network resilience and security: challenges and measures · 2017-10-03 · network resilience and...
TRANSCRIPT
Network Resilience and Security:
Challenges and Measures
Report of the ENISA Virtual Working Group on
Network Providers’ Resilience Measures
December 2009
Page ii
Change History
Version Date Editor Description
1.0 22/12/2009 ENISA - Initial Release. Based on 4.6.1-proof-read + comments 4.6.3
Page iii
Virtual working group members
Carpio, Manuel Telefonica, Spain
Chataignon, Jean-Luc FT-Orange, France
Clarke, Dave Telefónica O2, UK
Constantin, Daniel SC Romtelecom SA, Romania
De Lutiis, Paolo Telecom Italia, Italy
Gomez, Juan Carlos Telefonica, Spain
Lockwood, Shaun BT,UK
Markoulidakis, Yannis Vodafone, Greece
Stevens, Joe Interoute, Czech Republic
Strakadounas, Kostas Forthnet, Greece
Tinguely, Nicolas Swisscom, Switzerland
Van Leeuwen, John KPN, The Netherlands
ENISA Secretariat:
Koutsouris, Charalampos
Dr. Marinos, Louis
Page iv
Table of Contents
Executive summary .............................................................................................................................. 1
Goals and target audience ................................................................................................................... 3
1. Introduction ................................................................................................................................ 5
Definitions used in this work ................................................................................................................ 6
Abbreviations ....................................................................................................................................... 7
Problem statement............................................................................................................................... 7
Scope, objectives and outcomes ........................................................................................................ 10
Approach ............................................................................................................................................ 11
How to use this document ................................................................................................................. 12
2. Public communication network challenges and counter-measures ......................................... 14
About the measure ratings ................................................................................................................. 15
3. Infrastructure challenges .......................................................................................................... 17
Infrastructure challenges: measures .................................................................................................. 19
4. Technology platform challenges ............................................................................................... 25
Technology platform challenge: measures ........................................................................................ 27
6. Operational process and people challenges ............................................................................. 32
Operations challenges: measures ...................................................................................................... 33
7. Organisational continuity challenges ........................................................................................ 37
Organisational continuity: measures ................................................................................................. 39
8. Commercial challenges ............................................................................................................. 46
Commercial challenges: measures ..................................................................................................... 48
9. Regulatory challenges ............................................................................................................... 52
Regulatory challenges: measures ....................................................................................................... 52
10. Conclusions ............................................................................................................................... 53
Annex A: Measures ratings ................................................................................................................. 56
Annex B: EU / Member State level measures .................................................................................... 60
Page v
Annex C: Mapping Measures to Challenges ....................................................................................... 61
Annex D: Mapping Threats to Challenges .......................................................................................... 67
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 1
Executive summary The lengthy experience of telecom operators has indicated that certain processes and measures
associated with resilience, business continuity and security are mandatory for ensuring appropriate
levels of performance in business operations. All operators agree that these topics are very wide
ranging and that their application should match the nature of each particular operator and local
market conditions. In addition, any investment associated with these topics has an immediate
negative impact on profits and yet it is uncertain as to how, or if, a return on investment (ROI) can
be achieved. Thus, it is difficult for operators to assess the appropriate level of effort and cost that
should be allocated to these matters.
As a result, a wide variety of practices are applied by operators in terms of processes, organizational
structures, design principles and investments. In an attempt to provide a contribution on this
matter, ENISA established a virtual working group (VWG), consisting of representatives from various
European telecom operators, to undertake the task of elaborating on resilience, business continuity
and security issues.
The VWG has identified key challenges in the area of resilience which are common to most
operators. Relevant measures and, where possible, applied practices to counter these challenges
have also been provided. Key challenges were identified in the areas of infrastructures, technology
platforms, operational processes and people, and organisational continuity, as well as commercial
and regulatory challenges.
Members of the group have provided perceived ratings1, based on their experience, on the effort,
cost and time needed to implement the proposed counter-measures. These measures are relevant
both for authorities who need to implement supportive actions for resilience and for the network
providers who are aiming to align their approaches with the suggestions elaborated by the group.
In brief, the identified challenges and related counter-measures are as follows:
Infrastructures face challenges from increased density, limited diversity and in some cases capacity,
while increased shared risk highlights the importance of management and maintenance induced
vulnerabilities. Related counter-measures include:
transparency of shared physical infrastructures and identification of critical parts;
interconnection and peering, good practices for operation and maintenance;
defined responsibilities for shared infrastructure management;
shared infrastructure or co-location – development of resilience ratings and KPIs.
Technology platforms and innovation by the vendors is what produces evolution. However, late
standardisation and testing, integration mismatches, retrofitting functionality to protocols and
inherent security limitations in the protocols are examples of the challenges to be faced in this area.
Related counter-measures include:
1 The ratings and status of measures are average figures based on experts’ perception and don't reflect the
individual opinion of their organisations.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 2
availability of resilience, business continuity, risk management and information security skills
within new project teams;
delivery of risk assessment information and risk mitigation practices for new deployments by
vendors;
platform deployment, including incident detection and incident management functions.
Operational processes and people need to adapt to complexity and to achieve the integration of
technology and processes. In the meantime, error probability and recovery times increase and are
further affected by the learning curve of personnel. Processes are not performing well when inter-
dependencies call for collaboration across organisational or country borders. At the same time,
networks are exposed to a larger variety of threats with potentially cascading impacts. Related
counter-measures include:
uptake and use of existing standards and best practices;
assigning high priority and specific resources to the detection and mitigation of cyber–
threats;
routinely collecting and analysing measurements for indicators of resilience and acting upon
them.
Organisational continuity is challenged by emerging threats that stress the pro-activeness of
organisations and their capacity to align practices with policies in a timely manner. At the same time
the resilience of public communications networks requires enlarging the scope of continuity beyond
the borders of a single organisation. Thus, coordination and the relevant costs have to be taken up
by authorities. However, at the moment, neither customers nor authorities can describe adequately
their needs or assess their fulfilment. At the same time, commercial limitations confine business
continuity exercises to desktop exercises or procedural testing, thus ensuring that the validity of
business continuity plans is also limited. Relevant counter-measures include:
establishment of a crisis incident management organisation;
establishment of ownership for the components of critical infrastructure and maintenance of
permanent trustworthy communication channels;
making responsibilities for resilience an inherent part of professional behaviour and societal
responsibility;
creating an extroversive attitude to incident response for high magnitude incidents (eg,
through cross-sector communication and structures for coordination and collaboration);
development of exercise tactics for business continuity that will increase trust in a minimal
probability of failure due to technology or people.
Commercial and regulatory challenges limit the capacity of network providers to invest in and
achieve higher levels of resilience in their networks. Currently, customer spending on resilience is
limited and network providers have no way to establish the actual ROI of their investments. Due to
customer demand, time to market and budgetary pressures, outsourcing contracts and SLAs are
increasing, thus making the establishment of due diligence a difficult task. Moreover, virtual mobile
network operators (VMNOs) are also pressed by higher budget limitations and resilience spending
may be questioned even more. At the same time, the lack of harmonisation in regulations obstructs
standardisation which is a primary need for building resilient networks. Relevant counter-measures
include:
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 3
establishment of criteria (qualitative and quantitative) for the measurement of resilience;
generation of a flexible operational framework for data collection on the performance of
resilience measures and the enablement of confidential benchmarking exercises;
restricting outsourcing to the ‘do’ or (eventually) ‘act’ dimensions, with ‘plan’ and ‘check’
steering the activities performed within the company;
defining third-party responsibilities for security and resilience in SLAs;
promotion by network providers of complementary regulatory initiatives to support and
encourage collective measures for resilience.
National and EU authority measures
Finally, the group identified a number of counter-measures that should be considered in terms of
national and EU-wide initiatives to coordinate resilience activities, including:
pan-European coordination for cross-border risks;
collaboration with national authorities for the protection of critical infrastructure;
promotion of regulatory initiatives that complement, support and encourage the
organisation of resilience measures;
EU-wide monitoring and early warning systems on external threats;
establishment or participation in national infrastructure emergency plans;
creating a voluntary ‘virtual’ database of cable infrastructure to protect against accidents
during digging works;
identification of the levels of resilience required in critical infrastructures;
infrastructure interdependencies – focusing on identifying practical issues and the mitigation
of risk;
tracking the exposures of technology platforms and mitigating them at the EU level;
tracking disruptions to infrastructure and utilities at the EU or national levels;
having regulators check the availability of necessary functions at the level of VMNOs in order
to provide resilience measures.
The challenges and counter-measures discussed can play an important role in shaping a picture of
the hurdles all network operators, regardless of their size and maturity, will have to face in several
cases. The proposed measure ratings can help resilience managers in network providers to
understand trends in the mitigation towards resiliency. When combined with the targets for
resilience presented in this work, this information can set the first level vision for resilience in public
communication networks. Further elaboration of the information provided can be the starting point
for forming a constructive agenda for collaboration between public and private stakeholders in the
area of resilience.
Goals and target audience
This document is intended for two categories of stakeholders in the resilience of public
communications networks. The first category consists of the decision-makers and resilience
managers of telecommunication organisations and Internet service providers (ISPs). This work can
be leveraged to compare and, if desired, to update their internal approaches to resilience with the
information provided by the experts of this working group. Ideally, the stakeholders will contribute
their experiences by providing feedback on this document and enriching areas where they can see a
potential for improvement.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 4
The second category of stakeholders consists of policy-makers in the EU and Member States. This
stakeholder group has the opportunity to understand the perspectives of the industry on the
challenges to resilience and the current and future measures seen as appropriate for mitigating
these challenges. Measures that require an EU-wide approach and that can benefit from a broad
public and private partnership at the EU level are especially relevant to this group of stakeholders.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 5
1. Introduction Telecommunication networks and information systems are an essential factor in economic and social
development. Computing and networking are now ubiquitous utilities, similar to the supply of
electricity, transport or water. At the same time the convergence of communication networks,
media, content, services and devices is growing, increasing the European Union's dependency on
these communications networks and the supporting infrastructure and technologies that sustain
them.
As a consequence, the telecommunications infrastructures constitute vital infrastructure and
communications platforms for Europe's citizens, corporations, industry and governments. A brief
review of the critical infrastructure sectors in the EU that have already been identified2 reveals the
extent of dependency (and in many cases interdependency) between industry sectors and the
communication networks.
ICT systems, such as SCADA and process control systems in the critical industry sectors of energy,
water, food, chemical and nuclear industries, demonstrate a vital dependency on resilient
communication networks. Financial and medical services require the timely exchange of information
for the execution of critical processing that may affect economic welfare and the protection of
human life. Terrestrial transport networks depend on communication networks to facilitate public
transport and the logistics of critical services for EU citizens. Air traffic control and tourism would not
function should communications networks be disrupted. Public order and emergency services
require communications to protect public welfare, as do national and local governments to maintain
order and administer government services for citizens. Any extended disruption to the
communications networks providing telephony and Internet services would result in civil unrest and
endanger the public welfare.
While in a person’s mind the communications network may seem to be just a single entity, in reality,
especially since the deregulation of communications, more and more telecommunication
organizations are part of the puzzle of the communications infrastructure both in the EU and
globally. What used to be a network owned by public entities is now owned mostly by private
companies, yet it is considered a public communications network. EU regulations recognise this
complexity in today’s communication networks and define a public communications network as ’an
electronic communications network that offers publicly available services’3.
Summarising the relevant EU definitions we can say that the expression public communications
network means an electronic communication network that is used wholly or mainly for the provision
of electronic communication services available to the public and that supports the transfer of
2 EU ECI sectors: Energy; Nuclear industry; ICT; Water; Food; Health; Finance; Transport; Chemical industry;
Space and research facilities. See Annex2, COM(2005) 576 final, GREEN PAPER ON A EUROPEAN PROGRAMME FOR CRITICAL INFRASTRUCTURE PROTECTION http://eur- lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0576en01.pdf 3
DIRECTIVE 2002/21/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 7 March 2002 on a
common regulatory framework for electronic communications networks and services http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:108:0033:0050:EN:PDF
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 6
information between network termination points, including network elements which are not active4.
It is clear that the definition of public communication networks does not differentiate public from
private networks on the basis of their ownership but rather on the types of traffic they convey. Thus,
a private interconnection between two internet service providers that is governed by a private
agreement and SLA arrangements is still a component of a public communications network as long
as the traffic conveyed through it is offered as a publicly available service.
The European Union’s dependency on public services provided through communications networks
demonstrates the need to ensure the resiliency of our networks. We use the term resilient to
characterise networks that ‘provide and maintain an acceptable level of service in the face of faults
(unintentional, intentional, or naturally caused) affecting their normal operation’5. In that respect, a
resilient network must exhibit the ability to protect itself from damage, sustain a minimum service
level when under load or a failure has occurred, and provide for effective and timely mitigation and
recovery mechanisms.
Our communication networks have been designed and built with redundancy and fault recovery
mechanisms that contribute to the high levels of availability reported by the operators. However,
the increased dependency of the EU on, and the complexity of, the communications networks that
provide public services require further assessment and the encouragement of best practices in
resiliency in order to improve network availability and protect against extended disruptions. In this
work, the virtual working group (VWG) explores the path to overcoming the barriers of the past and
reaching even higher levels of resilience.
Definitions used in this work
Challenge: is understood as an obstacle to achieving resilience. Furthermore, it can facilitate the
collapse of resilience targets through the materialisation of threats.
Public communications network: defines an electronic communication network that is used wholly
or mainly for the provision of electronic communication services available to the public and that
supports the transfer of information between network termination points, including network
elements which are passive (non active). Network components can be cabling systems for radio
wave transmission and power supplies, connectors, etc. (VWG definition – contributed by RAND
Europe)
Public communications network: means an electronic communications network used wholly or
mainly for the provision of publicly available electronic communications. (EU Regulations6)
4 Passive (non-active) network components can be cabling systems for radio wave transmission and power
supply, connectors, etc. 5 ENISA – Trust on Infrastructure – About Resilience http://www.enisa.europa.eu/act/it/inf/inf
6 For a more detailed definition of electronic communications network, electronic communications service,
please consult EU (DIRECTIVE 2002/21/EC
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:108:0033:0050:EN:PDF).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 7
Network resilience: ‘resilient’ characterises networks that provide and maintain an acceptable level
of service in the face of faults (unintentional, intentional, or naturally caused) affecting their normal
operation. (ENISA – Trust on Infrastructure)
User: any organisation providing a public communications network that uses a shared network
component or infrastructure.
