Our network security and network resilience work
Ofcom plays a key part in making sure people across the UK can rely on strong and secure networks. This section provides an overview of some of the work we do in network security for communications providers and operators of essential services.
Since October 2022, Ofcom has had additional duties and powers under the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021. In particular, Ofcom must seek to ensure that telecoms providers comply with new rules to boost the security and resilience of their networks and services against security compromises, including those caused by cyber-attacks.
Public telecoms providers must take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring on their networks and services, and to prepare for such events. They must also take action after a security compromise has occurred, to prevent further damage and to remediate or mitigate any damage already done. Telecoms providers can be fined if they do not comply with the new rules.
As part of this, we work closely with the telecoms providers to improve their security and monitor how they comply with the new rules. We also have powers to take enforcement action where necessary. Providers are also required to share information with us that we consider necessary to carry out our functions, including to assess how secure their networks and services are.
The Telecommunications (Security) Act 2021 also introduced new powers for Government to manage risks posed by ‘high risk vendors’.
This means the Secretary of State can control the extent to which goods, services or facilities provided by these companies are used in telecoms networks, if it is considered necessary in the interest of national security. Ofcom has a more limited role under the ‘High Risk Vendor’ regime. Where the Secretary of State issues directions to public communications providers (‘designated vendor directions’), we can be tasked by the Secretary of State with gathering and providing information relevant to the Secretary of State’s assessment of providers’ compliance with such directions.
TBEST is a threat intelligence-led penetration testing scheme which simulates a well-resourced cyber-attack by a nation state or a large organised crime group. It assesses how well a provider can detect, contain and respond to such an attack. The overall aim is to identify and address any security vulnerabilities or other weaknesses in a provider's functions, processes, policies, systems or networks.
We expect TBEST to identify specific areas in which a provider’s security could be improved and we will work with them to make sure they implement appropriate changes in a timely manner.
While the new security duties require telecoms providers to carry out their own regular testing, we continue to run TBEST with industry. Where appropriate, we may also exercise our statutory powers to require a provider to undergo testing, whether TBEST-style testing or another type of testing.
As part of this scheme, we work in partnership with DCMS and the NCSC.
Ofcom is expanding its work with telecoms providers to improve their network resilience. This will be particularly important over the next few years because the technology powering the networks is changing in fundamental ways. The information that we receive from providers when they report incidents allows us to assess these incidents and establish processes to improve network resilience.
The legislation that requires telecoms providers to take measures to ensure the security and resilience of their networks and services was amended by the Telecommunications (Security) Act 2021. Following this, we revised our 2017 guidance on security requirements so that it applies to the sub-category of security compromises relating to the resilience of networks and services, in terms of availability, performance or functionality. We have also taken the opportunity to update the guidance to take account of the revised legislative framework, as well as to reflect the changing nature of resilience risks and Ofcom's experience of incident reporting and investigation.
We encourage providers to review the existing telecommunications infrastructure resilience guidance produced by the Electronic Communications Resilience and Response Group (EC-RRG). This group, formed of the major network operators, the UK and devolved Governments, and Ofcom, is a focal point for cooperation on telecoms network resilience issues. We have helped to establish a new working group for EC-RRG members, to review and develop the existing best practice document.
Ofcom is the designated competent authority for the digital infrastructure subsector in the United Kingdom under the Network and Information Systems Regulations 2018 (as subsequently amended, including by the Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020), collectively referred to as the NIS Regulations.
The types of essential services falling within the digital infrastructure subsector are: Top Level Domain (TLD) Name Registries; Domain Name System (DNS) Resolver Services; DNS Authoritative Hosting Services; and Internet Exchange Points (IXPs).
Under the NIS Regulations, so-called operators of essential services (OES) must comply with various duties. In particular, their initial duties are to notify Ofcom that they are deemed OES where certain conditions are satisfied and, if they are based overseas, to notify Ofcom of their nominated representative in the UK.
OES must also comply with security duties in relation to the security of the network and information systems on which their essential service relies. They must also notify Ofcom of incidents having a significant impact on the continuity of their essential service. Those duties are supplemented by various other requirements, such as responding to our information notices (if any); complying with our enforcement notices; paying our fees for regulating the digital infrastructure subsector; and having regard to our statutory guidance in relation to the digital infrastructure subsector.