Incident Response/Reporting Procedures
for U.S. Department of Energy Facilities/Contractors Only
- Unauthorized Access. All attempts at unauthorized access, whether or not they are successful, even if unauthorized access is suspected but not yet proven.
- Malicious Code. Instances of malicious code such as viruses, Trojan horses, or worms.
- Denial of Service. Denial of service (successful or unsuccessful) that affects or threatens to affect a critical service or denies access to all or large portions of a site's network.
- Scans and Probes. Unauthorized network scans, probes, and attempted denial of service.
Reporting Procedures
Incidents involving unclassified computer systems
Report cyber security incidents involving unclassified systems as listed below. CIAC encourages sites to use the flexibility offered by e-mail whenever possible.
- Non-urgent incidents
Send e-mail describing the cyber security incident to ciac@ciac.org. Alternatively, call the CIAC hotline at 925-422-8193, or fax information to 925-423-8002.
- Incidents requiring immediate attention
If the cyber security incident requires priority handling, use the phrase "CIAC URGENT" in the e-mail subject line and a CIAC analyst will automatically be paged. You can also call the CIAC hotline at 925-422-8193, where an analyst staffs the phone M-F 0800-2100 EST. During off-hours, leave a voice mail with a return phone number; a CIAC analyst will be automatically paged and will contact you immediately. Please restrict off-hours use of the incident hotline to emergency situations only.
- Sensitive Information
Information about unclassified cyber security incidents of a sensitive nature should be sent protected with encrypted e-mail. To facilitate this process, supply CIAC with your public encryption key, either Entrust or PGP. Contact CIAC for guidance on how to transmit information securely if encrypted means are not available.
- Aggregated incident reports
Some sites find it convenient to accumulate reports and send them weekly. To facilitate the logging of these incidents, please separate the incidents into the categories listed in the previous section (Unauthorized Access, Malicious Code, Denial of Service, and Scans and Probes).
- Automated scan detection and reporting
Some sites are utilizing automated methods for both detecting and reporting scans and probes. This provides CIAC with valuable data without undue burden on the site. If you are interested in using an automated tool, send e-mail to ciac@ciac.org.
Incidents involving classified computer systems
If the cyber security incident involves a classified system, call the CIAC STU number at 925-423-2604, or the CIAC Manager's STU at 925-422-0012. If you are not near a STU, call the CIAC hotline with a STU number and a time to return your call. Please note these are not incidents that involve the "leaking" of classified material onto an unclassified system.
Cyber Security Incident Report Content
CIAC is available to all sites that need assistance in cyber security incident handling and gathering of incident information. In reporting cyber-related incidents to CIAC, provide as much detailed information as possible about how the incident occurred, what occurred, its impact, and what preventive measures have been implemented. Supply any log file information from the compromised system(s), routers, and/or firewalls in the communication path. CIAC will analyze this information and provide you with a detailed report regarding each unauthorized compromise.
CIAC understands that this information is not always readily available; however, any details you can provide will help with our analysis. Even if you have resolved the incident yourself, your report and analysis are valuable to CIAC in comparing this incident with those reported by other sites. It further assists CIAC in analyzing the DOE corporate threat and providing DOE and the NNSA with guidance. In assessing the significance and reporting of such cyber security incidents, the reporting organization must consider the following questions:
How?
- How was access gained? What vulnerability was exploited?
- How was the incident detected?
What?
- What type of information was the compromised system processing (classified or unclassified -- OUO, UCNI, NNPI, Export Controlled)?
- What service did the system provide (DNS, key asset servers, firewall, VPN gateways, IDS)?
- What level of access did the intruder gain?
- What hacking tools and/or techniques were used?
- What did the intruder delete, modify, or steal?
- What unauthorized data collection programs, such as sniffers, were installed?
- What was the impact of the attack?
- What preventative measures have been (are being) implemented?
Who?
- Determine the responsible party's identification, usually IP address(es) or host name(s).
- Does the compromise involve a country on the DOE Sensitive Country List?
When?
- When was the cyber security incident detected?
- When did the cyber security incident actually occur?
Incident Reporting Forms
For your convenience, the Word documents listed below can be used to send CIAC the information described above.
- Compromise_Incident_Report_Template.doc - for compromised systems
- Worm_Incident_Report_Template.doc - for worm infections
- Malicious_Code_Incident_Report_Template.doc - for trojans, viruses, and other non-worm malicious code incidents
Negative Reporting - 2/27/04
Negative Reporting is a new requirement for all DOE/NNSA sites and is effective immediately per the Department of Energy memorandum concerning Cyber Security Incident Reporting. To address this, CIAC prefers to receive sites' negative reporting through e-mail. Please contact CIAC at ciac@ciac.org to work out any issues with this.
These instructions apply if your site has no incidents to report for the month.
To indicate there have been no incidents for a given month at your site, please send an e-mail to ciac@ciac.org. The e-mail should contain the following:
- In the Subject line, please type: CIAC NEGATIVE REPORT
- In the body of the message, please type the following (including the sentence "No incidents to report"):
Your Name = your name (Example: John Doe)
Job Title(s) - Optional = your title(s) (Example: ISSM, Network Security Lead)
Site = your site's acronym (Example: DOE-HQ)
Reporting Month = the 3-letter abbreviation for the month you are reporting (Example: MAR)
No incidents to report
Description of the Fields Above:
Your name: This information is necessary for CIAC to verify or track multiple reports from sites. Your name should include First name and Last name in that order.
Job Title(s) - Optional: Your job title describes your responsibilities, especially with regard to incident reporting. For example, give a security-specific job title such as ISSM or CPPM for the site; if you have no security title, give a computer-related title such as Network Manager or Systems Administrator.
Site: CIAC prefers the acronyms for sites, such as BNL or LANL, but if you are unsure of an acronym, please provide the whole name.
Reporting Month: This is the month for which you are providing a negative report. A month runs from the 1st day through the last day of that month. Three-letter abbreviations are preferred (Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec).
No incidents to report: This phrase should show up in the body exactly as shown.
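A site that wants to check a negative report before sending it (or a receiving mailbox that logs them) can validate the format described above. The following is an added example, not CIAC's own tooling; the field names, subject line and required phrase are taken from this page, while the sample e-mail body is constructed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")
REQUIRED_SUBJECT = "CIAC NEGATIVE REPORT"
REQUIRED_PHRASE = "No incidents to report"   # must appear exactly as shown

@dataclass
class NegativeReport:
    name: str
    title: Optional[str]
    site: str
    month: str
    problems: List[str] = field(default_factory=list)

def parse_negative_report(subject: str, body: str) -> NegativeReport:
    """Parse a 'Key = value' negative report body and collect every format
    problem, so the sender can be told about all of them in one reply."""
    problems = []
    if subject.strip().upper() != REQUIRED_SUBJECT:
        problems.append(f"subject must be exactly '{REQUIRED_SUBJECT}'")
    fields = {}
    for line in body.splitlines():
        if "=" in line:                      # first '=' separates key from value
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    name = fields.get("your name", "")
    if len(name.split()) < 2:                # first and last name required
        problems.append("Your Name must contain first and last name")
    site = fields.get("site", "")
    if not site:
        problems.append("Site is missing")
    month = fields.get("reporting month", "").upper()
    if month not in MONTHS:                  # only 3-letter abbreviations accepted
        problems.append(f"Reporting Month '{month}' is not a 3-letter abbreviation")
    if REQUIRED_PHRASE not in body:          # case-sensitive, exact phrase
        problems.append(f"body must contain the phrase '{REQUIRED_PHRASE}'")
    title = fields.get("job title(s) - optional") or None
    return NegativeReport(name, title, site, month, problems)

# Constructed sample e-mail following the template on this page.
SAMPLE_SUBJECT = "CIAC NEGATIVE REPORT"
SAMPLE_BODY = """Your Name = John Doe
Job Title(s) - Optional = ISSM, Network Security Lead
Site = DOE-HQ
Reporting Month = MAR

No incidents to report
"""
```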
Last Updated: 7/9/2007