Mobile telephone services and the Internet were introduced to India in 1995. Less than three decades later, India has the second largest mobile network in the world, trailing just China. This growth has become exponential in recent years due to the integration of transformative technology like IoT and 5G.
As of 2023, the average 5G download speed in the country was approximately 25 times faster than 4G, and it is estimated that 5G will account for nearly 66% of mobile subscriptions by 2029. This all points to a data explosion in the industry, fueled by high-speed Internet, streaming services, and the increased use of data-intensive apps.
This data explosion leads to a wider attack surface that attackers increasingly exploit. Earlier this year, cybersecurity firm CloudSEK unveiled a massive security breach exposing the sensitive personal information of an astonishing 750 million people in India, including names, mobile numbers, addresses, and AADHAAR information. The breach highlighted the need for a comprehensive approach to cybersecurity, including collaboration with the relevant authorities and implementing robust measures to protect against unauthorized access.
The Solution: The Telecommunications (Telecom Cyber Security) Rules, 2024
The Indian Central Government issued these guidelines on November 21, 2024, as an extension of the Telecommunications Act, 2023, with rules and regulations involving telecom cyber security. They apply to everyone regarded as a telecom entity, which the guidelines define as ‘any person providing telecom services or establishing, operating, maintaining or expanding the telecom network.’
Cybersecurity for telecom entities starts by adopting a cybersecurity policy with these elements:
- Incorporation of telecom network protection strategies, including network testing that features hardening, vulnerability assessments & penetration testing (VAPT)
- A mechanism to identify & prevent a security incident, which the rules define as ‘an event having real or potential risk on telecom cybersecurity’
- A rapid action system to deal with security incidents, including mitigation measures to limit their impact
- Conducting a forensic analysis of security incidents to learn from them and further strengthen your cybersecurity posture
- Incorporating an ideal mix of security safeguards, risk management approaches, actions, training, best practices & ideal technology to enhance your security
Following all the elements of this policy will help reduce the risks of security incidents through timely responses and appropriate actions. To maintain the efficacy of these policies, the Central Government mandates periodic cyber security audits to assess the overall resilience to threats, at intervals specified on their portal.
The Custodian: Chief Telecommunications Security Officer
To ensure that all these requirements are met, the Central Government requires a liaison to connect with each telecom entity. That comes through the role of Chief Telecommunications Security Officer (CTSO), with the requisites of the position being:
- A citizen or resident of India
- Directly responsible to the Board of Directors or similar governing body of the entity concerning the requirements of the new laws
- Directly responsible for coordinating with the Central Government for implementation of the rules on behalf of the entity
Details regarding the holder of the position need to be provided in writing to the Central Government, through a form available on the portal. Any replacement or change to the position also has to be promptly intimated through another form there.
The Oversight: Requirement of SOC
One of the roles the CTSO has to fulfill is establishing & overseeing a Security Operations Centre (SOC) that uses 24×7 monitoring to help identify, mitigate, and respond to threats. The rules identify two crucial pillars for the SOC:
Pillar 1: Monitoring
This includes incidents in the form of successful intrusions and breaches of telecom services & networks, along with attempts to cause such incidents, intrusions, and breaches. Details of such threat actors impacting services & networks have to be collected and stored.
Pillar 2: Maintaining
Telecom entities have to maintain a variety of logs, including:
- Firewall, Security Information & Event Management (SIEM), Intrusion Detection System (IDS), and Intrusion Prevention System (IPS) logs, all of which will form the core of your SOC strategy
- Command logs of operation & maintenance
- Any other element required for the functioning of telecom services & networks
Entities have to maintain these logs and make them available to any person authorised by the Central Government. The period for maintaining all these logs is again specified on the portal.
The Process: Incident Reporting Requirements
Another important role of the CTSO is to follow this timeline whenever there is a discovery of a security incident:
| Timeframe | Requirements |
| --- | --- |
| Within 6 hours of security incident discovery | A report has to go to the Central Government, with details such as the nature of the incident and the systems affected by it. |
| Within 24 hours | Additional information has to be provided, including but not limited to: |
After conducting these measures, the Central Government may ask for further action on your part through a variety of ways:
- If they feel that disclosure of the security incident is in the public interest, they may ask you to inform the public or do it themselves.
- They may issue directions concerning the measures required to remedy the security incident if it has already happened or prevent one from occurring when a significant threat is identified, with time limits potentially prescribed for each measure.
The Penalties: Non-Compliance Rules
If the Central Government has reason to believe that any telecom entity is endangering telecom cybersecurity, they can issue a notice to said entity. The entity then has 7 days to respond, post which an investigation will commence.
Depending on the findings of the investigation, the Central Government can either suspend or permanently disconnect all the privileges that the entity is privy to. This order can also be extended to any equipment or identifiers linked to the entity. Entities can respond to the order within 30 days, and depending on the response, the Central Government can either uphold, modify, or revoke the earlier order.
There are further regulations for telecom identifiers:
- Any manufacturer of equipment that has an international mobile equipment identity (IMEI) number shall register the number with the Central Government, whether it’s being produced in India or imported from abroad.
- No person shall intentionally remove, obliterate, change, or alter the unique telecom identification number, or intentionally use, produce, traffic in, or possess software related to the identifier or equipment.
- The Central Government may issue directions to equipment manufacturers bearing IMEI numbers to provide assistance or block the use of tampered IMEI numbers in telecom networks and services.
The Way Forward: A Technology Partner like iValue Group
The new telecommunications security guidelines of 2024 give telecom entities a lot to keep track of. Keeping an in-house SOC is one of the options the Central Government prescribes, but maintaining it has become a major challenge for organizations. They have to deal with burnout, false positives, alert fatigue, and cybersecurity skills shortages. Therefore, outsourcing your SOC operations to a trusted provider like us has become the preferred option for many companies.
Additionally, the reporting requirements of these new rules are extremely stringent. While global regulations like GDPR set the reporting time for critical infrastructure & personal data breaches at 72 hours, these rules require you to do so within 6 hours. That could prove to be a major challenge if your cybersecurity processes are not alert and optimized.
Amid such flux, an ideal solution could be partnering with a technology provider like us who will take care of every aspect of telecom cybersecurity compliance and enable you to continue doing what you do best.