
Telecommunications Sector Security Reforms (TSSR)

Administrative Guidelines

1300 27 25 24
[email protected]
Contents
Disclaimer 4
Contact us 4

Purpose of this document 5


Note on definition of ‘security’ 5

TSSR Framework 6
Table 1. Who does TSSR affect? 6
How does TSSR work? 6
Security Obligation 6
Notification Obligation 7
General Engagement 7
TSSR framework principles 7
Implementation of the TSSR framework by Government and industry in good faith 7
Key security principles 7
Regulatory powers 9
Power to direct C/CSPs 9
Power to obtain information from C/CSPs 9
Civil penalty regime 9
Relationship between TSSR and the Security of Critical Infrastructure Act 2018 9

Information sharing and assistance 11


Specific assistance 11
General industry guidance 12
General information sharing 12
TISN Communications Sector Group (CSG) 12
ASIO Outreach 12
Australian Cyber Security Centre 13
Office of the Australian Information Commissioner 13

National security risks 14


Telecommunication networks and facilities are critical infrastructure 14
High risk areas 14
Vulnerabilities posed by outsourcing and offshoring arrangements 14
Sensitive functions and facilities 15

Network Operations Centres 15
Lawful interception equipment or operations 15
Parts of networks that manage or store an aggregate of information 15
Locations where traffic belonging to customers or end users is aggregated in large volumes, either in transit or at rest 16

Security Obligation 17
Unauthorised access or unauthorised interference 17
Availability and integrity of telecommunications networks and facilities 18
Confidentiality of communications and information 19
How do you meet your Security Obligation? 19
Ensure regular two-way engagement with the Critical Infrastructure Centre 19
Do your ‘best’ 20
Implement a risk management approach 20
Demonstrate competent supervision and effective control 21
A note on standards compliance and certification 23

Notification Obligation 24
Overview of the Notification Obligation 24
Notifiable changes 24
Non-notifiable changes 25
The right time to notify 27
Administrative process for notifications 27
Post-Notification 28
Re-notification 29
Notification exemptions 29
Grounds for exemption 29
Security Capability Plans 30
How far in advance should Security Capability Plans forecast? 30
What information should be included in a security capability plan? 30

Regulatory powers 31
Direction powers 31
Direction to cease use or supply of a carriage service 31
Direction to do, or not do, a thing to address a risk to security 31
Transparency and accountability measures 31
Consultation 32

Information gathering power 32
Transparency and accountability measures 32
Written notice 33

Glossary 34

List of acronyms 35

Appendices 36
Notification process chart 36
Resources to help you meet your national Security Obligation 37
Checklists 38
Ways to meet your Security Obligation 38
Sensitive functions and facilities 39

Disclaimer

This document is intended as a guide and readers should seek legal, technical and risk advice as
to their own specific needs. The information in this document should not be relied upon as legal
advice. The provision of this information does not override the need to observe laws, in particular
requirements to protect personal information under Australian privacy law.

Contact us
The Critical Infrastructure Centre (the Centre) within the Department of Home Affairs is responsible for
the administration of Telecommunication Sector Security Reforms (TSSR) and for ongoing engagement
with the telecommunications industry.

Any questions about this document or TSSR should be directed to the Centre:

Website: cicentre.gov.au

Email: [email protected]

Telephone: (02) 5127 7387

Purpose of this document
This document is designed to help telecommunications service providers understand and comply with
the changes to Part 14 of the Telecommunications Act 1997 (the Act) introduced by the
Telecommunication and Other Legislation Act 2017, known as the Telecommunication Sector Security
Reforms (TSSR).

Detailed guidance is provided to carriers, carriage service providers and carriage service intermediaries
(C/CSPs) on how to comply with their obligations to:
• do their best to protect telecommunication networks and facilities from risks of unauthorised
interference or unauthorised access; and to
• engage with Government to discuss proposed changes to their telecommunications systems and
services that may impact national security.

The Guidelines also detail the importance of the enhanced partnership between Government and the
telecommunications industry, and the processes that support early engagement on potential risks,
increased information sharing on specific national security risks, and increased industry awareness of
national security vulnerabilities and risks.

Note on definition of ‘security’


Unless otherwise indicated, the term ‘security’ has the same meaning as in the Australian Security
Intelligence Organisation Act 1979. Section 4 of the Australian Security Intelligence Organisation Act
1979 provides that

"security" means:

(a) the protection of, and of the people of, the Commonwealth and the several States and
Territories from:

(i) espionage;

(ii) sabotage;

(iii) politically motivated violence;

(iv) promotion of communal violence;

(v) attacks on Australia's defence system; or

(vi) acts of foreign interference;

whether directed from, or committed within, Australia or not; and

(aa) the protection of Australia's territorial and border integrity from serious threats; and

(b) the carrying out of Australia's responsibilities to any foreign country in relation to a matter
mentioned in any of the subparagraphs of paragraph (a) or the matter mentioned
in paragraph (aa).

TSSR Framework
TSSR is a principles based framework for industry and government to formally share information to
manage national security risks in telecommunications networks.

Australia’s telecommunication networks, systems and facilities are critical infrastructure that are vital to
the social and economic well-being of the nation. As many commercial entities have experienced,
espionage, sabotage and foreign interference pose a real and growing threat to Australia’s
telecommunications infrastructure.

The TSSR framework responds to these threats by formalising engagement mechanisms and helping
telecommunications service providers to understand and take into account national security risk factors
when making investment and operational decisions. By working closely with Government,
telecommunications providers can better safeguard Australia’s sensitive information and systems.

Table 1. Who does TSSR affect?

TSSR Framework               Carriers   Nominated Carriage   Carriage Service   Carriage Service
                                        Service Providers    Providers          Intermediaries
Security Obligation          ✔          ✔                    ✔                  ✔
Notification Obligation      ✔          ✔                    ✘                  ✘
Information Gathering Power  ✔          ✔                    ✔                  ✔
Direction Powers             ✔          ✔                    ✔                  ✔

How does TSSR work?


Security Obligation

Carriers and carriage service providers (C/CSPs) and carriage service intermediaries should do their
best to protect the networks and facilities they own, operate or use, from unauthorised access or
interference to ensure:
• the availability and integrity of telecommunications networks and facilities; and
• the confidentiality of communications carried on, and information contained on,
telecommunications networks or facilities.

Carriers and carriage service providers (but not carriage service intermediaries) should also maintain
competent supervision of, and effective control over, telecommunication networks and facilities that they
own or operate.

For further information see Security Obligation on page 17.

Notification Obligation

Section 314A requires carriers and nominated carriage service providers (C/NCSPs) to notify the
Communications Access Co-ordinator (CAC), through the Critical Infrastructure Centre (the Centre), of
proposed changes to their telecommunication systems or services that are likely to have a material
adverse effect on their capacity to comply with the Security Obligation.

For further information see Notification Obligation on page 24.

General Engagement

Carriers and carriage service providers are encouraged to engage with the Centre, even if they consider
that changes to their telecommunications systems or services are not notifiable under TSSR.

Regular, two-way engagement with the Centre is the best way for C/CSPs to stay informed about the
changing security environment and the potential implications for the security of their infrastructure and
operations.

TSSR framework principles


Implementation of the TSSR framework by Government and industry in good faith

C/CSPs are expected to comply with the Security Obligation, and engage with Government
cooperatively and in good faith.

Government will work cooperatively with C/CSPs to identify and mitigate risks to Australia’s national
security arising from the design, construction or operation of telecommunications systems and networks.
Government agencies will take adequate steps to engage with C/CSPs, listen to the C/CSPs’ concerns
and work with C/CSPs to develop mitigation measures reasonably necessary for addressing identified
risks.

Government recognises that some mitigation measures to address some security risks to networks may
have cost impacts. For this reason, Government will work closely with C/CSPs to ensure the TSSR
framework operates in a pragmatic way that balances national security outcomes with commercial
drivers.

Key security principles

Protection of telecommunications infrastructure is a shared responsibility

Owners and operators of telecommunications networks and systems have primary responsibility for
ensuring their security; this is a matter of good corporate governance and business continuity. Owners
and operators are best placed to manage risks to their operations and determine the most appropriate
strategies to boost resilience.

Government will work with the telecommunications industry to support assurance, vulnerability and risk
management practices.

