Current Challenges in EU Telecom Security
What is the current state of security for telecommunications in Europe and what are the challenges telecom companies are facing to keep our communication secure? Dr Dan Tofan, from the EU Cyber Security Agency, ENISA, gives insight into the challenges.
In 1962-1963, Joseph Carl Robnett Licklider developed the early idea of what we currently call the Internet. Through a series of essays, he came up with the concept of “Intergalactic Computer Network” as “[…] a thinking center that will incorporate the functions of present-day libraries together with anticipated advances in information storage and retrieval […]. […] a network of such centers, connected to one another by wide-band communication lines and to individual users by leased-wire services. In such a system, the speed of the computers would be balanced, and the cost of the gigantic memories and the sophisticated programs would be divided by the number of users” [1].
Today, the Internet represents much more than what Licklider had envisioned. With a global average Internet speed of 5.6 Mbps [2] (going way over 10-15 Mbps in Europe, Australia and North America), the Internet has become more than just a communication network; it has become a way of life. From watching TV and movies and listening to music to online shopping and online banking, the number of activities that can be done online is now practically unlimited.
The Internet (electronic telecommunication networks) is transforming the way people engage in their everyday lives. Economic development is strongly related to the existence and well-functioning of the telecommunication networks. Electronic communication services also play a significant role in national security, emergency response and in the economic development of a country [3]. As a result, any impairment affecting the basic infrastructure we use for the transfer of information can result in severe consequences for most of the stakeholders involved. Therefore, the infrastructure used for sustaining our new way of life must be protected by all means possible.
Resilience is a key issue for ENISA when we talk about networks and services in Telecom. As the EU’s Cyber Security Agency (ENISA or the Agency), we have been dealing with the Telecom sector for almost 8 years now, analyzing the specific threats and trying to increase the resilience of the EU’s cyber infrastructure. ENISA has developed several studies in the area of Telecom Security and is also running the only EU-wide security-related group of national telecom regulators (Art. 13a working group). The Agency also has an official mandate, given by Art. 13a of the 2009 Telecom Framework Directive, to collect and analyze EU-wide incidents related to disturbances in electronic communications.
The extensive experience gathered by ENISA within this timeframe has allowed us to picture, to some extent, the challenges that this sector will face from now on in terms of security. This article represents a comprehensive summary of two types of challenges that the telecom industry must overcome in the coming years: technical and political.
Legacy infrastructure and IoT
On the technical level, we might begin by mentioning that, although the sector has a certain tradition and history and is developing fast, in some cases it is only the business model that evolves, without the corresponding technical part evolving with it. We are now migrating from technology-focused networks towards service-focused (or user-focused) ones, and some parts of the networks must indeed undergo transformation, but providers still rely on legacy infrastructure and protocols to deliver their services. A good example is the area of interconnect security, mainly issues related to SS7 and DIAMETER [4]. The security issues within these protocols are still there, without a clear fix or solution in the near future, and we might have to stick with them until new options are available. The industry has identified workarounds, but the risk is still there.
5G is the new industry solution for delivering high-speed mobile Internet to an increasing number of devices. The EC already has an ambitious plan to launch fully commercial 5G networks by the end of 2020 [5]. Nevertheless, 5G still lacks a well-defined set of standards. More than that, most of the political initiatives in the area lack the security component entirely, although there are plenty of technical documents underlining this necessity. The new networks will also have to rely on some legacy infrastructure and ensure compatibility with previous standards. Any initiative in this area should seriously consider the security implications. Ignoring security considerations when developing 5G standards and specifications could seriously impact the future of this new technology and the security and privacy of billions of users (and devices).
IoT is also becoming a security concern for providers. More and more vulnerable devices are connected online and, in some cases, they become an internal threat for the users and for the network itself. The increasing number of vulnerabilities found in network and consumer devices represents a serious gap that must be taken care of by the providers. From unwanted malicious traffic within the network to disturbances and unavailability of services, the number of possible threats in this area is constantly increasing. One consequence of the increasing number of vulnerable devices is the appearance of so-called IoT-based botnets (such as Mirai), intensively used for launching massive DDoS attacks with intensities of over 300 Gbps [6].
