Executive Summary


This deliverable introduces a playbook for collaborative activities among Security Operations Centres (SOCs) and Computer Emergency Response Teams (CERTs) in the electricity sector. National incident response procedures are defined, which consist of containment, eradication, recovery, and reporting activities, and in which the current status of the response is shared with CERTs in order to support a coordinated response to incidents and reduce their impact on critical infrastructure. Specified rules determine the required level of coordination with CERTs, i.e., when and how incidents are reported to CERTs according to their classification, severity, and functional and informational impact.

The methodology provided and utilized in the D6.8 deliverable results in the definition of the incident response strategy, incident response procedures, cooperation and communication strategy, information sharing mechanisms, formats of reports for national CERTs, and tools to exchange the reports. It presents the basis for implementing a toolset for reporting to CERTs, coordination and cooperation among different stakeholders, analysis of incidents, decision-making, and the selection of appropriate incident response procedures. A fully functional toolset integrates several components: a group collaboration system, a decision support system, a process execution engine, a knowledge repository, CTI exchange mechanisms, and the capabilities of data management systems and SIEM systems.

The compiled set of rules for efficient coordination of EPES (electrical power and energy system) operators and reporting to CERTs is based on compromised assets and classes of cybersecurity attacks. Assets and events are mapped to incident response procedures that include containment, eradication, recovery, reporting, and coordination activities and rules. The impacts and effects of cybersecurity events are assessed to select appropriate procedures. The assessment is performed with multi-criteria decision-making (MCDM) methods by determining the scope, severity, impact, and extent of the damage caused by the incident. The mapping considers compromised assets, cybersecurity events, vulnerabilities of assets, and national pilot scenarios with their attack trees.
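To make concrete the two mechanisms described above (rules that set the CERT coordination level from severity and functional/informational impact, and an MCDM assessment that maps assets and event classes to a response procedure), the following added example implements a simple weighted-sum scoring, one of the basic MCDM methods. It is illustrative code written for this summary, not part of D6.8 or its toolset: the criterion weights, thresholds, coordination-level names, asset/event classes and procedure identifiers are all constructed placeholders, and the actual rules in the deliverable may differ.

```python
"""Weighted-sum MCDM scoring of an incident, mapped to a CERT coordination
level and a candidate response procedure.

Added example, not D6.8's own rules. Every weight, threshold, level name and
procedure id below is a constructed placeholder.
"""
from dataclasses import dataclass, field

# Hypothetical criterion weights; they must sum to 1.0 so the score stays in [0, 1].
WEIGHTS = {
    "scope": 0.2,                 # share of the operator's estate affected
    "severity": 0.3,              # technical severity of the event
    "functional_impact": 0.3,     # effect on grid/process operation
    "informational_impact": 0.2,  # confidentiality/integrity of data
}

# Hypothetical coordination levels, checked from the highest threshold down.
LEVELS = [
    (0.7, "coordinated-response"),  # CERT actively coordinates the response
    (0.4, "report-to-cert"),        # incident reported, operator handles it
    (0.0, "internal-handling"),     # tracked in the SOC only
]

# Hypothetical (asset class, event class) -> procedure id catalogue.
PROCEDURES = {
    ("scada-hmi", "malware"): "IRP-MALWARE-OT",
    ("corporate-workstation", "malware"): "IRP-MALWARE-IT",
    ("corporate-workstation", "phishing"): "IRP-PHISHING",
}
FALLBACK_PROCEDURE = "IRP-GENERIC"


@dataclass(frozen=True)
class Incident:
    """A classified incident with per-criterion scores in [0, 1]."""
    asset_class: str
    event_class: str
    scores: dict = field(default_factory=dict)


def weighted_score(scores):
    """Weighted sum over the criteria; rejects missing or out-of-range values."""
    if set(scores) != set(WEIGHTS):
        raise ValueError(f"expected criteria {sorted(WEIGHTS)}, got {sorted(scores)}")
    for criterion, value in scores.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{criterion} must be in [0, 1], got {value}")
    return round(sum(WEIGHTS[c] * scores[c] for c in WEIGHTS), 4)


def coordination_level(score):
    """Map a score to the first coordination level whose threshold it reaches."""
    for threshold, level in LEVELS:
        if score >= threshold:
            return level
    raise ValueError("score below every threshold")  # unreachable with a 0.0 floor


def select_procedure(incident):
    """Look up the procedure for the compromised asset and event class."""
    return PROCEDURES.get((incident.asset_class, incident.event_class), FALLBACK_PROCEDURE)


def assess(incident):
    """Full assessment: score, required CERT coordination, chosen procedure."""
    score = weighted_score(incident.scores)
    return {
        "score": score,
        "level": coordination_level(score),
        "procedure": select_procedure(incident),
    }


if __name__ == "__main__":
    # Constructed sample incidents, not real events.
    ot_malware = Incident("scada-hmi", "malware", {
        "scope": 0.8, "severity": 0.9, "functional_impact": 1.0, "informational_impact": 0.5})
    it_phishing = Incident("corporate-workstation", "phishing", {
        "scope": 0.2, "severity": 0.3, "functional_impact": 0.2, "informational_impact": 0.6})
    for inc in (ot_malware, it_phishing):
        print(inc.asset_class, inc.event_class, assess(inc))
```

The ordered threshold list is deliberate: a sorted list of (threshold, level) pairs keeps the rule table auditable and lets the thresholds be reviewed and changed without touching the code, which matters when the same rule set has to be agreed with a national CERT.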

Incident response procedures are modeled as process diagrams by using the SAPPAN tool. The standard BPMN notation and a common vocabulary are applied. At first, procedures are defined separately for national pilots to consider the specifics of regulations in different countries. On this basis, common rules for EPES are derived. They are aligned with European legislation, focusing particularly on the NIS 2 Directive, the CER Directive, and the Network Code on Cybersecurity.

In addition to incident response procedures and rules, D6.8 also provides the design and implementation of the supporting toolset. It is built on SAPPAN, MISP, TheHive, Cortex, and DSS. It supports all levels of SOC operations: L1, L2, and L3.

Finally, the proposed rules and tools are implemented. Key scenarios are verified for the malware and phishing incident response procedures. These scenarios address reporting to CERTs through the standard NOKI object, CTI exchange with the MISP platform, playbook management and sharing using MISP and SAPPAN, playbook automation, and rules for efficient coordination of stakeholders within EPES communities.