1. Introduction

A 1:99 optical splitter costs less than a patch cord, fits inside a handhole, and removes 0.044 dB from the line. That figure is not a vendor claim or a laboratory curiosity — it is arithmetic. Diverting 1% of the optical field leaves 99% in the fibre, and 10·log10(0.99) is −0.044 dB. Typical field OTDR splice-loss measurement uncertainty is a few hundredths of a decibel at best, and normal seasonal loss drift on a buried span exceeds 0.044 dB. The tap is not hidden by cleverness. It is hidden by measurement noise.

That single number frames the whole problem. Optical transport was engineered for availability and reach, and its instrumentation was designed to find faults — breaks, degradations, drifting amplifiers — not adversaries. An adversary who understands the instrumentation can operate inside its blind spots. Meanwhile the same transport layer now carries traffic whose confidentiality assumptions were formed when fibre was believed to be physically inaccessible. That assumption is obsolete. Cable landing station interception has been publicly documented, and the last four years have produced a steady record of deliberate physical interference with terrestrial and subsea fibre plant.

This article builds a threat model for the photonic layer and the management plane that drives it. A threat model is not a list of scary things. It is a structured mapping from adversary capability to attack class to observable to control. Each attack class is characterised by four properties: what physical or logical access it requires, what it costs the adversary in equipment and time, what it produces at the victim (loss of confidentiality, integrity, or availability), and — the property most often skipped — what measurable quantity changes when it happens. An attack with no observable is not undetectable in principle; it means no one has instrumented the right quantity.

1.1 Scope and Layer Boundaries

The scope here is the optical transport layer as defined by ITU-T G.872: the optical transmission section (OTS), the optical multiplex section (OMS), and the optical channel (OCh), plus the digital OTU and ODU layers that ride on them, plus the supervisory and management infrastructure that configures and monitors all of it. Client-layer security — Media Access Control Security (MACsec) per IEEE 802.1AE, IP Security (IPsec), Transport Layer Security (TLS) at the application — appears only where it interacts with optical-layer decisions. Passive optical network (PON) access threats are referenced for contrast but are not the focus; the point-to-point and meshed dense wavelength division multiplexing (DWDM) core is.

The layer boundary matters because it determines what an attack can and cannot reach. A transparent lightpath crossing five reconfigurable optical add-drop multiplexer (ROADM) nodes undergoes no electronic regeneration between its endpoints. Nothing in the middle inspects it, sanitises it, or re-frames it. Any perturbation of the optical field applied at hop three arrives at the far-end coherent receiver. That transparency is the reason optical bypass is economically attractive, and it is simultaneously the reason a local physical compromise has non-local consequences. The mechanism and the exposure are the same mechanism.

1.2 Why the Threat Model Is Different from an IT Threat Model

Three properties separate optical-layer threat modelling from conventional network security work.

The medium carries analogue state, not just bits. An IP packet either arrives or does not. An optical channel arrives with a power, an optical signal-to-noise ratio (OSNR), a polarisation state, a chromatic dispersion accumulation, and a nonlinear phase history. An adversary can change any of these without touching a single bit of framing, and the effect is graded rather than binary. Degradation attacks that sit 1 dB below the forward error correction (FEC) threshold produce no alarm and no traffic loss, but they consume the margin that protects the service against the next real fault.

The control plane and the transport plane share the fibre. The optical supervisory channel (OSC) rides the same cable as the traffic it supervises, typically as an out-of-band wavelength around 1510 nm or, in OpenROADM implementations, as a 1000BASE-LX wayside channel carrying management traffic, Link Layer Discovery Protocol (LLDP) topology information, and laser safety control signalling. Anything that reaches the fibre reaches the supervision. This is the structural difference from an enterprise network where the management plane can be physically separated from the data plane.

Safety systems are automation with a physical actuator. Automatic laser shutdown (ALS) and automatic power reduction (APR), specified in ITU-T G.664, exist to keep human eyes safe near a broken fibre. They are also a remotely triggerable mechanism for turning off a transmitter. Any input path into the ALS decision — a loss-of-signal indication, an OSC message, a management command — is an availability attack surface, because the correct behaviour of the safety system is to shut the laser down.

1.3 What the Model Ranks and Why

The ranking axis used throughout is feasibility × blast radius, not novelty. A published attack that requires a coherent receiver, a phase-locked local oscillator, and eight hours of undisturbed access to a manhole ranks below an authenticated Network Configuration Protocol (NETCONF) session with a stale credential, because the second one is reachable from a laptop and reconfigures the whole line system. Engineering attention follows the ranking, not the research literature's sense of what is interesting.

