AltNet UK Broadband Engineers Unfairly Accused of Exposing Sites to Cyber Attack UPDATE2
A major UK newspaper has suggested that some alternative broadband operators, many of which are deploying new gigabit-capable full fibre ISP networks, are being “lazy” by failing to hand over information about “when and where they are working on BT’s network“, which allegedly risks “exposing hospitals and banks to cyber attacks“.
According to the Telegraph (paywall) and their “industry sources“, the lack of associated record keeping is leaving “companies blind to who has access to critical network infrastructure …. allowing saboteurs to take advantage.” One source added that the UK’s digital networks “could be targeted by criminals or hostile state actors, and we wouldn’t know … operators are effectively blind to who is working in their network, and where.”
Several incidents are highlighted, such as one in which a hospital and financial institution in central London “were taken offline after someone gained access to the network and cut through a cable“, as well as another where two people used a van to “tear broadband cables out of the ground” (sounds like copper cable theft). In addition to deliberate sabotage by criminals, engineers working in crowded ducts are said by the piece to “frequently damage cables belonging to rival companies“, which adds to the problem.
The article claims that compliance rates with the related requirements are already low and still falling. CityFibre is given as one example, where almost half of the jobs they had completed by the end of October 2023 had no whereabouts information. Compliance on ongoing jobs is allegedly, albeit tentatively, said to have dropped to just 23%. We have asked CityFibre about this, but have yet to receive a response.
Tim Creswick, CEO of London Biz ISP Vorboss, said:
“This is exactly why, unlike most other operators, Vorboss doesn’t use third party contractors in our network. It is the only way you can guarantee that your teams comply with these requirements which are essential to controlling what is happening on these critical networks.”
Katie Milligan, Openreach CCO, said:
“The safety of our people, partners and anyone who comes into contact with the Openreach network is always our number one priority. We’re continuing to work closely with the industry and Ofcom to make sure that any work happening on our network is not only recorded properly, but completed safely and securely.”
However, while it may be fair to say that compliance with the relevant rules in this area are in need of improvement (network operators have already been discussing this), we do think it’s perhaps a bit of a stretch to sensationalise that with “exposing hospitals and banks to cyber attacks“. But let’s take a deeper dive here.
What are the Whereabouts Requirements?
Context is important for this, and the original Telegraph piece doesn’t provide much. But to simplify, Openreach’s regulated Physical Infrastructure Access (PIA) product, which enables rival network operators to run their own fibre optic cables over or through OR’s existing poles and cable ducts, includes a “mandatory requirement” for related contractors to record their “whereabouts” when working on or in their network.
Openreach does this out of a concern that a company which is surveying or installing new cables using their network could accidentally damage other cables (either Openreach’s or an altnet’s), thus they need information which helps them to resolve the knock-on issues from that damage quickly. Basically, who is working on their network and when they’re working is important from a service quality, safety and public liability perspective.
Openreach’s Whereabouts Description
The recording of your contractor whereabouts when working on or in our network is important and necessary to enable us to ensure the integrity of our network and quickly identify if unauthorised personnel are accessing it e.g. in the case of cable theft.
This will also enable audits to take place and it will provide an audit trail for both you and us should any damage or highway breach occur. The completion of Whereabouts also enables us to check and complete checks to confirm that the contractor’s operatives are accredited for the work they are undertaking and they must have their identification at all times.
It is a mandatory requirement that you must notify us prior to working on or in our network and advise us whether you are doing the work yourselves or you are using a third party and if you are using a third party, the name of that third party. You must do this using the Map Tool Whereabouts can be submitted up to +/- 7 days in advance from the day of submission and for repair/damage up to 28 days retrospectively.
Such a record typically includes the name of the contractor on site, their contact number, details of the activity being undertaken (e.g. overhead survey), date and time attending site (this can be up to 7 days in advance from the day of submission), postcode, street name and, if available, the street works permit or notice number.
