The Department of Home Affairs is concerned Australian telcos could be putting control of critical infrastructure at risk when using managed service providers.
Telcos were engaging managed service providers (MSPs) to perform a broadening range of functions, the department noted in its annual report.
However, that risked interfering with carriers’ ability to maintain competent supervision of, and effective control over, their networks and facilities.
Department regulatory unit the Communications Access Coordinator (CAC) reported an increase in the number of proposals to use MSPs as well as an increase in the range and scope of functions MSPs were proposing to undertake.
"The department received multiple notifications during the reporting period in which the CAC considered that a carrier’s proposed use of an MSP could interfere with the carrier’s ability to maintain competent supervision of, and effective control over, telecommunications networks and facilities owned or operated by the carrier, as required," the report said.
CAC’s concerns were most often associated with inadequate proposed supervision by the carrier of the MSP’s activities, including over-reliance on self-supervision and self-reporting; inadequate consideration by the carrier of the locations from which the MSP would be providing their services; and limited assurance that the carrier could demonstrate effective control over networks or facilities being serviced by the MSP.
CAC informed the carriers of its concerns and suggested measures they could implement to ensure continued compliance with security obligations.
The department had noticed an improvement in carrier management of supply chain risks, however.
Telcos were moving beyond basing their judgments simply on the home location of vendors to also consider supply chains associated with individual network equipment components.
Notifications received from a number of carriers highlighted the significance of cloud environments in enabling telcos to scale their storage capacity with demand.
However, it was crucial to acknowledge that the adoption of cloud environments introduced potential vulnerabilities within supply chains, the regulator said. Meticulous assessment and diligent monitoring of these environments were also imperative, the department added.
The mass migration of applications into either public or private cloud platforms inherently increased the attack surface for carriers but was necessary as they adopted the latest technologies to meet customers’ needs.
"The department carefully reviewed the process undertaken by carriers to ensure that critical applications or applications where large volumes of sensitive data was stored were either not migrated to the cloud or were afforded the highest possible standard of security," the regulator reported.
Carriers were also advised to ensure they were alert to the security settings and configurations of their cloud environments and that they retained control over their own encryption keys to ensure effective supervision and control.
The department had also been made aware of a number of notifiable network changes through the media rather than through the notifications process.
"Carriers that do not notify the CAC about their proposed changes risk missing out on relevant threat information and targeted security advice, as the department can only provide official technical advice through a response to a notification," the regulator warned.
They also risked non-compliance with their obligations.
In September, the department launched six cyber shields to help protect businesses, organisations and citizens, creating a “cohesive and planned national response”.