network resilience and security: challenges and measures · 2017-10-03 · network resilience and...

Network Resilience and Security:

Challenges and Measures

Report of the ENISA Virtual Working Group on

Network Providers’ Resilience Measures

December 2009

Page ii

Change History

Version Date Editor Description

1.0 22/12/2009 ENISA - Initial Release. Based on 4.6.1-proof-read + comments 4.6.3

Page iii

Virtual working group members

Carpio, Manuel Telefonica, Spain

Chataignon, Jean-Luc FT-Orange, France

Clarke, Dave Telefónica O2, UK

Constantin, Daniel SC Romtelecom SA, Romania

De Lutiis, Paolo Telecom Italia, Italy

Gomez, Juan Carlos Telefonica, Spain

Lockwood, Shaun BT,UK

Markoulidakis, Yannis Vodafone, Greece

Stevens, Joe Interoute, Czech Republic

Strakadounas, Kostas Forthnet, Greece

Tinguely, Nicolas Swisscom, Switzerland

Van Leeuwen, John KPN, The Netherlands

ENISA Secretariat:

Koutsouris, Charalampos

Dr. Marinos, Louis

Page iv

Table of Contents

Executive summary .............................................................................................................................. 1

Goals and target audience ................................................................................................................... 3

1. Introduction ................................................................................................................................ 5

Definitions used in this work ................................................................................................................ 6

Abbreviations ....................................................................................................................................... 7

Problem statement............................................................................................................................... 7

Scope, objectives and outcomes ........................................................................................................ 10

Approach ............................................................................................................................................ 11

How to use this document ................................................................................................................. 12

2. Public communication network challenges and counter-measures ......................................... 14

About the measure ratings ................................................................................................................. 15

3. Infrastructure challenges .......................................................................................................... 17

Infrastructure challenges: measures .................................................................................................. 19

4. Technology platform challenges ............................................................................................... 25

Technology platform challenge: measures ........................................................................................ 27

6. Operational process and people challenges ............................................................................. 32

Operations challenges: measures ...................................................................................................... 33

7. Organisational continuity challenges ........................................................................................ 37

Organisational continuity: measures ................................................................................................. 39

8. Commercial challenges ............................................................................................................. 46

Commercial challenges: measures ..................................................................................................... 48

9. Regulatory challenges ............................................................................................................... 52

Regulatory challenges: measures ....................................................................................................... 52

10. Conclusions ............................................................................................................................... 53

Annex A: Measures ratings ................................................................................................................. 56

Annex B: EU / Member State level measures .................................................................................... 60

Page v

Annex C: Mapping Measures to Challenges ....................................................................................... 61

Annex D: Mapping Threats to Challenges .......................................................................................... 67

Network Resilience and Security: Challenges and Measures

22 Dec. 09 ENISA Virtual Working Group on Network Provider Resilience Measures Page 1

Executive summary The lengthy experience of telecom operators has indicated that certain processes and measures

associated with resilience, business continuity and security are mandatory for ensuring appropriate

levels of performance in business operations. All operators agree that these topics are very wide

ranging and that their application should match the nature of each particular operator and local

market conditions. In addition, any investment associated with these topics has an immediate

negative impact on profits and yet it is uncertain as to how, or if, a return on investment (ROI) can

be achieved. Thus, it is difficult for operators to assess the appropriate level of effort and cost that

should be allocated to these matters.

As a result, a wide variety of practices are applied by operators in terms of processes, organizational

structures, design principles and investments. In an attempt to provide a contribution on this

matter, ENISA established a virtual working group (VWG), consisting of representatives from various

European telecom operators, to undertake the task of elaborating on resilience, business continuity

and security issues.

The VWG has identified key challenges in the area of resilience which are common to most

operators. Relevant measures and, where possible, applied practices to counter these challenges

have also been provided. Key challenges were identified in the areas of infrastructures, technology

platforms, operational processes and people, and organisational continuity, as well as commercial

and regulatory challenges.

Members of the group have provided perceived ratings1, based on their experience, on the effort,

cost and time needed to implement the proposed counter-measures. These measures are relevant

both for authorities who need to implement supportive actions for resilience and for the network

providers who are aiming to align their approaches with the suggestions elaborated by the group.

In brief, the identified challenges and related counter-measures are as follows:

Infrastructures face challenges from increased density, limited diversity and in some cases capacity,

while increased shared risk highlights the importance of management and maintenance induced

vulnerabilities. Related counter-measures include:

transparency of shared physical infrastructures and identification of critical parts;

interconnection and peering, good practices for operation and maintenance;

defined responsibilities for shared infrastructure management;

shared infrastructure or co-location – development of resilience ratings and KPIs.

Technology platforms and innovation by the vendors is what produces evolution. However, late

standardisation and testing, integration mismatches, retrofitting functionality to protocols and

inherent security limitations in the protocols are examples of the challenges to be faced in this area.

Related counter-measures include:

1 The ratings and status of measures are average figures based on experts’ perception and don't reflect the

individual opinion of their organisations.



availability of resilience, business continuity, risk management and information security skills

within new project teams;

delivery of risk assessment information and risk mitigation practices for new deployments by

vendors;

platform deployment, including incident detection and incident management functions.

Operational processes and people need to adapt to complexity and to achieve the integration of

technology and processes. In the meantime, error probability and recovery times increase and are

further affected by the learning curve of personnel. Processes are not performing well when inter-

dependencies call for collaboration across organisational or country borders. At the same time,

networks are exposed to a larger variety of threats with potentially cascading impacts. Related

counter-measures include:

uptake and use of existing standards and best practices;

assigning high priority and specific resources to the detection and mitigation of cyber–

threats;

routinely collecting and analysing measurements for indicators of resilience and acting upon

them.

Organisational continuity is challenged by emerging threats that stress the pro-activeness of

organisations and their capacity to align practices with policies in a timely manner. At the same time

the resilience of public communications networks requires enlarging the scope of continuity beyond

the borders of a single organisation. Thus, coordination and the relevant costs have to be taken up

by authorities. However, at the moment, neither customers nor authorities can describe adequately

their needs or assess their fulfilment. At the same time, commercial limitations confine business

continuity exercises to desktop exercises or procedural testing, thus ensuring that the validity of

business continuity plans is also limited. Relevant counter-measures include:

establishment of a crisis incident management organisation;

establishment of ownership for the components of critical infrastructure and maintenance of

permanent trustworthy communication channels;

making responsibilities for resilience an inherent part of professional behaviour and societal

responsibility;

creating an extroversive attitude to incident response for high magnitude incidents (eg,

through cross-sector communication and structures for coordination and collaboration);

development of exercise tactics for business continuity that will increase trust in a minimal

probability of failure due to technology or people.

Commercial and regulatory challenges limit the capacity of network providers to invest in and

achieve higher levels of resilience in their networks. Currently, customer spending on resilience is

limited and network providers have no way to establish the actual ROI of their investments. Due to

customer demand, time to market and budgetary pressures, outsourcing contracts and SLAs are

increasing, thus making the establishment of due diligence a difficult task. Moreover, virtual mobile

network operators (VMNOs) are also pressed by higher budget limitations and resilience spending

may be questioned even more. At the same time, the lack of harmonisation in regulations obstructs

standardisation which is a primary need for building resilient networks. Relevant counter-measures

include:



establishment of criteria (qualitative and quantitative) for the measurement of resilience;

generation of a flexible operational framework for data collection on the performance of

resilience measures and the enablement of confidential benchmarking exercises;

restricting outsourcing to the ‘do’ or (eventually) ‘act’ dimensions, with ‘plan’ and ‘check’

steering the activities performed within the company;

defining third-party responsibilities for security and resilience in SLAs;

promotion by network providers of complementary regulatory initiatives to support and

encourage collective measures for resilience.

National and EU authority measures

Finally, the group identified a number of counter-measures that should be considered in terms of

national and EU-wide initiatives to coordinate resilience activities, including:

pan-European coordination for cross-border risks;

collaboration with national authorities for the protection of critical infrastructure;

promotion of regulatory initiatives that complement, support and encourage the

organisation of resilience measures;

EU-wide monitoring and early warning systems on external threats;

establishment or participation in national infrastructure emergency plans;

creating a voluntary ‘virtual’ database of cable infrastructure to protect against accidents

during digging works;

identification of the levels of resilience required in critical infrastructures;

infrastructure interdependencies – focusing on identifying practical issues and the mitigation

of risk;

tracking the exposures of technology platforms and mitigating them at the EU level;

tracking disruptions to infrastructure and utilities at the EU or national levels;

having regulators check the availability of necessary functions at the level of VMNOs in order

to provide resilience measures.

The challenges and counter-measures discussed can play an important role in shaping a picture of

the hurdles all network operators, regardless of their size and maturity, will have to face in several

cases. The proposed measure ratings can help resilience managers in network providers to

understand trends in the mitigation towards resiliency. When combined with the targets for

resilience presented in this work, this information can set the first level vision for resilience in public

communication networks. Further elaboration of the information provided can be the starting point

for forming a constructive agenda for collaboration between public and private stakeholders in the

area of resilience.

Goals and target audience

This document is intended for two categories of stakeholders in the resilience of public

communications networks. The first category consists of the decision-makers and resilience

managers of telecommunication organisations and Internet service providers (ISPs). This work can

be leveraged to compare and, if desired, to update their internal approaches to resilience with the

information provided by the experts of this working group. Ideally, the stakeholders will contribute

their experiences by providing feedback on this document and enriching areas where they can see a

potential for improvement.



The second category of stakeholders consists of policy-makers in the EU and Member States. This

stakeholder group has the opportunity to understand the perspectives of the industry on the

challenges to resilience and the current and future measures seen as appropriate for mitigating

these challenges. Measures that require an EU-wide approach and that can benefit from a broad

public and private partnership at the EU level are especially relevant to this group of stakeholders.



1. Introduction Telecommunication networks and information systems are an essential factor in economic and social

development. Computing and networking are now ubiquitous utilities, similar to the supply of

electricity, transport or water. At the same time the convergence of communication networks,

media, content, services and devices is growing, increasing the European Union's dependency on

these communications networks and the supporting infrastructure and technologies that sustain

them.

As a consequence, the telecommunications infrastructures constitute vital infrastructure and

communications platforms for Europe's citizens, corporations, industry and governments. A brief

review of the critical infrastructure sectors in the EU that have already been identified2 reveals the

extent of dependency (and in many cases interdependency) between industry sectors and the

communication networks.

ICT systems, such as SCADA and process control systems in the critical industry sectors of energy,

water, food, chemical and nuclear industries, demonstrate a vital dependency on resilient

communication networks. Financial and medical services require the timely exchange of information

for the execution of critical processing that may affect economic welfare and the protection of

human life. Terrestrial transport networks depend on communication networks to facilitate public

transport and the logistics of critical services for EU citizens. Air traffic control and tourism would not

function should communications networks be disrupted. Public order and emergency services

require communications to protect public welfare, as do national and local governments to maintain

order and administer government services for citizens. Any extended disruption to the

communications networks providing telephony and Internet services would result in civil unrest and

endanger the public welfare.

While in a person’s mind the communications network may seem to be just a single entity, in reality,

especially since the deregulation of communications, more and more telecommunication

organizations are part of the puzzle of the communications infrastructure both in the EU and

globally. What used to be a network owned by public entities is now owned mostly by private

companies, yet it is considered a public communications network. EU regulations recognise this

complexity in today’s communication networks and define a public communications network as ’an

electronic communications network that offers publicly available services’3.

Summarising the relevant EU definitions we can say that the expression public communications

network means an electronic communication network that is used wholly or mainly for the provision

of electronic communication services available to the public and that supports the transfer of

2 EU ECI sectors: Energy; Nuclear industry; ICT; Water; Food; Health; Finance; Transport; Chemical industry;

Space and research facilities. See Annex2, COM(2005) 576 final, GREEN PAPER ON A EUROPEAN PROGRAMME FOR CRITICAL INFRASTRUCTURE PROTECTION http://eur- lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0576en01.pdf 3

DIRECTIVE 2002/21/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 7 March 2002 on a

common regulatory framework for electronic communications networks and services http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:108:0033:0050:EN:PDF



information between network termination points, including network elements which are not active4.

It is clear that the definition of public communication networks does not differentiate public from

private networks on the basis of their ownership but rather on the types of traffic they convey. Thus,

a private interconnection between two internet service providers that is governed by a private

agreement and SLA arrangements is still a component of a public communications network as long

as the traffic conveyed through it is offered as a publicly available service.

The European Union’s dependency on public services provided through communications networks

demonstrates the need to ensure the resiliency of our networks. We use the term resilient to

characterise networks that ‘provide and maintain an acceptable level of service in the face of faults

(unintentional, intentional, or naturally caused) affecting their normal operation’5. In that respect, a

resilient network must exhibit the ability to protect itself from damage, sustain a minimum service

level when under load or a failure has occurred, and provide for effective and timely mitigation and

recovery mechanisms.

Our communication networks have been designed and built with redundancy and fault recovery

mechanisms that contribute to the high levels of availability reported by the operators. However,

the increased dependency of the EU on, and the complexity of, the communications networks that

provide public services require further assessment and the encouragement of best practices in

resiliency in order to improve network availability and protect against extended disruptions. In this

work, the virtual working group (VWG) explores the path to overcoming the barriers of the past and

reaching even higher levels of resilience.

Definitions used in this work

Challenge: is understood as an obstacle to achieving resilience. Furthermore, it can facilitate the

collapse of resilience targets through the materialisation of threats.

Public communications network: defines an electronic communication network that is used wholly

or mainly for the provision of electronic communication services available to the public and that

supports the transfer of information between network termination points, including network

elements which are passive (non active). Network components can be cabling systems for radio

wave transmission and power supplies, connectors, etc. (VWG definition – contributed by RAND

Europe)

Public communications network: means an electronic communications network used wholly or

mainly for the provision of publicly available electronic communications. (EU Regulations6)

4 Passive (non-active) network components can be cabling systems for radio wave transmission and power

supply, connectors, etc. 5 ENISA – Trust on Infrastructure – About Resilience http://www.enisa.europa.eu/act/it/inf/inf

6 For a more detailed definition of electronic communications network, electronic communications service,

please consult EU (DIRECTIVE 2002/21/EC

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:108:0033:0050:EN:PDF).