A risk management approach

This document does not specify how telecommunications companies must protect their networks.
Rather, it encourages a risk-based approach that allows companies to choose the best technical and
business solutions for their unique circumstances. There is no single solution to protect networks and
facilities—good security is multi-layered and tailored to identified threats.

Good risk management is an ongoing process. It involves establishing a context, determining threats,
vulnerabilities and criticality of systems and information, then analysing likelihood and consequence
before evaluating and applying risk controls to the identified vulnerability.

Embedding security considerations into business processes

Good security should be part of an organisation’s principles, practices and culture. If compliance with the
Security Obligation is only considered as an afterthought, it can leave systems or business
arrangements exposed and increase cost and complexity. Integrating security measures into business
systems and processes from the start is ultimately more effective and less costly than adding on security
measures after the fact.

C/CSPs are encouraged to engage with the Centre early in the process of planning changes to systems
and services which affect core and sensitive parts of a network and may give rise to national security
risks. C/CSPs are also encouraged to engage with the CAC at any stage if they are uncertain about what
parts of a network or system may be vulnerable to unauthorised access or unauthorised interference.

A list of resources to assist C/CSPs to protect networks and information is at Appendix B.

Regulatory powers
The TSSR framework introduces powers to direct C/CSPs to take specific action, or refrain from taking
specific action, or provide information.

Power to direct C/CSPs

Section 315A of the Act enables the Minister for Home Affairs (the Minister) to give a C/CSP a direction
to cease using or supplying a carriage service if the Minister considers the use or supply is, or would be,
prejudicial to security.

The Minister can only give a direction under section 315A if the Australian Security Intelligence
Organisation (ASIO) has issued an adverse security assessment in relation to the C/CSP.

Section 315B of the Act enables the Minister to give a C/CSP a direction to do, or not do, a specified act
or thing where there is a risk of unauthorised interference or access involving telecommunications
networks or facilities and the risk would be prejudicial to security. These include risks to:
• the confidentiality of information contained on or carried across telecommunications networks
and/or facilities; and
• the availability and integrity of telecommunications networks and facilities,
where the risk would be prejudicial to security.

The Minister can only give a direction under section 315B if ASIO has issued an adverse security
assessment in relation to the C/CSP and if reasonable steps have been taken to negotiate in good faith
with the C/CSP to achieve an outcome of eliminating or reducing the risk.

For further information see page 31.

Power to obtain information from C/CSPs

Section 315C of the Act enables the Secretary of the Department of Home Affairs (or the Director-
General of Security, ASIO if authorised), to request information or documents from a C/CSP for the
purpose of assessing compliance with the Security Obligation.

For further information see page 33.

Civil penalty regime

The Minister can initiate proceedings in the Federal Court to seek civil remedies for non-compliance with
the Security Obligation, a Direction or a request for information, including civil penalties, enforceable
undertakings and injunctions.

Relationship between TSSR and the Security of Critical Infrastructure Act 2018

TSSR and the Security of Critical Infrastructure Act 2018 (SOCI) create regulatory frameworks that apply
to different critical infrastructure assets and create different statutory obligations.

However, there will be some instances where regulated entities may have obligations under both
frameworks. For example, an energy company that holds a carrier licence would need to comply with its
reporting obligations under SOCI and TSSR obligations in relation to its telecommunications
infrastructure.

Contact the Centre if you have specific questions about the application of TSSR and SOCI to your
organisation.

Information sharing and assistance
Telecommunications service providers are encouraged to contact the Centre with any questions
about TSSR, or to discuss how they can best ensure the security of their operations within a commercial
setting.

Specific assistance
C/CSPs of all sizes can get targeted security assistance about national security risks through one-on-
one engagement with the Centre.

Nobody knows C/CSPs’ networks and operations better than C/CSPs themselves—not even
Government. Conversely, even the most well-informed, capable and well-resourced C/CSP may not
have access to the most up to date security information available to Government.

Engaging with the Centre ensures C/CSPs benefit from Government information and Government’s
experience responding to security threats. C/CSPs can benefit from Government information holdings by
raising specific issues with the Centre, who may then consult with security agencies in appropriate
circumstances.

Submitting a Notification is the Centre’s preferred mechanism for providing guidance about C/CSPs’
particular risks and vulnerabilities, as it affords the greatest protection to information C/CSPs share with
the Centre. C/CSPs are also welcome to engage informally with the Centre, outside the Notification
process, though the Centre may be more limited in the assistance that it can provide.

Confidentiality

The Centre always operates to the highest standards for the protection of information, and must comply
with the following legislative provisions:
• Privacy Act 1988 (Cth) sch 1 (Australian Privacy Principles).
• Archives Act 1983 (Cth) s 33.
• Crimes Act 1914 (Cth) ss 70, 79.
• Criminal Code s 91.1.
• Public Service Regulation 1999 (Cth) reg 2.1.
• Public Service Act 1999 (Cth) s 13 (APS Code of Conduct).

Information shared through Notifications or Security Capability Plans, or obtained as a result of the
Information Gathering Power, is subject to additional, specific protections under section 315H.

Security clearances

Security agencies may request that specified personnel within a C/CSP apply for a security clearance.
Having cleared staff will give security agencies the option of sharing classified information where there is
a need to know this information. While these individuals cannot disclose the classified information to
colleagues without security clearances, they will be able to provide better informed guidance on
identifying and addressing network security risks.

If a C/CSP does not have security cleared staff, security agencies will still engage with them and share
what information they can about security risks.

General industry guidance


Government may from time to time publish industrywide guidance setting out how it believes TSSR
applies in particular contexts. The 5G Security Guidance to Australian Carriers is an example of this type
of guidance.

These publications are intended to assist C/CSPs of all sizes to understand Government’s expectations
about TSSR, and ensure that all C/CSPs have equal awareness of the Government’s position.

General information sharing


The Australian Government supports a range of mechanisms to share information about security threats,
risks and vulnerabilities with industry.

Please note that participating in any of the following information sharing schemes will not in and of
itself achieve compliance with either the Security Obligation or Notification Obligation.

TISN Communications Sector Group (CSG)

https://cicentre.gov.au/tisn

The Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN) Communications
Sector Group (CSG) is one of the key mechanisms for Government to provide security advice to
telecommunications providers. The Centre and security agencies will use this forum to provide updates
about national security risks to the communications sector, share information and techniques required to
assess and mitigate risks, and build capacity within organisations so they are better able to respond to
risks and develop a common approach to organisational resilience.

To join the CSG interested parties must demonstrate they are owners and operators of communications
critical infrastructure, and provide a company biography to the CSG Secretariat.

The Department of Infrastructure, Transport, Regional Development and Communications provides
Secretariat support to the CSG. They can be contacted at [email protected].

ASIO Outreach

https://outreach.asio.gov.au

ASIO Outreach is the principal interface between the Australian Security Intelligence Organisation
(ASIO) and government and industry stakeholders.

ASIO Outreach provides information via a number of means including a subscriber-controlled website,
ASIO-hosted briefings, face to face engagement and participation in joint government and industry
forums. All these mechanisms are aimed at providing risk management decision-makers within
government and industry with the most current security intelligence and protective security advice to
assist them to:
• recognise and respond to national security threats;
• develop appropriate risk mitigation strategies; and
• provide informed briefings to executives and staff.

The secure website operates on a free subscription basis. The ASIO Outreach website contains
intelligence-backed reporting on the domestic and international security environment. This reporting is
drawn from the full range of ASIO's information holdings and expertise (including the multi-agency
National Threat Assessment Centre, ASIO's protective security area (T4) and the Counter-Espionage
and Interference Division) and some foreign intelligence partner agency reports.

Australian Cyber Security Centre

https://cyber.gov.au

The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve
cyber security, and provides a wealth of information on information security best practices.

The ACSC monitors cyber threats to Australia and distributes advice through a range of publications and
partnership programs. Up to date information about available ACSC publications and programs is
available through the ACSC website.

Office of the Australian Information Commissioner

https://oaic.gov.au

The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for
privacy and freedom of information and has a number of powers and functions under the Privacy Act
1988, including oversight of Australia’s Notifiable Data Breaches (NDB) scheme. The OAIC can provide
general information about obligations under the Privacy Act, factors to consider in responding to a data
breach, and steps to take to prevent similar future incidents.

