Network Attacks

Network Attacks - cqr2008.ieee-cqr.orgcqr2008.ieee-cqr.org/Day 3/Session 9/Andy Slater.pdf · 88400 Primary Connection Points (the green cabs by the road ... Taxi firms. RedCare


What is the scale of the task, just how big is the Network?

Openreach looks after the ‘first mile’ of network, from the exchange through to homes and businesses.


Kaizen Change Team 3

What makes up the component parts of the first mile?

In excess of 5600 Telephone Exchanges.

88400 Primary Connection Points (the green cabs by the road side).

37.9 million Exchange side cable pairs.

42.8 million Distribution side cable pairs.

7.5 million Exchange Only cable pairs (cable direct from the exchange).

8 million cable joints.

That’s a massive amount of Copper!!


The Openreach Network would need many “eyes” to police it!

[Diagram: the Openreach network, labelled with the following quantities]

5600 or so Exchanges

88.4k PCP

37.9M E Side Pairs

42.8M D Side Pairs

7.5M Direct Fed Cable Pairs

8M EO / D Side Joints

1.6M OH DP’s

2.3M other DP’s

28.96M Exchange Lines

SCP


Overview of the problem

Copper prices have more than doubled in the last four years as China is importing huge quantities of the conductive metals; this is driving a wave of thefts across the globe, from South Africa and the US to Italy and the UK.

Over the last 18 months there has been an increased number of attacks on the network involving cuts, arson & theft of live cable.

Thefts of live cable are indiscriminate and pose a threat to community safety, with subsequent risk to BT’s reputation and revenue.

The price of copper shows no sign of falling and Openreach needs to radically change its attitude to security, particularly in the network.


What is the size of the Impact?

On average 14,000 End Users experience a loss in service each month.

On average that’s 168,000 End Users a year.

How many other crimes have so many victims?

As much as 90,000 total days per month when end-user lines were out of service. [Data from vandalism stats]

Or put another way that’s just over 1 million out of service days a year.


Who are some of these End Users who have lost their service so far?

Blue Light Services - Eltham

Air Traffic Control - Stansted.

Thurleigh Airfield.

Ministry Of Defence.

Doctor Surgeries.

DVLA.

City Councils.

Borough Councils.

Post Offices.

Business Parks.

Shopping Centres.

Bingo Halls.

Taxi firms.

RedCare.

Retail Parks.

Internet Cafes.

Plus many thousands of Homes which have lost Alarm Lines, Care Lines, Broadband Services & Telephone Lines


Any Cable will do!

The perpetrators of these Network Attacks act with no regard to the consequences of their actions and the impact that they have on society, from a wellbeing and economic viewpoint.

At least one instance is recorded where an Internet Café ceased trading due to prolonged and repeat Network Attacks.


Reported Network Attacks

October 2007 – 188 attacks

November 2007 – 197 attacks

December 2007 – 156 attacks

January 2008 – 169 attacks

February 2008 – 164 attacks

Total – 874 attacks

Although since October the attack profile is on a slight downward trend, the actual impact has increased due to larger cables being targeted. These larger cables carry a greater number of circuits due to their increased capacity and the time required to restore service is longer.

[Chart: Number of Attacks per month, Oct-07 to Feb-08]


When do these attacks take place? (last 5 months data)

[Chart: Number of Attacks by Time of Attack (24hrs)]


What is the cost of these Network Attacks to Openreach?

The following cost data is based on a sample size of 119 reported Network Attacks between the Period October 07 and February 08.

Average cost per Network Attack - £6.8k

Multiply the average cost by the number of reported attacks between October 07 and February 08 (5 months).

Total average cost for period - £5.9m

Total average cost for 12 months - £14.2m

Potential liability for loss of service.

Monthly average liability cost - £360k


Cable theft & copper price trends

[Chart: Loss (£k) by month, Apr-06 to Feb-08; series: Cu Price, TEC cable, Network cable, Total cable; copper price markers at $6.5k/t and $8.5k/t]

Network damage and copper price trends

[Chart: Loss (£k) by month, May-06 to Jul-08; series: Network damage, cu price; copper price markers at $6.5k/t and $8.5k/t]

Trend 2 shows an illustration of the impact of network damage in the access network, which is outpacing the commodity price for copper. Whilst less copper overall is being stolen, the damage element is greater, leading to service impact and customer outages. Evidence suggests that thieves are taking smaller amounts of cable in some areas but that cuts at the duct mouth joints are leading to significant replacement of cable and increased engineering time/effort to resolve.

The commodity price of copper metal has increased significantly since May 06. This graph shows that total cable theft has dropped against that trend line, mainly through the reduction in theft from TECs as a consequence of the removal of surplus cable [an attraction for theft], together with additional security initiatives such as cable containment and containment locking, significant investigative work, and a number of arrests and seizures of financial gains from thieves. Despite the decline of theft from TECs, theft from the access network has increased significantly.


