The security of network equipment is critical to the security of any network. When selecting equipment that will support a critical service or critical infrastructure, customers should make an assessment of the security of that equipment and consider that assessment as part of their procurement and risk management processes.
This guidance provides advice on how to assess the security of network equipment. It provides guidance to support public telecommunications operators (the providers of Public Electronic Communications Networks and Services), in meeting their duties under the Telecommunications (Security) Act 2021, and, when they are finalised following the Government’s consultation, the Electronic Communications (Security Measures) Regulations 2022. For example, under draft Regulation 3.(3)(e), the network provider would be required:
(e) to take appropriate measures in the procurement, configuration, management and testing of equipment to ensure the security of the equipment and functions carried out on the equipment.
This guidance is referenced in the draft Telecommunications Security Code of Practice, in particular draft
measures 5.01 and 10.1. Whilst this guidance is not expected to form part of that code (when it is finalised) and will not be necessary or sufficient to meet new supply chain legal requirements, it is important advice that providers can use to help their compliance.
While written to support telecommunications operators, the advice within this guidance may also be useful to other providers of critical services or critical infrastructure who rely on network equipment to deliver their services. The NCSC acknowledge that the degree of assessment of the security of network equipment advised in this document is most appropriate where the network equipment is supporting a critical service. In addition, to perform the assessment described in this document effectively, customers may require appropriate contractual rights to perform the recommended audits and tests.
This guidance should be used when making selection decisions for network equipment. However, as noted below, security is an ongoing activity. As with other areas of performance, customers should continue to assess and retain evidence of the vendor’s track record in security during the equipment’s lifetime, as this will support future security assessments.
This guidance does not take account of, and cannot mitigate, the threats that may arise because of additional risks specific to a particular vendor in the supply chain. These risks include the degree to which it might be susceptible to being influenced or required to act contrary to the interests of the customer or their national security. In such circumstances, additional controls specific to the vendor in question may be required.