The output is a posture, not a product list. For each attack class the article names the physical mechanism, the boundary where the mechanism stops working, the observable that changes, the detection method that reads that observable, the realistic detection latency, and the hardening control that removes or shrinks the exposure. Where a control does not exist — and there are several — the article says so rather than substituting an aspiration.

Takeaway: The photonic layer's security properties follow from its engineering properties. Transparency gives optical bypass its economics and gives a local tap non-local reach. Analogue state gives coherent modulation its capacity and gives a degradation attack a place to hide below alarm thresholds. Shared-fibre supervision gives amplifier control its simplicity and puts the control plane inside the adversary's physical reach. Every exposure in this article is the shadow of a design decision that was correct on its own terms.

2. Documented Incidents and Prior Work

Threat models built on speculation age badly. This section anchors the model in what has actually been observed, separating documented incidents from experimental results and from theoretical analysis, because those three evidence classes carry different weight in a design decision.

2.1 Physical Interference with Fibre Plant

The record of deliberate physical interference with fibre infrastructure is now long enough to be treated as a design input rather than an outlier. In October 2022, coordinated cuts to fibre cables paralysed rail traffic across northern Germany. France experienced precise cuts to backbone cables linking Paris to Lyon, Strasbourg and Lille, disrupting internet service across several regions. Both events shared a characteristic that matters for defence: the attacker did not need to understand optics. They needed to know where the cable was and to cut more than one of them.

The subsea record is denser. Documented Baltic Sea incidents include damage to the Nord Stream pipelines in September 2022, the EE-S1 data cable in October 2023, the BCS East-West Interlink and C-Lion1 cables in November 2024, the Estlink 2 power cable in December 2024, and a Latvian State Radio and Television Centre fibre cable in January 2025. On 31 December 2025, the Finnish operator Elisa observed a significant data disruption on a fibre route between Helsinki and Tallinn; Finnish authorities took control of the vessel Fitburg and escorted it to port. Outside the Baltic, the PEACE submarine cable in the Red Sea suffered critical damage in October 2025, and the West Africa Cable System experienced disruptions affecting Cameroon and the Central African Republic in the same period.

Attribution remains genuinely contested, and the article does not resolve it. The Finnish Security and Intelligence Service publicly reassessed Baltic Sea cable investigations and found no evidence of deliberate Russian state activity, while U.S. legislative activity — the Undersea Cable Control Act passed by the House in September 2025 and the Strategic Subsea Cables Act of 2026 (S.3249, 119th Congress), which would require sanctions on foreign persons responsible for sabotage of critical undersea infrastructure — proceeds on a sabotage premise. What is not contested is the base rate. The International Cable Protection Committee reports that 150 to 200 subsea cable faults occur globally every year, the large majority from fishing gear, anchors and natural abrasion. As of April 2025, 597 subsea cables were in operation or under construction, carrying an estimated 99% of international data traffic.

Base rate discipline

Anchor drag and fishing gear cause most cable faults, and they produce the same OTDR signature as sabotage. A detection system that flags "cable damage" has not distinguished a threat from a trawler. Useful discrimination comes from correlation — vessel automatic identification system tracks, timing across multiple cables, whether the fault sits at a known survey point — not from the optical measurement alone. Designing the optical monitoring system as if it were an attribution system is the most common way to build an unusable alarm stream.

2.2 Interception at Scale

Passive interception of fibre traffic at cable landing stations has been publicly disclosed. The GCHQ Tempora programme, revealed in 2013, involved tapping fibre-optic cables and inspecting large volumes of transit traffic. The technical significance for a threat model is not the political question. It is the demonstration that interception at a landing station is an engineering problem that has been solved at scale by a well-resourced actor. Any confidentiality argument that rests on "nobody would go to the trouble" has a counterexample.

2.3 Experimental and Analytical Results

The research literature supplies the parameters the incident record does not. A 2026 survey of optical network security published in Electronics consolidates the current position and supplies several figures worth carrying forward.

For macro-bend tapping of standard single-mode fibre conforming to ITU-T G.652.D, the survey reports a critical bend radius of approximately 14 mm as the threshold at which usable light escapes the core, and recommends that operational monitoring flag any unexpected attenuation exceeding 3 dB as a possible tampering event. The 3 dB figure is a coarse threshold — it is an upper bound on how clumsy a tap has to be before conventional power monitoring notices, not a detection capability. A competent tap operates two orders of magnitude below it.

