U.S. Department of Energy, Office of the Chief Information Officer: Computer Incident Advisory Capability (CIAC)
CIAC Incident Reporting Procedures for U.S. Department of Energy Facilities/Contractors Only
Last updated: 10/26/07

Scope

DOE CIO Policies

DOE CIO Guidance

DOE CIO Guidance Incident Management TMR-9 requires that all Department of Energy elements, the National Nuclear Security Administration (NNSA), Program Secretarial Offices, and other DOE organizations which have access to DOE cyber systems report cyber security incidents to the Computer Incident Advisory Capability (CIAC). This document outlines reporting procedures to facilitate your reporting and CIAC's response activity.

CIAC should be informed of all reportable cyber security incidents specified in DOE TMR-9. CIAC will work with your site management to determine the severity or significance of any cyber security incident.


Reportable Cyber Security Incidents

All DOE organizations will develop and document procedures for reporting cyber security incidents in their Cyber Security Program Plans (CSPPs) or similar documents for classified systems. DOE organizations will report cyber security related incidents that are significant or unusually persistent and meet one or more of the following criteria:

  1. Characterize and categorize cyber security incidents according to their potential to cause damage to information and information systems based on two criteria: Incident Type and Security Category. These criteria are used to determine the time frame for reporting incidents to the CIAC.
    1. Incident Types
       
      1. Type 1 incidents are successful incidents that potentially create serious breaches of DOE cyber security or have the potential to generate negative media interest. The following are defined as Type 1 incidents.
        1. System Compromise/Intrusion. All unintentional or intentional instances of system compromise or intrusion by unauthorized persons must be reported, including user-level compromises, root (administrator) compromises, and instances in which users exceed privilege levels.
        2. Loss, Theft, or Missing. All instances of the loss of, theft of, or missing laptop computers; and all instances of the loss of, theft of, or missing IT resources, including media, that contained Sensitive Unclassified Information (SUI) or national security information.
        3. Web Site Defacement. All instances of a defaced Web site must be reported.
        4. Malicious Code. All instances of successful infection or persistent attempts at infection by malicious code, such as viruses, Trojan horses, or worms, must be reported.
        5. Denial of Service. Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of a network must be reported. Critical services are determined through Business Impact Analyses in the Contingency Planning process.
        6. Critical Infrastructure Protection (CIP). Any activity that adversely affects an asset identified as critical infrastructure must be reported. CIP assets are identified through the Contingency Planning process.
        7. Unauthorized Use. Any activity that adversely affects an information system’s normal, baseline performance and/or is not recognized as being related to Senior DOE Management mission is to be reported. Unauthorized use includes, but is not limited to, port scanning that excessively degrades performance; IP (Internet protocol) spoofing; network reconnaissance; monitoring; hacking into DOE servers and other non-DOE servers; running traffic-generating applications that generate unnecessary network broadcast storms or drive large amounts of traffic to DOE computers; or using illegal (or misusing copyrighted) software images, applications, data, and music. Unauthorized use can involve using DOE systems to break the law.
        8. Information Compromise. Any unauthorized disclosure of information that is released from control to entities that do not require the information to accomplish an official Government function such as may occur due to inadequate clearing, purging, or destruction of media and related equipment or transmitting information to an unauthorized entity.
           
      2. Type 2 incidents are attempted incidents that pose potential long-term threats to DOE cyber security interests or that may degrade the overall effectiveness of the Department’s cyber security posture. The following are the currently defined Type 2 incidents.
        1. Attempted Intrusion. A significant and/or persistent attempted intrusion is an exploit that stands out above the daily activity or noise level, as determined by the system owner, and would result in unauthorized access (compromise) if the system were not protected.
        2. Reconnaissance Activity. Persistent surveillance and resource mapping probes and scans are those that stand out above the daily activity or noise level and represent activity that is designed to collect information about vulnerabilities in a network and to map network resources and available services. The Senior DOE Management PCSP must document the parameters for collecting and reporting data on surveillance probes and scans.
           
    2. Security Categories characterize the potential impact of incidents that compromise DOE information and information systems. Such incidents may impact DOE operations, assets, individuals, mission, or reputation. Security categories identify the level of sensitivity and criticality of information and information systems by assessing the impact of the loss of confidentiality, integrity, and availability. Each of the security objectives—confidentiality, integrity, and availability—is assessed in the following manner.
      1. Low Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a limited adverse effect on DOE operations, assets, or individuals, including loss of secondary mission capability, requiring minor corrective actions or repairs.
      2. Moderate Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a serious adverse effect on DOE operations, assets, or individuals, including significant degradation, non-life threatening bodily harm, loss of privacy, or major damage, requiring extensive corrective actions or repairs.
      3. High Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on DOE operations, assets, or individuals. The incident could pose a threat to human life, cause the loss of mission capability, or result in the loss of major assets.
         
  2. Complete incident reports in a timely manner, and maintain all records. Incident management processes and procedures are included in Contingency Plan testing and integrated with Personally Identifiable Information incident reporting, Information Condition (INFOCON) processes and procedures, and each information system Contingency Plan.
    1. When a cyber security incident has occurred or is suspected to have occurred (potential incident), the affected site will immediately examine and document the pertinent facts and circumstances surrounding the event.
    2. The initial investigation of an event is completed within 24 hours. If the initial investigation of a potential incident cannot be completed within 24 hours, an initial report must be made within 26 hours. Once it is determined that an incident has occurred, the incident must be categorized according to Incident Type and Security Category, analyzed for impact to Senior DOE Management operations, and reported to CIAC within the time frames indicated in Table 1, in accordance with the process established in the applicable PCSP.
    3. All potential incident evaluations and incidents must be documented and local files retained.
    4. Required Time Frame for Reporting Cyber Security Incidents to the Computer Incident Advisory Capability (Table 1)

       Incident Type    Security Category
                        Low              Moderate          High
       Type 1           Within 4 hours   Within 2 hours    Within 1 hour
       Type 2           Within 1 week    Within 48 hours   Within 24 hours
    5. A monthly report on the status of incident resolution is to be required from all operating units whether or not any reportable successful or attempted cyber security incidents have occurred during the previous month.
       
  3. PII. Requirements for Reporting of Cyber Security Incidents Involving Personally Identifiable Information (PII). Senior DOE Management PCSPs are to direct operating units to develop, document, and implement policies and procedures for reporting incidents involving PII, in accordance with the following criteria.
    1. Establish, document, and implement procedures for reporting cyber security incidents related to PII in accordance with the processes and time frames outlined in this Guidance.
    2. Develop processes to notify the Information Owner once it has been determined that confidentiality of PII has been compromised.
    3. Ensure that all suspected or confirmed cyber security incidents involving media containing PII (including the physical loss/theft of computing devices) are reported to the DOE Cyber Incident Advisory Capability (CIAC) within 45 minutes of discovery. CIAC will report to the US-Computer Emergency Readiness Team (US-CERT) in accordance with its procedures.
    4. When reporting possible cyber security incidents involving PII, there should be sufficient reason to believe that a security breach has occurred and that PII is likely to have been involved. Otherwise, the incident should be reported following documented procedures for reporting all cyber security incidents.
    5. Reports to CIAC should be made via the CIAC AWARE portal, or alternatively by email to ciac@ciac.org, phone to 925-422-8193, or fax to 925-423-8002.


    Reporting Procedures

    Incidents involving unclassified computer systems

    Report cyber security incidents involving unclassified systems as listed below. CIAC encourages sites to utilize the flexibility offered by e-mail whenever possible.

    • Non-urgent incidents. Send e-mail describing the cyber security incident to ciac@ciac.org. Alternatively, call the CIAC hotline at 925-422-8193, or fax information to 925-423-8002.
    • Incidents requiring immediate attention. If the cyber security incident requires priority handling, use the phrase "CIAC URGENT" in the e-mail subject line and a CIAC analyst will automatically be paged. You can also call the CIAC hotline at 925-422-8193, where an analyst will man the phone during the hours of M-F 0800-1700 EST. During off-hours, leave a voice mail with a return phone number, and a CIAC analyst will be automatically paged and contact you immediately. Please restrict the off-hours use of the incident hotline to only emergency situations.
    • Sensitive Information. Information about unclassified cyber security incidents of a sensitive nature should be sent protected with encrypted e-mail. To facilitate this process, supply CIAC with your public encryption key, either Entrust or PGP. Contact CIAC for guidance on how to transmit information securely if encrypted means are not available.
    • Automated scan detection and reporting. Some sites are utilizing automated methods for both detecting and reporting scans and probes. This provides CIAC with valuable data without undue burden on the site. If you are interested in using an automated tool, send e-mail to ciac@ciac.org.
    • Incidents involving classified computer systems. If the cyber security incident involves a classified system, call the CIAC STU number at 925-423-2604, or the CIAC Manager's STU at 925-422-0012. If you are not near a STU, call the CIAC hotline with a STU number and a time to return your call. Please note these are not incidents that involve the "leaking" of classified material onto an unclassified system.


    Cyber Security Incident Report Content

    CIAC is available to all sites that need assistance in cyber security incident handling and gathering of incident information. In reporting cyber-related incidents to CIAC, provide as much detailed information as possible about how the incident occurred, what occurred, its impact, and what preventive measures have been implemented. Supply any log file information from the compromised system(s), routers, and/or firewalls in the communication path. CIAC will analyze this information and provide you with a detailed report regarding each unauthorized compromise.

    CIAC understands that this information is not always readily available; however, any details you can provide will help with our analysis. Even if you have resolved the incident yourself, your report and analysis is valuable to CIAC in comparing this incident with those reported by other sites. It further assists CIAC in analyzing the DOE corporate threat and providing DOE and the NNSA with guidance. In assessing the significance and reporting of such cyber security incidents, the reporting organization must consider the following questions:

    How?

    • How was access gained?
    • What vulnerability was exploited?
    • How was the incident detected?

    What?

    • What type of information was the compromised system processing (classified or unclassified -- OUO, UCNI, NNPI, Export Controlled)?
    • What service did the system provide (DNS, key asset servers, firewall, VPN gateways, IDS)?
    • What level of access did the intruder gain?
    • What hacking tools and/or techniques were used?
    • What did the intruder delete, modify, or steal?
    • What unauthorized data collection programs, such as sniffers, were installed?
    • What was the impact of the attack?
    • What preventative measures have been (are being) implemented?

    Who?

    • Determine responsible party's identification, usually IP address(es) or host name(s).
    • Does the compromise involve a country on the DOE Sensitive Country List?

    When?

    • When was the cyber security incident detected?
    • When did the cyber security incident actually occur?


    Incident Reporting Form:

    For your convenience, the Word documents listed below can be used to send CIAC the information described above.

    • DOE CIAC Cyber Security Incident Report - for compromised systems

      Negative Reporting - 2/27/04

      Negative Reporting is a new requirement for all DOE/NNSA sites and is effective immediately per the Department of Energy memorandum concerning Cyber Security Incident Reporting. To address this, CIAC prefers to receive sites' negative reporting through e-mail. Please contact CIAC at ciac@ciac.org to work out any issues with this.

      These instructions apply if your site has no incidents to report for the month.

      To indicate there have been no incidents for a given month at your site, please send an e-mail to ciac@ciac.org. The e-mail should contain the following:

      In the Subject line, please type: CIAC NEGATIVE REPORT

      In the body of the message, please type the following (including the sentence "No incidents to report"):

      • Your Name  =  your name (Example: John Doe)
      • Job Title(s) - Optional  =  your title(s) (Example: ISSM, Network Security Lead)
      • Site  =  your site's acronym (Example: DOE-HQ)
      • Reporting Month  =  the 3-letter abbreviation for the month you are reporting (Example: MAR)

      "No incidents to report"

      Description of the Fields Above:

      Your name: This information is necessary for CIAC to verify or track multiple reports from sites. Your name should include First name and Last name in that order.

      Job Title(s) - Optional: Your job title describes your responsibilities, especially with regard to incident reporting. Give a security-specific title such as ISSM or CPPM for a site if you have one; otherwise, give any computer-related title, such as Network Manager or Systems Administrator.

      Site: CIAC prefers the acronyms for sites, such as BNL or LANL, but if you are unsure of an acronym, please provide the whole name.

      Reporting Month: This is the month for which you are providing a negative report. A month runs from the 1st day through the last day of that month. Three-letter abbreviations are preferred (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec).

      No incidents to report: This phrase should show up in the body exactly as shown.
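An added example, not part of the CIAC page: a small validator for the negative-report e-mail format described above, useful for a site that wants to check its own outgoing reports before sending. The sample message and the field-parsing regex are my own constructions; the subject line, field names, month abbreviations and required phrase are the ones the page specifies.

```python
import re

# Constructed sample of a negative report in the format described above.
SAMPLE_SUBJECT = "CIAC NEGATIVE REPORT"
SAMPLE_BODY = """\
Your Name = Jane Doe
Job Title(s) - Optional = ISSM, Network Security Lead
Site = DOE-HQ
Reporting Month = MAR

"No incidents to report"
"""

REQUIRED_SUBJECT = "CIAC NEGATIVE REPORT"
REQUIRED_PHRASE = "No incidents to report"
MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")
# A field line is "<label> = <value>", optionally preceded by a bullet (assumed layout).
FIELD_RE = re.compile(r"^\s*(?:[•*-]\s*)?(?P<label>[^=]+?)\s*=\s*(?P<value>.+?)\s*$")


def parse_negative_report(subject, body):
    """Parse one negative-report e-mail and return (fields, problems).
    An empty problems list means the message meets every requirement listed above."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("label").strip().lower()] = m.group("value")

    problems = []
    if subject.strip().upper() != REQUIRED_SUBJECT:
        problems.append(f'subject must be exactly "{REQUIRED_SUBJECT}"')
    name = fields.get("your name", "")
    if len(name.split()) < 2:
        problems.append("Your Name must give first and last name")
    if not fields.get("site"):
        problems.append("Site is required (acronym or full name)")
    month = fields.get("reporting month", "")
    if month.upper() not in MONTHS:
        problems.append("Reporting Month must be a 3-letter abbreviation (Jan..Dec)")
    if REQUIRED_PHRASE not in body:
        problems.append(f'body must contain the phrase "{REQUIRED_PHRASE}" exactly')
    return fields, problems


if __name__ == "__main__":
    fields, problems = parse_negative_report(SAMPLE_SUBJECT, SAMPLE_BODY)
    print("accepted" if not problems else "rejected: " + "; ".join(problems))
```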


      Disclaimer
      This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
U.S. Department of Energy | 1000 Independence Ave., SW | Washington, DC 20585
1-800-dial-DOE | f/202-586-4403