A reading of the ENISA Annual Incident Reports 2012

ENISA issued the ENISA Annual Incident Reports 2012 on significant incidents in the electronic communications sector, which were reported to national regulators in 2012.

ENISA published the ENISA Annual Incident Reports 2012, a document that provides an overview of the process and an aggregated analysis of the 79 incident reports of severe outages of electronic communication networks or services which were reported by national regulators last year. ENISA with the National Regulatory Authorities (NRAs) of the different EU Member States discuss specific types of incidents, mandated by Article 13a of the Framework Directive (2009/140/EC). The following image illustrates the incident report flow:

 

 

This is the second “ENISA Annual Incident Reports” study proposed by the European Union Agency for Network and Information Security, it covers the incidents occurred in 2012 not including detailed information on countries and incidents. The report focuses on an aggregate analysis of the incidents highlighting their impact and causes.

Within European Union 18 countries reported 79 significant incidents meanwhile 9 countries reported no significant incidents, the majority of incidents affected mobile with an average of 1,8 million users per incident, a sensible increase if compared to the previous year.

Exactly as occurred last year most incidents affected mobile telephony or the mobile Internet, experts consider that mobile services are more at risk of large-scale outages.

The high figure of affected users is compatible with large diffusion of mobile devices and wide coverage of mobile infrastructures. Unfortunately in 37% of the reported incidents, the emergency number 112 was impacted, emergency services were hit on 63% of the cases meanwhile interconnections were affected in 11% of the reported incidents.

Following a short list of examples of incidents proposed by the ENISA Annual Incident Reports.

• Overload caused the VoIP outage (hours, thousands, system failure)
• Faulty upgrade halted IP-base traffic (hours, millions, human error)
• Cable theft causing fiber optic cable break (hours, thousands, malicious attack)
• DDoS attacks on DNS affected mobile Internet (hours, millions, malicious attack)
• Big storm affecting power supply causing large scale outage (days, millions, natural disaster)
• Configuration error (hours, millions, configuration error)
• Vandalism by former employee affected DSL (days, thousands, malicious attack)
• Faulty software update affected mobile telephony (hours, thousands, software failure)
• Submarine cable cut from anchorage (hours, thousands, third party)

The root cause for the incident is the “System failures” (76 % of the incidents) followed by software bugs, the ENISA Annual Incident Reports also stated that the assets most often affected by system failures were switches (e.g. Routers with 20% ) and home location registers (16%).

The ENISA Annual Incident Reports document proposed also the impact of the incidents in terms of “user-hours lost”, Third party failure accounted for 36502 hours  followed by Natural phenomena cause at 20283 hours  and System failures at 19842.

Following the key figures proposed in the conclusions of the study:

• Mobile networks most affected: Most incidents affected mobile telephony or mobile Internet (about 50 % of the incidents respectively).
• Mobile network outages affect many users: Incidents affecting mobile telephony or mobile Internet affected most users (around 1,8 million users per incident). This is consistent with the high penetration rate of mobile telephony and mobile Internet.
• Emergency Service are affected by incidents: In 37 % of the incidents there was impact on emergency calls using the emergency number 112.
• System failures are the most common root cause: Most incidents were caused by root causes in the category “System failures” (75 % of the incidents). This was the most common root cause category also for each of the four services (fixed and mobile telephony and fixed and mobile Internet). In the category “System failures”, hardware failures were the most common cause, followed by software bugs. The assets most often affected by system failures were switches (e.g. routers and local exchange points) and home location registers.
• Third party failures and overload affect many users: Incidents categorized with the root cause third party failures, mostly power supply failures, affected around 2.8 Million users on average. Incidents involving the detailed cause overload affected around 9.4 million users on average.
• Natural phenomena cause long lasting incidents: Incidents caused by natural phenomena (mainly storms and heavy snowfall) lasted around 36 hours on average.
• Overload and power failures have most impact: Incidents caused by overload followed by power failures respectively had most impact in terms of number of users times duration.
• Switches and home location registers mostly affected by incidents: Overall, switches and home location registers were the network components or assets most affected by incidents.

Pierluigi Paganini

(Security Affairs – brain hacking, security)