Clearly this is an important process, albeit one that seems to be much more about assigning responsibility and related record keeping than attack prevention. Put another way, we highly doubt that securing full compliance would magically prevent such problems / attacks from occurring. In addition, it’s not usually the engineers themselves that submit the whereabouts details (unless the AltNet has bespoke tooling for interfacing with OR’s map tool).
Most underground chambers, street cabinets and poles can only be secured up to a point and as we’ve seen over the decades, preventing physical attacks by a concerted individual or criminal gang is incredibly difficult. Criminals aren’t going to fill in a form to make your life as an operator any easier, and it remains questionable to suggest that full compliance with the above could truly enable Openreach to “quickly identify if unauthorised personnel are accessing” their network (i.e. although it would help to eliminate disruption caused by legitimate works during a live fault investigation).
Not to mention that ripping cables out of the ground or cutting them is not strictly a “cyber attack” and typically relates more to vandalism or cable theft, which is a different kettle of fish – one that is perhaps more relevant to Openreach’s older copper cables than modern fibre builds (fibre has no value to cable thieves, but can be accidentally damaged by the same activity).
In any case, the hospital or bank concerned should also be using adequate redundancy, as well as good internal system security and encryption, to ensure that any tampering with external cables (either to disrupt or intercept their data traffic) does not prevent their ability to securely process data. But once again, this is not really relevant to PIA.
The whereabouts process itself also has its own set of issues, such as with the confusion that can sometimes be created when more than one operator is working on the same area of network infrastructure. Similarly, some alternative networks have previously alleged that Openreach may use the whereabouts records to influence their own FTTP builds (i.e. anti-competitively speaking), which is something they strongly deny.
In short, compliance with this requirement does seem to be in need of improvement, but as one operator told us, “that’s an entirely separate issue to both cyber-security risks and infrastructure theft.” Indeed, if we’re going to talk about cyber-security, then there are a lot of other areas for BT and Openreach to improve too (e.g. more/better CCTV coverage at exchanges, better locks / doors etc.). But everything has a cost.
UPDATE 3rd Jan 2024 @ 4:34pm
We’ve had a comment from INCA, which represents a lot of AltNets.
A Spokesperson for INCA told ISPreview:
“INCA encourages all members to adhere to compliance rules and also participate in INCA’s own working group supporting Altnets using PIA. INCA will continue to actively engage Openreach, Office of the Telecoms Adjudicator and Ofcom to improve the way that PIA operates.
Importantly, this news highlights the need for BT/Openreach’s PIA infrastructure to be separated into its own independent entity as proposed in the INCA Policy Report
https://www.inca.coop/sites/default/files/policy/INCA-Policy-Report-Sept2023.pdf
If physical infrastructure was operated by an independent organisation then BT/Openreach would run the same risk of non-compliance, on whereabouts and health & safety, as the rest of the sector and face the same risk of suspension from using the infrastructure. Accepting that this will not happen in the short term, INCA advocates for an independent body to be established to monitor health & safety and PIA compliance issues.”
UPDATE 4th Jan 2024 @ 9:50am
We’ve had a response from CityFibre, which also notes that the 23% compliance figure given in the original Telegraph piece is misleading because it reflects unfinished / in progress jobs. According to Openreach’s data, CF’s compliance against closed jobs (NOIs / Notice of Intent) is actually 54%, but this too has a caveat.
Altnets are typically only required to complete whereabouts information when accessing the network on a main (Primary) NOI. If that company is installing in more than one duct in the same area using PIA, further whereabouts information is not required because the equipment is all installed at the same time (i.e. it makes little sense to record four visits when only one has happened).
However, because a user of PIA records only one visit, the Openreach systems show one visit yet may show more than one piece of infrastructure installed – giving an incorrect impression that there is a significant non-compliance. Openreach is said to have acknowledged this issue. Meanwhile, CityFibre suggests its own calculations are averaging over 71% compliance in 2023 (the OTA is said to have suggested that anything over 70% is good).
