Telecommunications Security Act (TSA): Timescales, Impact and Actions

With the first deadline for the Telecommunications Security Act (TSA) looming, many telecoms/broadband providers are starting the process to further understand the implications and work needed for the TSA. This blog serves as a general guide to those confused about the security framework underpinning the act known as the Code of Practice, and whether this is a legal obligation or a list of recommendations.

What is the purpose of the act?

The act is designed to set a legally binding minimum set of security standards to address issues from recent breaches where security standards and responsibilities have not been defined, and where implications may fail outside of PCI (Payment Card Industry) or the ICO (Information Commissioners Office).

Whilst you may not have a direct requirement for compliance with the act, your providers or suppliers may have requirements imposed meaning you are brought into the scope of the act. It is also worth noting that OFCOM are understood to be referring to the Code of Practice during Cyber Security incidents.

Timescales

Depending on your tier (1,2 or 3) you have different timeframes for completion of the stages.

The tiering system places public telecoms providers in one of three tiers, based on their commercial scale:

As above, the first set of measures for Tier 1 should be completed by 31 March 2024 and 31 March 2025 for Tier 2. This includes controls M1.01 to M5.07 (Page 74 to page 80 in the Security Code of Practice document).

Who is impacted

The Act affects more than just telecom providers, other impacted parties include, network and service providers, ISPs, hardware vendors, software developers and even mobile providers.

This has raised a lot of confusion, and companies are now trying to minimise their third parties as a large percentage of the controls are related to supply chain management and risk assessments of third parties.

Whilst some companies may be unaffected due to their size, with many mergers and acquisitions occurring within the impacted industries these organisations must be aware of the organisational changes that may impact their tier going forward, as well as the systems, processes and third parties which these changes may produce.

Telecommunications Security Code of Practice (The Code of Practice)

Published by the Digital, Culture, Media and Sport (DCMS) and with content from the NCSC;

The main focus for the standard is detecting and responding to a breach, 3rd party and supplier management and management of your network equipment.

This code of practice is not designed to be prescriptive but should be used as a baseline standard with some rough guidance based on the requirements the NCSC are trying to convey.

It’s worth noting that much of this code of practice is taken from the NCSC Cyber Assessment Framework which is becoming a popular framework to simply monitor risk in simple non-technical categories.

The cost of non compliance 

OFCOM, the regulatory authority for communications in the UK, has been granted enhanced enforcement capabilities to guarantee the safety and security of the country’s telecommunications networks, ensuring that telecom providers adhere to their security obligations.

For non compliance, a company can be fined up to a maximum of ten per cent of their relevant turnover, or in the case of a continuing failure to comply, £100,000 per day.

Where to start

• Attackers look for weaknesses in people or technology. Training staff on phishing is a simple and free way to reduce your risk. From a technical perspective, running the same tools that hackers do to look for the “open window” in your network ensures you can find and fix these issues before a hacker exploits them. The Code of Practice recommends continuous scanning to detect these issues. If you don’t have the tools or expertise to run these, your security partner or ourselves can help with a fully managed service, which is normally more cost effective than buying common tools like Tenable Nessus yourself. Control (Measure Number) M11.22
• Third party supplier management is one of the most challenging and time consuming activities, once you have your data flows this should identify suppliers who then must be assessed for risk, at this stage minimising third parties can help to reduce the workload as over 75 controls refer to the supply chain and third parties. Control (Measure Number) M11.22
• Being able to detect a breach and react 24/7 tends to be the most costly set of controls to meet. Either you build a team of generally 5 people to monitor 24/7, buy tooling and train your staff to be able to configure and detect advanced threats or you outsource the task to a third party. Communicate designed a solution using no third parties to only add one supplier. We also support the completion of the assessment to reduce workload. M16.01 – M16.22

How can we help?

The following areas Communicate can provide support, solutions or managed services for:

• Overarching security measures
• Supporting business processes
• Third party supplier measures
• Management plane (Incident Response/Detection of Vulnerabilities)
• Virtualisation (Security of;)
• Network Oversight Functions (CIS/NIST benchmarking and support)
• Monitoring and analysis (SIEM/MDR/XDR/SOC/Detection and Response)

If you’d like to chat with us about your TSA requirement, please contact us.