The same survey reports measured feasibility of passive attacks using 1:99 splitter insertion with negligible insertion loss and crosstalk, and confirms that such attacks leak usable signal from all channels on a WDM link with minimal disturbance. For active attacks, controlled experiments have verified that localised, near-receiver interference substantially deteriorates throughput and stability in realistic setups — establishing jamming as an operational technique rather than a theoretical model. The survey identifies ROADM and wavelength selective switch (WSS) nodes, and spans traversing erbium-doped fibre amplifiers (EDFAs), as the points of highest sensitivity, because filter isolation, gain equalisation and channel loading all have to be balanced against resilience to hostile power excursions.

Earlier foundational work established the tap mechanism taxonomy that the field still uses — fibre bending, optical splitting, evanescent coupling, scattering, and V-groove coupling — and noted that most of these require altering the physical characteristics of the fibre. That constraint is the root of every detection method discussed in remote fibre test systems used in managed optical fibre networks: if the adversary must change the fibre, the fibre can be interrogated for the change.

2.4 Standards Coverage and Its Gaps

Optical transport standards address security unevenly, and knowing where the coverage stops is more useful than knowing where it exists.

Table 1: Standards Coverage of Optical Layer Security Functions
StandardWhat it specifiesSecurity relevanceGap it leaves
ITU-T G.872Optical transport network architecture: OTS, OMS, OCh, ODU and OTU layeringDefines the layer boundaries a threat model needsArchitecture only; no adversary model
ITU-T G.709OTN interfaces, frame structure, general communication channels (GCC0/1/2), trail trace identifierGCC provides an in-band management path; TTI provides path identificationTTI is an identifier, not an authenticator — it is plaintext and forgeable
ITU-T G.874OTN element management: fault, configuration, performance and security managementNames security management as a management functionSpecifies the management model, not cryptographic mechanisms
ITU-T G.664Optical safety procedures: ALS and APR, restart pulse timingThe safety automation that an availability attack can driveWritten against accidental fibre breaks, not adversarial LOS injection
ITU-T G.873.1Linear OTN protection; APS channel in ODUk overheadProtection switching restores availability after a cutAPS bytes are unauthenticated overhead
ITU-T G.7712Data communication network architecture for transport managementDefines the DCN that carries control trafficDCN isolation is an operator design choice, not a mandate
IEC 60825-1 / 60825-2Laser product safety classification and hazard levelsBounds the optical power an attacker can legitimately encounterSafety framing; power injection by an attacker is out of scope
IEEE 802.1AE (MACsec)Hop-by-hop Ethernet frame confidentiality and integrityThe most widely deployed real countermeasure to tappingClient layer; leaves optical overhead and OSC in the clear
IETF RFC 6241 (NETCONF)Configuration protocol over SSH, TCP port 830The transport for most optical management todayMandates a secure transport; does not mandate how credentials are managed
NIST FIPS 203 / 204 / 205ML-KEM, ML-DSA and SLH-DSA post-quantum algorithmsThe replacement set for key establishment and signaturesStandards exist; optical vendor implementation status varies widely

The gap column is the interesting one. There is no ITU-T Recommendation that specifies an authenticated optical supervisory channel. The trail trace identifier in G.709 was designed to catch misconnection, not impersonation, and it does exactly what it was designed to do. The security work that exists — MACsec, NETCONF over Secure Shell (SSH), TLS — was imported from the packet and IT worlds and stops at the boundaries those worlds cared about. The optical overhead itself, the OSC, and the amplifier control loops sit outside all of it.

Practical Example — reading the standards gap on a real link

Consider a 400G coherent wavelength crossing four ROADM nodes between two data centres, carrying MACsec-encrypted client Ethernet. The payload is confidential: a tap yields ciphertext. But the OTN overhead is not encrypted, so a tap still yields the trail trace identifier, which typically encodes source and destination node names configured by the operator — a topology map, handed over in plaintext. The OSC is not authenticated, so an adversary with span access can inject supervision messages. And the OTU-layer FEC statistics are readable from the tapped signal, which tells the adversary the link's margin — that is, how much degradation the link will absorb before anyone notices. MACsec solved the payload problem completely and left three others untouched. That is not a criticism of MACsec; it is the definition of its scope.

Takeaway: The incident record establishes that physical interference is routine and interception is proven; the research record supplies the parameters (14 mm critical bend radius, 1:99 splitters with negligible insertion loss, near-receiver jamming verified experimentally); and the standards record establishes that no specification authenticates optical supervision. Design against the intersection: an adversary with span access, cheap passive components, and an unauthenticated control channel to talk to.

