Our network security and network resilience work
Ofcom plays a key part in making sure people across the UK can rely on strong and secure networks. This section provides an overview of some of the work we do in network security for communications providers and operators of essential services.
In early 2019, we launched our Security and Resilience Assurance Scheme. This was an information-gathering exercise to build a more detailed understanding of the security and resilience arrangements that major communications providers (CPs) and operators of essential services (OES) have in place.
This work started with a questionnaire, followed up by speaking with individual companies to gather evidence. We worked with the major companies to understand their processes and procedures for identifying and managing security risks, their technical security controls, and how they minimise the effect of network failures on their services. The overall findings were shared at a series of industry roundtables. This provided a foundation of understanding and will help support activities to strengthen telecoms security and help us to understand how these companies may be impacted by new legislation.
In early 2019, we took over the TBEST scheme from DCMS and we have since expanded it to include more communications providers (CPs). This year, we have begun discussing our TBEST scheme with operators of essential services (OES).
TBEST is a simulated threat intelligence-led penetration testing scheme which assesses how well an operator can detect, contain and respond to a cyber-attack. The overall aim is to identify and address any security vulnerabilities or other weaknesses in a provider’s functions, processes, systems or networks. We expect TBEST to identify specific areas in which an operator’s security could be improved, and we will work with them to make sure they implement appropriate changes in a timely manner.
As part of this scheme, we work in partnership with DCMS and the NCSC.
We are expanding our work with operators to improve how resilient their networks are. This will be particularly important in the next few years because the technology powering the networks is changing in fundamental ways. The information that we receive from operators when they report incidents allows us to assess these incidents and establish processes to improve network availability.
The telecoms industry has an existing resilience best practice document, produced by the Electronic Communications Resilience and Response Group (EC-RRG). This group, formed of the major network operators, the UK and devolved Governments, and Ofcom, is a focal point for cooperation on telecoms network resilience issues. We have helped to establish a new working group for EC-RRG members, to review and develop the existing best practice document.
In May 2018, the Network and Information Systems (NIS) Regulations came into force, and we were appointed as the regulator for the digital infrastructure subsector. These regulations were subsequently amended in 2020. Under the regulations, providers must take appropriate steps to manage all security threats, including a strong focus on cyber security.