Video recording of the webinar, during which we answered questions concerning the scope of responsibility of local government units for compliance with the provisions of the Act on the National Cyber Security System. Answered by: Wioletta Woźniak-Kubuj, Paweł Deyk.
How to implement the provisions of the Act on the National Cybersecurity System
Wioletta Woźniak-Kubuj:
We would like to welcome you to another webinar organised by EXATEL. Today’s meeting will be hosted by myself, Wioletta Woźniak-Kubuj, together with my colleague Paweł Deyk. In today’s webinar, we will introduce you to the requirements of the Act on NCS and present the obligations that the Act imposes on you as Local Government Units (LGUs). During the first part of the presentation, Paweł and I will provide you with information on the Act and the security measures as well as EXATEL’s offer that can help you meet its requirements. When the first part is finished, there will be a Q&A panel.
Why should our clients consider the Act on the National Cybersecurity System? What is so special about it, and which aspects should they pay attention to?
Paweł Deyk:
Let’s start with the fact that this Act is not a new regulation, as it came into force last year. It explains the relevant terms and specifies obligations imposed on public entities. All Local Government Units are deemed public entities, therefore the Act – apart from the operators of essential services, who maintain the infrastructure related to the country’s security – is explicitly applicable to LGUs performing public tasks.
I would like us now to systematise the terms used in the Act, because we are going to refer to them throughout today’s webinar. The first term is an incident, meaning any event that has or could have an adverse effect on cybersecurity. Cybersecurity is understood as the resistance of information systems to actions that breach the confidentiality, integrity, availability and authenticity of processed data or of the services related to them. Importantly, the Act also specifies an incident in a public entity as a distinct type of incident. Operators of essential services distinguish between substantial and critical incidents; in the case of public entities, the focus should be placed primarily on incidents that cause or may cause a reduction in the quality of the services provided, i.e. the tasks carried out in the public interest by those entities. These can be e-services or services related to the daily work of offices and various departments. You perform a great deal of these public tasks.
Each incident has to be handled, which means all procedures that enable the detection, recording, analysis, classification and prioritisation. Moreover, corrective actions have to be taken and the impact of an incident must be limited. Incident management is a broader notion, signifying i.a. incident handling, finding correlations between various incidents, removing the causes of their occurrence, and developing conclusions resulting from incident handling. It is useful to be acquainted with these terms from the beginning; thus we can be sure that we are on the same page.
We are also talking about specific requirements resulting from the Act, covering almost the entire Chapter 5, which deals with the obligations of public entities. The most important requirement pertains to the management of an incident occurring in a public entity. The fact that an incident has occurred must be notified within 24 hours. Thus, in addition to managing the incident, it must be reported without undue delay, that is no later than 24 hours after its occurrence, to the appropriate CSIRT (CSIRT NASK in most cases). The public entity is obliged to ensure incident handling – from its recording, through analysis, up to impact assessment. In addition, the citizens for whose benefit public tasks are performed should have access to the knowledge necessary to understand cybersecurity threats. Importantly, the person who will report the incident and contact the CSIRT about it shall be designated and indicated to them.
Wioletta:
In the following slides, we will show you some examples of cybersecurity incidents that occurred in the public sector. Paweł, as you discuss them, please tell us whether, in accordance with the Act, they should be treated as incidents or not.
Paweł:
One example, which attendees of our conferences may be familiar with, is the malware-infected computers at an office in Oleśnica. Ransomware caused a lockdown of both user systems and the servers responsible for storing data related to geographic information systems. This included land plots and a database of the owners of these plots and land. I think there is little doubt that this was an incident in a public entity, as the operation of a portal providing e-services to citizens was blocked. Moreover, data integrity was breached, and there was a possibility that the locked data might not be properly recovered from backups. It was doubtful whether the service would work in the same way after the incident and whether the information in the system had been manipulated.
Another example is quite recent and has received a fair amount of media coverage. I am talking about the Poznańskie Centrum Świadczeń (social welfare centre in Poznań), in which a manager of the IT team defrauded a considerable amount of money intended for multi-child families. The IT specialist, thanks to authorisations that gave him access to the system, created users without real identities in order to set up a mechanism for the disbursement of public funds. In this case we are also dealing with an incident in a public entity, because data authenticity was violated. If fake users appear in e-service systems, we cannot talk about data authenticity. Moreover, the IT specialist used authorisations that had not been granted to him, so a computer crime was committed in this case. He may have had administrator authorisations in the system, but he certainly was not allowed to enter data not requested by citizens.
