UK Telecommunications Security Act 2021: 3 Documents From The Regulators Every Telco Executive Should Read

In 2019, the UK Government (NCSC) conducted the UK Telecoms Supply Chain Review to assess and address potential risks associated with the supply chain of telecommunications infrastructure in the country. The review highlighted the risks associated with reliance on certain vendors, particularly those with high-risk profiles. It also recommended increased oversight and regulation to mitigate security risks and protect critical national infrastructure.

To that effect, the UK government enacted the Telecommunications (Security) Act 2021 (TSA) on October 1st, 2022. This legislation empowers the Office of Communications (Ofcom) to intervene in the cybersecurity practices of telecommunications service providers, ensuring the resilience and integrity of core telecommunications networks in the UK.

What is TSA?

The TSA establishes a comprehensive security framework for telecom service providers, imposing specific obligations and measures to identify, reduce, and mitigate the risk of security compromises. The Act classifies providers into three tiers based on their scale and criticality, with each tier having distinct compliance obligations.

Document 1: UK Telecoms Supply Chain Review Report from the UK Department for Digital, Culture, Media and Sport

UK Telecoms Supply Chain Review Report: “The Review’s starting point was a set of concerns about the security and resilience of the UK’s telecoms networks, largely related to:

(a) inadequate industry practices overall, driven by a lack of incentives to manage security risks to an appropriate level; and

(b) the risk of national dependency on a small number of viable suppliers”

Why is the TSA Needed?

The UK Telecoms Supply Chain Review (2019) revealed the absence of a comprehensive security framework and adequate practices within the UK telco industry. Telcos often faced the challenge of balancing security considerations against their commercial priorities. However, with the government's increased emphasis on strengthening cybersecurity through TSA and the potential fines imposed by Ofcom, telcos will be compelled to adopt a new approach and invest in robust security measures to ensure compliance and protect their networks.

Why is Adhering to the Regulation Challenging?

TSA introduces a comprehensive security framework that requires telecom providers to adhere to specific technical requirements and measures. Ensuring compliance with these requirements across complex and extensive networks, interconnected systems, and legacy infrastructure can be a daunting task. Reevaluating their current security measures, identifying vulnerabilities, and making necessary adjustments to meet the standards set by TSA is a time-consuming and resource-intensive process for telcos. Implementing TSA requirements may also have an impact on their current network upgrade or other transformation engagements. Collaboration with multiple internal stakeholders and coordination with regulatory bodies will add further complexities and overheads.

Document 2: Security analysis for the UK telecoms sector from NCSC

Security analysis for the UK telecoms sector: “Upon completing the threat analysis, the majority of the highest scoring attack vectors fitted into one of the following five categories:”

loss of the national capability to operate and secure our networks (dependency)

How can Telecom Executives Implement TSA Requirements?

The TSA has provided a roadmap to success. Telecom providers should refer to the Code of Practice accompanying the Act. The Code of Practice outlines specific technical requirements and measures that providers must adhere to in various areas, such as network architecture, protection of data and network functions, monitoring and analysis, supply chain management, access control, remediation and recovery, governance, reviews, and testing.

Document 3: Code of Practice from the UK Department for Digital, Culture, Media and Sport

Section 1: Introductory and background information

Section 2: Key concepts that need to be understood

Section 3: Technical guidance measures & implementation timeframe

During the public consultation process of the Regulation and its associated code of practice, public telecom providers, industry trade bodies, and telecom suppliers raised a number of concerns. They expressed apprehension regarding the feasibility of meeting the prescribed measures within the tight timeframe and without incurring disproportionate costs. Of particular concern were the targets for the gigabit rollout and the development of 5G services, as they posed a risk to the resources required for implementing the new security measures. Furthermore, there were concerns that the rapid pace of implementations might inadvertently introduce new security vulnerabilities.

The Need to Modernise Your SOC Tools

This demonstrates the crucial importance of agility and quick adaptation for telcos in response to new compliance requirements. It serves as another example of an external shock that IT teams must navigate. As a market share leader in SIEM, we witness daily how top security teams swiftly adapt to new situations. Whether it's integrating a new technology or service into security monitoring, addressing novel tactics employed by cyber attackers, or fulfilling new compliance requirements such as expanding log retention times and re-architecting storage, our platform, Splunk SIEM, empowers your SOC Team to adapt rapidly. Start planning your SOC Tooling Modernization now to enhance the efficiency and effectiveness of your (as per the TSA, UK-based) SOC Team.

Global telcos such as Swisscom and Telenor have already embraced Splunk Enterprise Security to leverage data-driven insights and help ensure comprehensive visibility and swift detection to better proactively defend against cyber threats. This has set them up for success and will make aligning with new regulations simpler.

Next Steps?

The TSA requires telecom providers to enhance their cybersecurity practices. If you have questions about the details, know that you're not alone. At Splunk, we specialise in addressing the toughest aspects of cybersecurity, security operations, and security automation. We're here to support you throughout the process.

Contact us for our briefing document on TSA, which offers in-depth insights into implementing TSA measures. Stay tuned for more information as we delve further into how Splunk helps you comply with TSA security logging and monitoring requirements.
