The cross-Canada internet and wireless outages caused by last week’s incident at Rogers Communications should make corporate telecom and IT decision-makers think carefully about telecom resiliency in the services they buy.
There is help: In 2006 the U.K.’s National Infrastructure Security Co-ordination Centre issued a good practice guide to help organizations there make those decisions. The advice is still good and applies to organizations in any country.
Here are some of the highlights:
–know your communications system requirements. Identify communications systems that are deemed mission-critical, and which carry a high risk to the organization if they are disrupted;
–analyze the threats and vulnerabilities to the mission-critical high-risk services (for example, natural disaster, malicious attack, single point of failure, commercial dependency, lack of transparency);
–challenge the service provider to explain the marketing statements made on its resilience and availability. In some cases, you might need to ensure that you are talking to the right provider representative;
–focus on the services you require, not the technology;
–apply rigorous due diligence in selecting the service provider, including assurance that they have visibility and control over the services they deploy, so that separacy (which ensures that specified circuits are physically separated throughout the network, with no common exchanges, interconnection points, or cable routes) and diversity (which ensures that the specified circuits are not routed over the same cables or transmission systems) are provided and maintained. Also ensure they have adequate contingency plans in place to recover from a disaster;
–recognize that high availability and high resilience services will cost more than standard services, but don’t use cost as the main criterion when procuring these services.
The report differentiates between best practices (measures that can be taken to guarantee resilience, irrespective of cost) and good practices (measures that provide a degree of resilience relating to corporate risk strategy).
One option for organizations is paying for internet failover, where the provider switches to a different network if the main network goes down. Many ISPs — including Bell, Rogers and Telus — provide this service. For example, a wired service may switch to a wireless service. However, the report makes clear that telecom and IT buyers have to clarify if the failover is to an alternate network from the same provider. That may not provide the needed resiliency.
The U.K. report suggests organizations ask themselves questions like:
–do you have a full and complete list of your business-critical telecommunications services and the critical systems that support them, and have you ranked those services by criticality?
–can you identify the telecommunications services that support your critical systems and name them in a way that you and the provider know you’re talking about the same thing?
–are you aware of where in the provider’s core network your network services connect, how they are connected, and the physical routings they take once they leave your premises?
–if you are using dual providers, are you confident that there are no physical routings or points of failure common to both providers?
–within your own premises do you have visibility of your telecommunications services all the way into the provider’s duct? Are any parts of the cabling, for example, exposed to external contractors or others beyond your control? Are there any third-party components, such as ADSL routers, which may fall between areas of responsibility?
–do all of your services leave your premises in the same cable? Are they all in the same duct?
–do you know if critical services are routed via different network components so that a failure of one component will not affect all critical services?
–when you order new services, do you discuss your existing services to ensure there are no dangerous assumptions made about separacy or diversity?
–do you regularly review your specific resilience requirements with your provider?
–do you have primary and alternate methods for contacting your provider (e.g. telephone, e-mail)? Have you provided your provider with alternative contact details for your own response teams? Have you discussed your respective emergency plans with your provider?
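The separacy and diversity definitions above, the caution about failover that stays inside one provider’s network, and the checklist questions about shared ducts, common physical routings and single network components all reduce to the same exercise: record what the provider has disclosed about each circuit’s physical path and look for anything two supposedly independent circuits have in common. The following is an added example of that exercise, not code from the article or the NISCC guide; the circuit names, provider names, exchange and cable labels are all constructed, and a clean result only means no common dependency appears in the data the provider disclosed.

```python
"""Constructed inventory and checks for circuit separacy and diversity.

Added example; every provider, site, exchange and cable identifier below is
made up for illustration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Circuit:
    name: str
    provider: str
    # Physical routing as disclosed by the provider: exchanges, interconnection
    # points and cable routes, in order from the premises outward.
    route: tuple
    # Cables / transmission systems the circuit actually rides on.
    transmission: frozenset
    # Duct or entry cable the service uses to leave the premises.
    premises_exit: str


def separacy_issues(a: Circuit, b: Circuit) -> set:
    """Common exchanges, interconnection points or cable routes (separacy)."""
    return set(a.route) & set(b.route)


def diversity_issues(a: Circuit, b: Circuit) -> set:
    """Shared cables or transmission systems (diversity)."""
    return set(a.transmission & b.transmission)


def assess_pair(a: Circuit, b: Circuit) -> list:
    """Findings for two circuits that are supposed to back each other up.

    An empty list means no common dependency was found in the disclosed
    data; it says nothing about routings the provider has not disclosed.
    """
    findings = []
    common_route = separacy_issues(a, b)
    if common_route:
        findings.append(f"separacy: common route elements {sorted(common_route)}")
    common_tx = diversity_issues(a, b)
    if common_tx:
        findings.append(f"diversity: shared transmission systems {sorted(common_tx)}")
    if a.premises_exit == b.premises_exit:
        findings.append(f"premises: both leave the site via {a.premises_exit}")
    if a.provider == b.provider:
        findings.append(f"provider: failover stays inside {a.provider}'s network")
    return findings


def common_to_all(circuits) -> set:
    """Elements whose failure would disrupt every circuit in the list, i.e.
    single network components shared by all critical services."""
    if not circuits:
        return set()
    footprints = [set(c.route) | set(c.transmission) | {c.premises_exit}
                  for c in circuits]
    return set.intersection(*footprints)


def assess_inventory(circuits) -> dict:
    """Run the pairwise checks over a whole inventory."""
    pairs = {(a.name, b.name): assess_pair(a, b)
             for a, b in combinations(circuits, 2)}
    return {"pairs": pairs, "common_to_all": common_to_all(circuits)}


# Constructed sample inventory: a wired primary, a wireless failover from the
# same provider, and a second-provider circuit that happens to share a cable
# bundle and the building's duct with the primary.
PRIMARY = Circuit("primary-fibre", "ProviderA",
                  ("exch-A1", "pop-A2", "core-A"),
                  frozenset({"fibre-bundle-7"}), "duct-north")
WIRELESS_FAILOVER = Circuit("wireless-failover", "ProviderA",
                            ("tower-A9", "core-A"),
                            frozenset({"microwave-3"}), "rooftop-mast")
SECOND_PROVIDER = Circuit("second-provider-fibre", "ProviderB",
                          ("exch-B1", "pop-B4"),
                          frozenset({"fibre-bundle-7"}), "duct-north")

INVENTORY = [PRIMARY, WIRELESS_FAILOVER, SECOND_PROVIDER]

if __name__ == "__main__":
    report = assess_inventory(INVENTORY)
    for pair, findings in report["pairs"].items():
        print(pair, findings or ["no common dependency in disclosed data"])
    print("common to every circuit:", sorted(report["common_to_all"]))
```

Run against the constructed inventory, the wireless failover is flagged for sharing a core node with the primary and for staying inside the same provider, while the second-provider circuit is flagged for riding the same cable bundle and leaving the building through the same duct; only the wireless and second-provider pair shows no shared dependency. The value of the exercise is less in the code than in forcing the provider to disclose the route, transmission and duct data needed to fill in each circuit.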
The U.K. report also suggests questions to ask the provider. One of the most important is:
–can we work together on business continuity planning and disaster recovery, including testing to provide network assurance?
In 2019, Todd Rychecky, vice president of Americas for Opengear, wrote a column with similar advice, including this: “By continually reminding those outside of the IT department how much money network resilience can save the organization, IT teams within telecom organizations will have greater luck implementing resilience into their networks.”