‘Critical’ Telstra glitch could be targeted by bad actors

Cybersecurity experts warn that the ripple effect of this week’s massive Telstra outage has exposed just how vulnerable Australia is to potential future attacks on critical infrastructure.
The outage not only left millions of customers without mobile phone coverage, but also shut down large parts of regional passenger rail networks and crippled business operators relying on digital payments.
Cybersecurity expert Dennis Desmond has warned that adversaries may now be more likely to attack our supply chains, knowing that untested software could potentially be the culprit.
“This clearly shows that various systems are interconnected, providing additional targeting data to the adversary,” the University of the Sunshine Coast cybersecurity expert said of Wednesday’s outage.
“For example, if I know that the transport system is connected to a particular telecommunications provider, that gives me a much better idea of how to target various systems to take down critical infrastructure in Australia,” Dr Desmond told NewsWire.
Any bad actor looking to target Australia now has more “critical intelligence” about our critical infrastructure, including how long it will take for systems to recover.
“This also shows that there is a long recovery period for multiple interconnected systems and that these systems are not as resilient as they should be at a time when such a large percentage of the population relies on the services and products they provide,” Dr Desmond said.
“Whenever there is an outage, such as the previous outages we saw with Optus and Vodafone, it often gives a nation-state-backed adversary better information on how to disrupt systems in the event of a cyber war or conventional war.”
Dr Desmond recommends people keep a spare phone on a different network, carry cash and create communication plans with their families, such as Wi-Fi-based communication devices, walkie-talkies and a physical meeting point.
As of late Friday, Telstra was still unable to publicly disclose the root cause of the outage in the early hours of Wednesday morning.
Responding to questions about the root cause and vulnerability to attack, a Telstra spokesperson said the telco’s investigation was ongoing.
“Precise timing is fundamental to the operation of any modern mobile network. The telecommunications industry globally, as well as cyber and infrastructure experts, recognize the importance of maintaining flexible and diverse timing resources to support network reliability,” the spokesperson said.
“We have launched a full investigation into this incident. This will include assessing what further steps we can take to ensure the reliability and durability of the options we use for precision timing.”

In a statement on Wednesday, Telstra chief financial officer Michael Ackland attributed the outage to a “time synchronization issue” caused by “a glitch in the software that resets the GPS timer.”
The issue was first detected at 4.30am affecting “a number of nodes that help keep time on our mobile network”.
However, it took the telco several hours for the network to be restored to service.
Flinders University computer science expert Paul Gardner-Stephen told NewsWire that the Telstra outage showed how deeply Australian systems are tied to systems such as GPS, commonly known as location, navigation and timing systems, and in this case network time protocol.
“In this case, the GPS hasn’t lost its usability, but the difference between what the GPS tells the time and (as I understand the problem) what Telstra’s systems are telling them is the cause of the problem,” Associate Professor Gardner-Stephen said.
“So it becomes clear that interference in any of these legs can cause widespread problems, such as the closure of rail logistics in a measurable part of the country due to the lack of adequate fallback provisions when forced to operate offline or fully analogue,” he said.
Prof Gardner-Stephen said the outage did not reveal over-reliance on Telstra, but rather “our over-reliance on the proper functioning of critical cyber services and facilities which are actually quite fragile”.


A response to protection against disruption was evident at South Australia’s traffic lights, which switched from the optimum method of operation to a simpler model system.
“It broke down beautifully,” Prof Gardner-Stephen said.
“Compare this to a complete shutdown of the rail system, where a contingency plan with manual signal operations would likely allow for at least some of the normal rail traffic to operate safely,” he said.
While experts and the telecommunications industry await an explanation from Telstra as to the root cause, Dr Desmond said the cause could be protected against repeat error if a software glitch or coding error was to blame.
If the time synchronization issue was caused by a patch or upgrade, this may also be fixed in the future.
If untested software is to blame, Dr Desmond sees major problems.
“Before any software can be implemented into an operational system, it must first be run in a virtual simulation or through a closed system sandboxed within the laboratory to determine potential negative consequences,” he said.
“Untested software should never be deployed into an operational system, especially critical infrastructure, without testing and evaluation. Secondly, this was a bad decision.”


