ENISA Cap04

The document defines various threats and causes of security incidents for networks and services. It introduces terminology around threats and defines threat types such as natural disasters, cyberattacks, and hardware or software failures. It also defines categories for root causes of incidents such as human errors, system failures, and security weaknesses.

Guideline on Threats and Assets

4. Threats and causes

This section introduces a terminology (or dictionary) to speak about threats and causes.

We define a threat as follows[3]:

Threat: A threat is an event or a circumstance which could cause a security incident.

This definition is based on the definition of a security incident as defined in the incident reporting guideline
(see also Section 2
(in the past).
The next section lists threat types. To explain what we mean by a threat type we give an example: A threat
type

cident.

4.1 Threat types

In this section we take a so- -
security of networks and services are in scope.

Note that this list of threat types is not exhaustive. We do not claim to make a taxonomy of threats here.
There are many threat lists and taxonomies available, which can be more or less useful depending on the
situation, but this particular list has been defined within the Art. 13a expert group, and represents the most
common threat types used by the telecom sector with regard to the mandatory incident reporting activities.
We have not used a specific order for these threats, but grouped them according to similarities. For example,
we grouped natural phenomena together.

4.1.1 Heavy snow and ice

Heavy snowfall or ice can impact physical infrastructure, such as overland cables, base stations, overland
power supply lines, et cetera.

4.1.2 Heavy wind

Heavy wind can impact physical infrastructure, such as overland cables, base stations, overland power supply
lines, et cetera.

4.1.3 Flood
Floods can impact physical infrastructure, such as server rooms, collocation sites, et cetera.

4.1.4 Earthquake
Earthquakes can impact physical infrastructure, such as power supply lines, underground and overland
cables, sites, et cetera.

[3] This definition is similar to the definition in ISO27K5, which defines a threat as the cause of an incident.


4.1.5 Wildfire
Wildfire can impact physical infrastructure, such as overland cables, overland power supply lines, collocation
sites, et cetera.

4.1.6 Fire
Fire[4] can damage physical infrastructure, such as cables, routers, server rooms, et cetera.

Note that this cause only covers accidental, unintentional instances of fire. For arson, see below.

Note that fire could also have an indirect impact, for example, when firefighters spray water or foam, or
when they give orders to turn off power generators.

4.1.7 Arson
Arson (a fire started intentionally) could damage physical infrastructure, such as cables, servers, sites, street
cabinets, et cetera.

Note there could also be an indirect impact, for example, when firefighters spray water or foam, or when
they give orders to turn off power generators.

4.1.8 Electromagnetic interference

Electrical circuits and radio signals can be affected by electromagnetic interference. This kind of interference
can be malicious (for example EMP guns), accidental (for example by a faulty transmitter) or part of a natural
phenomenon (e.g. solar storms).

4.1.9 Denial of Service attack

A Denial of Service (DoS) attack aims to overload network or information systems with traffic. DoS attacks
can have an impact on the continuity of networks or services.

4.1.10 Network traffic hijack

Attackers could change network routing or network addressing tables, which could have an impact on the
security of the services, for example by altering BGP tables (BGP hijacks) or altering DNS zone files (DNS
poisoning).

4.1.11 Malware and viruses

Malware and viruses can affect network and information systems, such as servers and applications. For
example, there have been cases where malware was used to attack routers, which impacted the network
traffic of thousands of subscribers.

4.1.12 Advanced persistent threat

Advanced persistent threats, or APTs, are cyber attacks which are persistent (and stealthy, inconspicuous),
which target a range of different systems, often moving from one system to the other. APTs usually involve
the manipulation of many different networks and information systems. For example, an APT could target first
a webserver, then the desktop computers of system administrators, and finally the firmware of core routers.

4.1.13 Hardware theft

Hardware theft could have an impact on networks and services, for example because thieves damage
systems. Particularly multi-purpose IT equipment, or valuable items such as large batteries, can be attractive
to thieves.

[4] Not to be confused with wildfire, which is listed as a separate cause.


4.1.14 Cable theft

Cable theft can have an impact on networks or services. For example, optical fiber cables could be cut when
copper thieves dig up the cable searching for copper.

