Recent years have seen an increase in cybersecurity incidents across the UK, the EU, and around the world.
As service providers continue to invest in the expansion of 5G infrastructure and connectivity becomes increasingly crucial to the way the world operates, governments are updating telecommunications security rules and adopting new frameworks to reduce risk and ensure the security of infrastructure that is deemed critical to national security. The UK is well down this road, with the bulk of new requirements coming into effect in March of next year (or 2027 for Tier 2 service providers). But this trend is developing in EU countries as well, and service provider leaders across the world should look to update network management and security strategies to get ahead of upcoming regulatory requirements.
With the evolving network security landscape and fast-approaching regulatory deadlines, service providers are faced with a significant challenge: reduce manual touchpoints to increase reliability, adopt new security tools and practices to manage security across distributed networks, and reduce reliance on specific equipment vendors — all while managing the costs of this transformation.
What Is the Telecommunications Security Act?
In the UK, 2020 saw a 106% increase in malware and a record 18,341 new vulnerabilities (CACI). Networks are expanding and becoming more distributed, and there is increased scrutiny on equipment vendors from a cybersecurity perspective.
The UK Office of Communications (Ofcom) first introduced a new telecommunications security regulatory framework in 2020 with the Telecommunications Security Act (TSA), which was finalized in 2021. The TSA establishes new requirements and duties for service providers and gives Ofcom more regulatory powers for enforcement. After some public consultation, the complementary Electronic Communications Regulations and the Telecommunications Security Code of Practice were finalized in 2022, outlining the requirements and offering specific practical guidance, implementation requirements, and a compliance framework for service providers to follow. Requirements come into effect over the next several years, with different deadlines for Tier 1 and Tier 2 providers.
The regulations will require telecommunications service providers to implement new practices around:
Automation & Access Control
- Automation is viewed as a central pillar of the new guidelines, and service providers must increase automation adoption to enhance security and resilience of networks and services.
- Reducing manual touchpoints will be crucial to ensuring strict security across a wide range of network services.
- With automated network services, SPs must also implement stringent access controls and must segment networks to limit the impact of unauthorized access or breaches.
Network & Service Monitoring
- SPs must implement new systems to continuously monitor network traffic and activities and to detect any anomalies across a hybrid, multi-vendor network.
- SPs must maintain audit logging for all network changes.
Reporting & Compliance
- Incidents must be reported swiftly, and the definition of what constitutes an incident has been expanded.
- Ofcom has been granted new regulatory powers, and SPs must allow for regulatory audits to verify compliance with telecommunications security rules.
Supply Chain & Equipment Vendors
- New equipment security standards will mean some equipment in use today is now considered non-compliant — SPs will have to migrate away from these and only use equipment that meets standards.
- SPs must have oversight of vendors to ensure TSRs are followed.
- SPs must work closely with vendors on assurance testing for systems, software, and physical equipment.
Data Protection
- All systems must be hardened against potential attacks.
- SPs must implement robust encryption methods to protect data in transit.
Governance & Risk Management
- The laws establish new standards for risk assessment and risk documentation.
To dive into the regulations in full, refer to the policy papers here — of the three documents, the Electronic Communications Regulations contain the most detail regarding specific technical requirements, while the Code of Practice is a great resource for guidance on how to comply.
Security Requirements Deadlines
Regulations must be followed within a tight timeline, with a two-year buffer for Tier 2 service providers compared to Tier 1 providers. For Tier 1 providers, the “most straightforward and least resource intensive measures” came into effect in March of this year — but for the bulk of the new requirements, compliance is required by 31 March 2025. For Tier 2 SPs, the first deadline is 31 March 2026 and the full deadline is 31 March 2027. See here for official definitions of SP tiers in the UK.
The Challenge: Cost
All of these requirements are important and worthwhile as we move further into an era where communications technology is so foundational to business and life. However, short timelines and stringent requirements have placed a significant burden on service providers: cost.
How can UK providers ensure they comply with new regulations and implement stricter security measures without incurring overwhelming costs?
