Chapter 16: Security and Resilience Challenges for the Critical Infrastructures of the Communications Sector

This chapter introduces the main challenges for critical infrastructures in the communication sector. Specifically, the chapter will review the current threats that arise upon cyber and physical systems interconnection. At the same time, security strategies exploiting both the features (cyber and physical) of critical infrastructures will be introduced.

The Internet of Things (IoT) (Lin et al., 2017) revolution has brought the presence of the Internet in almost everything and has changed several aspects of our daily lives. The IoT technology, indeed, allows the massive introduction of Cyber-physical Systems (CPS) (Bordel et al., 2017), that provide embedded intelligence, smart actuation, monitoring, and control to the peripheral nodes at the network edge. Relevant examples of CPS are represented by Critical Infrastructures (CIs), such as water distribution systems, smart grids, or telecommunication systems. CIs are of paramount importance in economy and social-being of citizens; therefore, they ask for protection against threats able to affect their operating level and, subsequently, the quality of our lives (Massel, 2018).

Threats for CIs are commonly divided into two classes (i.e., planned and unplanned), according to the possibility of forecasting them. Unplanned threats are represented by non-intentional human errors or natural disasters. In the last few years, the prevention of failure induced by extreme weather events is becoming more challenging, since climate changes make them more frequent and intense (Labelle et al., 2008). Planned threats are mainly represented by cyberat-tacks. CIs have been the predominant target of several attacks that propagated due to domino effects.

Regardless the type of threat, the design and the development of resilience strategies are fundamental for protecting CIs. Specifically, CIs should be able to recover quickly from failures: they should be able to cope with either known or unknown threats according to the well-known paradigm detect, absorb, recover, and adapt (Sterbenz et al., 2014). To this aim, CIs need to be equipped with detection tools to successfully identify a threat and reduce its impact. Moreover, a CI should react to the system performance degradation provoked by the threat guaranteeing a certain Quality of Service (QoS).

Among CIs, a key role is played by telecommunication networks: they are essential to support and maintain public and private services. Private businesses, government agencies, and other bodies rely on phone and Internet services provided by telecommunications networks to carry out daily operations. Telecommunication networks also supply services to health and social life. Since telecommunications are pivotal infrastructures, their protection requires more concern. This feature is becoming even more critical facing the 5G revolution. The extensive use of programmable platforms and exponential growth of connected devices require paradigms and tools to protect complex and flexible architectures.

Although since 2002 Universal Service Directive requires telecom companies to maintain the security and resilience of their networks (European Commission, 2002), there is no security and resilience standard for this CI. Commonly, the resiliency is addressed by using redundancy: most critical segments of the infrastructure are duplicated, and back-up power supplies are installed. Moreover, cyber and physical security issues are considered as independent, while recent events demonstrate that cyber-physical can affect the physical systems (Center for Strategic and International Studies, 2020; Computer Emergency Response Team-Coordination Center, 2020).

In this chapter, we address the security and resilience challenges for telecommunication infrastructure. To this aim, we provide an overview of the current and future structure of the telecommunication networks in Section 16.2; we classify the threats for telecommunication systems in Section 16.3 in order to understand the challenges in building a resilient system as detailed in Section 16.4. Finally, we draw some conclusive remarks in Section 16.5.

Telecommunication networks exploit physical infrastructure for connecting users. They can be decomposed into two main components:

• The core (backbone) networks;

• The access networks.

The core network provides connectivity between sub-networks carrying a large amount of data. Core networks of different countries are implemented mainly by fiber infrastructure and the satellite links. Radio signals from satellite are used to connect remote communities, oil rigs, ships, and airplanes. The used radio frequency spectrum and the paths of their orbits are registered by the International Telecommunication Union (ITU). Telecommunication networks rely on information from global positioning system (GPS) satellites to synchronize with each other. Recently, several concerns have been raised about the cyber and physical securityof both the undersea and the satellite links that carrya large number of global communications (Rishi Sunak, 2017): this aspect needs to be addressed when designing a securityand resilience strategy. The access network is the component supplying the user with access to services. According to the type ofaccess provided bytelecommu-nication operators to users, traditionally networks have been further classified as:

• Fixed-line networks;

• Mobile networks.