A CityFibre spokesperson told ISPreview:
“BT Openreach’s whereabouts report, from which this data is sourced, is fundamentally flawed as it significantly under-reports compliance. We have shared this concern with Openreach as we believe our compliance to be over 70%, a level the OTA have suggested should be considered ‘good’.
CityFibre is by far the biggest user of PIA and works extremely closely with BT Openreach on its development of the product and compliance metrics. We continue to be one of the leading advocates pushing for all builders to improve their recording of whereabouts information.”
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« 2023 H2 – UK Full Fibre Broadband Cover Reaches 60.5 Percent
Openreach Says UK Broadband Usage Increased by 9% in 2023 »
Latest UK ISP News
- FTTP (5581)
- BT (3530)
- Politics (2553)
- Openreach (2311)
- Business (2284)
- Building Digital UK (2253)
- FTTC (2050)
- Mobile Broadband (1991)
- Statistics (1799)
- 4G (1681)
- Virgin Media (1639)
- Ofcom Regulation (1472)
- Fibre Optic (1406)
- Wireless Internet (1400)
- FTTH (1382)
To be fair, everyone in the industry knows that the whole Openreach PIA arrangements have become like the wild west, with Alt nets and/or their contractors deliberately not reporting whereabouts and completions in a timely manner. The reasons for this include, commercial and not wanting competitors to know where they have laid infrastructure for as long as possible, liability where if they damage other operators cables (especially existing copper) while pulling their new fibre through the ducts, they simply walk away without anyone knowing they had been there, and not registering completed work for as long as possible so as to delay the date they start paying Openreach from.
Ultimately, in such a free for all environment that all these operators are now part of and which isn’t being policed by ofcom effectively, what stops anyone from donning a high vis vest opening up some chambers in the street and damaging large spine cables to strategic buildings be that banks, data centres, or government buildings, etc., without anyone noticing or caring.
And I disagree that cutting cables to a building like this is not a cyber attack. Its as much a cyber attack as someone cutting an under sea cable.
In order to be considered a “cyber attack”, the definitions generally require that the attacker be trying to gain unauthorized access to a computer, computing system or computer network – typically via a live link from another computer system (hence the ‘cyber’ part). But in the examples given, none of that is the case, which categorises it more as a different type of physical attack/damage. But that’s another debate.
“what stops anyone from donning a high vis vest opening up some chambers in the street and damaging large spine cables to strategic buildings be that banks, data centres, or government buildings, etc., without anyone noticing or caring.”
Certainly not the whereabouts requirements. None of that will stop this sort of activity as criminals don’t fill in the official forms. Better practical policing of CNI, faster responses by Openreach engineers, more security at site access points, better use of CCTV etc. will all help, but come at a cost and hence there are always practical / economic limitations.
The real world equivalent of ‘Clickbait’ is about the only thing left that sells newspapers. Questionable ‘reporting’ is not really a new problem, but it makes a change from propaganda.
What a load of crap, like most things The Telegraph puts out
Such a safety critical system and is in BT/Openreaches control then why would Alt Nets be the one to blame here…. as has been quite rightly pointed out, just another load of dying media’s gasps for attention.
It would be like Network Rail not ensuring lines where safe to travel on after maintenance by a contractor, being in the shoes of the contractor I’ve had many of long end of posession waits for Network Rail to check and sign off all is well for us too go home.
There isn’t really a valid comparison to Network Rail. NR isn’t required to let competitors build lines on its land. Anyone working on the infrastructure is there because Network Rail is paying them to do so.
I’d love to see OR require that one of their people supervises every open manhole but the altnets would run to Ofcom straight away and claim it’s anticompetitive or other guff.
With the damage altnets are doing to existing plant, It’s about time Openreach clamped down on the cowboys and what their big boots are treading on.
