
DZS (US) goes bust - the implications for UK telecoms providers

  • Writer: Ian Hill
  • Mar 19

Updated: Apr 7

Last week saw U.S.-based telecommunications hardware and services vendor DZS file for Chapter 7 protection and start the liquidation process (DZS files for chapter 7 protection - DZS). DZS manufacture and distribute critical end-to-end hardware in the telecoms space, including CPE, ONTs, OLTs, aggregate switches, DSLAMs, DWDM kit etc. They also offer cloud-based SDN, SaaS and managed services.


If you are a UK provider who has put all your eggs (or even some of them) into this basket, no doubt you are having an ‘oh shit!’ moment. At the time of filing, all DZS U.S. operations ceased, and their employees were terminated. At this stage, it’s difficult to see what will happen with their UK subsidiary; however, the company did state: "Subsidiaries and affiliates outside of the United States will experience near term business disruption with day-to-day operations, which will include various IT (i.e., outlook/email), and other software programs."

DZS U.S. based telecommunications hardware vendor files for chapter 7 protection

For UK providers, critical telecoms transmission kit no longer being manufactured and supported, along with any dependencies on SaaS or managed services in relation to the supply of PECS/PECN, also puts them at risk of falling foul of the Telecommunications (Security) Act 2021 (TSA), the associated Electronic Communications (Security Measures) Regulations 2022 (ECR), and not least, the requirements of the Telecommunications Security Code of Practice (CoP) measures.


While the TSA is primarily about security, it's also about resilience, and the definition of a ‘security compromise’ also includes ‘resilience incidents’, as per TSA Section 105A(2)(a) and (d), as conveniently translated by Ofcom’s ‘Network and Service Resilience Guidance for Communications Providers’, which states:


A security compromise includes “anything that compromises the availability, performance or functionality” of networks and services, and “anything that causes signals conveyed by means of the network or service to be lost”.


For telcos heavily reliant on DZS equipment and services, the risk of a ‘resilience incident’ increases, especially if they haven’t the in-house expertise or access to spares. I can imagine some of them are now scrabbling around trying to find out what DZS kit they have where, even though from a TSA perspective they are supposed to already be keeping a detailed asset inventory of what's where, with ECR 6(4) requiring that:


"A network provider or service provider must record the type, location, software and hardware information and identifying information of equipment supplied by the network provider or service provider which is used or intended to be used as part of the public electronic communications network or public electronic communications service."


This is supported by CoP Measure 8.05 which states:


"Providers shall record all equipment deployed in their networks, and proactively assess, at least once a year, their exposure should the third party supplier be unable to continue to support that equipment."


(thanks to Des Ward for pointing this one out)
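As an added illustration (not from the original post or from any regulator's tooling), here is a minimal supplier-exposure check over an inventory that holds the ECR 6(4) fields, of the kind the annual assessment in Measure 8.05 calls for. The field names, the `HARD_TO_SWAP` set, the `exposed_edge` flag and the sample records are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: equipment classes treated as hard to replace (access/aggregation/core).
HARD_TO_SWAP = {"OLT", "DSLAM", "AGG_SWITCH", "DWDM"}

@dataclass(frozen=True)
class Asset:
    # Fields follow ECR 6(4): type, location, software/hardware info, identifier.
    asset_id: str
    supplier: str
    equip_type: str
    location: str
    hw_model: str
    sw_version: str
    exposed_edge: bool = False  # assumption: the inventory tracks an exposed-edge flag

def supplier_exposure(inventory, supplier):
    """Summarise exposure should `supplier` be unable to support its equipment."""
    mine = [a for a in inventory if a.supplier == supplier]
    # For each (location, type), collect every supplier providing that function there.
    suppliers_at = defaultdict(set)
    for a in inventory:
        suppliers_at[(a.location, a.equip_type)].add(a.supplier)
    # Sites where the failed supplier is the only source of a hard-to-swap function.
    sole_source = sorted(
        key for key, names in suppliers_at.items()
        if names == {supplier} and key[1] in HARD_TO_SWAP
    )
    return {
        "units_by_type": dict(Counter(a.equip_type for a in mine)),
        "sole_source_sites": sole_source,
        "exposed_edge_ids": sorted(a.asset_id for a in mine if a.exposed_edge),
        "sw_versions": sorted({(a.hw_model, a.sw_version) for a in mine}),
    }

# Constructed sample inventory; suppliers, models and versions are placeholders.
INVENTORY = [
    Asset("olt-001", "VendorA", "OLT", "Exchange-North", "model-x", "1.0"),
    Asset("olt-002", "VendorA", "OLT", "Exchange-South", "model-x", "1.1"),
    Asset("olt-003", "VendorB", "OLT", "Exchange-South", "model-y", "7.2"),
    Asset("cpe-101", "VendorA", "CPE", "Customer", "model-c", "3.4", exposed_edge=True),
    Asset("cpe-102", "VendorB", "CPE", "Customer", "model-d", "2.0", exposed_edge=True),
    Asset("agg-201", "VendorA", "AGG_SWITCH", "Exchange-North", "model-s", "5.5"),
]

if __name__ == "__main__":
    for key, value in supplier_exposure(INVENTORY, "VendorA").items():
        print(key, value)
```

The `sole_source_sites` list is where the spares and re-architecture planning starts; `exposed_edge_ids` and `sw_versions` are the records needed when a vulnerability appears and no vendor patch will follow.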


A more specific example relates to CPE, with CoP Measure 9.02 stating:


“The provider shall ensure that all CPE provided to customers are still supported by the network equipment supplier. For any provider‑provided CPE that go out of third party supplier support, customers shall be informed prior to, and once the equipment goes out of support, and proactively offered a replacement as soon as reasonably practicable. This shall apply only whilst the provider provides the associated service.”


Admittedly, the CoP measures are only mandatory for Tier 1 and Tier 2 providers; however, the principle is that having huge numbers of no longer supported CPE out in the field represents a serious risk to any provider. In most cases, while costly and seriously inconvenient, CPE is relatively straightforward to swap out for another vendor’s equivalent. The real headache comes with the access/aggregation/core networking equipment. OLTs, DSLAMs and the like are fundamental components within the overall architectural design and operation of the network. Swapping from one vendor to another is likely to require some serious consideration, and probably a certain amount of re-architecture, and of course will come at a huge unbudgeted cost (I could retire on the same money as the cost of just one fully populated high spec Nokia or Adtran OLT).


From a regulatory perspective, providers are expected to have some sort of contingency in place for such an event, as ECR 7(5) helpfully points out:


(5) A network provider must—

(a) ensure that there is in place at all times a written plan to maintain the normal operation of the public electronic communications network in the event that the supply, provision or making available of goods, services or facilities by a third party supplier is interrupted, and

(b) review that plan on a regular basis.


Remember that the ECR applies to all providers of PECN/PECS, including Tier 3s.

The likes of DZS going bust may not have an immediate impact on a telecom provider's service (unless its operation relies on DZS’s managed or SDN/SaaS services), but it will quickly become a problem if a telco relies heavily on DZS for technical support services, most likely when spare or new cards are needed, or something serious breaks. There is also the issue that patches and updates will no longer be made available, so should a critical and exploitable vulnerability be found within, say, ‘exposed edge’ equipment, providers will need to come up with some sort of ‘alternative mitigation’ rather sharpish, as required by CoP Measure M10.52.


Within the CoP, 80 of the measures (almost a third) are third-party supplier measures (M4, M8, M10 & M14) underpinned by ECR Regulation 7 (CoP Section 2 SubSection 6), and supported by the NCSC’s Vendor Security Assessment (VSA) guidelines. What this means is that any Tier 1 & 2 telcos exposed to DZS’s demise will need to come up with an action plan to reassess not only their operational and security risk exposure, but also their exposure to the requirements of the TSA and associated regulations. Likewise, from a CoP perspective, any Tier 3 providers that are using DZS kit to provide ECN/ECS to higher tiers will also come within the crosshairs of the higher tiers' regulatory requirements.


It's too early to say what will happen to DZS at the moment, but looking at the wording in their official press release, while they are hopeful that their technology will be acquired, industry analyst assessments are not so optimistic, so UK telcos who rely on their kit and services will need to start making plans immediately.

 
 