The National Cyber Security Centre Finland is the home of the national and governmental CSIRT in Finland, the CERT Finland (CERT-FI). NCSC-FI is part of the Finnish Transport and Communications Agency (TRAFICOM).
1. Document Information
This document describes the computer security incident response (CSIRT) functions of the National Cyber Security Centre Finland (NCSC-FI) in accordance with RFC 2350 (Ulkoinen linkki).
1.1 Date of Last Update
This document was last updated 2023-10-03.
1.2 Distribution List for Notifications
There is no distribution list for notifications in relation to this document. The document is publicly available.
1.3 Locations where this Document May Be Found
The document will be posted on NCSC-FI's website and can be accessed by following this link:
https://www.kyberturvallisuuskeskus.fi/en/our-activities/cert/rfc2350 (Ulkoinen linkki)
2. Contact Information
2.1 Name of the Team
Since 1 January 2014 the team name has been The National Cyber Security Centre Finland, abbreviated NCSC-FI.
The old team names CERT Finland and CERT-FI continue to be recognised but are not actively endorsed anymore.
2.2 Address
The NCSC-FI website can be found at https://www.ncsc.fi/ (Ulkoinen linkki)
Visiting and postal address is:
National Cyber Security Centre Finland
Finnish Transport and Communications Agency Traficom
Dynamicum, Erik Palménin aukio 1
P. O. Box 320
FI-00059 TRAFICOM
Finland
2.3 Time Zone
NCSC-FI Coordination Centre operates in Helsinki, Finland which is in the Eastern European Time Zone (EET, UTC+2h). Finland observes summer time arrangements as indicated in the EU directive 2000/84/EC (Ulkoinen linkki).
The DST offsets in Finland are applied as follows
- UTC+3h (EEST) summertime between the last Sunday of March and the last Sunday of October
- UTC+2h (EET) otherwise.
2.4 Telephone Number
- NCSC-FI Coordination Centre: +358 295 345 630.
- NCSC-FI media enquiries: +358 29 534 5648.
- TRAFICOM switchboard: +358 29 534 5000.
2.5 Facsimile Number
None.
2.6 Other Telecommunication
NCSC-FI has access to video and teleconferencing systems.
NCSC-FI Duty Officer has a direct 24/7 phone number. Available by request only.
NCSC-FI utilises the national authorities' TETRA network VIRVE to communicate with other security authorities and operators of critical infrastructure.
The NCSC-FI team members' phone numbers are under the +358 295 390 prefix.
2.7 Electronic Mail Address
NCSC-FI Coordination Centre can be reached by e-mail at CERT (at) traficom.fi.
The Vulnerability Coordination team at NCSC-FI can be reached by e-mail at VulnCoord (at) traficom.fi.
Information about other e-mail addresses and web-based contact forms can be found at NCSC-FI's web site.
2.8 Public Keys and Encryption Information
NCSC-FI supports PGP for encryption and signing. Information about the current and historic keys along with their intended usage can be found on the following NCSC-FI web page:
Support for other encryption methods and key management schemes are subject to bilateral and multilateral agreements.
NOTE: Before sending protectively marked information, contact NCSC-FI for instructions on the proper encryption scheme and transport channel.
2.9 Team Members
The director of NCSC-FI is listed in agency management contact details page:
Team representatives for Trusted Introducer (Ulkoinen linkki) and FIRST (Ulkoinen linkki) are listed in their members directories
Information about other team members is available by request.
2.10 Other Information
NCSC-FI Facebook page: https://www.facebook.com/NCSC.FI
NCSC-FI Twitter profile (@CERTFI): https://twitter.com/CERTFI
NCSC-FI makes use of dedicated restricted access chatrooms.
2.11 Points of Customer Contact
Customers and fellow incident response teams are encouraged make use of the contact forms, e-mail addresses, encryption keys and phone numbers listed on NCSC-FI's web site:
Privileged customers have been communicated the preferred contact details via alternate channels.