The fixed-line network provides the connection to end customer by means of cables, through which a user can make phone calls, receive TV signals, or connect to the Internet. Its core network is composed of copper and fiber optic cables, having high bandwidth to connect switches and route communication. The access network is mainly composed by copper paired wires connecting the users; however, in the last few years, the use of fiber optic lines for the last mile is increased.

Mobile networks connect users to the network via wireless transmission technologies. Therefore, a mobile access network consists of base stations that communicate with the user handsets by using radio signals. Base stations provide access to the network over a limited area (i.e., the cell). The access network is connected to a backbone infrastructure composed of mobile switching centers using fixed-line (fiber optic cables) or radio links.

Fixed and mobile networks have mostly been developed separately. However, the rapid evolution of 5G mobile technologies leads to higher fiber demand, thus boosting the convergence of networks. Indeed, the new mobile technologies allow the development of a novel set of applications (Agiwal et al., 2016), mainly focused on the fulfillment of user requirements. To this aim, the Quality of Experience (QoE) is replacing the QoS in the management of the networks. According to Qualinet (Brunnström et al., 2013), QoE can be defined as: “The degree of delight or annoyance of the user of an application or service. It results from the fulfillment of his or her expectations with respect to the utility and/or enjoyment of the application or service in the light of the user’s personality and current state. “ As can be noticed, the fulfillment of the QoE requirement is much more demanding than that of QoS. From the telecommunication point of view, the main challenge is the development of optimized self-organized networks able to timely provide services. Software Defined Network and cloud technologies may represent appropriate tools to allocate the available resources. However, the increasing demand for connectivity enables the antenna densification process, i.e., the deployment of cells covering a small area. Concerning the security issue, the novel architectures provide redundancy by design; however, novel CPS threats will emerge due to the increased number of attack surfaces.

In Euchner et al. (2015), the requirements, that need to be taken into account when facing the challenge of securing a telecommunication system, are:

• The parties involved;

• The assets that need to be protected;

• The threats against which those assets must be protected;

• The vulnerabilities associated with the assets and the environment; • The overall risk to the assets from those threats and vulnerabilities.

Concerning the parties involved, the main role is played by customers/ subscribers: they expect that the network is available and that the services offered are reachable, especially in emergency scenarios. Public authorities ask for security by directive and legislation to guarantee service availability, privacy protection, and fair competition. Network operators and services providers need to preserve their operating level and business so that to meet the demand of customers, business partners, and the requirements of public authorities.

The assets are represented by the personnel, the infrastructure (communication and computing devices, equipment, and facilities), the information and data, and the services provided.

A security threat is defined as a potential violation of security, that is: a possible danger that might exploit a vulnerability or weaknesses of the system to breach security and, therefore, to lead to risky impact. As stated previously, threats can be regarded either as unplanned/accidental or planned/intentional (Jones et al., 2012). Moreover, they can be either active or passive; active threats significantly affect information and/or operation in the system, while the passive ones do not provide any change in the information and/or operation of the corresponding systems.

About the telecommunication security threats and related risks, different classification can be drawn according to different purposes. Therefore, in the literature, several threat classification schemes have been proposed, upon the basis of a variety of criteria. Understanding the potential threats is of paramount importance to deeply get insights on the security and resilient challenges for the telecommunication systems. To this aim, we consider the Recommendation ITU-T X.1205 (ITU-T, 2008) that provides a taxonomy of security threats from an organizational point of view, along with a discussion of the threats at the various layers of a network. Specifically, we consider three different types of threats, according to the part of the systems affected, that is:

• Physical threats;

• Cyber threats;

• Cyber-physical threats.

The physical threats affect the physical assets (i.e., communication and computing devices, equipment, and facilities), the cyber threats exploit vulnerabilities in the cyber space to harm the digital assets, and the cyber-physical threats exploit vulnerabilities in the cyber space to disrupt the physical assets. Moreover, we also analyze Advanced Persistent Threat (APT), that is considered the most demanding threat to detect and defend against to date.

In the following, these types of threats and APT for telecommunication infrastructure are reviewed to further understand the security challenges.

