Security for Telecom Infrastructure and Networks | CloseProtectionHire


Expert guide to security for telecom infrastructure: submarine cables, tower security, Volt Typhoon, Electronic Communications Security Act 2021, and protecting CNI assets.

6 May 2026

Written by James Whitfield, Senior Security Consultant

Telecommunications infrastructure sits at the intersection of critical national infrastructure designation, state-sponsored cyber targeting, physical attack by hostile actors, and persistent opportunistic crime. Security for telecom infrastructure is a multi-layered discipline that demands physical, electronic, and cyber security functions operating in coordination – not in departmental isolation.

This article addresses the regulatory framework, physical threat picture, state-sponsored cyber threats, submarine cable vulnerability, and the practical security standards telecoms operators and their security advisers need to understand.

The Regulatory Framework

The Electronic Communications (Security) Act 2021 fundamentally changed the UK telecoms security landscape. Prior to this legislation, telecoms security was largely self-regulated, with providers applying voluntary NCSC guidance and the broader NIS Regulations 2018 framework.

The 2021 Act imposed specific statutory security duties on public communications providers for the first time. Ofcom enforces the resulting Telecoms Security Requirements (TSRs) – a detailed set of technical and organisational measures covering access control, network monitoring, vendor management, and incident reporting. Failure to comply with TSRs can result in financial penalties of up to ten per cent of turnover. Persistent non-compliance or inadequate incident response can result in Ofcom issuing enforcement notices with further escalating consequences.

The Act also introduced the vendor designation power – the statutory basis on which Huawei equipment was required to be removed from 5G core networks by January 2023 and from all parts of 5G networks by January 2027. The designation power reflects a settled view across UK, EU, US, and Australian governments that certain vendors represent an unacceptable national security risk regardless of contractual protections or technical mitigations.

At the EU level, the NIS2 Directive (2022/2555), due for transposition into member state law by October 2024, brought telecoms into its highest-tier essential entity category. ENISA’s 5G threat landscape report (2022) and the EU 5G Toolbox provide the technical framework within which member state telecoms regulators operate.

Submarine Cables: The Overlooked Infrastructure Layer

TeleGeography’s most recent survey data estimates that approximately 95 per cent of all international internet and data traffic – including financial transactions, voice calls, government communications, and military data – travels via submarine cable. Satellite provides resilience for remote locations but cannot carry the volume of global traffic that submarine cables handle.

This concentration creates a significant structural vulnerability. Cable landing stations are fixed, known locations. The cable routes are publicly mapped. Depth varies from several thousand metres in mid-ocean to as little as a few metres near shorelines.

The events of late 2022 and 2024 demonstrated that state actors are willing to act against this infrastructure. The Nord Stream pipeline explosions of September 2022 – attributed by most Western governments to deliberate sabotage – were a proof of concept for subsea infrastructure attack. In November 2024, two submarine cables in the Baltic Sea were severed in what the UK government described as likely deliberate hostile state activity. The BCS East-West Interlink between Finland and Germany and a cable between Sweden and Lithuania were both cut within a short period of each other.

Protection options at the physical cable level are limited. The primary mitigations are:

  • Cable landing station security: physical access control, CCTV, guards, and perimeter security at the points where submarine cables connect to terrestrial networks
  • Route diversity: ensuring that any single geographic choke point does not carry a disproportionate share of critical traffic
  • Repair capability pre-positioning: maintaining repair vessels and cable inventory to reduce restoration time
  • International co-ordination: bilateral and multilateral frameworks for monitoring, attribution, and response

The International Cable Protection Committee (ICPC) provides the primary non-governmental framework for cable security co-ordination. Its recommendations on cable burial depth in shallow water and exclusion zone management are referenced by many national regulators.

Volt Typhoon: Pre-Positioning as a New Threat Category

In February 2024, CISA, NSA, and the FBI published a joint advisory on Volt Typhoon – a PRC state-sponsored threat actor assessed to have pre-positioned itself inside critical US infrastructure, including telecoms networks. The UK’s NCSC endorsed the advisory. Similar warnings followed from Australian and Canadian cyber security agencies.

The advisory was notable not for documenting espionage – the expected use of such access – but for assessing that the objective was contingency pre-positioning: placing persistent footholds in infrastructure to enable disruption or destruction at a time of China’s choosing, specifically in the context of a potential future Taiwan conflict.

This is a qualitatively different threat model from espionage. Signature-based detection, which looks for known malicious tools, is largely ineffective against Volt Typhoon activity described as “living off the land” – using legitimate system tools and credentials to avoid triggering standard detection. Detection requires anomaly-based monitoring: baselines for normal network behaviour against which deviations are flagged regardless of the tool used.

For telecoms security teams, the implication is that continuous monitoring of network access patterns, user behaviour analytics, and periodic adversary simulation exercises are requirements, not optional additions to a compliance-focused programme.
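The contrast above between signature-based and anomaly-based detection, as an added example (not code from the advisory or from this article's author): a per-account baseline of hosts, tools and working hours is built from constructed sample events, and new events are flagged when they deviate from it even though every tool involved is legitimate. The event format, account and host names, the stand-in signature list and the two-hour slack are all assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry: (account, host, tool, hour_utc).
BASELINE_EVENTS = [
    ("svc-backup", "mgmt-01", "robocopy.exe", 2),
    ("svc-backup", "mgmt-01", "robocopy.exe", 3),
    ("neteng-alice", "jump-01", "ssh.exe", 10),
    ("neteng-alice", "jump-01", "ssh.exe", 14),
    ("neteng-alice", "jump-01", "powershell.exe", 11),
    ("noc-bob", "noc-ws-07", "powershell.exe", 9),
]
NEW_EVENTS = [
    ("neteng-alice", "jump-01", "ssh.exe", 13),       # matches baseline
    ("svc-backup", "mgmt-01", "powershell.exe", 3),   # legitimate tool, new for this account
    ("neteng-alice", "billing-db-02", "ssh.exe", 2),  # valid credential, new host, odd hour
    ("noc-bob", "noc-ws-07", "powershell.exe", 10),   # matches baseline
]
KNOWN_BAD_TOOLS = {"mimikatz.exe"}  # stand-in for a signature list (assumption)

def signature_alerts(events):
    """Signature approach: alert only when the tool name is on the known-bad list."""
    return [e for e in events if e[2] in KNOWN_BAD_TOOLS]

def build_baseline(events, hour_slack=2):
    """Record, per account, the hosts, tools and hours (with slack) seen in normal use."""
    profile = defaultdict(lambda: {"hosts": set(), "tools": set(), "hours": set()})
    for account, host, tool, hour in events:
        entry = profile[account]
        entry["hosts"].add(host)
        entry["tools"].add(tool)
        entry["hours"].update((hour + d) % 24 for d in range(-hour_slack, hour_slack + 1))
    return profile

def anomaly_alerts(events, profile):
    """Anomaly approach: alert on any deviation from the account's own baseline."""
    alerts = []
    for event in events:
        account, host, tool, hour = event
        entry = profile.get(account)
        if entry is None:
            alerts.append((event, ["account not in baseline"]))
            continue
        reasons = []
        if host not in entry["hosts"]:
            reasons.append("new host")
        if tool not in entry["tools"]:
            reasons.append("new tool for account")
        if hour not in entry["hours"]:
            reasons.append("unusual hour")
        if reasons:
            alerts.append((event, reasons))
    return alerts
```

On the sample data the signature check returns nothing, while the baseline comparison flags the service account running a tool it has never used and the engineer's credential appearing on a new host outside normal hours.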

Physical Security: Towers, Cabinets, and NOCs

Mobile tower sites represent a significant physical security challenge. A typical national mobile network has thousands of sites, many in remote or semi-rural locations with limited passive security. The threats are:

Metal and cable theft. The BSIA reports persistent theft of copper and aluminium from telecoms infrastructure. Copper prices at London Metal Exchange levels make tower sites economically attractive targets for criminal gangs. Theft causes service outages and repair costs that can run to tens of thousands of pounds per incident.

Sabotage. Deliberate damage to tower infrastructure – whether by organised criminal groups, political activists, or state-proxied actors – increased during the 5G conspiracy period of 2020-2021 (in the UK, 77 telecoms towers were reportedly damaged or set alight between January and April 2020). Physical sabotage remains a live threat.

Unauthorised access. Cabinet compromise – installing covert monitoring equipment or interfering with network components – requires physical access. Electronic access control systems with audit logs are the appropriate response; mechanical padlocks provide minimal security against a prepared adversary.

Minimum physical security requirements for tower sites:

  • CCTV with remote monitoring capability, minimum 30-day retention (ICO CCTV Code 2023)
  • Electronic access control with named-individual audit trail
  • Anti-tamper sensors on equipment cabinets
  • Lone worker protocol for maintenance technicians: structured check-in/check-out, missed check-in escalation within 30 minutes
  • Perimeter security meeting BS 1722 fencing standards or equivalent
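One way to review an access-control export against two of the requirements above, the named-individual audit trail and the 30-minute missed check-in escalation, as an added example rather than any vendor's or operator's own tooling. The log format, site and staff identifiers, the staff directory, and the expected-departure time declared on arrival are all assumptions.

```python
from datetime import datetime, timedelta

ESCALATION_WINDOW = timedelta(minutes=30)  # limit stated in the lone worker requirement

# Constructed access-control export (assumed format):
# timestamp, site, credential holder, event, expected departure declared on arrival
LOG = """\
2026-05-06T08:00 TWR-0412 j.patel ARRIVE 09:00
2026-05-06T08:50 TWR-0412 j.patel DEPART -
2026-05-06T09:10 TWR-0977 m.okoro ARRIVE 10:00
2026-05-06T09:40 TWR-0977 shared-key-3 CABINET_OPEN -
2026-05-06T10:05 TWR-1103 a.reid ARRIVE 10:30
"""

NAMED_HOLDERS = {"j.patel", "m.okoro", "a.reid"}  # hypothetical staff directory


def review(log, now):
    """Return audit findings: access not tied to a named person, and open visits
    whose departure check-in is missed or past the escalation window."""
    open_visits, findings = {}, []
    for line in log.splitlines():
        stamp, site, holder, event, until = line.split()
        when = datetime.fromisoformat(stamp)
        if holder not in NAMED_HOLDERS:
            # Shared or unknown credential: breaks the named-individual audit trail.
            findings.append(("UNNAMED_ACCESS", site, holder))
        if event == "ARRIVE":
            hh, mm = map(int, until.split(":"))
            open_visits[(site, holder)] = when.replace(hour=hh, minute=mm)
        elif event == "DEPART":
            open_visits.pop((site, holder), None)
    for (site, holder), due in sorted(open_visits.items()):
        if now > due + ESCALATION_WINDOW:
            findings.append(("ESCALATION_OVERDUE", site, holder))
        elif now > due:
            findings.append(("MISSED_CHECK_IN", site, holder))
    return findings
```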

Network Operations Centres (NOCs) are the highest-value physical targets within a telecoms operator’s estate. NOC compromise – whether through physical intrusion, social engineering of staff, or insider threat – could provide access to controls affecting millions of customers. NOC security should apply the same tiered access control model used for data centres: outer perimeter, building entry, operations floor, and core systems access each with independent authentication requirements.

5G Security: A National Security Decision in Operational Form

The NCSC’s 5G Security Guidance (2020) and the EU’s ENISA 5G Threat Landscape report (2022) both set the framework within which 5G deployments must be evaluated. The core principles are:

Vendor diversity. Single-vendor dependency in any network layer creates both a commercial and security risk. The 5G Toolbox recommends limiting market share of high-risk vendors and maintaining multi-vendor options across network layers.

Core-RAN segregation. The most sensitive network functions – authentication, policy control, subscriber data management – must be segregated from the radio access network. Compromise of the RAN should not provide a pathway to core functions.

Security testing before deployment. Network equipment should be tested against defined security requirements before deployment, not assumed compliant based on vendor documentation alone.

Supply chain assurance. Software and firmware updates from vendors represent an ongoing supply chain risk. Code review, integrity verification, and staged deployment of updates to production networks are baseline requirements.

The exclusion of Huawei from UK 5G core networks and the progressive exclusion from radio access networks reflects a settled national security assessment – not a commercial or technical performance judgement. Telecoms operators who are still carrying excluded vendor equipment past defined deadlines face both regulatory enforcement and reputational risk from Ofcom.

P1 Country Operational Considerations

Russia imposes mandatory lawful intercept capability (SORM) on all telecoms operators. Foreign telecoms equipment sent to or installed in Russia should be treated as potentially compromised for the purpose of any sensitive communications.

Turkey operates a significant telecoms infrastructure and is a transit hub for submarine cables connecting Europe, Asia, and the Middle East. Istanbul is a known environment for intelligence collection against foreign telecoms and technology professionals.

Nigeria’s NCC (Nigerian Communications Commission) licenses telecoms operators and mandates local data retention requirements. Tower security in Lagos and other Nigerian cities faces the same physical threat picture described above – compounded by higher rates of generator theft (generators are required at most Nigerian tower sites given power grid reliability).

For related guidance on protecting digital infrastructure, see our articles on security for data centres and technology facilities and physical and cyber security convergence for executives. For satellite operations and space ground stations – where NIS2 Directive 2022/2555 classifies space operators as essential entities alongside telecoms, the Viasat KA-SAT attack demonstrated the kinetic consequences of satellite communications disruption, and command uplink security requires a framework distinct from standard telecoms network protection – see our security for satellite operations and space ground stations guide.

Key Takeaways

Telecoms infrastructure is CNI in the fullest sense – its disruption degrades almost every other sector’s ability to function. The Electronic Communications Security Act 2021 set a new statutory baseline that operators must meet, not merely aspire to. Volt Typhoon demonstrated that the threat is not limited to espionage – pre-positioning for contingency disruption is now documented. Physical protection of distributed tower estates, submarine cable landing stations, and NOC facilities requires the same rigour applied to any other critical infrastructure environment.


James Whitfield is a Senior Security Consultant with experience across critical national infrastructure security, executive protection, and risk assessment in high-threat environments. This article is for informational purposes only and does not constitute legal or regulatory advice.

Summary

Key takeaways

1. The Electronic Communications Security Act 2021 Changed the Landscape

UK telecoms operators now face statutory security duties enforced by Ofcom with significant financial penalties for non-compliance. The legislation also gave government the power to exclude high-risk vendors – a power used against Huawei equipment in 5G core networks. This is no longer a voluntary best-practice framework.

2. Submarine Cables Are More Vulnerable Than Most People Realise

Approximately 95 per cent of international internet and data traffic travels via submarine cable, not satellite. The November 2024 Baltic Sea cable cuts followed the September 2022 Nord Stream explosions as further evidence that hostile state actors are willing to attack undersea infrastructure. Protection at the cable landing station and co-ordinated international monitoring are the primary mitigations available.

3. Volt Typhoon Represents a New Category of Threat

Pre-positioning in infrastructure for contingency disruption is fundamentally different from espionage. The CISA/NSA/FBI Volt Typhoon advisory of February 2024 assessed that PRC actors had embedded themselves in US telecoms and other CNI not to collect intelligence now but to be able to disrupt or destroy capability at a time of their choosing. Detecting this requires anomaly-based monitoring rather than signature-based detection.

4. Metal and Cable Theft Remains a Live Physical Security Issue

The BSIA reports persistent copper and aluminium theft from telecoms infrastructure. For remote tower sites, physical security must be active – CCTV with remote monitoring, electronic access control with audit logs, and anti-tampering sensors on cabinet doors. Mechanical locks and passive CCTV are no longer adequate for unattended sites in high-theft locations.

5. 5G Vendor Security Is a National Security Decision, Not Just a Technical One

The exclusion of Huawei and ZTE equipment from 5G core networks in the UK, EU, and US was driven by national security assessment, not technical performance evaluation. Telecoms operators sourcing equipment for 5G deployments must apply the NCSC 5G Guidance and ENISA 5G Toolbox frameworks. Vendor diversity – avoiding single-supplier dependency – is a resilience requirement, not just a commercial preference.

FAQ

Frequently Asked Questions

The Electronic Communications (Security) Act 2021 imposed statutory security duties on public telecoms providers for the first time. Ofcom enforces the resulting Telecoms Security Requirements, which specify technical and organisational measures providers must implement. The Act gives the Secretary of State power to designate specific vendors as posing national security risks – the basis on which Huawei equipment was excluded from 5G core networks by January 2023. The Act also brought telecoms into alignment with the NIS Regulations 2018 framework for critical national infrastructure.

In November 2024, two submarine cables in the Baltic Sea were severed in incidents the UK and German governments attributed to deliberate sabotage. The BCS East-West Interlink between Finland and Germany and a second cable between Sweden and Lithuania were both cut within days of each other. HM Government issued a statement attributing the likely cause to hostile state activity, consistent with the pattern established by the Nord Stream pipeline explosions of September 2022. TeleGeography estimates that submarine cables carry approximately 95 per cent of international internet traffic.

Volt Typhoon is a PRC state-sponsored cyber threat actor documented in a joint advisory by CISA, NSA, and the FBI in February 2024. The advisory assessed that Volt Typhoon had pre-positioned itself within critical US infrastructure – including telecoms networks – not for immediate espionage but to enable disruption or destruction in the event of a future geopolitical crisis. The UK’s NCSC endorsed the advisory. This is a qualitatively different threat from espionage: the objective is capability staging for contingency use, not current intelligence collection.

The NCSC published its 5G Security Guidance in 2020, updated in line with the Telecoms Security Act 2021. The EU’s ENISA published a comprehensive 5G threat landscape assessment in 2022 as part of the EU 5G Toolbox. Both frameworks exclude high-risk vendors from core network functions, require segregation between core and radio access network components, and mandate security testing of network equipment before deployment. The UK’s Network and Information Systems (NIS) Regulations 2018 also apply to telecoms providers classified as operators of essential services.

Tower access should be controlled through electronic access systems with audit logs – not mechanical locks. Each access event should be time-stamped, tied to a named individual, and reviewed monthly. Lone worker protocol is mandatory for tower technicians: check-in at arrival and departure, missed check-in escalation to a named contact within 30 minutes, and a duress signal protocol. Anti-drone systems are increasingly relevant for tower farm sites. CCTV with remote monitoring and rapid-response capability deters opportunistic metal theft and provides post-event forensic evidence. Site perimeter should meet BS 1722 or equivalent standard.