Wioletta:
If we have already detected an incident and know it has taken place, what can we do – how and where should we report it? What does the process of notifying about an incident look like?
Paweł:
First of all, having detected an incident, we should visit the CSIRT NASK website, where an incident report form is available. There you can select the option indicating that you are a public entity. A public entity, like other entities, must provide details of the entity reporting the incident, the data of the reporting party, a detailed description of the incident and its impact. We include information regarding the cause of the incident while trying to understand what exactly has happened and why. We also describe what impact the incident had on public tasks, so we need to indicate which public task it was related to, the number of users that could have been affected, the time of the incident’s occurrence and detection, as well as its duration (if the incident is over), its geographical scope, cause, course and impact. We should assess, as far as we are able to within those 24 hours, the impact of the incident as well as both the preventive actions (were the appropriate security measures implemented?) and the corrective actions (what did we do after the incident to prevent the situation from happening again?). Any other relevant information is also welcome. What else can happen after such a notification is sent? The CSIRT will certainly contact you in order to fill in any information that was missing from the notification. It will also point out any missing information that the reporting entity may have and that may be deemed necessary, for example by law enforcement agencies.
Wioletta:
Could you list the most common threats that we have encountered among our clients from public administration or local governments? Which happen the most frequently?
Paweł:
We have briefly covered the topic at the conferences. The problems that arise most often are the standard cybercrimes that we hear about – among others, theft of financial resources, swapping the contents of websites (when we talk about damage to an organisation’s image) or data leaks, which can occur in any organisation, as the sensitive data kept in offices is a “tasty treat” for cybercriminals. Additionally, frequent problems include any incidents involving misinformation or impersonation of a specific organisation, or sending emails that imitate a given entity. For example, the Social Insurance Institution (ZUS) has recently fallen victim to hackers impersonating it. The aforementioned ransomware or DDoS attacks are the cause of any loss of access to data or similar problems. Most frequently we deal with these two types of attacks, owing to the fact that they are the cheapest, the easiest to carry out and very often provided as a service in the cybercrime world. These services cost less and less and come with full customer support. That is why there are so many such attacks and why you will encounter them frequently.
Wioletta:
EXATEL offers a wide range of cybersecurity services. How could we help our clients defend against these attacks? We have shown a slide with clients – mostly from the public sector – who have given us their trust. EXATEL is responsible for the entire OST 112 network. We provide our security services to the Sejm (Lower House of Parliament), the Senate, the Chancellery of the Prime Minister, the National Electoral Commission, the Agency for Restructuring and Modernisation of Agriculture (ARMA) and the Ministry of the Interior and Administration, not to mention many commercial and energy entities or large key banks who are also our clients. Which services can we offer to our clients?
Paweł:
Due to the different needs of various clients, we will focus here on two types of services from our portfolio that seem to be the most interesting for offices, especially for LGUs. One of them is protection against DDoS attacks, which consists of the analysis of Internet traffic by a monitoring probe. The probe detects traffic profiles; if the traffic shows any signs of a DDoS attack, it is redirected to a filtering unit in the EXATEL network. This unit filters the network traffic, rejects the malicious traffic and releases the clean traffic back to the client’s network. Additionally, it is worth mentioning that DDoS protection will soon be provided within our own TAMA solution, which we have been building completely on our own; therefore, we have full control over its code and the devices. This is an exception on the market. Thanks to the fact that we are developing this solution from scratch, we can take into account all the needs of our clients and their previous experiences with such services. So far we have been providing that service on Arbor’s platform (Netscout), and will (partially) continue to do so.
Another solution worth considering is Managed Firewall. In the first model, we use our central firewalls, maintained by EXATEL engineers in our company. Traffic is then directed from the edge devices to our Data Center and, after passing through the Managed Firewall, returns to the client. In the second model we use the hardware available at the client’s location. In addition to the fact that the protection includes automatic verification on the firewalls, the entire device management, configuration preparation, deployment, subsequent maintenance of the firewall rule policies and all updates are handled by EXATEL’s engineers, thus saving your time in the daily tasks related to managing the network.
Wioletta:
During the conferences, we mentioned to you that EXATEL has prepared special promotional packages for two solutions – DDoS protection and Managed Firewall. The first solution is used for protection against volumetric attacks (DDoS attacks). In the package we offer such protection on a 100 Mbps fibre-optic link, so it is a symmetrical 100/100 connection. The contract is concluded for a period of 24 months. This comprehensive service, i.e. the link together with security, costs PLN 300 per month. Our second offer is the so-called optimal network protection. In this case you also receive a 100 Mbps fibre connection, protection against DDoS attacks and protection of network traffic to and from the Internet (firewall). The firewall service is provided to you in a managed version, which means that we, as EXATEL, install and configure it at your location, manage the policies, inform you about incidents that occur and take over the entire management of the service. Both offers are valid until the end of February next year.
