Orange has just been sharply reprimanded by Anssi (National Information Systems Security Agency) over the tragic breakdown of emergency numbers that occurred at the beginning of June. On the night of June 2 to 3, many emergency call centers of the SAMU, the fire brigade and the police encountered technical difficulties that prevented them from being reached and from fulfilling their missions, resulting in the death of at least five people, including a 28-month-old child in Vendée. At the end of an internal investigation, Orange, which like the other operators is responsible for routing emergency calls, pointed to a software malfunction.
For Anssi, which submitted its eagerly awaited report to the government this Thursday, the fault nevertheless lies with the Orange teams. Unusually enough to be worth underlining, the cybersecurity watchdog did not pull its punches in pointing out internal failures at the incumbent, while ruling out from the outset the possibility that the failure resulted from a cyberattack.
The ANSSI report, produced with the assistance of IGAS (General Inspectorate of Social Affairs), IGA (General Inspectorate of Administration), CCED (Commissariat aux communications électroniques de défense) and the CGE (General Council of the Economy), states it straight away: "the combination of the sequence of actions carried out by Orange and the equipment manufacturer's software bug is sufficient to explain this failure". For the Authority, the failure originated in a maintenance operation on VoIP equipment, carried out from Lille on June 2 at 4 p.m. by the incumbent operator, to allow an increase in call capacity in call processing centers, which are mainly connected to the Orange copper network.
A poorly executed maintenance operation
Although the operation had been planned for a long time, it was its poor execution by the Orange teams that caused the disaster, Anssi explains. At the end of the maintenance operation, the Authority notes, a new configuration change was made to the call servers so that they could again communicate with the VoIP equipment. It was following these configuration changes, carried out simultaneously on all call servers by Orange, that the servers experienced "a major malfunction", the French cybersecurity watchdog explains.
It notes that the first operation carried out by Orange at the end of the maintenance operation "put all the call servers in a state which triggered a software bug". Specifically, this opened a route "for which there was no possible exit for calls." The calls then accumulated in the memory of each call server until it was overloaded, causing the servers to enter a loop of regular restarts during which they could not be administered.
To summarize: the interconnection between IP calls and the incumbent's copper network suffered major gaps, leaving part of the calls made unable to go through. Within an hour, Orange management was alerted that the operation was causing malfunctions in the routing of calls to emergency call processing centers.
After a period of hesitation, Orange set up a crisis unit from 6:45 p.m. From 10 p.m., the operator launched an emergency restart procedure, "which will allow a rollback of the changes made to the call servers", notes the ANSSI. This ended on June 3, at 2 a.m., while an improvement was already visible on the network the day before, from 11 p.m. It was only in the early morning that the situation returned to normal, as noted by Orange and the emergency services. However, the situation was not fully restored until June 4, after some "residual disturbances".
Insufficient internal arrangements
For Anssi, one thing is certain: Orange bears full responsibility for this crisis. "Although we can expect that Orange will have internal monitoring mechanisms, allowing it to have a more precise and reactive vision of its network, the implementation of a crisis management system adapted to the scale of this crisis has been slower than that of the State", the Authority says bluntly in its conclusions. It recalls that the incumbent "took nearly an hour to realize that the failure affected in particular the emergency services, two hours to inform the authorities and nearly three hours to set up an adapted system".
For their part, "the emergency services reacted quickly to a crisis for which they were not prepared, by quickly operating the escalation system", the French cybersecurity watchdog noted approvingly, while observing that these same services "have implemented many workarounds, despite the absence of advice from the operator side". These initiatives, according to the Authority, have "made it possible to considerably limit the consequences of this crisis, in terms of loss of opportunity or failure to intervene".
Orange is therefore taken severely to task, especially since, as Anssi points out, "even in the absence of a software bug, the execution of the command to open a route without opening an exit would have led to unsuccessful calls". The Italian manufacturer Italtel, supplier of the call servers, is for its part relatively spared by the cybersecurity watchdog, which nevertheless recalls that certain modules of this "aging" equipment should have received a hardware update, which was carried out only a few days after the incident.
An action plan expected in September
The only mitigating circumstance for Orange: in the absence of a software bug on the call servers, the failure "would only have lasted for a relatively short time, until the output is defined by the second command", notes the Authority. The fact remains that the incumbent is primarily responsible for the incident, especially as Anssi recalls that a similar failure, which occurred in May 2018, "did not benefit operators or the call server project management team (MOE), even though a software bug was also at the origin of the incident".
"The chronology of events (...) highlights a problem of reactivity, with a late consideration of the problem of emergency numbers", notes the Authority, which calls on Orange, and all competing operators, to learn the necessary lessons by reinforcing their crisis management structures, in particular by setting up alert escalation systems specific to emergency calls.
The government said on Thursday that it had taken note of Anssi's recommendations. The executive also specifies that an action plan will be communicated to operators by the end of next September. Matignon should also refer the matter to Arcep (Regulatory Authority for Electronic Communications and Posts) by the end of July, so that the telecoms watchdog can ensure that Orange has taken the necessary steps in response to this failure. Finally, the regulatory framework should be adapted before the end of the year to strengthen the obligations weighing on operators.