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:108:0033:0050:EN:PDF



Network resilience: ‘resilient’ characterises networks that provide and maintain an acceptable level

of service in the face of faults (unintentional, intentional, or naturally caused) affecting their normal

operation. (ENISA – Trust on Infrastructure)

User: any organisation providing a public communications network that uses a shared network

component or infrastructure.

End-user: any customer, being a physical or legal entity, that uses the transport service offered by a

public communications network for a fee.

TIER-1 networks: a network that can reach every other network on the Internet using multiple

interconnections without purchasing IP transit or paying settlements. (Adapted from Wikipedia)

Tier-2 networks: An Internet service provider who engages in the practice of peering with other networks, but who still purchases IP transit to reach some portion of the Internet. (Wikipedia)

Rights of way (ROW): allow an undertaking to install facilities on, over or under public or private

properties. When a competent authority considers an application for the granting of rights of way, it

must act on the basis of transparent procedures, applied without discrimination and without delay.

(Directive 2002/21/EC of the European Parliament)

Indefeasible right of use (IRU): is a contractual agreement between the operators of a

communications cable, such as a submarine communications cable or a fibre optic network, and a

client. An IRU “shall mean the exclusive, unrestricted, and indefeasible right to use the relevant

capacity (including equipment, fibres or capacity) for any legal purpose. (Wikipedia)

Abbreviations

IMS IP Multimedia Subsystem

IRU Indefeasible rights of use

BSS Business support systems

CAPEX Capital Expenditure

NETEX Network Expenditure

NGAN Next Generation Access Networks

OSS Operations support systems

PCN Public Communication Networks

ROI Return on Investment

ROW Right of way

Tech Technology

Problem statement

The need for resilient public communication networks is recognised as an important topic both by the industry and public bodies. Individual operators of public communication networks are pursuing uninterruptible service provision through enhanced technologies, redundant systems, processes, etc. Yet, as the public communications networks are in effect composed of numerous individual

http://en.wikipedia.org/wiki/Internet

http://en.wikipedia.org/wiki/Internet_transit

http://en.wikipedia.org/wiki/Internet_service_provider

http://en.wikipedia.org/wiki/Peering

http://en.wikipedia.org/wiki/IP_transit

http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi%21celexplus%21prod%21DocNumber&lg=en&type_doc=Directive&an_doc=2002&nu_doc=21

http://en.wikipedia.org/wiki/Contract

http://en.wikipedia.org/wiki/Submarine_communications_cable



networks, the overall result reflects the strong and the weak points of their individual approaches. A survey7 conducted by ENISA indicated the problems faced by the industry:

New threats, dynamic risk and constant network evolution pose a demanding environment

for engineering and operating resilient networks where threat identification and risk

management approaches must evolve.

Linking between different management processes is a challenging endeavour while holistic

resilience management is still evolving.

Business continuity exercises have a critical role to play in preparedness and as a culture

building and evolution enhancing mechanism, yet complex testing types have still not been

widely adopted.

Coping with third-party dependencies as well as inter-infrastructure dependencies is

challenging.

Though it is clear that network operators are investing in most of these areas, reaching

maturity takes time. This fact brings us to the challenge of small-sized companies and new

entrants to the market that tend to fall short in RM and BCM capacities. How do we avoid

the weakest link in resilience?

In the context of this working group, the members faced further problems in addressing resilience in

public communications networks, stemming from the broadness of the definitions of these terms:

The current trend of providing more and more services transforms many of the traditional

network operators into service providers and mixes the provision of a public communication

network and the service offerings that utilise the transmission service of these networks. As

a consequence, defining the scope of this work around public communications networks was

a difficult task. It involved a clear understanding of the term ‘public communications

networks’, which encompasses privately-owned infrastructures and a large variety of private

commercial agreements, as well as publicly-owned infrastructures, but excludes most of the

services offered.

As public communication networks cover a wide range of networks the group was faced with

the task of following an approach that was generic enough to cover most cases and yet

specific enough to provide a useful outcome that provides specific measures. Thus,

addressing the following issues was part of the problem:

o Financing, economic impact and feasibility of the task: the key assumption here is that

profitable companies take measures in the area of resilience in order to ensure their

successful and profitable operation in the long run. At the same time they must be

profitable organizations, which means that, as they operate in a highly competitive

environment, they need a strong focus on profitable marketing activities and optimized

investment plans.

7 www.enisa.europa.eu/doc/pdf/deliverables/enisa_network_provider_measures_on_resilience.pdf

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_network_provider_measures_on_resilience.pdf



o Who are the users and what are their requirements?

o What level of resilience do they need?

o What is the exact measure of resilience we are using?

After several discussions the group managed to identify workable answers to these questions, which

in turn allowed a list of counter-measures to the identified challenges to resilience to be compiled as

well as a list of the threats that are of concern when discussing resilience. The measures identified

target not only network operators but also authorities at the national and EU levels.



Scope, objectives and outcomes

Voice and data services offered over the public communications networks today support critical

applications in several identified critical sectors. Currently, besides the broad areas mentioned in EU

documents, an exhaustive enumeration of the services and their users is neither available nor can

the required resilience levels of the end-to-end services be adequately measured and defined.

Thus, the scope of this work is set around the common denominator of public communication

networks across EU Member States. This common denominator is the core networks of the various

telecommunication providers across the EU, including their interconnections at national level as well

as across borders, and their interconnection with countries outside the EU.

The scope of work also includes other critical components that are necessary for the resilience of

public communication networks and these include operation support systems (OSS), the business

support systems (BSS) of organisations and the corresponding organisational structures including

people. The application services offered at the network edges, as well as end-user access, are not

within the scope of this work.

The overall resilience targets set as a working assumption for this work are that core public

communication networks across the EU:

1. remain seamlessly interconnected and provide the same perceived feeling of a ‘single’

communications platform they offer under normal conditions albeit at a reduced but

acceptable service level;

2. be able to differentiate services and offer the desired level of resilience when EU Member

States finally need or wish to define their exact requirements;

3. exhibit the ability to protect against threats and recover from their effects in due time;

4. exhibit agility and re-configurability to support authorities in emergency communications

and crisis situations.

To this end, the ENISA virtual working group has settled on the following objectives for the public communication networks in its scope of work:

To identify and discuss the key challenges to resilience in public communication networks.

To identify measures and practices to address challenges and safeguard resilience. While there is a plethora of guidance on several of the areas with a relevance to resilience, we are still missing important information. The level at which measures have penetrated the industry , as well as their usefulness and applicability in public communications networks, are the kinds of information needed to boost their uptake or to point out the need for other measures that might be more appropriate.

Working towards the fulfilment of the stated objectives, the VWG has achieved the following

outcomes which should prove to be useful input for all interested stakeholders:

1. Endorsed a definition of public communication networks as commonly understood by its

members.



2. Identified and agreed on a common set of targets for resilience in public communication

networks.

3. Identified and grouped logically the challenges that prevent achievement of the resilience

targets set or that facilitate their collapse through the materialisation of threats.

4. Produced a mapping of threats to the agreed challenges. This map can be used in two ways:

a. to obtain a brief overview of the threat landscape and the possible consequences for

resilience;

b. by organisations, to factor in measures already in place that address threats or prevent

their consequences, and thereby identify their posture regarding resilience.

5. Proposed measures with a national or an EU scope.

6. Provided indications of industry adoption of the proposed measures and their expected

impact in terms of benefits to resilience, cost, time and effort. The ratings are based on the

perceptions of the experts and should be treated only as estimates.

Approach

This work began with a brainstorming session that took place during the first meeting of the group

and through initial email interactions. The analysis revealed a set of challenges the participants had

to face when addressing issues concerning resilience for the public communication networks they

operate.

A challenge is understood to be an obstacle to achieving resilience. Furthermore, it can facilitate the

collapse of targets for resilience through the materialisation of threats. The challenges identified

were grouped into six areas, four asset challenge areas and two environmental challenge areas:

The four asset challenge areas are:

infrastructures: shared buildings and locations, power, facility systems, fibre cables,

indefeasible rights of use and rights of way, backhaul connectivity physical routings, cable

landing stations, national border crossings of physical fibre routings, interconnection

locations and Internet exchange points (IXPs);

technology platforms: protocols, hardware and software implementation, operational

support systems (OSS) and business support systems (BSS);

operational processes and people: processes for network management and operations,

including problem and incident management, change and configuration management,

capacity and inventory management, etc;

organisational continuity: responsibilities and resources for continuity and resilience,

training and awareness, stakeholder relationships and interdependencies, cross-team

collaboration, crisis communications and assurance through exercises.

The two environmental challenge areas are:



commercial environment: customer requirements, outsourcing to third parties, investment

feasibility and availability of finance;

regulation: EU harmonization of regulatory requirements for networks, disunity of data

protection and retention laws, intercepts and monitoring.

The presence of these challenges significantly limits the capabilities of public communication

networks to achieve and maintain resilience, thus taking mitigating action is required. At the same

time, the difficulty of identifying counter-measures when no clear targets for resilience exist was

raised. Based on the argumentation presented in the scope of work section of this document, the

group agreed on the targets for resilience and suggested a series of related measures.

The discussions of challenges often led to the identification of relevant threats. The attempt to

understand the effect of the threats in the presence of the challenges to the fulfilment of the targets

for resilience was not attempted, as the group noted that there was not enough information on the

exact assets involved. Consequently, attempting to evaluate the exact impact of these threats was

not feasible due to limited resources.

How to use this document

This document is the result of discussions among the members of the ENISA virtual working group

on the topic of the resilience of public communications networks. The group has focused on the

challenges faced by network operators and possible measures for addressing them. The challenges

and the measures are discussed in chapters 3 to 9. Each of these chapters contains the measures

relevant to a particular challenge area. When a measure is relevant to more than one area, it can

only be found in the area that was considered the most relevant.

For a complete mapping of challenges to measures the reader should consult the tables in Annexes

A and B. Measures that are suggested for action at the level of the EU or Member States are listed in

Annex C. In addition, where relevant threats were identified, they have been recorded in Annex D to

serve as a rough sketch of the threat landscape and as a reference for the interested reader.

Executive summary, target audience and goals: provides a quick understanding of what this work is

about.

Chapter 1: serves as an introduction to the problem and presents the scope of this work and the

outcomes achieved. You should read this chapter if you intend to understand in detail any of the

following chapters.

Chapter 2: provides a brief overview of the challenges and a note on understanding the profiles of

the measures.

Chapters 3 – 8: describe the challenges in the individual challenge areas and provide full profiles of

the relevant measures. It examines, in detail, what the network operators find challenging and the

counter-measures they are using, currently implementing or thinking about using in the future. It

provides insight as to how costly, time intensive, and beneficial these measures are perceived to be.

Chapter 9: concludes this work and provides some indication as to how it may possibly be used.



Annex A: Measure ratings: contains the full list of counter-measures, including their rating in terms

of ‘time to implement’, ‘implementation cost’, ‘impact on resilience’, etc.

Annex B: EU & Member State level measures: indicates the measures proposed to authorities in the

EU or Member States.

Annex C: Mapping measures to challenges: contains a list of the challenges and the relevant

measures for mitigation.

Annex D: Mapping threats to challenges: lists threats to resilience in the presence of challenges. Are

our measures good enough against these threats even in the presence of challenges? Do we need to

adapt some of our measures? This list is just a start.



2. Public communication network challenges and counter-

measures The following chapters discuss the challenges identified by the experts in the working group.

Challenges are marked in bold and a numbering scheme is used to identify the challenges in each

challenge area.

The numbering scheme uses a letter (I – Infrastructure, T – Technology, O – Operational process and

people, B – Commercial, R – Regulatory) and a two digit number. In addition, the challenges are

assigned a title in order to convey their meaning in just a single line.

The full list of challenges is as follows:

I01 - Logical diversity v physical cable routing density and separacy I02 - Limited diversity, capacity and pinch points, backhaul, cable landing stations, cable border crossings, submarine cables I03 – EU traffic concentration at IXPs and high magnitude events I04 - Private interconnections, unknown effects on resilience I05 - Interconnection or peering = location, protocol, policy I06 - Shared risks of poor infrastructure management I07 - Shared infrastructure, majority vote = cumbersome vulnerability management I08 - Infrastructure management, individual v collective responsibility for mitigation T01 - Emerging technologies = unknown impact on resilience T02 - Assessing the maturity of technologies and implementations T03 - New techs and their implementations bring functionality and vulnerability T04 - Old tech issues, scalability, vulnerable, costly maintenance T05 - IP control plane retrofitted with functionality T07 - End point devices used for attacks T08 - Late standardisation and interoperability testing O01 - Standardisation and tech – process integration O02 - Complexity and integration = many human errors, slow recovery O03 - New skills, human learning curve O05 - Operational risk variety O06 - Cascading impact of operational errors (eg, BGP mis-configuration) O07 - Operational processes do not reflect network infrastructure inter-dependency O08 - Cross border operator presence, information sharing, communication and collaboration C01 - Limited foresight to emerging and future risks and threats C02 - Effort to balance policies and practices or processes C03 - Projects may miss resilience considerations or expertise C04 - Resiliency management needs multi-discipline teams not easily available C05 - Crisis staffing requirements C06 - Network failures can cause a domino effect C07 - PCN continuity cannot be restricted within organisational boundaries C08 - Authorities and customers – fuzzy requirements and direction C09 - Borders of responsibility jeopardize collective mitigation C10 - Ownership and cost of coordinating EU wide resilience C11 - Slow communication and decision-making C12 - Management reluctance to tackle risks of BC testing



C13 - Limited assurance of BC plans B01 - Limited customer spending on resilience services B02 - New development priority over resilience B03 - Lack of KPIs and ROI for resilience B04 - Resilience expenditure must prove business benefit B05 - Resiliency in VMNOs pressed by budget B06 - Rapid deployments = limited internal know-how B07 - Multitude of contracting agreements (SLAs) B08 - Critical consultants as single point of failure B09 - Difficulties of due diligence in outsourcing R01 - Lack of harmonization in EU regulations obstructs standardisation

As far as counter-measures are concerned, they are provided for each challenge area in a separate

sub-section. Each measure is described in a measure profile card, like the one shown below.