3. Threat Model Framework for the Photonic Layer

A threat model needs three components before it produces anything useful: an adversary taxonomy that says who is in scope, an asset and objective taxonomy that says what they are trying to achieve, and a mapping between them that produces the attack classes. This section builds all three, then applies them to the transport architecture.

3.1 Adversary Capability Tiers

Capability tiers are defined by access and equipment, because those are the two constraints that actually bind. Motivation is not a design input — it changes weekly and cannot be measured.

Table 2: Adversary Capability Tiers for the Optical Layer
TierAccess availableEquipmentAttack classes unlockedTime on target
T1 — OpportunistOutside plant: handholes, roadside cabinets, aerial spansHand tools, cable cutterFibre cut, connector contamination< 10 min
T2 — Equipped intruderOutside plant plus a splice enclosure or patch panelClip-on coupler, 1:99 splitter, fusion splicer, power meterPassive tap, splitter insertion, crude in-band injection1–4 h
T3 — Insider at the nodeColocation rack, monitor ports, craft interfaceTunable source, optical spectrum analyser, laptopAlien wavelength injection, monitor-port tap, ALS triggering, craft-port configuration changeRecurring
T4 — Management plane adversaryDCN, controller northbound or southbound interface, credential storeLaptop, valid or stolen credentialsPath manipulation, spectrum reassignment, amplifier retargeting, telemetry falsification, mass ALSPersistent
T5 — Supply chain and state-levelLanding station, vendor build chain, firmwareCoherent receiver, phase-locked LO, implant capabilityBulk interception, persistent implant, correlated multi-cable disruptionUnbounded

The tier structure carries one non-obvious result. Tiers T1 through T3 are bounded by physical access, which is bounded by geography and time. Tier T4 is bounded by neither. A management-plane adversary reaches every node the controller reaches, simultaneously, from anywhere, and their actions are executed by the network's own trusted automation. That is why the ranking in Section 9 places control-plane compromise above every purely optical technique despite the optical techniques being more interesting physics.

3.2 Assets and Adversary Objectives

Four assets are exposed at the optical layer, and each maps to a distinct objective.

  • Payload confidentiality. The bits inside the OCh. Objective: recover them. Requires a tap plus a coherent receiver plus, if the client is encrypted, a cryptographic break or a harvest-now-decrypt-later strategy.
  • Service availability. The lightpath's existence. Objective: remove it. Achievable by cutting fibre, by driving OSNR below the FEC threshold, or by making the network's own protection and safety automation remove the service on the adversary's behalf.
  • Margin. The dB of OSNR the design holds in reserve above the FEC threshold. Objective: consume it without triggering an alarm. This asset is invisible to most operators as an asset at all, which is exactly what makes it attractive.
  • Topology and configuration knowledge. Trail trace identifiers, LLDP adjacency, controller topology databases, spectrum occupancy. Objective: map the network to target the other three assets efficiently. Frequently the first objective in a real campaign and the one with the fewest controls.

The margin asset deserves elaboration because it is the one the model treats differently from prior work. A well-designed 400G link across a regional route might hold 3 to 4 dB of OSNR margin above its FEC threshold at end of life. An adversary who consumes 2 dB of that margin causes no service impact, no alarm, and no ticket. What they have done is convert a link that survives its next amplifier degradation into a link that does not. The attack's payload is delivered later, by an unrelated fault, and the forensic trail points at the fault. For the OSNR arithmetic that sets those margins, the OSNR fundamentals reference gives the 58-form planning equation and the cascaded-amplifier accumulation that this attack exploits.

3.3 The Attack Surface Map

Figure 1 places the attack classes on the architecture rather than listing them abstractly. The four numbered injection points correspond to the four structural exposures the rest of the article works through: the span, the ROADM degree, the supervisory channel, and the data communication network.