4.1.15 Cable cut

Cable cuts, for example by an excavation machine or a ship's anchor, can have an impact on networks or
services.

4.1.16 Power cut

Power cuts of the (public) power grid can have an impact on infrastructure which relies on power, for
example base stations, sites, et cetera.

4.1.17 Power surge

Power surges, in the power supply of the main (public) power grid, could have an impact on electronic
devices connected to it.

4.1.18 Cooling outage

An outage of cooling systems can cause damage or malfunctioning of infrastructure.

4.1.19 Hardware failure

Hardware failures (when physical hardware breaks) could affect physical infrastructure such as servers,
routers, base stations, et cetera, and in this way have an impact on networks and services.

4.1.20 Software bug

Software bugs could have an impact on ICT systems, such as routers, servers, databases, et cetera, and in
this way impact networks or services. This type of threat also includes complex failures like network failures
when several systems fail to connect or otherwise work together.

4.1.21 Design error

Design errors could have an impact on the security of networks and services. For example, an HLR handling
3G and 4G traffic could be designed wrongly, causing outages.

4.1.22 Faulty hardware change/update

A change or update of hardware, for example, for maintenance, replacement, or renewal, could go wrong
and have a negative impact on networks or services.

4.1.23 Faulty software change/update

Software changes or updates, for example the installation of new software or software patches, could go
wrong and have a negative impact on the networks or services. Note that this threat includes software like

4.1.24 Overload
Overload of traffic and usage could impact the networks and services.

4.1.25 Fuel exhaustion

Backup power generators can run out of fuel, which could have an impact on electronic devices.

Note that this is typically a secondary cause of an incident, where the primary cause is a power cut.


4.1.26 Policy or procedure flaw

A flaw in a policy or procedure, or the absence of a policy or a procedure, could have a negative impact on
the networks or services.

4.1.27 Security shutdown

Security risks could force a provider to shut down a service, for example to have the time to patch a software
vulnerability.

4.2 Root cause categories

In this section we define 5 root cause categories. Unlike the detailed threats/causes (defined in the previous
section), root cause categories are broad categories describing the underlying problem.
Note that the categorization of an incident in a specific root cause category often depends on the details and on
the judgement of the NRA. For example, suppose a storm causes a power cut of several hours, which causes
an outage because the fuel in a backup power generator ran out. Depending on the circumstances this may
be categorized as natural phenomena (storm), human error (forgot to refill the fuel), or a system failure
(refill procedure flawed).

Note that this list of root cause categories is not exhaustive. We do not claim to make a taxonomy of root causes
here. There are many root cause lists and taxonomies available, which can be more or less useful depending
on the situation, but this particular list has been defined within the Art. 13a expert group, and represents
the most common root causes used by the telecom sector with regard to the mandatory incident reporting
activities.

4.2.1 Human errors

equipment or facilities, the use of tools, the execution of procedures, et cetera.

For example, suppose an employee of a provider made an error in following prescribed equipment
maintenance procedures. The maintenance error caused an outage. In this case the incident would be

4.2.2 System failures

includes the incidents caused by failures of a system, for example hardware
failures, software failures or errors in procedures or policies.

For example, if an HLR suddenly stops operating because of a software bug, which prevents all
subscribers from connecting, then this in .

4.2.3 Natural phenomena

includes the incidents caused by severe weather, earthquakes, floods,
wildfires, and so on.

For example, heavy winds cause a cable cut, causing outages, then the incident would be in the root
.


4.2.4 Malicious actions

includes the incidents caused by a deliberate act by someone or some
organisation.

For example, incidents which have a root cause like a fire started by employees as an act of sabotage,
the hacking of the provid
systems, vandalism directed at street cabinets, and so on.

4.2.5 Third party failures

includes the incidents where the cause was not under direct control of
the provider, but some third party[5].

For example, an outage caused by a cable cut caused by a mistake by the operator of an excavation
machine used for building a new road, would be categori
- .

[5] In the incident reporting this category is now used as a flag, in combination with another root cause category.
