A major UK newspaper has suggested that some alternative broadband operators, many of which are deploying new gigabit-capable full fibre ISP networks, are being “lazy” by failing to hand over information about “when and where they are working on BT’s network”, which allegedly risks “exposing hospitals and banks to cyber attacks”.
According to the Telegraph (paywall) and their “industry sources”, the lack of associated record keeping is leaving “companies blind to who has access to critical network infrastructure …. allowing saboteurs to take advantage.” One source added that the UK’s digital networks “could be targeted by criminals or hostile state actors, and we wouldn’t know … operators are effectively blind to who is working in their network, and where.”
NOTE: The article confuses matters somewhat by conflating BT with Openreach’s areas of responsibility.
Several incidents are highlighted, such as one in which a hospital and financial institution in central London “were taken offline after someone gained access to the network and cut through a cable”, as well as another where two people used a van to “tear broadband cables out of the ground” (sounds like copper cable theft). In addition to deliberate sabotage by criminals, engineers working in crowded ducts are said by the piece to “frequently damage cables belonging to rival companies”, which adds to the problem.
The article claims that compliance rates with the related requirements are already low and still falling. CityFibre is given as one example, where almost half of the jobs they had completed by the end of October 2023 had no whereabouts information. Compliance on ongoing jobs is allegedly, albeit tentatively, said to have dropped to just 23%. We have asked CityFibre about this, but have yet to receive a response.
NOTE: Openreach does not disclose compliance rates among its own engineers.
Tim Creswick, CEO of London Biz ISP Vorboss, said:
“This is exactly why, unlike most other operators, Vorboss doesn’t use third party contractors in our network. It is the only way you can guarantee that your teams comply with these requirements which are essential to controlling what is happening on these critical networks.”
Katie Milligan, Openreach CCO, said:
“The safety of our people, partners and anyone who comes into contact with the Openreach network is always our number one priority. We’re continuing to work closely with the industry and Ofcom to make sure that any work happening on our network is not only recorded properly, but completed safely and securely.”
However, while it may be fair to say that compliance with the relevant rules in this area is in need of improvement (network operators have already been discussing this), we do think it’s perhaps a bit of a stretch to sensationalise that with “exposing hospitals and banks to cyber attacks”. But let’s take a deeper dive here.
What are the Whereabouts Requirements?
Context is important for this, and the original Telegraph piece doesn’t provide much. But to simplify, Openreach’s regulated Physical Infrastructure Access (PIA) product, which enables rival network operators to run their own fibre optic cables over or through OR’s existing poles and cable ducts, includes a “mandatory requirement” for related contractors to record their “whereabouts” when working on or in their network.
Openreach does this out of a concern that a company which is surveying or installing new cables using their network could accidentally damage other cables (either Openreach’s or an altnet’s), thus they need information which helps them to resolve the knock-on issues from that damage quickly. Basically, who is working on their network and when they’re working is important from a service quality, safety and public liability perspective.
Openreach’s Whereabouts Description
The recording of your contractor whereabouts when working on or in our network is important and necessary to enable us to ensure the integrity of our network and quickly identify if unauthorised personnel are accessing it e.g. in the case of cable theft.
This will also enable audits to take place and it will provide an audit trail for both you and us should any damage or highway breach occur. The completion of Whereabouts also enables us to check and complete checks to confirm that the contractor’s operatives are accredited for the work they are undertaking and they must have their identification at all times.
It is a mandatory requirement that you must notify us prior to working on or in our network and advise us whether you are doing the work yourselves or you are using a third party and if you are using a third party, the name of that third party. You must do this using the Map Tool. Whereabouts can be submitted up to +/- 7 days in advance from the day of submission and for repair/damage up to 28 days retrospectively.
Such a record typically includes the name of the contractor on site, their contact number, details of the activity being undertaken (e.g. overhead survey), date and time attending site (this can be up to 7 days in advance from the day of submission), postcode, street name and, if available, the street works permit or notice number.
Clearly this is an important process, albeit one that seems to be much more about assigning responsibility and related record keeping than attack prevention. Put another way, we highly doubt that securing full compliance would magically prevent such problems / attacks from occurring. In addition, it’s not usually the engineers themselves that submit the whereabouts details (unless the AltNet has bespoke tooling for interfacing with OR’s map tool).
Most underground chambers, street cabinets and poles can only be secured up to a point and, as we’ve seen over the decades, preventing physical attacks by a concerted individual or criminal gang is incredibly difficult. Criminals aren’t going to fill in a form to make your life as an operator any easier, and it remains questionable to suggest that full compliance with the above could truly enable Openreach to “quickly identify if unauthorised personnel are accessing” their network (although it would help to eliminate disruption caused by legitimate works during a live fault investigation).
Not to mention that ripping cables out of the ground or cutting them is not strictly a “cyber attack” and typically relates more to vandalism or cable theft, which is a different kettle of fish – one that is perhaps more relevant to Openreach’s older copper cables than modern fibre builds (fibre has no value to cable thieves, but can be accidentally damaged by the same activity).
In any case, the hospital or bank concerned should also be using adequate redundancy, as well as good internal system security and encryption, to ensure that any tampering with external cables (either to disrupt or intercept their data traffic) does not prevent their ability to securely process data. But once again, this is not really relevant to PIA.
The whereabouts process itself also has its own set of issues, such as with the confusion that can sometimes be created when more than one operator is working on the same area of network infrastructure. Similarly, some alternative networks have previously alleged that Openreach may use the whereabouts records to influence their own FTTP builds (i.e. anti-competitively speaking), which is something they strongly deny.
In short, compliance with this requirement does seem to be in need of improvement, but as one operator told us, “that’s an entirely separate issue to both cyber-security risks and infrastructure theft.” Indeed, if we’re going to talk about cyber-security, then there are a lot of other areas for BT and Openreach to improve too (e.g. more/better CCTV coverage at exchanges, better locks / doors etc.). But everything has a cost.
NOTE: Openreach has already seen over 500,000 consumers and businesses connected by 169 altnets via their infrastructure, and collectively, they now use over 40% of their poles and 50% of their ducts.
UPDATE 3rd Jan 2024 @ 4:34pm
We’ve had a comment from INCA, which represents a lot of AltNets.
A Spokesperson for INCA told ISPreview:
“INCA encourages all members to adhere to compliance rules and also participate in INCA’s own working group supporting Altnets using PIA. INCA will continue to actively engage Openreach, Office of the Telecoms Adjudicator and Ofcom to improve the way that PIA operates.
Importantly, this news highlights the need for BT/Openreach’s PIA infrastructure to be separated into its own independent entity as proposed in the INCA Policy Report
https://www.inca.coop/sites/default/files/policy/INCA-Policy-Report-Sept2023.pdf
If physical infrastructure was operated by an independent organisation then BT/Openreach would run the same risk of non-compliance, on whereabouts and health & safety, as the rest of the sector and face the same risk of suspension from using the infrastructure. Accepting that this will not happen in the short term, INCA advocates for an independent body to be established to monitor health & safety and PIA compliance issues.”
UPDATE 4th Jan 2024 @ 9:50am
We’ve had a response from CityFibre, which also notes that the 23% compliance figure given in the original Telegraph piece is misleading because it reflects unfinished / in progress jobs. According to Openreach’s data, CF’s compliance against closed jobs (NOIs / Notice of Intent) is actually 54%, but this too has a caveat.
Altnets are typically only required to complete whereabouts information when accessing the network on a main (Primary) NOI. If that company is installing in more than one duct in the same area using PIA, further whereabouts information is not required because the equipment is all installed at the same time (i.e. it makes little sense to record four visits when only one has happened).
However, because a user of PIA records only one visit, the Openreach systems show one visit yet may show more than one piece of infrastructure installed – giving an incorrect impression that there is significant non-compliance. Openreach is said to have acknowledged this issue. Meanwhile, CityFibre suggests its own calculations are averaging over 71% compliance in 2023 (the OTA is said to have suggested that anything over 70% is good).
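An added illustration of the counting problem described above (not code from ISPreview, Openreach or CityFibre): the same job records score very differently depending on whether each NOI or each site visit is treated as the unit of compliance, and only the visit-based view isolates the real gaps in the audit trail. The record layout and the `visit` grouping key are assumptions, and the sample data is constructed rather than taken from any operator.

```python
from collections import defaultdict

# Constructed sample of closed PIA jobs (not real operator data). Field names
# are assumptions: "visit" groups NOIs installed during one site attendance.
JOBS = [
    {"noi": "NOI-001", "visit": "V1", "primary": True,  "whereabouts": True},
    {"noi": "NOI-002", "visit": "V1", "primary": False, "whereabouts": False},
    {"noi": "NOI-003", "visit": "V1", "primary": False, "whereabouts": False},
    {"noi": "NOI-004", "visit": "V1", "primary": False, "whereabouts": False},
    {"noi": "NOI-005", "visit": "V2", "primary": True,  "whereabouts": True},
    {"noi": "NOI-006", "visit": "V3", "primary": True,  "whereabouts": False},
    {"noi": "NOI-007", "visit": "V3", "primary": False, "whereabouts": False},
    {"noi": "NOI-008", "visit": "V4", "primary": True,  "whereabouts": True},
    {"noi": "NOI-009", "visit": "V4", "primary": False, "whereabouts": False},
]

def per_noi_rate(jobs):
    """Naive metric: every NOI is expected to carry its own record."""
    return sum(j["whereabouts"] for j in jobs) / len(jobs)

def per_visit_rate(jobs):
    """Visit-aware metric: a visit is covered if its primary NOI has a record."""
    visits = defaultdict(list)
    for j in jobs:
        visits[j["visit"]].append(j)
    covered, gaps = 0, []
    for visit_id, group in sorted(visits.items()):
        primaries = [j for j in group if j["primary"]]
        # A visit with no primary NOI, or an unrecorded one, is a real gap.
        if primaries and all(j["whereabouts"] for j in primaries):
            covered += 1
        else:
            gaps.append(visit_id)
    return covered / len(visits), gaps

if __name__ == "__main__":
    rate, gaps = per_visit_rate(JOBS)
    print(f"per-NOI: {per_noi_rate(JOBS):.0%}  per-visit: {rate:.0%}  gaps: {gaps}")
```

On this sample the per-NOI view reports a third of jobs as compliant, while the per-visit view shows three of four visits recorded and leaves one visit as the only attendance with no audit trail.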
A CityFibre spokesperson told ISPreview:
“BT Openreach’s whereabouts report, from which this data is sourced, is fundamentally flawed as it significantly under-reports compliance. We have shared this concern with Openreach as we believe our compliance to be over 70%, a level the OTA have suggested should be considered ‘good’.
CityFibre is by far the biggest user of PIA and works extremely closely with BT Openreach on its development of the product and compliance metrics. We continue to be one of the leading advocates pushing for all builders to improve their recording of whereabouts information.”