3. Charter
3.1 Mission Statement
The mission of the National Cyber Security Centre Finland is:
- to develop the operational reliability and security of communications networks and services
- to increase public trust in the use of electronic services by strengthening national information security
- to step up the agency's efforts in technical steering and supervision with regard to the information security and preparedness in public communications networks and services.
3.2 Constituency
The National Cyber Security Centre is the National CSIRT of Finland and a CSIRT of last-resort in cases where reporter cannot find more direct reporting contact in Finland. NCSC-FI welcomes all incident reports of significance to Finnish interests regardless of the reporter’s nationality or affiliation.
Telecommunications providers have a legal obligation to report NCSC-FI about major information security incidents, threats to information security and faults and disturbances.
NCSC-FI is the Finnish GovCERT as per agreement with Ministry of Finance.
Critical Infrastructure Providers benefit from CSIRT services provided by NCSC-FI as per agreement with the National Emergency Supply Agency.
3.3 Sponsorship and/or Affiliation
The National Cyber Security Centre Finland is one of the four divisions within the Finnish Transport and Communications Agency (Ulkoinen linkki). The agency is situated under the governmental branch of Ministry of Transport and Communications (Ulkoinen linkki).
Additionally, the National Cyber Security Centre Finland reports to other competent authorities in the following situations
- The Ministry for Foreign Affairs (Ulkoinen linkki) is the competent authority on issues pertinent to the National Security Authority, or the NSA of Finland (Ulkoinen linkki) . NCSA-FI function of the NCSC-FI is one of the Designated Security Authorities (DSA) in Finland appointed by the NSA.
- Ministry of Finance (Ulkoinen linkki) is competent authority on issues having reference to information security in government institutions (GovCERT role (Ulkoinen linkki)) and handling of domestic classified information (NCSA-FI role (Ulkoinen linkki))
- National Emergency Supply Agency (NESA) (Ulkoinen linkki) oversees the protection of the Critical Infrastructure Providers in Finland (CERT-FI role (Ulkoinen linkki)).
NCSC-FI is funded by information security fees collected from the telecommunications providers, allocations from the state budget and proceeds from contracts with Ministry of Finance and NESA.
3.4 Authority
As a governmental agency, the tasks and mandate of NCSC-FI and its parent organisation TRAFICOM is stated in the law. The applicable laws with relevance to the CSIRT duties of NCSC-FI are as follows:
- Act on Communications Administration (625/2001 (Ulkoinen linkki))
- Government Decree on Communications Administration (60/2004 and 761/2006, not available in English)
- Act on the Protection of Privacy in Electronic Communications (516/2004 (Ulkoinen linkki))
- Communications Market Act (393/2003 (Ulkoinen linkki))
- Act on Strong Electronic Identification and Electronic Signatures (617/2009 (Ulkoinen linkki))
- Government Decree on information security in central government (681/2010 (Ulkoinen linkki))
- Act on the communications and information security audits (1406/2011, not translated)
- Act on the International Information Security Requirements (588/2004, not translated).
NCSC-FI's role as a National CSIRT of Finland is based on the act and decree on Communications Administration and Act on the Protection of Privacy in Electronic Communications.
NCSC-FI's role as the GovCERT of Finland is based on a mutual agreement between Ministry of Finance and FICORA.
4. Policies
4.1 Types of Incidents and Level of Support
For statistical purposes, the incident reports are divided in the following categories:
- Vulnerability
- Malware
- Scam
- Data breach
- Denial-of-Service attack
- Phishing
- IoT
- APT
- Disruption of service
- Data leak
- Spam
- False positive
The automated bulk incident reporting system Autoreporter provides technical reports in a wide range of categories such as reporting a large number of varying types of bot malware (e.g. ZeuS, Conficker, ZeroAccess), web server break-ins, denial of service attacks and worm-like behavior.
The early-warning system HAVARO categorises the incidents in RED, yellow and green, based on the severity of the incident.
