As reporting requirements for cyber breaches were made law last month, the Cybersecurity and Infrastructure Security Agency has been hard at work on the specifics. The organization has now published a quick guide on what kinds of incidents critical infrastructure entities should share with the government.
Here are their ten key elements to share:
- The incident date and time
- The incident location
- The type of observed activity
- A detailed narrative of the event
- The number of people or systems affected
- The company/organization name
- Point of contact details
- The severity of the event
- The critical infrastructure sector, if known
- Anyone else you informed
Specifically, the types of activity to share with CISA:
- Unauthorized access to your system
- Denial of Service (DOS) attacks that last more than 12 hours
- Malicious code on your systems, including variants if known
- Targeted and repeated scans against services on your systems
- Repeated attempts to gain unauthorized access to your system
- Email or mobile messages associated with phishing attempts or successes **
- Ransomware against Critical Infrastructure, including variant and ransom details if known
Next up will be some of the specific rules for reporting.
Why do we care?
Tactically, either your IT services provider already has this down to a science… or this list is your starting point for fixing your process. While I don’t have data on it, I have a feeling it’s one of those two extremes.
Sure, these are critical infrastructure entities. For now. If you don’t think this will spread, my response is that you’re not paying attention. Even if it doesn’t become a legal requirement to report to law enforcement soon… it will come from your insurance company. Or your customer’s insurance company.
And I suspect “did you report to law enforcement” will be one of the questions they ask.
It’s also clear CISA is moving – that law only passed a month ago. They’ll be moving quickly to ensure that guidelines are in place.