Explanatory Note: Guidelines on Security Measures for all licensed telecommunication operators

I. Background

For most of its history, the telecom industry has avoided the security scandals that have beset many industrial sectors. Subscribers have not suffered from the mass theft of private data or user identities because existing cellular networks are built on proprietary physical infrastructure, and network functions reside on hardware platforms. As such in Mauritius, telecom companies have been self-regulating themselves when it comes to security standards in their network.

However, in response to a rapid escalation in the cyber threat landscape which is inherent to IP networks, there is a further need to mandate telecom service providers to better manage security risks not only to enhance the security and resilience of their nationwide infrastructure, but also to better manage security risks within their supply chains. In other words, for telecom operators to be able to mitigate security risks associated with third party suppliers they will also need to take appropriate and proportionate measures with their third-party suppliers to help to identify and reduce risks of security compromise.

II. Rationale for the issuance of Guidelines and forthcoming Regulations and Directives

In order to address the above security concerns, the ICT Authority: –

    1. Is issuing the present set of Guidelines to licensed telecommunication operators. Neither the high-level security objectives nor the detailed security measures in these Guidelines should be seen as binding recommendations, but these Guidelines should rather be used as a self-assessment tool for the preparedness of each licensee towards security requirements. The reason is that the electronic communications sector is very diverse; large incumbents, small service providers, mobile network operators, ISPs, etc. In each setting, the risks are different and it is up to the providers to assess the risks and decide which are appropriate security measures to take. However, the Authority will be using these Guidelines as its benchmark in order to issue the relevant forthcoming regulations to all telecommunication operators.
    2. The forthcoming regulations for licensed telecommunication operators will be issued at least six months after the date of issuance of the present Guidelines. These regulations based on the present Guidelines will be grouped into the following categories:

        2.1 Technical measures which will include measures to strengthen the security of networks and equipment by reinforcing the security of technologies, processes, people and physical factors. These technical measures based on the Guidelines will impose on telecommunication operators, obligations regarding minimum network and service security requirements, risk management measures, incident reporting, data integrity, availability and confidentiality. The submission of security audit reports to the ICT Authority will also be another obligation which will be enforced at the time of issuance of the appropriate Directives by the Authority.

        2.2 Strategic measures which will cover measures concerning increased regulatory oversight by the ICT Authority to scrutinise network procurement and deployment, specific measures to address risks related to non-technical vulnerabilities (e.g. dependency risks), as well as possible initiatives to promote a sustainable and diverse supply and value chain in order to avoid systemic, long-term dependency risks. Moreover, where applicable, the necessary security standards for the importation of telecommunication equipment will also be defined.

    3. Issuance of the first Directive to licensed PLMN operators specifically. This is mainly because of the roll out of 5G networks which present considerably more cybersecurity risks as explained in section III below. However, 5G is not a revolutionary telecommunications transformation. The underlying technology is primarily an evolution from previous generations of telecommunications equipment. Current 5G networks in Mauritius are non-stand-alone, meaning they are built on top of existing mobile telecommunications networks. This is why the scope of the Directive will cover telecommunication mobile networks in general and not only 5G networks. Thereafter, the Authority will issue similar Directives for other licensees, in an incremental manner as appropriate.

III. Cybersecurity risks in 5G Networks

The current rollout of 5G networks in Mauritius makes it all the more necessary to come up with this security regulatory framework. 5G network can potentially change that security protection enjoyed by the previous mobile network generations. This is because 5G networks are managed through software rather than hardware. The virtual nature of the 5G network core makes it vulnerable in new ways. When a network resides in software, there is a danger of cross-contamination and data leakage.

The dependence of many critical services on 5G networks would make the consequences of systemic and widespread disruption particularly serious. As a result, ensuring the cybersecurity of 5G networks is an issue of strategic importance, at a time when cyber-attacks are on the rise, more sophisticated than ever and coming from a wide range of threat actors.

5G networks are characterised by high speed, minimal delays and the ability to accommodate more devices. Such characteristics rely on features such as virtualisation, or the increased use of software rather than hardware, and edge computing, which enables networks to move processing power closer to the user. 5G networks comprise multiple ‘layers’ that perform varying parallel functions across the network. Each layer has access to different amounts of information and can transport data packets to and from other layers within the network. Individual components within a layer transmit and receive different amounts and types of information across the network, depending on their access rights to other parts of the network.

5G functions can be divided into two groups – the core and the edge. The core consists of components that have much greater control over the network than access-layer (edge) components. Core components know much more about the context of a 5G network and include routing and switching functions on base stations. If they fail or are compromised, the impact on the rest of the network could be high, as the core has components that determine functions that overlay and control the entire network. Without these functions, the rest of the network could cease to operate.

Edge functions are located at the periphery of the network. This part of the network is closest to end users and is the interface between the network and its customers. Data within this layer includes who is accessing the network and the information sent to and from it by the customer. The failure of individual components at the edge, such as a radio access network (RAN) antenna, usually only affects a small area of the network and can be easily isolated and mitigated. At this layer, the impact of failure or compromise has a limited impact radius with other parts of the network and there is limited access to the sensitive data that helps run the network.

First, 5G networks use virtualised hardware, meaning that in some instances, multiple functions across the network can now be run using the same shared physical components, in a cloud-based environment. Historically, software has been run on proprietary hardware, meaning that there would be specific physical boxes for specific network functions. Meanwhile, the commodity hardware used in 5G runs software from multiple vendors, within the same physical box, to perform multiple network functions. The perceived cyber risk is that, in this new context, there is no physical or logical separation between core and edge functions. Instead, virtualised hardware boxes could be increasingly exposed to malicious or vulnerable code from multiple vendors, which could in turn compromise multiple network functions.

Second, 5G networks are designed to support low-latency data transfer in microseconds which enables extremely fast communications. Achieving such speeds requires moving processing power closer to the edge of the network more than ever before. This requires having more network cores and putting core functions closer to the end user. In theory, this could require moving some core components to the same location as edge components – for example, putting core functions on RAN antennae.

If the distinction between core and edge were no longer meaningful for 5G networks, this would have serious consequences for risk-management approaches to 5G cyber security. If it were no longer possible to distinguish between critical and non-critical parts of the network, in theory a threat actor could gain access to any part of the network and move laterally to more sensitive parts of the network without any restrictions. It would mean that some existing cyber security measures, such as network segmentation, would be ill-equipped to manage 5G cyber risk. However, core and edge functions do remain technically distinct in 5G infrastructure, if measures are implemented to a high standard.

IV. Structure of the Guidelines

As a baseline for the forthcoming regulatory framework for the security measures to be deployed by telecommunication operators, the ICT Authority is issuing a comprehensive set of Guidelines whereby 29 security objectives have first been identified. These Guidelines are benchmarked with the work already undertaken by the European Union Agency for Cybersecurity (ENISA). The reason for adopting this benchmark is because the security measures therein are technology-neutral and these objectives have been derived from a set of international and national standards which are commonly used by providers in the EU’s electronic communication sector. For each of the security objectives more detailed security measures which could be implemented by providers to reach the security objective have been listed. For each security objective detailed evidence which could indicate that the measures are in place are also listed.

To download the guidelines click here