Attack surface map of a transparent DWDM chain and its supervision Three stacked planes. The top plane holds the SDN controller, element manager, craft jump host and time and authentication services, all connected to a data communication network bus. The middle plane holds the photonic chain: terminal A, ROADM A, two in-line amplifiers, ROADM B and terminal B, linked by fibre spans, with an optical supervisory channel running beneath them. Four numbered injection points mark the passive tap on a span, the alien wavelength or jamming injection at a ROADM degree, supervision spoofing on the optical supervisory channel, and control plane compromise on the data communication network. The bottom band describes each injection point with its adversary tier and quantified signature. Optical Layer Attack Surface: Transport Plane, Supervision and Control Transparent chain — no electronic regeneration between Terminal A and Terminal B MANAGEMENT AND CONTROL PLANE PHOTONIC TRANSPORT PLANE SDN Controller / PCE path computation, spectrum assignment Element Manager config, alarms, performance bins Craft / Jump Host local console, vendor toolchain Time and Auth Services NTP, RADIUS/TACACS+, certificate authority DCN bus — NETCONF/SSH 830, gNMI/TLS Terminal A coherent Tx/Rx −10 dBm add ROADM A WSS degree 6–9 dB add loss ILA 1 EDFA NF 4–6 dB ILA 2 EDFA NF 4–6 dB ROADM B WSS degree OCM per port Terminal B coherent Tx/Rx FEC counters Optical supervisory channel — wayside 1000BASE-LX: management, LLDP adjacency, laser safety signalling — unauthenticated 1 2 3 4 1 Passive tap on span Tier T2 · handhole access, 1–4 h 1:99 splitter → 0.044 dB insertion loss Signature: OTDR step only, no reflection 2 Injection at ROADM degree Tier T3 · monitor port or degree fibre In-band jam or alien carrier past the WSS Signature: OSNR falls, channel power flat 3 Supervision spoofing Tier T2–T3 · OSC has no authentication Forged LLDP or forced LOS drives ALS Signature: adjacency change, no cut on OTDR 4 Control plane compromise Tier T4 · credential, not a fibre Reaches every element the controller reaches Signature: config drift vs declared state
Figure 1: Attack surface of a transparent DWDM chain and its supervision. The photonic plane carries traffic between transponders through ROADM degrees and in-line amplifiers with no electronic regeneration in between. The supervisory channel rides the same cable. The data communication network reaches every element from a central controller. Injection points 1 and 2 require physical access and are geographically bounded; points 3 and 4 are reachable logically and are not.

3.4 The Detection Observable Principle

The organising principle of the whole model: every attack class is defined by the quantity it changes, and that quantity is the only thing a defender can act on. An attack with no observable has not been made undetectable — it has been made unmeasured. The distinction is operationally decisive because it converts "we cannot detect taps" into "we do not currently measure return loss with enough resolution or often enough," which is a budget question rather than a physics question.

Table 3: Attack Class to Detection Observable Mapping
Attack classPhysical or logical mechanismObservable that changesWhere it is measured
Macro-bend tapBend below ~14 mm radius couples core light into cladding and outLocalised insertion loss; OTDR trace step; no reflectionRemote fibre test system, dark fibre or in-band OTDR
Splitter insertionFusion-spliced 1:99 coupler diverts a fixed power fractionTwo splice events and a fixed loss step; possible reflectance changeOTDR trace differential against baseline
Clip-on / evanescent couplerIndex-matched coupling through stripped claddingVery small loss step; polarisation-dependent loss changeHigh-resolution OTDR; polarisation monitoring
In-band jammingCarrier or noise injected on the victim's frequency slotOSNR fall with signal power constant; pre-FEC BER riseOptical channel monitor; transponder FEC counters
Out-of-band jammingHigh power in adjacent slot; EDFA gain competitionPer-channel power tilt; total OMS power rise; gain excursionAmplifier input/output power telemetry; OCM spectrum
Alien wavelength injectionUnauthorised carrier passing ROADM filteringSpectral line at an unprovisioned frequencyOptical channel monitor spectral sweep
ALS / APR triggeringForced loss-of-signal or forged safety signalling shuts transmittersCorrelated LOS and shutdown across elements with no cut signatureAlarm correlation against OTDR fault localisation
OSC spoofingInjected supervision frames on the wayside channelLLDP adjacency change; unexpected topology updateController topology database; OSC frame audit
Control plane compromiseAuthenticated configuration change via a compromised pathConfiguration drift against intended stateContinuous reconciliation against a declared source of truth
Telemetry falsificationReported performance decoupled from physical realityDisagreement between independent measurement sourcesCross-check of OCM, transponder and amplifier readings
Premium Article — Free 20% Preview

Read the Full Analysis with Premium

The remaining 80% of this article — the design numbers, trade-offs and field guidance — is part of MapYourTech Premium, along with the full premium library, courses and professional tools.

Instant access · Cancel anytime · 48-hour trial available
Sanjay Yadav

Optical Communications & Network Automation Expert | Author of 3 Books for Optical Engineers | Founder, MapYourTech

Optical networking engineer with nearly two decades of experience across DWDM, OTN, coherent optics, submarine systems, and cloud infrastructure. Founder of MapYourTech.

Follow on LinkedIn