One recent example of attacks in the sector: The country's largest telecom network - BSNL - faced a botnet attack which affected the information built into modems used for BSNL's broadband services across the country. Over 2,000 customers were affected, with many facing issues with their broadband connectivity for over three days. The malware attacked internal modems in the National Internet Backbone of the BSNL.
Similarly, MTNL connectivity issues arose due to malware attack. For over three days, both BSNL and MTNL networks were down across states in India. The offices of BSNL and MTNL were flooded with complaints.
One problem area is that this industry is dependent on third-party operators and outsourced partners, which increases the potential to be vulnerable.
Last month, personal data of over 100 million customers was compromised when Reliance Jio suffered a major data breach. The data had leaked onto a website in what analysts said could be the first ever large-scale breach at an Indian telecom operator.
Given the complexity of the telecom industry and the way it functions, security industry experts aren't surprised that more and more attacks are targeting this sector. One problem area is that this industry is dependent on third-party operators and outsourced partners, which increases the potential to be vulnerable.
"The telecom industry is very complex, and most of its customer support activity is outsourced to the third-party operators who have direct access to customer details. If there is a vulnerability on their network, attackers can easily get hold of customer information," says Delhi-based Felix Mohan, CEO of CISO Cybersecurity and former CISO of Bharti Airtel.
Reasons for Attacks
Telecom is one of the sectors which is constantly introducing newer technology. Every year, the market gets flooded with advanced handsets. There is also mushrooming of companies in the app space. Meanwhile, companies continue to rely on certain legacy systems and technology as well, thus creating gaps. "It is through these gaps that hacks can occur," Mohan says. "For example, though many in the urban areas use 4G networks, in rural areas, 2G is still prevalent."
Then there's the problem of value-added service providers. Telecom operators depend on VAS providers to differentiate themselves from their competition. These providers are mostly startups, and network security may not be a priority. "VAS providers have direct access to mobile switching centers, or MSCs, considered the centerpiece of a network switching subsystem. So anyone having direct access to these service providers can access MSCs, making them vulnerable to breaches," says Inderjeet Barara, a consulting CISO.
India already has imposed a number of security regulations on the telecom industry. In fact, there are strict penalties if telecom operators fail to adhere to proper security guidelines. The question then is: Why don't we hear of any strict penalties when breaches happen in this industry?
One of the reasons is that multiple agencies are involved. The telecom industry is governed by NCIIPC, the National Critical Information Infrastructure Protection Centre; DoT, the Department of Telecom; TRAI, the Telecom Regulatory Authority of India; and NTRO, the National Technical Research Organization. These organizations often get into conflict with each other, resulting in confusion for the industry.
Target for Nation-State Attack
Espionage by nation-states, which is focusing on electronic intelligence gathering, is targeting communication and telecom networks.
In India, the telecom sector is dominated by Chinese companies, and India doesn't have a good political relationship with China.
Some security practitioners speculate that China could have been involved in some recent cyberattacks and breaches in the telecom sector.
"The Chinese, due to their significant cost advantage, are able to garner lion's share of the telecom market in India. Due to geopolitical issues, China gains a strategic advantage by snooping on Indian telecom networks," says C.N. Shashidhar, founder & CEO at SecuriT Consultancy Services.
China is spending significant resources to acquire access to sensitive technologies, including telecom, in its quest to become the dominant super power, and the Chinese companies have followed their government's directives in this domain, Shashidhar asserts.
Need for Strong Audits and Controls
Given that telecom equipment comes from other nations and third-party operators control customer data, there needs to be strong enforcement of regulations and audit controls, which is lacking. "Testing needs to be severe and the government should conduct unannounced audits," Mohan says.
Security experts say that to help prevent malware attacks:
- Telecom companies should conduct regular security checks.
- India should create a national cybersecurity center and risk guidelines exclusively for the sector.
- Government should pass a regulation imposing penalties if it's found that a breach has happened due to the fault of equipment manufacturers
In a recent development, the Indian government has asked several smartphone makers across the world to share security related information that they follow.
According to news reports, the Ministry of Electronics and IT has directed 21, mainly Chinese, mobile manufacturers to share security procedures and processes they follow to ensure the security of mobile phones sold in India, following multiple reports of data leakage and online theft across several platforms.