The telecommunications and information technology industries have revolutionised the way people communicate in today's world and have impacted our lifestyle.

Mobile phones have moved beyond their fundamental role of communications and have evolved to become an extended persona of the user. Customers continuously want more from their phones: they use them to play games, listen to music, visit social networking sites, surf the Internet and carry out many other activities.

The penetration of mobile phones and their utility (value-added) services has grown significantly in rural India as well, with farmers receiving updates through mobile applications on modern agricultural techniques, pricing, etc.

Businesses these days are moving towards incorporating ubiquity, rather than mobility. This implies that enterprises require information access from anywhere, at any time and on any device for their employees. This opens multiple intrusion channels for cybercrime and attacks, exposing telecom/data networks to a whole new gamut of cyber threats which are more sophisticated in nature.

Examples of this include denial of service attacks, registration hijacking, proxy impersonation, message tampering and the like.

The telecommunication industry has unique security requirements compared with the conventional IT/ITES industry.

As per ITU-T Recommendation X.805, the following security planes exist in telecommunication networks:

  • Management plane – concerned with Operations, Administration, Maintenance & Provisioning (OAM&P) activities such as provisioning a user or a network etc
  • Control plane – associated with signaling aspects for setting up (and modifying) the end-to-end communication through the network irrespective of the medium and technology used in the network
  • End-User plane – addresses security of access and use of the network by customers. This plane also deals with protecting end-user data flows.

Threats and vulnerabilities exist in each security plane, and the challenge is that these planes work on different communication protocols. This adds to the overall complexity of telecommunication security and its management.

Another point of concern from a security standpoint is the popularity and availability of attack toolkits online. This further lowers the entry barrier in this field of cybercrime and hacking. Telecommunication infrastructure is publicly exposed, and script kiddies or exploit artists target this infrastructure openly. These cyber warfare developments emphasise the growing need for more complex and sophisticated security tools and regulations around them.

A few developments have entirely escaped the attention of news channels and media. The Department of Telecommunications (DoT) has taken some serious steps towards curbing the information security vulnerabilities that a telecom/data network may be exposed to. The aim is to enforce an end-to-end security framework in the existing telecommunication ecosystem.

It began with the security fuss over foreign equipment, in which the government also got involved and all consignments from these equipment vendors were stopped until a self-security clearance was provided. However, this did not prove to be a big deterrent for any organisation in the industry, and all the vendors submitted the undertaking related to the security of their equipment.

DoT released amendments to the license agreements of various service providers; the amendments were initially released in July 2010, with a final update in May 2011. The suggested amendments mostly revolved around information security. One of the critical amendments was the release of the draft template of the agreement between the operator and the vendor of equipment products and services, which caught the equipment vendors by surprise.

By way of the template, DoT has tried to address the issues concerning security in the telecom industry. The template spans various domains of information security, such as:

  • Contract personnel security
  • Regulatory and Legal
  • Audit and Investigation
  • Data Protection
  • Network Security
  • Service Continuity Assurance
  • Information Security
  • Access Controls

 Some of the major clauses covered as part of the agreement are as follows:

  • Establishment of an information security organisation structure in accordance with ISO 27001:2005 certification;
  • Physical and logical segregation of different operators' networks;
  • Improved controls around recruitment and employee termination process;
  • A penalty of Rs 500 million would be imposed on the operator for any material security breach;
  • Quarterly network audits, including network security and network forensics, have been made mandatory for the operator;
  • All the equipment in a telecom network shall be subject to audit and shall have the functionality of generating auditable logs;
  • Controls around physical security have been strengthened; and
  • Improved controls around data protection, data privacy and confidentiality.

The next question interested parties would be asking is: what's in it for me?

  • For a subscriber, it means better and improved services in terms of better network connectivity and better complaint resolution.
  • For a telecom operator, it means a number of additional processes and checks that it would be required to implement to meet DoT guidelines.
  • For an equipment vendor, it could mean a number of things, notably additional cost to implement information security controls, extra effort to streamline processes and systems, and additional effort and cost to meet the legal and regulatory challenges. Complying with all DoT guidelines may also mean an improved security organisation with better visibility of the controls, better coordination within departments and better security for customers.

At this point in time, telecommunication organisations should understand the recent developments in the regulatory space and adhere to such guidelines. They need to adopt a methodical approach to developing an end-to-end security framework that meets both their organisational and regulatory requirements. Though the journey has a tough start, organisations will see long-term benefits from this.