RFC 2350

1. Document information

This document contains a description of Kaspersky ICS CERT according to RFC 2350. It provides basic information about the Kaspersky ICS CERT, its channels of communication, roles, responsibilities and the service it offers.

1.1. Date of last update

Version 1: 2020/09/24

1.2. Distribution list for notifications

There is no distribution list for notifications.

1.3. Locations where this document may be found

The current version of this document can always be found at https://ics-cert.kaspersky.com/rfc-2350/.

1.4. Authenticating this document

This document has been signed with the PGP key of Kaspersky ICS CERT. For more details, please see section 2.8.

1.5. Document identification

Title: “RFC 2350 Kaspersky ICS CERT”

Version: 1.0

Document Date: 2020/09/24

Expiration: This document is valid until superseded by a later version.

2. Contact information

2.1 Name of the team

Kaspersky Industrial Systems Emergency Response Team.

Short name: Kaspersky ICS CERT

2.2. Address

Kaspersky ICS CERT

39A/3 Leningradskoe Shosse

Moscow, 125212

Russian Federation

2.3. Time zone

CET +1 hour during the summer time and +2 hours during the winter time

2.4. Telephone number

+7 495 797 87 00

2.5. Facsimile number

+7-495-797-8709

2.6. Other telecommunication

None.

2.7. Electronic mail address

The preferred method to contact the Kaspersky ICS CERT team for general inquiries is to send an e-mail to the address ics-cert@kaspersky.com which is monitored by our security experts during hours of operation (open 9am to 8pm UTC-5).

2.8. Incident reporting

To report an incident, please fill in the application form at https://ics-cert.kaspersky.com/contacts/.

2.9. Public keys and encryption information

PGP is used for functional exchanges between Kaspersky ICS CERT and its Partners (incident reports, alerts etc) https://ics-cert.kaspersky.com/KICSCERT-57DDD676-public.asc

2.10. Team members

• Head of Kaspersky ICS CERT: Evgeny Goncharov;
• Head of Technology Associations, Analytics and Standards: Viacheslav Zolotnikov;
• Head of ICS CERT Products: Mikhail Berezin;
• Head of ICS CERT Vulnerability Research and Assessment: Artem Zinenko.

The team includes 30 staff members.

2.11. Other information

Kaspersky ICS CERT is an accredited CERT by Carnegie Mellon University.  

Individuals from Kaspersky ICS CERT hold membership in the following organizations:

Regulatory and EU projects:

• ENISA Expert group on Industry 4.0 (EICS)
• Horizon 2020 CITADEL project

Industrial Consortia Membership:

• Industrial Internet Consortium
  • GlobalPlatform, TEE Committee

Standardisation Membership in SDOs :

• ISO/IEC SC41 (IoT) (Reference Architecture, Trustworthiness standards)
• ISO/IEC JTC1/AG8 (Meta-Architecture and Trustworthiness)
• ITU-T SG20 (Internet of things (IoT) and smart cities and communities (SC&C))
• IEEE-SA (P2413 “IoT Architectural Framework” and P2418 “Blockchain for IoT”)
• Members of national Russian Technical Committees : TC22, TC26, TC194, TC362
• OPC Foundation

3. Charter

3.1. Mission statement

Kaspersky Industrial Control Systems Computer Emergency Response Team (ICS CERT) is a special Kaspersky project that aims to accumulate expertise in Industrial Control Systems and Industrial Internet of things cybersecurity and to share knowledge within Kaspersky, with Kaspersky customers and partners and wider audiences, including industrial facility owners, operators, industrial sector regulators and cyber security researchers.

3.2. Constituency

The constituency of Kaspersky ICS CERT is a private and public sector. Kaspersky ICS CERT provides its services to industrial facility owners and operators, OT integrators, industrial sector regulators, IT/OT cyber security providers, and research teams. Pro-active security reports, such as emerging threat alerts, threat landscape analysis reports, and vulnerability advisories as well as materials containing generic analytics are publicly provided for the wider audience.

3.3. Sponsorship and/or affiliation

Kaspersky ICS CERT is a part of Kaspersky – global cybersecurity company that provides deep threat intelligence and security expertise to protect businesses, critical infrastructure, governments and consumers around the globe (https://www.kaspersky.com/about).

