Last updated on 13 January 2023.
In the EU, telecom operators notify significant security incidents to their national authorities. At the start of every calendar year, the national authorities send a summary of these reports to ENISA. This report, the Annual Report Telecom Security Incidents 2020, provides anonymised and aggregated information about major telecom security incidents in 2020.
Security incident reporting has been part of the EU’s telecom regulatory framework since the 2009 reform of the telecom package: Article 13a of the Framework Directive (2009/140/EC) came into force in 2011. The European Electronic Communications Code (EECC) (2018/1972) repeals and replaces the Framework Directive. It reinforces the provisions for reporting incidents, clarifying what incidents fall within its scope and the notification criteria.
Malicious actions doubled in 2021. In 2020, incidents marked as malicious actions represented 4% of the total, a number which rose to 8% in 2021. Moreover, it is interesting to highlight the significant increase in DDoS attacks compared to 2020, when only four such incidents had been reported, resulting in 1 million user hours lost. By comparison, in 2021 ten DDoS-related incidents were reported, leading to a loss of 55 million user hours. These results are consistent with the findings of the ENISA Threat Landscape that point to an increase in DDoS attacks and a general increase in attacks against availability of services.
System failures continue to dominate in terms of impact, but the downward trend continues. System failures accounted for 363 million user hours lost, compared to 419 million user hours in 2020. Despite the skewed nature of the 2021 results, it is noteworthy that there was a 14% decrease in user hours lost, whereas in terms of the number of incidents in 2021 they represent 59% of the total compared to 61% in 2020. This highlights the growing maturity of electronic communication providers in handling and containing the impact of system failures.
Incidents caused by human errors remain at the same level as in 2020. Around a quarter (23%) of total incidents have human errors as a root cause (a slight decrease compared to 26% in 2020), however 91% of the total user hours lost have been lost due to this kind of incident. These results however are skewed due to the OTT communication services incident reporting issues mentioned above.
In 2021, there was a noteworthy decrease in incidents flagged as failures by third parties. Only 22% of incidents were reported as being related to third-party failures compared to 29% in 2020 and 32% in 2019. No third-party failures related to malicious actions were reported. Overall, the finding suggests that electronic communication providers have started introducing targeted security controls to better protect their supply chains, echoing the relevant ENISA calls for attention.
It is interesting to note the impact of incidents related to malicious actions on lost user hours. In 2021 lost user hours increased five times (from 13 million lost user hours in 2019 and 2020 to 70 million lost user hours in 2021). While the number of incidents doubled in 2021 compared to 2020, the significant increase in their related impact highlights the need to take further action in containing the adverse effect of such incidents.
2020 HIGHLIGHTS & Executive Summary – System Failures on the Rise
In 2020, half of the total user hours lost were due to system failures (50%) and almost half was lost due to human errors (41%).
All reports mention user hours lost due to high load caused by the COVID-19 pandemic.
Over the course of 10 years, EU Member States reported a total of 1263 telecom security incidents.
STATISTICS EXTRACTED FROM ANNUAL SUMMARY REPORTING PROCESS 2020
The 2020 annual summary reporting process contains reports of 170 incidents submitted by national authorities from 26 EU Member States and 2 EFTA countries. The total user hours lost, derived by multiplying for each incident the number of users and the number of hours, was 841 million user hours. These numbers are in line with those of previous years, as can be seen in the following graphic.
THE KEY TAKEAWAYS FROM 2020 INCIDENTS
- Faulty software changes/updates are a major factor in terms of impact: In 2020, incidents related to faulty software changes/updates resulted in 346M user hours lost, which corresponds to roughly 40% of the total user hours lost. In this year’s report, we dive into the numbers relating to faulty software changes (see chapter 4).
- System failures continue to dominate in terms of impact: System failures represent around a half of the total user hours lost (419 million user hours, 50% of total). They are also the most frequent root cause of incidents: 61% of the total reported incidents.
- Incidents caused by human errors remain at the same level as in 2019: More than a quarter (26%) of total incidents have human errors as a root cause and 41% of the total user hours lost were due to human errors.
- Third-party failures remain at the same level as 2019: Almost a third of incidents were also flagged as third-party failures (29%), i.e. incidents that originated in a third party, say a utility company, a contractor, a supplier, etc. This number is consistent with 2019, but has tripled compared to 2018, when it was just 9%.
ENISA offers an online visual tool for analysing incidents, which can be used to generate custom graphs. See: https://www.enisa.europa.eu/topics/incident-reporting/cybersecurityincident-report-and-analysis-system-visual-analysis/visual-tool.
