TIA: Securing the Connected World

View This Article in BOSS Magazine

Developing the first global quality and security standards for ICT is a hallmark achievement for the Telecommunications Industry Association

For over 90 years the Telecommunication Industry Association has worked to strengthen and improve information communications technology (ICT) and serve consumers in businesses across the globe. Drawing on a far-reaching and dynamic ecosystem of international manufacturers and suppliers, network operators, service providers, and others, the association has created enduring ICT best practices and thousands of standards to drive the industry forward.

As technological advancements bring a host of sophisticated challenges to the connected world, TIA QuEST Forum brings together the best and brightest business leaders and thinkers to drive the highest levels of security, quality, and sustainability in ICT.

The association’s quality mandate is a direct descendant of the total quality management philosophy that demonstrated that quality work can result in cost improvements, improved product quality, and fewer failures. “Fewer failures mean you save money, and a more reliable product means you keep customers happier,” said Dave Stehlin, the association’s CEO. “That whole methodology and concept is what QuEST Forum is all about.”

TIA QuEST Forum’s Business Performance Community, which centers on process improvement, works with TIA members and participants to develop processes and certifiable standards that ensure the triple goal is consistently achieved. The standards are intended to improve technical efficacy and enhance products, systems, and networks.

“The important distinction is that they are certifiable,” Mike Regan, TIA’s VP of Business Performance, told BOSS. Independent, accredited third-party auditors work with organizations seeking certification to determine their conformance to these standards, unlike organizations that self-assess in something of a standards honor system.

Certification is a compelling value add for TIA members. “Anyone that gets certified has a level of credibility differentiation in their own industry,” Regan said. “When they compete against others that may not be, they are viewed as a more reliable and credible supplier to the people consuming their products and services.”

TIA views security as a subset of quality. “You can’t have a quality product or quality network unless it's secure,” Stehlin said. “As more and more elements get connected, and to what truly is a global network, from devices in our homes to businesses to utilities and infrastructure to government locations, security is of the utmost importance.”

Where no one has gone before

TIA QuEST Forum recently released SCS 9001, the first ICT-specific supply chain security standard, which is also “a complete supply chain security management system that verifies trusted ICT providers and suppliers for businesses, governments and consumers,” according to the association.

SCS 9001 provides guidance for secure software development, validation methods for ensuring software ID and source traceability, product security, and governmental requirements on source of origin and transparency of internal controls.

Trust is a major factor in SCS 9001. Suppliers that meet the standard prove that they are trustworthy and aligned with its security mandates. “Our goals are about building trust amongst our members, in the industry as a whole, and the governments we interface with,” Stehlin stressed. “Trust is extremely critical to moving any intention forward.”

In the run-up to the standard’s creation, TIA studied all the security-related standards made by governments and industries outside of telecommunications. “We realized that there was no standard specifically for the telecom space, nothing for ICT,” Stehlin said. “There are generic security standards out there, but nothing that's tailored for this unique world that we’re in.”

The QuEST Forum Supply Chain Security Working Group curated the most effective standards and integrated them into what would become SCS 9001, adding a layer of investigational scrutiny to determine suppliers’ trustworthiness, including how the company is governed and by whom, if they are unduly influenced by a government, and other significant measures. Suppliers seeking certification must also answer development-related security questions, including the origins of software and hardware.

“Security has to be considered for the entire product life cycle, from conception right through to delivery and during the lifetime of the products in live production networks, and not something that can be simply tested at the end of the development cycle,” Regan explained.

Today's modern communications products contain tens of millions of lines of executable code, some of which may be open source. The versatility and accessibility that defines open source also contains a high element of risk. Regan pointed out that manufacturers using open-source code have an obligation to track every open-source component and their respective road maps, to assure customers that they are shielded from any new vulnerabilities that have emerged since the code was written.

“A supply chain security standard makes sense because it applies to many industries, products, and technologies. It’s not just a traditional telecom switch; it's all the devices that are going to connect to a network of any type through a public network,” Regan asserted. “Whether we're going through a private network, government network, or an enterprise cloud network, it touches everything.”

The association is a strong proponent of global standards set by the industry. As such, TIA works with ISO, as well as ITU, the United Nations specialized agency for information and communication technologies. They also have close ties to ANSI, the American National Standards Institute. Stehlin is a member of the ANSI board of directors.

The project, which started in 2019, took two full calendar years to complete. A team of approximately 75 to 80 volunteers with expertise in security, network architecture, procurement, hardware, and software development focused on specific elements of the standard.

Unlike a technical standard that establishes uniform engineering or technical specifications for developing products and solutions, SCS 9001 is a process-based standard. Processes require measures with specific targets to determine whether the process is achieving its goals. If a supplier is not meeting the targets, action is required, which results in continual improvement. “Bringing this QMS component into security and supply chain management is unique and emphasizes our appreciation that security is a critical element of quality,” Regan added.

Benchmarking is an important and unique aspect of SCS 9001. Every quarter, companies certified to the standard must submit information about their performance against certain controls, this data is anonymized, aggregated, and then published to the broader participant base who can use the data to understand how they stack up versus the industry. “Benchmarking drives continuous improvement, which in turn makes for more secure products and lowers cost,” Stehlin said.

“Technologies have advanced a great deal in the past 30 years and will continue to advance. We are so connected now, but you can imagine that in the next 20 or 30 years we’ll be significantly more connected, which is great on one side but risky on the other,” he added. “We're working very hard with our members to solve this massive security problem and quality problem across all industries.”