Physical threats damage the physical infrastructure of telecommunication networks and can be either planned or unplanned (Jones et al., 2012; Electronic Communications Resilience and Response Group, 2004).

The planned threats are related to intentional events, motivated by financial gain, internal sabotage, terrorism, and vandalism. Example of planned physical threats are damages to the transmission equipment (telecom pillars, antenna, buildings, etc.), by using weapons or drones, copper or fiber optics cables theft to interrupt network services, or signal jamming to disrupt wireless networks.

Unplanned threats can be roughly divided into two main categories. The first one is related to hardware and/or software failure due to unintentional human actions; the second one concerns natural hazards. The most common cause of telecommunication failure, as reported by ENISA (European Union Agency for Network and Information Security) every year since 2012 (ENISA, 2019), is associated with power breakdown: lack offuel for backup generators, excavators shearing through cables, anchors damaging undersea cable are examples of this type of threat. It is worth noticing that power and telecommunication infrastructures rely on each other: on the one hand, the telecommunication infrastructures depend on continuous supply of power and, on the other hand, the electrical power industry depends on telecoms to run their extensive network of generators and grid distribution. Although the intentional damages can seriously harm telecommunication networks, according to ENISA reports the most prolonged disrupts are caused by natural hazards (i.e., weather events, seismic activity, fire, and explosions). Flooding, strong winds, lightning, cold weather, and heatwaves can affect telecommunication physical assets either directly or indirectly by damaging the power infrastructures. Furthermore, changes in the near-Earth space environment can influence the performances of the telecommunication systems.

Concerning the planned events, some prevention actions need to be set-up, by applying suitable frameworks and related measures. Concerning unplanned events, only mitigation strategies could be applied due to the unpredictable characteristics ofthe incidents. It is worth mentioning that due to climate change, natural hazards are becoming more frequent.

Cyber threats affect the telecommunication operation, software system, and services. They can be divided into intentional and accidental, like the physical ones.

The unplanned threats are represented by system and software failures. System failures occur when the performances of a telecommunication system are downgraded due to system errors. The challenge is to avoid the single points of failure by enhancing resilience strategies. However, not all parts ofthe network can be made redundant and, in these cases, the complementary restore and repair procedures need to be strengthened. The software failures are usually related to bugs in the algorithms that control the equipment. Although errors in software are acceptable for personal computers, a telecommunication network cannot bear crashes and delays in services. The most challenging software issue is represented by the systemic or common-mode failure; in this case, a software error in one network node causes the same fault to occur in other connected nodes, leading to a runaway failure of the whole network.

The planned cyber threats are related to hacking activities and attacks. They include both typical cyberattacks and specific ones, tailored to the specific infrastructure(s). The eavesdropping aims at breaching the system or service, to spoof the user identity, to disclose information (privacy breach or data leak), and to gain knowledge on the system. The man in the middle attack covertly intercepts the communication between two nodes, records the information, and even alters it. The denial of service (DoS) targets at making a resource unavailable to the users by temporarily or indefinitely disrupting services of a host connected to the Internet. A denial-of-service attack floods systems, servers, or networks with traffic to spill over resources and bandwidth; as a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this sort of attack. A semantic attack is devoted to change and disseminate correct and/or incorrect information to cover tracks of malicious activities. Attacks launched by malicious codes include the execution of viruses, worms, Trojan horses, and active Web scripts aiming at destroying or stealing information. They represent well-known computer security threats, since a computer virus is a program written to alter the way a computer operates, without the permission or knowledge ofthe user. Avirus replicates and executes itself, usually doing damage to the computer in the process. Cyber threats most connected with infrastructure are related to vulnerabilities in system security procedures, hardware design, internal controls, or software code. They could be exploited to gain unauthorized access, to manipulate the integrity or to affect the availability of both classified or sensitive information and non-sensitive information of protocols, procedures, and equipment. One of the main weakness is represented by the legacy protocols: some protocols, indeed, are old and were designed without considering future security issues. Concerning equipment, backdoor attacks and device compromise are mighty threats. Regarding the first, it is set up by software development companies or hardware providers that leave a single point of failure in order to obtain access to a system or application found in production. The second one hits the devices used in telecommunication networks (e.g., home routers): once they are compromised, malicious attackers can anonymously access services. The zero-day exploit is a cyberattack that occurs on the same day a weakness is announced in software, just before a patch or a solution is provided. A Structured Query Language (SQL) injection targets SQL servers by introducing malicious code into vulnerable website and retrieving data and information. The most challenging attack, however, is represented by phishing, since it includes the human in the attack loop. Phishing is an example of social engineering techniques, based on email spoofing and instant messages. It is the fraudulent attempt to gain sensitive information (usernames, password, personal identification number, credit card numbers, etc.) by appearing as a request from reputable sources.

