CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

DfT Cyber Security Team CYBER@DFT.GSI.GOV.UK

Introduction

The Department for Transport (DfT) has produced this cyber incident reporting guidance in collaboration with the National Cyber Security Centre (NCSC) to provide instructions for the transport sector regarding the reporting of cyber incidents. It is aimed at transport organisations (including asset owners and operators) in the modes of Aviation, Rail, Road and Maritime.

The aim of this guidance is to set out for industry clear methods for reporting significant cyber security incidents to DfT and the NCSC and, where appropriate, for reporting fraud and cyber-crime to the National Crime Agency (NCA) through Action Fraud.

This guidance will support organisations' development of effective incident management and response plans. It is the responsibility of each organisation to implement these plans and assign responsibilities for reporting such incidents. Organisations are encouraged to incorporate this new guidance into existing incident response and disaster recovery procedures and to ensure that it is exercised on a regular basis.

This guidance does not replace any existing regulatory reporting requirements, specifically:
To the DfT under the Rail Security Regulations;
To the Civil Aviation Authority (CAA) under the Mandatory Occurrence Reporting regime.

Network and Information Systems (NIS) Directive

Additional mandatory incident reporting requirements, which are separate to this guidance, are currently being introduced in the UK in the form of the Network and Information Systems (NIS) Directive. This directive comes into force in May 2018. As Competent Authority, DfT will issue further communications as this new directive is transposed into UK law. Further guidance will be shared with Operators of Essential Services that will specify the additional reporting requirements and thresholds.

Roles and Responsibilities

DfT, NCSC, NCA and Action Fraud all work closely together, not only on cyber security issues that impact on transport but also on wider policy issues.

Department for Transport (DfT)

DfT is the Lead Government Department (LGD) for incidents that impact on transport; this includes cyber incidents. DfT will lead on the management of real-world operational impacts and provide the wider policy response. Our dedicated cyber security transport team are also on hand to provide guidance and support as required.

The NCSC

The NCSC is the UK's technical authority on cyber security. Its main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. It works with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management, underpinned by world class research and innovation.

The NCSC identifies and responds to incidents which might impact the UK's national security or economic wellbeing, and/or which have the potential to cause major impact to the continued operation of an organisation. In the event of significant cyber security incidents, it provides direct technical support and cross government coordination of response activities.

The National Cyber Crime Unit (NCCU) (part of the National Crime Agency - NCA)

The National Cyber Crime Unit (NCCU), part of the National Crime Agency, is the UK's lead for tackling the threat from serious and organised cybercrime. The NCCU leads, supports and coordinates cyber law enforcement activity across the UK, working with partners to provide specialist cyber support and expertise across law enforcement. It works closely with NCSC, Regional Cyber Crime Units, and Police Forces to build an effective cyber response across the UK.

Action Fraud

Action Fraud is the UK's national fraud and cyber-crime reporting centre for England, Wales and Northern Ireland, providing a central point of contact for citizens and businesses. The National Fraud Intelligence Bureau (NFIB), also hosted by the City of London Police (CoLP), acts upon the information and crimes reported to Action Fraud, developing and disseminating crime packages for investigation locally, regionally and nationally, and executing a range of disruption and crime prevention techniques for victims across all sectors to target criminality and engineer out the threat from fraud and cyber-crime.

What is a Cyber Security Incident?

The NCSC defines a cyber security incident as:
A breach of a system's security in order to affect its integrity or availability;
The unauthorised access or attempted access to a system.

And may include:
attempts to gain unauthorised access to a system and/or to data;
the unauthorised use of systems and/or data;
modification of a system's firmware, software or hardware without the system owner's consent; and
malicious disruption and/or denial of service.

The NCSC defines a significant cyber security incident as:
I. a cyber incident causing a significant disruptive event to an essential service;
II. impact on UK's national security or economic wellbeing; or
III. the potential to cause major impact to the continued operation of an organisation.

Relevant incidents affecting the transport sector may also be reported by third parties, such as Managed Service Providers.

Who should I report an incident to?

The following principles apply for the reporting of cyber security incidents:

Is it a cyber-security incident?
If you are experiencing unexpected or unusual computer network issues, we recommend that you contact your system administrator or service provider to identify the root cause of the issue.