Over the last couple of years, we see the following trends:
- System failures continue to be the most frequent cause of incidents (61%), but their average size is trending downwards: Every year system failures have been the most common category of root causes. Since 2016 the average size of these incidents has been decreasing; however, between 2019 and 2020 we observe a slight increase in user hours lost due to system failures, and a corresponding decrease in hours lost due to natural phenomena as well as due to malicious actions.
- Number of incidents stabilizing: The total number of incidents reported is stabilizing at around 160 annually. Over the period 2014-2020, a consistent number of incidents have been reported and this is stabilizing at around 160 incidents per year.
- User hours lost stabilizing at a new low: User hours lost have been stabilizing over the last three years at around 900 million a year. During these three years, stabilization in the number of user hours lost (around 900 million hours lost) was noticeable with the number of incidents approximating 160 each year.
- Human errors are trending up: The percentage of incidents caused by human errors has been trending up since 2016. In 2020 they accounted for 26% of the total number of incidents.
- Especially in 2020 and because of the COVID-19 pandemic, providers had to deal with major surges and shifts in usage and traffic patterns from the start of the pandemic. This gradually stabilised to what is now considered the new normal. The general takeaway from the pandemic is that services and networks have been resilient during the crisis, despite major changes in usage and traffic. We should not omit mentioning, however, that some countries pointed out – in the context of ENISA’s relevant information-gathering exercise from the NRAs concerning the status of networks during the first months of 2020 – that there were physical attacks on base stations, masts or other telecommunication equipment, possibly related to theories that 5G can be harmful and even responsible for the COVID-19 pandemic.
Currently the focus of the national authorities for telecom security is on the transposition and implementation of the EECC, which brings several changes. The incident reporting requirements in Article 40 of the EECC have a broader scope including explicitly, for example, breaches of confidentiality. In the context of the new EECC, targeted attacks, involving for instance those using SS7 protocol vulnerabilities, SIM Swapping frauds, attacks using the Flubot malware or even more extended attacks that cause no outages, such as a wiretap on an undersea cable or a BGP hijack, would be reportable under Article 40 of the EECC.
ENISA will continue to work with national authorities as well as the NIS Cooperation group to find and exploit synergies between different pieces of EU legislation, particularly when it comes to incident reporting and cross-border supervision.
Extreme weather caused almost a fifth of (telecom) network outages in Europe in 2017
European telecommunications and internet operators reported a total of 169 major network outages to the authorities last year. As many as 51 percent of these cases also affected mobile communications. On average, one million users were affected by a single network outage, reports the European Agency for Network and Information Security, ENISA, in its newly presented annual report, which summarises the reports of the European network regulatory authorities.
System failures are the dominant root cause of reported incidents: Most incidents reported were caused by system failures (62% of the incidents) as a root cause. Often these are hardware failures or software bugs.
Annual Incident Reports 2017, ENISA
62.1 percent of the network outages could be traced back to system failures, which were based on hardware failures and software bugs. 18.3 percent of the incidents were due to human error and only 2.4 percent to criminal acts such as denial-of-service attacks or cable theft. These figures are in line with those of recent years.
What is unusual, however, is the high share of 17.2 percent that natural phenomena had in network outages last year. These phenomena include heavy snowfall, ice, storms, flooding and uncontrollable wildfires. In the three preceding years they had caused only 5 percent of the outages. ENISA sees an upward trend in the figures and warns: “Network operators in the European Union will have to continue dealing with natural phenomena, as extreme weather events become more frequent due to climate change.”
Power cuts play an important role overall at 22 percent, with ENISA stressing that in the usual outage scenarios storms or wildfires are assumed to be the cause.
This shows once again how reality diverges from our perception. Cyber attacks are probably at the very top in terms of perception. At the same time, they are responsible for only a very small share of infrastructure outages. See also the ENISA Annual Incident Reports 2015 – Telecom Sector, which already addressed the topic of power outages. We already see many challenges in this area in everyday operation. The question is how all of this will play out after a far-reaching infrastructure outage. Considerable uncertainties are emerging here. See also, for example, Schwachstelle Kondensator
The European Union Agency for Network and Information Security (ENISA) publishes an annual report on the IT incidents in the telecommunications sector that Member States must report to ENISA under Article 13a. The current report shows once more that the main cause of system outages is not cyber attacks or malware. See also the report Power Supply Dependencies in the Electronic Communications Sector (2013).
Annual Incident Reports 2015
Analysis of Article 13a annual incident reports in the telecom sector
For the fifth year, ENISA publishes the annual report about significant outage incidents in the European electronic communications sector, which are reported to ENISA and the European Commission (EC) under Article 13a of the Framework Directive (2009/140/EC), by the National Regulatory Authorities (NRAs) of the different EU Member States.