National security risks

Telecommunications networks and facilities are attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors

Telecommunication networks and facilities are critical infrastructure


The security and resilience of telecommunications infrastructure significantly affects Australia’s social
and economic well-being. Government and business are increasingly storing and communicating large
amounts of information on and across telecommunications networks and facilities. For these reasons,
the telecommunications networks and facilities of C/CSPs are attractive targets for espionage, sabotage
and foreign interference activity by state and non-state actors.

In some cases, national security risks will overlap with general security risks related to the running of a
business, for example ensuring personal information about customers is protected. The difference lies in
how that risk may be exploited by specific threat actors, and the impact it may have on Australia's critical
infrastructure and national security.

In summary, national security risks relate to possible:
• compromise or degradation of telecommunications networks;
• compromise of valuable data or information of a sensitive nature, such as aggregate stores of
personal data or commercial or other sensitive data;
• impairment of the availability or integrity of telecommunications networks; or
• potential impact on other critical infrastructure or Government services (such as banking and finance,
health or transport services).

Global supply chains create particular challenges for implementing controls to mitigate personnel,
physical and ICT security risks and therefore make networks and facilities more vulnerable to
unauthorised access or unauthorised interference, such as espionage, sabotage, and foreign
interference.

High risk areas


The majority of high consequence and high frequency attack vectors fit into one of the following five
categories:
• exploitation via the operators’ management plane
• exploitation via the international signalling plane
• exploitation of virtualised networks
• exploitation via the supply chain
• loss of the national capability to operate and secure our networks (dependency).

Vulnerabilities posed by outsourcing and offshoring arrangements

The TSSR framework is designed to ensure adequate risk management, not prescribe particular
business models or service delivery solutions. There is no general prohibition against C/CSPs using third
party cloud services, and/or service providers or facilities located offshore.

A key area of interest for Government is changes to networks and systems from outsourcing and
offshoring arrangements that are managed by a vendor, rather than the carrier or provider. Vendor-
managed outsourcing and offshoring arrangements can provide a vendor with broad access to the
carrier’s or provider’s networks, facilities and customer information, which potentially heightens risks of
unauthorised access or interference. There may be additional risk if the offshore location from which
these services and functions are delivered limits the telecommunications operator’s visibility over the
network or facility.

Foreign solutions operate in different legal environments that may create potential national security
vulnerabilities and risks. These can be further exacerbated by an operator’s lack of competent
supervision and effective control over offshore arrangements. The objective of the TSSR framework is to
ensure that these types of risks are appropriately identified and adequately managed by C/CSPs.

For guidance see the ACSC’s Cyber Supply Chain Risk Management Practitioner Guide, which is
available from https://cyber.gov.au.

Sensitive functions and facilities

Note: a consolidated list of sensitive functions and facilities is available at Appendix C.

The following parts of networks and facilities are generally considered to be most sensitive. ‘Sensitivity’ is
established based upon the following three impacts:
• availability impact: the damage to the network of the equipment going offline
• integrity impact: the disruption caused by changing the data over which the equipment has
control
• confidentiality impact: the cost of compromise of data within the network equipment.

Network Operations Centres

A Network Operations Centre (NOC) or Security Operations Centre (SOC) contains the function or
functions through which network operations are controlled, either as a function distributed among
business units, or as a discrete business unit itself. This includes equipment, services, locations and
processes used to support the network should this occur outside a NOC. This includes SOCs if distinct
from the NOC (since they also perform key functions of network governance and oversight).

Lawful interception equipment or operations

Lawful interception equipment refers to any equipment, parts of equipment, or software designed to
facilitate the lawful interception of communications on a network, which is permanently installed on the
network, or able to be installed on request. For the purposes of this guidance, this also includes
hardware or software which supports or facilitates this function.

Parts of networks that manage or store an aggregate of information

These are the places where information of a sensitive nature is likely to be stored, making the systems
hardware and its support/operation of specific security interest. This refers to:
• applications, databases and hardware that store or process data in bulk, such as call records or
network traffic data
• Operations Support Systems (OSS), or Business Support Systems (BSS) and other forms of
business customer databases
• areas of the network which store authentication credentials and encryption keys
• Evolved Packet Core (EPC) and the Home Location Register (HLR/HSS) in mobile networks
• IP core (routing or switching of traffic)
• virtualisation infrastructure, orchestrators and controllers
• internet gateways and monitoring functions
• backhaul transport and transmission
• places where privileged user credentials regarding the network and support systems themselves
are stored and audit and oversight controls are retained.

Locations where traffic belonging to customers or end users is aggregated in large volumes, either in transit or at rest

Areas where data is aggregated may include:
• points of interconnection or intersection with other networks, and other areas over which a
significant proportion of the traffic on the network travels, in each case where the volume of traffic
is, in absolute terms, 15% or greater of the total traffic travelling over the network
• large databases which reside in the core of the network, including customer Voice Mail Systems
(VMS), large email or message systems.

Case study – Consequences from the compromise of a ‘sensitive part’ of the
network
Hackers in Greece infiltrated core components of the largest carrier in Greece’s network to
intercept mobile phone conversations. Rogue software was illegally implanted in four of the
company’s switches (the computer-controlled component of a phone network that connects two
telephone lines to complete a telephone call). This created two parallel streams – one stream went
to the correct recipient and the other to the hacker’s network. This allowed hackers
to listen in on conversations, potentially record conversations, and track the locations of key
dignitaries as well as members of other political and non-political groups. As switches are at the
heart of a telecommunications network, the hackers only needed to take over a few switches to
carry out the attack.
What were the consequences?
It is not known who the hackers were (including whether trusted insiders were involved or whether
it was an external attack) or what conversations were intercepted and the purpose of the
interception. However, the list of targets was discovered. It included the phones of the Greek Prime
Minister and other high-ranking ministers, government and military officials involved in sensitive
political and business discussions.
How is this case study relevant to the TSSR framework?
This case study highlights why the TSSR framework is focussed on the sensitive parts of networks
– the consequences of a compromise of these parts can be particularly serious.
In addition, this particular carrier had inadequate monitoring processes and controls to detect the
unauthorised access to its lawful interception system. Under TSSR, C/CSPs will need to identify
vulnerabilities in their networks and implement appropriate measures and controls to manage those
risks.

Security Obligation

For the purposes of security, carriers, carriage service providers and carriage
service intermediaries must do their best to protect telecommunications networks
and facilities they own, operate or use from unauthorised interference or
unauthorised access.
The Security Obligation in subsections 313(1A), (1B) and (2A) of the Act has two elements:

All carriers and providers must do their best to protect telecommunications networks and facilities from
unauthorised access or unauthorised interference to ensure the:
• confidentiality of communication carried on and information contained on telecommunications
networks or facilities; and
• availability and integrity of telecommunications networks and facilities.

This includes providers that have telecommunications networks and facilities, based in Australia or
overseas, which are used to provide services and carry and/or store information from Australian
customers.

Carriers and carriage service providers (but not carriage service intermediaries) must also maintain
competent supervision of, and effective control over, telecommunication networks and facilities that
they own, operate or use.

Unauthorised access or unauthorised interference

The obligation to protect networks and facilities from unauthorised access or unauthorised interference
requires C/CSPs to maintain competent supervision and effective control. This may include taking
reasonable steps to prevent intrusions or breaches within networks or facilities or to minimise the effect
of malicious activity, demonstrable by the security controls in place. This will be particularly relevant
where activity, if left unchecked, could provide opportunity to compromise the confidentiality, availability
or integrity of telecommunications infrastructure or information carried by, or across it.

Breaches and security incidents are not reportable under TSSR, but carriers and providers may have
obligations under other Commonwealth legislation such as the mandatory reporting regime for data
breaches in the Privacy Act 1988.

Case study – Unauthorised access resulting from failure to maintain competent
supervision and effective control
A CSP operating in Australia contracted a webhosting business also located in Australia to hold the
CSP's information about business clients, including information to verify customers’ identities and
information to provide a quoting and billing system.
The hacking group Anonymous was able to exploit a vulnerability in an application used by the
webhosting business to gain access to the data they held. Although the webhosting business kept
the application patched, they had not upgraded to newer versions as they considered it the
responsibility of the CSP (the version being used was seven years old). Newer versions had security
features that may have prevented the attack by Anonymous.