Readers can find out whether the industry has already adopted a particular measure in the industry

status column. The expected positive impact of the measure is given in the ‘impact on resilience’

field while monetary cost and time to implement are also given in their respective fields.

The reader should note that the measures are rated according to the perceptions of the experts, so

the ratings only provides estimates and are not exact assessments of the measures.

Measure profile

Name Measure name – short and as descriptive as possible

Measure ID A number

for

identifying

measures

in

annexes

Industry status Implemented / Current / Future (Keep one)

Describes the current implementation status.

Implemented == the measure had already been

implemented a long time ago

Current == recently implemented or under

implementation

Future == could be considered in the future

Relevant good

practices

Experience of the members referring to their own practices or standards used

Description

A more detailed description of the measure; some implementation information may be given.

Measure rating (Low =1 , Medium=2, High=3)

Time to implement Implementation cost Impact on resilience

The experts’ perceptions of implementation: what is or would be the cost in time and money and the expected outcome. Used to provide an estimate of usefulness versus cost and to identify measures that can offer quick wins == low cost, short time to implement and high impact.

About the measure ratings

These ratings were provided confidentially by the members of the group and are based on their

perception and not on official corporate data. The intent of this effort is to provide estimates and



indicators, thus interpretation of this table as a prescription for solutions to problems in resilience

must be avoided.

The numbers provided as a rating in the fields ‘time to implement’, ‘implementation cost’ and

‘impact on resilience’ range from 1=Low to 3=High. The ratings have decimals as they are the

average of the individual ratings provided, eg, for ‘time to implement’:

Rating colour coding

In Annex A: Measures ratings, you can find a table of all measures that include the measure ratings.

To allow for a better illustration of the perception of the experts, we have chosen to colour the

individual cells relevant to the rating in green, yellow or red. The table below provides the legend for

the colour scheme used. You should also note that for the ‘impact on resilience’ rating, the green

zone has a much higher threshold compared to the other ratings. This was chosen in order to make

measures perceived to be really helpful stand out from the crowd.

Time to implement Time <1.8 1.8<=Time<=2.2 Time >2.2

Cost Cost <1.8 1.8<=Cost<=2.2 Cost >2.2

Impact on resilience

(benefit)

Impact <1.8 1.8<=Impact<2.5 Impact>=2.50

Table 1 - Measure rating colour legend

Industry Status

The field ‘industry status’ provides a rather rough indication of what the majority of the experts said

about the status of implementation. The term ‘majority’ can simply mean just one vote more than

the dissenting opinion, so it is not representative of the distribution of the status of implementation

among voters. The possible status can be one of the seven states listed below:

Field value Meaning

I implemented

IC equal number of votes between ‘implemented’ and ‘currently being or recently

implemented’

C currently under implementation or recently implemented

CF equal number of votes for ‘currently implemented’ and ‘possible future

implementation’

F a candidate for future implementation

ICF equal number of votes for all three options.

Table 2 : Measures rating - Industry status legend

n

Tin

i

1



3. Infrastructure challenges Convergence on the network infrastructure is promoting the sharing of many of its parts. Network

operators tend to share most infrastructures for operational and cost efficiency reasons. Cable

landing stations, fibre crossings at national borders, public and private peering8 locations, sharing

physical space, power and HVAC in co-location centres are long existing forms of sharing. In addition,

the virtualisation of physical connectivity leads to the sharing of resources, such as radio frequencies

and lambdas in fibres, blurring the distinction between physical infrastructure and technology logical

resources.

Continual improvements in transmission and processors on DWDM technology platforms have

increased the number of wavelengths on fibre infrastructure. These technological innovations,

aligned with deregulation, market demand and the competitive environment, have significantly

increased capacity while using the same fibre infrastructure. Network operators, instead of building

dark fibre infrastructure and purchasing associated rights of way (ROW), have leased capacity or

procured indefeasible rights of use (IRUs) to sustain networks and avoid the expense associated with

laying and managing fibre infrastructure. Thus a high number of logical connections over far fewer

and more densely routed physical cables are generating diverse logical architectures in which

separacy in the routing of physical cable is not assured (I01)9.

In addition, cable landing stations, underwater sea cables and fibre crossing locations at national

borders are in many cases concentrated at specific locations due to the characteristics of the terrain

or a focus on cost control and efficiency in design; in these situations diversity and redundancy is

limited. The selection of locations for cable landing stations has, in several cases, resulted in remote

installations with limited options for backhaul connectivity to the core networks. Limited diversity

and capacity of cable landing stations, submarine cables, backhaul connectivity and border

crossing locations can jeopardise backbone connectivity (I02).

The interconnection of networks is exhibiting signs that high percentages of traffic are being

concentrated at a few large Internet exchange points (IXPs). These locations provide an excellent

opportunity for Internet peering and reduced transit costs. In addition, the peering locations of the

IXPs are increasingly being used to implement private interconnections not governed by ‘traditional’

public peering agreements. The value of a presence in an IXP location gets higher as the number of

participants increase, as the opportunities for interconnection agreements are also increasing. Thus,

IXP locations now have an even greater criticality for the continuity of the European backbone –

especially, when considering threats of high magnitude, diverse IXP locations in the same city or

even in the same country may just not be enough for those locations that service an important

percentage of EU traffic (I03).

In addition, throughout the EU we can still find countries that have only a single local IXP and several

countries with just two IXP locations. In such cases, loss of a single peering location has the potential

to damage the health of the backbone connectivity inside national borders and increase the load on

8 A settlement free interconnection of networks for exchange of traffic.

9 Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the

annexes. Infrastructure challenges are coded with the initial letter I followed by a two digit number, eg, (I01).



international IXPs that will need to route national traffic. Larger and more experienced ISPs mitigate

this by establishing multiple private peering and public peering connections across multiple EU

countries.

Private interconnection and peering or transit agreements are still taking place in several locations

where operators may meet (co-location centres) or through direct point-to-point connections. These

private interconnections are driven by traffic requirements and information about them is in general

only known to the interconnecting organisations. As such it is not possible to identify and take into

account the effects of private interconnections on resiliency without extensive involvement by the

industry (I04).

There are international organizations which track peering capacity for research purposes, such

as CAIDA10, but no similar organization exists, with industry participation, that is focused on the

evolution of the pan-European networks. Overall network interconnections (referred to as peerings

when they concern the Internet Protocol) are effectuated in three different levels: the policy or

service exchange agreement level (transit or peering), the technology or protocol level, and the

physical point(s) of the interconnection. While the physical aspects of the interconnection have

been discussed in this section, the protocol and policy aspects need also to be taken into account

(I05).

On the policy side, several business reasons or disputes may drive decisions to terminate

interconnection or peering, in some cases in an ungraceful manner. The resulting loss of an

interconnection can cause country-wide segmentation of connectivity or severe service degradation.

On the Internet when TIER-1 networks are involved, even the segmentation of Internet space is

possible. Redundant interconnections (N+1) are an absolute requirement to limit the effects a

peering termination as is the case for any critical component of a system.

Other policy decisions may also prevent the establishment of private or public peering in the first

place. The decision to peer is influenced heavily by CAPEX and NETEX requirements, which are driven

by business and commercial objectives. The peering agreements are based on traffic ratios between

networks, similar to interconnect agreements between PSTN service providers. Measurements of

traffic flows determine the feasibility of a peering agreement where ISP with equal demand between

their IP networks agree through a peering arrangement to share costs for exchanging traffic (routes)

and deliver services. Unbalanced traffic ratios between networks result in unequal costs to support

traffic requirements prohibiting peering, thus often limiting the resiliency capabilities of smaller ISP

networks.

Typically smaller operators, tier two or below, compensate by entering into transit agreements to

augment capabilities to deliver traffic. These additional costs, both CAPEX and NETEX to fulfil service

delivery often constrict resiliency or force smaller ISPs to depend more heavily on public exchange

points for their service delivery. Consequently even larger amounts of IP capacity are concentrating

into single termination points.

10 The Cooperative Association for Internet Data Analysis; http://www.caida.org/home/



A variety of other threats from targeted attacks, accidents directly or indirectly targeting these

infrastructures, as well as natural disasters, can have severe impacts. Management of infrastructures

and protection against those threats is essential but, with the trend in infrastructure sharing

expanding to active equipment and complete network sites, the shared risk is now even more

profound. Thus, when vulnerabilities arise from poor management and maintenance practices,

these will affect all services of all users sharing this component (I06).

Depending on the management model, cumbersome handling of vulnerabilities may arise where a

majority vote of different organisations is required to implement an overall mitigation or

resilience strategy (I07). The degree of inter-dependence and the multitude of infrastructure

owners complicate the development of the overall understanding required to handle the shared

risks. Handling of shared risk requires additional motivation to enable infrastructure management

to see through the individual responsibilities and act collectively for mitigation (I08).

Infrastructure challenges: measures

Measure profile

Name Transparency of shared physical infrastructures and identification of critical parts

Measure ID 07 Industry status Implemented

Relevant good

practices

- Design of shared infrastructure with proper resilience rules (eg, international

interconnect carriers having more than one physical path with fully separated

physical infrastructures)

- Each network operator should have access to the information on the actual

level of resilience provided through shared infrastructures and take necessary

measures (eg, using two different international inter-connection carriers with

separated infrastructures).

Description

Transparency of shared physical infrastructures and identification of critical parts, such as submarine

fibre cables, cable landing stations and national fibre crossings, is required. Obtaining information on

the levels of resilience in the shared infrastructure at the design stage can facilitate easier

implementation with no time delays.



1.8 1.7 2.1

Measure profile

Name Interconnection and peering – operation and maintenance of good practices


Relevant good

practices

Description

Promote and adopt good practices for the operation and maintenance of interconnections and

peerings throughout the industry. Such practices must be widely known and accepted as references

(eg, best current practices).





1.8 1.6 2.0

Measure profile

Name Interconnections and peering – code of ethics

Measure ID 13 Industry status Future

Relevant good

practices

Description

Develop a code of ethics for peer relationships and termination of peering or interconnections



2.0 1.3 1.2

Measure profile

Name Shared infrastructure – management responsibilities


Relevant good

practices

Description

Responsibilities for managing the functions of shared components have to be clearly defined. This

should be implemented by means of clear SLAs for all parties sharing this component, stating the

responsibilities for maintenance and management (including monitoring) of the component. Error

messages, malfunctions and security incidents that are tracked have to be communicated to all users

of the component.



2.3 1.7 2.3

Measure profile

Name Critical assets (including shared infrastructure and third party services) included

within the scope of information security management

Measure ID 02 Industry status Current

Relevant good

practices

BS7799

Description

Information security cannot be confined only to internal components. Lists of external partners or

service providers and externally-owned components have to be maintained and the provision of their

service has to be monitored. In the case where external providers have access to internal information



resources, controls have to be in place in order to maintain the necessary level of security.



2.3 2.0 2.5

Measure profile

Name Shared infrastructure components included in risk assessments and business

impact assessments


Relevant good

practices

Description

Each user of shared components (ie, components that are external to the organisations) has to assess

the risks that are connected to the usage of those components. This includes organisational (eg,

personnel issues), impact of non-availability, procedures to deal with information security incidents,

and potential damages. The assessed level of risk has to be acceptable and must comply with existing

internal security policies, ie, an incident or failure should not jeopardise the businesses of the users of

the shared components. In these considerations, physical security is also of major importance.



2.4 2.0 2.5

Measure profile

Name Shared component (infrastructure or service) – audit results communicated to

users


Relevant good

practices

Description

To verify that the agreed responsibilities are being carried out by the provider of shared equipment,

the user of a service (ie, of a component) has the right to be informed of the results of audits that

take place in the organisation of the ‘owner’ of the shared equipment.



2.0 2.0 1.1

Measure profile

Name Shared infrastructure – incidents reporting made a mutual obligation through

appropriate interfaces and procedures

Measure ID 05 Industry status Current / Future



Relevant good

practices

Description

The user of the shared component has to provide the appropriate interfaces to enable the (mutual)

communication of incidents regarding the shared components.



1.5 1.6 1.3

Measure profile

Name Shared infrastructure or co-location – develop resilience ratings and KPIs


Relevant good

practices

Description

Development of KPIs concerning resilience and, in particular, resilience in the design of common

networks. The goal is to create an operating environment where the sharing of infrastructure does

not expose operators to additional risks. The same approach should also apply in the case of co-

location where common physical and network resilience has to be identified.



2.0 1.8 2.0

Measure profile

Name Infrastructure interdependencies – focus on identifying practical issues and risk

mitigation


Relevant good

practices

Description

The issue of infrastructure interdependencies deserves special attention as it can lead to major

outages of critical infrastructure components spanning different sectors (eg, electricity grid). Effort

has to be invested in practical issues concerning the identification of infrastructure dependencies and

the mitigation of existing risks. Infrastructure owners must identify their own needs and promote

mitigating solutions, engaging the corresponding infrastructure owners and national or EU structures.



2.0 2.0 2.8

Measure profile



Name Incident reporting and communication to stakeholders


Relevant good

practices

Description

Information about security breaches has to be collected and communicated between infrastructure

owners or operators to mutually inform each other and also the customer base.



1.9 1.3 1.5

Measure profile

Name Critical infrastructure – component owners establish and maintain permanent

trustworthy communication channels


Relevant good

practices

Description

A communication channel between relevant operators of (components of) critical infrastructures has

to be established. The coordination of such expert groups might be headed by public authorities, ie,

public crisis management teams.



2.4 1.7 2.6

Measure profile

Name Exercises to include communication channels and emergency plan testing with

inter-dependant critical infrastructures


Relevant good

practices

Description

Exercises that include a provider of critical infrastructure have to be carried out in order to check the

effectiveness of established communications and the available emergency plans.



