169 telecom incidents reported, extreme weather major factor

Today ENISA publishes its annual report on major telecom security incidents that occurred in 2017 in the EU.

The full report can be consulted at: Annual report Telecom security incidents 2017

  • 169 incidents were reported by national telecom regulatory authorities (NRAs) in 2017
  • System failures dominate: 62% of incidents are system failures, mainly hardware failures and software bugs
  • Major increase of extreme weather as a cause: 17% of incidents caused by natural phenomena
  • Power cuts hurt telecom services: 22% of incidents are due to power outages

Almost a fifth of the reported incidents (17%) were caused by natural phenomena, such as heavy snow, ice, storms and wildfires. This is significantly higher than the previous 3 years, when natural phenomena accounted for only 5% of the incidents. Natural phenomena will continue to be a concern for telecom providers across the EU, with extreme weather becoming more common due to climate change.

62% of the telecom security incidents in 2017 were system failures, such as hardware failures, software bugs or faulty software updates. In all prior years of reporting, system failures accounted for 60% to 80% of total incidents.

More than half of the incidents reported have an impact on mobile telephony and internet in the EU. This confirms the shift of the last years. Fixed telephony was the most affected service only in the early years of reporting.

With 22% of incidents due to power cuts, dependency of telecoms on the power grid is clear. A common scenario starts with a storm or wildfire which causes a power cut, and leads to a mobile network outage soon after.

Only a small 2% of the incidents were due to malicious actions, such as denial of service attacks and cable theft. The year before, this was at 5%. The multi-annual trend for malicious actions has been below 10%.

The document gives an aggregated overview of the annual summary reports sent to ENISA by the NRAs of the 28 EU Member States, Norway and Switzerland.

There are clear trends emerging from the report. While the number of incidents reported has steadily increased over the years, from 76 in 2012 to 169 in 2017, the size of the incidents has gotten smaller on average. This is due to a combination of telecom providers reporting smaller incidents and NRAs using lower breach reporting thresholds.

Udo Helmbrecht, Director of ENISA, says: “Security breach reporting is a hallmark of EU cybersecurity legislation. Breach reporting is important for national regulators and for policy makers, because it reveals information about the actual number of security incidents, their impact, and trends. ENISA looks forward to the adoption of the new European code for electronic communications, which broadens the scope of supervision and is necessary in the context of a fast-changing landscape of electronic communications.”

Root cause categories of incidents 2012-2017

Combining data from the annual reports going back to 2012, we can see multi-annual trends. The trend graph below shows the root cause categories of incidents over the years (percentages). The ‘third party failures’ category is used as a flag on top of the other four root cause categories.

Scatter plot of incidents (duration and number of users) 2012-2017

Combining the data from annual reports going back to 2012 (more than 700 incidents), we can see the duration (hours) and number of customers impacted. The scatter plot below shows the distribution of all years combined.

Background information

Since 2010, ENISA has been supporting the EU countries with breach reporting, developing guidelines and tools for authorities, setting workable thresholds. ENISA is part of the ‘Article 13a’ expert group on security measures and incident reporting, which aims to have a harmonized implementation, a level playing field across the EU, when it comes to telecom security. This simplifies compliance and reduces overhead for EU telecom providers.

ENISA also analyses cross-cutting issues, common root causes and trends, collaborating with NRAs and the private sector. For example, in 2018 ENISA published an ‘EU state-of-play’ report on legacy interconnection protocols like SS7, an old protocol that can easily be exploited for illegal surveillance and interception. In 2016, ENISA surveyed telecom providers across the board to map out which security measures they had put in place.

In 2014, ENISA published recommendations for providers on how to address security requirements when dealing with ICT equipment vendors and suppliers of outsourced services for core operations, because issues with ICT equipment were a major cause of reported outages.

In 2013, when it became clear that cable cuts due to civil works were a major cause of incidents, ENISA published a whitepaper with good practices on how to reduce underground cable cuts.

The process of incident reporting by telecom providers and the subsequent summary reporting by telecom authorities to ENISA started in 2011.

Mandatory breach reporting has been part of the EU’s telecom regulatory framework since the 2009 reform of the telecom package, which came into force in 2011 (Article 13a of the Framework directive, 2009/140/EC). In the following years, breach-reporting requirements were included in the EU eIDAS regulation and the EU’s NIS directive.

Currently, security breach reporting is mandatory for incidents causing disruptions (i.e. outages). In June, the European Parliament and Council reached an agreement on an update of the legal framework called the European Electronic Communications Code (EECC). The EECC covers not only traditional telecom providers, but also over-the-top communications services. In the EECC, breach reporting will be extended to cover not only outages, but also other security breaches like, for example, confidentiality breaches.

Electronic communication providers in the EU have to notify significant security incidents to the national telecom regulatory authorities (NRAs) in each EU member state. Every year, the NRAs report summaries about the most significant incidents, based on a set of agreed thresholds.

Incident reporting is key for the NRAs to understand issues and trends. The positive impact of breach reporting legislation, like Article 13a, was confirmed in an independent impact assessment of telecom security legislation.