Charter

Mission Statement

Article 17 of the royal decree of 10 October 2014 about the creation of the Cybersecurity Centre Belgium (CCB) takes over the management of the Cyber Emergency Response Team (CERT) service, created in the former Federal Public Service Information and Communication Technologies (FEDICT).

This article indicates that this service’s missions are: “[…] to detect, observe and analyse online security problems and so continuously inform users in that regard”. [1]

By the application of this disposition, the old FEDICT CERT service is integrated inside the CCB, and therefore the CCB takes over all the above-mentioned missions.

As an administrative service of the CCB, CERT takes part to all other legal missions of the CCB.

Cybersecurity refers to all measures that ensure the confidentiality, the availability and the integrity of Information and Communication Technologies (ICT): technical measures, but also user awareness measures.

Cybersecurity is not about the use of ICT only as a means of activism, terrorism, espionage, subversion, or generally criminal. These deeds are the responsibility of other services than CERT.be (police, State security, etc.). Moreover, the identification of the authors of crimes is not within CERT’s purview. However, any attempt against the confidentiality, the integrity and the availability of ICT systems, for whatever reason, is a cybersecurity problem.

[1] Arrêté royal du 10 octobre 2014 portant création du Centre pour la Cybersécurité Belgique,» M.B.,21 novembre 2014, p. 91395.

Constituency

CERT’s constituency is divided into the following categories:

• Operators of essential eervices and critical infrastructure

• Operators of essential public services

• Administrative authorities

• Private moral persons

• Greater Public

Sponsoring organization

CERT is an administrative service of the Centre for Cybersecurity Belgium (CCB), under the authority of the Prime Minister.

Authority

CERT only has the authority that would be vested by the NIS Directive’s Belgian transposition. 

2. Directive (UE) 2016/1148 du Parlement européen et du Conseil du 6 juillet 2016 concernant des mesures destinées à assurer un niveau élevé commun de sécurité des réseaux et des systèmes d'information dans l'Union,» Journal Officiel de l'Union Européenne,19 juillet 2016.

Policies

Types of Incidents and Level of Support

CERT handles any incident linked to an information or network system located on the Belgian territory or any internet domain in “.be”. The level of support depends on the gravity of the incident and the quality of the correspondent.

Priority within the constituency is as follows:

1. Operators of essential services and critical infrasturctures;
   Operators of essential public services;

2. Administrative authorities;

3. Private moral persons ;

4. Public-at-large.

Co-operation, Interaction and Disclosure of Information

CERT treats the information it is handed according to the current Belgian legislation. CERT is therefore careful to protect personal data and sensitive information it receives.

As specified in the Cyber Emergency Plan, CERT coordinates the activities of the different stakeholders in the case of a national cybersecurity incident. In the case of a national cyber security crisis, CERT works together with the Crisis Centre in order to coordinate the activities of the different stakeholders.

When it is necessary to communicate personal data in order to handle an incident, CERT will be careful to only send the required minimum of information.

Information sent by email and encrypted with CERT’s PGP key will only be stored encrypted and will only be deciphered when required. If a transfer of this information is necessary, that transfer will also be PGP encrypted. 

CERT uses and respects the Traffic Light Protocol as described by FIRST (version 1.0).

As much as possible, CERT will share its experience with its peers and its constituency, provided this doesn’t contravene the above provisions. Special attention will be given to the following groups: EGC, TF-CSIRT, FIRST et le EU CSIRTs Network.

Only specifically CCB-designated persons will have contact with the press.

Forum of Incident Response and Security Teams (FIRST), «Traffic Light Protocol (TLP) - FIRST Standards Definitions and Usage Guidance — Version 1.0,» 16 08 2016, www.first.org/tlp/

European Governmental CERTs

Task Force – Cooperation of Cyber Security Incident Response Teams

Forum of Incident Response Teams

Communication and Authentication

CERT can be joined by email at incident@ccb.belgium.be. A PGP key is associated with this address:

pub rsa4096 2024-01-09 [SC] [expires: 2025-02-12]
049F 8D17 B802 5C1F 63E0 5633 7FD9 7294 6884 2545
uid [ full ] CCB Incident 2024 <incident@ccb.belgium.be>
sub rsa4096 2024-01-09 [E] [expires: 2025-02-12]

 

CERT has personnel cleared to handle classified information in the sense of the Law of 11 December 1998 pertaining to information classification, security clearances and security advice

Loi du 11 décembre 1998 relative à la classification et aux habilitations, attestations et avis de sécurité,» M.B.,7 mai 1999, p. 15752.

