A total of 157 telecom outages were reported by the 28 EU member states and 2 EFTA countries, as part of the EU-wide telecom security breach reporting for the year 2018. Today ENISA, the EU Agency for Cybersecurity, publishes the 8th annual report on telecom security incidents, analyzing root causes, impact, and trends.

For the full report please visit: Annual Report Telecom Security Incidents 2018

In total the incident reports add up to 960 million user hours lost, i.e. an average of around 2 hours per subscriber per year. User hours is a metric that is used to quantify the impact of an incident, by multiplying the number of subscribers affected and the duration of the incident.

Natural phenomena are the dominant root cause, accounting for 480 million user hours, i.e. 50%.

System failures are the most common root cause with 67% of the incidents, but for the first year natural phenomena account for more impact in user hours. System failures are often hardware failures and software bugs.

Over the last few years there has been a big increase in the overall impact of natural phenomena, and at the same time a drop in the impact of system failures.

15% of the incidents involved a power cut, but incidents caused by power cuts account for 496 million user hours lost, i.e. more than half of the total impact.

Power grid dependencies are increasingly important for the EU’s telecom sector. Many incidents follow the same pattern: a natural phenomenon (storm, wildfire, etc.), then a power grid outage, then a communication service outage. Across the EU, authorities and providers are working to address this issue, ensuring continuity with backup power supplies, addressing weaknesses, and developing other contingency measures.

Udo Helmbrecht, the Executive Director of ENISA, says: "It has been 10 years since ENISA started working closely with the telecom sector and the telecom NRAs to implement the security requirements of the EU telecom legislation. The NIS directive, which came into effect in 2018, extends these security requirements to many other critical sectors. For ENISA however, the telecom sector remains an important focus area. The new European Electronic Communications code, the revision of the e-Privacy directive and the recent discussions around the deployment of 5G again show how critical this sector is for Europe."

CIRAS – Cyber Incident Reporting and Analysis System

To support the incident reporting process ENISA developed CIRAS, a tool for reporting security incidents. An anonymized set of data is publicly available, allowing visual and custom analysis for specific services, assets, or root causes. https://www.enisa.europa.eu/topics/incident-reporting/for-telcos/visual-tool

Multi annual trends in a nutshell

Looking back at the last 7 years of annual incident reporting we see a few trends:

The total number of reported incidents across the EU has stabilized at around 160 per year.

The average size of incidents, in terms of impact, is dropping rapidly. This may be due to changes in network architecture and/or lower reporting thresholds.

Overall impact of natural phenomena is trending up rapidly since 2016, while system failures are decreasing in size.

For each root cause category the number of incidents is relatively stable: around 65% of incidents are system failures, 20% human errors, 10% natural phenomena, 5% malicious actions.

ENISA steps up its efforts to support the EU Member States

ENISA is closely working with European national regulatory authorities and experts from the private sector to prepare the ground for the upcoming changes generated by the European Electronic Communications Code (EECC). At the same time, ENISA is identifying and exploiting synergies between the different pieces of EU legislation, addressing cross-cutting issues, cross-sector dependencies, and cross-border supervision.

Background information

In the EU, electronic communication providers have to notify significant security incidents to the National Regulatory Authority (NRA) in their country. At the start of every calendar year the NRAs send a summary about these incidents to ENISA. This document, the Annual Report Telecom Security Incidents 2018, covers the incidents reported by NRAs for 2018 and gives an anonymised, aggregated EU-wide overview of telecom security incidents.

Security breach reporting has been part of the EU’s telecom regulatory framework since the 2009 reform of the telecom package: Article 13a of the Framework directive (2009/140/EC) came into force in 2011. The breach reporting in Article 13a focuses on security incidents with significant impact on the operation of services, i.e. outages of the electronic communication networks and/or services.

At the end of 2020 the new European Electronic Communications Code (EECC) comes into effect, extending the scope of breach reporting to include, for instance, confidentiality breaches, and extending the services in scope to include (over-the-top) interpersonal communication services like WhatsApp and Skype. ENISA is currently working with the NRAs to prepare the ground for reporting and security supervision under the EECC.

The Article 13a Expert Group was started by ENISA, under the auspices of the European Commission, back in 2010 with the goal of bringing together experts from NRAs from across the EU to agree on a practical and harmonized approach to the security supervision requirements in Article 13a and to agree on an efficient and effective incident reporting process. The group is now chaired by Warna Munzebrock, a representative of the Dutch Radiocommunications Agency. The Article 13a Expert Group meets 3 times per year and its work and deliverables can be found at: https://resilience.enisa.europa.eu/article-13