2.2 2.5 2.4



Measure profile

Name Participation in forums addressing cross-organisational collaboration issues


Relevant good

practices

Description

Participation in dialogue to identify technical and operational interfaces, responsibility structures, the

role of public organisations, best practices in cross-cutting security issues, vendor or provider

interdependencies, and risk structures that span organisational limits.



1.3 1.2 1.5

Measure profile

Name Protection of critical infrastructure – collaboration with national authorities

Measure ID 11 Industry status Implemented / Current

Relevant good

practices

Description

Maintenance of contacts with authorities coordinating the protection of critical infrastructure

nationwide.



1.8 1.3 2.3



4. Technology platform challenges Communication networks and technology are evolving in support of commercial requirements and

market trends. New products and services that increase the utilization of the networks are possible.

Computing innovations have drastically altered network architectures and the technologies used in

public communications networks. These newer technologies offer improvements over older ones

with features that fulfil new requirements and use more and more protocols to deliver functionality.

NGAN, IMS and others are examples of emerging technologies whose impact on the resilience of

the current telecommunication infrastructures is currently unknown (T01)11.

Emerging infrastructures are extremely complex and are actually composed of several ‘basic’

technologies and protocols defined by different standards developing organisations (SDOs) and fora

(eg, ITU-T, ETSI, GSMA, and IETF, just to list the main bodies). Time-to-market pressures lead to

implementation based on different versions of a standard or draft standard and compatibility is

uncertain. It is a fact that interoperability testing between different vendor solutions and

standardisation lags behind deployments (T08).

Recent events12, such as Interoperability and Plug tests13promoted by telcos are verifying these

interoperability problems. The tests show that, among different vendors, current implementations

are far from being fully interoperable. This situation increases the vulnerability to threats targeting

the resilience of emerging telecommunications infrastructures.

Another consequence of fast technological changes is the shortening of the lifecycles of equipment

to just a few years. This is a tremendous change compared to older technologies where the required

expertise and network management processes remained almost identical for decades (ie, the PSTN

network that is still in use today). In contrast, innovative equipment and various proprietary

platforms are now available, many of them produced by creative vendors who recently entered the

market. Given these developments, assessing the maturity of the technologies themselves as well

as the maturity of their implementations can be extremely hard (T02).

Furthermore, the network evolution leads to the co-existence of older and newer components and

platforms, which constitute an integrated mosaic of increasing complexity and interdependencies

across the various layers of the network. This is a necessary step as our networks migrate to new

architectures and technologies to achieve the gains in functionality required to meet present and

future demands. Still, we need to be aware of the risks of technology innovation and be prepared to

address them. During their lifecycles, each technology and product introduces vulnerabilities and

scalability issues that affect the network as a whole. Thus, while new technologies offer solutions to

well-known problems, they also introduce new vulnerabilities that need to be identified and

addressed (T03).

11

Challenges throughout the text have a code number in parenthesis for easy referencing in the tables in the

annexes. Technology challenges are coded with the initial letter T followed by a two digit number, eg, (T01).

12 Telecom Italia hosted the First ETSI IMS Interoperability Test Event, at the laboratories of Torino, from October 8th to 12th 2007, which focused on IMS NNI (Network-to-Network Interface) interoperability. 13 ETSI Plugtests T has hosted the 8th GPON Interoperability Test Event, from 22 to 26 June 2009, in Sophia Antipolis. For the latest Plugtest events: http://www.etsi.org/Website/OurServices/Plugtests/home.aspx.

http://www.etsi.org/Website/OurServices/Plugtests/home.aspx



While the deployment of new services, technologies and designs are getting much of the attention,

we also need to take into account existing infrastructures. Older technologies may be limiting the

network in terms of scalability or contain vulnerabilities that it may not be feasible to address

(T04). For example, much of the older equipment does not support current secure network access

and management protocols or cryptographic algorithms, as is the case with Secure Shell Access v

Telnet access and AES v DES crypto algorithms.

It is even possible that some equipment and technologies have to be used beyond their official end-

of-life as announced by vendors. This actually means that there will be no further support at all and

that vulnerabilities will never be fixed. In the cases where upgrades or fixes are available, they are

often too costly to be a feasible investment for technologies that will be phased out in coming years.

The same rule of increasing cost may apply to the overall maintenance of end-of-life technologies

because they become too costly as physical wear increases, personnel focuses on new technologies

and human skills decrease over time.

On the protocol side, limitations such as the IPv4 address space exhaustion and the lack of security

mechanisms in the initial design of critical protocols, such as BGP, impose scalability limitations and

introduce vulnerabilities. For example, the simple trust mechanisms used in BGP may allow for

routing information to be altered by unauthorised originators causing routing loops, blackholes,

network congestion and denial of service attacks14. The industry is already aware of and is tackling

the challenges of BGP, but as the control plane of IP networks is retrofitted with more

functionality, new threats and vulnerabilities are certain to surface (T05).

Attacks on the core protocols of the infrastructure have the potential to be highly damaging to

network availability and performance, as the effects can be propagated through interconnections

across multiple networks. Due to the propagating effects of an attack, a systemic failure that will

disrupt services and applications affecting other critical sectors is possible. Thus, protecting the

integrity of critical core protocols is essential. Protection covers the physical and logical security of

the network equipment and the avoidance of man-in-the-middle and trust or spoofing attacks, thus

preventing tampering with the protocols at the core. In this respect the security of the network and

of customer end-point devices has been identified as a major challenge (T07).

The lax security of end-user networks and devices allow the manifestation of many attack vectors

that give rise to several threats. Examples include Botnets, viruses, DDoS and the challenge of spam

emanating from compromised machines. Trends show that the number of attacks against network

components is increasing, as is the magnitude of these attacks.15 Though network operators are

familiar with dealing with these kinds of attacks, it is clear that they a pose a risk not only for end-

users but also to the resilience of the whole network. Thus, EU-wide tracking and mitigation

mechanisms could have the potential to increase the efficiency of mitigation.

14

A Survey of BGP Security, Kevin Butler, Toni Farley, Patrick McDaniel, Jennifer Rexford, 2005

15 Worldwide Infrastructure Security Report, Volume IV - Arbor Networks, October 2008,

www.arbornetworks.com/report

http://www.arbornetworks.com/report



Technology platform challenge: measures

Measure profile

Name New technologies platforms are assessed for resilience features and

compatibility


Relevant good

practices

Description

Security characteristics of newly introduced technologies have to be investigated by the network

owners before the implementation of new products and services, especially with regard to security,

resilience and contingency. Capabilities and pre-requisites for their availability and desired

performance have to be compatible with the intended use and deployment environment. This would

take into account co-existence with old technologies and the existing operational model.



2.6 2.7 3.0

Measure profile

Name Risk management used for critical components and processes


Relevant good

practices

Description

A threat, vulnerability and impact analysis has to be performed to identify risks. Following this, the

number of additional measures to be taken has to be identified.



2.2 2.0 2.4

Measure profile

Name Life cycle – design and implementation: new project teams to include resilience,

BC, RM, and IS experts


Relevant good

practices

Description

Organisations must include resilience in the agenda for a project from the early design stage of a new

product or service. Putting together project teams that include people with a background in business

or service continuity, risk management and information security will raise the importance of issues

that affect resilience.





2.2 2.2 3.0

Measure profile

Name Life cycle – design and implementation: vendor RFIs and RFQs to explicitly

request resilience considerations to be addressed


Relevant good

practices

Description

Requests to vendors in the form of RFIs and RFQs should be used to leverage the resilience aspects of

requested product or service.

For example, proposed architectures must describe clearly how different types of traffic (control,

management or end-user traffic) are transmitted, separated and protected. A communications matrix

should be requested where appropriate.



1.7 1.7 2.4

Measure profile

Name Life cycle – design and implementation: vendors to deliver risk assessment report

and risk mitigation practices for new deployments


Relevant good

practices

Description

Risk assessment reports covering the design and implementation of new products have to be part of

the delivered material for new products (especially concerning continuity and resilience issues). The

vendors have to suggest risk mitigation practices for new deployments. This can be considered as a

maturity characteristic of new products and their implementation.



1.8 2.0 2.6

Measure profile

Name Life cycle – design and implementation: full Integration with OSS or BSS to be

part of all deployment projects


Relevant good



practices

Description

The management of new technological components has to comply with or be adaptable to the

management practices followed in the existing network. Even in the case of a proprietary product,

integration with existing operational support services and business support services has to be carried

out.



2.5 2.7 2.6

Measure profile

Name Life cycle – design and implementation: new platforms assured compatibility

with existing infrastructure


Relevant good

practices

Description

Test environments have to be developed to extensively test new products with regard to their co-

existence with existing components.



2.3 2.6 2.9

Measure Profile

Name Life cycle – commissioning and acceptance: technology platform deployments

establish incident detection, response and incident management early in the

process


Relevant good

practices

Description

Starting from the initial stages of deployment, incident detection and incident management for

problems arising from new products and the transition process have to be in place.



2.2 2.0 2.4

Measure profile

Name Life cycle – commissioning and acceptance: technology platform acceptance

testing incorporating resilience features of the system




Relevant good

practices

Description

An acceptance process should be in existence before a new service is offered to the market. Testing

and validating the resilience features and the suitability of risk mitigation practices should be part of

the acceptance. Testing must be performed both at the component (node) and system level.

Make sure employees are fully engaged in testing and acceptance to benefit from engaging

with the vendor and of familiarising themselves with the technology and components.

In the future, testing scenarios could be leveraged for the planning of BC exercises.



2.0 2.2 2.3

Measure profile

Name End-point security practices – awareness raising


Relevant good

practices

Description

Awareness programmes have to be deployed to ‘educate’ end-users about how to securely cope with

their devices.



2.5 2.0 1.7

Measure profile

Name End-point access shutdown or quarantine


Relevant good

practices

Description

A possible solution to attacks initiating from end-points (end-user devices) is to shut down an access

point, albeit this might have implications from a commercial and data protection legislation point of

view.



1.4 1.6 2.2



Measure profile

Name End-user notification of incidents


Relevant good

practices

Description

End-users are put in the information exchange loop concerning security incidents and fraud.



1.8 1.4 1.3

Measure profile

Name End-user incentives for practising secure computing


Relevant good

practices

Description

Incentives for the secure usage of user-equipment might enhance user preparedness to maintain

equipment security.



1.5 1.3 1.6



6. Operational process and people challenges Networks are, by their nature, integrated and complex. As their evolution continues, standardizing

procedures and achieving full integration of network management processes within a changing

network is a continuous challenge (O01)16. Maintaining the ability to control both internal and

external agents to prevent disruption is as crucial as it is difficult. The successful implementation of

effective change and configuration controls is a primary reason our networks have achieved high

levels of availability.

However the increasing complexity, interoperability and integration aspects of the technology

directly influence the network management processes used to control the operation of the network.

As a consequence of the complexity and integration mismatches the probability of failures

increases, as does the duration of the resolution of problems (O02). For instance, implementation

of peering arrangements requires complex routing policies. Thus policy-based routing is difficult to

get right and an incompatibility or administrative error can easily hide parts of the internet.

It is evident that related personnel are an important factor and a challenge, since operational

mistakes or errors can have severe impacts. Moreover, there is always the threat of people (insiders,

disgruntled employees, etc) intentionally causing operational problems to the network. In all cases

(eg, mis-configuration of a router or a directed threat), the end result is nearly always the same. The

introduction of new technologies creates additional challenges of the human factor in two

respects: (a) due to the low experience of personnel during the initial period when a new

technology is being introduced (O03), and (b) in areas of technology where complexity increases

(O02).

When vulnerabilities arise from poor management and maintenance practices, these will affect all

services of all users sharing the particular component and all inter-dependent components. Indeed,

the network disruptions of small networks or providers can have an impact on the operations of

larger ones (O06); this is exemplified in the case of spam which can arise from small providers and

lead to a loss of service to a group of providers due to upstream service cut-off. In addressing

threats and risks that reach beyond organisational boundaries, organisations are interdependent;

this has to be reflected in their operational processes (O07).

A central instrument in overcoming these challenges is the availability of the correct information to

the people who are empowered and technically capable of acting on and mitigating them. As such, a

focus on monitoring and information sharing across stakeholders, supported by good internal and

external communications, is required. These elements should allow the pick-up of signs of failure to

initiate response and, if needed, crisis management procedures. Communication, information

sharing and collaboration are a key challenge, especially because of the global nature of the

network and the cross-border and international presence of operators (O08). Thus, technical

intelligence, monitoring and detection capabilities must be reinforced. In particular, intelligence that

offers situational awareness and early warning beyond the capabilities of a single network provider

can be very useful. It is also important to note that special attention should be directed to the

16


annexes. Operations challenges are coded with the initial letter O followed by a two digit number, eg, (O01).



service layer, due to significant new threats and the broad impact of potential failure, eg, VoIP

malfunctions.

Maintaining resilience requires effective confrontation of threats outside the exposure to expected

threats. The current (network management) processes need to be adapted to handle the blurred

areas of risk, from operational maintenance and fault resolution, resilience or BC plans, to the

maintenance of various proprietary platforms, throughout the lifespan of the technology (O05).

This requires comprehensive organisation that includes internal (organisation wide) and external

(vendors, suppliers, etc) resources. In this direction, several standards are available that can be

utilised by the organisations operating public communication networks to set the foundations for

taking the evolution of the operational process to the next level. While 100% availability of all

components is not possible, adaptability of the operational processes contributes to maintaining

resilience and minimizing the probability of failure and the duration of problem resolution.

Operations challenges: measures

Measure profile

Name Operational processes integrated with established information flows


Relevant good

practices

Description

Good integration of network management with other management disciplines within the

organisation seems to be a key issue in mastering the complexity of changing network technologies.

In this respect, integration with the management of risks, assets, security, continuity and incidents

are essential. Furthermore, the interfaces to mature change, release and problem management

processes are highly relevant.



