CERT-In latest directives on Cyber Incidents
Background: Cyber threat landscape is changing rapidly. Several cybercrime & cyber-attacks are rising. In view of changing geopolitical situation across the globe, state-sponsored threat actors are on a mission. Nations critical infrastructure & major organizations are on the radar of these actors & getting hit every day. CERT-In - The Indian Computer Emergency Response Team, actively monitoring the cyber-attacks on Indian entities, has been forecasting & alerting organizations on various emerging threats. It also helps them to handle cyber security incidents & issues guidelines, advisories, vulnerability notes and whitepapers etc. from time to time. It observes that lack of security incident reporting has been adversely impacting the nation’s safety. Also in several instances, when an incident is reported, the requisite information is either sometimes not found available or readily not available with the impacted organization or with its service providers/data centres etc. Such primary information is essential to carry out the analysis, investigation and coordination as per the process of law. CERT-In wants to fill this gap with these directives.
Purpose: These directions have been issued to augment and strengthen cyber security in the country. With these directives, CERT-In is enforcing the timely reporting of any cyber incident & pushing organizations to revamp their infrastructure to capture the information, required for the investigation of such incidents.
Applicable to: All organizations (services providers, intermediaries, data centres, body corporate, etc.) irrespective of their line of business, type and size.
Applicable from: 28 th June 2022*
*(Note: CERT-In has recently extended the timeline for MSMEs, CSPs & VPN service providers to comply with these cyber incident directives by 25th Sept 2022. For other organizations, it's already into effect.)
What are the expectations from the organizations?
Network time synchronization with NPL or NIC: All organizations shall synchronize all their ICT systems clocks s to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers.
Reporting of cyber incidents: Any organization shall mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. The incidents can be reported to CERT-In via email (email@example.com), Phone (1800-11-4949) and Fax (1800-11-6969). The details regarding methods and formats of reporting cyber security incidents are also published on the website of CERT-In www.cert-in.org.in and will be updated from time to time.
Appoint a Single Point of Contact: All organizations shall designate a Point of Contact to interface with CERT-In. The Information related to a Point of Contact shall be sent to CERT-In in the designated format released by them. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
Storage of logs for 180 days: All organizations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.
Additional guidelines for specific industries
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:
- Validated names of subscribers/customers hiring the services.
- Period of hire including dates.
- IPs allotted to / being used by the members.
- Email address and IP address and time stamp used at the time of registration/on boarding.
- The purpose of hiring services.
- Validated address and contact numbers.
- Ownership pattern of the subscribers/customers hiring services.
The virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for five years.
Types of cyber security incidents mandatorily to be reported by the organizations to CERT-In
Below are the types of security incidents, which if any organization encounters or comes to know of, they shall report to CERT-In within 6 hours in the format issued by the body.
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access to IT systems/data
- Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as the spreading of viruses/worms/Trojan/Bots/ Spyware/Ransomware/Crypto miners
- Attack on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks
- Attacks on Applications such as E-Governance, E-Commerce etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incidents affecting Digital Payment systems
- Attacks through Malicious Mobile Apps
- Fake mobile Apps
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
- Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning.
We hope now you have got an idea of the CERT-In's expectations from the organizations in regards to the cyber incidents. If you are thinking about how you can prepare and address the requirements, then hiring a cybersecurity expert should be the decision to take. A cyber security consultant can help you prepare and implement the right cyber security strategies to meet the compliance outlined by the CERT-In as per their latest directives.
Cybersec Knights are one of the esteemed service providers in this space that you can reach out to. You can reach us at firstname.lastname@example.org.