The European Union Agency for Cybersecurity (ENISA) publishes a report on the subsea cable ecosystem and highlights today’s major cybersecurity challenges.
More than 97% of the world’s internet traffic passes through subsea cables at some point. Subsea cables are a vital component of the global internet infrastructure, and it is critical to protect them from cyberattacks, physical attacks and other threats.
What are the challenges?
With the growing reliance on the internet, and the growing amounts of data being transmitted, subsea cable incidents could cause outages and disruptions. The cable landing stations as well as subsea areas, where many cables are close to each other are considered weak points.
The International Cable Protection Committee in its 2022 report concludes that most subsea cable incidents are accidental, due to anchoring and fishing. Some cable incidents are caused by natural phenomena like underwater earthquakes. In rare cases, system failures are responsible for incidents.
Malicious actions such as sabotage attacks and espionage have to be considered also. Particularly, a coordinated sabotage attack on multiple cables at once could cause significant disruptions of internet connectivity. Repairing subsea cables is complex, takes a long time, and requires highly specialised cable repair ships, only few in the world. While eavesdropping on cables on the seabed is considered unlikely, accessing communications data at the cable landing stations or at cable landing points is feasible, and should be considered as a threat.
Global subsea cable ecosystem in a nutshell
- Subsea cables can fall under a wide range of regulatory regimes, laws and authorities. At national level, there may be several authorities involved in their protection, including national telecom authorities, authorities under the NIS Directive, cybersecurity agencies, national coastguard, military, etc.
- There are also international treaties in place to be considered, establishing universal norms and the legal boundaries of the sea,
- On the private sector side, the subsea cable ecosystem consists of undersea cable owners and operators, integrated suppliers, suppliers without a fleet, owners of installation and repair vessels, and undersea cable maintenance companies.
Key takeaways
- Accidental, unintentional damage through fishing or anchoring has so far been the cause of most subsea cable incidents.
- Natural phenomena such as undersea earthquakes or landslides can have a significant impact, especially in places where there is a high concentration of cables.
- Chokepoints, where many cables are installed close to each other, are single points of failure, where one physical attack could strain the cable repair capacity.
- Physical attacks and cyberattacks should be considered as threats for the subsea cables, the landing points, and the ICT at the landing points.
- There is a lack of information about the resilience, redundancy and capacity of subsea cables and further analysis is needed. The European Commission recently launched a dedicated study for this.
- At a national level, the mandate and supervision over the subsea cables should be clarified, to ensure that the cables and landing points are protected, and that chokepoints are avoided.
- National authorities should exchange good practices about subsea cable protection, involving also authorities for the energy sector, who have experience with protection of subsea power cables, as well as authorities under the Critical Entities Resilience Directive, whose experience with physical protection of critical infrastructure could be insightful.
What are subsea cables?
- There are about 400 subsea cables across the world, connecting islands, countries, regions, and continents. Subsea cables use optical fibre technology, transmitting electronic communications data at the speed of light. Subsea cables are about as thick as a garden hose. Subsea cables come on land at landing stations, where they connect to the land-based internet backbone, the underground cables. Landing stations can be at beaches or in ports.
Target audience
ENISA publishes this report to support national authorities in the EU Member States supervising telecom networks and core internet infrastructure, under the European Electronic Communications Code (EECC) and the Directive on measures for a high common level of cybersecurity across the Union (the NIS1 and the NIS2). Undersea cables are specifically mentioned in the NIS2 directive, and have to be addressed in national cybersecurity strategies.
Further Information
Subsea cables: What is at stake? – ENISA report 2023
Contact
For press questions and interviews, please contact press (at) enisa.europa.eu