Securing the Network: How Automation Transforms Compliance and Cybersecurity for CSPs

The importance of automating network access and network resource management has been highlighted by issues with leading CSPs

Recent articles have revealed low levels of compliance around “whereabouts” regulations for maintenance activities on the Openreach network – making it challenging to know who is accessing network resources – and leading to fears of cyber-attacks. Automation could be the solution.

The importance of automating network maintenance where possible, and of tracking manual actions automatically where not, cannot be overstated and has been vividly highlighted recently. In an article in UK newspaper The Telegraph, as well as other technology-related publications, it has been reported that leading CSPs have failed to comply sufficiently with ‘whereabouts’ legislation.

Bluntly, this means that technicians are not providing full details of where and when they are working on the network – causing problems for downstream customers. As we will outline later in this blog, this is a completely avoidable situation.

This means that customers cannot see who is accessing, or working on, their critical network infrastructure, which in turn is exposing companies to cyber-attacks and network sabotage. Two outages at a hospital and a financial organisation are noted in the article – both were forced offline in October 2023 after an engineer was found to have cut through a cable.

“Whereabouts” regulations suffering low levels of compliance

Compliance with whereabouts rules has fallen to 23% (according to BT), which means that it’s difficult for Openreach to ensure the integrity of its network and identify if unauthorised personnel are accessing it. So, planned outages can be confused with attacks, while unplanned outages that result from mistakes are harder to track and isolate.

The problem is that without adequate knowledge of who is accessing their network, it’s difficult for any network operator to pinpoint where any problem might arise, and who’s accessing the network. While industry watchers suggest that The Telegraph’s claims about cyber-attacks may have been a little overblown, there is still clearly an issue.

But, as mentioned, this is an avoidable problem. Automation of routine manual tasks can ensure better compliance. The fact is that security affects every layer and level in any organisation – from network to operations, and from processes to people – and it’s imperative to address them all.

Network resource and access management obligations

A lot of operators have disparate systems for logging network access management and network resource access, which can create security gaps. Automation can significantly improve compliance processes that require manual input and close such gaps – like those found by Openreach in its network resources and access compliance challenges.

As outlined in the Code of Practice that supports the UK’s Telecoms (Security) Act 2021 (TSA) – which has an implementation deadline of 31 March 2024 – operators have compliance obligations to ensure that the root cause of unplanned outages, or unexplained network access, is identified, isolated, and eliminated.

Automation is imperative here to ensure that Network Assets are not taken offline in an unplanned way due to work undertaken by engineers or sub-contractors. If they do not follow the correct procedures, such outages may appear as if they are the result of a cyber-attack, but the reality could be more prosaic – the result of work that is not properly recorded or traceable.

In this context, there are two dimensions of automation that are applicable. First, the automation of routine / common activities to remove the need for error-prone human access. Second, to enable human access only in the context of an automated governance process. This means that, for example, access to secure locations (such as a street cabinet or fibre duct) must be linked to an approved or open change request that references that particular location.

This should also be applicable to user login access to the equipment in question. Similarly, changes to equipment, such as moving a system into a maintenance condition or offline mode, should be made automatically before any technician tries to access it. The system should then be tested automatically to verify that it is still functioning after human access but before it is brought back to normal service.

There’s a long checklist of tasks that could easily be automated to prevent unexpected outages and to provide gateways to any active intervention on the part of a technician – essentially providing blocking mechanisms to avoid errors.
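One way to express the access gate described above, as an added example rather than code from We Are CORTEX or any operator: access is granted only when an approved or open change request references that location and the asset is already in maintenance mode, and the same matching rule is reused to audit access events after the fact. The record fields, status values and identifiers are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    location: str      # the location (cabinet, duct) the change references
    technician: str
    status: str        # assumed values: "approved"/"open" permit access
    start: datetime    # start of the agreed work window
    end: datetime      # end of the agreed work window

def matching_cr(crs, technician, location, when):
    """Return the change request that covers this access, or None."""
    for cr in crs:
        if (cr.status in ("approved", "open") and cr.location == location
                and cr.technician == technician and cr.start <= when <= cr.end):
            return cr
    return None

def authorize_access(crs, in_maintenance, technician, location, when):
    """Gate: deny unless a CR covers the access and the asset is in maintenance mode."""
    cr = matching_cr(crs, technician, location, when)
    if cr is None:
        return (False, "no approved or open change request for this location")
    if location not in in_maintenance:
        return (False, f"{cr.cr_id}: asset not yet in maintenance mode")
    return (True, cr.cr_id)

def unlogged_accesses(crs, events):
    """Audit: return (when, technician, location) events no change request accounts for."""
    return [e for e in events if matching_cr(crs, e[1], e[2], e[0]) is None]

# Constructed sample data, not taken from any real network
D = datetime
CRS = [
    ChangeRequest("CR-1001", "CAB-0042", "tech-a", "approved", D(2024, 3, 1, 9), D(2024, 3, 1, 13)),
    ChangeRequest("CR-1002", "DUCT-0007", "tech-b", "closed", D(2024, 3, 1, 9), D(2024, 3, 1, 17)),
]
IN_MAINTENANCE = {"CAB-0042"}
EVENTS = [
    (D(2024, 3, 1, 10, 15), "tech-a", "CAB-0042"),   # inside the approved window
    (D(2024, 3, 1, 14, 30), "tech-a", "CAB-0042"),   # after the window closed
    (D(2024, 3, 1, 11, 0), "tech-b", "DUCT-0007"),   # change request already closed
]

if __name__ == "__main__":
    print(authorize_access(CRS, IN_MAINTENANCE, "tech-a", "CAB-0042", D(2024, 3, 1, 10, 15)))
    print(unlogged_accesses(CRS, EVENTS))
```

The audit output is the list an operator would need to explain: each entry is an access that cannot be tied to planned work.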

In our experience, network operators often fail to track and identify planned (and unplanned, ad hoc) outages or service disruptions adequately (and then cannot make this data available to key customers and accounts).

This applies to unlogged maintenance on network assets. How can operators track legitimate access, or know that work has been completed to an appropriate standard, so they can close security gaps and ensure compliance with policies and protocols?

This is BT’s challenge – and that of any other network operator, for that matter. Automation solves this challenge, by removing paper from the process – activities can be logged and distributed, according to the needs of the stakeholders. When an activity has been completed, the event can be cleared.

Automation can have significant positive benefits for security, from top to bottom of any organisation. But it also requires a security-first mindset.

To find out more, and to download a new paper from We Are CORTEX that outlines the requirements of security from a cultural point of view, and explains the obligations of new compliance regulations, such as the TSA, click below, or contact us today to find out how we can help you on your automation journey.

 
