NICC Minimum Security Standard (ND1643)

Introduction

NGNuk has been working with NICC, Ofcom and individual CPs to facilitate the adoption of the NICC Minimum Security Standard (ND1643) within the UK.

Briefings have been given to Communications Providers via a number of industry fora, including the LLU Products and Commercial Group, the Openreach Ethernet Forum, OTA2 and NGNuk, as well as through individual approaches to a variety of CPs.

Whilst ND1643 has been published by NICC, NGNuk retains as a priority ensuring that the standard does not introduce unnecessary costs for industry as a whole, is easily understood and is clear regarding implementation. NGNuk is also keen to understand what industry support is required to help CPs and their Suppliers adopt the standard most efficiently and effectively, and is therefore open to constructive feedback on achieving these goals and on ensuring an appropriate assurance scheme.


The Changing Environment for Telecoms Networks

There has been increasing concern within Government and other stakeholders about the security of the UK's critical national infrastructure (CNI). Telecoms networks form a vital part of the CNI, and their importance is growing as they are increasingly relied upon by the other parts of the CNI as well as consumers, businesses and Government for their ongoing function.

Within telecoms, there are specific factors that further heighten these security concerns and which have made the need to address them more urgent, for example:

  • the move to Next Generation Networks (NGNs), concentrating more services on fewer networks and placing more reliance on widely understood and vulnerable technologies;
  • the globalisation of equipment supply to include non-traditional vendors, and the increasing reliance on outsourcing.


Plans to Improve Network Security

Currently there is an assumption that each network operator should be free to offer services with whatever level of security and resilience they feel is appropriate. This continues to be a key principle. In a successfully functioning competitive market, operators should be free to address the differing security needs of their customers, and as a result, products to satisfy all rational requirements should be forthcoming.

However, in the case where different operators either make use of shared network elements and facilities or interconnect with each other, there are other factors to consider. It may be the case that the action, or inaction, of an operator offering low levels of service security and/or resilience may seriously undermine the ability of other operators to offer higher levels.

In general, an operator wishing to provide higher levels of security needs to put their own security controls in place and price their products accordingly in order to recover their costs. The "minimum standard" looks to ensure that these costs do not become disproportionately high for want of another operator adopting some reasonable best practice in their approach to security.

If it does become too expensive for any operator to offer higher security services, this would have a severe negative impact on overall security of the UK's telecoms CNI.

The proposed security measures, in particular the 'minimum standard', have been designed to address these concerns and protect the CNI, while at the same time, minimising the costs for operators and so protecting the competition that has delivered so much for consumers and the UK economy. The standard aims to be a minimum baseline of security procedures and processes that all operators can reasonably be expected to meet. These are intended to maintain the freedom for operators to choose the level of service security they wish to offer their customers, whilst at the same time ensuring their choices do not have an undue impact on the operators they share facilities or interconnect with.

The minimum standard is intended to form a baseline which all affected operators will reach. Beyond this, an assurance scheme is proposed to allow operators who wish to go further to demonstrate the additional levels of security they offer. The objective is that these higher security "assured levels" would become recognised in the marketplace, allowing operators who achieve them to command a premium for their products. In the future, certain customer segments, such as Government, may require all their telecoms providers reach a certain assurance level.

CESG is the Information Assurance (IA) arm of GCHQ. It is the Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing. CESG is leading the Government's "NGN Assurance project" to design, develop and implement an independent assurance scheme for telecoms systems and services. CESG is working towards publication of the NGN Standard Level (2-2-4) (level 2 for confidentiality and integrity, 4 for availability) and the development of a formal independent assurance scheme. Further information on this can be found at: http://www.cesg.gov.uk/policy_technologies/ngn/index.shtml


The Minimum Security Standard (ND1643)

The Minimum Standard has been developed by NICC, the technical forum for communications interoperability standards within the UK. The Minimum Security Standard (ND1643 V1.1.1) can be downloaded from the NICC web site via the following link: http://www.niccstandards.org.uk/publications/llu_spec.cfm

The NICC Security Working Group, who developed the standard, are open to modifying the published version to reflect feedback from operators implementing ND1643 and from certification bodies seeking to provide inspection against the standard, and to improve its guidance, especially for smaller Communications Providers and for Suppliers to industry seeking certification against the standard.