Reporting fraud and cyber-crime
If you are experiencing a live cyber-crime attack or have experienced online fraud or a cyber-crime (this includes any criminal act dealing with computers and networks and traditional crimes conducted through the internet, such as scams, distributed denial of service (DDoS) attacks and hacking extortion) you should report this to Action Fraud.

Reporting significant cyber-security incidents
If you assess that your organisation is a victim of a significant cyber-security incident (as defined above) you should report the incident to the NCSC Incident Management team. You should also report the incident to DfT as your Lead Government Department. Under certain circumstances it will be necessary to notify the Information Commissioner's Office (see footnote 1).

How to report an incident

You should assess which organisation(s) you need to notify and provide as much information about the incident as possible. The template at the end of this guidance sets out the type of information that is required to report a cyber incident. Use the tables in the Annex for incident reporting; these include contact details.

Footnote 1: https://ico.org.uk/for-organisations/report-a-breach/

Press and Media Communications

NCSC will be the default initial communications lead for all cyber incidents it triages. It will be responsible for developing and disseminating lines following a cyber incident and agreeing these with DfT and other organisations as required.

DfT, NCSC and NCA will work collaboratively with the victim organisation to agree appropriate communications handling. Victim organisations are asked to liaise with DfT, NCSC and NCA, as appropriate, before releasing any statements or media releases on the incident. DfT's communications team can facilitate contact between victim organisations and NCSC / NCA if needed. We also strongly encourage organisations to share contact details with DfT / NCSC and NCA in order to build good working relationships.

What happens once an incident is reported?

The incident information will be triaged and categorised by either the NCSC, or Action Fraud, to determine the correct level and type of support required. The NCSC or Action Fraud/NCA will then engage and contact your organisation, as soon as is reasonably practicable, to provide support or guidance.

A post-incident lessons learned process may be conducted for the most serious incidents. This will be led by DfT or the NCSC.

Find Out More

National Cyber Security Centre Incident Management - https://www.ncsc.gov.uk/incident-management

Cyber Security Information Sharing Partnership (CiSP) - www.ncsc.gov.uk/cisp
CiSP is a secure joint industry and Government initiative for exchanging cyber-threat information. Membership provides you with vital threat information and information on ongoing incidents. DfT can act as your sponsor: follow the joining instructions at the link above and contact cyber@dft.gsi.gov.uk for sponsorship details.

10 Steps to Cyber Security - www.ncsc.gov.uk/guidance/10-steps-cyber-security
The National Cyber Security Centre's website gives further advice on how to protect your systems from a range of cyber and information security threats.

Action Fraud - http://www.actionfraud.police.uk/about-us

The National Cyber Crime Unit - http://www.nationalcrimeagency.gov.uk/aboutus/what-we-do/national-cyber-crime-unit

Media and Press Contacts

Department for Transport
In office hours: 0207 944 3021
Out of hours: 0207 944 4292

NCSC
NCSC media team e-mail (24/7): pressoffice@ncsc.gov.uk
NCSC media team telephone (24/7): 07468 838 893

DfT Cyber Incident Response Information Capture

This form is intended to be used by the victim to capture initial information of a cyber incident to be sent to DfT. It does not constitute a joint report to NCSC and organisations should make appropriate reporting direct to each organisation including DfT and NCSC. Please fill in this form as fully as possible and send it to the DfT/NCSC email addresses in the annex attached.

Points to Capture | Response

Name of person reporting:
Role in the company:
Work Phone:
Mobile Phone:
Email Address:
Name of the Organisation and the essential service it provides:
Internal incident ID number or name:
Date and Time Incident Detected:
Date and Time Incident Reported:
Type of Incident:
Incident status: Detected incident / suspected incident
Incident stage: Ongoing / ended / ongoing but managed

Cyber Incidents - Please provide a summary of your understanding of the incident, including any impact to services and/or users, including:
Incident type
How the incident was discovered
Duration
Location of the incident(s)
Services/systems affected
Impact on those services/systems
Impact on safety to staff or public
Suspected cause
Whether there is any known or likely cross-border impact
Any other relevant information

What investigations and/or mitigations have you or a third party performed or plan to perform?

Who else has been informed about this incident? (NCSC, NCA, Action Fraud etc.)
What are your planned next steps?

General Guidance - ANNEX