Telecoms security and resilience update - December 2023

15 Dec 2023 12:44 PM

Ofcom has proposed to update its resilience guidance to provide greater clarity on how UK telecoms companies can reduce the risk of network outages. The regulator is taking the opportunity - post-TSA - to update its resilience guidance for communications providers, setting out the measures it expects PECN/PECS to take to keep their networks running. 

They include:

• making sure networks are designed to avoid, or reduce, single points failure;
• making sure key infrastructure points have automatic failover functionality built in, so that traffic is immediately diverted to another device or site when equipment fails; and
• setting out the processes, tools and training that should be considered to support the requirements on resilience.

Communications providers have a legal obligation to identify, prepare for and reduce the risk of anything that compromises the availability, performance or functionality of their network or service. 

Sections 105A to 105D of the Communications Act (2003) was amended by the Telecoms Security Act, which commenced in 2022. The TSA amendments included the definition of a "Security Compromise", and that the concept of a Security Compromise in the 2003 Act includes Resilience Incidents, Ofcom is updating existing resilience guidance to provide greater clarity on how PECN/PECS providers can comply with their security duties. The proposed guidance describes a range of practices in the architecture, design, and operational models that underpin robust and resilient telecoms networks and services as well as more specific measures that Ofcom expects communications providers to consider. 

The consultation is open now and deadline for submissions is 17:00 on Friday 1 March 2024. Ofcom intends to publish its statement on the resilience guidance, and next steps on mobile RAN power resilience (more info below), in summer 2024.

Government response: the uses and security of Private Telecommunications Networks within the UK

In the summer, DSIT launched a call for information on the uses and security of private telecoms networks, noting that as the use of private networks increases, it was important for government to have an understanding of the implications of this growth, and how impactful damage or disruption to those networks could have on users of critical services. techUK members contributed to this call - and in total, DSIT received 41 responses from a range of individuals and organisations. 

Earlier in the month, DSIT published its response to this call, summarising key findings and determining that it will use the information supplied, alongside wider evidence and research, to determine whether government intervention is necessary to protect private telecoms networks.

The following themes were identified:

• Private telecoms networks are being used in a range of critical sectors (c.90% of providers stated they had customers in these sectors) and where private telecoms networks are deployed, they are typically being used for business-critical functions.
• Of the customers and providers who responded to the call for information, security was a key feature and rationale for the procurement of private telecoms networks.
• Whilst respondents predominantly believed the market for private telecoms networks is developing a way which promotes good security and resilience and that standards were broadly supporting the deployment of secure and resilient private telecoms networks, there was appetite for a range of future interventions. This included developing guidance, education initiatives and ensuring adequate funding for innovation projects on the security and resilience of private telecoms networks.
• Respondents noted positive and negative effects of future technological developments (e.g. with AI) on private telecoms networks and the need to monitor the impacts of technology as it evolves. This covered the development of existing technology such as ‘on device’ security protocols and the emergence of future technology such as quantum decryption.
• Most respondents stated that private and public networks should continue to be treated differently due to their distinct security characteristics. A small number of respondents called for further work in creating a clearer legal definition for private telecoms networks.
• Respondents outlined a range of security risks that could be prioritised when developing policies regarding private telecoms networks. These included risks relating to cyber and physical security of private telecoms networks and overall security of the supply chain. Respondents also stated that device security, data infrastructure and work to specifically address the risks to critical sectors could also be prioritised.

If you're interested in discussing these themes, members are welcome to join an upcoming TSA Session which techUK hosts every month. The next dates are 14 December, 25 January and 22 February. 

Power backup for mobile networks

Alongside the resilience guidance, Ofcom is also calling for input on power backup for mobile networks, which are dependent on electrical power to function, and outages can cause service disruption for customers.

Currently, the amount of battery backup in place varies by MNO - the regulator is kickstarting a discussion about what power backup MNOs can and should provide for their networks and services, with a view to implementing this in future guidance, and/or working with industry and Government to identify and pursue other ways to address this issue.

As above, the deadline for submission is 17:00 on 1 March 2024. Details can be found on page 42 of this document.