NIS2 and Communications: Asset Management for Telecom Operators
In November 2016, an attack on Deutsche Telekom left 900,000 customer routers without service in Germany. Mirai malware attempted to recruit routers into a botnet, but a code bug caused devices to reboot in a loop. Customers lost internet, telephony, and television for days. The attack exploited a vulnerability in the TR-069 protocol of routers — devices the operator had deployed but whose firmware was not updated.
Telecommunications are the digital backbone of society. A failure at one operator affects millions of people and businesses.
Why NIS2 applies to communications
NIS2 classifies electronic communications network providers as essential entities (Annex I). This includes telecom operators, ISPs, communications service providers, and network infrastructure managers.
- Complete network inventory: every node, antenna, router, and switch must be documented
- Incident management: 24/72-hour notification identifying affected assets and user impact
- Service continuity: redundancy plans requiring exact network topology knowledge
- Supply chain security: control over manufacturer equipment (Huawei, Ericsson, Nokia) and firmware
- Fines up to 10 million euros or 2% of turnover
Real incidents in telecommunications
- Vodafone Portugal, 2022: A devastating cyberattack left millions of customers without service for days. Voice, data, SMS, and television services were affected. The 4G network was partially inoperable. The attack compromised internal network management systems.
- Kyivstar (Ukraine), 2023: Ukraine’s largest mobile operator suffered an attack that destroyed much of its IT infrastructure. 24 million customers lost service. The attackers (linked to Sandworm/GRU) had accessed the network for months, mapping assets before the destructive attack.
- SolarWinds and telecoms, 2020: The SolarWinds supply chain attack compromised multiple telecom operators globally. Attackers had access to network management systems for months undetected.
Why exhaustive asset control is essential
- Telecom networks are enormous. Thousands of base stations, millions of meters of fiber, hundreds of exchanges, dozens of datacenters. Without an automated, up-to-date inventory, visibility is impossible.
- Every network device is an attack point. A compromised access network router can redirect traffic, intercept communications, or serve as an entry point to the backbone. You need to know every device’s firmware version.
- Customer premises equipment (CPE) is your responsibility. The routers and ONTs you deploy in homes and businesses are part of your attack surface. The Deutsche Telekom case showed that 900,000 unpatched devices can destroy your reputation.
- Telecom regulation adds to NIS2. Beyond NIS2, the European Electronic Communications Code imposes additional security obligations. A complete asset inventory is a prerequisite for complying with both.
What you need to control
- Base stations: Antennas, radio equipment, cell controllers, with location and configuration
- Backbone network: Core routers, aggregation switches, firewalls, DWDM, with topology and capacity
- Fiber infrastructure: Nodes, splice boxes, splitters, ONTs, with routes and connections
- Customer premises equipment (CPE): Routers, ONTs, set-top boxes, with firmware version and model
- Own datacenters: Servers, storage, network equipment, UPS, cooling
- Management systems: OSS/BSS, monitoring systems, provisioning platforms
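As an added illustration (not code from Metrica or from any operator), the sketch below shows how an inventory that records model and firmware per asset answers the incident-notification question of which assets are affected and how many users they serve. The record fields, model names, and minimum firmware baselines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not real data):
# (asset id, category, model, firmware, location, subscribers served)
INVENTORY = [
    ("cpe-0001", "CPE", "RouterA", "1.4.2", "Berlin", 1),
    ("cpe-0002", "CPE", "RouterA", "1.10.0", "Bonn", 1),
    ("cpe-0003", "CPE", "RouterA", "", "Bonn", 1),        # firmware never recorded
    ("ont-0001", "CPE", "OntB", "2.0.1", "Cologne", 1),   # model has no baseline
    ("agg-0001", "Backbone", "AggSwitchC", "7.3", "Frankfurt", 42000),
]

# Hypothetical baseline: minimum patched firmware per model.
MIN_FIRMWARE = {"RouterA": "1.5.0", "AggSwitchC": "7.3.1"}

def parse_version(text):
    """Dotted version -> tuple of ints; None when missing or not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        return None

def is_below(version, minimum):
    """Numeric comparison, so 1.10.0 > 1.5.0 and 7.3 == 7.3.0."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(minimum)

def affected_assets(inventory, baseline):
    """Per model: outdated asset ids, assets with unknown firmware, user impact."""
    report = defaultdict(lambda: {"outdated": [], "unknown": [], "subscribers": 0})
    for asset_id, _category, model, firmware, _location, subscribers in inventory:
        minimum = baseline.get(model)
        if minimum is None:
            continue  # no baseline defined for this model; out of scope here
        current = parse_version(firmware)
        if current is None:
            bucket = "unknown"  # an unrecorded version cannot be shown to be patched
        elif is_below(current, parse_version(minimum)):
            bucket = "outdated"
        else:
            continue
        report[model][bucket].append(asset_id)
        report[model]["subscribers"] += subscribers
    return dict(report)

if __name__ == "__main__":
    for model, entry in affected_assets(INVENTORY, MIN_FIRMWARE).items():
        print(model, entry)
```

Assets whose firmware field is empty are reported separately rather than treated as patched, because a gap in the inventory is itself a finding.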
Metrica Control scales to manage telecom operator inventories, from the rooftop antenna to the customer router, with full traceability by location, model, firmware, and incident history, ready for NIS2.
Written by
Metrica.uno Team