Paweł, is it possible for our clients to receive support when reporting and handling an incident? Let’s assume that a client has their own security systems and has detected an incident, but they do not know how to report it to the right unit. Can EXATEL somehow help such clients?
Paweł:
Yes, absolutely. A team of EXATEL security engineers at the client’s disposal is one of our main assets. They work in the Security Operations Center (SOC), which offers three lines of support. The first line of the SOC is the monitoring department; in their spare time, they also look for threats that are mentioned on the Internet. The second line handles the process of responding to breaches, which also means working with clients on incident handling. The third line is responsible for dealing with the most complex threats that the previous lines failed to handle and prepares advanced malware analysis, penetration tests and security process reviews, as well as performing other tasks, both scheduled and resulting from an incident. Here, we oversee all clients to whom we provide cybersecurity services. We monitor information received from our partners scattered around the Internet, and as a SOC we additionally meet all the requirements for operators who provide security services under the NCS. To sum up, we can provide security services to both operators of essential services and public entities under, and in accordance with, all requirements of the Act.
The most important benefit of the SOC is that you are provided with monitoring and handling of security incidents. You can get a much more accurate and better understanding of how the network and security work, and fill in staffing gaps, which – as we know very well – is one of the more acute problems of the public sector. It also helps to comply with the new regulations and grants peace of mind, because you can always call a professional when you are not sure what to do.
Wioletta:
We are aware that clients from the public sector always have a tight budget for IT and security services. Will our clients be able to afford this service?
Paweł:
We are aware of the budgetary constraints as well as the difficulties in convincing people in managerial positions to make such expenditures. We offer a trusted, customised SOC service, which we have temporarily called Assistance. Within this service you can use up a given number of working days under, for example, a 24-month contract. The number of days is of course limited, but the technical assistance and support possibilities include support in responding to security incidents when they occur. You can report such an incident within 24 hours, but it may turn out that the amount of information you obtained from logs, devices and various security platforms is too little, and you require support in collecting information and determining the causes as well as the effects. Then, as a supplement to the notification sent to the CSIRT, you can use the information that our SOC will collect. In a way this is a form of forensic analysis, which means securing the data of devices that have been affected by an incident. Additionally, if such an incident does not occur, we can provide assistance during the reconfiguration of security systems and network devices; we can handle the analysis of software that you suspect is malicious, as well as conduct security audits and communications testing. The services will be provided on a limited scale due to the specific number of working days in which our team is available. The last issue is the organisational part – support in terms of processes and procedures, which is equally crucial for the authorities overseeing sectors within the NCS. A Security Policy and an Information Security Management System will also be important for the purpose of subsequent compliance assessment and regular audits. These factors will influence the authority’s assessment of the organisation’s attention to security and mitigation of the potential impact of cyberattacks.
Q&A
Wioletta: What is the difference between incident handling for a public entity and operators of essential services?
Paweł: From a technical standpoint, there is not much difference here. Operators of essential services must also handle the incident and report it to the CSIRT. The main difference lies in the distinction between the types of priorities. Incidents can be either substantial or critical, and operators of essential services need to address the classification of the priority. As a public entity, it is up to us to report any incidents that may have or have actually affected the systems supporting public tasks.
Wioletta: In your subsequent question, I suspect you are referring to a personal data leak incident. Such an incident must be reported to the Personal Data Protection Office if the integrity of personal data is lost or compromised. In that case, should we expect two inspections? Is it necessary to report such incident to CSIRT NASK and to the Personal Data Protection Office? Will there be an inspection within the scope of GDPR as well as NCS compliance?
Paweł: As far as the NCS is concerned, it does not in any way waive the obligations arising from the General Data Protection Regulation. Therefore, I think that in the case of a data leak, you should report the incident. For other incidents, perhaps reporting to the CSIRT will suffice; however, in the case of a data leak, you definitely need to report that to the Personal Data Protection Office as well. Should you expect an inspection? It is hard to say. Certainly both institutions will want to complete the information in the notification sent to them and, depending on their assessment of the degree of security and the readiness to handle such incidents in the organisation, there is a risk of some consequences. However, it is worth reporting the incident. Moreover, CSIRT NASK encourages public entities to report all incidents – not only those that clearly qualify as a public entity incident, but any events that raise concerns. That also includes emails suspected of phishing or of containing malware. The CSIRT highly encourages reporting such events, and I think it is the right approach. If you use our Assistance service, we can help you complete this information with data that you might have omitted (for instance, that your computer is locked or that someone unauthorised tried to log into it). Perhaps the analysis will reveal a bit more about the potential sources from which the attack occurred and what software was used, and will allow for a further, professional assessment of its impact.