End-user: any customer, being a physical or legal entity, that uses the transport service offered by a
public communications network for a fee.
TIER-1 networks: a network that can reach every other network on the Internet using multiple
interconnections without purchasing IP transit or paying settlements. (Adapted from Wikipedia)
Tier-2 networks: An Internet service provider who engages in the practice of peering with other networks, but who still purchases IP transit to reach some portion of the Internet. (Wikipedia)
Rights of way (ROW): allow an undertaking to install facilities on, over or under public or private
properties. When a competent authority considers an application for the granting of rights of way, it
must act on the basis of transparent procedures, applied without discrimination and without delay.
(Directive 2002/21/EC of the European Parliament)
Indefeasible right of use (IRU): is a contractual agreement between the operators of a
communications cable, such as a submarine communications cable or a fibre optic network, and a
client. An IRU “shall mean the exclusive, unrestricted, and indefeasible right to use the relevant
capacity (including equipment, fibres or capacity) for any legal purpose. (Wikipedia)
Abbreviations
IMS IP Multimedia Subsystem
IRU Indefeasible rights of use
BSS Business support systems
CAPEX Capital Expenditure
NETEX Network Expenditure
NGAN Next Generation Access Networks
OSS Operations support systems
PCN Public Communication Networks
ROI Return on Investment
ROW Right of way
Tech Technology
Problem statement
The need for resilient public communication networks is recognised as an important topic both by the industry and public bodies. Individual operators of public communication networks are pursuing uninterruptible service provision through enhanced technologies, redundant systems, processes, etc. Yet, as the public communications networks are in effect composed of numerous individual
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 8
networks, the overall result reflects the strong and the weak points of their individual approaches. A survey7 conducted by ENISA indicated the problems faced by the industry:
New threats, dynamic risk and constant network evolution pose a demanding environment
for engineering and operating resilient networks where threat identification and risk
management approaches must evolve.
Linking between different management processes is a challenging endeavour while holistic
resilience management is still evolving.
Business continuity exercises have a critical role to play in preparedness and as a culture
building and evolution enhancing mechanism, yet complex testing types have still not been
widely adopted.
Coping with third-party dependencies as well as inter-infrastructure dependencies is
challenging.
Though it is clear that network operators are investing in most of these areas, reaching
maturity takes time. This fact brings us to the challenge of small-sized companies and new
entrants to the market that tend to fall short in RM and BCM capacities. How do we avoid
the weakest link in resilience?
In the context of this working group, the members faced further problems in addressing resilience in
public communications networks, stemming from the broadness of the definitions of these terms:
The current trend of providing more and more services transforms many of the traditional
network operators into service providers and mixes the provision of a public communication
network and the service offerings that utilise the transmission service of these networks. As
a consequence, defining the scope of this work around public communications networks was
a difficult task. It involved a clear understanding of the term ‘public communications
networks’, which encompasses privately-owned infrastructures and a large variety of private
commercial agreements, as well as publicly-owned infrastructures, but excludes most of the
services offered.
As public communication networks cover a wide range of networks the group was faced with
the task of following an approach that was generic enough to cover most cases and yet
specific enough to provide a useful outcome that provides specific measures. Thus,
addressing the following issues was part of the problem:
o Financing, economic impact and feasibility of the task: the key assumption here is that
profitable companies take measures in the area of resilience in order to ensure their
successful and profitable operation in the long run. At the same time they must be
profitable organizations, which means that, as they operate in a highly competitive
environment, they need a strong focus on profitable marketing activities and optimized
investment plans.
7 www.enisa.europa.eu/doc/pdf/deliverables/enisa_network_provider_measures_on_resilience.pdf
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 9
o Who are the users and what are their requirements?
o What level of resilience do they need?
o What is the exact measure of resilience we are using?
After several discussions the group managed to identify workable answers to these questions, which
in turn allowed a list of counter-measures to the identified challenges to resilience to be compiled as
well as a list of the threats that are of concern when discussing resilience. The measures identified
target not only network operators but also authorities at the national and EU levels.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 10
Scope, objectives and outcomes
Voice and data services offered over the public communications networks today support critical
applications in several identified critical sectors. Currently, besides the broad areas mentioned in EU
documents, an exhaustive enumeration of the services and their users is neither available nor can
the required resilience levels of the end-to-end services be adequately measured and defined.
Thus, the scope of this work is set around the common denominator of public communication
networks across EU Member States. This common denominator is the core networks of the various
telecommunication providers across the EU, including their interconnections at national level as well
as across borders, and their interconnection with countries outside the EU.
The scope of work also includes other critical components that are necessary for the resilience of
public communication networks and these include operation support systems (OSS), the business
support systems (BSS) of organisations and the corresponding organisational structures including
people. The application services offered at the network edges, as well as end-user access, are not
within the scope of this work.
The overall resilience targets set as a working assumption for this work are that core public
communication networks across the EU:
1. remain seamlessly interconnected and provide the same perceived feeling of a ‘single’
communications platform they offer under normal conditions albeit at a reduced but
acceptable service level;
2. be able to differentiate services and offer the desired level of resilience when EU Member
States finally need or wish to define their exact requirements;
3. exhibit the ability to protect against threats and recover from their effects in due time;
4. exhibit agility and re-configurability to support authorities in emergency communications
and crisis situations.
To this end, the ENISA virtual working group has settled on the following objectives for the public communication networks in its scope of work:
To identify and discuss the key challenges to resilience in public communication networks.
To identify measures and practices to address challenges and safeguard resilience. While there is a plethora of guidance on several of the areas with a relevance to resilience, we are still missing important information. The level at which measures have penetrated the industry , as well as their usefulness and applicability in public communications networks, are the kinds of information needed to boost their uptake or to point out the need for other measures that might be more appropriate.
Working towards the fulfilment of the stated objectives, the VWG has achieved the following
outcomes which should prove to be useful input for all interested stakeholders:
1. Endorsed a definition of public communication networks as commonly understood by its
members.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 11
2. Identified and agreed on a common set of targets for resilience in public communication
networks.
3. Identified and grouped logically the challenges that prevent achievement of the resilience
targets set or that facilitate their collapse through the materialisation of threats.
4. Produced a mapping of threats to the agreed challenges. This map can be used in two ways:
a. to obtain a brief overview of the threat landscape and the possible consequences for
resilience;
b. by organisations, to factor in measures already in place that address threats or prevent
their consequences, and thereby identify their posture regarding resilience.
5. Proposed measures with a national or an EU scope.
6. Provided indications of industry adoption of the proposed measures and their expected
impact in terms of benefits to resilience, cost, time and effort. The ratings are based on the
perceptions of the experts and should be treated only as estimates.
Approach
This work began with a brainstorming session that took place during the first meeting of the group
and through initial email interactions. The analysis revealed a set of challenges the participants had
to face when addressing issues concerning resilience for the public communication networks they
operate.
A challenge is understood to be an obstacle to achieving resilience. Furthermore, it can facilitate the
collapse of targets for resilience through the materialisation of threats. The challenges identified
were grouped into six areas, four asset challenge areas and two environmental challenge areas:
The four asset challenge areas are:
infrastructures: shared buildings and locations, power, facility systems, fibre cables,
indefeasible rights of use and rights of way, backhaul connectivity physical routings, cable
landing stations, national border crossings of physical fibre routings, interconnection
locations and Internet exchange points (IXPs);
technology platforms: protocols, hardware and software implementation, operational
support systems (OSS) and business support systems (BSS);
operational processes and people: processes for network management and operations,
including problem and incident management, change and configuration management,
capacity and inventory management, etc;
organisational continuity: responsibilities and resources for continuity and resilience,
training and awareness, stakeholder relationships and interdependencies, cross-team
collaboration, crisis communications and assurance through exercises.
The two environmental challenge areas are:
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 12
commercial environment: customer requirements, outsourcing to third parties, investment
feasibility and availability of finance;
regulation: EU harmonization of regulatory requirements for networks, disunity of data
protection and retention laws, intercepts and monitoring.
The presence of these challenges significantly limits the capabilities of public communication
networks to achieve and maintain resilience, thus taking mitigating action is required. At the same
time, the difficulty of identifying counter-measures when no clear targets for resilience exist was
raised. Based on the argumentation presented in the scope of work section of this document, the
group agreed on the targets for resilience and suggested a series of related measures.
The discussions of challenges often led to the identification of relevant threats. The attempt to
understand the effect of the threats in the presence of the challenges to the fulfilment of the targets
for resilience was not attempted, as the group noted that there was not enough information on the
exact assets involved. Consequently, attempting to evaluate the exact impact of these threats was
not feasible due to limited resources.
How to use this document
This document is the result of discussions among the members of the ENISA virtual working group
on the topic of the resilience of public communications networks. The group has focused on the
challenges faced by network operators and possible measures for addressing them. The challenges
and the measures are discussed in chapters 3 to 9. Each of these chapters contains the measures
relevant to a particular challenge area. When a measure is relevant to more than one area, it can
only be found in the area that was considered the most relevant.
For a complete mapping of challenges to measures the reader should consult the tables in Annexes
A and B. Measures that are suggested for action at the level of the EU or Member States are listed in
Annex C. In addition, where relevant threats were identified, they have been recorded in Annex D to
serve as a rough sketch of the threat landscape and as a reference for the interested reader.
Executive summary, target audience and goals: provides a quick understanding of what this work is
about.
Chapter 1: serves as an introduction to the problem and presents the scope of this work and the
outcomes achieved. You should read this chapter if you intend to understand in detail any of the
following chapters.
Chapter 2: provides a brief overview of the challenges and a note on understanding the profiles of
the measures.
Chapters 3 – 8: describe the challenges in the individual challenge areas and provide full profiles of
the relevant measures. It examines, in detail, what the network operators find challenging and the
counter-measures they are using, currently implementing or thinking about using in the future. It
provides insight as to how costly, time intensive, and beneficial these measures are perceived to be.
Chapter 9: concludes this work and provides some indication as to how it may possibly be used.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 13
Annex A: Measure ratings: contains the full list of counter-measures, including their rating in terms
of ‘time to implement’, ‘implementation cost’, ‘impact on resilience’, etc.
Annex B: EU & Member State level measures: indicates the measures proposed to authorities in the
EU or Member States.
Annex C: Mapping measures to challenges: contains a list of the challenges and the relevant
measures for mitigation.
Annex D: Mapping threats to challenges: lists threats to resilience in the presence of challenges. Are
our measures good enough against these threats even in the presence of challenges? Do we need to
adapt some of our measures? This list is just a start.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 14
2. Public communication network challenges and counter-
measures The following chapters discuss the challenges identified by the experts in the working group.
Challenges are marked in bold and a numbering scheme is used to identify the challenges in each
challenge area.
The numbering scheme uses a letter (I – Infrastructure, T – Technology, O – Operational process and
people, B – Commercial, R – Regulatory) and a two digit number. In addition, the challenges are
assigned a title in order to convey their meaning in just a single line.
The full list of challenges is as follows:
I01 - Logical diversity v physical cable routing density and separacy I02 - Limited diversity, capacity and pinch points, backhaul, cable landing stations, cable border crossings, submarine cables I03 – EU traffic concentration at IXPs and high magnitude events I04 - Private interconnections, unknown effects on resilience I05 - Interconnection or peering = location, protocol, policy I06 - Shared risks of poor infrastructure management I07 - Shared infrastructure, majority vote = cumbersome vulnerability management I08 - Infrastructure management, individual v collective responsibility for mitigation T01 - Emerging technologies = unknown impact on resilience T02 - Assessing the maturity of technologies and implementations T03 - New techs and their implementations bring functionality and vulnerability T04 - Old tech issues, scalability, vulnerable, costly maintenance T05 - IP control plane retrofitted with functionality T07 - End point devices used for attacks T08 - Late standardisation and interoperability testing O01 - Standardisation and tech – process integration O02 - Complexity and integration = many human errors, slow recovery O03 - New skills, human learning curve O05 - Operational risk variety O06 - Cascading impact of operational errors (eg, BGP mis-configuration) O07 - Operational processes do not reflect network infrastructure inter-dependency O08 - Cross border operator presence, information sharing, communication and collaboration C01 - Limited foresight to emerging and future risks and threats C02 - Effort to balance policies and practices or processes C03 - Projects may miss resilience considerations or expertise C04 - Resiliency management needs multi-discipline teams not easily available C05 - Crisis staffing requirements C06 - Network failures can cause a domino effect C07 - PCN continuity cannot be restricted within organisational boundaries C08 - Authorities and customers – fuzzy requirements and direction C09 - Borders of responsibility jeopardize collective mitigation C10 - Ownership and cost of coordinating EU wide resilience C11 - Slow communication and decision-making C12 - Management reluctance to tackle risks of BC testing
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 15
C13 - Limited assurance of BC plans B01 - Limited customer spending on resilience services B02 - New development priority over resilience B03 - Lack of KPIs and ROI for resilience B04 - Resilience expenditure must prove business benefit B05 - Resiliency in VMNOs pressed by budget B06 - Rapid deployments = limited internal know-how B07 - Multitude of contracting agreements (SLAs) B08 - Critical consultants as single point of failure B09 - Difficulties of due diligence in outsourcing R01 - Lack of harmonization in EU regulations obstructs standardisation
As far as counter-measures are concerned, they are provided for each challenge area in a separate
sub-section. Each measure is described in a measure profile card, like the one shown below.
Readers can find out whether the industry has already adopted a particular measure in the industry
status column. The expected positive impact of the measure is given in the ‘impact on resilience’
field while monetary cost and time to implement are also given in their respective fields.
The reader should note that the measures are rated according to the perceptions of the experts, so
the ratings only provides estimates and are not exact assessments of the measures.
Measure profile
Name Measure name – short and as descriptive as possible
Measure ID A number
for
identifying
measures
in
annexes
Industry status Implemented / Current / Future (Keep one)
Describes the current implementation status.
