Orange says software bug to blame for outage

It hasn't been a very comfortable couple of weeks for France's Orange. Since experiencing a major network outage that prevented nearly 12,000 calls to emergency services over a seven-hour period, the group has been engaged in a major internal inquiry to find out what went so catastrophically wrong on the night of June 2.

The culprit has now been named and shamed. Apparently, it was all down to a software bug and not caused by a cyberattack – although Orange said the latter scenario was ruled out from the beginning.

Cybersecurity agency ANSSI is nevertheless running a separate two-month audit of the breakdown at the request of the government.

Figure 1: Busy signal: The network outage prevented nearly 12,000 calls to emergency services over a seven-hour period.
(Source: Mathias P.R. Reding on Unsplash)

In France, Orange is the sole operator responsible for centralizing and dispatching all emergency calls. Without naming names, the operator said the software failure has now been identified by its partner and supplier of the equipment concerned, and a fix has been issued.

Heart of the problem

It seems the problem lay with the interconnection between mobile voice and voice-over-IP (VoIP) services on the one hand and the PSTN switched network on the other, which relies on a "call server" platform. The PSTN network is of course where most emergency numbers are hosted.

A bug in the call server software was activated "following the application of standard reconnection commands," said Orange, in a statement. Even though redundancy had been created over six different sites, the service still failed.

The operator also had to admit that the incident occurred following a network modernization operation that was initiated in early May to increase capacity in response to growing traffic.

Could do better

The investigation recognized the quick response of Orange's technical teams but said that the company could have done better in alerting the public authorities, the emergency services and the media to the problem.

Want to know more about security? Check out our dedicated security channel here on Light Reading.

In a number of recommendations, Orange's audit department said that the maximum time for triggering a crisis committee when such a problem occurs should be reduced from two hours to 30 minutes.

Furthermore, support will be given toward accelerating the migration of public service call centers and businesses from PSTN to IP technology "in order to strengthen the resilience of this equipment."

Related posts:

— Anne Morris, contributing editor, special to Light Reading