As a continuation of our content detailing legislative changes affecting organisations with regard to cybersecurity and compliance, we wanted to take a closer look at the 2021 Telecommunications Security Act.
While not a new one, this piece of legislation details the measures which providers of this Critical National Infrastructure (CNI) must take with regard to the security of the services they provide, as well as the fines and measures which can be taken by regulators (in this case, OFCOM) to ensure compliance with the regulation.
These powers came into effect from October 1st 2022, and OFCOM is bolstering its capability to investigate and enforce compliance.
The impact of non-compliance
If a telecoms provider is found not to comply with these security duties, fines of up to 10% of relevant turnover can be imposed, or, in the case of continuing failure, £100,000 per day.
For failure to provide information, or refusal to explain a failure to follow a code of practice, there are fines of up to £10 million, or £50,000 per day for continuing failure.
What's included in the act?
Detailed within the Telecommunications Security Act are four key areas of focus for companies:
- Making sure that network equipment that handles sensitive data is securely designed, built and maintained
- Reducing supply-chain risks
- Carefully controlling access to sensitive parts of the network
- Making sure the right processes are in place to understand the risks facing public networks and services
In addition, there is a provision about monitoring providers’ use of ‘high-risk vendors’. This is essentially an expansion of the supply-chain risk, but specifically targeted at reducing inherent risk from using vendors which may be providing insecure hardware or software.
Key within the provisions is a requirement to be able to secure systems and networks, but also to be able to detect and respond to a security incident, with response plans in place in the event of a serious breach impacting availability or disclosing sensitive information. Regular readers will recognize these as the first four pillars of the NIST methodology.
1. Ensuring network equipment that handles sensitive data is securely designed, built, and maintained:
This provision is intended to ensure that security is at the heart of service provision and not considered as an afterthought.
As organisations have adopted more agile DevOps methodologies, many development and deployment practices have reduced the emphasis on security within project and programme lifecycles; security is often seen as a constraint on agile delivery.
This approach is in conflict with the cybersecurity objective to “move-left” with regard to security – ensuring a secure-by-design approach where security is considered at the first stages of programmes.
These principles should be extended to the transition from project to Business As Usual (BAU) operations, ensuring that support and maintenance of the network equipment continue to operate within the security guidelines. These should therefore be designed with usability in mind; a process which is cumbersome and seen to disrupt day-to-day operations will not be adopted by the parties responsible for those operations.
Organisations should ensure that:
- Design principles include clear guidance on security principles as part of discovery phases of projects and procurement processes.
- Vendors of both services and hardware/software are assessed with regard to their security principles and operations.
- Support contracts include a clear understanding of the security principles applicable to the provision of services.
- Assessments and testing are conducted to ensure continuous compliance with security objectives.
- Data security principles and reporting obligations are clearly outlined in contracts and functional specifications.
- Procedures and technical provisions are in place for detecting and responding to a security breach in a timely fashion.
- Disaster recovery and business continuity plans are in place, with clearly defined roles and responsibilities for incident response.
2. Reducing supply-chain risks:
This provision is intended to ensure that all elements of the software, hardware and services supply chain are not introducing vulnerabilities to the key networks and service provision.
With this objective in mind, CISOs must work with procurement functions and programme directors to ensure that adequate assessments are undertaken prior to the commencement of contracts for provision.
In addition, continual testing and assessment of security practices should be undertaken as the threat landscape evolves.
Consider the following:
- Have all suppliers involved in the provision of services been assessed for their security compliance, both for onboarding and periodically afterward?
- Do suppliers provide updates on security practices, such as patching, testing, and continual monitoring?
- Have relevant elements like SOC2 certifications been reviewed?
- Are provisions in place to test the effectiveness of security across the supply chain?
- Can you demonstrate any gaps in security within the supply chain and are provisions in place to address these?
3. Carefully controlling access to sensitive parts of the network:
This provision is intended to secure the most fundamental elements of the technical infrastructure, through the adoption of technical and process controls around accessing sensitive data and functionality.
Concepts such as network segmentation can prevent traversal from less-secure environments to critical parts of the infrastructure, while controlling the use of privileged accounts can limit the impact of credential misuse.
Effectively segregating where sensitive data is stored reduces the risk that it is exposed by the more common attack methods and, combined with good cyber-defence practice, lowers the likelihood of a breach.
Consider the following:
- Is there physical or logical separation of networks to reduce the likelihood of traversal between segments?
- Are privileged accounts controlled and monitored for use?
- Do you map sensitive data to assets in which it is stored, transmitted, and processed?
- Can you identify vulnerabilities which may impact sensitive parts of the network, such as hardware or software vulnerabilities and zero-days?
- Have you implemented patching processes to reduce vulnerabilities?
- Have all users with access to sensitive networks been appropriately trained with regard to cyber threats and defence techniques?
- Have you integrated critical systems and infrastructure with SOC operations via SIEM/SOAR solutions?
- Do you test these controls, and can you demonstrate their effectiveness?
  - Think about penetration testing.
  - Think about testing security awareness and culture.
  - Think about systems of record for control effectiveness.
- How do you demonstrate compliance?
4. Making sure the right processes are in place to understand the risks facing their public networks and services:
This provision is intended to ensure that organisations are aware of the internal and external threats facing the provision of their critical services.
In risk management terms, we would refer to this as a risk assessment, but in cybersecurity terms, this might be considered as Cyber Threat Intelligence (CTI).
Ensuring that you have documented risks and can tie these to assets is the first step in establishing an effective Risk and Control Matrix for your organisation. Mapping these risks to the systems, networks and infrastructure impacted then allows you to determine the effectiveness of the controls applied to the impacted systems.
Gaps in controls can then be identified and addressed as part of continuous improvement plans.
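The mapping just described (risks tied to assets, assets tied to the controls that must be applied, and gaps surfaced where a required control is missing or failed its last effectiveness test) can be made concrete in a few lines. The following is an added illustration, not code from the original post or any tool it refers to; the Risk, Asset, Control and Gap structures, the control identifiers and all the sample risks and assets are constructed assumptions for the example.

```python
"""Minimal Risk and Control Matrix (RACM) gap analysis.

Added example, not from the original post. Assumptions: each risk lists the
assets it affects and the controls that must be applied to them; each asset
records which controls are implemented and whether the most recent
effectiveness test passed. All identifiers and data below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str


@dataclass
class Asset:
    name: str
    # control_id -> True if implemented and last test passed, False if implemented
    # but last test failed; a control absent from the dict is not implemented.
    implemented: dict = field(default_factory=dict)


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                 # the party responsible for managing the risk
    assets: list               # Asset objects impacted by this risk
    required_controls: list    # Control objects that must apply to each asset


@dataclass(frozen=True)
class Gap:
    risk_id: str
    asset: str
    control_id: str
    reason: str                # "missing" or "ineffective"


def find_gaps(risks):
    """Return one Gap per (risk, asset, control) where the control is absent or failed testing."""
    gaps = []
    for risk in risks:
        for asset in risk.assets:
            for control in risk.required_controls:
                status = asset.implemented.get(control.control_id)
                if status is None:
                    gaps.append(Gap(risk.risk_id, asset.name, control.control_id, "missing"))
                elif status is False:
                    gaps.append(Gap(risk.risk_id, asset.name, control.control_id, "ineffective"))
    return gaps


def control_effectiveness(risks):
    """Per risk: fraction of required (asset, control) pairs implemented and passing testing."""
    result = {}
    for risk in risks:
        total = len(risk.assets) * len(risk.required_controls)
        passed = sum(
            1 for a in risk.assets for c in risk.required_controls
            if a.implemented.get(c.control_id) is True
        )
        result[risk.risk_id] = passed / total if total else 1.0
    return result


# Constructed sample data (not real systems or controls).
SEGMENTATION = Control("CTL-01", "Segmentation between corporate LAN and core network")
PAM = Control("CTL-02", "Privileged access management with session monitoring")
PATCHING = Control("CTL-03", "Patching within agreed SLA")
SIEM = Control("CTL-04", "Log forwarding to SIEM")

core_router = Asset("core-router-01", {"CTL-01": True, "CTL-02": True, "CTL-03": False})
subscriber_db = Asset("subscriber-db", {"CTL-01": True, "CTL-04": True})

RISKS = [
    Risk("R-01", "Lateral movement from corporate LAN into core network",
         "Head of Network Operations", [core_router, subscriber_db], [SEGMENTATION, PAM]),
    Risk("R-02", "Exploitation of an unpatched vulnerability on a sensitive system",
         "CISO", [core_router, subscriber_db], [PATCHING, SIEM]),
]

if __name__ == "__main__":
    for gap in find_gaps(RISKS):
        print(f"{gap.risk_id} {gap.asset:16} {gap.control_id} {gap.reason}")
    for risk_id, score in control_effectiveness(RISKS).items():
        print(f"{risk_id}: {score:.0%} of required controls effective")
```

Running the script lists each gap as a (risk, asset, control, reason) row, which is the unit a continuous improvement plan can track, and gives a per-risk effectiveness figure that makes it obvious which risk owner has the most work outstanding. The same structure extends naturally to supplier-side controls by treating a supplier's service as an asset with its own required controls.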
Consider the following:
- Do RACMs accurately represent the risks presented to service provision, sensitive data, supply chain risk etc.?
- Do those RACMs clearly articulate the controls which must be applied to the risks?
- Do RACMs clearly articulate the responsibilities of the impacted parties in managing risk?
- Are RACMs continuously reviewed and updated as part of project and programme work?
- Is there a clearly articulated response to failures in control processes?
- Does this response include notification of regulators, to ensure compliance with legal requirements?
The TSA does not detail anything new that organisations should be doing, but it raises the profile of these best practices and the requirement to demonstrate that they are being followed.
The increased power to impose fines and penalties for non-compliance will force an increased level of focus on these practices and should ensure that sufficient attention to these is paid by both senior executives and shareholders.
The impact on the supply chain should not be underestimated, as providers to these organisations will have increased requirements to comply, replicating this effort across multiple sectors of the industry.
If you would like to know more about compliance with the requirements laid out in the TSA, or any other regulatory requirements, please contact us at firstname.lastname@example.org