Absolutely. Only Jansen-approved networks should be using Openreach ducts.
BT have more than enough of their own cowboys. A few months ago there was a cabinet where the doors were left open and one of their chamber covers was not put on correctly. Try getting hold of Openreach to get that sorted, No wonder I call them Out of reach.
I have heard about some of their contractors, not saying that all Alt nets are perfect, Zzoomm have had a few complaints over the couple of years they have been rolling out their network here.
But when they were doing the trench up where I live, I even had someone ask if I wanted a hand to get my bike over it. Electric bike, pretty heavy.
I think this story is just a way to make Alt nets look bad, Openreach worrying a bit, are they, now they have not got such a large monopoly?
I can assure you, if Altnets were damaging OR plant at any great scale like you say OR would be making a huge fuss. Openreach engineers and contractors on the other hand, there is documented stories of them cutting CP cables and using them as draw cords.
And OR linespeople accessing on-prem plant they’re not authorised to, stealing a pair to provide service in the building, and thereby breaking another building tenant’s ISDN30 service.
Fortunately it was 4-wire ISDN30 and on a short enough run to be migrated to 2-pair for comparatively rapid resolution.
And not forgetting a Kelly contractor to OR stealing the pair to my house somewhere on its 3.5Km run. On a Friday afternoon. Before a bank holiday weekend.
Really, the altnets and their contractors are in no way the only guilty parties here.
OR Contractors cut our properly documented PIA cable – no recompense. They then damaged the cable in another spot on the same run and were caught in the act. Their response was “it’s only FTTP”. In fact the cable connected a data centre to a carrier’s core network. No recompense from OR.
I’m sure Openreach would be the first to admit that there are examples of poor practice from all parties. Are you saying they shouldn’t be trying to improve matters?
I think I have lost service to a second home (not occupied at the time) via OR engineers not doing what they should when “improving” a neighbour’s line, and a fault call placed some weeks later also did not restore service.
Fortunately I can migrate to a wireless 5G home broadband service instead and can make do without an landline, so it is OR’s loss (and fortunately it happened out of contract with my current ISP, so could just cancel them)
Related question: Does anyone have experience in getting A&A to port a landline onto their SIP platform, to be accessed via a 5G home broadband provided by Three? Three says that don’t support 3rd party SIP on their 5G service.
@MikeT – pound to a penny there’s CGNAT on the Three connection, so A&A SIP would be, ahem, less than optimal. Your best bet is to invest £10 pcm in A&A L2TP service. It’s what I’ve done in the same position as you (except my connectivity was over EE 4G, now Starlink).
If CGNAT is OK for the rest of your traffic, the new £2 pm L2TP light service would suffice.
Having inside knowledge of Cityfibre this really doesn’t surprise me, it’s a company in complete chaos.
Cityfibre’s top executives are too busy stuffing as much money into their pockets, as quickly as possible to care about network security.
They’ve realised the wheels are falling off their gravy train and need to milk every last drop from their investors while they can, meanwhile discarding long term, loyal employees onto the redundancy pile.
Sad but true.
Yes we know you were made redundant from CF. Loose the hate. You need to move on now…
@Time…
Shout me down, but one day you’ll wake up and see the damage Cityfibre have done to this market.
Have to agree, this kind of headline shows a growing concern from genuine journalists to pump out content that gets engagement!
With the rise of ad-blockers, the accountants at the top (always a worrying trend when they start running a business as they don’t see profit) start leaning hard on the management to tell the poor people on the ground to publish stuff to “up the numbers” or hit a certain “indicator”
This site isn’t too guilty but gets an occasional humdinger, maybe January is a tight month for ISP Reviews owners!
This promotes sloppy journalism and some stories like this make it through the cracks unfortunately.
Typical of the Tory press. They are the first to complain about paperwork and regulation, but on a quiet news day they have a pop at something they dislike (the Internet). The “solution” to this problem is lots more paperwork and snooper cameras.