2.3 2.1 2.7

Measure profile

Name Detection and mitigation of cyber threats given a high priority and assigned

specific resources


Relevant good

practices

Shared good practice: while network operation centres (NOCs) focus on

monitoring network capacity, security operation centres (SOCs) concentrate on

detecting abnormal situations that could be interpreted as the possible beginnings

of attacks against operators’ networks. It has also been stated that an SOC,

moreover, should not have a geographical focus but should act as a global

overview body and undertake the monitoring of the entire network of the

organisations involved. Experience has shown that a threat that is rising in one

country will soon expand to others. Thus an operator should organise its individual

country SOCs to act as a global SOC, allowing the early and joint mitigation of



threats inside their networks.

Description

The differences in scope between the various management disciplines has to be clear: particular

attention, for example, has to be given to the notion of monitoring, detecting and responding to

cyber incidents and the differences, in terms of operational functionalities, between network

operation centres (NOCs) and security operation centres (SOCs). Adequate resources have to be

assigned, including specialised expertise on the detection and mitigation of cyber threats.



2.5 2.7 3.0

Measure profile

Name Operations and network management – personnel participate in schemes for

knowledge sharing with vendors


Relevant good

practices

Description

Given the novel functionalities incorporated in new components and the concomitantly reduced

experience in technology administration and management issues, knowledge and information sharing

has to be enforced in order to more effectively master challenges in the introduction or adaptation of

network management activities. Schemes for the exchange of information and for sharing existing

(non-competitive) knowledge between operators and vendors of components have to in place.



1.6 1.3 1.8

Measure profile

Name Operations and network management – uptake and use of existing standards

and best practices


Relevant good

practices

Description

Orientation towards existing network management standards and good practices (both technological

and operational) is a key issue to be enforced for new products and services. Compliance with such

standards has to be evident through the functional and qualitative characteristics of new products

(including the deployment process).

Special attention must be given to a defined process for patch management, in order to maintain

critical systems and platforms up to date and to close known vulnerabilities.





2.0 2.1 2.8

Measure profile

Name Design documentation of procedures and work instructions for effective use

under high pressure


Relevant good

practices

Description

Documentation of network management practices has to be oriented towards practical issues, thus

allowing for good usability in situations of failure and emergency.



1.5 1.5 2.4

Measure profile

Name Operational process measurements for resilience indicators routinely collected,

analysed and acted upon


Relevant good

practices

Description

The effectiveness of network management practices, especially those relevant to resilience issues,

has to be measurable. Indicators of adaptability, early detection, mean time to respond, false

negative assessments leading to incidents, etc, are required.



1.8 1.6 2.5

Measure profile

Name Network monitoring used, and data analysed and acted upon


Relevant good

practices

Description

Network measurements (eg, capacity measurements, performance measurements, failure rates, QoS

parameters, etc) have to be introduced, collected and monitored for all vital network components

(eg, availability and performance management).





2.0 2.3 2.7

Measure profile

Name Proactively structure operational responses to incidents requiring third party

participation


Relevant good

practices

Description

Operational processes must be designed and structured to address threats and risks reaching beyond

organisational boundaries and must exhibit the ability to locate, communicate, share information,

collaborate, and act in concert with external stakeholders. Personnel must expect to encounter and

address both imaginable and unthinkable scenarios.



2.2 2.2 2.0



7. Organisational continuity challenges Every modern organization realizes the value of dedicating some resources to the prevention of

expensive damages that would likely occur should such preventive measures not be taken. For

example, companies operating IT components use intrusion detection and response systems in an

attempt to detect computer intrusions and then activate defensive measures to minimise the

ensuing damage. This is a proactive approach to protecting a company's infrastructure that

contributes to its resilience, but IT and technology platforms are not the only resources that need to

be resilient. Resilience calls for an ability to ‘provide and maintain an acceptable level of service in

the face of faults’. As such there must be the ability to proactively recognise and adapt to changes

that may lead to disruption in either a slow or abrupt way (C01)17.

In some companies resilience related awareness or activity is event driven. For example, the

mitigation of personnel unavailability may be driven by Bird Flu or Swine Fever and thus be reactive

in nature. The organisation’s policies must reflect its strategy to address such risks but this is still not

sufficient. If no proactive permanent precautions exist to cope with the occurrence of such events

then plans to maintain critical activities in these worst case scenarios will likely fail. This illustrates

the difference between policies (good for strategy) and process (good for operational reactive

actions). What is needed is the alignment of practice with policy (C02).

The role of the business continuity management team is to provide the tools and techniques for

effective plans, business impact assessments and exercises to ensure the organisation is equipped to

achieve the right balance between proactive and reactive measures. Proactive measures must be

integrated in the networks, products and services right from the planning phase through to

implementation. The consideration of security, resilience and business continuity requirements

during the early design phases of networks and processes is the only way to ensure that risks are

identified and owned and the appropriate mitigation strategies are followed. Otherwise projects to

bolt on these aspects at a later stage will find obtaining the required resources and budgets almost

impossible. It is thus necessary to get designers and security people together when technological,

implementation or business projects are in their infancy (C03). This is to ensure that resilience and

continuity are part of the delivered result.

The availability of the critical staff necessary to run the business, but who are not limited to technical

personnel, is a primary challenge. There are hardly any reactive strategies that can be implemented

without the involvement of personnel. No matter how automated companies are, a critical mass of

people must be available to handle processes and manage data, infrastructure and technology

(C05).

There are various threats, ranging from outbreaks of infectious diseases through staff kidnappings

and transport strikes to natural disasters such as floods, which may cause critical staff to be

unavailable. To ensure the business can resume operations and recover, the incident management

team has to be prepared to react with the support of plans and technical teams. The variety of

threats affecting infrastructure, people, processes and technology demands that people with

17


annexes. Challenges to continuity are coded with the initial letter C followed by a two digit number, eg, (C01).



diverse backgrounds need to be engaged to successfully manage resilience and respond to

incidents (C04).

Using the challenge of personnel as an example we can recognise the need to factor in dependencies

with other critical sectors that may, directly or indirectly, affect critical resources or processes. As

regards personnel, dependencies on the transportation and health sectors can be noted. More

dependencies can be recognised for infrastructures, technology platforms and the operational

processes in the energy sector and the intra-sector dependence of ICT, etc. Recognition of the direct

dependencies of critical organisational processes to infrastructures, as well as assessment of the

risks to these assets, is well understood by corporate management.

This is in marked contrast to the hurdle to an understanding of the inter-dependencies that have

developed due to the prevalence of communication technologies. As communications are now an

indispensable component of operations in most critical sectors, disruptions in public communication

networks can be one of the initiating events for a domino disruption of other critical infrastructures.

In effect, a failure of networks can be a cause of failure for their own dependencies in other

sectors. Understanding (inter-)dependencies is critical in avoiding domino failures that have

society-wide consequences (C06). Measures need to be in place to understand the complete supply

chain and not just to focus on internal resilience when the weakest link may lie within third parties.

It is evident that continuity organisation for the resilience of public communication networks

cannot be restricted within the boundaries of organisations owning and operating the networks

(C07). Information required for planning the continuity of inter-dependencies lies with the individual

owners and users and their engagement is necessary. In reality, obtaining the required information

is not a straightforward process, and even when engaging customers and authorities, it is difficult

for these stakeholders to inspect their requirements and control their interests (C08).

In addition, the apparent multitude of infrastructure owners complicates responsibilities, especially

at interconnection points and border crossings where additional motivation to enable

infrastructure management to see beyond their individual responsibilities and act collectively for

mitigation is required (C09). Such an endeavour at the EU level requires major efforts in

coordination and collaborative activities which network providers cannot take up on their own. It is

the governments and EU bodies that should take the lead in these activities. At the same time it is

required of these stakeholders that they have a clear understanding of their needs, which is a

challenge in its own right. Taking up responsibility to scope continuity activities for the good of EU

citizens and bear the costs of such coordination is a major challenge (C10).

Collaboration among the different parties that need to be involved has to be expanded beyond

planning to active participation in the response to incidents, and this leads to yet another challenge,

that of effective communication, command and control, as the increasing number of parties and

levels of authority lead to increased complexity and slow communications and decision-making

(C11). We must remain mindful that communications lay at the heart of both our own activities and

those of our customers; thus we and our customers expect services to be available even during the

coordination of incident response and management.

An indispensable component of organisational continuity is the implementation of business

continuity exercises. There is broad agreement on the limited senior management attention paid to



full scale BCM testing as this might have a disproportional impact on service delivery (C12).

Therefore the standard practice, often dictated by commercial limitations, is table (desktop)

exercises or procedural testing involving senior management. In some cases, occurrences of failures

(eg, power or equipment outages) reinforce the feeling that the measures tend to work putting off

people from additional testing. As a result, functional or technical BC exercises do not take place.

Experience at the level of national exercises also shows that, in those cases, technical testing is not

present. This situation with limited exercises adds an additional challenge with regard to the

effectiveness of existing BC plans within and between organisations (C13). Improvements in our

processes and our capabilities, as well as demonstration of continuous improvement, involve the

conduct of exercises at the appropriate level. Technical testing of communications or IT systems,

desktop walk-throughs of the elements of a plan, simulated full-scale exercises, and finally a full, live

invocation of the plan should also be considered.

Organisational continuity: measures

Measure profile

Name The organisation of business continuity to aim for continuous improvement


Relevant good

practices

BS25999, ISO27001

Shared good practice: use standards as a guide to implementation. Leverage the

learning capability from audits, exercises and incidents.

Description

Identify lessons to be learned and ensure that risks are understood and where possible mitigated. We

must utilise prior knowledge of faults in order to shape an expected envelope of faults or incidents

against which we can prepare. Achieving pro-activeness will allow the development of the predictive

ability required for resilience. BCM units within organisations have to take advantage of real life

events as cases for analysis and demonstrate the need for resilience and mitigation of risk. Analysed

disasters can serve as scenarios for test plans.



2.2 2.2 2.7

Measure profile

Name Balanced pro-active and re-active strategies


Relevant good

practices

Description

Pro-activeness and re-activeness are not opposing forces but rather complementary ones. Proactive

and reactive strategies for mitigating security risks have to be balanced and mutually tuned up. Extra

effort in pro-active measures that can help in localising the effect of incidents can be preferable to

over-engineered re-active strategies.





2.0 1.9 2.2

Measure profile

Name BC organisation seamlessly integrates organisational and operational resiliency


Relevant good

practices

Implement a BCM life-cycle using the ‘plan-do-check-act’ methodology.

To avoid incurring greater overheads, create a balance between politics, people

and goals.

Description

Resilience or security governance (politics, people and goals) must be embedded throughout the

entire company but must not create too much overhead. Embedding culture does not always incur

great cost, but it is a lengthy process, especially for large organisations, and a continuous one. The

first step is implementation of a business continuity management system (BCMS) that includes

measures around the BCM lifecycle and implementation of the plan-do-check-act methodology.



2.3 2.2 2.6

Measure profile

Name Responsibilities for resilience are part of professional behaviour and sociel

responsibility


Relevant good

practices

Description

‘We must remain mindful that communications is at the heart of both our customers’ activities and

our own, and our customers expect the services to be available.’ Awareness activities at all levels are

required. The awareness of senior management, especially, must be reinforced.



2.3 1.8 2.4

Measure profile

Name Extroversive attitude to addressing high magnitude incidents (cross-sector

communication, coordination, and collaboration structures)


Relevant good

practices

Description

Today, many of the risks faced by individual operators are considered and evaluated. However, given



the high degree of dependencies in technical and organisational interfaces (see challenges), there are

numerous risks that are beyond the mitigation strategies of each individual operator. Such threats

and risks cannot be managed and mitigated effectively by a single organisational function. To manage

such risks, cross-sector communication, coordination and a structure for collaboration have to be

established. Risk of systemic or extended disruptions at regional or national level can be effectively

mitigated with shared resources from industry and government. Companies need to account for this

risk by identifying all inter-dependencies. We are only as strong as our weakest link.



2.5 2.1 2.7

Measure profile

Name EU-wide monitoring and early warning on external threats


Relevant good

practices

Shared good practice: some organisations have individually established contacts

with authorities.

Description

Monitoring and early warning on external threats to the network’s information security or resilience

(could include physical, environmental, and/or geopolitical risks)

Extra support from authorities, governments or the EU is seen as required to build a threat radar with

early warning notifications based on weak signals analysis (not only at the technical level).



2.0 1.8 2.4

Measure profile

Name Tracking of exposures of technology platform and mitigation at EU level


Relevant good

practices

Description

Hardware and software vulnerabilities and risk tracking and resolution. A form of shared intelligence,

as network failures effect all. Includes coordinated actions and tracking the progress of mitigation for

critical exposures.



2.0 2.0 2.5

Measure profile

Name Tracking disruption of infrastructure and utilities at EU or National level




Relevant good

practices

Description

Tracking disruptions with intra-sector and inter-sector effects at the EU or national level. This would

need broad cross-sector collaboration that could be facilitated by governmental or EU coordination.



1.8 1.5 2.4

Measure profile

Name Establish or participate in national infrastructure emergency plans

Measure ID 37 Industry status Implemented / Current / Future (Keep one)

Relevant good

practices

Description

National cross-sector emergency procedures have to be established under the responsibility of

(neutral or independent) public organisations. For effective deployment of such structures, public-

private partnerships have to be considered. Scenarios that need to be tested to ensure that plans and

communication channels are agreed and understood need to be identified.



Measure profile

Name Pan-European coordination for cross-border risks


Relevant good

practices

Description

Pan-European structures need to be established in order to manage risks that span national borders

or national responsibilities. This coordination is seen by network operators as a resource intensive

task beyond their financial capabilities and should be driven by authorities at EU level. This measure

could be directed at :

1) Protection availability: best practices, contracts, responsibilities for parties which interconnect international networks 2) Disaster recovery: how we work together cross-border or pan–European.



2.6 2.2 2.4

Measure profile

Name Volunteer ‘virtual’ database of cable infrastructure against accidents during



digging works


Relevant good

practices

Example of implementation in Australia:

http://www.dialbeforeyoudig.com.au/1100/

Description

Establishment of voluntary on-demand information-sharing scheme with third parties to avoid cable

damages due to digging works.