This report covers the incidents that occurred in 2015 and it gives an aggregated analysis of the incident reports about severe outages across the EU. This report does not include details about individual countries or providers. The aim of the incident reporting scheme is to provide transparency to society and to learn from past incidents in the electronic communications sector in order to systematically improve the security in the networks and services.
This report provides an overview on an aggregated level of what services and network assets are impacted and the root causes of the incidents. Conclusions on the main patterns of incidents are drawn, contributing to discussions at policy level on strategic measures to improve the security in the electronic communications sector.
The main conclusions from this year’s incident reporting are the following:
- 138 major incidents reported: This year 21 countries including two EFTA countries reported 138 significant incidents that occurred in 2015 while 9 countries reported they had no significant incidents.
- Mobile internet most affected service: In 2015 most incidents affected mobile internet (44% of all reported incidents). Mobile internet and mobile telephony were the predominant affected services in the previous years also, except for 2014 where fixed telephony was the most affected.
- Impact on emergency calls: In 15 % of the incidents there were problems in reaching the 112 emergency services, a small decrease since the previous year.
- System failures are the dominant root cause of incidents: Most incidents were caused by system failures or technical failures (70 % of the incidents) as a root cause. This has been the dominant root cause for all the reporting years so far. In the system failures category, software bugs and hardware failures were the most common causes affecting switches and routers, and mobile base stations.
- Human errors affected on average more user connections per incident: In 2015 human errors was the root cause category involving most users affected, around 2.6 million user connections on average per incident. The second place was taken by system failures with 2.4 million user connections on average per incident.
- Malicious actions are not focused on causing disruptions: the total number of incidents caused by malicious actions dropped to 2.5% from higher previous values (9.6% in 2014). This may indicate that the malicious actions are not necessarily aiming at causing unavailability of services, but might have other objectives.
- Malicious actions started causing long lasting incidents: Incidents caused by malicious actions (e.g. DDoS), although the volume was not high, had most impact in terms of duration, on average almost two days per incident.
- New services affected: TV broadcasting / Cable TV Networks (14%) and SMS/MMS (13%), public email (5%), IPTV (4.4%), VOIP services (3.7%) were the most affected services among the new ones that started being collected from this year.
These patterns need particular attention when carrying out risk and vulnerability assessments in the electronic communications sector.
As early as the 2012 report and the special report Power Supply Dependencies in the Electronic Communications Sector, power cuts ranked third as a cause of system outages. Apparently there has been no substantial improvement here in recent years.
Even though this report clearly shows that the main causes of system outages in the telecommunications sector are system failures and human error, the current escalations should not be underestimated. While the consequences of the outages shown here remain rather limited, severe cyber attacks or incidents can trigger chain reactions with unforeseeable consequences. As always, both-and thinking applies here too, that is, the ambivalence that has to be taken into account.
Electronic communications are the backbone of the EU’s digital society. Article 13a of the EU’s electronic communications Framework directive asks EU Member States to ensure the security and resilience of public electronic communications networks and services. As part of the implementation of Article 13a, National Regulatory Authorities (NRAs) in the EU collect reports about incidents with a significant impact on the electronic communications networks and services. Yearly, ENISA publishes an annual report which summarizes these incident reports and provides an aggregate analysis of major outages. As can be seen in the ENISA annual report, power cuts are a dominant cause of severe network and service outages in the EU’s electronic communications sector. In the report “Power Supply Dependencies in the Electronic Communications Sector”, we study these incidents in more detail and we make recommendations to NRAs and electronic communications service providers and to some extent also to actors in the energy sector as well as civil protection authorities. Our recommendations are aimed at improving the electronic communications sector’s ability to withstand and act efficiently after power cuts.
The diagram below shows the average impact per cause per reported incident from 2012. The impact is calculated as affected user connections times the duration of the incidents in hours.
We found that:
- A majority of EU Member States have implemented more general resilience policies through legislation, whereas a minority of the Member States have implemented policies that are directly linked to resilience against power cuts.
- A majority of the NRAs do not, and may even lack suitable input to, perform risk assessments that include power cuts. It is also noted that the national use of state funding and public-private partnerships to address power cut resilience are exceptions rather than the norm within the EU.
- Resilience against power cuts is lower in access networks closer to customers than for network elements that carry traffic for a large number of customers. Mobile networks tend to be more vulnerable to power cuts compared to fixed networks.
- A majority of NRAs believe that current protection levels are not adequate and they would like to see power cut resilience become a market differentiating factor for network and providers.
- A review of incident reports from 2011 and 2012 shows that a significant number of power cuts led to more severe service disruptions than what would have been the case had existing protection measures worked as intended.