Network Integration & Orchestration With Itential: Transform Network Management While Minimizing Costs
Like most wide-reaching industry policy products, the Electronic Communications Regulations and the Code of Practice were subject to public review before being finalized. One major theme amongst responses was “apprehension regarding the feasibility of meeting the prescribed measures within the tight timeframe and without incurring disproportionate costs” (Splunk). This lines up with all the conversations around TSA and security rules I’ve had with leaders at UK service providers.
Providers are facing a government mandate to update how they manage networks, gain visibility into distributed network infrastructure, and drastically reduce incidents, all in a very short time frame. What’s become clear to me, speaking with not only UK telecoms but also those in the EU eyeing similar upcoming laws, is that Itential’s technology has the potential to play a significant role in enabling providers to comply while saving money.
Let me be clear: Itential is not a network security platform.
What it is, though, is a central integration and orchestration platform that federates multi-domain, multi-vendor networks and can integrate with any security platform on the market.
Itential provides the following capabilities which are crucial to cost-effective compliance with upcoming security regulations:
Low-Code Orchestration
Teams can incorporate all manner of different devices, services, security platforms, and more into orchestrations — workflows that sequence automations to create an end-to-end outcome. In terms of cost-effective compliance with telecom security requirements, this helps in two major ways: teams are able to build threat/breach response workflows that instantly trigger in response to detected anomalies, and, crucially, the low-code nature of Itential’s workflows allows teams to use the platform without a costly investment in retraining.
Onboards All Vendors’ Network Devices for CLI Automation
Itential’s vendor-agnostic device onboarding and the ability to push CLI configuration changes via orchestrated workflows will allow providers to easily switch out non-compliant vendors for vendors that meet security standards, with minimal impact to the network. Crucially, this allows providers to reduce manual touches and automate configuration changes across their entire library of devices.
Federates Network Devices, Domains, & Services to Provide Centralized Visibility
Network engineers can view all devices and services in a distributed network and leverage them for automation, audit logging, compliance reports, and more. Itential’s federation capabilities reduce the need for tool sprawl and enable providers to stop paying for more limited visibility tools.
Integrates With Security Platforms
Itential is able to generate integrations to other platforms by using API documents, allowing teams to use one platform to take in alerts and build automated responses leveraging multiple security platforms. See this case study for an example of multi-vendor security threat responses with Itential.
Configuration Compliance
Itential enables centralized configuration compliance management, eliminating the need for point solutions. Teams can manage CLI and API compliance within the same platform and can leverage Golden Configuration templates with hierarchical logic to build dynamic reports and deliver insights to network services. In addition, teams can build remediation workflows that trigger when issues are detected so devices are non-compliant for as little time as possible.
With Itential, teams can centralize the way they manage networks and minimize error-prone manual activity while building workflows that can leverage data from any source in the network. Itential also allows organizations to avoid headcount-related costs by increasing the productivity of the existing network teams. It’s the most efficient support system for the security solutions and threat intelligence that providers are looking to utilize.
This is why, as a network orchestration and integration platform, Itential still has a vital role to play in enabling providers to transform their security approaches and minimize the cost of network transformation. Automation is the key to advancing security while keeping costs down, and Itential is the leading automation and orchestration platform on the market.
Are you wondering how your organization will manage to comply with upcoming regulations in 2025 (Tier 1) or 2027 (Tier 2)? Or perhaps you’re eyeing similar upcoming laws in Germany, Italy, other EU member states, or anywhere else around the world.
Whatever your position, feel free to reach out — I’d love to have more conversations with service provider leaders about how Itential can help manage costs while enabling the transformation required to comply with strict new security rules. We have experience working with the world’s largest service providers and helping them reduce manual CLI configuration, reduce errors, detect threats faster, respond to threats anywhere, and ensure comprehensive audit logging and rapid incident reporting in case incidents do occur. Please feel free to reach me on LinkedIn.
To look through the upcoming UK telecom security rules yourself, see all three major policy documents here. You can also learn more about our work with service providers here.