Telecoms (Security) Act

The UK Telecom Security Act will soon come into effect. Are you prepared?

Get ready for big changes

Even if the final versions of the Statutory Instruments or the Code of Practice haven’t been released yet, the picture is becoming clearer: for most network providers the Telecoms Security Act will mean an overhaul of today’s processes for prevention, monitoring and remedy of security threats.

However, you should not see this only as an extra burden for your organization and a threat of penalties of up to £100,000 per day for non-compliance. This is an opportunity that, besides improving security, can help you implement automated work processes that cut operating costs and improve service quality.

We're here to help

See below the main topics of the Statutory Instruments (SI) and how PacketFront can assist you in addressing many of the requirements. If you want to know more about other benefits, check the rest of our homepage and get in contact with us!

Tier 3 provider?

Providers with less than £50m in turnover are currently exempted from TSA requirements, but here are some of the reasons why you should consider compliance:

  • Tier 3 providers must continue to take appropriate measures to comply with the new duties under the Act

  • If you supply services, like connectivity, to Tier 1 or 2 operators you are part of their supply chain and need to comply

  • In merger and acquisition situations compliance means your assets have a higher valuation

  • And last but not least: The requirements in TSA are sensible. The security is ultimately for your benefit, so don’t wait until somebody hacks into your network. You can come a long way ‘for free’ as an additional benefit of a cost saving network automation project.

The areas of interest


Network architecture
A network provider must design, construct and maintain the network in a manner which reduces the risks of security compromises.

We have been assisting carriers in building networks for more than 20 years. We can advise you on best practices for building a robust and secure management plane. But design is just the start of the journey. Maintaining it over time is more challenging, typically leading to deviation from the security rules as well as poor and lacking documentation.

The benefit of using BECS network orchestrator is that you enforce the security rules and record the use of the system, and thus reduce the risk of security compromises.

BECS has an always up-to-date network map making sure you have full view and control down to firmware versions and configurations used in the network.

Protection of data and network functions
A network provider must protect sensitive data and functions of the network.

By centralizing and automating the network management you limit your exposure, as manual access to the network can be highly restricted, making it easier to control and protect. Besides limiting the access, automation eliminates manually introduced errors, reducing the number of unintended security vulnerabilities.

Limiting access to the network control layer is, of course, not the whole answer. For example, network or end-customer devices may have software vulnerabilities. BECS provides full control of the used default configuration and enables swift rollout of any security updates via secure management protocols.

Monitoring and Audit
A network provider must monitor, analyse, and audit the use of the network or service to identify security compromises, using automated monitoring and analysis where possible.

Using our BECS network orchestrator means that you have full control and traceability of your network, who has accessed it, and what they have changed. As the changes are executed, the system automatically becomes your documentation, meaning that you have a real-time picture of your network down to details.

If an internal or external actor manages to bypass BECS and make changes in the network directly, the network orchestrator’s audit tools will detect these anomalies and report them for further analysis. If deemed appropriate, it can also automatically roll back the changes.

One key security aspect is the access to BECS itself. It can be installed on-premises or in a hosted environment. Regardless of which option you choose, the system will be securely located in the UK, making it easier to monitor and restrict access to.

Supply chain
A network provider must identify and reduce the risks of security compromises due to third party suppliers.

With BECS network orchestrator you have full control of what 3rd party suppliers have access to in your network as well as records of any actions taken by them.

BECS multi-vendor capabilities help you secure the equipment supply chain, whatever happens in the commercial, technical or political spheres. They give you full flexibility to choose hardware suppliers, and to swiftly transition between suppliers without affecting your existing services or business logic. You simply download a new ‘Element Manager’, as we call them.

This is good news not only from the supply perspective; it also gives procurement a powerful tool when comparing suppliers’ offers without creating technical lock-ins.

Prevention of unauthorised access or interference
A network provider must take appropriate and proportionate measures to reduce the risk of unauthorised access to the network or services.

BECS network orchestrator has several functions to protect the access to BECS itself and to network elements.

For example, access to BECS can be controlled via the TACACS+ protocol for maximum security, and you can control read/write access to the network by providing individual or group level user rights based on factors like geography or network hierarchy.

All passwords to access network elements are stored encrypted in BECS. This highly limits the number of people required to know these passwords and makes it more challenging for any intruder to get hold of the login information.

Remediation and recovery
A network provider must take measures to limit the adverse effects of and recover from security compromises.

If the worst happens, due to human error or a malicious act, and the network is changed in an unintended or unauthorized manner, BECS can rapidly restore the network to the last approved state, as it has a database with an always current desired state of the network.

The SI requires you to keep both online and offline copies of the information and to retain them in the UK. This is a standard procedure when using BECS and can be easily achieved with regular backups of the BECS database.

Governance and reviews
A network provider must ensure appropriate management of persons given responsibility for the taking of measures on behalf of the provider and regularly review the undertaken security measures.

The SI defines how operators should manage and create best practices for security related administration, i.e. manage business procedures, roles, user rights and responsibilities.

The governance also includes procedures for managing network security updates and equipment upgrades. Again, BECS is an excellent tool for managing these upgrades and making sure that everything is correctly documented.

The security measures should be reviewed annually evaluating risks and results.

Competency
A network provider must ensure that persons given responsibility are competent and are given appropriate powers and resources.

In manually operated networks the competence is typically in the hands (or rather heads) of a few key employees. This makes it challenging to onboard new personnel, leading to errors and, ultimately, security risks. When using BECS, the network is standardized and documented, meaning employees find it easier to understand the network structure and the service delivery.

In addition, PacketFront provides extensive training making sure that your personnel understand the system they are working with.

Testing and Assistance
A provider must carry out appropriate security tests to assess the resilience of the network or service.

Testing the security is the ultimate proof that you are compliant with the Telecom Security Act. Whether the testing is executed by your own employees or 3rd parties, the key personnel may not be aware of the tests in advance. Service providers must also give reasonable assistance to you and other relevant network providers in their testing, and all parties must share information about security compromises.

And lastly: Remember that the penalties will not be applied as long as you can prove that you have taken appropriate and reasonable preventive actions.

Patching and Updates
A provider must deploy any security related patches or mitigations within appropriate time considering the severity of the risk.

The SI specifies a 14-day time limit for deploying patches for security compromises. This can be challenging to achieve if a patch is for devices that have been widely deployed in the network. It can also be impossible to know, or prove, that all devices are running the right firmware.

With BECS you can do extremely fast and controlled upgrades and at the same time make sure that all devices connected to the network are using the intended firmware version.

Contact us to learn more

We are in dialogue with many UK-based operators to gather information and experiences about the Telecom Security Act. Don’t hesitate to contact us to get more information about the law or how we can assist you with compliance.