The European Union Agency for Cybersecurity publishes the aggregated data and analysis of the incident reports for telecom services and trust services.
Why is incident reporting important?
The major objective of telecom services and trust services incident reporting is to help national authorities with their supervision tasks and to map cybersecurity trends as well as cross-cutting issues and sector weaknesses. Aggregating this information is important to understand gaps and to identify and address emerging issues.
ENISA has been supporting the EU telecom security authorities since 2011 and the supervisory bodies for EU trust services since 2016 on the respective incident reporting. The role of ENISA is to develop procedures, information gathering templates and data processing tools in relation to these incidents and to publish a report every year on the previous year’s incidents.
What are the key takeaways of the reports on 2020 incidents?
The annual report on telecom security incidents for 2020 reveals that faulty software changes and/or updates are a major aggravating factor in terms of impact: they account for 346 million hours lost, equivalent to 40 % of the total number of hours lost.
System failures continue to dominate as the most frequent cause of incidents leading to severe adverse impact.
The number of incidents caused by human errors or third-party failures remains similar to the levels seen in 2019.
The multiannual trends show that although system failures continue to be the most frequent cause of incidents (61%), the impact of these incidents is decreasing.
The analysis also reveals that incidents caused by human errors have been on the increase between 2016 and 2020, reaching 26% of the total number of incidents.
The annual report on trust services incidents also reveals that system failures remain the dominant root cause of incidents, with human errors ranking second.
Overall, the level of severity remains steadily low, which indicates that Trust Service Providers (TSPs) are reporting more incidents, including those that are less severe.
In 2020, 69% of reported incidents had an impact on qualified trust services, compared with approximately 33% of incidents affecting non-qualified trust services. The report highlights a concern that incidents involving non-qualified trust services are under-reported, although such services are very widely used. A good example is website certificates, which are used by 80 % of websites globally. The rather limited number of incident reports on non-qualified trust services under the eIDAS regulation suggests there is still under-reporting in this specific market. Nevertheless, it is worth mentioning that one Member State reported 11 such incidents during 2020.
In addition, the analysis revealed vulnerabilities in PDF signing, with the emergence of new “shadow attacks” affecting a wide range of software products: a document is prepared so that its visible content can be altered after signing without the signature being invalidated by the viewer.
The information collected and analysed in the telecom and trust services security incident reports is stored in CIRAS, an online visual tool that allows incidents to be analysed and custom graphs to be generated.