Cyber-physical threats encompass attacks to information systems that have an impact on physical assets (cyber to physical threats) and vice versa (physical to cyber threats), i.e., physical threats that disrupt the information systems. The physical to cyber threats can be accidental, whereas the cyber to physical attacks are always intentional.

According to Paridari et al. (2018), physical threats are represented by both physical intrusion and attacks to sensors and actuators resulting in system failure. The physical intrusion refers to an intruder that circumvents the physical security of an infrastructure in order to harm the cyber domain. The sensor or actuator attacks refers to a physical damage that brings to a system fault. In Paridari et al. (2018) also, cyber to physical threats are considered. Specifically, the most common attacks are network disruption to harm physical assets and electronic jamming to deliberate cause losses in physical assets. For a telecommunication system, the first cyber to physical threats is related to remote action in the cyber domain that cause failure in providing services due to physical issue (i.e., power shutdown). The second cause denial of service due to traffic overloads and can cause damages in the interconnected critical infrastructures (e.g., control systems of power distribution networks).

The main approach adopted to prevent cyber-physical threats in a CPS is by controlling its vulnerability; however, it constitutes a challenge. CPS, indeed, are composed by heterogeneous building blocks. From a hardware perspective, they are composed by different components (i.e., sensors, actuators, controllers, physical structures, and embedded systems). CPS also include firmware, communication channel, proprietary, and commercial software for controlling and monitoring the systems. Every single component as the whole integrated system represents an attack surface. Therefore, a fundamental task is to get insights on the vulnerability risk in order to identify missing pieces, gaps, and weak links. Another challenge is related to privacy preserving issues in the CPS: in a CPS, indeed, it is difficult to identify, trace, and examine the attacks, which may originate from, move between, and target at multiple CPS components. An in-depth understanding of the vulnerabilities, threats, and attacks is essential to the development of defence mechanisms.

Telecommunication infrastructures are rarely regarded as a CPS, although the exponential growth in the development and deployment of networked systems has brought impacts to almost all aspects of daily life. It is worth noticing, however, that telecommunication systems provide and manage the communication channels of all the other critical infrastructures (e.g., power distribution systems, water distribution systems, transportation networks, etc.); therefore, they are tightly related and interconnected with CPS. Moreover, the facilities ofa telecommunication system, as well as all the physical devices (i.e., antenna pillars, network control systems or wireless sensor networks) that the emerging 5G technologies foresee, make the telecommunication system itself a CPS (Hutchison and Sterbenz, 2018).

The most challenging threat to detect and defend against is considered the APT. An APT is a set of stealthy and continuous computer hacking processes, which gain unauthorized access to a computer network and remain undetected for an extended period. It is set up by group driven by political and/or economic motivations; the actors behind an APT have the capability and determination to achieve a specific target. An APT usually targets either private organizations, states or both, and requires a high degree of covertness over a long period of time.

As suggested by the name, it consists of three main components, namely advanced, persistent, and threat. The advanced component implies that sophisticated techniques are adopted: traditional espionage vectors, social engineering, human intelligence, and infiltration are used to gain access to a physical location to enable network attacks. Commonly, the main target is to place custom malicious code on one or multiple computers in order to accomplish a specific task. The persistent component implies that an external command and control system is continuously monitoring and extracting data from a specific target during the dwell time (i.e., the time an APT attack goes undetected). This provides to the attackers a significant amount of time to go through the attack cycle, propagate, and achieve the objective. The threat component involves human in orchestrating the attack (Alshamrani et al., 2019).