Services

Some of the services below are available for only part of CERT's constituency. The full table is available in our charter.

Reactive Services

Reactive services aim at answering calls for assistance, notifications, and generally at any and all threat or attack against the CERT’s constituency’s systems.

• Alerts and Warnings

This service consists of the publication of information describing an attack, an alert, a threat, etc. and in the providing of short-term actions recommendations that allow facing the problem.

• Incident Handling

• Incident Analysis

At the request of a member of its constituency, CERT will make a post mortemanalysis of a cybersecurity incident. The goal of this analysis will be to identify the extent of the incident and the damage done, its root cause, and possibly recommendations.

• On-site incident handling

At the request of certain members of its constituency, CERT will dispatch specialists in order to assist local teams in handling a specific incident.

• Incident Response Coordination

CERT coordinates, in relationship with the concerned partners, the handling of incidents. In the case of a serious incident, the Cyber Emergency Plan can be activated.

• Incident Response Support

CERT provides its constituency with its support in handling security incidents. This support takes the form of advice by email or phone, help in data analysis, etc.

• Vulnerability Handling - response coordination

When a vulnerability is found in some software product, CERT can, on request, coordinate mitigation and communication efforts between the different parties involved (researcher, software vendor, users, etc.). It may be that CERT

• Artefact Analysis

An artefact is a trace of an intrusion or attempt at the intrusion on an ICT system. Log files and systems information are examples of artefacts.

CERT may analyse artefacts submitted by some categories of its constituency. CERT may have to work with external third parties in order to provide this service.

Proactive Services

Proactive services aim at improving the constituency’s security infrastructure and processes before an incident occur or is detected.

• Announcements

CERT provides announcements via its web site and if necessary private channels in order to warn its constituency of risks caused by newly-found vulnerabilities or the existence of new threat vectors.

• Technology Watch

CERT performs a continuous technology watch in the field of cyber security and information security in the broadest sense. This watch feeds CERT’s other services and allows it to keep on top of the latest evolutions in the field.

• Detection, observation and analysis of security problems

CERT’s mission is to detect, observe and analyse online security problems. It is thus, therefore, the central contact point for the notification of security incidents and information about cyber three.

Arrêté royal du 10 octobre 2014 portant création du Centre pour la Cybersécurité Belgique,» M.B.,21 novembre 2014, p. 91395.

• Security audits / Penetration tests

On request, CERT may, depending on resources availability, perform an audit or a penetration test of the infrastructure (or part thereof) of its constituency. CERT may have to work with external third parties in order to provide this service.

• Security-Related Information Dissemination

CERT publishes when necessary guidance documents or links to such documents, that may be of interest for its constituency.

Security Quality Management Services

These services aim at using the findings and lessons learned from the practice of the various reactive services.

• Awareness raising

CERT takes part in the CCB’s awareness raising campaigns.

• Education / Training

CERT has the possibility to develop training about its areas of expertise and to organise training sessions.

Awareness Building

CERT takes part in the CCB’s awareness raising campaigns.

Incident Reporting Forms

As far as possible, please use the following Incident Reporting Form.

CERT Incident Reporting Form

The following form has been developed to ease gathering incident information. If you believe you have been involved in an incident, please complete - as much as possible - the following form, and send it to cert@cert.be.

This information will be treated confidentially, as per our Information Disclosure Policy.

I am: an individual user / a business / a government service / a (non-profit) organisation / an institution of vital importance

I want to: report an incident / get support regarding an incident

email:

telephone:

Type of Incident: I don't know / PC/Network has been hacked / PC/Network has been infected by a virus / Received phishing message / CEO Fraud / Scam / DDoS attack / Other

When did the incident take place?:

Has the incident been resolved? Yes / No

Have you reported the incident to the police? Yes / No

More information:

Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained within.