The vulnerability advisories produced by NCSC-FI are categorised based on the target type, exploit method, anticipated outcome and the existence of a supported fix or documented workaround.
4.2 Co-operation, Interaction and Disclosure of Information
NCSC-FI is governed by the Act on the Openness of Government Activities (621/1999 (Ulkoinen linkki)), according to which all Official documents must be public, unless specifically otherwise stated in the law. Exceptions to the opennes principle are detailed in
- section 24 of the Act on the Openness of Government Activities
- Government Decree on information security in central government (681/2010 (Ulkoinen linkki)) and
- act on the international information security requirements (588/2004, not translated).
NCSC-FI has a legal mandate to receive, handle and share cyber security information, including telecommunications identification data that facilitates the investigation of network and information security incidents and threats.
4.3 Communication and Authentication
The preferred method for secure communication is PGP signed and encrypted e-mail. All official NCSC-FI keys have been signed with the key signing key (0x19ED231E), which can be found on the NCSC-FI web page.
All NCSC-FI staff members carry a personal ID and have been provided X.509 certificates for electronic signing and e-mail encryption.
NOTE: Before sending protectively marked information, contact NCSC-FI for instructions on the proper encryption scheme and transport channel.
5. Services
5.1 Incident Response
NCSC-FI is the national CSIRT of Finland. NCSC-FI provides incident response coordination services that facilitate other CSIRTs, the system administrators and network owners in their mission to keep their networks secure.
NCSC-FI operates tools such as bulk incident reporting system Autoreporter and early-warning system HAVARO to gather information about incidents of relevance to Finland.
The NCSC-FI can mandate telecommunications providers to take corrective action to support incident response. As a GovCERT of Finland, NCSC-FI can initiate action in governmental organisations.
5.1.1. Incident Triage
NCSC-FI prioritises cyber security incidents or information security threats affect the following:
- Critical public communications networks and services or a significant number of end users
- Classified communications and information systems or systems accredited for use by NCSC-FI
- Provision of and usage of electronic signatures or the functions of a certificate authority
- Critical Infrastructure Providers in Finland
- Government organisations
- National security of Finland and its international partners, most notably Nordic countries and EU
- Notable number of internet users and international community at large
- Finnish software and hardware vendors and service providers in the fields of ICT, ICS and Cyber Security.
5.1.2. Incident Coordination
NCSC-FI supports key incident response stakeholders by providing coordination services such as:
- information sharing, proxying and anonymisation
- contact and collaboration networks
- technical analysis
- situational awareness
- legal expertise
- regulatory oversight.
NCSC-FI tasks itself to connect parties with information with the parties with the need for the information. To be successful in this, NCSC-FI aspires to reach all relevant ICT and ICS operators and security officials in Finland and maintain good operational contacts with fellow CSIRTs around the world.
5.1.3. Incident Resolution
The responsibility to design, deploy and operate the systems and services in a secure manner and resolve incidents remains at all times on the owners of the said systems and services. The end users have a responsibility of their own actions.
NCSC-FI can provide coordination services, provide legal guidance and has limited possibilities to assist in artifact analysis.
5.2 Proactive Activities
NCSC-FI actively participates in information sharing and awareness building activities. NCSC-FI produces topical articles, advisories, alerts and instructions. Most of the material is in the public domain.
Software vulnerabilities pose a significant threat to the society. NCSC-FI tasks itself in linking the vulnerability researchers and the vendors by providing Vulnerability Coordination (Ulkoinen linkki) services.
6. Incident Reporting Forms
The preferred method for reporting an incident to NCSC-FI is through the contact form (Ulkoinen linkki).
The automated bulk incident reporting system Autoreporter accepts the common machine-readable formats such as csv, "Team Cymru" format, IODEF. Autoreporter also supports proprietary non-binary formats. Autoreporter supports batch-processing and as-it-happens reporting.
Singular incident reports can also be submitted in free-form fashion via e-mail.
7. Disclaimers
None.