Implemented == the measure had already been
implemented a long time ago
Current == recently implemented or under
implementation
Future == could be considered in the future
Relevant good
practices
Experience of the members referring to their own practices or standards used
Description
A more detailed description of the measure; some implementation information may be given.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
The experts’ perceptions of implementation: what is or would be the cost in time and money and the expected outcome. Used to provide an estimate of usefulness versus cost and to identify measures that can offer quick wins == low cost, short time to implement and high impact.
About the measure ratings
These ratings were provided confidentially by the members of the group and are based on their
perception and not on official corporate data. The intent of this effort is to provide estimates and
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 16
indicators, thus interpretation of this table as a prescription for solutions to problems in resilience
must be avoided.
The numbers provided as a rating in the fields ‘time to implement’, ‘implementation cost’ and
‘impact on resilience’ range from 1=Low to 3=High. The ratings have decimals as they are the
average of the individual ratings provided, eg, for ‘time to implement’:
Rating colour coding
In Annex A: Measures ratings, you can find a table of all measures that include the measure ratings.
To allow for a better illustration of the perception of the experts, we have chosen to colour the
individual cells relevant to the rating in green, yellow or red. The table below provides the legend for
the colour scheme used. You should also note that for the ‘impact on resilience’ rating, the green
zone has a much higher threshold compared to the other ratings. This was chosen in order to make
measures perceived to be really helpful stand out from the crowd.
Time to implement Time <1.8 1.8<=Time<=2.2 Time >2.2
Cost Cost <1.8 1.8<=Cost<=2.2 Cost >2.2
Impact on resilience
(benefit)
Impact <1.8 1.8<=Impact<2.5 Impact>=2.50
Table 1 - Measure rating colour legend
Industry Status
The field ‘industry status’ provides a rather rough indication of what the majority of the experts said
about the status of implementation. The term ‘majority’ can simply mean just one vote more than
the dissenting opinion, so it is not representative of the distribution of the status of implementation
among voters. The possible status can be one of the seven states listed below:
Field value Meaning
I implemented
IC equal number of votes between ‘implemented’ and ‘currently being or recently
implemented’
C currently under implementation or recently implemented
CF equal number of votes for ‘currently implemented’ and ‘possible future
implementation’
F a candidate for future implementation
ICF equal number of votes for all three options.
Table 2 : Measures rating - Industry status legend
n
Tin
i
1
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 17
3. Infrastructure challenges Convergence on the network infrastructure is promoting the sharing of many of its parts. Network
operators tend to share most infrastructures for operational and cost efficiency reasons. Cable
landing stations, fibre crossings at national borders, public and private peering8 locations, sharing
physical space, power and HVAC in co-location centres are long existing forms of sharing. In addition,
the virtualisation of physical connectivity leads to the sharing of resources, such as radio frequencies
and lambdas in fibres, blurring the distinction between physical infrastructure and technology logical
resources.
Continual improvements in transmission and processors on DWDM technology platforms have
increased the number of wavelengths on fibre infrastructure. These technological innovations,
aligned with deregulation, market demand and the competitive environment, have significantly
increased capacity while using the same fibre infrastructure. Network operators, instead of building
dark fibre infrastructure and purchasing associated rights of way (ROW), have leased capacity or
procured indefeasible rights of use (IRUs) to sustain networks and avoid the expense associated with
laying and managing fibre infrastructure. Thus a high number of logical connections over far fewer
and more densely routed physical cables are generating diverse logical architectures in which
separacy in the routing of physical cable is not assured (I01)9.
In addition, cable landing stations, underwater sea cables and fibre crossing locations at national
borders are in many cases concentrated at specific locations due to the characteristics of the terrain
or a focus on cost control and efficiency in design; in these situations diversity and redundancy is
limited. The selection of locations for cable landing stations has, in several cases, resulted in remote
installations with limited options for backhaul connectivity to the core networks. Limited diversity
and capacity of cable landing stations, submarine cables, backhaul connectivity and border
crossing locations can jeopardise backbone connectivity (I02).
The interconnection of networks is exhibiting signs that high percentages of traffic are being
concentrated at a few large Internet exchange points (IXPs). These locations provide an excellent
opportunity for Internet peering and reduced transit costs. In addition, the peering locations of the
IXPs are increasingly being used to implement private interconnections not governed by ‘traditional’
public peering agreements. The value of a presence in an IXP location gets higher as the number of
participants increase, as the opportunities for interconnection agreements are also increasing. Thus,
IXP locations now have an even greater criticality for the continuity of the European backbone –
especially, when considering threats of high magnitude, diverse IXP locations in the same city or
even in the same country may just not be enough for those locations that service an important
percentage of EU traffic (I03).
In addition, throughout the EU we can still find countries that have only a single local IXP and several
countries with just two IXP locations. In such cases, loss of a single peering location has the potential
to damage the health of the backbone connectivity inside national borders and increase the load on
8 A settlement free interconnection of networks for exchange of traffic.
9 Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the
annexes. Infrastructure challenges are coded with the initial letter I followed by a two digit number, eg, (I01).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 18
international IXPs that will need to route national traffic. Larger and more experienced ISPs mitigate
this by establishing multiple private peering and public peering connections across multiple EU
countries.
Private interconnection and peering or transit agreements are still taking place in several locations
where operators may meet (co-location centres) or through direct point-to-point connections. These
private interconnections are driven by traffic requirements and information about them is in general
only known to the interconnecting organisations. As such it is not possible to identify and take into
account the effects of private interconnections on resiliency without extensive involvement by the
industry (I04).
There are international organizations which track peering capacity for research purposes, such
as CAIDA10, but no similar organization exists, with industry participation, that is focused on the
evolution of the pan-European networks. Overall network interconnections (referred to as peerings
when they concern the Internet Protocol) are effectuated in three different levels: the policy or
service exchange agreement level (transit or peering), the technology or protocol level, and the
physical point(s) of the interconnection. While the physical aspects of the interconnection have
been discussed in this section, the protocol and policy aspects need also to be taken into account
(I05).
On the policy side, several business reasons or disputes may drive decisions to terminate
interconnection or peering, in some cases in an ungraceful manner. The resulting loss of an
interconnection can cause country-wide segmentation of connectivity or severe service degradation.
On the Internet when TIER-1 networks are involved, even the segmentation of Internet space is
possible. Redundant interconnections (N+1) are an absolute requirement to limit the effects a
peering termination as is the case for any critical component of a system.
Other policy decisions may also prevent the establishment of private or public peering in the first
place. The decision to peer is influenced heavily by CAPEX and NETEX requirements, which are driven
by business and commercial objectives. The peering agreements are based on traffic ratios between
networks, similar to interconnect agreements between PSTN service providers. Measurements of
traffic flows determine the feasibility of a peering agreement where ISP with equal demand between
their IP networks agree through a peering arrangement to share costs for exchanging traffic (routes)
and deliver services. Unbalanced traffic ratios between networks result in unequal costs to support
traffic requirements prohibiting peering, thus often limiting the resiliency capabilities of smaller ISP
networks.
Typically smaller operators, tier two or below, compensate by entering into transit agreements to
augment capabilities to deliver traffic. These additional costs, both CAPEX and NETEX to fulfil service
delivery often constrict resiliency or force smaller ISPs to depend more heavily on public exchange
points for their service delivery. Consequently even larger amounts of IP capacity are concentrating
into single termination points.
10 The Cooperative Association for Internet Data Analysis; http://www.caida.org/home/
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 19
A variety of other threats from targeted attacks, accidents directly or indirectly targeting these
infrastructures, as well as natural disasters, can have severe impacts. Management of infrastructures
and protection against those threats is essential but, with the trend in infrastructure sharing
expanding to active equipment and complete network sites, the shared risk is now even more
profound. Thus, when vulnerabilities arise from poor management and maintenance practices,
these will affect all services of all users sharing this component (I06).
Depending on the management model, cumbersome handling of vulnerabilities may arise where a
majority vote of different organisations is required to implement an overall mitigation or
resilience strategy (I07). The degree of inter-dependence and the multitude of infrastructure
owners complicate the development of the overall understanding required to handle the shared
risks. Handling of shared risk requires additional motivation to enable infrastructure management
to see through the individual responsibilities and act collectively for mitigation (I08).
Infrastructure challenges: measures
Measure profile
Name Transparency of shared physical infrastructures and identification of critical parts
Measure ID 07 Industry status Implemented
Relevant good
practices
- Design of shared infrastructure with proper resilience rules (eg, international
interconnect carriers having more than one physical path with fully separated
physical infrastructures)
- Each network operator should have access to the information on the actual
level of resilience provided through shared infrastructures and take necessary
measures (eg, using two different international inter-connection carriers with
separated infrastructures).
Description
Transparency of shared physical infrastructures and identification of critical parts, such as submarine
fibre cables, cable landing stations and national fibre crossings, is required. Obtaining information on
the levels of resilience in the shared infrastructure at the design stage can facilitate easier
implementation with no time delays.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.7 2.1
Measure profile
Name Interconnection and peering – operation and maintenance of good practices
Measure ID 12 Industry status Implemented
Relevant good
practices
Description
Promote and adopt good practices for the operation and maintenance of interconnections and
peerings throughout the industry. Such practices must be widely known and accepted as references
(eg, best current practices).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 20
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.6 2.0
Measure profile
Name Interconnections and peering – code of ethics
Measure ID 13 Industry status Future
Relevant good
practices
Description
Develop a code of ethics for peer relationships and termination of peering or interconnections
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.3 1.2
Measure profile
Name Shared infrastructure – management responsibilities
Measure ID 01 Industry status Implemented
Relevant good
practices
Description
Responsibilities for managing the functions of shared components have to be clearly defined. This
should be implemented by means of clear SLAs for all parties sharing this component, stating the
responsibilities for maintenance and management (including monitoring) of the component. Error
messages, malfunctions and security incidents that are tracked have to be communicated to all users
of the component.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 1.7 2.3
Measure profile
Name Critical assets (including shared infrastructure and third party services) included
within the scope of information security management
Measure ID 02 Industry status Current
Relevant good
practices
BS7799
Description
Information security cannot be confined only to internal components. Lists of external partners or
service providers and externally-owned components have to be maintained and the provision of their
service has to be monitored. In the case where external providers have access to internal information
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 21
resources, controls have to be in place in order to maintain the necessary level of security.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.0 2.5
Measure profile
Name Shared infrastructure components included in risk assessments and business
impact assessments
Measure ID 03 Industry status Implemented
Relevant good
practices
Description
Each user of shared components (ie, components that are external to the organisations) has to assess
the risks that are connected to the usage of those components. This includes organisational (eg,
personnel issues), impact of non-availability, procedures to deal with information security incidents,
and potential damages. The assessed level of risk has to be acceptable and must comply with existing
internal security policies, ie, an incident or failure should not jeopardise the businesses of the users of
the shared components. In these considerations, physical security is also of major importance.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.4 2.0 2.5
Measure profile
Name Shared component (infrastructure or service) – audit results communicated to
users
Measure ID 04 Industry status Future
Relevant good
practices
Description
To verify that the agreed responsibilities are being carried out by the provider of shared equipment,
the user of a service (ie, of a component) has the right to be informed of the results of audits that
take place in the organisation of the ‘owner’ of the shared equipment.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.0 1.1
Measure profile
Name Shared infrastructure – incidents reporting made a mutual obligation through
appropriate interfaces and procedures
Measure ID 05 Industry status Current / Future
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 22
Relevant good
practices
Description
The user of the shared component has to provide the appropriate interfaces to enable the (mutual)
communication of incidents regarding the shared components.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.5 1.6 1.3
Measure profile
Name Shared infrastructure or co-location – develop resilience ratings and KPIs
Measure ID 06 Industry status Current
Relevant good
practices
Description
Development of KPIs concerning resilience and, in particular, resilience in the design of common
networks. The goal is to create an operating environment where the sharing of infrastructure does
not expose operators to additional risks. The same approach should also apply in the case of co-
location where common physical and network resilience has to be identified.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.8 2.0
Measure profile
Name Infrastructure interdependencies – focus on identifying practical issues and risk
mitigation
Measure ID 54 Industry status Future
Relevant good
practices
Description
The issue of infrastructure interdependencies deserves special attention as it can lead to major
outages of critical infrastructure components spanning different sectors (eg, electricity grid). Effort
has to be invested in practical issues concerning the identification of infrastructure dependencies and
the mitigation of existing risks. Infrastructure owners must identify their own needs and promote
mitigating solutions, engaging the corresponding infrastructure owners and national or EU structures.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.0 2.8
Measure profile
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 23
Name Incident reporting and communication to stakeholders
Measure ID 20 Industry status Current
Relevant good
practices
Description
Information about security breaches has to be collected and communicated between infrastructure
owners or operators to mutually inform each other and also the customer base.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.9 1.3 1.5
Measure profile
Name Critical infrastructure – component owners establish and maintain permanent
trustworthy communication channels
Measure ID 08 Industry status Current / Future
Relevant good
practices
Description
A communication channel between relevant operators of (components of) critical infrastructures has
to be established. The coordination of such expert groups might be headed by public authorities, ie,
public crisis management teams.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.4 1.7 2.6
Measure profile
Name Exercises to include communication channels and emergency plan testing with
inter-dependant critical infrastructures
Measure ID 09 Industry status Future
Relevant good
practices
Description
Exercises that include a provider of critical infrastructure have to be carried out in order to check the
effectiveness of established communications and the available emergency plans.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.5 2.4
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 24
Measure profile
Name Participation in forums addressing cross-organisational collaboration issues
Measure ID 10 Industry status Implemented
Relevant good
practices
Description
Participation in dialogue to identify technical and operational interfaces, responsibility structures, the
role of public organisations, best practices in cross-cutting security issues, vendor or provider
interdependencies, and risk structures that span organisational limits.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.3 1.2 1.5
Measure profile
Name Protection of critical infrastructure – collaboration with national authorities
Measure ID 11 Industry status Implemented / Current
Relevant good
practices
Description
Maintenance of contacts with authorities coordinating the protection of critical infrastructure
nationwide.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.3 2.3
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 25
4. Technology platform challenges Communication networks and technology are evolving in support of commercial requirements and
market trends. New products and services that increase the utilization of the networks are possible.
Computing innovations have drastically altered network architectures and the technologies used in
public communications networks. These newer technologies offer improvements over older ones
with features that fulfil new requirements and use more and more protocols to deliver functionality.
