Cyber Incident Reporting
Cyber incidents continue to be an increasing concern for state, local and academic institutions within North Carolina.
Every year, there has been a noted increase of attacks in the form of ransomware, data exfiltration and extortion and others, which have devastating impact to the state’s critical infrastructure. This trend is forecasted to continue and remain a pervasive occurrence in the upcoming years.
Reporting cyber incidents as they occur is a method to reduce the risk to citizen-facing services and sensitive data. In doing so, the state is able to provide subject matter experts, resources, and assistance in various forms ranging from consultation and guidance, to deployment of the N.C. Joint Cyber Security Task Force to assist as needed. Incidents should be reported even if your agency is not requesting assistance.
N.C. Joint Cybersecurity Task Force
The N.C. Joint Cybersecurity Task Force is comprised of law enforcement, emergency management, N.C. National Guard Cyber, the Local Government IT Strike Team, state IT/cyber specialists and federal agencies.
This team provides incident coordination, resource support and technical assistance to reduce the impact to the affected organization, mitigate vulnerabilities and offers on-scene response personnel to aid in incident recovery.
When supporting the affected organization, the various members of the Joint Cybersecurity Task Force work in tandem to leverage their collective response expertise, apply their knowledge of cyberthreats, preserve key evidence and use their combined authorities and capabilities both to minimize asset vulnerability and bring malicious actors to justice.
A cyber incident is an event that could jeopardize the confidentiality, integrity or availability of critical infrastructure (i.e., first responder networks, water, energy, etc.) and information systems. Reporting should take place within 24 hours of confirmation.
Cyber incidents resulting in significant damage are of particular concern to the state. Pursuant to N.C.G.S. 143B-1379, all local government entities must report all cyber incidents that might:
- Result in a significant loss of data, system availability or control of systems
- Have an impact on a large number of victims
- Indicate unauthorized access to, or malicious software present on, critical information technology systems
- Affect critical infrastructure or core government functions
- Impact national security, economic security, or public health and safety
Examples include but are not limited to:
- Malware
- Denial of service
- Ransomware
- Large-scale hardware (server) disruptions
Incident reporting by private sector organizations is not mandated; however, it is highly encouraged.
A cyber incident may be reported at various stages, even when complete information might not be available. Helpful information could include but is not limited to:
- Who you are
- Who experienced the incident
- What sort of incident occurred
- How and when the incident was initially detected
- What response actions have already been taken
- Who has been notified
The Statewide Cybersecurity Incident Report form is designed to collect all relevant information to assist with response.
The state has multiple means to report cyber incidents, as indicated in the following table.
| State Agencies | Local Governments, Academic Institutions & Private Sector Entities |
|---|---|
| Contact the NCDIT Customer Support Center at 800-722-3946. | Report cybersecurity incidents to the N.C. Joint Cyber Security Task Force by contacting the N.C. Emergency Management 24-Hour Watch Center, at NCEOC@ncdps.gov or at 1-800-858-0368. |
| Use the Statewide Cybersecurity Incident Report form. | For general inquiries or support, contact the N.C. Joint Cyber Security Task Force at ncisaac@ncsbi.gov. |
| Contact the Enterprise Security and Risk Management Office at DIT.ThreatManagement@nc.gov. |
Regardless of which method is used, the data is consolidated, tracked and acted on by the Joint Cyber Security Task Force. The state entity (e.g., N.C. Department of Public Safety or N.C. Department of Information Technology) receiving the initial report, will ensure coordination with relevant CSTF members.
Please note, this reporting does not override any other mandated federal reporting requirements.
Upon receiving a report of a cyber incident, the Joint Cyber Security Task Force will establish a scoping call with the impacted entity to address the high-level activities outlined in the following table.
| Response Type | Description |
|---|---|
| Incident response | This includes conducting forensics to identify root-cause, damage assessment and mitigation, and coordination with law enforcement activities as needed. Lastly, it includes information-sharing of indicators of compromise. |
| Recovery response | This effort could include establishing best practice recovery methods, system hardening, restoration of services and infrastructure rebuild. |
Mission-Critical Support
Providing for effective public safety and implementing adequate homeland security measures to protect all North Carolinians, whether physical or in cyberspace, should be our singular focus.
To be successful, it will take a whole of government and whole of community approach requiring partnership, coordination, and collaboration across public, private, non-profit, and non-governmental organizations. Your organization is a mission critical part of this approach as we strive to protect all North Carolinians.