angelsmarketplace_dghob2
The Telecommunications Industry Association (TIA) is on a mission to turn the phrase ‘securing the telecoms equipment supply chain’ from a soundbite into something a little more tangible.
TIA’s QuEST Forum this week unveiled a new standard designed to measure and verify the end-to-end cyber and physical security of ICT network infrastructure, including hardware, software and services.
Called SCS 9001, it aims to crystallise various internationally-recognised guidelines and best practices into processes that telco suppliers can adopt. These include ISO-20071, which covers information safeguarding; the Criteria for Security and Trust in Telecommunications Networks and Services as drawn up by the Centre for Strategic and International Studies (CSIS); relevant security standards defined by the US Commerce Department’s National Institute of Standards and Technology (NIST); and the so-called Prague Proposals for securing 5G networks.
Perhaps the most important part of all this though, is the verification process. Any supplier that wants to impress potential clients by demonstrating their compliance with SCS 9001 has to submit to an audit by an independent certification body to ensure they measure up. That certification body must first be accredited by an accreditation body to make sure they’re up to the job of carrying out the audit. In addition, that accreditation body must first be authorised by the TIA QuEST Forum. In short: the auditors of the auditor need to be audited before the first auditors can conduct any auditing.
“Our global community depends on connectivity and while technology continues to outpace security, we now have a process-based, verifiable standard to significantly mitigate threats to the ICT supply chain,” said David Stehlin, CEO of TIA, in a statement on Wednesday.
An all-to-easy conclusion to jump to is that this is about Huawei, and a US-based industry association setting an impossible-to-reach bar for the Chinese vendor, thereby making its exclusion from network tenders that much easier to justify. But the fact is, governments have already proved that they don’t need to go to that much trouble to shut the door on Chinese vendors.
Rather, this is more about the shake-up of the supply chain wrought by virtualisation and OpenRAN, which together provide an opportunity for a wider array of players to enter the market, disrupting incumbents like Ericsson and Nokia. The more links there are in the supply chain, the greater number of potential attack vectors.
“Improving the performance of our suppliers by defining outcome-based delivery models has been a key component of building our global communications network. Never more so has this been important with the growing role of software and agile transformation in the network ecosystem,” said Sankaran Ramanathan, executive director, network systems, at Verizon. “Given the current global landscape and the increased complexity and diversity of the ICT supply chain, a standard like SCS 9001 can help verify which suppliers and manufacturers are building security into their solutions and enhancing trust.”
There’s an enterprise angle to this too, of course. According to IBM, a data breach costs an organisation on average $4.24 million per incident. Organisations keen to tap the benefits of new technology, such as private mobile networking, hybrid cloud and so-on, need to be able to trust this technology with critical corporate data. Ergo, standards like SCS 9001 are an important step in the right direction.
