Strict new rules for telecoms firms to prevent cyber-attacks on UK networks
Broadband and mobile companies will have to follow stricter security rules in order to better protect UK networks from potential cyber-attacks.
The Department for Digital, Culture, Media & Sport (DCMS) said the security regulations will be “among the strongest in the world” and will provide protections designed to prevent network failure or the theft of sensitive data.
This will include protections for the electronic equipment and software at phone mast sites and in telephone exchanges, which handle internet traffic and telephone calls.
Currently, telecoms providers are responsible for setting their own security standards in their networks. However, the government’s Telecoms Supply Chain Review found providers often have little incentive to adopt the best security practices.
The new regulations and code of practice were developed with the National Cyber Security Centre and the industry regulator Ofcom, and will force providers to embed good security practices in long-term investment decisions.
This includes protecting the data processed by their networks and services while securing the critical functions that allow them to be operated.
It also requires firms to protect the software and equipment that monitor and analyse their networks and services, and to take account of supply chain risks.
Digital infrastructure minister Matt Warman said: “We know how damaging cyber-attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.
“We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which will secure our communications against current and future threats.”
NCSC technical director Dr Ian Levy said: “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.
“Ofcom will oversee, monitor and enforce the new legal duties and have the power to carry out inspections of telecoms firms’ premises and systems to ensure they’re meeting their obligations.
“If companies fail to meet their duties, the regulator will be able to issue fines of up to 10 per cent of turnover or, in the case of a continuing contravention, £100,000 per day.”
From October, providers will be subject to the new rules and Ofcom will be able to use its new powers to ensure providers are following the guidance.
This includes identifying any ‘edge’ equipment that is directly exposed to potential attackers, including radio masts and internet equipment supplied to customers, such as Wi-Fi routers and modems, which act as entry points to the network.
Providers will be expected to meet all the expectations by March 2024. The code will also be updated periodically to ensure it keeps pace with evolving cyber threats.
Avishai Avivi, CISO at SafeBreach, said: “Rather than tick-the-box compliance with generic guidelines, specific recommendations and requirements will require organisations to remediate any deficiencies they may currently have.
“While there are several important aspects to the legislation, we particularly welcome how the legislation requires that penetration testing includes regularly simulating real techniques that might be used in an attack on the network.
“Continuous security control validation is the only way to truly ensure the organisation’s resilience to malicious attacks.”