Telecom Malware

As we import telecom equipment, it must be ensured that it does not pose a threat to the country’s security. Malware such as viruses, worms and Trojan horses spreads through the public Internet, i.e. cyberspace, and tries to attack network elements that have an IP address. Telecom systems are generally not affected as they are largely isolated from the public Internet. However, there is always the possibility of malware being embedded in systems imported from hostile states.

Cyber experts believe that ‘Stuxnet’ was used to sabotage the uranium enrichment facility in Natanz, Iran, where a SCADA (Supervisory Control and Data Acquisition) system obtained from Siemens was deployed. The Stuxnet attack disrupted the functioning of the PLCs (programmable logic controllers). The speeds of thousands of centrifuges were dramatically changed, thus damaging them. Their operational capacity dropped by 30 per cent. It was officially admitted. It is speculated that the supplier of the SCADA system and outside agencies must have collaborated in this attack.

There are instances of sabotaged industrial plants and other high-value infrastructure: power plants, nuclear installations, defence equipment.

It is easier to detect a computer worm affecting the Windows operating system. It is difficult to do so for malware hidden in a large volume of software/firmware designed for industrial control systems such as telecom, which do not employ well-known operating systems or programming languages.

The Home Ministry banned the import of Chinese telecom equipment in 2010. To ensure the equipment is free from hidden malware, it was proposed that the source code (running into millions of lines) be deposited in an escrow account. The Chinese MNCs Huawei/ZTE agreed to meet this requirement. The European and the US MNCs refused to comply. Their plea was that it is proprietary software. The Chinese companies felt that it is next to impossible to detect a few lines of malicious source code, malware written in a low-level programming language. Besides, just like the ‘Star Wars’ programme, telecom software is real-time software. Even if we have the initial version in the escrow account, it does not solve the problem. Software is never frozen. It keeps on evolving. Patches for upgrades are usually received by the telecom operators. Even these can carry malware. Due to protests, this stringent requirement has now been removed.

Chinese equipment has been supplied to telecoms even in the public sector (BSNL/MTNL).

DOT is finalizing a telecom security policy. It is proposed to set up a Certification Centre to test imported equipment. It is proposed that a centre can be set up at IISc, Bangalore in collaboration with an MNC.

It is a matter of concern that many private licensed operators have outsourced the functions of operations and maintenance to MNCs.

Telecom systems are operated through hundreds of man-machine commands. Some of these commands are also given by foreign engineers from remote terminals. Hidden malware can be activated by these commands. Alternatively, it can be activated by an internal process triggered by a time stamp. A patch could be used as input to transfer the malware. 2G-3G operators treat telecom systems as ‘black boxes’ and depend totally on equipment vendors for technical problem solving.
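The activation paths described above (remote man-machine commands and patch loads) are visible in command logs, so one monitoring check is to audit those logs. The sketch below is an added example, not code from the original article or any vendor; the log layout, terminal names, command names and change window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample log. The "time|terminal|operator|command" layout and all
# command names are hypothetical, not any vendor's real man-machine syntax.
SAMPLE_LOG = """\
2024-03-02T10:15:00|LOCAL-OMC-1|op_a|DISPLAY-ALARMS
2024-03-02T10:20:00|LOCAL-OMC-1|op_a|MODIFY-ROUTE:ID=12
2024-03-02T23:40:00|REMOTE-7|vendor_eng|DISPLAY-ALARMS
2024-03-03T02:05:00|REMOTE-7|vendor_eng|LOAD-PATCH:FILE=p117.bin
2024-03-03T02:06:00|REMOTE-7|vendor_eng|SET-DEBUG-MODE:X=7F
2024-03-05T01:30:00|LOCAL-OMC-2|op_b|LOAD-PATCH:FILE=p118.bin
"""

LOCAL_TERMINALS = {"LOCAL-OMC-1", "LOCAL-OMC-2"}  # operator's own consoles
BASELINE_VERBS = {"DISPLAY-ALARMS", "MODIFY-ROUTE", "LOAD-PATCH"}  # documented set
READ_ONLY_VERBS = {"DISPLAY-ALARMS"}
PATCH_VERBS = {"LOAD-PATCH"}
# Approved change windows (start, end), agreed in advance by the operator.
CHANGE_WINDOWS = [(datetime(2024, 3, 5, 0, 0), datetime(2024, 3, 5, 4, 0))]


def audit(log_text):
    """Return (line_number, finding) pairs for commands that need review."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 4:
            findings.append((lineno, "malformed-record"))
            continue
        ts_raw, terminal, _operator, command = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            findings.append((lineno, "bad-timestamp"))
            continue
        verb = command.split(":", 1)[0]
        if verb not in BASELINE_VERBS:  # undocumented command: possible trigger
            findings.append((lineno, "unknown-command"))
        if verb in PATCH_VERBS and not any(a <= ts <= b for a, b in CHANGE_WINDOWS):
            findings.append((lineno, "patch-outside-window"))
        if terminal not in LOCAL_TERMINALS and verb not in READ_ONLY_VERBS:
            findings.append((lineno, "remote-change"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_LOG):
        print(lineno, finding)
```

A log audit of this kind does not catch activation by an internal time-stamp trigger, which leaves no command record.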

A multi-layered approach called ‘defence-in-depth’ is proposed. The layers include:

*  policies and procedures

*  awareness and training

*  network segmentation

*  access control measures

*  physical security measures

*  system hardening e.g. patch management and system monitoring.

Pinning Images : Pinterest

It is the third most popular social media platform after Twitter and Facebook. It has a message for the media: a picture is worth a thousand words. It shows the rise of the visual web. It allows its users to share images by ‘pinning’ them. Instagram, acquired by Facebook, is another example. Facebook’s timeline feature is heavily driven by images instead of text. Pinterest does not have ads on the site but publishers and brands can use the images to link to their own websites. It encourages companies to pin from various sources and to create pin boards for different types of material,