Who was responsible for the breach?
The Office of the Information Commissioner (OAIC) found that the CSP had breached their
obligation under the Privacy Act 1988 to take reasonable steps to secure the personal information
it held. The OAIC took the view that the CSP 'held' the information for the purposes of the Privacy
Act, despite the fact that it was technically on the servers of a third party company.
What steps could prevent a breach such as this?
The OAIC recommended that the CSP:
• conduct regular reviews of all IT applications held internally or with external providers to ensure
visibility to the CSP
• take steps to ensure all IT applications held internally or externally which hold or use personal
information are subject to vulnerability assessment and testing, regular vulnerability scanning
and have effective lifecycle management
• clearly allocate responsibility for lifecycle management of applications
• conduct regular audits of the CSP's IT security framework to ensure that security measures are
working effectively, and that policies and procedures relating to data security are being complied
with
• undertake further training for IT staff and relevant business units to increase their understanding
of their data Security Obligations (including lifecycle management of IT applications), data
security risks and threats, and the importance of following the CSP's policies and procedures
that relate to data security
• undertake steps to ensure appropriate classification of data it holds either internally or
externally, including whether it includes personal information and the sensitivity of that
information
• review the terms of the contracts it has with IT suppliers that hold or manage the CSP's data to
ensure clarity around which party has responsibility for identifying and addressing data security
issues (such as vulnerabilities associated with old versions of IT applications).
How is the case study relevant to the TSSR framework?
The recommendations are relevant to any outsourcing arrangements to supply or manage
equipment or services (not just hosting data). For example, if management of core parts of
networks are outsourced without adequate security requirements these parts could be used to gain
access to the networks.

Availability and integrity of telecommunications networks and facilities

Availability is about ensuring that authorised users have access to information, communications and
telecommunications networks and facilities when required. An example where networks and facilities are
not available would be a denial-of-service attack which prevents the ordinary functioning of the service,
which could have serious economic, social or other consequences (particularly in an emergency).

Integrity relates to the accuracy and completeness of information and communications, as well as the
protection of telecommunications networks and facilities from compromise or unauthorised modification.
An example of a breach of integrity would be where a C/CSP’s systems are accessed by a third party
and modified to allow remote access by that party.

Confidentiality of communications and information

Confidentiality refers to ensuring that only authorised people have access to information, systems or
facilities.

The objective of the Security Obligation under subsections 313(1A) and 313(2A) is the protection of all
communications carried on and information contained on networks and facilities, including information
about the network itself, not just personal information or communications content.1 This includes
government and business information such as intellectual property, information that could provide a
competitive advantage, and information of a sensitive nature about a C/CSP’s network, service delivery
models and customers.

For example, a C/CSP that provides services to large businesses or research organisations (such as
universities) may be at a greater risk of espionage, sabotage or foreign interference because of the
commercial value of the information held by their clients (such as scientific research).

How do you meet your Security Obligation?

Note: a consolidated list of ways to comply with the Security Obligation is available at Appendix C.

The most effective way for C/CSPs to comply with their Security Obligation is to:
• ensure regular two-way engagement with the Critical Infrastructure Centre
• do your ‘best’
• adopt a risk-based approach to protecting networks and facilities
• demonstrate competent supervision of, and effective control over, telecommunications networks
and facilities owned or operated by the carrier or provider.

Ensure regular two-way engagement with the Critical Infrastructure Centre

Regular two-way engagement with the Critical Infrastructure Centre is an essential component of
C/CSPs ‘doing their best’, and the easiest way for C/CSPs to demonstrate that they are complying with
the Security Obligation.

Confidential, working-level engagement between C/CSPs’ technical personnel and the Centre’s analysts
underpins TSSR’s cooperative approach to security. Supported by Australia’s security agencies, the
Centre’s analysts can work with C/CSP personnel to advance commercially-minded solutions to the full
breadth of security challenges confronting Australia’s telecommunications service providers. See
Specific assistance on page 11 for further information.

Openness with the Centre about security practices and decisions, underpinned by the Centre’s
confidentiality obligations, enables C/CSPs to demonstrate that they are ‘doing their best’. This includes
where a C/CSP ‘doing its best’ is on a path to strengthen its security practices. The Centre is keen to
support these C/CSPs, and encourages them in particular to get in touch for confidential advice or
support.

__________
1 C/CSPs are already required to comply with the obligations contained in the Australian Privacy Principles (APPs) in
Schedule 1 of the Privacy Act 1988 that regulate the handling of personal information.

Do your ‘best’

Compliance with the Security Obligation requires C/CSPs to take all reasonable steps to prevent
unauthorised access and interference for the purpose of protecting the confidentiality of information and
the availability and integrity of networks.

Steps that may demonstrate a carrier, carriage service provider or carriage service intermediary is doing
its best to protect its networks and facilities from unauthorised access or interference, for the purposes of
security, include, but are not limited to:
• clearly defining the security-related roles and responsibilities of the Board, senior management and
individuals
• maintaining a security capability commensurate with the size and extent of risks from unauthorised
access or interference
• considering risks to information security, and risks to physical security, personnel security and
supply chain security
• employing sufficient competent personnel to identify, assess and manage the full breadth of risks
to security
• adopting industry best practices to protect the confidentiality, integrity and availability of systems
and data
• implementing recommended aspects of technical standards (e.g. ‘SHOULD’ aspects) that
increase security or decrease vulnerability
• addressing known vulnerabilities in systems, standards, configurations, etc.
• maintaining awareness of the threat environment
• understanding the criticality of the telecommunications services that are being supplied
• adopting policies and procedures to validate the effectiveness of security controls
• knowing the physical locations where third parties can and do deliver their services from
• knowing the physical locations and supply chains for ‘cloud services’ and other external data
storage and processing services
• maintaining awareness of who else may have access to shared facilities, such as data centres
and telephone exchanges
• engaging with Government when planning major changes to networks or facilities
• implementing and testing data and disaster recovery plans and procedures
• formalising required security, control and supervision expectations and practices with vendors,
service providers and similar third parties
• adopting change management policies and procedures that mandate consideration of the
security implications of a change and whether a change is subject to the Notification Obligation.

Implement a risk management approach

Risk management includes the principles, processes and structures that underpin the effective
management of potential opportunities and adverse effects. It is a structured approach to identifying,
assessing and controlling risks that emerge during a program or project life cycle.

Key to any risk assessment is an appreciation of how a threat or vulnerability will affect the
confidentiality of communication contained within networks and facilities, and the integrity and
availability of networks and facilities.

A risk-management approach under the TSSR framework should particularly focus on risks posed by
arrangements with suppliers (in particular managed service providers) and particular service delivery
models (i.e. outsourcing/offshoring) that can make risks more difficult to manage. For example, if a
C/CSP is using a supplier or managed service arrangement, or has outsourced elements (such as data
hosting), the C/CSP will need to consider the controls it has in place, or is proposing to put in place, to
manage who can access and control sensitive parts of the network or data.

If a C/CSP is engaging offshore arrangements, one of the key risks to consider is the legislative
environment in the offshore location and whether offshoring particular parts of their business may mean
that personal information about Australians, as well as sensitive commercial information or
communications, may have to be provided to a foreign government under a lawful request in the foreign
jurisdiction.

External assessments provide a mechanism for organisations to have their security controls
independently reviewed. Organisations can engage an appropriately qualified and/or certified individual
or company to provide an external assessment on the appropriateness and sufficiency of their security
controls.

Australian organisations can engage a Certified Information Security Registered Assessors Program
(IRAP) Assessor to conduct independent ICT assessments, identify security risks facing their
organisation and develop mitigation strategies. The IRAP is governed and administered by the Australian
Government Australian Signals Directorate (ASD).

Penetration or vulnerability testing is another option to assess the vulnerability of a service to
unauthorised access or interference. It is important that any penetration test considers both technology
and human interaction. You may wish to consider using a company approved by the Council of
Registered Ethical Security Testers (CREST) Australia. The companies that CREST certified individuals
work for have subjected themselves to audit and scrutiny by CREST Australia, and have signed up to the
CREST code of conduct.

Third party assurance may also mean implementing controls which can be tested, and, when fully
effective, provide evidence that primary information security requirements have been, or are able to be,
satisfied. The Protective Security Policy Framework (PSPF) administered by the Attorney-General’s
Department provides best practice guidance, in particular INFOSEC-4 and INFOSEC-5.

