NICC Minimum Security Standard (ND 1643)

  • Security Requirements in the Revised Communications Act 2003
  • Improving Network Security
  • Introduction to Minimum Security Standard (ND1643)
  • The Minimum Security Standard (ND 1643)
  • Certification to the Minimum Standard

Security Requirements in the Revised Communications Act 2003

The EU framework which governs communications regulation across Europe has changed and imposes new requirements on providers of public communications services and networks with respect to the security and reliability of their operation. These came into force in the UK on the 25th May 2011 as a result of changes to the Communications Act 2003.

The main requirements placed on providers by the changes to the Act can be summarised as follows:

  • network and service providers must take appropriate measures to manage risks to security, in particular to minimise the impact on end users and interconnected networks;
  • network providers must take all appropriate steps to protect, so far as possible, network availability;
  • network and service providers must notify Ofcom of breaches of security or reductions in availability which have a significant impact on the network or service.

In their document "Ofcom guidance on security requirements in the revised Communications Act 2003 - Implementing the revised EU Framework", Ofcom sets out a number of areas which they expect providers will normally have needed to consider in order to demonstrate compliance with the new requirements. The precise measures required in each area will vary by provider, depending on the networks and services they operate and the customers they serve. In summary, the areas are:

  • risk management procedures;
  • basic security measures;
  • transparent information for customers;
  • measures to maintain the availability of services;
  • measures to protect interconnecting networks, either by compliance with established security standards or equivalent activity; and
  • reporting incidents which exceed the thresholds outlined in this guidance.

The revised Communications Act 2003 states in section 105A(3) that “Measures under subsection (1) taken by a network provider must also include measures to prevent or minimise the impact of security incidents on interconnection of public electronic communications networks.”

Partly in anticipation of this new duty, cross industry work has been underway in the UK for several years to develop common security standards intended to protect the security of interconnecting CPs. The result of this work is the NICC Minimum Security Standard for network interconnection (ND1643).

The published version of the NICC standard is currently only applicable to CPs and sites with particular types of IP-based interconnection; however, Ofcom have asked NICC to consider expanding the scope of the minimum standards to include a wider set of networks and sites, such as those using traditional TDM interconnects. As the standard is extended to include other types of networks and sites, Ofcom will normally expect that CPs coming into scope will also obtain certification where this is relevant.

In the case that interconnecting CPs do not seek certification against current or future versions of ND1643, Ofcom will expect to understand why. Ofcom would also normally seek evidence of alternative activities that have been undertaken to achieve the same level of protection of interconnections sought by the standard and that documentation demonstrating compliance is reviewed regularly. Ofcom would judge the appropriateness of these activities in relation to the scale and size of their operation and the types of services that are offered to customers.

Improving Network Security

Currently there is an assumption that each network operator should be free to offer services with whatever level of security and resilience they feel is appropriate. This continues to be a key principle. In a successfully functioning competitive market, operators should be free to address the differing security needs of their customers, and as a result, products to satisfy all rational requirements should be forthcoming.

However, in the case where different operators either use shared network elements and facilities or interconnect with each other, there are other factors to consider. It may be the case that the action, or inaction, of an operator offering low levels of service security and/or resilience may seriously undermine the ability of other operators to offer higher levels.

In general, an operator wishing to provide higher levels of security needs to put their own security controls in place and price their products accordingly in order to recover their costs. The "Minimum Standard" looks to ensure that these costs do not become disproportionately high for want of another operator adopting some reasonable best practice in their approach to security.

If it does become too expensive for any operator to offer higher security services, this would have a severe negative impact on overall security of the UK's telecoms Critical National Infrastructure (CNI).

The proposed security measures, in particular the 'Minimum Standard', have been designed to address these concerns and protect the CNI, while at the same time minimising the costs for operators and so protecting the competition that has delivered so much for consumers and the UK economy. The Standard aims to be a minimum baseline of security procedures and processes that all operators can reasonably be expected to meet. These are intended to maintain the freedom for operators to choose the level of service security they wish to offer their customers, whilst at the same time ensuring their choices do not have an undue impact on the operators they share facilities or interconnect with.