A consideration that needs to be addressed is overcoming limitations due to perceived or actual data

sensitivity. Careful use of shared data, anonymisation and trusted third parties to handle requests

and, possibly, the delivery of the needed information could be considered.



1.8 1.4 2.3

Measure profile

Name BC exercises – senior management awareness


Relevant good

practices

Description

Enhance awareness of senior management concerning necessity of BC testing. Present clearly the

tactics used to minimise service failures.

Involve managers in crisis or incident management and strategic teams (silver and gold teams) and

engage them in desktop exercises.



1.7 1.3 2.3

Measure profile

Name BC exercises on non-technical parts of the plan

Measure ID 42 Industry status Implemented / Current / Future

Relevant good

practices

Description

Perform ‘real’ exercises on critical non-technical parts of BC plan. Increase the maturity of non-

technical parts of BC plan and avoid exercising bottlenecks from the lack of trust in technology

measures.



2.3 2.0 2.1



Measure profile

Name Use BC exercising tactics to increase trust in technology and minimise probability

of failure

Measure ID 43 Industry status Implemented / Current / Future

Relevant good

practices

Description

In order to minimise the impact of failure during an exercise, some of the following tactics could be

used:

Identify time windows to test the recovery of technical components without affecting

operations. This can be challenging due to global, 24-hour nature of businesses; however, as

examples, night periods where usage is low or vacation or holiday periods where a great

percentage of the population is away could be used for testing.

Identify sub-systems that can be tested without affecting important parts of the operated

services. Increase trust in the technology controls.

Avoid keeping systems in-service for prolonged periods without soft-resets, lest risks from

the accumulation of unsaved configuration changes and uncertain system states increase.



2.0 1.8 2.2

Measure profile

Name Assurance of preparedness for business continuity actions


Relevant good

practices

Description

Increase BC assurance by trying to measure:

the understanding of BC plans by individuals; add to key staff roles and job descriptions;

The availability of resources and the actual RTO and RPO that can be achieved.

Increase the complexity of exercises gradually, building trust on the operational capabilities of

technical measures.

Large organisations cannot wait to gain understanding but in the mean time must ensure adherence

to BC policies and processes.



2.3 2.1 2.3

Measure profile



Name Establish a crisis or incident management organisation


Relevant good

practices

Description

A dedicated organisation (team, governance, plans, communication interfaces) is defined and trained

to solve crisis. Crisis organisation should involve senior managers from different departments, such as

engineering, operations, security, legal, logistics, communications, media relations and liaison

officers.



2.3 2.0 2.5

Measure profile

Name Funding of umbrella resilience measures


Relevant good

practices

Description

To find funding for required resilience measures above and beyond the responsibilities of the

network operators.



2.0 1.0 1.67



8. Commercial challenges Customer requirements and the business case

Public communication networks are, for the most part, owned and operated by private

organisations. In order to maintain their capability to operate, generating revenues from the services

they provide must be one of the primary objectives of these organisations. Thus, it is not surprising

that they are constantly examining the business case for their investments and expenditures.

As such, it is important to take into consideration customer requirements. Customers increasingly

rely upon networks for their continuity. At the same time, their needs change as they require and

access new services. Although corporate customers can view resiliency as added value, there still

seems to be limited customer preparedness for spending that would support the development of

resilient services (B01)18.

For the mass market, resilience would not be a differentiator since customers are not yet capable of

factoring resilience into their purchasing choices. Thus, resiliency is considered as a cost centre and

investments are usually prioritised towards the development of new services and functionalities

due to tough competition from other operators (B02). The value added to the end-customer must

be visible.

Costs of resilience and performance indicators

Selling resilience projects internally is also a complex matter, since the challenge to security is that,

when business processes run smoothly (ie, the security or resiliency team has done a good job), the

investment is questioned; but also, should something go wrong with the availability of business

processes, the investment is equally challenged. The key to selling resiliency internally is to provide

quantitative figures that demonstrate business benefit (B04).

Presenting a positive ROI and the value added to the customer should be the next objective pursued.

It is important to be able to quantify the financial impact and ROI of resilience measures, but

appropriate KPIs are lacking (B03). This element is also important for the development of

appropriate national and international public policies on resilience.

Special case: virtual (mobile) network operators

Another business case with an uncertain financial model for resilience is the ‘sharing’ of operator’s

networks with virtual (mobile) network operators (VMNOs), whose operational focus is not on

security and resilience but in selling revenue generating services. Nevertheless, even if VMNOs or

alternative operators do not own the network infrastructures, they are still bound by a set of

national and international regulatory requirements associated with service availability and resilience

in general. However, this conflicts with the focus of VMNOs and alternative operators on achieving

high operational margins by keeping costs as low as possible. This means that resilience issues or

requirements may be addressed in insufficient ways due to pressure to keep costs low (B05).

18


annexes. Commercial challenges are coded with the initial letter B followed by a two digit number, eg, (B01).



The rather short-term strategies of many VMNOs that are implemented through price erosion result

in competitive pressures being increased and may lead operators to reduce their focus on resilience

in order to become more cost efficient and competitive compared to the VMNOs. Thus measures

that help maintaining the balance in spending for resilience measures proportional to the types and

size of network providers can overall increase the adoption of measures for resilience.

Third parties and outsourcing

The increased demand for the deployment of new services as well as the pressure to cut-down on

service costs gives rise to the human resource challenge. In house know-how and experience on

new services and technology, if available, is limited, at least initially (B06).

Therefore, the engagement of third parties in providing innovative equipment and implementing the

various technology platforms is required. In many cases, this involves outsourcing important parts of

network operations and service delivery. In order to properly manage all categories of third parties

involved in service provision, numerous kinds of contracts and contract fulfilment practices need

to be developed (B07).

Third parties can be divided into several categories, each requiring differing approaches in their

management. A third party:

for fibre infrastructure could be a ROW provider who digs up the fibre cable and thus

disrupts service;

for the transmission technology platform could be a maintenance provider;

for the IP protocol could be an interconnection provider who undertakes change activities

that prevent packet delivery or cause degradation, etc.

Some of these categories are made up of consultants, who bring in knowledge of new technologies

and processes. Such consultants, with advanced operational and technical skills, are an important

resource for continuity of operations and knowledge transfer. Their unavailability could have direct

operational impacts on pivotal activities or operations. At the same time, external consultants with

‘low skill levels’ could, instead, be managed using standard outsourcing contracts. When contracting

for outsourcing services, identifying critical consultants who must be subject to internal human

resource management practices is not always straightforward (B08).

Whilst communication operators are outsourcing and engaging in complex partnering programmes,

the due diligence of these relationships when it comes to security (and hence resilience) is rather

limited (B09). Hence network providers must be alerted on the threats that could be faced, such as

the need to reconsider resilience arrangements, but there is a lack of provisions in the contracts for

addressing this need. Furthermore, in other cases, backing off from a failing contract can be onerous

if, as a result, the internal know-how will be no longer present.



Commercial challenges: measures

Customer requirements and the business case

Measure profile

Name Assess and promote customer awareness of resilience issues and needs


Relevant good practices

Description

It is necessary to assess customer awareness of resilience issues. Since resiliency is a relatively new issue, it is not clear how many customers understand it as a qualitative characteristic of a service and how it relates to their portfolios. There are sectors where the need for resilience is obvious and this has led businesses to maintaining their own infrastructure (eg, in banking) in order to guarantee desirable levels of availability. This need for awareness has grown among other sectors through regulatory requirements regarding data protection, continuity capabilities and availability.



2.2 2.2 1.5

Measure profile

Name Identify levels of resilience required in critical infrastructures


Relevant good

practices

Description

Identifying the levels of resilience required in critical infrastructures (eg, financial organisations as

mentioned above) and understanding critical processes is necessary. A clear view of the requirements

will facilitate implementation and the justification of the expenditure.

Despite the efforts of the operators to address this measure, it is proposed that this initiative should

be undertaken at the EU or national level. The key issue here is to identify the gap between the level

of resilience that should exist at the pan-European level and the level of resilience that operators

provide anyway according to their usual practices in network design and operation.



2.0 2.0 2.5

Measure profile

Name Communicate the resilience characteristics of the service to customers


Relevant good

practices

According to licensing obligations, contracts should provide for a certain minimum

level of service availability as well as impose an obligation on the operator to

update the public on service outages. Further and more detailed communication of

the resilience of the service to the customers is not always easy. Apart from

business customers who are resilience aware and sensitive to such issues, the plain

consumer finds it difficult to understand the role of resilience and for that reason

operators do not promote or differentiate their products based on resilience.



Description

Resilience characteristics have to be communicated as an element of the service to customers. Based

on the importance of their business processes, customers can decide the level of QoS (quality of

service) they want with respect to resilience.



2.0 1.7 1.8

Measure profile

Name Marketing of resilience to both private and public organisations to enhance level

of awareness and develop market


Relevant good

practices

Description

Launch awareness campaigns targeted at specific sectors and the respective decision-makers.



2.3 2.2 1.2

Measure profile

Name Regulators to check the availability of necessary functions at the level of VMNOs in order to ensure resilience measures are provided


Relevant good

practices

Description

Resilience requirements to be fulfilled by VMNOs have to be part of their service provision according

to regulatory requirements.



1.5 1.5 1.8

Costs of resilience and performance indicators

Measure profile

Name Establish criteria (qualitative and quantitative) to measure resilience


Relevant good

practices

Within an organization, there are specific measures to characterise resilience in

the various parts of the network and the organization. Risk assessment and BCP

teams are responsible for maintaining an end-to-end picture and proposing

relevant measures in weaker areas.

Description

It is necessary to establish criteria (qualitative and quantitative) to measure resilience. The



establishment of a set of common performance indicators would lead to two advantages: it would

allow for the exchange of information and also agreement on the same concepts. This is a very critical

task for an organization to ensure self-awareness and adoption of the appropriate measures.

It would be useful to frame resiliency and BCM in terms of outcomes (what can be done if you have a

problem) rather than using ‘85% completed’ type figures.

Moreover, the VWG saw the possibility of deriving performance indicators which could be shared

anonymously and these might include:

the % of IT budget to security

the security awareness budget per employee (expressed in monetary terms)

% turnover to network resilience

% BC (business continuity) to network resilience

% of employees working on BC who belong to IT areas

% of external employees working on BC

rotation of external employees working on BC

average hours of training on network resilience per employee working on BC

the % of incidents with an impact on clients of more than 1 hour.



1.7 1.8 2.3

Measure profile

Name Generate a flexible operational framework for gathering data on resilience

performance measures to enable a confidential benchmarking exercise to take

place (see also KPIs)


Relevant good practices

Shared good practice: some operators make use of such benchmarks internally between their own networks in order to share best practice and ensure a proper level of resilience.

Description

Data on security incidents, measures, threats and risks have to be prepared. The activities of security

or resiliency teams have to be actively communicated to maintain the necessary awareness of the

(good) work that is being performed (eg, to counter the attitude that ‘everything runs smoothly, so

why do we need a security investment?’).



2.0 1.9 2.3

Third parties and outsourcing

Measure profile

Name Outsourcing should be restricted to the ‘do’ or eventually to the ‘act’ dimensions.

‘Plan’ and ‘check’ should stay within the company as they are steering activities.




Relevant good

practices

Successful outsourcing agreements rely on appropriately planned contracts and

SLAs and the ability of the operator to control and enforce the SLA.

Description

Outsourcing, if not properly designed and controlled, may deliver gaps in resilience. The act of

outsourcing is a cost-efficiency initiative, but avoiding resilience gaps must not be considered a cost

centre. The first point of attention when deciding to engage a third party is the detailed selection and

definition of the scope of the contract by cautiously selecting the activities to be outsourced. The

organisation should not lose the ability to control the process and the assurance that it delivers as

expected. A useful approach to this end is the separation of the activities into the four phases of the

PDCA model (plan–do–check–act). Activities that fall under the ‘do’ phase are the first candidates for

outsourcing. The organisation has the process under control through the activities that are part of the

‘plan’ phase and can provide assurance on the delivered outcome through the activities taking place

in the ‘check’ phase. The activities under the ‘act’ phase require careful consideration as they

constitute the basis for improving business processes and locating the causes of inefficiencies, but at

the same time they can benefit from knowledgeable external consultants.



1.8 2.0 2.4

Measure profile

Name Third party contracts must address topics relevant to security and resilience

within an SLA


Relevant good

practices

Shared good practice: standard practice in contracts. All contracts are reviewed by

the security department, which is considered a standard requirement from third

parties.

Description

Topics that must be addressed within the SLA, besides the exact description of the service to be

delivered, are: information security requirements, physical security requirements, BCM requirements

and the engagement of third parties in the plans and expected performance levels, training and

awareness requirements, and legal requirements.



1.6 1.9 2.9



9. Regulatory challenges Telecommunications networks and the provision of their services are regulated at the EU level

through directives and at the national level with more specific laws. Over the years, the regulations

and corresponding laws have been changing in attempts to address several issues such as telecoms

liberalisation, online crime, collaboration with law enforcement and privacy issues for end-users.

Synchronisation of the EU level directives with their adoption at the national level is subject to the

approaches taken by the individual Member States, which are influenced by their cultures and

constitutions, the interpretations of their law-makers and the needs of their markets. This situation

illustrates the lack of EU harmonization on regulatory requirements for networks that seriously

obstructs standardisation (which is what networks are built on) or even makes it next to

impossible to achieve (R01).

For example, the data protection retention laws, if not carefully weighted, can affect the ability to

plan due to the unavailability of historical traffic data. At the other extreme, there is the potential to

overload the systems with inordinate data collection and retention. This also increases the

implementation costs of the logging systems. Implementation of lawful intercepts and monitoring

capabilities introduces similar concerns.

It is thus obvious that a network spanning more than one EU Member State may be required to

implement contradictory laws. Overall, regulation complexity may have impacts that increase the

vulnerability of the implementation of fibre or facilities, voice or data, systems and products.

