On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.” In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”
CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks. The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves.
Overview. The Fact Sheet urges critical infrastructure owners and operators and their government partners to undertake three overarching steps: (1) observe the activity; (2) act to mitigate the threat; and (3) report the event. The Fact Sheet also provides guidance on the types of activities that should be shared with CISA and the “ten key elements” that should be included in any incident report.
Types of Activities to Report. The Fact Sheet explains that entities should report the following types of activities:
- Unauthorized access to a system;
- Denial of Service (“DOS”) attacks that last more than 12 hours;
- Malicious code on systems, including variants of the code, if known;
- Targeted and repeated scans against system services;
- Repeated attempts to gain unauthorized access to a system;
- Email or mobile messages associated with phishing attempts or successes; and
- Ransomware attacks against critical infrastructure, including the ransomware variant and ransom details, if known.
Elements of an Incident Report. The Fact Sheet describes the “10 key elements” of an incident report, the first nine of which are considered a priority:
- Incident date and time;
- Incident location;
- Type of observed activity;
- Detailed narrative of the event;
- Number of people or systems affected;
- Company/organization name;
- Point of contact details;
- Severity of event;
- Critical infrastructure sector, if known; and
- Anyone else that was informed of the incident.
Reporting Mechanism and Post-Reporting Response. The Fact Sheet provides multiple reporting mechanisms. CISA encourages information sharing through its Incident Reporting Form or, alternatively, by emailing Report@cisa.gov and providing as much detail as possible. The Fact Sheet further explains that CISA will triage the reports it receives and may share anonymized information about the activity with others. It may also contact the reporting entity, using an official CISA account, for further details.
Additional Resources. The Fact Sheet notes that CISA “partners with the Anti-Phishing Working Group . . . to collect phishing email messages, mobile messages and website locations to help people avoid becoming victims of phishing scams,” and phishing information can be shared with CISA through firstname.lastname@example.org.
Next Steps. The publication of the Fact Sheet comes shortly after the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) which, once implemented, will establish mandatory cyber incident and ransomware payment reporting requirements for critical infrastructure entities. CISA states in the Fact Sheet that it will undertake a rulemaking process to implement CIRCIA, but will continue to encourage voluntary information sharing about cyber-related events in the interim. Critical infrastructure owners and operators may find it useful to review and familiarize themselves with these reporting mechanisms in advance of the implementation of CIRCIA, as these requirements may ultimately provide insight into the procedures that will be required under CIRCIA once it is implemented.