CSIRT Description for CERT PSE
==============================

1. Document Information

This document contains a description of CERT PSE according to RFC 2350. It provides basic information about CERT PSE, such as:
- contact details,
- description of responsibility,
- services offered.

1.1 Date of the last update

Version 2.01, published on April 19, 2017.

1.2 Distribution List for Notifications

Currently, CERT PSE does not use any distribution lists to notify about changes in this document.

1.3 Locations where this Document is shared

The current version of this CERT description document is available on the CERT PSE website at the following URL:
http://cert.pse.pl/txt/rfc2350.txt
Please make sure you are using the latest version.

1.4 Document Authentication

This document has been signed with the CERT PSE PGP key. Signatures can also be found on our website: http://cert.pse.pl/pgp/

2. Contact information

2.1 Name of the team

Computer Incident Response Team - CERT PSE

2.2 Team short name

CERT PSE

2.3 Address

CERT PSE
Polskie Sieci Elektroenergetyczne S.A.
ul. Warszawska 165
05-520 Konstancin-Jeziorna
Poland

2.4 Time zone

Central European Time (UTC+1)
Central European Summer Time (UTC+2), from the last Sunday in March to the last Sunday in October

2.5 Telephone number

+48 22 242 1996

2.6 Fax number

+48 22 242 2323 (note: this is not a fax with encryption)

2.7 Email address

cert@pse.pl

2.8 Information about public keys and encryption

CERT PSE has a PGP key whose key identifier is 0x1FC84641 and whose fingerprint is:
27FD 35DE CCD9 AC10 CE47 E201 6650 30CD 1FC8 4641
The key and its signatures can be found on our website: http://cert.pse.pl/pgp/

2.9 Other information

General information about CERT PSE, as well as links to various recommended security resources, can be found at http://cert.pse.pl/
CERT PSE publishes short messages about current events on the following Twitter account: https://twitter.com/CERTPSE

2.10 Team members

The CERT PSE team consists of experienced experts in the field of cyber security.
Head of the CERT PSE team - Piotr Gołębiewski

2.11 Points of Customer contact

The preferred method to contact CERT PSE is e-mail; an email sent to this address will be passed to the responsible person or immediately forwarded to the appropriate substitute. If urgent assistance is needed, please add "urgent" to the subject of the message. We encourage our clients to use PGP encryption when sending confidential information to CERT PSE.

If it is not possible to use e-mail (or e-mail is not advisable for security reasons), you can contact CERT PSE by phone during normal business hours. CERT PSE's working hours are usually limited to normal working hours (07:00 - 16:00 CET / CEST from Monday to Friday, excluding public holidays).

If possible, please submit your report using the form mentioned in section 6.

3. Statute

3.1 Statement of goals

The goal of the CERT PSE team is to take actions that minimize the probability of cyber security incidents and minimize the effect of their occurrence among its users (within the scope of the services rendered).

The main goals of CERT PSE are:
- promoting online security;
- handling security incidents;
- achieving fruitful cooperation with other power companies;
- supporting the energy community in raising security knowledge.

3.2 Constituency

The CERT PSE user community is the PSE S.A. community.

The CERT PSE constituency comprises:
- ASN: 47876;
- IP: 91.208.150.2/24 and 91.209.155.0/24;
- Domain: pse.pl, pse-online.pl, pse-operator.pl, pse-polnoc.pl, pse-wschod.pl, pse-zachod.pl, pse-poludnie.pl, pse.com.pl, zrkdt.pl, energo-lex.pl, elektroenergetyka.org

3.3 Sponsor and / or affiliation

CERT PSE is financed by Polskie Sieci Elektroenergetyczne S.A., of which it is formally part.

3.4 Competence

CERT PSE operates under the auspices of PSE S.A. and with the authorization delegated by PSE S.A.

CERT PSE expects cooperation with system administrators and users (clients) in the network of PSE S.A. and, as far as possible, avoids subordinate relations. However, if the circumstances warrant it, CERT PSE has the right to take the measures it deems appropriate to properly deal with the incident.

4. Policies

4.1 Types of incidents and level of support

CERT PSE is authorized to deal with all types of computer security incidents that occur or threaten to occur in PSE S.A. networks.

The level of support provided by CERT PSE will vary depending on the type and severity of the incident or problem, the type of user, the size of the user community affected and the resources of CERT PSE at that time. Incidents will be prioritized depending on their apparent severity and extent.

4.2 Cooperation, interaction and disclosure of information

CERT PSE exchanges all necessary information with other CERT teams as well as with stakeholder administrators. No personal data or general data are exchanged, unless necessary. All sensitive data (such as personal data, system configurations, known vulnerabilities) are encrypted if they need to be transmitted in an unsecured environment.

CERT PSE declares comprehensive support for the Information Sharing Traffic Light Protocol (ISTLP, https://www.trusted-introducer.org/ISTLPv11.pdf). Information sent and marked in accordance with ISTLP is processed in an appropriate manner.

4.3 Communication and authentication

CERT PSE uses GPG encryption to ensure confidentiality and integrity of communication. All sensitive information that is sent by email is encrypted.

Incident messages sent by CERT PSE staff are signed with a GPG key (see section 2.8) and encrypted when they contain sensitive information.

Unencrypted emails will be considered unsafe, but they will be sufficient for sending data of low sensitivity.

5. Services provided by CERT

5.1 Incident response

CERT PSE supports organizations in handling incidents related to ICT security in both technical and organizational terms. CERT PSE's capabilities cover the entire incident response process:
- preparation;
- detection and analysis;
- containment, eradication and recovery;
- drawing conclusions, analyzing collected evidence and recommendations.

CERT PSE supports system administrators in handling the technical and organizational aspects of incidents. In particular, it provides assistance or advice on the following aspects of incident management:

5.1.1 Incident triage, which includes:
- verifying whether the incident actually occurred;
- determining the scope of the incident.

5.1.2 Coordination of incidents, which includes:
- facilitating contact with other sites which may be affected;
- determining the initial cause of the incident (vulnerability used);
- facilitating contact with relevant law enforcement officers, if necessary;
- creating reports for other CERT teams;
- creating user notices, if applicable.

5.1.3 Incident resolution

CERT PSE provides advice, but does not provide physical assistance, to employees from the internal network of PSE S.A. with respect to the Rules of Conduct in the event of a suspected security incident at PSE. This includes:
- closing the security gap;
- protecting the system against the effects of an incident;
- assessing whether certain actions are likely to produce effects in proportion to their costs and risks, in particular actions aimed at possible criminal prosecution or disciplinary proceedings: collecting evidence after the fact, observing the incident in progress, setting traps for intruders, etc.;
- collecting evidence of an incident.

In addition, CERT PSE collects statistics on processed incidents and, if necessary, notifies the community to help protect against known attacks.

5.2 Proactive activities

CERT PSE coordinates and maintains the following services to the extent possible depending on its resources:
- Information services via the following channels:
  - website: http://cert.pse.pl/
  - twitter: http://twitter.com/CERTPSE
- Training and educational services.
- Media monitoring services for various existing resources.

6. Incident reporting forms

CERT PSE has created a local form for reporting incidents to the CERT PSE team. We strongly encourage anyone who reports an incident to complete it (although this is not required). The current version of the form is available at: http://cert.pse.pl/kontakt/

7. Disclaimers

While all precautions will be taken in preparing information, notifications and alerts, CERT PSE shall not be liable for errors or omissions or damages resulting from the use of information contained in this document.