On August 28, 2024, the Ministry of Communications, through the Department of Telecommunications, released a crucial notification regarding the protection of Critical Telecommunication Infrastructure (CTI). These new draft rules are the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024, and they aim to safeguard telecommunication networks that are deemed vital for national security, economy, and public safety.
What Are the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024?
The new rules are designed to enhance the security and resilience of telecommunication networks that have been identified as critical. These networks are so essential that any disruption could severely impact national security, the economy, public health, or safety.
Key Points of the Draft Rules
1.Definitions
Understanding key terms is crucial:
- Critical Telecommunication Infrastructure (CTI): This includes any telecommunication network or part thereof specifically designated by the Central Government as critical. Disruptions to this infrastructure could severely impact national security, the economy, public health, or safety.
- Chief Telecommunication Security Officer (CTSO): This is the individual appointed by a telecommunication entity to oversee compliance with these rules and ensure security measures are in place.
- Security Incident: Defined in the Telecommunications (Telecom Cyber Security) Rules, 2024, this term refers to any event that threatens the security of telecommunication systems.
2. Applicability
These rules apply to any telecommunication network identified by the Central Government as Critical Telecommunication Infrastructure. Telecommunication entities must provide detailed information about their networks, including the hardware, software, and other relevant components, when requested by the government.
3. Compliance Requirements
Entities are required to adhere to several standards and directives:
- Essential Requirements (ERs): These are mandatory standards issued by the Telecommunication Engineering Centre and the National Centre for Communication Security.
- National Security Directive on Telecommunication Sector (NSDTS): This directive outlines national security measures that telecommunication entities must follow.
- Directives on Communication Security Certification: These directives set the standards for the certification of communication security measures.
Entities must ensure that their Critical Telecommunication Infrastructure, including hardware and software, complies with these standards. They are also required to adhere to any additional standards or directives issued by the Central Government.
4. Inspection and Access
The Central Government has the authority to inspect CTI to ensure compliance with the rules:
- Inspection Rights: Government-authorized personnel can access and inspect hardware, software, and data related to CTI.
- Facilitating Access: Telecommunication entities must allow access to these authorized personnel to conduct inspections.
5. Role of the Chief Telecommunication Security Officer
The CTSO is central to the implementation of these rules:
- Responsibilities: The CTSO must manage and oversee the security of CTI and provide detailed reports to the Central Government. This includes information on network architecture, personnel access, inventory of components, risk analysis, and security audits.
6. Obligations Related to CTI
Telecommunication entities must meet several key obligations:
- Security Measures: Implement and maintain security measures as specified by the Central Government.
- Documentation: Keep a detailed list of CTI, including hardware, software, and dependencies.
- Log Preservation: Maintain logs and documentation related to the network architecture of CTI, including any changes.
- Access Control: Develop and maintain verification practices for personnel with access to CTI.
- Supply Chain Records: Keep records of the supply chain for equipment used in CTI.
- Remote Access: Obtain prior written approval from the Central Government for remote access to CTI for repairs or maintenance.
- Vulnerability Assessments: Conduct annual or directed risk assessments of CTI.
- Backup and Recovery: Regularly back up logs and implement standard operating procedures for incident response and business continuity.
- Incident Reporting: Report security incidents within two hours, as specified.
- Risk Register: Maintain a risk register detailing potential risks and mitigation strategies.
7. Requirements for Upgradation of CTI
When upgrading equipment within CTI:
- Notification and Approval: Entities must notify the Central Government and submit test reports for approval before proceeding with upgrades.
- Certification: Upgrades require certification from the Central Government or an authorized body.
- Testing: The government may direct testing in a controlled environment, and entities must comply with these directives.
- Record Keeping: Maintain records of any upgradation until the CTI is in use.
8. Digital Implementation
The Central Government may introduce digital procedures to facilitate the implementation of these rules, including:
- Incident Reporting: Digital methods for reporting security incidents and other CTI-related information.
- Process Streamlining: Digital procedures for the CTSO to report and manage compliance with the rules.
How This Affects You
For telecommunication entities, these rules will necessitate rigorous adherence to new compliance standards and procedures. This includes maintaining detailed documentation, undergoing regular inspections, and promptly addressing any security incidents.
For the public, these measures are designed to ensure that the networks critical to national security and daily communications are protected against potential threats. By enhancing the security framework, the government aims to fortify the resilience of the nation’s telecommunication infrastructure.
PUBLIC CONSULTATION:
Objections or suggestions, if any, may be addressed to the Joint Secretary (Telecom), Department of Telecommunications, Ministry of Communications, Government of India, Sanchar Bhawan, 20, Ashoka Road, New Delhi- 110001 by September 27th 2024