Regulatory challenges: measures

Measure profile

Name Promote harmonized regulatory initiatives that complement, support and

encourage resilient organisations


Relevant good

practices

Description

Liaise with governments to proactively shape regulatory initiatives to reflect the actual profile

of the risks.

Harmonize regulatory requirements for resilience in EU members.



2.4 1.8 2.2



10. Conclusions This virtual working group (VWG) gathered experienced professionals together from network

operators throughout the EU Member States to discuss the challenges posed by resilience in public

communication networks. Our discussions exposed out many of these challenges and the efforts of

the network operators to address them. Despite the limited resources available, the group managed

to address a wide range of challenges and to provide valuable results.

Arriving at a common understanding of the key definitions for public communications networks and

resilience was a much needed step to successfully frame the work of this group and identify what

can be useful targets for resilience-related activities at the European level. Through the resilience

targets set, each category of stakeholders – be they network operators or authorities – can identify

the key activities and roles needed to successfully deal with the goal of resilient public

communications networks, both nationally and on a Europe–wide scale.

The challenges that were identified show that many things need to be done towards achieving

and/or sustaining the targets for resilience. At the same time, it became evident that achieving these

targets is not solely in the hands of network operators nor is it feasible in a single step. Rather, it

consists of a collective effort by multiple players that has to be undertaken at various levels (eg,

technological, organisational, legal, etc). Furthermore, the environmental aspects and challenges

described in the business and regulatory challenge areas depict the difficulty of undertaking large

investments in resilience without jeopardising the stability of organisations.

At the end of the day, network operators have to be profitable organizations. As they operate in a

highly competitive environment, this leads to a strong focus on lucrative marketing activities and

optimized investment plans. Stimulating market growth to sustain improvements in resilience is

much needed in this area. To this extent, the development of metrics to reflect the increase in both

resilience and ROI can be considered of key importance. In addition, supplying sufficient information

to regulators to promote resilience-friendly initiatives and regulation is also required.

The picture was completed by further challenges in the four areas identified: (physical)

infrastructures, technology platforms, operational processes and people, and organisational

continuity. Without a doubt these are areas where activities should be undertaken and measures –

some of them identified by the VWG – can be implemented to successfully cope with the challenges.

Diversity, density and sufficient capacity are central issues for infrastructures such as physical cable

routings, cable landing stations, fibre border crossings, backhaul connectivity and IXPs. The rating of

measures we undertook shows that mitigation of the risks to resilience should be directed towards

transparency in the infrastructures, the development of KPIs for resilience, and collaboration with

national authorities for critical infrastructure. Standard information security practices (ie, good

practices) should be also considered for the effective mitigation of risk at low costs.

Technology platforms offer their own challenges and, while innovation is the corner stone of their

evolution, the assessment of their maturity is still a primary challenge. Protection of the core

protocols from attacks is crucial in avoiding systemic failures. Vendors are required to support

technologies in all the steps of a project by explicitly addressing protection and overall resilience.

This includes assessing the risks and implementing their mitigation. Network providers must pay



attention to the whole life-cycle of all technologies and equipment used. At an early stage, new

project teams must be equipped with expertise in resilience, business continuity and information

security, and deployments need to include incident detection and management capabilities.

Operational processes need to follow existing standards and good practices in order to maintain

their effectiveness during security incidents, and to provide good integration and interoperability. In

particular, good practices for interconnection operations and maintenance are mentioned. Such

good practices are also helpful in addressing personnel learning curves for new skills and, coupled

with effective work instructions, can minimise errors and long recovery times.

The propagating effects of faults and attacks across networks require information sharing and good

communication across organisations for effective mitigation. This is even more challenging when it

involves organisations in different countries. With operational risks constantly increasing through

new threats appearing in the technology area, measures for mitigation are very important. Shutting

down or quarantining users is currently used to protect from relevant threats and it marginally

passes the threshold for being rated as very effective. At the same time, dedicated cyber threat

detection and mitigation capacity is a current measure that is seen as extremely important, though a

very costly one. An additional EU-wide monitoring and early warning system on external threats

would be a potentially very important improvement for handling risks. The need for resilience

metrics and KPIs is again documented and some members of the group actually undertake internal

benchmarking exercises to ensure a proper level of resilience.

Regarding the challenge area of organisational continuity, several counter-measures are relevant to

achieving better foresight for emerging risks and threats and in understanding the domino effects of

inter-dependencies with other critical infrastructures. A mature internal organisation will seek

continuous improvement and strike a balance between policies and practices. In addition, it is

broadly understood that co-ordination is needed for actions beyond the borders of a single

organisation. Again, the group believes that the EU and Member States have a vital role to play.

Yet, it is pointed out that authorities and customers are not completely aware of the requirements

imposed on them and thus they cannot check their fulfilment; consequently the steering of activities

relating to resilience is cumbersome. Extra motivation is needed to ensure individual organisations

and involved stakeholders contribute their part of the shared responsibility, especially where

measures in mitigation span areas of responsibility.

Facilitating regulation and public funding can support the implementation of counter-measures.

Other areas where such measures are still not delivering the desired results are: slow

communication, and decision-making structures that support emergency response and business

continuity where limited uptake of complex exercises limits the assurance of plans for continuity. For

these challenges, many of the counter-measures are rated as future enhancements, while others

have a mixed level of adoption by the industry. At the same time, many of these measures are

characterised as time consuming.

At national and EU levels, the following measures were identified as important:

pan-European coordination for cross-border risks, including required funding

collaboration with national authorities for the protection of critical infrastructure



promotion of regulatory initiatives that complement, support and encourage organising to

ensure resilience

establishing or participating in emergency plans for national infrastructure

tracking the exposures of technology platforms and progress in mitigation

tracking disruptions to infrastructure and utilities at EU or national level

identification of the levels of resilience required in critical infrastructures

establishing a volunteer ‘virtual’ database of cable infrastructure to protect against accidents

during digging works.

The challenges discussed, relevant threats and measures can play an important role in shaping a

picture of the hurdles every network operator, regardless of size and maturity, will have to face in

several cases. The proposed ratings for measures can help resilience managers in network providers

understand the trends in the mitigation of resilience in the industry. When combined with the

targets for resilience presented in this work, this information can set the first-level vision for

resilience in public communication networks. Further elaboration of the information provided can

be the starting point for forming a constructive agenda of collaboration between public and private

stakeholders in the area of resilience.



Annex A: Measures ratings The table in this Annex provides an overview of the identified measures and ratings. In addition, mapping to the relevant challenges is provided. The right

most part of the table contains the measure rating calculated on the basis of a confidential rating exercise completed by the majority of the group

members. When interpreting these ratings you should take into account that they are based on the perception of the experts and not in official corporate

data. The intent of this effort is to provide indications and directions; thus interpretation of this table as a prescription for solutions to problems in

resilience is to be avoided. Please consult the section, About the measure rating, in Chapter 2 for help in reading and understanding the ratings.

Measures & Challenges Measure rating

ID Title Challenge IDs

Tim

e t

o

imp

lem

en

t

Co

st

Imp

act

on

re

silie

nce

Ind

ust

ry

stat

us

1 Shared infrastructure management responsibilities I07 I08 2,3 1,7 2,3 I

2 Critical assets (including shared infrastructure and third party services) are within the scope of information security management

I01 I02 I06 B08 B09 2,3 2,0 2,5

C

3 Shared infrastructure components included in risk assessments and business impact assessments

I01 I02 I03 I04 I08 C06 2,4 2,0 2,4

I

4 Shared component (infrastructure or service) audits results are communicated to the users

I01 I02 I03 I06 I08 O05 2,0 2,0 1,1

F

5 Shared infrastructure incidents reporting is a mutual obligation, requiring appropriate interfaces and procedures

I06 I08 O07 O08 1,5 1,6 1,3

CF

6 Shared infrastructure or co-location - develop resilience ratings and KPIs I01 I02 I03 I07 O05 B03 2,0 1,8 2,0 C

7 Transparency of shared physical infrastructures and identification of critical parts

I01 I02 I04 O05 1,8 1,7 2,1

I

8 Owners of critical infrastructure components establish and maintain permanent trustworthy communication channels

I08 C07 2,4 1,7 2,6

CF

9 Exercises include communication channels and emergency plan testing with inter-dependant critical infrastructures

I06 C09 C11 2,2 2,5 2,4

F

10 Participate in forums addressing cross-organisational collaboration issues I08 C06 C11 1,3 1,2 1,5 I



11 Collaborate with national authorities for critical infrastructure protection I08 C06 C11 1,8 1,3 2,3 IC

12 Interconnection & peering, operation and maintenance good practices I05 I06 O06 O07 1,8 1,6 2,0 I

13 Interconnections & Peering code of ethics I05 O08 B07 2,0 1,3 1,2 F

14 New technologyplatforms are assessed for resilience features and compatibility

T01 T02 T08 2,6 2,7 3,0

I

15 Risk Management used for critical components and processes T03 T04 O05 2,2 2,0 2,4 IC

16 End-point security practices, awareness raising T07 2,5 2,0 1,7 C

17 End-point access shutdown or quarantine T07 O05 O05 1,4 1,6 2,2 C

18 End-user notification of incidents T07 1,8 1,4 1,3 F

19 End-user incentives for practicing secure computing T07 1,5 1,3 1,6 C

20 Incident reporting and communication to stakeholders I06 I08 1,9 1,3 1,5 C

21 Operational processes are integrated with established information flows O01 2,3 2,1 2,7 I

22 Cyber threats detection & mitigation is a high priority assigned specific resources

O02 O06 2,5 2,7 3,0

C

23 Operations & Network Management personnel participate in schemes for knowledge sharing with vendors

O02 O03 O05 O08 B06 1,6 1,3 1,8

I

25 Operations and network management uptake and usage of existing standards and best practices

O01 O02 O03 O05 2,0 2,1 2,8

C

26 Design documentation of procedures and work instructions for effective use under high pressure

O02 B06 1,5 1,5 2,4

IC

27 Operational process measurements for resilience indicators are routinely collected analysed and acted upon

O05 O02 1,8 1,6 2,5

F

28 Network monitoring is used and data analysed and acted upon O06 O05 2,0 2,3 2,7 IC

29 Proactively structure operational responses for incidents requiring third party participation

O07 C09 C11 B09 C13 2,2 2,2 2,0

F

30 Business continuity organisation aims for continuous improvement C01 C02 2,2 2,2 2,7 IC

31 BC Organisation seamlessly integrates organisational and operational resiliency

C02 C03 C04 2,3 2,2 2,6

C

32 Resilience responsibilities are part of professional behaviour & societal responsibility

C05 C08 C09 C12 2,3 1,8 2,4

C



33 Promote regulatory initiatives that complement, support and encourage resilience organisation

C07 C09 C10 C12 R01 2,4 1,8 2,2

C

34 Balanced pro-active and re-active strategies C01 C03 C05 C13 2,0 1,9 2,2 IC

35 Extroversive attitude to addressing high magnitude incidents (cross sector communication, coordination and collaboration structure)

C06 C07 2,5 2,1 2,7

C

36 EU wide monitoring and early warning on external threats C01 C04 C07 O08 2,0 1,8 2,4 C

37 Establish / participate in National infrastructure emergency plans C06 C07 C10 2,5 2,4 2,3 IC

38 Pan-European coordination for cross-border risks C07 C10 C11 2,6 2,2 2,4 F

39 Volunteer “virtual” database of cable infrastructure against digging works accidents

I01 C07 C10 1,8 1,4 2,3

F

41 BC exercises –Senior management awareness C12 1,7 1,3 1,9 C

42 BC exercises of non-technical parts of the plan C13 2,3 2,0 2,1 ICF

43 BC exercising tactics to increase trust in technology and minimise failure probability

C12 C13 2,0 1,8 2,2

ICF

44 Assurance of business continuity preparedness C13 2,3 2,1 2,3 IC

45 Assess & promote customer awareness of resilience issues and needs B01 B03 B04 2,2 2,2 1,5 F

46 Identify levels of resilience required in critical infrastructures B01 B03 B05 C07 2,0 2,0 2,5 C

47 Communicate to customers the resilience characteristics of the service B01 B02 B03 B05 2,0 1,7 1,8 C

48 Marketing of resilience for both private and public organisations to enhance level of awareness and “generate” market

B01 B02 B03 B04 2,3 2,2 1,2

F

49 Regulators should check the availability of necessary functions at the level of VMNOs in order to provide resilience measures

B05 1,5 1,5 1,8

F

50 Establish criteria (qualitative, quantitative) to measure resilience B04 B05 O05 1,7 1,8 2,3 F

51

Generate a flexible operational framework for gathering data on resilience performance measures to enable a confidential benchmarking exercise to take place (see also KPIs)

B03 B04 O03 O05

2,0 1,9 2,3

F

52

Outsourcing should be restricted to the “Do” or eventually “Act” dimensions, Plan and Check should stay within the company as they are steering activities

B07 B08 B09

1,8 2,0 2,4

I



53 Third party contracts must address topics relevant to security and resilience within an SLA

B07 1,6 1,9 2,9

I

54 Infrastructure interdependencies – Focus on identifying practical issues and risk mitigation

I08 C07 C09 2,0 2,0 2,8

F

55 Life Cycle - Design & Implementation: New project teams include Resilience, BC, RM, IS experts

T03 C03

2,2 2,2 3,0 C

56 Life Cycle - Design & Implementation: Vendor RFIs and RFQs explicitly request resilience considerations to be addressed

T01 T02

1,7 1,7 2,4 I

57 Life Cycle - Design & Implementation: Vendors to deliver risk assessment report and risk mitigation practices for new deployments

T03 T05 O05 1,8 2,0 2,6

C

58 Life Cycle - Design & Implementation: Full Integration with OSS/BSS is part of all deployment projects

T02 T03 O01 O02 2,5 2,7 2,6

I

59 Life Cycle - Design & Implementation: New platforms assured compatibility with existing infrastructure

T03 T04 2,3 2,6 2,9

I

60

Life Cycle - Commissioning & Acceptance: Technology platform deployments establish Incident detection, response and Incident Management early in the process.

