How Telecom Providers Can Bolster Identity Security to Meet the UK TSA

November 14, 2023 Mark Seddon and Violeta Pavel

Bolster Identity Security

As technology evolves, so do the threats that loom over our communication infrastructure. The rollout of 5G, the rise of artificial intelligence (AI) and our ongoing dependence on these networks combine to make the telecommunications industry a prime target for cyberattacks.

The consequences of attacks on telecommunications organisations – usually a component of critical national infrastructure – can be far-reaching, extending beyond affecting corporate interests and compromising staff and customer identity security, right up to affecting national security. As such, regulators and operators are motivated to act in tandem to protect these critical national assets.

The Growing Threat to Telecom Providers

Over the last few years, several cybersecurity regulations have set out requirements for how telecom providers are required to approach and implement security. Some are specific to the telecom sector, like the U.K.’s Telecommunications (Security) Act (TSA). In contrast, others are generic – like the NIS2 directive, which applies to multiple critical industry sectors, telecommunications being one.

Driving these global security efforts in the telecom industry is a collective recognition and awareness of not just the severity of the potential threat but the interests of billions of users. With this shift, many advanced economies are increasingly placing the onus and burden of protection on the shoulders of the big telecom providers, prominent actors in the digital ecosystem who can absorb and implement that responsibility. As a result, stakeholders are subjecting telecom providers’ services and networks in their downstream supply chain to high scrutiny, especially concerning identity security – like vendor admin access – and managed service provider (MSP) contract requirements and obligations.

This scrutiny is welcome because telecommunications providers – though very different in terms of the services they provide and infrastructure that they sit on compared to, for instance, a bank – are vulnerable to cyberattack in very similar ways to other organisations that have fully embraced the power of software, digitalisation and the cloud. Attacking the software supply chain of an organisation that has an extensive digital ecosystem is a proven method of infiltrating the target infrastructure to compromise identity security, extract privileged credentials, modify scripts, spread malware, take sensitive data and many other potentially devastating actions. The effects can and often are magnified beyond users of the compromised software to their customers, suppliers and partners.

The drive to up the cybersecurity game across telecommunications infrastructure is a global phenomenon, which stems from recognizing how fast and how far the threat landscape has evolved. In attempts to address the current threat landscape, many countries are now updating their legislative frameworks, while others – like the U.K. – have recently made updates.

“While the scope of the TSA is broad, there are smart ways that telecom providers can achieve significant wins, in particular by ensuring identity security is maintained, with the knowledge that the majority of breaches and attacks involve the compromise of identities as an essential step for attackers…”

Building Telecommunications Cybersecurity Resilience

The U.K., like many other countries, is home to a competitive telecommunications market serving its 68 million residents. Recognizing the critical importance of securing the nation’s telecommunications industry, in 2020, the National Cyber Security Centre (NCSC) conducted its security analysis for the U.K. telecom sector, highlighting the risks associated with telecommunication companies’ supply chains, especially those linked to high-risk vendors such as non-national infrastructure suppliers. The U.K. government subsequently passed the TSA in 2021 to address these concerns and bolster national infrastructure security.

The TSA empowers the U.K.’s communications regulator Ofcom (Office of Communications)  to intervene in the cybersecurity practices of telecom service providers. It establishes a comprehensive security framework to identify, reduce and mitigate security risks. Furthermore, the accompanying 2022 Telecommunications Security Code of Practice classifies public telecom providers into one of three tiers based on their commercial scale, each with distinct compliance obligations and measures in the code to comply with. The Code of Practice document outlines specific timelines, with Tier 1 providers having to implement some measures as early as March 31, 2024. In cases of non-compliance, Ofcom can issue financial penalties.

The three provider tiers are:

  • Tier 1. Public telecom providers with annual revenue over £1 billion
  • Tier 2. Public telecom providers with annual revenue over £50 million but less than £1 billion
  • Tier 3. Public telecom providers with annual revenue of less than £50 million

Implementing the TSA requirements is no small task. It introduces a comprehensive security framework that must be applied across complex and extensive networks, interconnected systems and legacy infrastructure. Reevaluating current security practices, identifying vulnerabilities and making necessary adjustments is resource intensive. Moreover, it may impact ongoing network upgrades and transformation projects. Collaboration with internal stakeholders and coordination with regulatory bodies add to the complexity.

