Recognizing the critical importance of securing the nation's telecommunications industry, the National Cyber Security Centre (NCSC) conducted its security analysis for the U.K. telecoms sector in 2020, highlighting the risks associated with telecommunication companies' supply chains, especially those linked to high-risk vendors, i.e. non-national infrastructure suppliers. The U.K. government subsequently passed the TSA in 2021 to address these concerns and bolster national infrastructure security. The TSA empowers the UK’s communications regulator, the Office of Communications (Ofcom), to intervene in the cybersecurity practices of telecom service providers. It establishes a comprehensive security framework to identify, reduce and mitigate security risks. Tier 1 providers must implement some measures as early as March 31, 2024. In cases of non-compliance, Ofcom can issue financial penalties.


Preparing to Meet TSA Requirements Now

Telecom providers, services and networks in the U.K. are now under pressure to dial up their cybersecurity posture, take accountability and present to Ofcom what cybersecurity measures are in place: no small task. The 2022 Telecommunications Security Code of Practice also outlines specific technical requirements in areas such as network architecture, data and network protection, supply chain management and identity security, to help organisations prepare.


Quick Wins On The TSA Journey

While the scope of the TSA is very broad, there are smart ways for telecom providers to achieve significant wins, in particular by ensuring identity security is maintained. The majority of all breaches and attacks involve the compromise of identities as an essential step for attackers – nation-state and other bad actors – to achieve their goals. One of the key TSA principles (point 1.11) is ‘assumed compromise’, a cybersecurity mindset that expects that the organization, if it hasn’t already been breached, will be breached in the future. This assumption leads to the expectation that any identity across your organization – whether human or machine – may have been compromised, and therefore the focus should be on identifying, isolating and stopping threats.

Assumed compromise is a foundational tenet of Zero Trust architecture, where all identities are continuously authenticated and authorized before securely granting just-in-time access with the right set of permissions. Specific actions to reduce the attack surface should include introducing the following capabilities:

· Securing, logging and monitoring privileged access for both internal and external users.

· Removing default passwords for systems, users and applications.

· Automatically discovering and onboarding unmanaged privileged accounts and credentials, and detecting anomalous behavior and indicators of compromise with policy-driven remediation capabilities.

· Removing local admin rights and implementing application controls, which limit what users can do on specific endpoints and which applications are whitelisted.

· Ensuring every user is who they claim to be with strong, contextual, risk-based authentication.


Telecoms Providers: Guardians of the Grid

The telecommunications industry’s critical role in our connected world necessitates rigorous security measures. The TSA and accompanying Telecommunications Security Code of Practice provide a much-needed framework to ensure the resilience and integrity of our communication networks in the U.K. The introduction of the TSA, together with the potential fines imposed by Ofcom, compels telecom providers to adopt a new approach and invest in a robust security strategy. In our evolving digital landscape, telecom providers are the guardians of the grid, and their commitment to protecting critical national infrastructure is essential for a secure and connected future.

CyberArk, with many years of experience partnering with the UK’s largest telecom providers, has closely collaborated with the U.K.'s National Cyber Security Centre (NCSC) to comprehend the complex technical requirements of the TSA. Read this eBook to understand how CyberArk’s Identity Security framework, grounded in Zero Trust and intelligent privilege controls, can help your organization defend against identity-centric threats, or join us on March 14 to hear directly from techUK and CyberArk specialists at this free webinar: Securing Telecoms: UK TSA & Identity Security, a webinar sponsored by CyberArk.

Get in touch:

Mark Seddon, Director, Solution Engineering UKI

Violeta Pavel, Director, Corporate Sales EMEA