T03 T05 O05

2,2 2,0 2,4

IC

61 Life Cycle - Commissioning & Acceptance: Technologyplatform acceptance testing incorporates resilience features of the system

T02 T03 C12 C13 2,0 2,2 2,3

I

62 Tracking of technology platform exposures and mitigation at EU level C04 C09 2,0 2,0 2,5 C

63 Tracking infrastructure and utilities disruption at EU or National level C06 C09 1,8 1,5 2,4 CF

66 Funding of umbrella resilience measures C09 C10 2.0 1.0 1.67 F

68 Crisis/Incident Management Organisation C02 C04 1,8 1,8 2,6 IC



Annex B: EU / Member State level measures

ID Title

Tim

e 2

Imp

l

Co

st

Imp

act

on

Re

silie

nce

Ind

ust

ry

Stat

us

10 Participate in forums addressing cross-organisational collaboration issues 1,3 1,2 1,5 I

11 Collaborate with national authorities for critical infrastructure protection 1,8 1,3 2,3 IC

33 Promote regulatory initiatives that complement, support and encourage resilience organisation 2,4 1,8 2,2 C

36 EU wide monitoring and early warning on external threats 2,0 1,8 2,4 C

37 Establish / participate in National infrastructure emergency plans 2,5 2.4 2.3 IC

38 Pan-European coordination for cross-border risks 2.6 2.2 2.4 F

39 Volunteer “virtual” database of cable infrastructure against digging works accidents 1.8 1.4 2.3 F

46 Identify levels of resilience required in critical infrastructures 2.0 2.0 2.5 C

49

Regulators should check the availability of necessary functions at the level of VMNOs in order to provide resilience

measures

1.5 1.5 1.8 F

54 Infrastructure interdependencies – Focus on identifying practical issues and risk mitigation 2.0 2.0 2.8 F

62 Tracking of technology platform exposures and mitigation at EU level 2.0 2.0 2.5 C

63 Tracking infrastructure and utilities disruption at EU or National level 1.8 1.5 2.4 CF

66 Funding of umbrella resilience measures 2,00 1,00 1,67 F



Annex C: Mapping Measures to Challenges

Infrastructure Challenges & Measures

ID Description Measures ID

I01 - Logical diversity v physical

cable routing density and

separacy

a high number of logical connections over far fewer and more densely routed

physical cables are generating diverse logical architectures in which separacy

in the routing of physical cable is not assured

02 03 04 06 07 39

I02 - Limited diversity, Capacity

& pinch points, backhaul, cable

landing stations, cable border

crossings, submarine cables

Limited diversity and capacity of cable landing stations, submarine cables,

backhaul connectivity and border crossing locations can jeopardise backbone

connectivity.

02 03 04 06 07

I03 - EU traffic concentration at IXPs and high magnitude events

Especially when considering threats of high magnitude IXP diverse locations

in the same city or even in the same country may just not be enough for

those locations that service an important percentage of the EU traffic.

03 04 06

I04 - private interconnections,

unknown effects to resilience

it is not possible to identify and take into account the effects of private

interconnections to the resiliency without an extensive involvement of the

industry.

03 07

I05 - Interconnection/peering = Location, Protocol, Policy

While the physical aspects of the interconnection have been discussed in this

section the protocol and policy aspects need also to be taken into account.

12 13

I06 - Shared risks of poor

infrastructure management

When vulnerabilities arise from poor management and maintenance

practices, these will affect all services of all users sharing this component.

02 04 05 09 12 20

I07 - Shared Infrastructure,

majority vote = cumbersome

vulnerability management

Cumbersome handling of vulnerabilities may arise where a majority vote of

different organisations is required to implement an overall mitigation /

resilience strategy.

01 02 06

I08 - Infrastructure

management, individual vs.

collective responsibility for

mitigation

Handling of shared risk requires extra motivation to enable infrastructure

management to see through the individual responsibilities and act

collectively for the mitigation.

01 03 04 05 08 10 11 20 54



Technology Challenges & Measures


T01 - Emerging technologies = unknown impact to resilience

Emerging technologies whose impact on the resilience of the current

telecommunication infrastructures is currently unknown

14 56

T02 - Assessing the maturity of techs and implementations

Assessing the maturity of the technologies themselves as well as the

maturity of the implementations can be extremely hard.

14 56 58 61

T03 - New techs & Implementations bring functionality & vulnerability

while new technologies offer solutions to well known problems they still

introduce new vulnerabilities that need to be identified and addressed

15 55 57 58 59 60 61

T04 - Old technologiesissues, scalability, vulnerable, costly maintenance

Older technologies may be limiting the network in terms of scalability or

contain vulnerabilities that may not be feasible to address

15 59

T05 - IP Control plane retrofitted with functionality

As the control plane of IP networks is retrofitted with more functionality

new threats and vulnerabilities are certain to surface.

56 57 60

T07 - End point devices used for attacks

In this respect the security of the network and of customer end point

devices has been identified as a major challenge

16 17 18 19

T08 - Late standardisation & interoperability testing

It is a fact that interoperability testing between different vendor solutions

and standardisation lacks behind the deployments

14



Operations Challenges & Measures


O01 - Standardisation & Technology- Process integration

standardizing procedures and achieving the full integration of the network management processes with the changing network is a continuous challenge.

21 25

O02 - Complexity and integration=Many human errors, slow recovery

As a consequence of the complexity and the integration mismatches the probability for failures and human error increases as well as the duration of the problem resolution.

22 23 25 26 27 58

O03 - New skills, human learning curve

challenge of human factor due to the low experience of personnel for the first period of technology introduction

23 25 51

O05 - Operational risk variety The current (network management) processes need to be adapted to handle the blur areas of operational risk from operational maintenance and fault resolution, resilience / BC plans, to maintaining the various proprietary platforms through the lifespan of the technology

04 50

06 51

07 57

15 60

17 23 25 27 28

O06 - Cascading impact of operational errors (e.g. BGP mis-configuration)

network disruptions of small networks or providers can have an impact on the operations of larger one;

22 28 12

O07 - Operational processes do not reflect network infrastructure inter-dependency

Organisations are interdependent for addressing those threats and risks reaching beyond organisational boundaries,

22 24 29 05 12

O08 - Cross border operator presence, info sharing, communication and collaboration

Communication, information sharing and collaboration are a key challenge especially because of the global nature of the network and cross border and international operator presence.

05 13 23 24 36



Commercial – Regulatory Challenges & Measures


B01 - Limited customer spending in resilient services

still there seems to be limited customer preparedness for spending that would support the development of resilient services

45 46 47 48

B02 - New development priority over resilience

resiliency is considered as a cost centre and investments are usually prioritised towards the development of new services and functionalities due to tough competition from other operators.

47 48 64

B03 - Lack of resilience KPIs - ROI

It is important to be able to quantify the financial impact and ROI of resilience measures, but appropriate KPIs are lacking

45 46 47 48 51 06

B04 - Resilience expenditure must prove business benefit

The key to selling resiliency internally is to provide quantitative figures that demonstrate business benefit.

45 48 50 51

B05 - Resiliency in VMNOs pressed by budget

This means that resilience issues or requirements may be addressed in insufficient ways due to pressure in keeping costs low.

46 47 49 50

B06 - Rapid deployments = limited internal know-how

In house know-how and experience on new services and technology, if available, is limited, at least initially

23 26

B07 - Multitude of contracting agreements (SLAs)

In order to properly manage all categories of third parties involved in service provision, numerous kinds of contracts and contract fulfilment practices have to be developed.

13 52 53

B08 - Critical consultants as single point of failure

Identifying critical consultants that must be subject to internal human resource management practices is not always straightforward.

02 52

B09 - Difficulties of due diligence in outsourcing

the due diligence of these relationships when it comes to security (and hence resilience) is rather limited.

02 29 52

R01 - Lack of harmonization in EU regulations obstructs standardisation

The lack of EU harmonization on regulatory requirements for networks that seriously obstructs standardisation (which is what networks are built on) or even makes it next to impossible to achieve

33



Continuity – Regulatory Challenges & Measures


C01 - Limited foresight to

emerging and future risk and

threats

There must be the ability to proactively recognise and adapt to changes that may lead to disruption in either a slow or abrupt way.

30 34 36

C02 - Effort to balance policies

and practices/processes

This illustrates the difference between policies (good for strategy) and process (good for operational reactive actions). What is needed is the alignment of practice with policy.

30 31 68

C03 - Projects may miss

resilience considerations /

expertise

It is thus necessary to get designers and security people together when technological, implementation or business projects are in their infancy

31 34 55

C04 - Resiliency management

needs multi-discipline teams

not easily available

The variety of threats affecting infrastructure, people, processes and technology demands that people with diverse backgrounds need to be engaged to successfully manage resilience and respond to incidents

31 36 62 68

C05 - Crisis staffing

requirements

a critical mass of people must be available to handle process and manage data, infrastructure and technology.

32 34

C06 - Network failures can

cause a domino effect

a failure of networks can be a cause of failure for their own dependencies in other sectors. Understanding (inter-)dependencies is critical in avoiding domino failures that have society-wide consequences

03 10 11 35 37 63

C07 - PCN continuity cannot be

scoped on organisational

boundaries

continuity organisation for the resilience of public communication networks cannot be restricted within the boundaries of organisations owning and operating the networks

08 33 35 36 37 38 39 46 54

C08 - Authorities, customer

fuzzy requirements and

direction

Even when engaging customers and authorities it is difficult for these stakeholders to inspect their requirements and control their interest

32

C09 - Borders of responsibility

jeopardize collective mitigation

additional motivation to enable infrastructure management to see beyond their individual responsibilities and act collectively for mitigation is required

32 33 62 63 66 09 29 54

C10 - Ownership and cost of

coordinating EU wide resilience

Taking up the responsibility to scope continuity activities for the good of EU citizens and bear the costs of such coordination is a major challenge.

33 37 38 39 66



C11 - Slow communication and

decision making

the increasing number of parties and levels of authority lead to increased complexity and slow communications and decision making.

09 10 11 29 38

C12 - Management reluctance

to tackle risks of BC testing

Limited senior management attention to full scale BCM testing as this might have a disproportional impact on service delivery.

32 33 41 43 61

C13 - Limited assurance of BC

plans

This situation (limited exercises) adds an additional challenge with regard to the effectiveness of existing BC plans within and between organisations.

29 34 42 43 44 61



Annex D: Mapping Threats to Challenges

Threats 2 Challenges

Infr

astr

uct

ure

Tech

no

logy

Op

erat

ion

s

Co

nti

nu

ity

Co

mm

erci

al

Re

gula

tory

Resources (e.g. technical/organisational components, staff, buildings, etc.) as Single-Points-Of-Failure

X X X

Unavailability of, problems with Shared Infrastructure (Buildings/ROW) X X

Failing of ROI/Financial Investment X X

Infrastructure degradation (non-malicious) X X

Ineffective, immature Operations/Service Management X X

Ineffective, immature Capacity /Inventory Management X X

Ineffective, immature Change/Configuration Management X X

Human error X X X X X

Ineffective, immature Human Resource Management X X X X

Ineffective, immature Continuity Planning X X X X X

Power/Facility failures X X X X

Ineffective, immature Technology Maintenance (Hardware/Software) X X X

Poor implementation design X X X

Ineffective, immature Network/Systems Management X X X X X

Ineffective, immature Out-Network-Management, problems with Interconnects X X X X

Internal Security threats X X X X X

Problems with peering/transit X X X

Loss of data integrity X X X X X

Network Management process unavailability (due to facility failure or other incident affecting OSS)

X X X X

Lack of awareness regarding resilience issues (added retrospectively) X X X

ROW (Public/Private) degradation/disruption X X X X

Physical malicious disruption/attacks (direct/indirect) X X X X X

Infrastructure disruption (non-malicious) X X X X X

Environmental influences (e.g. weather, radiation, earthquakes, etc.) X X X X

3rd Party failures (contracted/non-contracted) X X X X X

Unfavourable market conditions X X X

Non-compliance to regulatory requirements (direct/indirect) X X X

Imprecise, misleading regulatory definition (direct/indirect)

Unavailability of, problems with Shared Infrastructure X X X X

Shared infrastructure failures (peering exchanged/capacity) X X X

Shared infrastructure failures (transit/peering) X X X

Malicious disruption/attacks (direct/indirect) X X X X X

Network malicious attacks, malware, exploits, affecting the integrity of core network components, such as routers

X

Network malicious attacks, DDOS affecting critical network elements X

Network Hardware/Software failures/degradation X X X X

Technology failures X X X X

Technology failures/BUGs X

Police/Agency intercepts (direct/indirect) X X

Fraud (Telephony/VOIP) X X X X



Fraud (IP/VOIP) X X X

Fraud/Phishing X X X

Network Malicious Attacks (Malware, SPIT, etc.) X X X

Malware/Access and code attacks X X X X

ET16 External partner is lacking awareness of resilience issues (added retrospectively)

X X X

Operational errors exacerbated by frequent changes of the operating environment (technology/network evolution)

X X

Sabotage / Insider threat X X

Bogus HW/SW implementations X

Introduction of zero-days vulnerabilities due to the new components and changes in configurations.

X

Late problems detection (e.g. late detection of problems delay the initiation of crisis management procedures)

X

Inadequate/immature measures to contain threats DoS, SPAM, SPIT X

Deciding on common resilience requirements periodical readjustment and customization

X X

Planning and deployment efforts to accommodate each participating operator's capacity needs as well as resilience

X

The loss of infrastructure diversity and thus resilience that provides the presence of separate base stations, for each operator

X

BGP mis-configuration X

Lose the control of the services and infrastructures, loss of technology platforms integrity, the network nodes are “owned” by adversaries

X

Ineffective monitoring of third parties X

Uncontrolled sub-contracting practices by third parties X

Unethical behaviour of third party X

Over dependence / lock-in on a single contractor for network provision/operation.

X

SLA violations; regulation/law violations X

Overestimating the costs of countermeasures /underestimating the impact of failures

X

ct of failures X

network resilience and security: challenges and measures · 2017-10-03 · network resilience and...

Documents