The press of course would be most upset if other industries started demanding more regulation and supervision of them.
This post looks like BT legal team reviewed beforehand which is worrying, with the new contract agreements and descriptions, BT will stand Alt Nets down if no whereabouts recorded and seen working which is insane to think one bit of missing paperwork or system error could lead to that, when their own records are pitfull.
This is literally about making sure their own records are accurate and visible to all though? And even if wasn’t, why would two wrongs (everyone having bad records) make a right?
From a contractual level BT won’t breach themselves so two wrongs don’t make a right because the first wrong is deemed as different
It’s different because BT can’t have a contract with itself yes. But that doesn’t mean there aren’t internal controls. Perhaps they need tightening too, that’s not in dispute. But you can’t seriously be arguing that other companies should be free to work on the network without logging it?
The Alts are logging it anything above 70% is good but the new contract change means 1 minor slip and they get kicked off the network which is absurd
You’d be fine with trades people coming to work on your home, drilling through walls, lifting the roof tiles, looking in the basement, installing pipes and wires as long as they told you 70% of the time?
Yes as long as the job was done to a good standard i’d leave them to it.
Absolute nonsense.
Common sense you mean
“as long as the job was done to a good standard”
Errrrr, that’s the whole point.
Not all jobs are done to a good standard. Which means in your “common sense” world you’d have a damaged home and you wouldn’t have a clue who’d done it. Well done though, great argument.
I’d know they have done the works because of other documentation, whereabouts isn’t the only piece of information available.
Openreach, don’t even know where their own stuff is! Let alone have rapid systems of accountability in their own infrastructure! Quinn installed in Summer of 2022 in my street, it didn’t go live for another year and my flats have only just gone live just before Christmas.
My fibre install is now stalled due to the installation engineer not having a precise location on my connection point! “Near my flats” Was the description, that was a choice of 4 pits!
Netomnia are trying to install and they are struggling with the Council as well as Openreach!
One of the original concerns about letting 3rd parties install kit in bt cabinets and exchanges was that “foreign actors” could surreptitiously intercept or purposefully damage communications.
At that time the pstn was certified at secret, meaning secret information could be transmitted across it unencrypted mainly due to the integrity and security of the pstn to form point to point connections without being eavesdropped or intercepted. Obviously that goes away once bt had to let its competitors access to its infrastructure.
If I remember correctly it was the government at the times insistence that overruled advise from mi5 & gchq.
Can’t find the relevant links and can’t remember what the process of them opening up was called but here is an example of the pressure they where under, note the lack of ssl on the article as it wasn’t really a thing back then.
http://news.bbc.co.uk/1/hi/business/4021585.stm
Looks like we are coming full circle.
sorry but what NCSC calls “pre positioning” is the real threat to networks, all networks, not just the good old PSTN. If hostile actors want to target UK networks then it would be a lot simpler to embed people in UK Telcos and target the networks from within than to embed them and then start to sabotage other newtworks via abuse of the cumbersome PIA processes. I don’t recall ever being authorised to transmit secret over the PSTN without encryption.
An article worthy of the Daily Mail. The Telegraph has really let itself go as a serious newspaper, hasn’t it?
Laughing at the comment from Cityfibre’s spokesperson, fudging the figures as always!
Come on, we’re not stupid, everyone can see through your waffle!
Setting the cyber attack argument to one side. the main reason for one CP cutting another’s subduct and fibre is because the duct is full and they can’t be bothered to initiate civils work or to use someone else’s subduct as a rope to pull their subduct through rather than roping the duct properly. Lazy and unprofessional. Of the last 25 whereabouts queries that I have raised only two have come back with any results. Both of those were BT. The standard of ‘whereabouts’ queries is dreadful across the board. If the standard of compliance is that bad, it inevitably leaves a vulnerability for real threat-actors. The process needs rigor, and consequences.