Demonstrate competent supervision and effective control

A key element of complying with the Security Obligation is ensuring that a C/CSP is able to demonstrate
that it has competent supervision and effective control of its network and facilities.

A C/CSP must demonstrate that it has processes, controls and arrangements in place to manage
who can access and use its systems, networks and communications, and how they can do so.
C/CSPs cannot delegate, or contract out of, responsibility to comply with the Security Obligation.

Competent supervision

‘Competent supervision’ refers to a C/CSP knowing and understanding what is happening with its
networks, data and facilities.

C/CSPs can demonstrate competent supervision by maintaining:
• visibility of network and facility operations
• visibility of data flow and locations
• awareness of parties with access to infrastructure
• policies and practices to detect security breaches or compromises.

Where a C/CSP uses a third party to operate, maintain or support a network or facility owned or
operated by the C/CSP, maintaining competent supervision requires the C/CSP to have mechanisms to
supervise and verify the third party’s activities and work that are independent of the third party.

A C/CSP cannot maintain competent supervision by relying solely on assurances from a third party about
what that third party is or is not doing to the C/CSP’s networks or facilities.

Effective control

‘Effective control’ refers to a C/CSP having the practical ability to take action as required to protect its
networks, data and facilities, either directly or by instructing a third party.

This would include maintaining ultimate authority over all parties with access to network infrastructure
and maintaining ultimate control over who has access to network systems, facilities, information and
access restrictions.

C/CSPs can demonstrate effective control by maintaining the ability to:
• direct actions to ensure the integrity of network operations and the security of information they
carry
• terminate contracts without penalty where there has been a security breach or data breach
reasonably attributable to the contracted services or equipment
• address issues of data sovereignty
• direct contractors to carry out mitigation or remedial actions
• oblige contractors to monitor and report breaches to the C/CSP
• re-establish the integrity of data or systems where unauthorised interference or unauthorised
access has occurred.

Effective control over networks and facilities can be maintained using appropriate contractual and legal
arrangements with third parties, but C/CSPs cannot rely solely on those arrangements to discharge their
obligation.

Where a C/CSP uses a third party to operate, maintain or support a network or facility owned or
operated by the C/CSP, maintaining effective control requires the C/CSP to retain the capacity, in
appropriate circumstances, to assert control over such networks and facilities without reliance on support
or cooperation from the third party.

Case Study – security considerations for using Software as a Service applications
Security First Telco's employees have been asking their IT Department if they can use Software as
a Service (SaaS) applications from a new provider. SaaS is a software delivery model in which
software applications are centrally hosted on vendor managed infrastructure, rather than being
installed and executed on individual customer devices.
Existing use of SaaS applications by Security First Telco's employees would be a form of 'shadow
IT', a term used to describe hardware or software that is not supported by the company's central IT
department.
Security First Telco knows there can be benefits from using SaaS applications. However, Security
First Telco knows there can be risks. These include:
• Offshore storage of information - which means that the provider is subject to the laws of another
country (which could include requirements to provide data about Security First Telco's Australian
customers to another country's government).
• Lack of visibility into the policies and processes of the provider - for example whether they
comply with Australian privacy law and implement sufficient security controls.
For this reason, Security First Telco is going to consider the following matters when deciding
whether to allow use of SaaS applications:
• Should all types of information be stored on SaaS applications?
• Will Security First Telco have visibility over the security processes used by the provider?
• Can Security First Telco verify whether the provider complies with Australian privacy laws and
standard security controls?
• Will Security First Telco have visibility over the actions and processes of the provider?
• Will Security First Telco have the ability to require the provider to put in place certain protections
(e.g. whether the contract specifies security requirements)?

A note on standards compliance and certification


No specific certification is required to comply with the Security Obligation. Conversely, certification will
not in itself establish compliance with the Security Obligation.

However, ISO/IEC 27001 certification and similar certifications (with appropriate scope) can go towards
demonstrating that a C/CSP is doing its best to protect networks and facilities it owns, operates or uses
from unauthorised interference or unauthorised access.

A list of resources to assist C/CSPs to protect networks and information is at Appendix B.

Notification Obligation

Carriers and nominated carriage service providers must notify the
Communications Access Co-ordinator of any proposed change to a
telecommunications service or system that is likely to have a material adverse
effect on their capacity to comply with the Security Obligation.

The CAC welcomes and encourages engagement with C/CSPs outside the Notification Obligation. See
page 7 for further information.

Overview of the Notification Obligation


The Notification Obligation in section 314A of the Act requires all carriers and nominated carriage service
providers (C/NCSPs) to notify the CAC of proposed changes to telecommunications services and
systems if they become aware that a proposed change is likely to have a material adverse effect on their
capacity to meet the Security Obligation.

Submitting a notification demonstrates that a C/NCSP has the capability to recognise that a proposed
change could adversely affect its capacity to protect its networks and facilities, and that the C/NCSP is
looking to make an appropriately informed decision about how best to implement that change.

Submitting a notification provides assurance to Government that a C/NCSP is doing its best to comply
with its Security Obligation. Submitting a notification is not an admission by a C/NCSP that the C/NCSP
would implement a change the C/NCSP is aware is likely to, or would, adversely affect its capacity to
protect its networks and facilities.

Notifiable changes
The scope of the Notification Obligation is limited to changes that are likely to have a material adverse
effect on the capacity of the C/NCSP to comply with the Security Obligation. A ‘material adverse effect’
includes any change which could have an actual or potential negative impact on the capacity of the
C/NCSP to comply with the Security Obligation to protect network and facilities from unauthorised
access or interference.

The CAC strongly encourages C/NCSPs to engage with the Critical Infrastructure Centre if they are
proposing to implement any change to the core or sensitive systems or services outlined on page 14, as
these changes are most likely to have a material adverse effect on the capacity of a C/NCSP to comply
with the Security Obligation.
The CAC considers that changes to a telecommunications service or a telecommunications system that
include one or more of the following features or characteristics are likely to have a ‘material adverse
effect’ and would ordinarily trigger the Notification Obligation:
• involvement of a high risk vendor2
• new access technologies
• IP core (routing or switching of traffic)
__________
2 For guidance on what constitutes a ‘high risk vendor’ see the ACSC’s Cyber Supply Chain Risk Management Practitioner
Guide, which is available from https://cyber.gov.au.

• virtualisation infrastructure, orchestrators and controllers
• internet gateways and monitoring functions
• equipment used for network interconnection
• Operations Support Systems (OSS), management and
Authentication, Authorization and Accounting (AAA) systems
• security enforcing functions or security critical functions
• backhaul transport and transmission
• mobile edge computing
• encryption or cryptographic key management
• granting privileged access to anyone not directly employed by the C/NCSP
• granting persons located outside Australia the capacity to access sensitive data about the
configuration or operation of the C/NCSP's network or services
• changing outsourcing or offshoring arrangements for the operation, maintenance and support of
telecommunications equipment, services and associated data, and network management
equipment
• procuring new telecommunications equipment or network management equipment (including
procuring equipment that will be located outside Australia), where the equipment forms or
supports sensitive parts of networks
• entering into outsourcing arrangements
- to have all or part of telecommunications services provided by a third party, or
- to have all or part of the provision of telecommunications services managed for a C/NCSP,
such as managed services for the management of all or some of the C/NCSP's
telecommunications data, or
- for the management of all or some of the C/NCSP's telecommunications data or
telecommunications network.
• changes to the offshore locations where services or functions will be undertaken or provided from
• entering into arrangements to have telecommunications information accessed by persons outside
Australia
• entering into arrangements to have all or some information or documents to which subsection
187A(1) of the Telecommunications (Interception and Access) Act 1979 applies kept outside
Australia.

The above list is not exhaustive. Please contact the Critical Infrastructure Centre if you have
questions about whether a particular change should be notified.

Non-notifiable changes
C/NCSPs do not need to submit notifications for changes that do not affect their capacity to
comply with their Security Obligation. Examples include:
• like-for-like replacement equipment
• day-to-day changes, such as routing changes or software updates
• testing or trials not connected to an Australian telecommunications network and where
protections are applied to customer data.

Note: the exception for like-for-like replacements does not apply to changes featuring a high
risk vendor.3

If a C/NCSP believes that a change is unlikely to have a material adverse effect on its capacity to meet
the Security Obligation, the C/NCSP should maintain a record of the decision not to provide the
CAC with a notification. The CAC may, during routine compliance activities, seek evidence regarding
how the C/NCSP determined the change did not have a material adverse effect.