Where do we want to be

3 - 6 months

– a full understanding of financial and customer impact to define strategic financial support required to build business case for mitigating action

– customer impact data used for ongoing debate with government on taking more proactive action, to help review both the UK community impact and any judicial reassessments to stem the problem and to review policing priorities with a view to developing pan UK targeting in this area

– additional investigators provided and targeted towards detection/apprehension working specifically on cable theft

– Use of Crimestoppers to get the message into the public domain and to secure greater public and community interest / intelligence and support

– risk assessment completed for people safety, financial loss / impact, community / customer impact and security standards against horizon scanning of the problem growth

– full rolling log of all events with action taken and storybook of improvements and benefits


Where do we want to be (2)

Long term 6-12 months

– increased number of arrests with Openreach / BT becoming less attractive as a target

– reduction in successful attacks across the network prioritised on "E" side

– a shift in the society view of impact of cable theft driven through the ACPO [Association of Chief Police Officers] positioning to the Home Office leading to greater government engagement

– Next generation security product both physical and electronic injected into the network through capital funded programme of work. Programme fully embedded and working to target

– availability of Personal alarming where we believe our engineering workforce will be at risk as perpetrators look for other ways of gaining access to copper cable as we lock down the network

– fully intelligence led trend analysis to enable targeting of perpetrators and prioritisation of protection by geographic location

– security as BAU into network planning process - all replaced / maintained plant has security added as part of business as usual


Where do we want to be (3)

Horizon scanning - 5 years

– in high impact areas [HOT spots] replace copper with fibre solution based on risk assessment, attack trends and intelligence and customer service provision against cost benefits

– all vulnerable high impact areas of the network secured

– Higher level of government sentencing through lobbying regarding community impact

– 40% of "D" side access network secured in set geographic locations - dependent on funding availability

– increased people security measures


What we are doing securing the network

Reactive security upgrades to the network following an attack

Crime analysis to identify areas with a raised vulnerability

Proactive security upgrades where there is deemed to be a raised vulnerability.

Operational engagement to identify vulnerable areas.

Security patrols mobile/static where appropriate.

Development of new more cost effective security products.

Feedback process for intelligence.

Welding of covers in exceptional circumstances.

Engagement with the community.


Security Products

Current Products

Lockable Carriageway covers

Plates Plant protection

PCP locks

New Products

Lockable footway covers

New lockable carriageway cover

Hinged Footway and Carriageway covers

Adjustable Plates Plant Protection.


Plates Plant Protection (Enhanced Security)


PCP (KABA Cabinet Shield Lock)

PCP (Barnet Cabinet Lock 2A)

Products for protection of above ground plant


Products for protection of underground plant

Lockable Carriageway Covers No 1, 2 & 3


Norenco Hinged Cover


Engaging with the Operations teams

The Kaizen team continue to facilitate the Network Attack workshops, which are all about engagement with the Field Operational teams who are suffering from particularly high levels of Network Attacks.

These events have been supported by the Openreach Business Continuity senior team, BT Security Investigations plus several senior field managers from the field teams affected, along with a number of security leads including the Director of Security, BT Operate.

Feedback shows that both the field and security teams really value these sessions, and the Kaizen team are facilitating some more over the next few weeks.


Engaging with the Operations teams - Communications

The Openreach security team have been liaising with local operations managers to provide close-up support and briefing material, where appropriate

Use of SMS text messaging to alert teams to network attacks in their area

Working with regional security champions to help raise awareness

Provision of Impact Template (for attacks involving cables over 300 pair) to ensure true impact of attacks is identified and passed to Group Investigations


Engaging with the experts

The Kaizen team are setting up a meeting of minds workshop to scope the potential for making our cables more resistant to theft or attack by adopting the 3 D’s (Deter, Delay and Detect).

Invited attendees so far:

– B3 Cable Solutions

– BT Investigations

– Optex Europe (manufacture of specialist internal and external detection technology)

– Field Operations


Engaging with Government and Law Enforcement

Security Managers of affected companies lobbied for more action

Government wrote to the Association of Chief Police Officers

Task group set up under the Chairmanship of the British Transport Police

Associated trade bodies, other enforcement agencies and Government departments have come together to obtain a co-ordinated view on

the extent of current legislation and

the effectiveness of enforcement


Initial findings on the current position

Cross Sector Metal Thefts Action Group formed

Metal theft will remain a problem for at least five more years

Copper, lead, aluminium, nickel, zinc, tin, bronze all targeted

Police estimate consequential loss to UK sectors at £180m p.a.

Police concern of secondary entry by children where theft is from a high voltage enclosure


National Metal Theft Taskforce

Cross Sector Metal Thefts Action Group formed

Four regionally based teams

Dedicated command team

Supported by police intelligence resources


Openreach Mitigation

Blackspot Analysis of network attacks

Cabinet Security Uplift Programme (1000 Cabinets Per annum)

Network Security Uplift (£1 m Reactive)

Network Security Uplift (£1 m Proactive)

Development of new security products

Network Attack Workshops & Audio Calls

Security Briefings


When and where security is applied

Following an attack on the network.

When requested and paid for by customers.

When serving a sensitive site (Government, MOD etc).

Exchange Manholes and pinch points in the network.

When attacks/crime in an area indicate that plant is vulnerable.

When the network is thought to be at high risk.


Your Help is needed

• To identify “hotspots” for network security uplift.

• To agree the criteria for cabinet security uplift.

• Identify suitable Single Points of Contact and resource to plan & progress security uplift.

• To get all Security incidents reported to the Police and BT Security on 0800 321 999.

• Ensure network security locks are refitted.

• Ensure missing/broken security locks are reported via A1024 process. (0808 100 1024)


End