CIAC Incident Reporting Procedures
for U.S. Department of Energy Facilities/Contractors Only
Last updated: 10/26/07
Scope
DOE CIO Policies
DOE CIO Guidance
DOE CIO Guidance Incident Management TMR-9 requires that all Department of Energy elements, the National Nuclear Security Administration (NNSA), Program Secretarial Offices, and other DOE organizations which have access to DOE cyber systems report cyber security incidents to the Computer Incident Advisory Capability (CIAC). This document outlines reporting procedures to facilitate your reporting and CIAC's response activity.
CIAC should be informed of all reportable cyber security incidents specified in DOE TMR-9. CIAC will work with your site management to determine the severity or significance of any cyber security incident.
Reportable Cyber Security Incidents
All DOE organizations will develop and document procedures for reporting cyber security
incidents in their Cyber Security Program Plans (CSPPs) or similar documents for
classified systems. DOE organizations will report cyber security related incidents that
are significant or unusually persistent and meet one or more of the following criteria:
- Characterize and categorize cyber security incidents according to their potential to cause damage to information and information systems based on two criteria: Incident Type and Security Category. These criteria are used to determine the time frame for reporting incidents to the CIAC.
- Incident Types
  - Type 1 incidents are successful incidents that potentially create serious breaches of DOE cyber security or have the potential to generate negative media interest. The following are defined as Type 1 incidents.
    - System Compromise/Intrusion. All unintentional or intentional instances of system compromise or intrusion by unauthorized persons must be reported, including user-level compromises, root (administrator) compromises, and instances in which users exceed privilege levels.
    - Loss, Theft, or Missing. All instances of the loss of, theft of, or missing laptop computers; and all instances of the loss of, theft of, or missing IT resources, including media, that contained Sensitive Unclassified Information (SUI) or national security information.
    - Web Site Defacement. All instances of a defaced Web site must be reported.
    - Malicious Code. All instances of successful infection or persistent attempts at infection by malicious code, such as viruses, Trojan horses, or worms, must be reported.
    - Denial of Service. Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of a network must be reported. Critical services are determined through Business Impact Analyses in the Contingency Planning process.
    - Critical Infrastructure Protection (CIP). Any activity that adversely affects an asset identified as critical infrastructure must be reported. CIP assets are identified through the Contingency Planning process.
    - Unauthorized Use. Any activity that adversely affects an information system’s normal, baseline performance and/or is not recognized as being related to Senior DOE Management mission is to be reported. Unauthorized use includes, but is not limited to, port scanning that excessively degrades performance; IP (Internet protocol) spoofing; network reconnaissance; monitoring; hacking into DOE servers and other non-DOE servers; running traffic-generating applications that generate unnecessary network broadcast storms or drive large amounts of traffic to DOE computers; or using illegal (or misusing copyrighted) software images, applications, data, and music. Unauthorized use can involve using DOE systems to break the law.
    - Information Compromise. Any unauthorized disclosure of information that is released from control to entities that do not require the information to accomplish an official Government function, such as may occur due to inadequate clearing, purging, or destruction of media and related equipment or transmitting information to an unauthorized entity.
  - Type 2 incidents are attempted incidents that pose potential long-term threats to DOE cyber security interests or that may degrade the overall effectiveness of the Department’s cyber security posture. The following are the currently defined Type 2 incidents.
    - Attempted Intrusion. A significant and/or persistent attempted intrusion is an exploit that stands out above the daily activity or noise level, as determined by the system owner, and would result in unauthorized access (compromise) if the system were not protected.
    - Reconnaissance Activity. Persistent surveillance and resource mapping probes and scans are those that stand out above the daily activity or noise level and represent activity that is designed to collect information about vulnerabilities in a network and to map network resources and available services. The Senior DOE Management PCSP must document the parameters for collecting and reporting data on surveillance probes and scans.
- Security Categories characterize the potential impact of incidents that compromise DOE information and information systems. Such incidents may impact DOE operations, assets, individuals, mission, or reputation. Security categories identify the level of sensitivity and criticality of information and information systems by assessing the impact of the loss of confidentiality, integrity, and availability. Each of the security objectives—confidentiality, integrity, and availability—is assessed in the following manner.
  - Low Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a limited adverse effect on DOE operations, assets, or individuals, including loss of secondary mission capability, requiring minor corrective actions or repairs.
  - Moderate Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a serious adverse effect on DOE operations, assets, or individuals, including significant degradation, non-life threatening bodily harm, loss of privacy, or major damage, requiring extensive corrective actions or repairs.
  - High Security Category. Loss of system confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on DOE operations, assets, or individuals. The incident could pose a threat to human life, cause the loss of mission capability, or result in the loss of major assets.
- Complete incident reports in a timely manner, and maintain all records.
Incident management processes and procedures are included in Contingency
Plan testing and integrated with Personally Identifiable Information incident
reporting, Information Condition (INFOCON) processes and procedures, and each
information system Contingency Plan.
- When a cyber security incident has occurred or is suspected to have
occurred (potential incident), the affected site will immediately examine
and document the pertinent facts and circumstances surrounding the
event.
- The initial investigation of an event is completed within 24 hours. If the
initial investigation of a potential incident cannot be completed within 24
hours, an initial report must be made within 26 hours. Once it is
determined that an incident has occurred, the incident must be
categorized according to Incident Type and Security Category, analyzed
for impact to Senior DOE Management operations, and reported to
CIAC within the time frames indicated in Table 1, in accordance with
the process established in the applicable PCSP.
- All potential incident evaluations and incidents must be documented and
local files retained.
- Table 1. Required Time Frame for Reporting Cyber Security Incidents to the Computer Incident Advisory Capability (the Low, Moderate and High columns are the Security Category):
  | Incident Type | Security Category: Low | Security Category: Moderate | Security Category: High |
  | Type 1 | Within 4 hours | Within 2 hours | Within 1 hour |
  | Type 2 | Within 1 week | Within 48 hours | Within 24 hours |
- A monthly report on the status of incident resolution is required from all operating units whether or not any reportable successful or attempted cyber security incidents have occurred during the previous month.
- PII. Requirements for Reporting of Cyber Security Incidents Involving Personally Identifiable Information (PII). Senior DOE Management PCSPs are to direct operating units to develop, document, and implement policies and procedures for reporting incidents involving PII, in accordance with the following criteria.
- Establish, document, and implement procedures for reporting cyber security
incidents related to PII in accordance with the processes and time frames
outlined in this Guidance.
- Develop processes to notify the Information Owner once it has been
determined that confidentiality of PII has been compromised.
- Ensure that all suspected or confirmed cyber security incidents involving
media containing PII (including the physical loss/theft of computing devices)
are reported to the DOE Cyber Incident Advisory Capability (CIAC) within
45 minutes of discovery. CIAC will report to the US-Computer Emergency Readiness
Team (US-CERT) in accordance with its procedures.
- When reporting possible cyber security incidents involving PII, there should be sufficient reason to believe that a security breach has occurred and that PII is likely to have been involved. Otherwise, the incident should be reported following documented procedures for reporting all cyber security incidents.
- Reports to CIAC should be made via the CIAC AWARE portal, or
alternatively by email to ciac@ciac.org, phone to 925-422-8193, or fax to
925-423-8002.
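As an added illustration (not part of the CIAC guidance or of any DOE tool), the following Python encodes the Table 1 windows, the 45-minute PII rule and the 26-hour initial-report fallback as a deadline calculator and orders open incidents by due time; the `Incident` record, its fields and the sample incidents are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows from Table 1, keyed by (Incident Type, Security Category).
REPORTING_WINDOWS = {
    (1, "Low"): timedelta(hours=4),
    (1, "Moderate"): timedelta(hours=2),
    (1, "High"): timedelta(hours=1),
    (2, "Low"): timedelta(weeks=1),
    (2, "Moderate"): timedelta(hours=48),
    (2, "High"): timedelta(hours=24),
}
PII_WINDOW = timedelta(minutes=45)            # media containing PII: within 45 minutes of discovery
INITIAL_REPORT_FALLBACK = timedelta(hours=26) # initial report due if the 24-hour investigation is not done

@dataclass
class Incident:                       # hypothetical tracking record, constructed for this example
    ident: str                        # local tracking id
    discovered: datetime              # time the event was detected
    incident_type: Optional[int]      # 1 or 2 once categorized; None while still a potential incident
    category: Optional[str]           # "Low", "Moderate" or "High"; None while uncategorized
    involves_pii: bool = False

def report_deadline(inc: Incident) -> datetime:
    """Latest time a report to CIAC is due, applying the PII rule before the Table 1 windows."""
    if inc.involves_pii:
        return inc.discovered + PII_WINDOW
    if inc.incident_type is None or inc.category is None:
        return inc.discovered + INITIAL_REPORT_FALLBACK
    return inc.discovered + REPORTING_WINDOWS[(inc.incident_type, inc.category)]

def reporting_queue(incidents, now: datetime):
    """Order open incidents by due time; each entry is (id, deadline, overdue flag)."""
    rows = [(inc.ident, report_deadline(inc), now > report_deadline(inc)) for inc in incidents]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample incidents (not real DOE data) for a stand-alone run.
T0 = datetime(2007, 10, 26, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident("INC-A", T0, 1, "High"),                                            # root compromise on a critical server
    Incident("INC-B", T0, 2, "Low"),                                             # persistent scans above the noise level
    Incident("INC-C", T0 + timedelta(minutes=10), None, None),                   # still under initial investigation
    Incident("INC-D", T0 + timedelta(minutes=30), 1, "Low", involves_pii=True),  # lost laptop with PII
]

if __name__ == "__main__":
    for ident, due, overdue in reporting_queue(SAMPLE, T0 + timedelta(hours=2)):
        print(ident, due.isoformat(), "OVERDUE" if overdue else "open")
```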
Reporting Procedures
Incidents involving unclassified computer systems
Report cyber security incidents involving unclassified systems as listed below. CIAC encourages sites to utilize the flexibility offered by e-mail whenever possible.
- Non-urgent incidents. Send e-mail describing the cyber security incident to ciac@ciac.org. Alternatively, call the CIAC hotline at 925-422-8193, or fax information to 925-423-8002.
- Incidents requiring immediate attention. If the cyber security incident requires priority handling, use the phrase "CIAC URGENT" in the e-mail subject line and a CIAC analyst will automatically be paged. You can also call the CIAC hotline at 925-422-8193, where an analyst will man the phone during the hours of M-F 0800-1700 EST. During off-hours, leave a voice mail with a return phone number, and a CIAC analyst will be automatically paged and contact you immediately. Please restrict the off-hours use of the incident hotline to only emergency situations.
- Sensitive Information. Information about unclassified cyber security incidents of a sensitive nature should be sent protected with encrypted e-mail. To facilitate this process, supply CIAC with your public encryption key, either Entrust or PGP. Contact CIAC for guidance on how to transmit information securely if encrypted means are not available.
- Automated scan detection and reporting. Some sites are utilizing automated methods for both detecting and reporting scans and probes. This provides CIAC with valuable data without undue burden on the site. If you are interested in using an automated tool, send e-mail to ciac@ciac.org.
- Incidents involving classified computer systems. If the cyber security incident involves a classified system, call the CIAC STU number at 925-423-2604, or the CIAC Manager's STU at 925-422-0012. If you are not near a STU, call the CIAC hotline with a STU number and a time to return your call. Please note these are not incidents that involve the "leaking" of classified material onto an unclassified system.
Cyber Security Incident Report Content
CIAC is available to all sites that need assistance in cyber security incident handling and gathering of incident information. In reporting cyber-related incidents to CIAC, provide as much detailed information as possible about how the incident occurred, what occurred, its impact, and what preventive measures have been implemented. Supply any log file information from the compromised system(s), routers, and/or firewalls in the communication path. CIAC will analyze this information and provide you with a detailed report regarding each unauthorized compromise.
CIAC understands that this information is not always readily available; however, any details you can provide will help with our analysis. Even if you have resolved the incident yourself, your report and analysis is valuable to CIAC in comparing this incident with those reported by other sites. It further assists CIAC in analyzing the DOE corporate threat and providing DOE and the NNSA with guidance. In assessing the significance and reporting of such cyber security incidents, the reporting organization must consider the following questions:
How?
- How was access gained?
- What vulnerability was exploited?
- How was the incident detected?
What?
- What type of information was the compromised system processing (classified or unclassified -- OUO, UCNI, NNPI, Export Controlled)?
- What service did the system provide (DNS, key asset servers, firewall, VPN gateways, IDS)?
- What level of access did the intruder gain?
- What hacking tools and/or techniques were used?
- What did the intruder delete, modify, or steal?
- What unauthorized data collection programs, such as sniffers, were installed?
- What was the impact of the attack?
- What preventative measures have been (are being) implemented?
Who?
- Determine responsible party's identification, usually IP address(es) or host name(s).
- Does the compromise involve a country on the DOE Sensitive Country List?
When?
- When was the cyber security incident detected?
- When did the cyber security incident actually occur?
Incident Reporting Form:
For your convenience, the Word documents listed below can be used to send CIAC the information described above.
- DOE CIAC Cyber Security Incident Report - for compromised systems
Negative Reporting - 2/27/04
Negative Reporting is a new requirement for all DOE/NNSA sites and is effective immediately per the Department of Energy memorandum concerning Cyber Security Incident Reporting. To address this, CIAC prefers to receive sites' negative reporting through e-mail. Please contact CIAC at ciac@ciac.org to work out any issues with this.
These instructions apply if your site has no incidents to report for the month.
To indicate there have been no incidents for a given month at your site, please send an e-mail to ciac@ciac.org. The e-mail should contain the following:
In the Subject line, please type: CIAC NEGATIVE REPORT
In the body of the message, please type the following (including the sentence "No incidents to report"):
- Your Name = your name (Example: John Doe)
- Job Title(s) - Optional = your title(s) (Example: ISSM, Network Security Lead)
- Site = your site's acronym (Example: DOE-HQ)
- Reporting Month = the 3-letter abbreviation for the month you are reporting (Example: MAR)
"No incidents to report"
Description of the Fields Above:
Your name: This information is necessary for CIAC to verify or track multiple reports from sites. Your name should include First name and Last name in that order.
Job Title(s) - Optional: Your job title describes your responsibilities especially in regard to incident reporting. For example, do you have a security specific job title, such as ISSM or CPPM for a site, or if no security title, please indicate any computer related title, such as Network Manager or Systems Administrator.
Site: CIAC prefers the acronyms for sites, such as BNL or LANL, but if you are unsure of an acronym, please provide the whole name.
Reporting Month: This is the month for which you are providing a negative report. A month is from the 1st day through the last day of that month. Three-letter abbreviations are preferred (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec).
No incidents to report: This phrase should show up in the body exactly as shown.
Disclaimer
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.