Case Study – Which proposed changes to their systems should Security First Telco
notify?
Security First Telco is reviewing proposed changes to their telecommunications systems to decide
which changes need to be notified to Government.
Examples of changes that should be notified
After a risk assessment of options (based on the guidance in this document), they have decided
the following changes are likely to have a material adverse effect on their capacity to protect their
networks from unauthorised access and interference (i.e. espionage, sabotage and interference)
for the following reasons:
Engagement of a new billing provider
This proposal would likely involve the new billing supplier and a third party, being used by the
billing supplier, having access to Security First Telco’s sensitive customer information during the
projects and possibly after the project as part of support arrangements.
After discussing the project with Government, appropriate risk mitigation could include controlling
the access any third party company located outside of Australia may have to the personal
information and billing data for all of Security First Telco’s Australian customers.
A mobile network operator deploying Long Term Evolution (LTE) technology
A mobile network operator's plan to deploy LTE would likely mean new or upgraded equipment and
involve an equipment supplier or managed service provider having access to sensitive parts of
Security First Telco’s networks, including access to communications.
In this instance, appropriate mitigation could include ensuring adequate control and monitoring
over levels of access the equipment supplier may have, including remote access arrangements.
This would also apply if the network operator were planning to trial new equipment before
considering any tender related activity.
Engagement of an existing supplier to upgrade core routing equipment
This plan would likely require a supplier to access or install software on equipment over which a
significant proportion of the network traffic travels, including intercepted telecommunications traffic.
Appropriate mitigation could address concerns related to unauthorised access to real-time network
traffic or interception data.
Examples of changes that do not need to be notified
Through their risk assessment, Security First Telco has assessed that the following changes are
not likely to have a material adverse effect on their capacity to protect their network and therefore
do not need to be notified:
__________
3 For guidance on what constitutes a ‘high risk vendor’ see the ACSC’s Cyber Supply Chain Risk Management Practitioner
Guide, which is available from https://cyber.gov.au.

Renewal of a contract previously notified to the Government
Security First Telco advised the CAC when they first engaged this supplier to provide their data
storage solution. However, given the CAC previously advised there were no security concerns with
this supplier (because Security First Telco had built in security requirements and protections into
the original contract) there would generally be no need to notify again as there would be no change
to existing arrangements (i.e. there are no changes to the location of the data storage or
contractual requirements). However, if the threat environment has changed (for example if Security
First Telco has been advised by security agencies of new security threats) then Security First Telco
may need to notify of the renewal of a contract.
Construction of new mobile towers by Security First Telco
Security First Telco has assessed that proposed construction of further mobile towers is unlikely to
have a material adverse effect on their capacity to protect their networks from unauthorised access
and interference because they are using a standard build, which has been previously notified to
the CAC and assessed as not giving rise to security concerns.
Upgrades to the operations centre
Security First Telco is expanding and renovating their operations centre in Australia, including new
access restrictions. As there will be no substantial change to existing arrangements (in fact the
new access restrictions are likely to tighten physical and logical access and therefore will enhance
the company’s capacity to protect their network from security risks) there is no need to notify of the
changes.
Business-as-usual maintenance
Security First Telco does not need to notify of ongoing maintenance of legacy systems and
infrastructure which do not amount to substantial changes to network design, operations or service
delivery, unless a high risk vendor will be involved.

The right time to notify


The timing of notification is important. C/NCSPs are encouraged to contact the Centre before
submitting a Notification, to ensure that Notifications they submit are timely, but not premature.
C/NCSPs should notify the CAC about a proposed change before a proposal has been implemented, but
after there is sufficient information and certainty about a proposed change to identify and consider
potential security risks. For example, notification should be made before making a decision about
procurement, but after issuing a Request for Information (RFI) to vendors.
Please contact the Centre if you have questions about the best time to submit a notification. Timely
engagement with the Critical Infrastructure Centre is the surest way to avoid unanticipated delays and
complications during the notification process.

Administrative process for notifications


A standard form has been created for all C/NCSPs to notify the CAC about proposed changes. Using
this form assists the CAC to adopt a speedy and consistent approach to considering notified changes.

The TSS1 – Notification of proposed change form is available from https://cicentre.gov.au/tss/forms.

Completed forms and attachments should be submitted using the web form located at
https://cicentre.gov.au/tss-submission.

If a C/NCSP has completed its own risk assessment of a proposed change, submitting a copy of that risk
assessment with the completed notification form is strongly encouraged.

C/NCSPs are encouraged to contact the Critical Infrastructure Centre for advice before submitting their
first notification.

Corporate groups

If two or more related carriers or providers (e.g. two carriers in the same corporate group) are jointly
implementing the same proposed change, then one notification form may be submitted to the CAC on
behalf of the related carriers.

In this situation the notification must clearly identify the carriers or providers the change applies to and
the specific carriers or providers that own or operate the affected networks, systems and facilities.

Post-Notification

Following the submission of a complete notification, a C/NCSP will receive one of the following notices
from the CAC within 30 calendar days of notifying of a proposed change:
 Further information: request under subsection 314B(1) for further information about the planned
change so the Centre can assess whether there is a risk of unauthorised access to, or
interference with, telecommunications networks or facilities that would be prejudicial to security.
C/NCSPs are expected to respond to a notice requesting further information either within 30
calendar days of receipt or in a timeframe agreed with the CAC. Assessment will resume for a
further 30 calendar day period once the C/NCSP has provided the requested information.
 Risk associated: notice under subsection 314B(3) advising the C/NCSP of a risk associated
with the planned change of unauthorised access to, or interference with, telecommunications
networks or facilities that would be prejudicial to security.
A notice under subsection 314B(3) will also ordinarily list measures the CAC considers the
C/NCSP could adopt to reduce or mitigate the identified risk. The Critical Infrastructure Centre
may follow-up with C/NCSPs to confirm their response to this advice.
Where the CAC considers that further measures are necessary to manage the identified risks
associated with particularly large or complex changes, the CAC encourages a dialogue with
C/NCSPs about how best to implement necessary measures. Support is also available for
C/NCSPs proposing smaller or less complex changes who have questions about implementing
suggested measures.
The CAC recognises and appreciates that commercial concerns often underpin or influence the
approaches C/NCSPs adopt to manage risks to their networks and facilities, and that C/NCSPs
often have a deeper understanding than Government of their networks and facilities. The CAC is
happy to work with C/NCSPs to identify alternative measures to eliminate or reduce identified
risks in appropriate circumstances.
 No risk: notice under subsection 314B(5) advising that the CAC is satisfied there is not a risk
from the planned change of unauthorised access to, or interference with, telecommunications
networks or facilities that would be prejudicial to security.
The CAC’s assessment of a notified change, and any corresponding advice, is limited to risks to
security; the CAC will not consider, or advise of, other risks unless those risks intersect with risks
to security.

While the above process is premised on cooperative engagement and collaboration, in the event that a
C/NCSP refuses to provide information requested by the CAC or fails to address potential security risks,
the responsible Minister may use a direction or information gathering power.

C/NCSPs who have questions after receiving a notice are encouraged to contact the Critical
Infrastructure Centre for clarification.

Re-notification

A C/NCSP may need to submit a new notification if a previous notification no longer accurately reflects
the proposed change. For example, if a C/NCSP elects to use different vendors than was initially notified.

C/NCSPs who believe they may be affected by this requirement should contact the Critical
Infrastructure Centre for advice.

Notification exemptions
C/NCSPs may receive a full or partial exemption from their obligation to notify the CAC of proposed
changes to a telecommunications system or service.

A full exemption means the C/NCSP does not have to notify the CAC of any planned changes to
telecommunications systems or services. A partial exemption may be given in relation to certain
categories of changes or in respect of particular parts of the C/NCSP’s business.

For example, a large carrier which offers a number of different types of services, may be exempted from
providing any notifications in relation to a part of their business, but would still be required to notify of
changes to other parts of their business. The details of a partial exemption would be specified in a notice
provided to the C/NCSP.

The CAC may grant an exemption under subsections 314A(4) or (5), either on the CAC’s own initiative
or in response to a written application to the CAC using the TSS2 – Notification exemption application
form.

