EU releases comprehensive risk assessment report on cybersecurity, resilience of communication networks

EU Member States, backed by the European Commission and ENISA, the EU’s Cybersecurity Agency, released this week a report detailing the cybersecurity and resilience of Europe’s communication infrastructures and networks. The data represents a significant advancement in the collaborative efforts at the EU level to enhance the security of telecommunications, further building on the progress made in the area of 5G cybersecurity.

As a follow-up to the Nevers Call of 9 March 2022 and building on the coordinated work already done at the EU level to strengthen the security of 5G networks, Member States conducted a risk assessment on Europe’s communications infrastructures and networks. 

Titled ‘Cybersecurity and resiliency of Europe’s communications infrastructures and networks: Follow-up to the Nevers Call of 9 March 2022,’ the risk assessment report has a scope, encompassing both threats and scenarios, that was collaboratively determined by Member States. This assessment, along with a gap analysis, concentrates on the risks posed by cyber-attacks to the EU’s communication networks and infrastructures. It includes physical attacks on networks and information systems, aligning with the comprehensive approach advocated by the NIS2 directive.

The assessment considers threats from hostile third countries, including nation-state hackers, organized crime groups, and hacktivists supporting nation states. Identified threats to communication networks and infrastructure range from wipers and ransomware attacks to supply chain attacks, physical assaults, and sabotage. These threats exploit existing vulnerabilities and pose a significant risk to the security and resilience of the EU’s connectivity infrastructure.

Last June, the EU member states, with the support of the European Commission and ENISA, published a second progress report on the implementation of the EU Toolbox on 5G cybersecurity, which aims to address risks related to the cybersecurity of 5G networks. The report provides an updated overview of the state of play of the implementation of the Toolbox by member states and covers the implementation of the strategic and technical measures of the EU Toolbox.

In light of these insights from the latest report, and supplementing the nine risk scenarios previously identified in the EU’s Coordinated risk assessment of 5G networks, the report outlines ten additional risk scenarios of strategic significance to the Union. Examples include a supply chain attack aimed at accessing operators’ infrastructure or a coordinated physical sabotage of digital infrastructure. 

The main threats identified in this risk assessment as strategically important from an EU perspective include ransomware attacks, whose objective is to encrypt files and demand a ransom for decryption keys, and which have affected the cybersecurity landscape recently. Wiper attacks, using similar methods but aiming to delete or irreversibly encrypt data, are often executed by state actors or hacktivist groups, unlike ransomware attacks, which are usually the work of organized crime groups. Recovery from a large-scale wiper or ransomware attack on critical infrastructure could be prolonged and challenging.

The risk assessment report pointed out that supply chain attacks typically unfold in two stages – initially targeting a supplier’s network or systems, such as introducing a vulnerability in hardware or software, followed by an attack on the actual target, like a communications network operator. These attacks can be orchestrated by state actors, organized crime, or hacktivist groups and are particularly impactful as they enable attackers to simultaneously target multiple operators. 

An example is the SolarWinds incident, which affected hundreds of critical entities worldwide. Supply chain attacks are appealing to attackers because they can bypass the defenses of telecom operators or service providers by exploiting the potentially weaker defenses of suppliers. The risk is heightened by suppliers’ regular access to equipment for maintenance, offering ample opportunity for exploitation.

In cyber-attacks targeting managed service providers (MSPs) or other third-party services, attackers indirectly aim at telecom or service providers to bypass their defenses. This method, akin to supply chain attacks, can be executed by state actors, organized crime, hacktivists, or even less sophisticated attackers, depending on the security measures of the MSP or third party. These providers often have regular access to systems for support, maintenance, and updates, making them attractive targets.