Preparing to Meet TSA Requirements Now

Telecom providers, services and networks in the U.K. are now under pressure to dial up their cybersecurity posture, take accountability and present to Ofcom what cybersecurity measures are in place. The 2022 Telecommunications Security Code of Practice also outlines specific technical requirements in areas such as network architecture, data and network protection, supply chain management and identity security to help organisations prepare.

While there is an enormous amount of information to absorb, here are four simple steps we suggest to help you get started now:

  1. Plan based on your tier classification. Take time to read and absorb available legislation materials applicable to your tier classification, and keep in mind that more rigorous regulations are coming.
  2. Define your scope and conduct an asset inventory. Identify which systems and operations are in scope for the regulation and prioritise work according to the timelines set by the tiered classification guidance.
  3. Scrutinize your supply chain. Supplier assurance is a huge part of achieving compliance with 80 codes of practice measures related to supply chain validations. Identify and develop a system for validating and managing your supply chain appropriately.
  4. Seek help from a reputable partner. Work with an experienced cybersecurity partner that can help interpret the regulation, understand your organisation’s current scope and posture, and devise a plan to help you achieve compliance.

While the scope of the TSA is broad, there are smart ways that telecom providers can achieve significant wins, in particular by ensuring identity security is maintained, with the knowledge that the majority of breaches and attacks involve the compromise of identities as an essential step for attackers – nation-state and other bad actors – to achieve their goals.

One of the fundamental TSA principles (point 1.11) is “assumed compromise,” a cybersecurity mindset that expects an organisation to be breached if it hasn’t already been. This assumption leads to the expectation that any identity across your organisation – whether human or machine – may be compromised. Therefore, your focus should be on identifying, isolating and stopping threats.

Assumed compromise is also a foundational tenet of Zero Trust architecture, where all identities are continuously authenticated and authorized before securely granting just-in-time (JIT) access with the right set of permissions.

Specific actions to reduce the attack surface should include introducing the following capabilities:

  • Securing, logging and monitoring privileged access for internal and external users.
  • Removing default passwords for systems, users and applications.
  • Discovering and onboarding unmanaged privileged accounts and credentials Detect anomalous behavior and indicators of compromise with policy-driven remediation capabilities.
  • Removing local admin rights and implementing application controls will limit what the users can do on specific endpoints and which applications are whitelisted.
  • Ensuring every user is who they claim to be with strong, contextual, risk-based authentication.

Telecom Providers: Guardians of the Grid

The telecommunications industry’s critical role in our connected world necessitates rigorous security measures. The TSA and accompanying Telecommunications Security Code of Practice provide a much-needed framework to ensure the resilience and integrity of our communication networks in the U.K. Introducing the TSA and potential fines imposed by Ofcom compels telecom providers to adopt a new approach and invest in a robust security strategy. In our evolving digital landscape, telecom providers are the guardians of the grid, and their commitment to protecting critical national infrastructure is essential for a secure and connected future.

CyberArk, with many years of experience partnering with the U.K.’s largest telecom providers, has closely collaborated with the U.K.’s NCSC to comprehend the complex technical requirements of the TSA. Check out our eBook, “Identity Security: Why It Matters and Why Now,” to learn how CyberArk’s Identity Security framework – grounded in Zero Trust and intelligent privilege controls – can help your organisation defend against identity-centric threats.


Mark Seddon is CyberArk’s Director of Solution Engineering UKI; Violeta Pavel is CyberArk’s Director of Corporate Sales EMEA.

Previous Article
Reduce Compliance Complexities by Securing All Identities
Reduce Compliance Complexities by Securing All Identities

When complying with regulations and frameworks, it’s hard to keep up when the rules keep evolving. Auditors...

Next Article
Identity Security’s Crucial Role in Safeguarding Data Privacy
Identity Security’s Crucial Role in Safeguarding Data Privacy

More than 130 global jurisdictions have enacted data privacy laws. While each contains rules and requiremen...