APTs exploit Internet and/or infected media to breach the target system. Internet connections are used to send malicious payload via email attachments, peer-to-peer file sharing, or spear-phishing. Media infection may consist of infected Universal Serial Bus (USB) memory sticks, infected memory cards, or infected appliances. Furthermore, cyber threats (i.e., zero day attack, man in the middle, etc.) can be applied.

To date, every major business sector has recorded instances of attacks by advanced actors with specific goals seeking to steal, spy, or disrupt. The most famous APT for industrial control system is considered Stuxnet (Albright et al., 2010), while the world’s first global ransomware attack, Wannacry (Ghafur et al., 2019), was shown to be based on code produced by a known APT.

ENISA’s threat landscape report predicts that high-capability agents will specialize in the future on more off-the-shelf campaigns rather than custom techniques, so as to enhance stealthiness and further improve APT effectiveness (ENISA, 2019), showing that APTs exemplifythe advanced cyber threat due to increasing frequency, importance, and complexity in countering.

Resilience for a telecommunication system is defined as the capability of a network to prepare, prevent, protect, respond, and recover against a challenge by maintaining an acceptable qualityofservice (Thoma et al., 2016). Resilience is regarded as a major requirement as well as a design objective for CIs; however, it is of paramount importance for Internet that is the “critical infrastructure used by citizens, governments, and businesses” [as described ENISA (2019)].

Resilience represents a cross-cutting edge between information and network security, fault-tolerance, dependability (Avižienis et al., 2004), performabil-ity (Meyer, 1992), and network survivability (Ellison et al., 1997; Sterbenz et al., 2002). It is useful to underline that engineering resilience has a monetary cost: to this aim, it is critical to maximize the effectiveness of committed resources.

In telecommunication systems foreseen by the 5G architecture, the main resilience challenges are related to software-based networks. The radio access network allows to add/remove nodes by easily reconfiguring the network in an automated way. This capability enables the set-up of automatic redundant configuration, while introduces new security and resilience challenges, namely the risk ofaccepting a malicious node. Software-based networks, indeed, relyon centralized control that can represent a single point of failure. The key challenge is to make the control level resilient and secure in order to avoid the propagation ofattack and failure from this level to the data and application ones.

In the literature, two mitigating strategies are considered: the cross-layer fault management and the learning dynamic resource dependencies. The cross-layer fault management aims at timely diagnosing faults and attacks in order to set up recovery strategies to guarantee a suitable level of service. To achieve this goal, proper metrics to detect and identify system malfunctioning need to be defined: they are represented by the key performance indicators that may give relevant insights on the behavior of the system. By learning dynamic resource dependencies, it is possible to build a run-time model for the software-based network that allows to track faults and alarms.

Another challenge that arises considering software-based networks is related to network slicing that enables the coverage of different use cases (NGMN Members, 2015) by mapping virtual resources into physical infrastructure. In this case, the network resilience depends on the resilience of the slicing service and of the physical infrastructure. A fault on the physical layer, indeed, propagates into virtual resources.

This chapter analyzes the security and resilience of telecommunication systems considering the challenges that an improved connectivity may induce in CPS. Furthermore, the telecommunication infrastructure is regarded itself as a CPS. We investigated the novel challenges and the security issues arising when the next generation oftelecommunication systems is considered. The main concerns are related with the convergence between fixed and mobile networks, the exploitation of cyber threats to damage the physical layer, and the novel network technologies used by the 5G generation of mobile networks.

The challenges in security, however, can be considered also as opportunities. Resilient systems, indeed, can be easily set up by using the network functions vir-tualization, as foreseen by the ETSI (the European Telecommunications Standards Institute) (NFV ETSI Industry Specification Group, 2017). The future telecommunication systems, indeed, will be composed of Physical Network Functions that cannot be virtualized and Virtual Network Functions that run in commodity hardware. These two components will realize network services and /or application coordinated by an orchestrator, able to implement the appropriate policy. Here, the opportunity is to exploit the orchestrator also for security purposes. Finally, the networks virtualization and the software defined networking can be synergetically used to set up automatic network.