3.4. Authority

Kaspersky ICS CERT performs its activities within the framework defined by Kaspersky Board of Directors. Being a privately held and funded team Kaspersky ICS CERT offers the wide range of ICS cyber security services, starting from the intelligence on the latest threats and security incidents with mitigation strategies and all the way up to vulnerability research and coordinated disclosure, including incident response and generic consultancy. Our actions are authorized, motivated and limited by contracts with our customers, cyber security best practices and recommendations from the respected institutions, our good faith and the laws of the countries we operate in.

4. Policies

4.1. Types of incidents and level of support

Kaspersky ICS CERT provides support to address various types of computer security incidents which occur, or threaten to occur, in our constituency (see 3.2). The level of support given by Kaspersky ICS CERT depends on the type and severity of the incident or issue, the type of constituency, the number of the users affected, and the resources available at the time of the incident. Special attention is given to the issues affecting critical infrastructure or wide range of industrial organizations.

The incidents we support include:

• Vulnerabilities in ICS/OT/IIoT products and technologies discovered by our team or reported to us by a third-party researcher. 
  • We provide responsible vulnerability information disclosure coordination with the vulnerable product vendors and other coordination bodies;
  • We assist vulnerable product vendors in the technical vulnerability analysis, remediation and disclosure strategy development and the vulnerability fix evaluation;
  • When needed, we help the vulnerable product vendor to issue a CVE record for the vulnerability;
  • When needed, we assist the vulnerable product vendor in creation and checking its own vulnerability advisory prior to its publication;
  • We provide our customers and public audience with information on the vulnerabilities discovered by us and reported to us in the form of vulnerability advisories and research reports, both public and private.
• Attacks on industrial organizations and ICS/OT environments.
  • We monitor ICS threat landscape changes using our own telemetry data coming from ICS computers protected by Kaspersky products, which are connected to our global KSN network, the information coming from our private connections and public sources to detect and analyze emerging threats to ICS environments and industrial organizations. We issue alerts and reports – both public and private – on the threats detected and analyzed to help organizations protect and remediate.
  • We handle requests coming from Kaspersky customers, IT/OT security research organizations and wider audience to help them investigate computer incidents that have occurred in ICS/OT networks, triggered by either a targeted attack or a mass-spread malware outbreak. The result would be a custom report delivered privately to the organization.

4.2. Co-operation, interaction and disclosure of information

Kaspersky ICS CERT cooperates with other organizations in the field of cybersecurity, such as other ICS/OT security providers, national CERT teams, international organizations and individual security researchers.  The cooperation includes the exchange of information on threat landscape, vulnerabilities and attacks industrial facilities.

When sharing information with third-party organizations we follow the minimal information necessary principals, to only provide the information absolutely needed to prevent an incident and to remediate its consequences.

When disposing the information we follow the customer contract terms, cyber security best practices and recommendations from the respected institutions, and the laws of the countries we operate in.

The privacy of reports, partners and its constituents are ensured by Kaspersky ICS CERT in compliance with very latest legal requirements including local and regional legislation, such as the GDPR in Europe. All data processed and/or transferred is robustly secured through encryption, segregated storage, strict data access policies and by applying other modern cyber security methodology and state of the art technology.

When classifying cyber security information Kaspersky ICS CERT follows international, reginal and local legislation requirements. We also support the Information Sharing Traffic Light Protocol (ISTLP; https://ics-cert.kaspersky.com/away?url=https%3A%2F%2Fwww.first.org%2Ftlp%2Fdocs%2Ftlp-v1.pdf).

Kaspersky ICS CERT handles all incident-related information privately submitted to us by our customers and third-parties, as well all the customer or a third-party information discovered by ourselves while performing research and investigation activities  as confidential per default, and will only forward it to concerned parties in order to resolve specific incidents when consent is implicit or expressly given. If we believe a public safety might be at risk, and if not specifically limited by a contract or a law, we may decide to partially disclose information on the threat, in an anonymized form and only technical part of it essential to prevent an incident and to remediate its consequences.

