
Guest author

October 25, 2021

How the UK Telecom Security Act is a catalyst for positive change

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Alastair Williams, Director of Solution Engineering EMEA at Skybox Security explains how preventative security can help telcos avoid multi-million-pound penalties.

Following a lengthy parliamentary passage period, the UK’s Telecom Security Bill is set to become law this autumn, imposing new requirements on telecommunications operators. In short, the new legislation forces telcos to protect their networks against common attacks, utilising modern tools to identify and resolve security risks impacting critical voice network infrastructure.

Under the Act, operators must proactively identify “the risks of security compromises occurring; reduc[e] the risks of security compromises occurring; and prepar[e] for the occurrence of security compromises.” The Act empowers Ofcom to penalise non-compliance with £100,000 per day in fines, up to a maximum penalty of £10m.

Clearly, the law increases telecom providers’ responsibilities and pressures in ways that guarantee cybersecurity will be taken seriously. Telcos’ ability to comply and avoid censure will be determined by how well they can see, assess, and remediate their computing and network infrastructure threats.

Yet, practically meeting the new legal mandates presents an extreme challenge for operators because of the sheer complexity and scale of their networks. Carriers’ network sprawl and assets have grown significantly over time and are often burdened with redundant technologies and technical debt. Moreover, the size of any telco’s attack surface means many still don’t have a complete understanding of their security weaknesses across their hybrid infrastructure.

How telcos prepare themselves to work within the new regulations comes down to three main recommendations:

Crack the vulnerability management challenge

Gaining visibility of the problem is complicated by the considerably increasing volume of potential security vulnerabilities that an operator must now address. Skybox Research Lab reported 18,341 new vulnerabilities in 2020 and a record 106% increase in malware. Correctly identifying, assessing, and remediating vulnerabilities requires a new approach because the attack surface is so dynamic.

Vulnerability management’s centrality is underscored in the new legislation. The law requires a telecommunications provider to inform both Ofcom and its own users of any security vulnerabilities, expanding upon the existing requirement that the Information Commissioner’s Office must be notified of a security breach.

Clearly, the Act puts significant pressure on each communications provider to review and strengthen their security posture. The new law requires the provider not only to identify and reduce security risk effectively but also prepare for breaches.

Balance tighter security without compromising service quality

There is an added complication for telecommunications providers: They are simultaneously required to maintain critical services and scan their network infrastructures more intensively and extensively. Providers understand, however, that traditional security scanning can cause service outages and performance problems.

The answer must therefore be more modern security strategies that assure compliance with the new stricter regulations while simultaneously guaranteeing continuous network and service availability.

Complete network visibility can be achieved by understanding all network infrastructure components along with identifying the device, its configuration, and firmware version. Using this detail, real-time threat intelligence can pinpoint vulnerabilities that affect specific devices. Once exploitable vulnerabilities are identified across the attack surface, security ops can deploy fixes, controls, and countermeasures, including firewalls or patches.

Based on prior experience managing a major carrier’s security infrastructure, it is incredibly difficult to change telecom infrastructure architecturally, introduce components, or rapidly perform upgrades. Such work must be meticulously planned and timetabled to be done overnight; any risk of something going wrong and impacted services must be avoided. Downtime itself causes regulatory problems with Ofcom, as well as damaging customer trust and a provider’s brand value.

Ensure clear prioritisation so that the most dangerous vulnerabilities are remediated first

For forward-thinking telcos, complying with the legislation has meant adopting a security platform that includes hybrid network visibility, threat intelligence, vulnerability prioritisation, and security policy management in a single view. Proactive cybersecurity requires a data-driven approach that can spot vulnerabilities on mission-critical assets. Then, attack simulation can ensure the right compensating controls are in place to remediate vulnerabilities quickly.

Alternatively, security teams can use data to outsmart bad actors. For example, if there is no known exploit code and no accessibility, there is minimal risk, and the work can be deprioritised. On the other hand, if there is known exploit code yet no accessibility, there is still a level of risk, such as a bad change inadvertently opening up unintended access. The worst-case scenario would be a vulnerability which is actively being exploited in the wild on a server with a clear access path from a threat origin, making this a top priority for remediation.

Using these different levels of prioritisation, telecommunication providers can get the visibility they need and ensure they are using their limited resources in the right areas to minimise risk and ultimately meet regulatory requirements.
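The two ideas above, matching advisories to devices by vendor, model and firmware version, and then ranking each finding by exploit availability and network reachability from a threat origin, can be expressed as a small script. The following is an added illustration written for this page, not code from the author or from Skybox Security; the asset inventory, advisory list, vulnerability identifiers (VULN-000x placeholders, not real CVEs) and zone names are all constructed for the example, and the four risk levels follow the article's own description: no exploit and no path is lowest, public exploit without a path is next, reachable with a public exploit is high, and exploited in the wild with a clear access path is the top priority. Mission-critical assets are used as a tie-breaker within a level.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str                  # running firmware version, e.g. "7.1.0"
    critical: bool                 # True for mission-critical (voice core) assets
    reachable_from: Set[str] = field(default_factory=set)  # zones with a network path to this device


@dataclass
class Advisory:
    vuln_id: str                   # constructed placeholder ids, not real CVE numbers
    vendor: str
    model: str
    fixed_in: str                  # first firmware version that contains the fix
    exploit_public: bool           # known exploit code exists
    exploited_in_wild: bool        # actively exploited according to threat intelligence


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Match an advisory to a device by vendor, model and firmware version."""
    return (asset.vendor == adv.vendor and asset.model == adv.model
            and version_tuple(asset.firmware) < version_tuple(adv.fixed_in))


def risk_level(asset: Asset, adv: Advisory, threat_origins: Set[str]) -> Tuple[int, str]:
    """Rank a finding using exploit availability and reachability from a threat origin."""
    reachable = bool(asset.reachable_from & threat_origins)
    if adv.exploited_in_wild and reachable:
        return 4, "exploited in the wild with a clear access path: remediate first"
    if adv.exploit_public and reachable:
        return 3, "public exploit and reachable: apply a compensating control, then patch"
    if adv.exploit_public:
        return 2, "public exploit but no access path: watch for a bad change opening access"
    return 1, "no exploit code and no access path: deprioritise"


def prioritise(assets: List[Asset], advisories: List[Advisory],
               threat_origins: Set[str]) -> List[Dict]:
    """Return every affected asset/advisory pair, highest risk first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                level, reason = risk_level(asset, adv, threat_origins)
                findings.append({"asset": asset.name, "vuln": adv.vuln_id,
                                 "level": level, "reason": reason,
                                 "critical_asset": asset.critical})
    # Highest level first; within a level, mission-critical assets before the rest.
    findings.sort(key=lambda f: (-f["level"], not f["critical_asset"], f["asset"]))
    return findings


# Constructed sample inventory and advisories (vendor, models and ids are fictional).
ASSETS = [
    Asset("sbc-core-01", "ExampleVendor", "SBC-9000", "7.1.0", True, {"internet"}),
    Asset("sbc-lab-02", "ExampleVendor", "SBC-9000", "7.1.0", False, {"lab"}),
    Asset("edge-rtr-03", "ExampleVendor", "RTR-200", "3.4.2", True, {"internet"}),
    Asset("mgmt-sw-04", "ExampleVendor", "SW-10", "2.0.0", False, {"mgmt"}),
]

ADVISORIES = [
    Advisory("VULN-0001", "ExampleVendor", "SBC-9000", "7.2.0", True, True),
    Advisory("VULN-0002", "ExampleVendor", "RTR-200", "3.5.0", True, False),
    Advisory("VULN-0003", "ExampleVendor", "SW-10", "2.1.0", False, False),
    Advisory("VULN-0004", "ExampleVendor", "RTR-200", "3.4.0", True, True),  # already fixed on 3.4.2
]

THREAT_ORIGINS = {"internet"}   # zones an attacker is assumed to start from


if __name__ == "__main__":
    for f in prioritise(ASSETS, ADVISORIES, THREAT_ORIGINS):
        print(f"[{f['level']}] {f['asset']} {f['vuln']}: {f['reason']}")
```

Running it lists the internet-reachable core SBC with an in-the-wild exploit first, the reachable edge router with a public exploit second, the lab SBC (same bug, no path from the threat origin) third and the management switch last; the router advisory whose fix is already installed produces no finding at all. In a real deployment the asset and reachability data would come from the inventory and path analysis the article describes rather than from hand-written lists.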

Prepare for future cybersecurity legislation

The new Telecom Security Act will certainly push providers to harden their infrastructure against attacks. However, looking ahead to the future, it is essential that no one considers this Act to be the final destination for network security regulation: As security evolves, so too will attacks, and additional mandates will be required to protect data in the 5G era. For that reason, the UK government has made it clear that the Act’s mandates apply specifically to voice communications and that regulations will be further updated to secure Internet of Things devices.

In other words, telecommunication providers must be ready for more regulatory oversight in the near future. Proper preparation should include adopting a modern platform that integrates vulnerability management, analysis, and remediation capabilities in a manner that can keep pace during a decade of digitisation that will be defined by constant change, spurred in equal parts by cyber-attacks and legislation.


Alastair Williams is the Director of Solutions Engineering, EMEA, at Skybox Security. With over 20 years of experience in cybersecurity and enterprise software, Alastair is responsible for helping customers solve their complex cybersecurity challenges – from Fortune 1000 companies, to healthcare organisations, and the world’s largest banks. Prior to Skybox, he spent 11 years at the cybersecurity company Symantec, where he held technical roles, including Senior Technical Product Manager, Senior Principal Systems Engineer, and Security Architect. Based in the U.K., Williams is a frequent speaker on cybersecurity topics in Europe and around the world.