NGAN, IMS and others are examples of emerging technologies whose impact on the resilience of
the current telecommunication infrastructures is currently unknown (T01)11.
Emerging infrastructures are extremely complex and are actually composed of several ‘basic’
technologies and protocols defined by different standards developing organisations (SDOs) and fora
(eg, ITU-T, ETSI, GSMA, and IETF, just to list the main bodies). Time-to-market pressures lead to
implementation based on different versions of a standard or draft standard and compatibility is
uncertain. It is a fact that interoperability testing between different vendor solutions and
standardisation lags behind deployments (T08).
Recent events12, such as Interoperability and Plug tests13promoted by telcos are verifying these
interoperability problems. The tests show that, among different vendors, current implementations
are far from being fully interoperable. This situation increases the vulnerability to threats targeting
the resilience of emerging telecommunications infrastructures.
Another consequence of fast technological changes is the shortening of the lifecycles of equipment
to just a few years. This is a tremendous change compared to older technologies where the required
expertise and network management processes remained almost identical for decades (ie, the PSTN
network that is still in use today). In contrast, innovative equipment and various proprietary
platforms are now available, many of them produced by creative vendors who recently entered the
market. Given these developments, assessing the maturity of the technologies themselves as well
as the maturity of their implementations can be extremely hard (T02).
Furthermore, the network evolution leads to the co-existence of older and newer components and
platforms, which constitute an integrated mosaic of increasing complexity and interdependencies
across the various layers of the network. This is a necessary step as our networks migrate to new
architectures and technologies to achieve the gains in functionality required to meet present and
future demands. Still, we need to be aware of the risks of technology innovation and be prepared to
address them. During their lifecycles, each technology and product introduces vulnerabilities and
scalability issues that affect the network as a whole. Thus, while new technologies offer solutions to
well-known problems, they also introduce new vulnerabilities that need to be identified and
addressed (T03).
11
Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the
annexes. Technology challenges are coded with the initial letter T followed by a two digit number, eg, (T01).
12 Telecom Italia hosted the First ETSI IMS Interoperability Test Event, at the laboratories of Torino, from October 8th to 12th 2007, which focused on IMS NNI (Network-to-Network Interface) interoperability. 13 ETSI Plugtests T has hosted the 8th GPON Interoperability Test Event, from 22 to 26 June 2009, in Sophia Antipolis. For the latest Plugtest events: http://www.etsi.org/Website/OurServices/Plugtests/home.aspx.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 26
While the deployment of new services, technologies and designs are getting much of the attention,
we also need to take into account existing infrastructures. Older technologies may be limiting the
network in terms of scalability or contain vulnerabilities that it may not be feasible to address
(T04). For example, much of the older equipment does not support current secure network access
and management protocols or cryptographic algorithms, as is the case with Secure Shell Access v
Telnet access and AES v DES crypto algorithms.
It is even possible that some equipment and technologies have to be used beyond their official end-
of-life as announced by vendors. This actually means that there will be no further support at all and
that vulnerabilities will never be fixed. In the cases where upgrades or fixes are available, they are
often too costly to be a feasible investment for technologies that will be phased out in coming years.
The same rule of increasing cost may apply to the overall maintenance of end-of-life technologies
because they become too costly as physical wear increases, personnel focuses on new technologies
and human skills decrease over time.
On the protocol side, limitations such as the IPv4 address space exhaustion and the lack of security
mechanisms in the initial design of critical protocols, such as BGP, impose scalability limitations and
introduce vulnerabilities. For example, the simple trust mechanisms used in BGP may allow for
routing information to be altered by unauthorised originators causing routing loops, blackholes,
network congestion and denial of service attacks14. The industry is already aware of and is tackling
the challenges of BGP, but as the control plane of IP networks is retrofitted with more
functionality, new threats and vulnerabilities are certain to surface (T05).
Attacks on the core protocols of the infrastructure have the potential to be highly damaging to
network availability and performance, as the effects can be propagated through interconnections
across multiple networks. Due to the propagating effects of an attack, a systemic failure that will
disrupt services and applications affecting other critical sectors is possible. Thus, protecting the
integrity of critical core protocols is essential. Protection covers the physical and logical security of
the network equipment and the avoidance of man-in-the-middle and trust or spoofing attacks, thus
preventing tampering with the protocols at the core. In this respect the security of the network and
of customer end-point devices has been identified as a major challenge (T07).
The lax security of end-user networks and devices allow the manifestation of many attack vectors
that give rise to several threats. Examples include Botnets, viruses, DDoS and the challenge of spam
emanating from compromised machines. Trends show that the number of attacks against network
components is increasing, as is the magnitude of these attacks.15 Though network operators are
familiar with dealing with these kinds of attacks, it is clear that they a pose a risk not only for end-
users but also to the resilience of the whole network. Thus, EU-wide tracking and mitigation
mechanisms could have the potential to increase the efficiency of mitigation.
14
A Survey of BGP Security, Kevin Butler, Toni Farley, Patrick McDaniel, Jennifer Rexford, 2005
15 Worldwide Infrastructure Security Report, Volume IV - Arbor Networks, October 2008,
www.arbornetworks.com/report
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 27
Technology platform challenge: measures
Measure profile
Name New technologies platforms are assessed for resilience features and
compatibility
Measure ID 14 Industry status Implemented
Relevant good
practices
Description
Security characteristics of newly introduced technologies have to be investigated by the network
owners before the implementation of new products and services, especially with regard to security,
resilience and contingency. Capabilities and pre-requisites for their availability and desired
performance have to be compatible with the intended use and deployment environment. This would
take into account co-existence with old technologies and the existing operational model.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.6 2.7 3.0
Measure profile
Name Risk management used for critical components and processes
Measure ID 15 Industry status Implemented / Current
Relevant good
practices
Description
A threat, vulnerability and impact analysis has to be performed to identify risks. Following this, the
number of additional measures to be taken has to be identified.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.0 2.4
Measure profile
Name Life cycle – design and implementation: new project teams to include resilience,
BC, RM, and IS experts
Measure ID 55 Industry status Current
Relevant good
practices
Description
Organisations must include resilience in the agenda for a project from the early design stage of a new
product or service. Putting together project teams that include people with a background in business
or service continuity, risk management and information security will raise the importance of issues
that affect resilience.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 28
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.2 3.0
Measure profile
Name Life cycle – design and implementation: vendor RFIs and RFQs to explicitly
request resilience considerations to be addressed
Measure ID 56 Industry status Implemented
Relevant good
practices
Description
Requests to vendors in the form of RFIs and RFQs should be used to leverage the resilience aspects of
requested product or service.
For example, proposed architectures must describe clearly how different types of traffic (control,
management or end-user traffic) are transmitted, separated and protected. A communications matrix
should be requested where appropriate.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.7 1.7 2.4
Measure profile
Name Life cycle – design and implementation: vendors to deliver risk assessment report
and risk mitigation practices for new deployments
Measure ID 57 Industry status Current
Relevant good
practices
Description
Risk assessment reports covering the design and implementation of new products have to be part of
the delivered material for new products (especially concerning continuity and resilience issues). The
vendors have to suggest risk mitigation practices for new deployments. This can be considered as a
maturity characteristic of new products and their implementation.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 2.0 2.6
Measure profile
Name Life cycle – design and implementation: full Integration with OSS or BSS to be
part of all deployment projects
Measure ID 58 Industry status Implemented
Relevant good
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 29
practices
Description
The management of new technological components has to comply with or be adaptable to the
management practices followed in the existing network. Even in the case of a proprietary product,
integration with existing operational support services and business support services has to be carried
out.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.5 2.7 2.6
Measure profile
Name Life cycle – design and implementation: new platforms assured compatibility
with existing infrastructure
Measure ID 59 Industry status Implemented
Relevant good
practices
Description
Test environments have to be developed to extensively test new products with regard to their co-
existence with existing components.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.6 2.9
Measure Profile
Name Life cycle – commissioning and acceptance: technology platform deployments
establish incident detection, response and incident management early in the
process
Measure ID 60 Industry status Implemented / Current
Relevant good
practices
Description
Starting from the initial stages of deployment, incident detection and incident management for
problems arising from new products and the transition process have to be in place.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.0 2.4
Measure profile
Name Life cycle – commissioning and acceptance: technology platform acceptance
testing incorporating resilience features of the system
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 30
Measure ID 61 Industry status Implemented
Relevant good
practices
Description
An acceptance process should be in existence before a new service is offered to the market. Testing
and validating the resilience features and the suitability of risk mitigation practices should be part of
the acceptance. Testing must be performed both at the component (node) and system level.
Make sure employees are fully engaged in testing and acceptance to benefit from engaging
with the vendor and of familiarising themselves with the technology and components.
In the future, testing scenarios could be leveraged for the planning of BC exercises.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.2 2.3
Measure profile
Name End-point security practices – awareness raising
Measure ID 16 Industry status Current
Relevant good
practices
Description
Awareness programmes have to be deployed to ‘educate’ end-users about how to securely cope with
their devices.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.5 2.0 1.7
Measure profile
Name End-point access shutdown or quarantine
Measure ID 17 Industry status Current
Relevant good
practices
Description
A possible solution to attacks initiating from end-points (end-user devices) is to shut down an access
point, albeit this might have implications from a commercial and data protection legislation point of
view.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.4 1.6 2.2
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 31
Measure profile
Name End-user notification of incidents
Measure ID 18 Industry status Current
Relevant good
practices
Description
End-users are put in the information exchange loop concerning security incidents and fraud.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.4 1.3
Measure profile
Name End-user incentives for practising secure computing
Measure ID 19 Industry status Current
Relevant good
practices
Description
Incentives for the secure usage of user-equipment might enhance user preparedness to maintain
equipment security.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.5 1.3 1.6
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 32
6. Operational process and people challenges Networks are, by their nature, integrated and complex. As their evolution continues, standardizing
procedures and achieving full integration of network management processes within a changing
network is a continuous challenge (O01)16. Maintaining the ability to control both internal and
external agents to prevent disruption is as crucial as it is difficult. The successful implementation of
effective change and configuration controls is a primary reason our networks have achieved high
levels of availability.
However the increasing complexity, interoperability and integration aspects of the technology
directly influence the network management processes used to control the operation of the network.
As a consequence of the complexity and integration mismatches the probability of failures
increases, as does the duration of the resolution of problems (O02). For instance, implementation
of peering arrangements requires complex routing policies. Thus policy-based routing is difficult to
get right and an incompatibility or administrative error can easily hide parts of the internet.
It is evident that related personnel are an important factor and a challenge, since operational
mistakes or errors can have severe impacts. Moreover, there is always the threat of people (insiders,
disgruntled employees, etc) intentionally causing operational problems to the network. In all cases
(eg, mis-configuration of a router or a directed threat), the end result is nearly always the same. The
introduction of new technologies creates additional challenges of the human factor in two
respects: (a) due to the low experience of personnel during the initial period when a new
technology is being introduced (O03), and (b) in areas of technology where complexity increases
(O02).
When vulnerabilities arise from poor management and maintenance practices, these will affect all
services of all users sharing the particular component and all inter-dependent components. Indeed,
the network disruptions of small networks or providers can have an impact on the operations of
larger ones (O06); this is exemplified in the case of spam which can arise from small providers and
lead to a loss of service to a group of providers due to upstream service cut-off. In addressing
threats and risks that reach beyond organisational boundaries, organisations are interdependent;
this has to be reflected in their operational processes (O07).
A central instrument in overcoming these challenges is the availability of the correct information to
the people who are empowered and technically capable of acting on and mitigating them. As such, a
focus on monitoring and information sharing across stakeholders, supported by good internal and
external communications, is required. These elements should allow the pick-up of signs of failure to
initiate response and, if needed, crisis management procedures. Communication, information
sharing and collaboration are a key challenge, especially because of the global nature of the
network and the cross-border and international presence of operators (O08). Thus, technical
intelligence, monitoring and detection capabilities must be reinforced. In particular, intelligence that
offers situational awareness and early warning beyond the capabilities of a single network provider
can be very useful. It is also important to note that special attention should be directed to the
16
Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the
annexes. Operations challenges are coded with the initial letter O followed by a two digit number, eg, (O01).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 33
service layer, due to significant new threats and the broad impact of potential failure, eg, VoIP
malfunctions.
Maintaining resilience requires effective confrontation of threats outside the exposure to expected
threats. The current (network management) processes need to be adapted to handle the blurred
areas of risk, from operational maintenance and fault resolution, resilience or BC plans, to the
maintenance of various proprietary platforms, throughout the lifespan of the technology (O05).
This requires comprehensive organisation that includes internal (organisation wide) and external
(vendors, suppliers, etc) resources. In this direction, several standards are available that can be
utilised by the organisations operating public communication networks to set the foundations for
taking the evolution of the operational process to the next level. While 100% availability of all
components is not possible, adaptability of the operational processes contributes to maintaining
resilience and minimizing the probability of failure and the duration of problem resolution.
Operations challenges: measures
Measure profile
Name Operational processes integrated with established information flows
Measure ID 21 Industry status Implemented
Relevant good
practices
Description
Good integration of network management with other management disciplines within the
organisation seems to be a key issue in mastering the complexity of changing network technologies.
In this respect, integration with the management of risks, assets, security, continuity and incidents
are essential. Furthermore, the interfaces to mature change, release and problem management
processes are highly relevant.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.1 2.7
Measure profile
Name Detection and mitigation of cyber threats given a high priority and assigned
specific resources
Measure ID 22 Industry status Current
Relevant good
practices
Shared good practice: while network operation centres (NOCs) focus on
monitoring network capacity, security operation centres (SOCs) concentrate on
detecting abnormal situations that could be interpreted as the possible beginnings
of attacks against operators’ networks. It has also been stated that an SOC,
moreover, should not have a geographical focus but should act as a global
overview body and undertake the monitoring of the entire network of the
organisations involved. Experience has shown that a threat that is rising in one
country will soon expand to others. Thus an operator should organise its individual
country SOCs to act as a global SOC, allowing the early and joint mitigation of
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 34
threats inside their networks.
