Telecoms security and resilience update - December 2023
Ofcom has proposed to update its resilience guidance to provide greater clarity on how UK telecoms companies can reduce the risk of network outages. The regulator is taking the opportunity - post-TSA - to update its resilience guidance for communications providers, setting out the measures it expects PECN/PECS to take to keep their networks running, including:
- making sure networks are designed to avoid, or reduce, single points of failure;
- making sure key infrastructure points have automatic failover functionality built in, so that traffic is immediately diverted to another device or site when equipment fails; and
- setting out the processes, tools and training that should be considered to support the requirements on resilience.
Communications providers have a legal obligation to identify, prepare for and reduce the risk of anything that compromises the availability, performance or functionality of their network or service.
Sections 105A to 105D of the Communications Act (2003) were amended by the Telecoms Security Act, which commenced in 2022. The TSA amendments included the definition of a "Security Compromise", and because the concept of a Security Compromise in the 2003 Act includes Resilience Incidents, Ofcom is updating its existing resilience guidance to provide greater clarity on how PECN/PECS providers can comply with their security duties. The proposed guidance describes a range of practices in the architecture, design and operational models that underpin robust and resilient telecoms networks and services, as well as more specific measures that Ofcom expects communications providers to consider.
The consultation is open now and the deadline for submissions is 17:00 on Friday 1 March 2024. Ofcom intends to publish its statement on the resilience guidance, and next steps on mobile RAN power resilience (more info below), in summer 2024.
Government response: the uses and security of Private Telecommunications Networks within the UK
In the summer, DSIT launched a call for information on the uses and security of private telecoms networks, noting that as the use of private networks increases, it was important for government to understand the implications of this growth, and what impact damage or disruption to those networks could have on users of critical services. techUK members contributed to this call - and in total, DSIT received 41 responses from a range of individuals and organisations.
Earlier in the month, DSIT published its response to this call, summarising key findings and determining that it will use the information supplied, alongside wider evidence and research, to determine whether government intervention is necessary to protect private telecoms networks.
The following themes were identified:
- Private telecoms networks are being used in a range of critical sectors (c.90% of providers stated they had customers in these sectors) and where private telecoms networks are deployed, they are typically being used for business-critical functions.
- Of the customers and providers who responded to the call for information, security was a key feature and rationale for the procurement of private telecoms networks.
- Whilst respondents predominantly believed the market for private telecoms networks is developing in a way which promotes good security and resilience, and that standards were broadly supporting the deployment of secure and resilient private telecoms networks, there was appetite for a range of future interventions. This included developing guidance, education initiatives and ensuring adequate funding for innovation projects on the security and resilience of private telecoms networks.
- Respondents noted positive and negative effects of future technological developments (e.g. with AI) on private telecoms networks and the need to monitor the impacts of technology as it evolves. This covered the development of existing technology such as ‘on device’ security protocols and the emergence of future technology such as quantum decryption.
- Most respondents stated that private and public networks should continue to be treated differently due to their distinct security characteristics. A small number of respondents called for further work in creating a clearer legal definition for private telecoms networks.
- Respondents outlined a range of security risks that could be prioritised when developing policies regarding private telecoms networks. These included risks relating to cyber and physical security of private telecoms networks and overall security of the supply chain. Respondents also stated that device security, data infrastructure and work to specifically address the risks to critical sectors could also be prioritised.
Power backup for mobile networks
Alongside the resilience guidance, Ofcom is also calling for input on power backup for mobile networks. Mobile networks depend on electrical power to function, and power outages can cause service disruption for customers.
Currently, the amount of battery backup in place varies by MNO - the regulator is kickstarting a discussion about what power backup MNOs can and should provide for their networks and services, with a view to implementing this in future guidance, and/or working with industry and Government to identify and pursue other ways to address this issue.
As above, the deadline for submission is 17:00 on 1 March 2024. Details can be found on page 42 of this document.
Protecting and enhancing the security and resilience of UK data infrastructure
DSIT has also launched a new consultation with proposals outlined to better protect data storage facilities from cyber-attacks, physical threats and extreme weather. "Protecting and enhancing the security and resilience of UK data infrastructure" opened on 14 December 2023, with views sought by 22 February 2024.
A new set of laws to better protect the nation’s data would make minimum requirements mandatory to ensure data centre operators are taking appropriate steps to boost their security and resilience. It would also help protect businesses and services that rely on data centres against disruption, reducing the risk of significant incidents that would interrupt or compromise access to the data they rely on.
A new regulatory function is also being considered, to make sure operators of data centre services report incidents and work with the sector to assure and test risk mitigation against threats and hazards. The move is intended to encourage better transparency of information and cooperation across industry and the government so risks to the UK can be appropriately identified and addressed.
Government is seeking views from data centre operators, data centre land and facility owners, cloud platform providers, managed service providers, customers and suppliers of these groups, and independent or academic experts on data storage and processing.
The proposed statutory framework includes:
- Scope: third-party data centres, in particular, those being implemented to provide colocation and co-hosting data centre services. It is intended that organisations that operate these data centres or provide these services, and so fall within the scope, would be required to undertake or comply with the following:
- Registration: relevant data centre providers would be required to register with the designated regulator and provide relevant information regarding their UK operations.
- Security and resilience measures: relevant data centre providers would have a duty to take appropriate and proportionate technical and organisational measures to manage risks to the security and resilience of these services. Baseline measures may relate to:
  - risk management;
  - the physical and cyber security of facilities, networks and systems, including measures targeted at specific areas or functions (for example, meet-me rooms);
  - incident management;
  - resilience and service continuity;
  - monitoring, detection, auditing and testing;
  - governance and personnel;
  - supply chain management.
- Standards, assurance and testing: standards, assessment frameworks and other tools can be used to improve and assure security and resilience mitigations. To enable this, the government would introduce a range of mechanisms which could be used by a regulator to mandate assurance of, and provide assurance beyond, baseline security and resilience measures.
- Incident reporting: relevant providers would be required to report significant incidents to the regulator, and in some cases disclose incidents to customers or other affected parties.
- Regulatory function: a regulatory function would be established with the appropriate remit, powers and capability to implement, manage and enforce the new framework. This function would take a risk-based, proactive approach, based on the principle of proportionality and with a duty to consider growth and innovation when exercising its functions.
DSIT does not intend to identify an existing, or propose the establishment of a new, regulatory body until further views on the proposed framework have been received and assessed.