CERT-FI service description (RFC 2350)

The National Cyber Security Centre Finland is the home of the national and governmental CSIRT in Finland, the CERT Finland (CERT-FI). NCSC-FI is part of the Finnish Communications Regulatory Authority (FICORA).


1. Document Information

This document describes the computer security incident response (CSIRT) functions of the National Cyber Security Centre Finland (NCSC-FI) in accordance with RFC 2350.

1.1 Date of Last Update

This document was last updated 2017-04-04.

1.2 Distribution List for Notifications

There is no distribution list for notifications in relation to this document. The document is publicly available.

1.3 Locations where this Document May Be Found

The document will be posted on NCSC-FI's website and can be accessed by following this link:

https://ncsc.fi/en/activities/rfc2350.html

2. Contact Information

2.1 Name of the Team

Since 1 January 2014 the team name has been The National Cyber Security Centre Finland, abbreviated NCSC-FI.

The old team names CERT Finland and CERT-FI continue to be recognised but are not actively endorsed anymore.

2.2 Address

The NCSC-FI website can be found at https://ncsc.fi/

Visiting and postal address is:

The National Cyber Security Centre Finland
Finnish Communications Regulatory Authority
Itämerenkatu 3 A
P. O. Box 313
FI-00180 HELSINKI
Finland

2.3 Time Zone

NCSC-FI Coordination Centre operates in Helsinki, Finland which is in the Eastern European Time Zone (EET, UTC+2h). Finland observes summer time arrangements as indicated in the EU directive 2000/84/EC.

The DST offsets in Finland are applied as follows

  • UTC+3h (EEST) summertime between the last Sunday of March and the last Sunday of October
  • UTC+2h (EET) otherwise.

2.4 Telephone Number

  • NCSC-FI Coordination Centre: +358 295 390 230.
  • NCSC-FI media enquiries: +358 295 390 248.
  • FICORA switchboard: +358 259 390 100.

2.5 Facsimile Number

None.

2.6 Other Telecommunication

NCSC-FI has access to video and teleconferencing systems.

NCSC-FI Duty Officer has a direct 24/7 phone number. Available by request only.

NCSC-FI utilises the national authorities' TETRA network VIRVE to communicate with other security authorities and operators of critical infrastructure.

The NCSC-FI team members' phone numbers are under the +358 295 390 prefix.

2.7 Electronic Mail Address

NCSC-FI Coordination Centre can be reached by e-mail at CERT (at) ficora.fi.

The Vulnerability Coordination team at NCSC-FI can be reached by e-mail at VulnCoord (at) ficora.fi.

Information about other e-mail addresses and web-based contact forms can be found at NCSC-FI's web site.

2.8 Public Keys and Encryption Information

NCSC-FI supports PGP for encryption and signing. Information about the current and historic keys along with their intended usage can be found on the following NCSC-FI web page:

All employees of the Finnish Communications Authority have X.509 certificates issued by the Population Register Center. The public keys can be obtained from JULHA.FI service:

Support for other encryption methods and key management schemes is subject to bilateral and multilateral agreements.

NOTE: Before sending protectively marked information, contact NCSC-FI for instructions on the proper encryption scheme and transport channel.

2.9 Team Members

The director of NCSC-FI is Mr. Jarkko Saarimäki. The head of Coordination Centre is Mr. Arttu Lehmuskallio and the head of Situational Awareness Services is Mrs. Jarna Hartikainen.

Team representative for Trusted Introducer and FIRST is Mr. Kauto Huopio.

Information about other team members is available by request.

2.10 Other Information

NCSC-FI Facebook page: https://www.facebook.com/NCSC.FI

NCSC-FI Twitter profile (@CERTFI): https://twitter.com/CERTFI

NCSC-FI makes use of dedicated IRC and Jabber chatrooms.

2.11 Points of Customer Contact

Customers and fellow incident response teams are encouraged make use of the contact forms, e-mail addresses, encryption keys and phone numbers listed on NCSC-FI's web site.

Privileged customers have been communicated the preferred contact details via alternate channels.

3. Charter

3.1 Mission Statement

The mission of the National Cyber Security Centre Finland is:

  • to develop the operational reliability and security of communications networks and services
  • to increase public trust in the use of electronic services by strengthening national information security
  • to step up the agency's efforts in technical steering and supervision with regard to the information security and preparedness in public communications networks and services.

3.2 Constituency

The National Cyber Security Centre is the National CSIRT of Finland and a CSIRT of last-resort in cases where reporter cannot find more direct reporting contact in Finland. NCSC-FI welcomes all incident reports of signifigance to Finnish interests regardless of the reporter’s nationality or affiliation.


Telecommunications providers have a legal obligation to report NCSC-FI about major information security incidents, threats to information security and faults and disturbances.

NCSC-FI is the Finnish GovCERT as per agreement with Ministry of Finance.

Critical Infrastructure Providers benefit from CSIRT services provided by NCSC-FI as per agreement with the National Emergency Supply Agency.

3.3 Sponsorship and/or Affiliation

The National Cyber Security Centre Finland is one of the four divisions within the Finnish Communications Regulatory Authory. The agency is situated under the governmental branch of Ministry of Transport and Communications.

Additionally, the National Cyber Security Centre Finland reports to other competent authorities in the following situations

NCSC-FI is funded by information security fees collected from the telecommunications providers, allocations from the state budget and proceeds from contracts with Ministry of Finance and NESA.

