Outage Reporting in the US

Transcription

1 Outage Reporting in the US Richard Krock September, 2010

2 Outage Reporting in the US Formal Processes Other Processes Best Practices Proposed Requirements ARECI guidance on information sharing 2 R. Krock September 2010

3 FCC Outage Reporting Criteria Outages requiring reporting Reporting requirements Timeliness Follow-up information Outage Reporting tool NORS DIRS 3 R. Krock September 2010

4 Outages requiring reporting Outages of 30 minutes or more that affect: Wireline, Wireless, Cable telephony Wireless Mobile Switching Center (MSC) IEC 90,000 Real time or 30,000 Historical Blocked Calls Transport SS7 Airport E911 Other Special Facilities (Military, nuclear, etc.) Satellite 4 R. Krock September 2010

5 Impact Thresholds Previously, reporting was required when 30,000 users were out of service for 30 minutes or more Now the threshold is 900,000 User minutes = 30,000 users for 30 minutes = 15,000 users for 60 minutes = 1000 users for 900 minutes Etc. = 1 user for 625 days DS3 user minutes 1350 DS3s minutes (Outage duration) x # of DS3 circuits that were affected DS3-Simplex Greater than 5 Days 5 R. Krock September 2010

6 FCC Reporting Requirements Electronic notification is required within 120 minutes of discovery An Initial Report, containing all pertinent information available related to the outage, is required within 72 hours Notifications (and perhaps initial reports) may be withdrawn if it is determined that the outage did not meet the reporting criteria A Final Report, containing all pertinent information related to the outage, including anything new or changed since initial report reported, is required within 30 days Web based NORS (Network Outage Reporting System) is the mandated method of reporting. Fines can be levied for non-compliance DHS receives copies of all filed events 6 R. Krock September 2010

7 Final Report Information The Final Report must include (among other things): Root cause Contributing factors Steps taken to prevent reoccurrence Best Practices that might have prevented the outage or reduced its effect Best Practices used to diminish the effect of the Outage Analysis of Best Practices Outage information is not made publically available The Network Reliability Steering Committee (NRSC) provides companies with the opportunity to voluntarily share FCC reported outage data with a trusted 3 rd party for analysis to identify opportunities for reliability improvements. 7 R. Krock September 2010

8 Industry Led Outage Reporting Initiative (ILORI) Proposed by industry in 2004 Voluntary outage reporting Industry developed web site for outage reporting Report types: Initial Final Monthly positive reporting confirming all outages had been reported FCC official site appears to be modeled after ILORI 8 R. Krock September 2010

9 9 R. Krock September 2010 This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002

10 10 R. Krock September 2010 This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002

11 Disaster Reporting Disaster Information Reporting System (DIRS) Activated for specific areas Suspends need to comply with normal reporting in the affected area Provider required to submit new or updated DIRS reports at least every 24 hours for the affected area Measures progress of restoration efforts Voluntary industry/fcc process Template based online system DIRS-Lite is based less formal Data is shared with government agencies 11 R. Krock September 2010

12 Sharing outage information through the National Coordinating Center (NCC) Information sharing during times of crisis Not a legal requirement Sharing of outage information with NCC and other NCC members, which includes competitors Occurs in a trusted environment Facilitates Mutual Aid between operators Allows NCC to help providers navigate government agencies Που δεν ακούει τσου φίλους του, ευκαριστάει τσ' οχτρούς του." Μοναχός σου χόρευε, κι' όσο θέλεις πήδα. 12 R. Krock September 2010

13 Existing Best Practices US Network Operators and Service Providers should establish processes for NOC-to-NOC (Network Operations Center) peer communications for critical network activities (e.g., scheduled maintenance, upgrades and outages) Network Operators, Service Providers and Equipment Suppliers should adopt an industry uniform method of reporting and tracking significant service outages (e.g., TL-9000 standard outage template) Network Operators and Service Providers who are required by the government to file outage reports for major network outages should ensure that such reports do not unnecessarily contain information that discloses specific network vulnerabilities, in order to prevent such information from being unnecessarily available in public access R. Krock September 2010

14 Existing Best Practices Europe EU Network Operators and Service Providers should establish processes for NOC-to-NOC (Network Operations Centre) peer communications for critical network activities (e.g., scheduled maintenance, upgrades and outages) R. Krock September 2010

15 Best Practices Network Reliability Steering Committee (NRSC) Proposals Service providers and network operators should consider providing approved operations personnel with near real time visibility to all current service or network impacting events. [network, human, disaster recovery] Network operators, service providers and equipment suppliers should gather data as available during and following outage restoration to allow for robust post-mortem analysis in order to support effective corrective or preventative actions. [ disaster recovery, network operations] Network operators, service providers, and equipment suppliers should develop job aids and training on how to access systems required for outage reporting and how to use the appropriate systems to report outages. [network operations, training] Network operators and service providers should document the manual calculations required to meet regulatory outage reporting requirements and make them available to personnel responsible for outage reporting. [network operations, training] 15 R. Krock September 2010

16 Proposed new outage reporting requirements National Broadband Plan Recommendation 16.6: The FCC should expand its outage reporting requirements to broadband service providers. Recommendation 16.7: The FCC should create a voluntary cybersecurity certification program. Recommendation 16.8: The FCC and the Department of Homeland Security (DHS) should create a cybersecurity information reporting system (CIRS) 16 R. Krock September 2010

17 ARECI guidance on Information Sharing Recommendation 4 Member States and the Private Sector should establish formal means for sharing information that can improve the protection and rapid restoration of infrastructure critical to the reliability of communications within and throughout Europe. Required Commitments To sustain the viability of this Recommendation, Member States and the Private Sector must be committed to defined courses. Specifically, (a) Private Sector enterprises that own critical communications infrastructure must jointly establish a trusted environment for sharing information to improve the protection and rapid restoration of that infrastructure. (b) Private Sector service providers, network operators and equipment suppliers must be willing to share threat and outage information within a trusted environment within the industry for the common good. (c) Government authorities must be willing to share threat and other sensitive information with providers of critical communications infrastructure, and safeguard information related to critical infrastructure provided by industry. 17 R. Krock September 2010

18 R. Krock September 2010