Securing physical infrastructure for critical communication services
James Thorpe
ISJ hears from Nina Myren, Chair, TCCA Legal and Regulatory Working Group.
Evidence from around the world indicates that threats to mobile network operators (MNOs) are increasing – not only in terms of cybersecurity attacks, but in terms of the vulnerability of their physical infrastructure.
In parallel, some critical communications services are transitioning from designed-for-purpose narrowband networks primarily operated by governments, to broadband networks operated on a commercial basis by MNOs.
There is an undisputed need for critical communications services for first responders.
Yet, despite this, there are no mandatory standards specified to either governments or MNOs in terms of the physical security of the MNO infrastructure supporting the delivery of those services.
Most of the current nationwide narrowband critical communication networks use technologies such as TETRA, Tetrapol and P25 and are owned and operated by the state.
As such, their physical security is assured by the state to the extent deemed necessary.
However, the ongoing transition from narrowband to commercial broadband networks has changed the operating model.
In the future, most public protection and disaster relief (PPDR) broadband networks will, completely or to some extent, need to rely on MNOs’ infrastructure and coverage.
Critical communications
Critical communications are services that are crucial for the successful delivery and completion of the missions, tasks and operations of professional users who rely on being in contact when it counts.
These include public safety and security, emergency services, critical infrastructure, public utilities, transportation, critical industries and related activities, where failures in critical communications would lead to catastrophic degradation of services.
This in turn could place critical services and citizen safety and security at immediate risk.
Critical communications users require their services to be reliable, available and stable to a very high degree. The security of the physical infrastructure is central and decisive to the availability and functioning of critical communications.
There is however no universally agreed definition of what ‘good enough’ looks like with respect to physical security of infrastructure for critical communications.
It is apparent that different countries may have different ambitions and needs, depending on their evolving threat picture and finances available.
A common approach should take these differences into account, while working towards common solutions and standards where this is beneficial.
TCCA’s Legal and Regulatory Working Group (LRWG) has collected information on existing regulations for physical security of telecommunications infrastructure used for critical communications.
The findings are that some regulatory frameworks for MNOs and infrastructure providers are in place in most countries.
There is also a common legislative and regulatory framework that addresses the physical security of infrastructure in EU countries primarily under NIS 2 (EU 2022/2555).
This framework places obligations on MNOs to adopt security and risk-management measures encompassing the physical security of networks and information systems.
A number of EU countries have taken measures to give effect to these obligations while other countries, notably the UK, have taken a similar approach in regulating the physical security of infrastructure.
However, implemented measures and what may constitute an appropriate level of security will largely be based on the MNOs’ own risk assessments.
Current legislation does not include specific measures or a mandatory security baseline.
As we already have seen with respect to Quality of Service, Priority and Pre-emption (QPP) and national roaming, existing regulations do not take into account the emerging situation where PPDR communications are beginning to rely on commercial networks to deliver their services.
Standards requirements set as part of public procurement processes would in this case assist in creating a common threshold and approach to security.
Though new legal and regulatory obligations on physical security would increase the costs and compliance burden of MNOs and other infrastructure providers that provide services for critical communications, they would also have a salutary effect due to the improved standards of security in the network.
With the increasing threat levels, it is highly likely that over time consumers, and particularly business customers, will also start demanding reassurances on all aspects of security in the network, including the physical infrastructure.
From a wider national perspective, governments have started taking steps to ensure the security of commercial broadband networks.
These would be complemented by legislative and regulatory obligations on infrastructure used for critical communications, if such obligations were harmonised across the MNO sector.
With clearer and strengthened regulation there would be a baseline that all MNOs would be obligated to meet and other interested parties would be aware of, including principles for cost-ceiling and cost sharing between the MNOs and the critical communication operator.
This would enable MNOs to make better informed decisions, particularly when bidding to provide services for critical communications.
Compliance with the requirements would be a statutory obligation which would ease the procurement process. It would also be easier to harmonise across jurisdictions, making way for multi-state standards.
Any legislation and regulation needs to be carefully crafted in order to make the obligations proportionate, as the scale of MNOs’ engagement in providing critical communications may vary.
Addressing developments in technology or the market may be more complicated as it will require legislative amendments.
Since the national regulator will be the enforcing authority, the critical communication operator may have limited access to information on the MNO’s compliance, unless access to that information is specifically mandated.
Contractual arrangements would make it easier to design individualised and proportionate obligations and it would be less complicated to update the contractual provisions in line with developments in technology and the market.
However, it would take time, effort and expertise to negotiate standards of security with the MNO acceptable to the critical communications operator, particularly if there is no legally set minimum standard.
It would also be challenging to monitor compliance by the MNO and would require specific contractual provisions that empower the critical communications operator.
There is increasing awareness and interest among the critical communications community for closer cooperation.
In some instances, cooperation is bilateral or multilateral whilst the ongoing work on European Critical Communications Service (EUCCS) aims to connect communication networks of law-enforcement, civil protection and public safety responders in Europe to allow for seamless critical communication and operational mobility across the Schengen area.
However, TCCA’s LRWG notes that the current EU directives require more clarity to ensure that physical security of networks is within scope.
Security of the physical infrastructure is of paramount importance to the effective delivery and operation of critical communications services, especially when critical communications rely on the networks of the MNOs.
TCCA’s LRWG recommends that legislation on the physical security of broadband critical communication infrastructure, defining baseline requirements and rules for cost ceilings/sharing, be adopted in EU regulations.
Such a multinational standard will greatly assist the decision-making process of individual countries and establish a common understanding between all relevant parties, including MNOs, governments and users.
It will provide a baseline for acquiring services via public procurements. Moreover, a European regulation would serve as an inspiration for the wider global community of critical communication operators.