3.4 Authority

As a governmental agency, the tasks and mandate of NCSC-FI and its parent organisation FICORA is stated in the law. The applicable laws with relevance to the CSIRT duties of NCSC-FI are as follows:

  • Act on Communications Administration (625/2001)
  • Government Decree on Communications Administration (60/2004 and 761/2006, not available in English)
  • Act on the Protection of Privacy in Electronic Communications (516/2004)
  • Communications Market Act (393/2003)
  • Act on Strong Electronic Identification and Electronic Signatures (617/2009)
  • Government Decree on information security in central government (681/2010)
  • Act on the communications and information security audits (1406/2011, not translated)
  • Act on the International Information Security Requirements (588/2004, not translated).

NCSC-FI's role as a National CSIRT of Finland is based on the act and decree on Communications Administration and Act on the Protection of Privacy in Electronic Communications.

NCSC-FI's role as the GovCERT of Finland is based on a mutual agreement between Ministry of Finance and FICORA.

4. Policies

4.1 Types of Incidents and Level of Support

For statistical purposes, the incident reports are divided in the following categories:

  • Vulnerabilities
  • Malware
  • Scan
  • System break-in
  • Denial-of-service attack
  • Information security problem
  • Social engineering.

The automated bulk incident reporting system Autoreporter provides technical reports in a wide range of categories such as reporting a large number of varying types of bot malware (e.g. ZeuS, Conficker, ZeroAccess), web server break-ins, denial of service attacks and worm-like behaviour.

The early-warning system HAVARO categorises the incidents in RED, yellow and green, based on the severity of the incident.

The vulnerability advisories produced by NCSC-FI are categorised based on the target type, exploit method, anticipated outcome and the existence of a supported fix or documented workaroud.

The table below describes the level of support for the relevant customer groups.

CERT-FI Services - Levels of Support

4.2 Co-operation, Interaction and Disclosure of Information

NCSC-FI is governed by the Act on the Openness of Government Activities (621/1999), according to which all Official documents must be public, unless specifically otherwise stated in the law. Exceptions to the opennes principle are detailed in

  • section 24 of the Act on the Openness of Government Activities
  • Government Decree on information security in central government (681/2010) and
  • act on the international information security requirements (588/2004, not translated).

NCSC-FI has a legal mandate to receive, handle and share cyber security information, including telecommunications identification data, that facilitates the investigation of network and information security incidents and threats.

4.3 Communication and Authentication

The preferred method for secure communication is PGP signed and encrypted e-mail. All official NCSC-FI keys have been signed with the key signing key (0xFF324434), which can be found on the NCSC-FI web page.

All NCSC-FI staff members carry a personal ID and have been provided X.509 certificates for electronic signing and e-mail encryption.

NOTE: Before sending protectively marked information, contact NCSC-FI for instructions on the proper encryption scheme and transport channel.

5. Services

5.1 Incident Response


NCSC-FI is the national CSIRT of Finland. NCSC-FI provides incident response coordination services that fascilitate other CSIRTs, the system administrators and network owners in their mission to keep their networks secure.

NCSC-FI operates tools such as bulk incident reporting system Autoreporter and early-warning system HAVARO to gather information about incidents of relevance to Finland.

The NCSC-FI can mandate telecommunications providers to take corrective action to support incident response. As a GovCERT of Finland, NCSC-FI can initiate action in governmental organisations.

5.1.1. Incident Triage

NCSC-FI prioritises cyber security incidents or information security threats affect the following:

  • Critical public communications networks and services or a significant number of end users
  • Classified communications and information systems or systems accredited for use by NCSC-FI
  • Provision of and usage of electronic signatures or the functions of a certificate authority
  • Critical Infrastructure Providers in Finland
  • Government organisations
  • National security of Finland and its international partners, most notably Nordic countries and EU
  • Notable number of internet users and international community at large
  • Finnish software and hardware vendors and service providers in the fields of ICT, ICS and Cyber Security.

5.1.2. Incident Coordination

NCSC-FI supports key incident response stakeholders by providing coordinatory services such as:

  • information sharing, proxying and anonymisation
  • contact and collaboration networks
  • technical analysis
  • situational awareness
  • legal expertise
  • regulatory oversight.

NCSC-FI tasks itself to connect parties with information with the parties with the need for the information. To be successful in this, NCSC-FI aspires to reach all relevant ICT and ICS operators and security officials in Finland and maintain good operational contacts with fellow CSIRTs around the world.

5.1.3. Incident Resolution

The responsibility to design, deploy and operate the systems and services in a secure manner and resolve incidents remains at all times on the owners of the said systems and services. The end users have a responsibility of their own actions.

NCSC-FI can provide coordinatory services, provide legal guidance and has limited possibilities to assist in artifact analysis.

5.2 Proactive Activities

NCSC-FI actively participates in information sharing and awareness building activities. NCSC-FI produces topical articles, advisories, alerts and instructions. Most of the material is in the public domain.

Software vulnerabilities pose a significant threat to the society. NCSC-FI tasks itself in linking the vulnerability finders and the vendors by providing Vulnerability Coordination services.

6. Incident Reporting Forms

The preferred method for reporting an incident to NCSC-FI is through the contact form.

The telecommunications providers are encouraged to take use of the forms accompanying the FICORA regulation #9 (on information security) or #57 (faults and disturbances).

The automated bulk incident reporting system Autoreporter accepts the common machine-readable formats such as csv, "Team Cymru" format, IODEF. Autoreporter also supports proprietary non-binary formats. Autoreporter supports batch-processing and as-it-happens reporting.

Singular incident reports can also be submitted in free-form fashion via e-mail.

7. Disclaimers

None.

Key words: Information security , CERT-FI , Encryption , Brochure

LinkedIn Print

logo

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248