New regulations for a new telecom environment
On the political level, 2017 might be an interesting year at the EU level. First of all, we have a New Telecom Code proposal, with substantial improvements on the security component. Built on general objectives such as ensuring a high level of security of networks and services, adapting to technological changes, ensuring consistency with other regulatory initiatives (GDPR, NIS Directive), and bringing more harmonization at EU level, the new code is expected to be adopted by the end of the year or early 2018. Among the improvements we can mention:
- widening the scope to include also number-independent (Ni) interpersonal communications services (ICS) (also called OTTs),
- a comprehensive definition of security (focused on availability, integrity, confidentiality, and authenticity of the data and services),
- clear criteria to be taken into account when notifying incidents.
Most of these improvements were also suggested within the study “Impact evaluation on the implementation of Article 13a incident reporting scheme within EU”, developed in 2016 by ENISA and the Art. 13a working group, which performs an evaluation of the current EU-level regulations regarding security in telecommunications.
The Network and Information Security Directive (NISD) is another important piece of EU legislation that will definitely impact Telecom providers. Although the directive “should not apply to public communication networks or publicly available electronic communication services” [7], there are some types of services the directive applies to, that can usually be found within the Telecom industry; mainly DNS, cloud, and IXPs. To all these types of services, new requirements in the area of security measures and incident notification will be applied. As most of the providers are in some way or another offering, or relying upon, these types of services, they will also have to accommodate these regulations. ENISA has already started the work in this area by producing guidelines for both incident reporting and security measures.
Last, but not least, providers also have to take into account the new provisions of the GDPR. The new data protection regulation comes into force with stronger requirements that will also impact telecom providers.
Telecom security not weak at all
Nevertheless, the providers are also keeping the bar high in terms of security measures implemented to protect their networks. According to the study “Analysis of security measures deployed by e-communication providers”, recently published by ENISA, a large majority of EU providers have deployed a good level of basic security controls. The study, based on a previously published list of desirable security measures, had the purpose of identifying the level of compliance of EU providers, and identifying real measures implemented by the industry. The majority of providers within the EU have generally displayed a high operational maturity in terms of security. In areas like “Security of Systems and Facilities” and “Business Continuity Management” the maturity level has proved to be quite high.
As conclusions …
As time passes, the telecom industry, which now has a certain maturity among other IT-related businesses, will face numerous new challenges – legal, business-related and technical ones. Cyber security within telecommunications has developed exponentially in the last decade, as more threats appear, technology evolves and business requirements change. Being prepared to take action might be troublesome, costly and difficult, but in the end it’s part of the evolution process. Telecom operators must, though, be prepared to overcome challenges that may occur.
ENISA is committed to continuously supporting the telecom sector in all cyber security-related issues. ENISA’s experts are engaged with the communities, both public and private, in a constant search for problems to be solved. If you see us, don’t hesitate to approach us and tell us your issues. We are aware that security is not a goal, but a permanent process, and that traditional businesses like telecom providers are faced with more, and more complex, challenges as they develop through time.
References:
1. Man-Computer Symbiosis, J. C. R. Licklider, IRE Transactions on Human Factors in Electronics, volume HFE-1, pages 4-11, March 1960, available at: https://groups.csail.mit.edu/medg/people/psz/Licklider.html
2. https://www.fastmetrics.com/internet-connection-speed-by-country.php
3. Impact evaluation on the implementation of Article 13a incident reporting scheme within EU, ENISA, 2016, Available at: https://www.enisa.europa.eu/publications/impact-evaluation-article13a.
4. SS7, DIAMETER: Set of protocols used in the interconnection of the Telecom networks.
5. 5G for Europe: An Action Plan, EC Communication, 2016. Available at: https://ec.europa.eu/digital-single-market/en/news/communication-5g-europe-action-plan-and-accompanying-staff-working-document
6. Akamai’s [state of the internet] / security report Q4 2016; available at: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf
7. NIS Directive, Recital (7), http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L1148&from=EN
Dr. Dan Tofan is a cyber-security expert with more than 10 years of experience, gathered in EU-level institutions and working groups, national governmental agencies, and the academic and private sectors. He holds a PhD in computer science as well as a number of international certifications in the areas of cyber security and project management. He joined ENISA as an expert in May 2015 and is responsible for all mandatory incident reporting activities developed by the Agency in areas like telecom, trust service providers and the NIS Directive.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.