Description
The differences in scope between the various management disciplines has to be clear: particular
attention, for example, has to be given to the notion of monitoring, detecting and responding to
cyber incidents and the differences, in terms of operational functionalities, between network
operation centres (NOCs) and security operation centres (SOCs). Adequate resources have to be
assigned, including specialised expertise on the detection and mitigation of cyber threats.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.5 2.7 3.0
Measure profile
Name Operations and network management – personnel participate in schemes for
knowledge sharing with vendors
Measure ID 23 Industry status Implemented
Relevant good
practices
Description
Given the novel functionalities incorporated in new components and the concomitantly reduced
experience in technology administration and management issues, knowledge and information sharing
has to be enforced in order to more effectively master challenges in the introduction or adaptation of
network management activities. Schemes for the exchange of information and for sharing existing
(non-competitive) knowledge between operators and vendors of components have to in place.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.6 1.3 1.8
Measure profile
Name Operations and network management – uptake and use of existing standards
and best practices
Measure ID 25 Industry status Current
Relevant good
practices
Description
Orientation towards existing network management standards and good practices (both technological
and operational) is a key issue to be enforced for new products and services. Compliance with such
standards has to be evident through the functional and qualitative characteristics of new products
(including the deployment process).
Special attention must be given to a defined process for patch management, in order to maintain
critical systems and platforms up to date and to close known vulnerabilities.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 35
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.1 2.8
Measure profile
Name Design documentation of procedures and work instructions for effective use
under high pressure
Measure ID 26 Industry status Implemented / Current
Relevant good
practices
Description
Documentation of network management practices has to be oriented towards practical issues, thus
allowing for good usability in situations of failure and emergency.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.5 1.5 2.4
Measure profile
Name Operational process measurements for resilience indicators routinely collected,
analysed and acted upon
Measure ID 27 Industry status Future
Relevant good
practices
Description
The effectiveness of network management practices, especially those relevant to resilience issues,
has to be measurable. Indicators of adaptability, early detection, mean time to respond, false
negative assessments leading to incidents, etc, are required.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.6 2.5
Measure profile
Name Network monitoring used, and data analysed and acted upon
Measure ID 28 Industry status Implemented / Current
Relevant good
practices
Description
Network measurements (eg, capacity measurements, performance measurements, failure rates, QoS
parameters, etc) have to be introduced, collected and monitored for all vital network components
(eg, availability and performance management).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 36
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.3 2.7
Measure profile
Name Proactively structure operational responses to incidents requiring third party
participation
Measure ID 29 Industry status Future
Relevant good
practices
Description
Operational processes must be designed and structured to address threats and risks reaching beyond
organisational boundaries and must exhibit the ability to locate, communicate, share information,
collaborate, and act in concert with external stakeholders. Personnel must expect to encounter and
address both imaginable and unthinkable scenarios.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.2 2.0
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 37
7. Organisational continuity challenges Every modern organization realizes the value of dedicating some resources to the prevention of
expensive damages that would likely occur should such preventive measures not be taken. For
example, companies operating IT components use intrusion detection and response systems in an
attempt to detect computer intrusions and then activate defensive measures to minimise the
ensuing damage. This is a proactive approach to protecting a company's infrastructure that
contributes to its resilience, but IT and technology platforms are not the only resources that need to
be resilient. Resilience calls for an ability to ‘provide and maintain an acceptable level of service in
the face of faults’. As such there must be the ability to proactively recognise and adapt to changes
that may lead to disruption in either a slow or abrupt way (C01)17.
In some companies resilience related awareness or activity is event driven. For example, the
mitigation of personnel unavailability may be driven by Bird Flu or Swine Fever and thus be reactive
in nature. The organisation’s policies must reflect its strategy to address such risks but this is still not
sufficient. If no proactive permanent precautions exist to cope with the occurrence of such events
then plans to maintain critical activities in these worst case scenarios will likely fail. This illustrates
the difference between policies (good for strategy) and process (good for operational reactive
actions). What is needed is the alignment of practice with policy (C02).
The role of the business continuity management team is to provide the tools and techniques for
effective plans, business impact assessments and exercises to ensure the organisation is equipped to
achieve the right balance between proactive and reactive measures. Proactive measures must be
integrated in the networks, products and services right from the planning phase through to
implementation. The consideration of security, resilience and business continuity requirements
during the early design phases of networks and processes is the only way to ensure that risks are
identified and owned and the appropriate mitigation strategies are followed. Otherwise projects to
bolt on these aspects at a later stage will find obtaining the required resources and budgets almost
impossible. It is thus necessary to get designers and security people together when technological,
implementation or business projects are in their infancy (C03). This is to ensure that resilience and
continuity are part of the delivered result.
The availability of the critical staff necessary to run the business, but who are not limited to technical
personnel, is a primary challenge. There are hardly any reactive strategies that can be implemented
without the involvement of personnel. No matter how automated companies are, a critical mass of
people must be available to handle processes and manage data, infrastructure and technology
(C05).
There are various threats, ranging from outbreaks of infectious diseases through staff kidnappings
and transport strikes to natural disasters such as floods, which may cause critical staff to be
unavailable. To ensure the business can resume operations and recover, the incident management
team has to be prepared to react with the support of plans and technical teams. The variety of
threats affecting infrastructure, people, processes and technology demands that people with
17
Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the
annexes. Challenges to continuity are coded with the initial letter C followed by a two digit number, eg, (C01).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 38
diverse backgrounds need to be engaged to successfully manage resilience and respond to
incidents (C04).
Using the challenge of personnel as an example we can recognise the need to factor in dependencies
with other critical sectors that may, directly or indirectly, affect critical resources or processes. As
regards personnel, dependencies on the transportation and health sectors can be noted. More
dependencies can be recognised for infrastructures, technology platforms and the operational
processes in the energy sector and the intra-sector dependence of ICT, etc. Recognition of the direct
dependencies of critical organisational processes to infrastructures, as well as assessment of the
risks to these assets, is well understood by corporate management.
This is in marked contrast to the hurdle to an understanding of the inter-dependencies that have
developed due to the prevalence of communication technologies. As communications are now an
indispensable component of operations in most critical sectors, disruptions in public communication
networks can be one of the initiating events for a domino disruption of other critical infrastructures.
In effect, a failure of networks can be a cause of failure for their own dependencies in other
sectors. Understanding (inter-)dependencies is critical in avoiding domino failures that have
society-wide consequences (C06). Measures need to be in place to understand the complete supply
chain and not just to focus on internal resilience when the weakest link may lie within third parties.
It is evident that continuity organisation for the resilience of public communication networks
cannot be restricted within the boundaries of organisations owning and operating the networks
(C07). Information required for planning the continuity of inter-dependencies lies with the individual
owners and users and their engagement is necessary. In reality, obtaining the required information
is not a straightforward process, and even when engaging customers and authorities, it is difficult
for these stakeholders to inspect their requirements and control their interests (C08).
In addition, the apparent multitude of infrastructure owners complicates responsibilities, especially
at interconnection points and border crossings where additional motivation to enable
infrastructure management to see beyond their individual responsibilities and act collectively for
mitigation is required (C09). Such an endeavour at the EU level requires major efforts in
coordination and collaborative activities which network providers cannot take up on their own. It is
the governments and EU bodies that should take the lead in these activities. At the same time it is
required of these stakeholders that they have a clear understanding of their needs, which is a
challenge in its own right. Taking up responsibility to scope continuity activities for the good of EU
citizens and bear the costs of such coordination is a major challenge (C10).
Collaboration among the different parties that need to be involved has to be expanded beyond
planning to active participation in the response to incidents, and this leads to yet another challenge,
that of effective communication, command and control, as the increasing number of parties and
levels of authority lead to increased complexity and slow communications and decision-making
(C11). We must remain mindful that communications lay at the heart of both our own activities and
those of our customers; thus we and our customers expect services to be available even during the
coordination of incident response and management.
An indispensable component of organisational continuity is the implementation of business
continuity exercises. There is broad agreement on the limited senior management attention paid to
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 39
full scale BCM testing as this might have a disproportional impact on service delivery (C12).
Therefore the standard practice, often dictated by commercial limitations, is table (desktop)
exercises or procedural testing involving senior management. In some cases, occurrences of failures
(eg, power or equipment outages) reinforce the feeling that the measures tend to work putting off
people from additional testing. As a result, functional or technical BC exercises do not take place.
Experience at the level of national exercises also shows that, in those cases, technical testing is not
present. This situation with limited exercises adds an additional challenge with regard to the
effectiveness of existing BC plans within and between organisations (C13). Improvements in our
processes and our capabilities, as well as demonstration of continuous improvement, involve the
conduct of exercises at the appropriate level. Technical testing of communications or IT systems,
desktop walk-throughs of the elements of a plan, simulated full-scale exercises, and finally a full, live
invocation of the plan should also be considered.
Organisational continuity: measures
Measure profile
Name The organisation of business continuity to aim for continuous improvement
Measure ID 30 Industry status Implemented / Current
Relevant good
practices
BS25999, ISO27001
Shared good practice: use standards as a guide to implementation. Leverage the
learning capability from audits, exercises and incidents.
Description
Identify lessons to be learned and ensure that risks are understood and where possible mitigated. We
must utilise prior knowledge of faults in order to shape an expected envelope of faults or incidents
against which we can prepare. Achieving pro-activeness will allow the development of the predictive
ability required for resilience. BCM units within organisations have to take advantage of real life
events as cases for analysis and demonstrate the need for resilience and mitigation of risk. Analysed
disasters can serve as scenarios for test plans.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.2 2.7
Measure profile
Name Balanced pro-active and re-active strategies
Measure ID 34 Industry status Implemented / Current
Relevant good
practices
Description
Pro-activeness and re-activeness are not opposing forces but rather complementary ones. Proactive
and reactive strategies for mitigating security risks have to be balanced and mutually tuned up. Extra
effort in pro-active measures that can help in localising the effect of incidents can be preferable to
over-engineered re-active strategies.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 40
2.0 1.9 2.2
Measure profile
Name BC organisation seamlessly integrates organisational and operational resiliency
Measure ID 31 Industry status Current
Relevant good
practices
Implement a BCM life-cycle using the ‘plan-do-check-act’ methodology.
To avoid incurring greater overheads, create a balance between politics, people
and goals.
Description
Resilience or security governance (politics, people and goals) must be embedded throughout the
entire company but must not create too much overhead. Embedding culture does not always incur
great cost, but it is a lengthy process, especially for large organisations, and a continuous one. The
first step is implementation of a business continuity management system (BCMS) that includes
measures around the BCM lifecycle and implementation of the plan-do-check-act methodology.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.2 2.6
Measure profile
Name Responsibilities for resilience are part of professional behaviour and sociel
responsibility
Measure ID 32 Industry status Current
Relevant good
practices
Description
‘We must remain mindful that communications is at the heart of both our customers’ activities and
our own, and our customers expect the services to be available.’ Awareness activities at all levels are
required. The awareness of senior management, especially, must be reinforced.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 1.8 2.4
Measure profile
Name Extroversive attitude to addressing high magnitude incidents (cross-sector
communication, coordination, and collaboration structures)
Measure ID 35 Industry status Current
Relevant good
practices
Description
Today, many of the risks faced by individual operators are considered and evaluated. However, given
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 41
the high degree of dependencies in technical and organisational interfaces (see challenges), there are
numerous risks that are beyond the mitigation strategies of each individual operator. Such threats
and risks cannot be managed and mitigated effectively by a single organisational function. To manage
such risks, cross-sector communication, coordination and a structure for collaboration have to be
established. Risk of systemic or extended disruptions at regional or national level can be effectively
mitigated with shared resources from industry and government. Companies need to account for this
risk by identifying all inter-dependencies. We are only as strong as our weakest link.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.5 2.1 2.7
Measure profile
Name EU-wide monitoring and early warning on external threats
Measure ID 36 Industry status Current
Relevant good
practices
Shared good practice: some organisations have individually established contacts
with authorities.
Description
Monitoring and early warning on external threats to the network’s information security or resilience
(could include physical, environmental, and/or geopolitical risks)
Extra support from authorities, governments or the EU is seen as required to build a threat radar with
early warning notifications based on weak signals analysis (not only at the technical level).
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.8 2.4
Measure profile
Name Tracking of exposures of technology platform and mitigation at EU level
Measure ID 62 Industry status Current
Relevant good
practices
Description
Hardware and software vulnerabilities and risk tracking and resolution. A form of shared intelligence,
as network failures effect all. Includes coordinated actions and tracking the progress of mitigation for
critical exposures.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.0 2.5
Measure profile
Name Tracking disruption of infrastructure and utilities at EU or National level
Measure ID 63 Industry status Current / Future
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 42
Relevant good
practices
Description
Tracking disruptions with intra-sector and inter-sector effects at the EU or national level. This would
need broad cross-sector collaboration that could be facilitated by governmental or EU coordination.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.5 2.4
Measure profile
Name Establish or participate in national infrastructure emergency plans
Measure ID 37 Industry status Implemented / Current / Future (Keep one)
Relevant good
practices
Description
National cross-sector emergency procedures have to be established under the responsibility of
(neutral or independent) public organisations. For effective deployment of such structures, public-
private partnerships have to be considered. Scenarios that need to be tested to ensure that plans and
communication channels are agreed and understood need to be identified.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
Measure profile
Name Pan-European coordination for cross-border risks
Measure ID 38 Industry status Future
Relevant good
practices
Description
Pan-European structures need to be established in order to manage risks that span national borders
or national responsibilities. This coordination is seen by network operators as a resource intensive
task beyond their financial capabilities and should be driven by authorities at EU level. This measure
could be directed at :
1) Protection availability: best practices, contracts, responsibilities for parties which interconnect international networks 2) Disaster recovery: how we work together cross-border or pan–European.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.6 2.2 2.4
Measure profile
Name Volunteer ‘virtual’ database of cable infrastructure against accidents during
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 43
digging works
Measure ID 39 Industry status Future
Relevant good
practices
Example of implementation in Australia:
http://www.dialbeforeyoudig.com.au/1100/
Description
Establishment of voluntary on-demand information-sharing scheme with third parties to avoid cable
damages due to digging works.
