CYBER INCIDENT REPORTING GUIDANCE
Industry Reporting Arrangements for Incident Response

DfT Cyber Security Team
CYBER@DFT.GSI.GOV.UK
Introduction

The Department for Transport (DfT) has produced this cyber incident reporting guidance in collaboration with the National Cyber Security Centre (NCSC) to provide instructions for the transport sector regarding the reporting of cyber incidents. It is aimed at transport organisations (including asset owners and operators) in the modes of Aviation, Rail, Road and Maritime.

The aim of this guidance is to set out clear methods for industry to report significant cyber security incidents to DfT and the NCSC and, where appropriate, to report fraud and cyber-crime to the National Crime Agency (NCA) through Action Fraud.

This guidance will support organisations' development of effective incident management and response plans. It is the responsibility of each organisation to implement these plans and assign responsibilities for reporting such incidents. Organisations are encouraged to incorporate this new guidance into existing incident response and disaster recovery procedures and to ensure that it is exercised on a regular basis.

This guidance does not replace any existing regulatory reporting requirements, specifically:
- To the DfT under the Rail Security Regulations;
- To the Civil Aviation Authority (CAA) under the Mandatory Occurrence Reporting regime.

Network and Information Systems (NIS) Directive

Additional mandatory incident reporting requirements, which are separate to this guidance, are currently being introduced in the UK in the form of the Network and Information Systems (NIS) Directive. This directive comes into force in May 2018. As Competent Authority, DfT will issue further communications as this new directive is transposed into UK law. Further guidance will be shared with Operators of Essential Services that will specify the additional reporting requirements and thresholds.
Roles and Responsibilities

DfT, NCSC, NCA and Action Fraud all work closely together not only on cyber security issues that impact on transport but also on wider policy issues.

Department for Transport (DfT)

DfT is the Lead Government Department (LGD) for incidents that impact on transport; this includes cyber incidents. DfT will lead on the management of real-world operational impacts and provide the wider policy response. Our dedicated cyber security transport team are also on hand to provide guidance and support as required.
The NCSC

The NCSC is the UK's technical authority on cyber security. Its main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. It works with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management, underpinned by world class research and innovation.

The NCSC identifies and responds to incidents which might impact the UK's national security or economic wellbeing, and/or which have the potential to cause major impact to the continued operation of an organisation. In the event of significant cyber security incidents, it provides direct technical support and cross government coordination of response activities.

The National Cyber Crime Unit (NCCU) (part of the National Crime Agency - NCA)

The National Cyber Crime Unit (NCCU), part of the National Crime Agency, is the UK's lead for tackling the threat from serious and organised cybercrime. The NCCU leads, supports and coordinates cyber law enforcement activity across the UK, working with partners to provide specialist cyber support and expertise across law enforcement. It works closely with NCSC, Regional Cyber Crime Units, and Police Forces to build an effective cyber response across the UK.

Action Fraud

Action Fraud is the UK's national fraud and cyber-crime reporting centre for England, Wales and Northern Ireland, providing a central point of contact for citizens and businesses. The National Fraud Intelligence Bureau (NFIB), also hosted by the City of London Police (CoLP), acts upon the information and crimes reported to Action Fraud, developing and disseminating crime packages for investigation locally, regionally and nationally, and executing a range of disruption and crime prevention techniques for victims across all sectors to target criminality and engineer out the threat from fraud and cyber-crime.

What is a Cyber Security Incident?
The NCSC defines a cyber security incident as:
- A breach of a system's security in order to affect its integrity or availability;
- The unauthorised access or attempted access to a system.

And may include:
- attempts to gain unauthorised access to a system and/or to data;
- the unauthorised use of systems and/or data;
- modification of a system's firmware, software or hardware without the system owner's consent; and
- malicious disruption and/or denial of service.
The NCSC defines a significant cyber security incident as:
I. a cyber incident causing a significant disruptive event to an essential service;
II. impact on UK's national security or economic wellbeing; or
III. the potential to cause major impact to the continued operation of an organisation.

Relevant incidents affecting the transport sector may also be reported by third parties, such as Managed Service Providers.

Who should I report an incident to?

The following principles apply for the reporting of cyber security incidents:

Is it a cyber-security incident?

If you are experiencing unexpected or unusual computer network issues, we recommend that you contact your system administrator or service provider to identify the root cause of the issue.