The CAC may also grant class exemptions on their own initiative. Class exemptions will typically relate
to particular classes of low risk service or network operator.

If a C/NCSP submits a written application, the CAC must respond within 60 calendar days by either:
 granting the exemption; or
 refusing the exemption and providing written reasons for the refusal.

A C/NCSP may apply to the Administrative Appeals Tribunal (AAT) for review of a decision by the CAC
not to grant an exemption.

Grounds for exemption

The CAC will consider applications for exemptions on a case-by-case basis, with regard to the security risk profile
of a company based on factors such as:
 advice from ASIO on the security risk profile of the C/NCSP
 the market share held by the C/NCSP
 the sensitivity of the C/NCSP’s customer base
 the criticality of the networks and services owned or operated by the C/NCSP
 the prospective regulatory burden of complying with the Notification Obligation.

The CAC will not grant unnecessary exemptions; for example, in the instance that a carrier or nominated
carriage service provider does not have obligations to notify for a particular change.

Security Capability Plans
A Security Capability Plan is essentially a bundle of notifications that the CAC must respond to within 60
calendar days (rather than 30 calendar days if individual notifications were submitted).

One Security Capability Plan may be submitted in any 12-month period to notify about one or more
proposed changes that are likely to have a material adverse effect on their capacity to meet their
Security Obligation to protect networks.

How far in advance should Security Capability Plans forecast?

The legislation does not prescribe how far in advance the plan should capture proposed changes.

However, it may not be feasible to include changes that have tight deadlines for implementation and
which require CAC consideration in less than 60 calendar days. For such proposed changes, a C/NCSP
may wish to complete a standard notification form which the CAC must respond to within 30 calendar
days (unless further information is required).

What information should be included in a security capability plan?

A Security Capability Plan may include the following five components:

 Details of one or more notifiable changes.
 A timeline setting out when the carrier or provider proposes to implement each of the changes.
 Details of the carrier or provider’s practices, policies or strategies to comply with the Security
Obligation.
 Details of the measures the carrier or provider is implementing, or proposing to implement, to
mitigate the risk of unauthorised interference with, or unauthorised access to, telecommunications
networks or facilities.
 Any other information the carrier or provider believes is relevant to assessment of the proposed
changes.

A Security Capability Plan must include the same level of detail about each proposed change as
would be required if an individual notification was submitted for each change using the TSS1 –
Notification of proposed change form. Carriers and providers submitting a Plan should complete a
separate TSS1 – Notification of proposed change form for each change notified as part of the Plan.

Carriers and nominated carriage service providers who have submitted a Plan must still submit individual
notifications if:
 the submitted Plan no longer accurately reflects a change a carrier or provider is proposing to
implement; or
 the carrier or provider proposes to implement a notifiable change not included in the Plan it
submitted.

Regulatory powers

Enforcement mechanisms are intended as a last resort to address non-cooperative conduct rather than
to penalise action and decisions taken in good faith.

Direction powers
The Minister for Home Affairs may give a C/CSP a written direction under the following circumstances:
 if the use or supply of a carriage service is prejudicial to security (s 315A)
 if there is a risk of unauthorised interference or access involving networks or facilities (s 315B)

Noting the TSSR framework is premised on cooperative engagement and collaboration, the Minister’s
direction powers are intended as a last resort to achieve compliance or address security risks.

Direction to cease use or supply of a carriage service

Section 315A provides that the Minister may issue a direction not to use or supply, or to cease using or
supplying a carriage service if:
 a person who is a C/CSP uses or supplies, or proposes to use or supply, for the person’s own
benefit, one or more carriage services; and
 the Minister, after consulting with the Prime Minister, considers the proposed use or supply would
be prejudicial to security.

Direction to do, or not do, a thing to address a risk to security

Section 315B provides that the Minister may issue a direction to a C/CSP to do, or not do, a specified act
or thing where there is a risk of unauthorised interference with or unauthorised access to, networks or
facilities that would be prejudicial to security. These include risks to the:
 confidentiality of information contained on or carried across telecommunications networks
and/or facilities;
 availability and integrity of telecommunications networks and facilities, where this would be
prejudicial to security.

Transparency and accountability measures

The Minister may only issue a direction under either section if:
 the Minister is satisfied that there is a risk of unauthorised interference with or unauthorised
access to networks or facilities that would be prejudicial to security having reference to the
meaning of ‘security’ in the Australian Security Intelligence Organisation Act 1979; and
 ASIO has made an adverse security assessment in respect of a C/CSP.

In addition, the Minister may only issue a direction under s 315B if satisfied that all reasonable steps
have been taken to negotiate, in good faith, with the C/CSP to achieve an outcome of eliminating or
reducing the security risk.

Before giving a s 315B direction, the Minister must also consider a range of other matters including, but
not limited to:
 an adverse security assessment by ASIO;
 the costs, in complying with any direction, that would be likely to be incurred by the C/CSP; and
 the potential consequences that any direction may have on competition in the
telecommunications industry, as well as customers of the C/CSP.

The requirement to have regard to these matters is intended to ensure that a direction is proportionate
and reasonable and does not have an unnecessarily negative effect on the C/CSP’s business, or impede
market innovation and competition.

Consultation

Before giving a C/CSP either direction the Minister must consult with the Minister administering the Act,
and provide the C/CSP an opportunity to make representations in relation to the proposed direction.

Where the Minister is considering issuing a s 315A direction, the Minister must also consult with the
Prime Minister.

Where the Minister is considering issuing a s 315B direction, the Minister must also provide the C/CSP
with a written notice setting out the proposed direction and invite the C/CSP to make written
representations to the Minister in relation to the proposed direction, and have regard to any
representations made.

If the Minister gives a C/CSP either direction, the Minister must provide a copy of the direction to the
Australian Communications and Media Authority (ACMA).

Information gathering power


Section 315C of the Act enables the Secretary of the Department of Home Affairs (or the Director-General
of Security, ASIO, if authorised) to request information or documents from a C/CSP for the purpose of
assessing compliance with the Security Obligation.

This provision is necessary to ensure that the Government can access the relevant information needed
to make an assessment regarding the C/CSP’s compliance with its obligations and to assess the risk to
security. To ensure the relevant information is accessible, section 315D removes the privilege against
self-incrimination; a C/CSP cannot refuse to comply with a direction on the grounds it may incriminate a
person or expose the person to a penalty.

The information-gathering power is intended to be used as a last resort, or in circumstances where a
C/CSP considers it is restrained from sharing information for contractual or other legal reasons, or for
some other reason refuses to cooperate.

Transparency and accountability measures

Information that can be requested is limited to material relevant to monitoring compliance with the
Security Obligation.

The Secretary must have regard to the costs for the C/CSP in complying with any requirement in the
notice that would be likely to be incurred by the C/CSP.

In practice, the CAC will engage the C/CSP prior to issuing a notice to discuss the terms of the notice.
The purpose of this discussion will be to ensure the notice targets the information sought and does not
put the C/CSP to unnecessary expense.

There may be circumstances where it is not feasible or necessary to engage the C/CSP prior to issuing
the notice. A failure to engage or consult does not affect the validity of the notice as it is not a
pre-condition for issuing the notice.

Written notice

A formal notice requesting information and/or documents must be made by written notice and include:
 the timeframe for the provision of the information;
 the form in which the C/CSP is required to provide/produce the information or documents; and
 an outline of the effect of provisions relevant to C/CSPs concerning compliance with the Act and
offences under the Criminal Code for providing false or misleading information.

This ensures C/CSPs understand the consequences of failure to comply with a notice issued under
section 315C, including the criminal consequences for providing misleading or false information.

Glossary
This glossary describes key terms used in these guidelines; the descriptions are not intended to be legal
definitions. The descriptions are also specific to these guidelines only and should not be relied upon in
other contexts.

Availability: Availability is about ensuring that authorised users have access to information,
communications and telecommunications networks and facilities when required. An example where
networks and facilities are not available would be a denial-of-service attack which prevents the
ordinary functioning of the service, which could have serious economic, social or other consequences
(particularly in an emergency).

Carrier: A carrier is defined in the Telecommunications Act 1997 to mean the holder of a carrier
licence.