A consideration that needs to be addressed is overcoming limitations due to perceived or actual data
sensitivity. Careful use of shared data, anonymisation and trusted third parties to handle requests
and, possibly, the delivery of the needed information could be considered.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 1.4 2.3
Measure profile
Name BC exercises – senior management awareness
Measure ID 41 Industry status Current
Relevant good
practices
Description
Enhance awareness of senior management concerning necessity of BC testing. Present clearly the
tactics used to minimise service failures.
Involve managers in crisis or incident management and strategic teams (silver and gold teams) and
engage them in desktop exercises.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.7 1.3 2.3
Measure profile
Name BC exercises on non-technical parts of the plan
Measure ID 42 Industry status Implemented / Current / Future
Relevant good
practices
Description
Perform ‘real’ exercises on critical non-technical parts of BC plan. Increase the maturity of non-
technical parts of BC plan and avoid exercising bottlenecks from the lack of trust in technology
measures.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.0 2.1
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 44
Measure profile
Name Use BC exercising tactics to increase trust in technology and minimise probability
of failure
Measure ID 43 Industry status Implemented / Current / Future
Relevant good
practices
Description
In order to minimise the impact of failure during an exercise, some of the following tactics could be
used:
Identify time windows to test the recovery of technical components without affecting
operations. This can be challenging due to global, 24-hour nature of businesses; however, as
examples, night periods where usage is low or vacation or holiday periods where a great
percentage of the population is away could be used for testing.
Identify sub-systems that can be tested without affecting important parts of the operated
services. Increase trust in the technology controls.
Avoid keeping systems in-service for prolonged periods without soft-resets, lest risks from
the accumulation of unsaved configuration changes and uncertain system states increase.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.8 2.2
Measure profile
Name Assurance of preparedness for business continuity actions
Measure ID 44 Industry status Implemented / Current
Relevant good
practices
Description
Increase BC assurance by trying to measure:
the understanding of BC plans by individuals; add to key staff roles and job descriptions;
The availability of resources and the actual RTO and RPO that can be achieved.
Increase the complexity of exercises gradually, building trust on the operational capabilities of
technical measures.
Large organisations cannot wait to gain understanding but in the mean time must ensure adherence
to BC policies and processes.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.1 2.3
Measure profile
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 45
Name Establish a crisis or incident management organisation
Measure ID 68 Industry status Implemented / Current
Relevant good
practices
Description
A dedicated organisation (team, governance, plans, communication interfaces) is defined and trained
to solve crisis. Crisis organisation should involve senior managers from different departments, such as
engineering, operations, security, legal, logistics, communications, media relations and liaison
officers.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.0 2.5
Measure profile
Name Funding of umbrella resilience measures
Measure ID 66 Industry status Future
Relevant good
practices
Description
To find funding for required resilience measures above and beyond the responsibilities of the
network operators.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.0 1.67
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 46
8. Commercial challenges Customer requirements and the business case
Public communication networks are, for the most part, owned and operated by private
organisations. In order to maintain their capability to operate, generating revenues from the services
they provide must be one of the primary objectives of these organisations. Thus, it is not surprising
that they are constantly examining the business case for their investments and expenditures.
As such, it is important to take into consideration customer requirements. Customers increasingly
rely upon networks for their continuity. At the same time, their needs change as they require and
access new services. Although corporate customers can view resiliency as added value, there still
seems to be limited customer preparedness for spending that would support the development of
resilient services (B01)18.
For the mass market, resilience would not be a differentiator since customers are not yet capable of
factoring resilience into their purchasing choices. Thus, resiliency is considered as a cost centre and
investments are usually prioritised towards the development of new services and functionalities
due to tough competition from other operators (B02). The value added to the end-customer must
be visible.
Costs of resilience and performance indicators
Selling resilience projects internally is also a complex matter, since the challenge to security is that,
when business processes run smoothly (ie, the security or resiliency team has done a good job), the
investment is questioned; but also, should something go wrong with the availability of business
processes, the investment is equally challenged. The key to selling resiliency internally is to provide
quantitative figures that demonstrate business benefit (B04).
Presenting a positive ROI and the value added to the customer should be the next objective pursued.
It is important to be able to quantify the financial impact and ROI of resilience measures, but
appropriate KPIs are lacking (B03). This element is also important for the development of
appropriate national and international public policies on resilience.
Special case: virtual (mobile) network operators
Another business case with an uncertain financial model for resilience is the ‘sharing’ of operator’s
networks with virtual (mobile) network operators (VMNOs), whose operational focus is not on
security and resilience but in selling revenue generating services. Nevertheless, even if VMNOs or
alternative operators do not own the network infrastructures, they are still bound by a set of
national and international regulatory requirements associated with service availability and resilience
in general. However, this conflicts with the focus of VMNOs and alternative operators on achieving
high operational margins by keeping costs as low as possible. This means that resilience issues or
requirements may be addressed in insufficient ways due to pressure to keep costs low (B05).
18
Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the
annexes. Commercial challenges are coded with the initial letter B followed by a two digit number, eg, (B01).
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 47
The rather short-term strategies of many VMNOs that are implemented through price erosion result
in competitive pressures being increased and may lead operators to reduce their focus on resilience
in order to become more cost efficient and competitive compared to the VMNOs. Thus measures
that help maintaining the balance in spending for resilience measures proportional to the types and
size of network providers can overall increase the adoption of measures for resilience.
Third parties and outsourcing
The increased demand for the deployment of new services as well as the pressure to cut-down on
service costs gives rise to the human resource challenge. In house know-how and experience on
new services and technology, if available, is limited, at least initially (B06).
Therefore, the engagement of third parties in providing innovative equipment and implementing the
various technology platforms is required. In many cases, this involves outsourcing important parts of
network operations and service delivery. In order to properly manage all categories of third parties
involved in service provision, numerous kinds of contracts and contract fulfilment practices need
to be developed (B07).
Third parties can be divided into several categories, each requiring differing approaches in their
management. A third party:
for fibre infrastructure could be a ROW provider who digs up the fibre cable and thus
disrupts service;
for the transmission technology platform could be a maintenance provider;
for the IP protocol could be an interconnection provider who undertakes change activities
that prevent packet delivery or cause degradation, etc.
Some of these categories are made up of consultants, who bring in knowledge of new technologies
and processes. Such consultants, with advanced operational and technical skills, are an important
resource for continuity of operations and knowledge transfer. Their unavailability could have direct
operational impacts on pivotal activities or operations. At the same time, external consultants with
‘low skill levels’ could, instead, be managed using standard outsourcing contracts. When contracting
for outsourcing services, identifying critical consultants who must be subject to internal human
resource management practices is not always straightforward (B08).
Whilst communication operators are outsourcing and engaging in complex partnering programmes,
the due diligence of these relationships when it comes to security (and hence resilience) is rather
limited (B09). Hence network providers must be alerted on the threats that could be faced, such as
the need to reconsider resilience arrangements, but there is a lack of provisions in the contracts for
addressing this need. Furthermore, in other cases, backing off from a failing contract can be onerous
if, as a result, the internal know-how will be no longer present.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 48
Commercial challenges: measures
Customer requirements and the business case
Measure profile
Name Assess and promote customer awareness of resilience issues and needs
Measure ID 45 Industry status Future
Relevant good practices
Description
It is necessary to assess customer awareness of resilience issues. Since resiliency is a relatively new issue, it is not clear how many customers understand it as a qualitative characteristic of a service and how it relates to their portfolios. There are sectors where the need for resilience is obvious and this has led businesses to maintaining their own infrastructure (eg, in banking) in order to guarantee desirable levels of availability. This need for awareness has grown among other sectors through regulatory requirements regarding data protection, continuity capabilities and availability.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.2 2.2 1.5
Measure profile
Name Identify levels of resilience required in critical infrastructures
Measure ID 46 Industry status Current
Relevant good
practices
Description
Identifying the levels of resilience required in critical infrastructures (eg, financial organisations as
mentioned above) and understanding critical processes is necessary. A clear view of the requirements
will facilitate implementation and the justification of the expenditure.
Despite the efforts of the operators to address this measure, it is proposed that this initiative should
be undertaken at the EU or national level. The key issue here is to identify the gap between the level
of resilience that should exist at the pan-European level and the level of resilience that operators
provide anyway according to their usual practices in network design and operation.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 2.0 2.5
Measure profile
Name Communicate the resilience characteristics of the service to customers
Measure ID 47 Industry status Current
Relevant good
practices
According to licensing obligations, contracts should provide for a certain minimum
level of service availability as well as impose an obligation on the operator to
update the public on service outages. Further and more detailed communication of
the resilience of the service to the customers is not always easy. Apart from
business customers who are resilience aware and sensitive to such issues, the plain
consumer finds it difficult to understand the role of resilience and for that reason
operators do not promote or differentiate their products based on resilience.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 49
Description
Resilience characteristics have to be communicated as an element of the service to customers. Based
on the importance of their business processes, customers can decide the level of QoS (quality of
service) they want with respect to resilience.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.7 1.8
Measure profile
Name Marketing of resilience to both private and public organisations to enhance level
of awareness and develop market
Measure ID 48 Industry status Future
Relevant good
practices
Description
Launch awareness campaigns targeted at specific sectors and the respective decision-makers.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.3 2.2 1.2
Measure profile
Name Regulators to check the availability of necessary functions at the level of VMNOs in order to ensure resilience measures are provided
Measure ID 49 Industry status Future
Relevant good
practices
Description
Resilience requirements to be fulfilled by VMNOs have to be part of their service provision according
to regulatory requirements.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.5 1.5 1.8
Costs of resilience and performance indicators
Measure profile
Name Establish criteria (qualitative and quantitative) to measure resilience
Measure ID 50 Industry status Future
Relevant good
practices
Within an organization, there are specific measures to characterise resilience in
the various parts of the network and the organization. Risk assessment and BCP
teams are responsible for maintaining an end-to-end picture and proposing
relevant measures in weaker areas.
Description
It is necessary to establish criteria (qualitative and quantitative) to measure resilience. The
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 50
establishment of a set of common performance indicators would lead to two advantages: it would
allow for the exchange of information and also agreement on the same concepts. This is a very critical
task for an organization to ensure self-awareness and adoption of the appropriate measures.
It would be useful to frame resiliency and BCM in terms of outcomes (what can be done if you have a
problem) rather than using ‘85% completed’ type figures.
Moreover, the VWG saw the possibility of deriving performance indicators which could be shared
anonymously and these might include:
the % of IT budget to security
the security awareness budget per employee (expressed in monetary terms)
% turnover to network resilience
% BC (business continuity) to network resilience
% of employees working on BC who belong to IT areas
% of external employees working on BC
rotation of external employees working on BC
average hours of training on network resilience per employee working on BC
the % of incidents with an impact on clients of more than 1 hour.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.7 1.8 2.3
Measure profile
Name Generate a flexible operational framework for gathering data on resilience
performance measures to enable a confidential benchmarking exercise to take
place (see also KPIs)
Measure ID 51 Industry status Future
Relevant good practices
Shared good practice: some operators make use of such benchmarks internally between their own networks in order to share best practice and ensure a proper level of resilience.
Description
Data on security incidents, measures, threats and risks have to be prepared. The activities of security
or resiliency teams have to be actively communicated to maintain the necessary awareness of the
(good) work that is being performed (eg, to counter the attitude that ‘everything runs smoothly, so
why do we need a security investment?’).
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.0 1.9 2.3
Third parties and outsourcing
Measure profile
Name Outsourcing should be restricted to the ‘do’ or eventually to the ‘act’ dimensions.
‘Plan’ and ‘check’ should stay within the company as they are steering activities.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 51
Measure ID 52 Industry status Implemented
Relevant good
practices
Successful outsourcing agreements rely on appropriately planned contracts and
SLAs and the ability of the operator to control and enforce the SLA.
Description
Outsourcing, if not properly designed and controlled, may deliver gaps in resilience. The act of
outsourcing is a cost-efficiency initiative, but avoiding resilience gaps must not be considered a cost
centre. The first point of attention when deciding to engage a third party is the detailed selection and
definition of the scope of the contract by cautiously selecting the activities to be outsourced. The
organisation should not lose the ability to control the process and the assurance that it delivers as
expected. A useful approach to this end is the separation of the activities into the four phases of the
PDCA model (plan–do–check–act). Activities that fall under the ‘do’ phase are the first candidates for
outsourcing. The organisation has the process under control through the activities that are part of the
‘plan’ phase and can provide assurance on the delivered outcome through the activities taking place
in the ‘check’ phase. The activities under the ‘act’ phase require careful consideration as they
constitute the basis for improving business processes and locating the causes of inefficiencies, but at
the same time they can benefit from knowledgeable external consultants.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.8 2.0 2.4
Measure profile
Name Third party contracts must address topics relevant to security and resilience
within an SLA
Measure ID 53 Industry status Implemented
Relevant good
practices
Shared good practice: standard practice in contracts. All contracts are reviewed by
the security department, which is considered a standard requirement from third
parties.
Description
Topics that must be addressed within the SLA, besides the exact description of the service to be
delivered, are: information security requirements, physical security requirements, BCM requirements
and the engagement of third parties in the plans and expected performance levels, training and
awareness requirements, and legal requirements.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
1.6 1.9 2.9
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 52
9. Regulatory challenges Telecommunications networks and the provision of their services are regulated at the EU level
through directives and at the national level with more specific laws. Over the years, the regulations
and corresponding laws have been changing in attempts to address several issues such as telecoms
liberalisation, online crime, collaboration with law enforcement and privacy issues for end-users.
Synchronisation of the EU level directives with their adoption at the national level is subject to the
approaches taken by the individual Member States, which are influenced by their cultures and
constitutions, the interpretations of their law-makers and the needs of their markets. This situation
illustrates the lack of EU harmonization on regulatory requirements for networks that seriously
obstructs standardisation (which is what networks are built on) or even makes it next to
impossible to achieve (R01).
For example, the data protection retention laws, if not carefully weighted, can affect the ability to
plan due to the unavailability of historical traffic data. At the other extreme, there is the potential to
overload the systems with inordinate data collection and retention. This also increases the
implementation costs of the logging systems. Implementation of lawful intercepts and monitoring
capabilities introduces similar concerns.
It is thus obvious that a network spanning more than one EU Member State may be required to
implement contradictory laws. Overall, regulation complexity may have impacts that increase the
vulnerability of the implementation of fibre or facilities, voice or data, systems and products.