Reporting fraud and cyber-crime

If you are experiencing a live cyber-crime attack or have experienced online fraud or a cyber-crime (this includes any criminal act dealing with computers and networks and traditional crimes conducted through the internet, such as scams, distributed denial of service (DDoS) attacks and hacking extortion) you should report this to Action Fraud.

Reporting significant cyber-security incidents

If you assess that your organisation is a victim of a significant cyber-security incident (as defined above) you should report the incident to the NCSC Incident Management team. You should also report the incident to DfT as your Lead Government Department. Under certain circumstances it will be necessary to notify the Information Commissioner's Office [1].

How to report an incident

You should assess which organisation(s) you need to notify and provide as much information about the incident as possible. The template at the end of this guidance sets out the type of information that is required to report a cyber incident. You should use the tables in the Annex for incident reporting; this includes contact details.
Press and Media Communications

NCSC will be the default initial communications lead for all cyber incidents it triages. It will be responsible for developing and disseminating lines following a cyber incident and agreeing these with DfT and other organisations as required.

[1] https://ico.org.uk/for-organisations/report-a-breach/
DfT, NCSC and NCA will work collaboratively with the victim organisation to agree appropriate communications handling. Victim organisations are asked to liaise with DfT, NCSC and NCA, as appropriate, before releasing any statements or media releases on the incident. DfT's communications team can facilitate contact between victim organisations and NCSC / NCA if needed. We also strongly encourage organisations to share contact details with DfT / NCSC and NCA in order to build good working relationships.

What happens once an incident is reported?

The incident information will be triaged and categorised by either the NCSC, or Action Fraud, to determine the correct level and type of support required. The NCSC or Action Fraud/NCA will then engage and contact your organisation, as soon as is reasonably practicable, to provide support or guidance.

A post-incident lessons learned process may be conducted for the most serious incidents. This will be led by DfT or the NCSC.
Find Out More

National Cyber Security Centre Incident Management - https://www.ncsc.gov.uk/incident-management

Cyber Security Information Sharing Partnership (CiSP) - www.ncsc.gov.uk/cisp
CiSP is a secure joint industry and Government initiative for exchanging cyber-threat information. Membership provides you with vital threat information and information on ongoing incidents. DfT can act as your sponsor; follow the joining instructions on the link above and contact cyber@dft.gsi.gov.uk for sponsorship details.

10 Steps to Cyber Security - www.ncsc.gov.uk/guidance/10-steps-cyber-security
The National Cyber Security Centre's website gives further advice on how to protect your systems from a range of cyber and information security threats.

Action Fraud - http://www.actionfraud.police.uk/about-us

The National Cyber Crime Unit - http://www.nationalcrimeagency.gov.uk/aboutus/what-we-do/national-cyber-crime-unit

Media and Press Contacts

Department for Transport
In office hours: 0207 944 3021
Out of hours: 0207 944 4292

NCSC
NCSC media team e-mail (24/7): pressoffice@ncsc.gov.uk
NCSC media team telephone (24/7): 07468 838 893
DfT Cyber Incident Response Information Capture

This form is intended to be used by the victim to capture initial information of a cyber incident to be sent to DfT. It does not constitute a joint report to NCSC and organisations should make appropriate reporting direct to each organisation including DfT and NCSC.

Please fill in this form as fully as possible and send it to the DfT/NCSC email addresses in the annex attached.

Points to Capture

Name of person reporting:
Role in the company:
Work Phone:
Mobile Phone:
Email Address:
Name of the Organisation and the essential service it provides:
Internal incident ID number or name:
Date and Time Incident Detected:
Date and Time Incident Reported:
Type of Incident:
Incident status: Detected incident / suspected incident
Incident stage: Ongoing / ended / ongoing but managed

Cyber Incidents - Please provide a summary of your understanding of the incident, including any impact to services and/or users, including:
- Incident type
- How the incident was discovered
- Duration
- Location of the incident(s)
- Services/systems affected
- Impact on those services/systems
- Impact on safety to staff or public
- Suspected cause
- Whether there is any known or likely cross-border impact
- Any other relevant information

What investigations and/or mitigations have you or a third party performed or plan to perform?

Response
Who else has been informed about this incident? (NCSC, NCA, Action Fraud etc.)

What are your planned next steps?
General Guidance - ANNEX