4.3. Communication and authentication

For correspondence not containing sensitive information Kaspersky ICS CERT uses conventional methods such as unencrypted e-mail or fax. To ensure the security of communication that involves sensitive information, PGP-encrypted e-mail or telephone will be used.

5. Services

Kaspersky ICS CERT provides both real-time services to address emerging threats, such as threat information sharing, cyberattack analysis and incident response and non-real-time proactive activities such as awareness-raising ones and security framework development for ICS/IIoT environments.

5.1. Incident response

Kaspersky ICS CERT assists its constituency in handling the technical aspects of cyber incidents. It includes technical data analysis and assistance and/or advice with the following aspects of incident management:

5.1.2. Incident technical analysis:

• Supporting digital artifacts collection to analyze and resolve the incident from remote; or
• Conducting a technical analysis of systems compromised or affected during the incident on sight;
• Performing deep technical analysis of incident related data and digital artifacts;
• Aligning the information discovered with the bigger picture and knowledge on relevant adversary, toolsets, malicious infrastructure, attack campaign and TTPs of similar attacks based on information gathered from other sources, both Kaspersky private and public;
• Creating report on the technical analysis results.

5.1.3. Incident resolution / mitigation tactics and strategy

• Supporting elimination of the root cause of the security incident and its effects;
• Advising on the recovery of systems compromised or affected; and
• Documenting lessons learned.

5.2. ICS/OT threat intelligence

Kaspersky ICS CERT provides real-time and periodic threat intelligence reporting and information sharing services to address emerging threats to ICS/OT infrastructures and industrial organizations, including (but not limited to):

• Maintaining the important ICS/OT cyber security public news feed;
• Delivering private threat intelligence alerts and reports to our customers and organizations, targeted by the attack;
• Publishing announcements and security alerts concerning emerging security threats for the wider range of industrial organizations;
• Providing its customers with tailored threat intelligence research reports, based on the particular customer need and requirements;
• Publishing periodic threat landscape research reports for Industrial Control Systems;
• Providing our customer with ICS threat IoCs data feeds to help them detect and prevent threats in real-time, and to analyze and attribute attacks and incidents.

5.3. ICS/IIoT vulnerability research and coordinated information disclosure

On the request from our customers, to support various Kaspersky products development and services delivery and on our own – for the sake of public safety purposes – Kaspersky ICS CERT performs wide range of ICS/IoT/IIoT vulnerability research, analysis and remediation activities, including (but not limited to):

• ICS/IoT/IIoT products and technologies security analysis and vulnerability research;
• Handling reports from other Kaspersky teams and 3-rd-party security researchers on ICS/IoT/IIoT vulnerabilities discovered;
• Privately contacting vulnerable product vendors to report the vulnerability and to perform other steps and activities essential for coordinated vulnerability disclosure;
• Assisting vulnerable product vendors in the technical vulnerability analysis, remediation and disclosure strategy development and the vulnerability fix evaluation;
• Assisting the vulnerable product vendor in creation and checking its own vulnerability advisory prior to its publication;
• Helping the vulnerable product vendor to issue a CVE record for the vulnerability;
• Maintaining our private ICS/IIoT vulnerability advisory database; to support Kaspersky product and service development and threat hunting activities;
• Provide our customers and ICS infrastructure owners and operators with private and public vulnerability advisories and potential attack detection signatures to support them in performing vulnerability assessment and remediation activities;

5.4. Proactive activities

Kaspersky ICS CERT performs a wide range of awareness raising and security framework development activities, such as

1. Conducting security awareness training for industrial organizations personnel;
2. Conducting expert ICS/IIoT security training to IT/OT security professionals;
3. Organizing CTF competitions and Red/Blue team exercises;
4. Providing online security webinars on emerging ICS/OT security topics;
5. Working with international associations and working groups on IoT/IIoT cyber security frameworks, standards and recommendations.
6. Providing training and webinars on new security framework developed.

6. Incident reporting forms

To report an incident to Kaspersky ICS CERT, please visit https://ics-cert.kaspersky.com/contacts/.

7. Disclaimers

While every precaution will be taken in the preparation, handling and delivery of information, notifications and alerts, Kaspersky ICS CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.