Regulatory challenges: measures
Measure profile
Name Promote harmonized regulatory initiatives that complement, support and
encourage resilient organisations
Measure ID 33 Industry status Current
Relevant good
practices
Description
Liaise with governments to proactively shape regulatory initiatives to reflect the actual profile
of the risks.
Harmonize regulatory requirements for resilience in EU members.
Measure rating (Low =1 , Medium=2, High=3)
Time to implement Implementation cost Impact on resilience
2.4 1.8 2.2
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 53
10. Conclusions This virtual working group (VWG) gathered experienced professionals together from network
operators throughout the EU Member States to discuss the challenges posed by resilience in public
communication networks. Our discussions exposed out many of these challenges and the efforts of
the network operators to address them. Despite the limited resources available, the group managed
to address a wide range of challenges and to provide valuable results.
Arriving at a common understanding of the key definitions for public communications networks and
resilience was a much needed step to successfully frame the work of this group and identify what
can be useful targets for resilience-related activities at the European level. Through the resilience
targets set, each category of stakeholders – be they network operators or authorities – can identify
the key activities and roles needed to successfully deal with the goal of resilient public
communications networks, both nationally and on a Europe–wide scale.
The challenges that were identified show that many things need to be done towards achieving
and/or sustaining the targets for resilience. At the same time, it became evident that achieving these
targets is not solely in the hands of network operators nor is it feasible in a single step. Rather, it
consists of a collective effort by multiple players that has to be undertaken at various levels (eg,
technological, organisational, legal, etc). Furthermore, the environmental aspects and challenges
described in the business and regulatory challenge areas depict the difficulty of undertaking large
investments in resilience without jeopardising the stability of organisations.
At the end of the day, network operators have to be profitable organizations. As they operate in a
highly competitive environment, this leads to a strong focus on lucrative marketing activities and
optimized investment plans. Stimulating market growth to sustain improvements in resilience is
much needed in this area. To this extent, the development of metrics to reflect the increase in both
resilience and ROI can be considered of key importance. In addition, supplying sufficient information
to regulators to promote resilience-friendly initiatives and regulation is also required.
The picture was completed by further challenges in the four areas identified: (physical)
infrastructures, technology platforms, operational processes and people, and organisational
continuity. Without a doubt these are areas where activities should be undertaken and measures –
some of them identified by the VWG – can be implemented to successfully cope with the challenges.
Diversity, density and sufficient capacity are central issues for infrastructures such as physical cable
routings, cable landing stations, fibre border crossings, backhaul connectivity and IXPs. The rating of
measures we undertook shows that mitigation of the risks to resilience should be directed towards
transparency in the infrastructures, the development of KPIs for resilience, and collaboration with
national authorities for critical infrastructure. Standard information security practices (ie, good
practices) should be also considered for the effective mitigation of risk at low costs.
Technology platforms offer their own challenges and, while innovation is the corner stone of their
evolution, the assessment of their maturity is still a primary challenge. Protection of the core
protocols from attacks is crucial in avoiding systemic failures. Vendors are required to support
technologies in all the steps of a project by explicitly addressing protection and overall resilience.
This includes assessing the risks and implementing their mitigation. Network providers must pay
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 54
attention to the whole life-cycle of all technologies and equipment used. At an early stage, new
project teams must be equipped with expertise in resilience, business continuity and information
security, and deployments need to include incident detection and management capabilities.
Operational processes need to follow existing standards and good practices in order to maintain
their effectiveness during security incidents, and to provide good integration and interoperability. In
particular, good practices for interconnection operations and maintenance are mentioned. Such
good practices are also helpful in addressing personnel learning curves for new skills and, coupled
with effective work instructions, can minimise errors and long recovery times.
The propagating effects of faults and attacks across networks require information sharing and good
communication across organisations for effective mitigation. This is even more challenging when it
involves organisations in different countries. With operational risks constantly increasing through
new threats appearing in the technology area, measures for mitigation are very important. Shutting
down or quarantining users is currently used to protect from relevant threats and it marginally
passes the threshold for being rated as very effective. At the same time, dedicated cyber threat
detection and mitigation capacity is a current measure that is seen as extremely important, though a
very costly one. An additional EU-wide monitoring and early warning system on external threats
would be a potentially very important improvement for handling risks. The need for resilience
metrics and KPIs is again documented and some members of the group actually undertake internal
benchmarking exercises to ensure a proper level of resilience.
Regarding the challenge area of organisational continuity, several counter-measures are relevant to
achieving better foresight for emerging risks and threats and in understanding the domino effects of
inter-dependencies with other critical infrastructures. A mature internal organisation will seek
continuous improvement and strike a balance between policies and practices. In addition, it is
broadly understood that co-ordination is needed for actions beyond the borders of a single
organisation. Again, the group believes that the EU and Member States have a vital role to play.
Yet, it is pointed out that authorities and customers are not completely aware of the requirements
imposed on them and thus they cannot check their fulfilment; consequently the steering of activities
relating to resilience is cumbersome. Extra motivation is needed to ensure individual organisations
and involved stakeholders contribute their part of the shared responsibility, especially where
measures in mitigation span areas of responsibility.
Facilitating regulation and public funding can support the implementation of counter-measures.
Other areas where such measures are still not delivering the desired results are: slow
communication, and decision-making structures that support emergency response and business
continuity where limited uptake of complex exercises limits the assurance of plans for continuity. For
these challenges, many of the counter-measures are rated as future enhancements, while others
have a mixed level of adoption by the industry. At the same time, many of these measures are
characterised as time consuming.
At national and EU levels, the following measures were identified as important:
pan-European coordination for cross-border risks, including required funding
collaboration with national authorities for the protection of critical infrastructure
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 55
promotion of regulatory initiatives that complement, support and encourage organising to
ensure resilience
establishing or participating in emergency plans for national infrastructure
tracking the exposures of technology platforms and progress in mitigation
tracking disruptions to infrastructure and utilities at EU or national level
identification of the levels of resilience required in critical infrastructures
establishing a volunteer ‘virtual’ database of cable infrastructure to protect against accidents
during digging works.
The challenges discussed, relevant threats and measures can play an important role in shaping a
picture of the hurdles every network operator, regardless of size and maturity, will have to face in
several cases. The proposed ratings for measures can help resilience managers in network providers
understand the trends in the mitigation of resilience in the industry. When combined with the
targets for resilience presented in this work, this information can set the first-level vision for
resilience in public communication networks. Further elaboration of the information provided can
be the starting point for forming a constructive agenda of collaboration between public and private
stakeholders in the area of resilience.
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 56
Annex A: Measures ratings The table in this Annex provides an overview of the identified measures and ratings. In addition, mapping to the relevant challenges is provided. The right
most part of the table contains the measure rating calculated on the basis of a confidential rating exercise completed by the majority of the group
members. When interpreting these ratings you should take into account that they are based on the perception of the experts and not in official corporate
data. The intent of this effort is to provide indications and directions; thus interpretation of this table as a prescription for solutions to problems in
resilience is to be avoided. Please consult the section, About the measure rating, in Chapter 2 for help in reading and understanding the ratings.
Measures & Challenges Measure rating
ID Title Challenge IDs
Tim
e t
o
imp
lem
en
t
Co
st
Imp
act
on
re
silie
nce
Ind
ust
ry
stat
us
1 Shared infrastructure management responsibilities I07 I08 2,3 1,7 2,3 I
2 Critical assets (including shared infrastructure and third party services) are within the scope of information security management
I01 I02 I06 B08 B09 2,3 2,0 2,5
C
3 Shared infrastructure components included in risk assessments and business impact assessments
I01 I02 I03 I04 I08 C06 2,4 2,0 2,4
I
4 Shared component (infrastructure or service) audits results are communicated to the users
I01 I02 I03 I06 I08 O05 2,0 2,0 1,1
F
5 Shared infrastructure incidents reporting is a mutual obligation, requiring appropriate interfaces and procedures
I06 I08 O07 O08 1,5 1,6 1,3
CF
6 Shared infrastructure or co-location - develop resilience ratings and KPIs I01 I02 I03 I07 O05 B03 2,0 1,8 2,0 C
7 Transparency of shared physical infrastructures and identification of critical parts
I01 I02 I04 O05 1,8 1,7 2,1
I
8 Owners of critical infrastructure components establish and maintain permanent trustworthy communication channels
I08 C07 2,4 1,7 2,6
CF
9 Exercises include communication channels and emergency plan testing with inter-dependant critical infrastructures
I06 C09 C11 2,2 2,5 2,4
F
10 Participate in forums addressing cross-organisational collaboration issues I08 C06 C11 1,3 1,2 1,5 I
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 57
11 Collaborate with national authorities for critical infrastructure protection I08 C06 C11 1,8 1,3 2,3 IC
12 Interconnection & peering, operation and maintenance good practices I05 I06 O06 O07 1,8 1,6 2,0 I
13 Interconnections & Peering code of ethics I05 O08 B07 2,0 1,3 1,2 F
14 New technologyplatforms are assessed for resilience features and compatibility
T01 T02 T08 2,6 2,7 3,0
I
15 Risk Management used for critical components and processes T03 T04 O05 2,2 2,0 2,4 IC
16 End-point security practices, awareness raising T07 2,5 2,0 1,7 C
17 End-point access shutdown or quarantine T07 O05 O05 1,4 1,6 2,2 C
18 End-user notification of incidents T07 1,8 1,4 1,3 F
19 End-user incentives for practicing secure computing T07 1,5 1,3 1,6 C
20 Incident reporting and communication to stakeholders I06 I08 1,9 1,3 1,5 C
21 Operational processes are integrated with established information flows O01 2,3 2,1 2,7 I
22 Cyber threats detection & mitigation is a high priority assigned specific resources
O02 O06 2,5 2,7 3,0
C
23 Operations & Network Management personnel participate in schemes for knowledge sharing with vendors
O02 O03 O05 O08 B06 1,6 1,3 1,8
I
25 Operations and network management uptake and usage of existing standards and best practices
O01 O02 O03 O05 2,0 2,1 2,8
C
26 Design documentation of procedures and work instructions for effective use under high pressure
O02 B06 1,5 1,5 2,4
IC
27 Operational process measurements for resilience indicators are routinely collected analysed and acted upon
O05 O02 1,8 1,6 2,5
F
28 Network monitoring is used and data analysed and acted upon O06 O05 2,0 2,3 2,7 IC
29 Proactively structure operational responses for incidents requiring third party participation
O07 C09 C11 B09 C13 2,2 2,2 2,0
F
30 Business continuity organisation aims for continuous improvement C01 C02 2,2 2,2 2,7 IC
31 BC Organisation seamlessly integrates organisational and operational resiliency
C02 C03 C04 2,3 2,2 2,6
C
32 Resilience responsibilities are part of professional behaviour & societal responsibility
C05 C08 C09 C12 2,3 1,8 2,4
C
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 58
33 Promote regulatory initiatives that complement, support and encourage resilience organisation
C07 C09 C10 C12 R01 2,4 1,8 2,2
C
34 Balanced pro-active and re-active strategies C01 C03 C05 C13 2,0 1,9 2,2 IC
35 Extroversive attitude to addressing high magnitude incidents (cross sector communication, coordination and collaboration structure)
C06 C07 2,5 2,1 2,7
C
36 EU wide monitoring and early warning on external threats C01 C04 C07 O08 2,0 1,8 2,4 C
37 Establish / participate in National infrastructure emergency plans C06 C07 C10 2,5 2,4 2,3 IC
38 Pan-European coordination for cross-border risks C07 C10 C11 2,6 2,2 2,4 F
39 Volunteer “virtual” database of cable infrastructure against digging works accidents
I01 C07 C10 1,8 1,4 2,3
F
41 BC exercises –Senior management awareness C12 1,7 1,3 1,9 C
42 BC exercises of non-technical parts of the plan C13 2,3 2,0 2,1 ICF
43 BC exercising tactics to increase trust in technology and minimise failure probability
C12 C13 2,0 1,8 2,2
ICF
44 Assurance of business continuity preparedness C13 2,3 2,1 2,3 IC
45 Assess & promote customer awareness of resilience issues and needs B01 B03 B04 2,2 2,2 1,5 F
46 Identify levels of resilience required in critical infrastructures B01 B03 B05 C07 2,0 2,0 2,5 C
47 Communicate to customers the resilience characteristics of the service B01 B02 B03 B05 2,0 1,7 1,8 C
48 Marketing of resilience for both private and public organisations to enhance level of awareness and “generate” market
B01 B02 B03 B04 2,3 2,2 1,2
F
49 Regulators should check the availability of necessary functions at the level of VMNOs in order to provide resilience measures
B05 1,5 1,5 1,8
F
50 Establish criteria (qualitative, quantitative) to measure resilience B04 B05 O05 1,7 1,8 2,3 F
51
Generate a flexible operational framework for gathering data on resilience performance measures to enable a confidential benchmarking exercise to take place (see also KPIs)
B03 B04 O03 O05
2,0 1,9 2,3
F
52
Outsourcing should be restricted to the “Do” or eventually “Act” dimensions, Plan and Check should stay within the company as they are steering activities
B07 B08 B09
1,8 2,0 2,4
I
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 59
53 Third party contracts must address topics relevant to security and resilience within an SLA
B07 1,6 1,9 2,9
I
54 Infrastructure interdependencies – Focus on identifying practical issues and risk mitigation
I08 C07 C09 2,0 2,0 2,8
F
55 Life Cycle - Design & Implementation: New project teams include Resilience, BC, RM, IS experts
T03 C03
2,2 2,2 3,0 C
56 Life Cycle - Design & Implementation: Vendor RFIs and RFQs explicitly request resilience considerations to be addressed
T01 T02
1,7 1,7 2,4 I
57 Life Cycle - Design & Implementation: Vendors to deliver risk assessment report and risk mitigation practices for new deployments
T03 T05 O05 1,8 2,0 2,6
C
58 Life Cycle - Design & Implementation: Full Integration with OSS/BSS is part of all deployment projects
T02 T03 O01 O02 2,5 2,7 2,6
I
59 Life Cycle - Design & Implementation: New platforms assured compatibility with existing infrastructure
T03 T04 2,3 2,6 2,9
I
60
Life Cycle - Commissioning & Acceptance: Technology platform deployments establish Incident detection, response and Incident Management early in the process.