Network intrusions, often aimed at espionage, data exfiltration, or setting the stage for further cyber-attacks, are stealthy and challenging to detect, with potentially long-term and unpredictable effects. While typically the work of state actors for espionage, organized crime groups also engage in such activities to acquire valuable data for sale, blackmail, or further cyber-attacks. Public electronic communications networks are prime targets for espionage, making the detection and prevention of network intrusions a critical challenge for telecom operators, especially against sophisticated state actors. 

DDoS (distributed denial of service) attacks, which overload networks or systems with excessive traffic to render them inoperable, can be launched by state actors, organized crime groups, hacktivists, or even inexperienced attackers. While telecom operators typically have robust defenses against DDoS attacks due to their control over networks, operators in other critical sectors may not be as well-prepared, though commercial services are available to mitigate large-scale DDoS attacks.

Physical attacks and sabotage on data centers, underground and submarine cables, cable landing points, or satellite stations pose significant risks due to the exposed nature of this infrastructure, such as submarine cables in international waters. Some Member States depend heavily on a few key international connections and lack efficient alternatives for rerouting traffic. A coordinated attack, especially on submarine cables, could severely disrupt network functionality and continuity, with repairs being challenging due to deep water or ice-covered locations and the limited availability of cable repair ships.

A state actor from a third country might coerce suppliers to implant backdoors or vulnerabilities in their products to enable cyberattacks that align with their national interests. The risk level is significantly affected by the supplier’s network access and risk profile. The inclusion of high-risk supplier technology in a Member State’s infrastructure heightens the potential for major network disruptions, which could stem from supply cut-offs, service failures, update issues, or exploited backdoors. Suppliers often have regular access to systems for support, maintenance, and updates, increasing the risk. Additionally, supply chain risks include potential extortion by threatening to halt updates or services.

The report also identified power cuts as a major concern for telecom operators, whatever their nature. A cyber-attack might target the EU’s power grid, taking it down locally in order to cause outages of the radio network in a particular region, for example a border region. Power cuts could also affect submarine cables, which rely on repeaters.

Telecom operators and service providers can be targeted by insiders, for example compromised personnel, who operate as agents for a nation state or an organized crime group. The impact of these attacks depends on how much access the insider has to sensitive data or critical infrastructure. This risk may be aggravated if operators outsource key business processes, particularly to third countries. 

To mitigate these risks, the report puts forward recommendations for Member States, the Commission and ENISA, to be implemented with the support of the Body of European Regulators for Electronic Communications. 

As regards strategic aspects, the report recommends assessing the resilience of international interconnections; assessing the criticality, resilience and redundancy of core Internet infrastructure, such as submarine cables; implementing the recommendations related to suppliers in the second Progress Report on the EU Toolbox implementation; and creating transparency on the landscape of suppliers and managed service providers or managed security service providers used for fixed networks, fiber technology, submarine cables, satellite networks and other important ICT suppliers.

It also suggests involving the electronic communications sector in cyber exercises and operational collaboration; fostering information sharing and improving situational awareness about threats for operators; providing funding support to operators for technical measures against cyber attacks in their networks; exchanging good practices among national authorities about physical attacks on digital infrastructure; and extending physical stress testing of critical infrastructure to include digital infrastructure.

In conclusion, the risk assessment report said that given the criticality of the infrastructures and networks in scope and in view of the fast-evolving threat landscape, and without prejudice to the Member States’ competencies as regards national security, Member States, Commission and ENISA are encouraged to implement these resilience-enhancing measures as soon as possible, based on the work that has already started on the implementation of some of the recommendations. 

Furthermore, the report also provides information on the ongoing cross-sector cyber risk evaluation and scenarios on the telecommunication and part of the energy sectors requested by the Council conclusions on the EU’s Cyber Posture. 

Last July, the European Commission adopted a list of essential services in the eleven sectors covered by the Critical Entities Resilience Directive (CER), in a move to boost resilience and step forward to identify critical entities for key sectors. Member States will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026. They will use this list of essential services to carry out risk assessments and identify critical entities. Once identified, the critical entities will have to take measures to enhance their resilience.