Carriage service provider: A carriage service provider (CSP) is defined by the Telecommunications
Act 1997 to be a person who supplies, or proposes to supply, a listed carriage service to the public
using:
 a network unit owned by one or more carriers, or
 a network unit in relation to which a nominated carrier declaration is in force.
A CSP may include an international CSP, a secondary user of an exempt network unit, an intermediary
and a specified person declared by the Minister as a CSP.

Carriage service intermediary: A carriage service intermediary (CSI) is defined in the
Telecommunications Act 1997 as a person who is a carriage service provider under subsection 87(5) of
that Act. To summarise, carriage service intermediaries are middle persons that arrange the supply of
a service between carriage service providers and customers, for reward.

Communications Access Co-ordinator: The Communications Access Co-ordinator (CAC) is a role
established under section 6R of the Telecommunications (Interception and Access) Act 1979 and
performed in the Department of Home Affairs.

Confidentiality: Confidentiality under subsections 313(1A) and (2A) of the Telecommunications Act
1997 relates to the obligations to protect information and communication from unauthorised access or
unauthorised interference for the purpose of security.

Nominated carriage service provider: A carriage service provider covered by a declaration in force
under subsection 197(4) of the Telecommunications (Interception and Access) Act 1979.

Telecommunications service: Telecommunications service is defined in the Telecommunications
(Interception and Access) Act 1979 as a service for carrying communications by means of guided or
unguided electromagnetic energy or both, being a service the use of which enables communications to
be carried over a telecommunications system operated by a carrier but not being a service for carrying
communications solely by means of radio communication.

Telecommunications system: Telecommunications system is defined in the Telecommunications
(Interception and Access) Act 1979 as
(a) a telecommunications network that is within Australia; or
(b) a telecommunications network that is partly within Australia, but only to the extent that the
network is within Australia;
and includes equipment, a line or other facility that is connected to such a network and is within
Australia.

List of acronyms
ACORN Australian Cybercrime Online Reporting Network

ACSC Australian Cyber Security Centre

ASIO Australian Security Intelligence Organisation

AAT Administrative Appeals Tribunal

BSS Business Support Systems

CAC Communications Access Co-ordinator

C/CSP Carrier, carriage service provider or carriage service intermediary

C/NCSP Carrier or nominated carriage service provider

CREST Council of Registered Ethical Security Testers

CSG TISN Communications Sector Group

CSI Carriage service intermediary

CSP Carriage service provider

DIO Defence Intelligence Organisation

EPC Evolved Packet Core

HLR/HSS Home Location Register

IRAP International Road Assessment Programme

ISO International Organization for Standardization

NOC Network Operations Centre

OAIC Office of the Australian Information Commissioner

OSS Operations Support Systems

OTT Over the top

PSPF Protective Security Policy Framework

SOC Security Operations Centres

TISN Trusted Information Sharing Network

TSSR Telecommunications Sector Security Reforms

VMS Voice Mail Systems

Appendices

Notification process chart

Resources to help you meet your national Security Obligation
The following resources may assist with compliance with the Security Obligation.
 AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines deals with risk generally.
 ISO 27001:2013 Information security management helps organisations keep information assets
secure.
 The International Telecommunications Union Recommendation X.1051 Information technology –
Security techniques – Information security management guidelines for telecommunications
organizations based on ISO/IEC 27002⁴ provides guidance on information security management in
telecommunications organisations.
 The Australian Signals Directorate:
– Information Security Manual⁵ is the standard for the security of government ICT systems
– Cloud Computing Security⁶ can help businesses perform a risk assessment and use cloud
services securely
 Strategies to Mitigate Targeted Cyber Intrusions⁷ provides information about how organisations can
select the best mitigation strategies for their requirements.
 The Protective Security Policy Framework outlines a range of information for effectively managing
protective security risk, including controls. Information can be found at
www.protectivesecurity.gov.au.
 The Australian Communications and Media Authority publishes information about legal obligations
on C/CSPs. This information can be accessed at www.acma.gov.au under ‘law enforcement’.

The United Kingdom Cyber Essentials Scheme: Requirements for basic technical protection from
cyber-attacks is an accessible guide for organisations of all sizes to mitigating the most common
internet based threats to cyber security.⁸

The United Kingdom National Cyber Security Centre, Cloud Security Collection is a comprehensive suite of
documents to assist organisations in how to configure, deploy and use cloud services securely.⁹

The United States National Institute of Standards and Technology (NIST) Framework for Improving Critical
Infrastructure Cybersecurity¹⁰ includes standards, guidelines, and practices to help owners and operators of
critical infrastructure to manage cybersecurity-related risk. It can help organisations determine their current
cybersecurity capabilities, set goals for a target level of cyber resilience and establish a plan to improve and
maintain cybersecurity.

Further assistance can be obtained from other non-government sources such as:
 MITRE Common Vulnerabilities and Exposures (CVE)
 MITRE Adversarial Tactics, Technologies & Common Knowledge (ATT&CK)
 NIST Computer Security Resource Centre (CSRC)

__________
4 Available at www.itu.int/rec/T-REC-X.1051
5 Available at www.asd.gov.au/infosec/ism/
6 Available at http://www.asd.gov.au/infosec/cloudsecurity.htm
7 Available at www.asd.gov.au/infosec/mitigationstrategies.htm
8 Further information is available at www.gov.uk/.
9 Available at www.ncsc.gov.uk/guidance/cloud-security-collection
10 Further information is available at www.nist.gov/cyberframework/

Checklists
The following ‘checklists’ are excerpted from the main body of this document to assist C/CSPs incorporate
TSSR into their internal processes and procedures.

Ways to meet your Security Obligation

These are examples of the ways that C/CSPs can meet their Security Obligation:

 Ensure regular two-way engagement with the Critical Infrastructure Centre
 Implement a risk management approach that considers how a threat or vulnerability will affect the
confidentiality of communications carried across, and information contained on, networks and
facilities, and the integrity and availability of networks and facilities
 Clearly define the security-related roles and responsibilities of the Board, senior management and
individuals
 Maintain a security capability commensurate with the size and extent of risks from unauthorised
access or interference
 Consider risks to information security
 Consider risks to physical security
 Consider risks to personnel security
 Consider risks to supply chain security
 Employ sufficient competent personnel to identify, assess and manage the full breadth of risks to
security
 Adopt industry best practices to protect the confidentiality, integrity and availability of systems and
data
 Implement recommended aspects of technical standards (e.g. ‘SHOULD’ aspects) that increase
security or decrease vulnerability
 Address known vulnerabilities in systems, standards, configurations, etc.
 Maintain awareness of the threat environment
 Understand the criticality of the telecommunications services that are being supplied
 Adopt policies and procedures to validate the effectiveness of security controls
 Know the physical locations where third parties can and do deliver their services from
 Know the physical locations and supply chains for ‘cloud services’ and other external data storage
and processing services
 Maintain awareness of who else may have access to shared facilities, such as data centres and
telephone exchanges
 Engage with Government when planning major changes to networks or facilities
 Implement and test data and disaster recovery plans and procedures
 Formalise required security, control and supervision expectations and practices with vendors,
service providers and similar third parties
 Adopt change management policies and procedures that mandate consideration of the security
implications of a change and whether a change is subject to the Notification Obligation

 Know, and understand, what is happening with your networks, data and facilities
 Have the practical ability to take action as required to protect your networks, data and facilities,
either directly or by instructing a third party.

Sensitive functions and facilities

These are examples of the telecommunications functions and facilities that are generally considered most
sensitive:

 Network Operations Centres (NOCs)
 Security Operations Centres (SOCs)
 Lawful Interception (LI) equipment, records and roles
 Parts of networks that manage or store an aggregate of information
 Databases that store data in bulk, such as call records or network traffic data
 Operations Support Systems (OSS), or Business Support Systems (BSS) and other forms of
business customer databases
 Areas of the network which store authentication credentials & encryption keys
 Evolved Packet Core (EPC) and the Home Location Register (HLR/HSS) in mobile networks
 IP core (routing or switching of traffic)
 Virtualisation infrastructure, orchestrators and controllers
 Internet gateways and monitoring functions
 Backhaul transport and transmission
 Places where privileged user credentials regarding the network and support systems themselves
are stored and audit and oversight controls are retained.
 Points of interconnection or intersection with other networks, and other areas over which a
significant proportion of the traffic on the network travels, in each case where the volume of traffic
is, in absolute terms, 15% or greater of the total traffic travelling over the network
 Security and access control systems and appliances.