T03 T05 O05
2,2 2,0 2,4
IC
61 Life Cycle - Commissioning & Acceptance: Technologyplatform acceptance testing incorporates resilience features of the system
T02 T03 C12 C13 2,0 2,2 2,3
I
62 Tracking of technology platform exposures and mitigation at EU level C04 C09 2,0 2,0 2,5 C
63 Tracking infrastructure and utilities disruption at EU or National level C06 C09 1,8 1,5 2,4 CF
66 Funding of umbrella resilience measures C09 C10 2.0 1.0 1.67 F
68 Crisis/Incident Management Organisation C02 C04 1,8 1,8 2,6 IC
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 60
Annex B: EU / Member State level measures
ID Title
Tim
e 2
Imp
l
Co
st
Imp
act
on
Re
silie
nce
Ind
ust
ry
Stat
us
10 Participate in forums addressing cross-organisational collaboration issues 1,3 1,2 1,5 I
11 Collaborate with national authorities for critical infrastructure protection 1,8 1,3 2,3 IC
33 Promote regulatory initiatives that complement, support and encourage resilience organisation 2,4 1,8 2,2 C
36 EU wide monitoring and early warning on external threats 2,0 1,8 2,4 C
37 Establish / participate in National infrastructure emergency plans 2,5 2.4 2.3 IC
38 Pan-European coordination for cross-border risks 2.6 2.2 2.4 F
39 Volunteer “virtual” database of cable infrastructure against digging works accidents 1.8 1.4 2.3 F
46 Identify levels of resilience required in critical infrastructures 2.0 2.0 2.5 C
49
Regulators should check the availability of necessary functions at the level of VMNOs in order to provide resilience
measures
1.5 1.5 1.8 F
54 Infrastructure interdependencies – Focus on identifying practical issues and risk mitigation 2.0 2.0 2.8 F
62 Tracking of technology platform exposures and mitigation at EU level 2.0 2.0 2.5 C
63 Tracking infrastructure and utilities disruption at EU or National level 1.8 1.5 2.4 CF
66 Funding of umbrella resilience measures 2,00 1,00 1,67 F
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 61
Annex C: Mapping Measures to Challenges
Infrastructure Challenges & Measures
ID Description Measures ID
I01 - Logical diversity v physical
cable routing density and
separacy
a high number of logical connections over far fewer and more densely routed
physical cables are generating diverse logical architectures in which separacy
in the routing of physical cable is not assured
02 03 04 06 07 39
I02 - Limited diversity, Capacity
& pinch points, backhaul, cable
landing stations, cable border
crossings, submarine cables
Limited diversity and capacity of cable landing stations, submarine cables,
backhaul connectivity and border crossing locations can jeopardise backbone
connectivity.
02 03 04 06 07
I03 - EU traffic concentration at IXPs and high magnitude events
Especially when considering threats of high magnitude IXP diverse locations
in the same city or even in the same country may just not be enough for
those locations that service an important percentage of the EU traffic.
03 04 06
I04 - private interconnections,
unknown effects to resilience
it is not possible to identify and take into account the effects of private
interconnections to the resiliency without an extensive involvement of the
industry.
03 07
I05 - Interconnection/peering = Location, Protocol, Policy
While the physical aspects of the interconnection have been discussed in this
section the protocol and policy aspects need also to be taken into account.
12 13
I06 - Shared risks of poor
infrastructure management
When vulnerabilities arise from poor management and maintenance
practices, these will affect all services of all users sharing this component.
02 04 05 09 12 20
I07 - Shared Infrastructure,
majority vote = cumbersome
vulnerability management
Cumbersome handling of vulnerabilities may arise where a majority vote of
different organisations is required to implement an overall mitigation /
resilience strategy.
01 02 06
I08 - Infrastructure
management, individual vs.
collective responsibility for
mitigation
Handling of shared risk requires extra motivation to enable infrastructure
management to see through the individual responsibilities and act
collectively for the mitigation.
01 03 04 05 08 10 11 20 54
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 62
Technology Challenges & Measures
ID Description Measures ID
T01 - Emerging technologies = unknown impact to resilience
Emerging technologies whose impact on the resilience of the current
telecommunication infrastructures is currently unknown
14 56
T02 - Assessing the maturity of techs and implementations
Assessing the maturity of the technologies themselves as well as the
maturity of the implementations can be extremely hard.
14 56 58 61
T03 - New techs & Implementations bring functionality & vulnerability
while new technologies offer solutions to well known problems they still
introduce new vulnerabilities that need to be identified and addressed
15 55 57 58 59 60 61
T04 - Old technologiesissues, scalability, vulnerable, costly maintenance
Older technologies may be limiting the network in terms of scalability or
contain vulnerabilities that may not be feasible to address
15 59
T05 - IP Control plane retrofitted with functionality
As the control plane of IP networks is retrofitted with more functionality
new threats and vulnerabilities are certain to surface.
56 57 60
T07 - End point devices used for attacks
In this respect the security of the network and of customer end point
devices has been identified as a major challenge
16 17 18 19
T08 - Late standardisation & interoperability testing
It is a fact that interoperability testing between different vendor solutions
and standardisation lacks behind the deployments
14
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 63
Operations Challenges & Measures
ID Description Measures ID
O01 - Standardisation & Technology- Process integration
standardizing procedures and achieving the full integration of the network management processes with the changing network is a continuous challenge.
21 25
O02 - Complexity and integration=Many human errors, slow recovery
As a consequence of the complexity and the integration mismatches the probability for failures and human error increases as well as the duration of the problem resolution.
22 23 25 26 27 58
O03 - New skills, human learning curve
challenge of human factor due to the low experience of personnel for the first period of technology introduction
23 25 51
O05 - Operational risk variety The current (network management) processes need to be adapted to handle the blur areas of operational risk from operational maintenance and fault resolution, resilience / BC plans, to maintaining the various proprietary platforms through the lifespan of the technology
04 50
06 51
07 57
15 60
17 23 25 27 28
O06 - Cascading impact of operational errors (e.g. BGP mis-configuration)
network disruptions of small networks or providers can have an impact on the operations of larger one;
22 28 12
O07 - Operational processes do not reflect network infrastructure inter-dependency
Organisations are interdependent for addressing those threats and risks reaching beyond organisational boundaries,
22 24 29 05 12
O08 - Cross border operator presence, info sharing, communication and collaboration
Communication, information sharing and collaboration are a key challenge especially because of the global nature of the network and cross border and international operator presence.
05 13 23 24 36
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 64
Commercial – Regulatory Challenges & Measures
ID Description Measures ID
B01 - Limited customer spending in resilient services
still there seems to be limited customer preparedness for spending that would support the development of resilient services
45 46 47 48
B02 - New development priority over resilience
resiliency is considered as a cost centre and investments are usually prioritised towards the development of new services and functionalities due to tough competition from other operators.
47 48 64
B03 - Lack of resilience KPIs - ROI
It is important to be able to quantify the financial impact and ROI of resilience measures, but appropriate KPIs are lacking
45 46 47 48 51 06
B04 - Resilience expenditure must prove business benefit
The key to selling resiliency internally is to provide quantitative figures that demonstrate business benefit.
45 48 50 51
B05 - Resiliency in VMNOs pressed by budget
This means that resilience issues or requirements may be addressed in insufficient ways due to pressure in keeping costs low.
46 47 49 50
B06 - Rapid deployments = limited internal know-how
In house know-how and experience on new services and technology, if available, is limited, at least initially
23 26
B07 - Multitude of contracting agreements (SLAs)
In order to properly manage all categories of third parties involved in service provision, numerous kinds of contracts and contract fulfilment practices have to be developed.
13 52 53
B08 - Critical consultants as single point of failure
Identifying critical consultants that must be subject to internal human resource management practices is not always straightforward.
02 52
B09 - Difficulties of due diligence in outsourcing
the due diligence of these relationships when it comes to security (and hence resilience) is rather limited.
02 29 52
R01 - Lack of harmonization in EU regulations obstructs standardisation
The lack of EU harmonization on regulatory requirements for networks that seriously obstructs standardisation (which is what networks are built on) or even makes it next to impossible to achieve
33
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 65
Continuity – Regulatory Challenges & Measures
ID Description Measures ID
C01 - Limited foresight to
emerging and future risk and
threats
There must be the ability to proactively recognise and adapt to changes that may lead to disruption in either a slow or abrupt way.
30 34 36
C02 - Effort to balance policies
and practices/processes
This illustrates the difference between policies (good for strategy) and process (good for operational reactive actions). What is needed is the alignment of practice with policy.
30 31 68
C03 - Projects may miss
resilience considerations /
expertise
It is thus necessary to get designers and security people together when technological, implementation or business projects are in their infancy
31 34 55
C04 - Resiliency management
needs multi-discipline teams
not easily available
The variety of threats affecting infrastructure, people, processes and technology demands that people with diverse backgrounds need to be engaged to successfully manage resilience and respond to incidents
31 36 62 68
C05 - Crisis staffing
requirements
a critical mass of people must be available to handle process and manage data, infrastructure and technology.
32 34
C06 - Network failures can
cause a domino effect
a failure of networks can be a cause of failure for their own dependencies in other sectors. Understanding (inter-)dependencies is critical in avoiding domino failures that have society-wide consequences
03 10 11 35 37 63
C07 - PCN continuity cannot be
scoped on organisational
boundaries
continuity organisation for the resilience of public communication networks cannot be restricted within the boundaries of organisations owning and operating the networks
08 33 35 36 37 38 39 46 54
C08 - Authorities, customer
fuzzy requirements and
direction
Even when engaging customers and authorities it is difficult for these stakeholders to inspect their requirements and control their interest
32
C09 - Borders of responsibility
jeopardize collective mitigation
additional motivation to enable infrastructure management to see beyond their individual responsibilities and act collectively for mitigation is required
32 33 62 63 66 09 29 54
C10 - Ownership and cost of
coordinating EU wide resilience
Taking up the responsibility to scope continuity activities for the good of EU citizens and bear the costs of such coordination is a major challenge.
33 37 38 39 66
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 66
C11 - Slow communication and
decision making
the increasing number of parties and levels of authority lead to increased complexity and slow communications and decision making.
09 10 11 29 38
C12 - Management reluctance
to tackle risks of BC testing
Limited senior management attention to full scale BCM testing as this might have a disproportional impact on service delivery.
32 33 41 43 61
C13 - Limited assurance of BC
plans
This situation (limited exercises) adds an additional challenge with regard to the effectiveness of existing BC plans within and between organisations.
29 34 42 43 44 61
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 67
Annex D: Mapping Threats to Challenges
Threats 2 Challenges
Infr
astr
uct
ure
Tech
no
logy
Op
erat
ion
s
Co
nti
nu
ity
Co
mm
erci
al
Re
gula
tory
Resources (e.g. technical/organisational components, staff, buildings, etc.) as Single-Points-Of-Failure
X X X
Unavailability of, problems with Shared Infrastructure (Buildings/ROW) X X
Failing of ROI/Financial Investment X X
Infrastructure degradation (non-malicious) X X
Ineffective, immature Operations/Service Management X X
Ineffective, immature Capacity /Inventory Management X X
Ineffective, immature Change/Configuration Management X X
Human error X X X X X
Ineffective, immature Human Resource Management X X X X
Ineffective, immature Continuity Planning X X X X X
Power/Facility failures X X X X
Ineffective, immature Technology Maintenance (Hardware/Software) X X X
Poor implementation design X X X
Ineffective, immature Network/Systems Management X X X X X
Ineffective, immature Out-Network-Management, problems with Interconnects X X X X
Internal Security threats X X X X X
Problems with peering/transit X X X
Loss of data integrity X X X X X
Network Management process unavailability (due to facility failure or other incident affecting OSS)
X X X X
Lack of awareness regarding resilience issues (added retrospectively) X X X
ROW (Public/Private) degradation/disruption X X X X
Physical malicious disruption/attacks (direct/indirect) X X X X X
Infrastructure disruption (non-malicious) X X X X X
Environmental influences (e.g. weather, radiation, earthquakes, etc.) X X X X
3rd Party failures (contracted/non-contracted) X X X X X
Unfavourable market conditions X X X
Non-compliance to regulatory requirements (direct/indirect) X X X
Imprecise, misleading regulatory definition (direct/indirect)
Unavailability of, problems with Shared Infrastructure X X X X
Shared infrastructure failures (peering exchanged/capacity) X X X
Shared infrastructure failures (transit/peering) X X X
Malicious disruption/attacks (direct/indirect) X X X X X
Network malicious attacks, malware, exploits, affecting the integrity of core network components, such as routers
X
Network malicious attacks, DDOS affecting critical network elements X
Network Hardware/Software failures/degradation X X X X
Technology failures X X X X
Technology failures/BUGs X
Police/Agency intercepts (direct/indirect) X X
Fraud (Telephony/VOIP) X X X X
Network Resilience and Security: Challenges and Measures
22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 68
Fraud (IP/VOIP) X X X
Fraud/Phishing X X X
Network Malicious Attacks (Malware, SPIT, etc.) X X X
Malware/Access and code attacks X X X X
ET16 External partner is lacking awareness of resilience issues (added retrospectively)
X X X
Operational errors exacerbated by frequent changes of the operating environment (technology/network evolution)
X X
Sabotage / Insider threat X X
Bogus HW/SW implementations X
Introduction of zero-days vulnerabilities due to the new components and changes in configurations.
X
Late problems detection (e.g. late detection of problems delay the initiation of crisis management procedures)
X
Inadequate/immature measures to contain threats DoS, SPAM, SPIT X
Deciding on common resilience requirements periodical readjustment and customization
X X
Planning and deployment efforts to accommodate each participating operator's capacity needs as well as resilience
X
The loss of infrastructure diversity and thus resilience that provides the presence of separate base stations, for each operator
X
BGP mis-configuration X
Lose the control of the services and infrastructures, loss of technology platforms integrity, the network nodes are “owned” by adversaries
X
Ineffective monitoring of third parties X
Uncontrolled sub-contracting practices by third parties X
Unethical behaviour of third party X
Over dependence / lock-in on a single contractor for network provision/operation.
X
SLA violations; regulation/law violations X
Overestimating the costs of countermeasures /underestimating the impact of failures
X
ct of failures X