Wioletta: To sum up, in case of a data leak incident, we should report it both to the Personal Data Protection Office and CSIRT NASK. Will there be only two inspections? Is each and every incident followed by an inspection? I think this is a highly individual issue and it probably depends on how serious the incident was.
Wioletta: What is your opinion on the topic of cyber insurance? Is it a good idea to purchase it? If so, what extent should it cover?
Wioletta: Based on my experience and meetings with clients, attitudes towards cyber insurance differ. Some clients assume that despite having data leak protection, a firewall, DDoS mitigation and various other safeguards, there is no guarantee that various threats will not affect them. At the moment, there is no solution on the market that will grant us complete security. As a result, these clients acquire a cyber insurance policy to protect them from the financial consequences following the occurrence of an incident. Other clients think that the only protection they need is a cyber insurance policy, and that if anything happens the insurer will pay the penalty for them. We, as EXATEL, do not handle insurance policies; therefore we are not able to answer the question of to what extent they are worth investing in. I always compare it to comprehensive car insurance – some people purchase it, others do not; some people add discount protection to it, others do not. It all depends on individual needs and capabilities. But whether you choose to acquire such a policy or not, and to what extent, it does not release you from the obligation to implement protections against cybersecurity incidents.
Paweł: It also seems to me that the companies selling cyber insurance will be paying more and more attention to whether we have such protections. Just as it is hard to purchase an insurance policy on an apartment without a burglar alarm, the same will apply to cybersecurity systems.
Wioletta: Companies dealing with cyber insurance policies always verify whether, and what kind of, cybersecurity their client has implemented. Based on that, they estimate the risk of such an incident, and if the organisation does not have any cybersecurity systems, the value of the policy might be lower or the insurance company will reserve the right to withdraw from the policy.
Paweł: It is definitely worth considering as an additional security measure. There is never 100% security, something can always occur and it is worth protecting yourself and your finances in this way.
Wiola: If we report an incident to CERT, will we receive any response from them? What are their rights? Can CERT conduct an inspection or impose a penalty?
Paweł: CERT will first and foremost try to collect all information related to the incident in order to minimize its impact and possibly inform other entities about the fact that some kind of cybersecurity threat is taking place in public institutions.
This raises a question regarding CERT’s capabilities – their primary role is coordination, while the competent authorities can carry out some inspections or verifications. In the case of the NCS, there are no financial penalties, but some consequences associated with a failure to exercise due diligence or to comply with various official obligations can arise. It is worth remembering that the CSIRT team is only responsible for handling incidents and helping the units it oversees to deal with these incidents. The supervisory authorities, on the other hand – according to the NCS – are responsible for all control elements and for preparing training. This is certainly relevant from your point of view. For our part, we also try to give you suggestions, but if you have any specific questions or issues that are difficult to resolve and are not directly covered by the Act, it is also worth contacting the Ministry of Digital Affairs, which, as the competent authority, will provide you with explanations and point you to the relevant information.
Wioletta: Who can impose penalties on a public entity for failure to comply with its obligations under the Act on the National Cybersecurity System? What kind of penalties can be imposed?
Paweł: There is no information in the Act on financial penalties for public entities; however, significant penalties can be imposed on operators of essential services. Still, this does not exempt public entities from their statutory obligations. In case of any doubts regarding the scope of responsibility of your organisation, you can refer to the Ministry of Digital Affairs’ website, where you will find the relevant information pertaining to public entities. We are not able to answer all the questions, especially in view of the fact that many answers depend on the interpretation of the question. We are also waiting for the first serious proceedings in order to see how the authorities react to such notifications in practice.
Wioletta: To which unit are we supposed to report incidents? Who is the head of this unit?
Local Government Units report all incidents related to the NCS to CSIRT NASK. They receive your notification and cooperate with you in order to handle the incident; they tell you what should be done and how, and ask additional questions.
Paweł: This team is in close contact with CERT NASK, so there is a full exchange of information between these teams. The only case in which you do not report incidents to CSIRT NASK is when you maintain Critical Infrastructure. These types of incidents must be reported to CSIRT GOV – this is the only exception. Other public entities that do not have Critical Infrastructure report incidents to CSIRT NASK.