The following types of interconnect are specified as being within the scope of the Minimum Security Standard:

  • SIP, SIP-I and H.323 based interconnects, or similar IP session based interconnects (for example, interconnects supporting streaming services such as live radio, live TV and video on demand, and near real-time interactive services such as instant messaging and press-to-talk)
  • Interconnects supporting broadband/NGA access
  • Data connection services, for example IP, Ethernet and MPLS
  • Specific exclusions are internet peering and traditional SS7 PSTN interconnections

For the above interconnect types, the scope of the standard covers personnel, physical areas and equipment, namely:

  • Personnel who have right of access to a shared area
  • Personnel who have access permissions permitting configuration changes, or other privileged access to shared interconnect equipment
  • Equipment within a shared area
  • Other accessible areas containing interconnect equipment
  • Environmental and other services (fire suppression, air-conditioning, power etc.) associated with a shared area
  • The equipment that terminates each layer of the interconnect
  • Procedures supporting these

The controls within the standard have been adapted from existing ISO standards, with guidance provided on the specifics of what an operator would be expected to do and/or demonstrate to show they have met the controls. The controls broadly divide into four categories, and the main aspects that each set covers are briefly outlined below:

  • organisational security policies;
  • personnel security;
  • physical security; and
  • logical security.

Organisational security policies

The controls in this area require an organisation to have an audited information security policy in place and supported by senior management. This needs to include items such as security measures for dealing with 3rd parties and how security incidents and weaknesses will be managed and reported upon. The organisation's business continuity plans need to include consideration of information security.

Personnel security

The controls in this area require an organisation to document and implement security roles and responsibilities, have a basic screening process and managed access rights for both direct employees and 3rd parties.

Physical security

The controls in this area require that shared facilities have perimeter security and entry controls in place. They cover proper equipment location, protection and maintenance. They also deal with the ability to separate and disconnect interconnected traffic in the event of a problem.

Logical security

The controls in this area require an organisation to have documented operating procedures and change management processes, including new software installation, in place for shared elements. The operational and signalling systems should be secured and the security features, service levels and management requirements of these elements documented. Audit logs should be maintained for user and administrator activity.


Current Status of Implementation

A Code of Practice (CoP) was agreed with industry that commits a CP to implementing, maintaining and gaining certification against ND1643. This has already been signed by 10 major CPs: BT Group, Colt, C&W, Gamma, Kingston, Orange, O2, Sky, Talk Talk and Virgin Media. Other large CPs are currently undertaking a gap analysis against the standard prior to signing the CoP.


Certification to the Minimum Standard

The work on developing certification to the standard is being undertaken by NGNuk and the NICC Security Working Group.

NGNuk has approached the UK Accreditation Service (UKAS). The initial thought was to incorporate the requirements of the NICC Minimum Security Standard within ISO 27001 and 27011 certification; however, this is not feasible since ND1643 does not mandate ISO 27001. Whilst this might have been easier and simpler to introduce, it may have been more complex and costly for smaller CPs.

An inspection scheme is therefore being pursued, which is expected to be available in the first half of 2010. NGNuk is working closely with NICC, UKAS, CPs and certification bodies to develop and trial this scheme for CPs in Q1 2010.

Following feedback from CPs implementing the standard, it was agreed that the standard should be amended to allow Suppliers to certify against ND1643. This was felt to be something which would simplify matters for a Supplier dealing with multiple CPs and also avoid the need for CP audits of Suppliers. A new version of the standard will be issued by NICC at the earliest practical date to better facilitate this. In addition, it is hoped to trial a Supplier certification scheme in parallel to that for CPs.