Introduction to Minimum Security Standard (ND1643)

NGNuk has been working with NICC, Ofcom and individual CPs to facilitate the development and adoption of the NICC Minimum Security Standard (ND1643) within the UK. This Minimum Standard is intended to form a baseline with respect to the security and integrity of network interconnection.

During the development of the Standard, briefings have taken place with a large number of Communications Providers via a variety of industry fora, including the Copper Products Commercial Group, Connectivity Services Products Commercial Group, OTA2 Executive and NGNuk, plus individual approaches to a variety of communications providers and industry associations.

The Minimum Standard (ND1643) will be treated by Ofcom as creating a presumption of a communications provider’s compliance with the provisions of the new EU Directive and the associated changes to the Communications Act 2003 as it applies to interconnection.

Whilst ND1643 has been published by NICC, NGNuk is acting as the ‘scheme owner’ for any queries but also retains a responsibility to ensure that the Standard does not introduce unnecessary costs for industry as a whole, is easily understood and is clear regarding implementation. The contact details for Peter Ryde (NGNuk) are listed below. NGNuk remains keen to understand what industry support is required to help communications providers and their suppliers adopt the standard most efficiently and effectively, and is open to constructive feedback on achieving these goals and helping ensure an appropriate assurance scheme.

The Minimum Security Standard (ND 1643)

The Minimum Standard has been developed by NICC, the technical forum for communications interoperability standards within the UK. The Minimum Security Standard (ND1643) can be downloaded from the NICC web site.

The following types of interconnect are currently specified as being within the scope of the Minimum Security Standard:

  • SIP, SIP-I and H.323 based interconnects, or similar IP session based interconnects (for example, interconnects supporting streaming services such as live radio, live TV and video on demand, and near real-time interactive services such as instant messaging and press-to-talk)
  • Interconnects supporting broadband/NGA access
  • Data connection services, for example IP, Ethernet and MPLS
  • Specific exclusions are internet peering and traditional SS7 PSTN interconnections

As detailed above, Ofcom have requested NICC to extend the scope of ND1643 beyond its original remit and generalise the Standard to cover the full range of services provided over points of UK interconnection. This version of the standard is not yet available.

For those interconnects within scope, the Standard will cover personnel, physical areas and equipment, namely:

  • Personnel who have right of access to a shared area
  • Personnel who have access permissions permitting configuration changes, or other privileged access to shared interconnect equipment
  • Equipment within a shared area
  • Other accessible areas containing interconnect equipment
  • Environmental and other services (fire suppression, air-conditioning, power etc.) associated with a shared area
  • The equipment that terminates each layer of the interconnect
  • Procedures supporting these

The controls within the standard have been adapted from existing ISO standards, with guidance provided on the specifics of what an operator would be expected to do and/or demonstrate to show they have met the controls. The controls broadly divide into four categories, and the main aspects that each set covers are briefly outlined below:

  • organisational security policies;
  • personnel security;
  • physical security; and
  • logical security.

Certification to the Minimum Standard

The work on developing certification to the standard is being undertaken by NGNuk with the support of the NICC Security Working Group.

Any questions or clarification regarding the Standard or certification to the Standard should be raised with:

Peter Ryde
NGNuk
Email: peter.ryde@ngnuk.org.uk
Tel: 0207 783 4688

NGNuk’s initial approach to certification was to endeavour to incorporate the requirements of the Minimum Standard within ISO 27001 or ISO 27011 certification. This was not feasible, since ND1643 does not mandate ISO 27001/27011. ND1643 is therefore an inspection scheme.

NGNuk has approached the UK Accreditation Service (UKAS) to establish accreditation for the inspection scheme. In the interim three certification bodies have been active in testing the scheme and are familiar with its implementation. These are BABT, BSI and LRQA.