Critical Infrastructure Threat Information Sharing Framework A Reference Guide for the Critical Infrastructure Community October 2016 CRITICAL INFRASTRUCTURE THREAT INFORMATION SHARING FRAMEWORK Page intentionally left blank. CRITICAL INFRASTRUCTURE THREAT INFORMATION SHARING FRAMEWORK Contents Quick Reference Guide for Critical Infrastructure Owners and Operators, .................................. iii Report Threats and Incidents ...................................................................................................... iii Report Suspicious Activity ...................................................................................................... iii Report Suspected or Known Cyber Incidents .......................................................................... iv Report Physical Infrastructure Incidents .................................................................................. iv Become a Partner in the “If You See Something, Say Something™” Campaign ................... iv Receive Threat Information Relevant to Your Sector ................................................................ iv Access Threat Prevention and Protection Related Training and Exercises .............................. v Executive Summary ........................................................................................................................ 1 1 Introduction ............................................................................................................................... 3 1.1 Background ......................................................................................................................... 3 1.2 Purpose and Scope .............................................................................................................. 4 1.3 Audience ............................................................................................................................. 5 1.4 Guiding Principles .............................................................................................................. 5 1.5 Development Methodology ................................................................................................ 7 2 Overview of Critical Infrastructure Security and Resilience Threat Information Sharing ....... 9 2.1 Threat Information-Sharing Process ................................................................................. 11 2.2 Types of Entities Participating in the Threat Information-Sharing Process ..................... 17 2.2.1 Local and Regional Information Sharing Hubs .......................................................... 18 2.2.2 National Information Sharing Hubs ............................................................................ 19 2.2.3 Investigative Entities ................................................................................................... 19 2.2.4 Owners and Operators Operations Centers ................................................................. 20 2.2.5 Partnerships, Alliances, and Councils ......................................................................... 20 3 Threat Information Sharing Entity Descriptions..................................................................... 21 The Domestic Security Alliance Council (DSAC) .................................................................... 22 FBI Field Offices ....................................................................................................................... 23 Federal Sector-Specific Operations Centers .............................................................................. 24 Fusion Centers (State and Major Urban Area Fusion Centers) ................................................. 25 Information Sharing and Analysis Centers (ISACs) .................................................................. 26 Information Sharing and Analysis Organizations (ISAOs) ....................................................... 27 InfraGard .................................................................................................................................... 28 Investigative and/or Intelligence Entities (Non-Public-Facing) ................................................ 29 Local and State Law Enforcement Operations Centers ............................................................. 30 National Cybersecurity and Communications Integration Center (NCCIC) ............................. 31 i CRITICAL INFRASTRUCTURE THREAT INFORMATION SHARING FRAMEWORK National Infrastructure Coordinating Center (NICC) ................................................................ 33 Office of Intelligence and Analysis (DHS I&A) ....................................................................... 34 Overseas Security Advisory Council (OSAC) ........................................................................... 35 Owners and Operators Operations Centers ................................................................................ 36 Protective Security Advisor (PSA) Program ............................................................................. 37 Sector Coordinating Councils (SCCs) ....................................................................................... 38 Sector-Specific Agencies (SSAs) .............................................................................................. 40 United States Coast Guard (USCG) – Area Maritime Security Committees (AMSC) and Waves on the Waterfront (WOW) ................................................................................................ 43 4 Use Cases ................................................................................................................................ 45 4.1 Cyber Use Case: Havex and BlackEnergy (2014) ............................................................ 45 4.1.1 Background ................................................................................................................. 45 4.1.2 Threat Information Sharing......................................................................................... 46 4.2 Physical Use Case: Metcalf Electric Substation Incident (2013) ..................................... 51 4.2.1 Background ................................................................................................................. 51 4.2.2 Threat Information Sharing......................................................................................... 51 4.3 International Use Case: Westgate Mall Attack in Nairobi, Kenya (2013) ....................... 55 4.3.1 Background ................................................................................................................. 55 4.3.2 Threat Information Sharing......................................................................................... 55 4.4 National Special Security Event (NSSE) Use Case: 2013 Presidential Inauguration ...... 60 4.4.1 Background ................................................................................................................. 60 4.4.2 Pre-Event Threat Information Sharing Activities ....................................................... 60 4.4.3 Threat Information Sharing Activities during the Event ............................................ 62 List of Acronyms .......................................................................................................................... 64 Appendix A: Federal Operations Centers, .................................................................................... 69 Appendix B: Other Threat Information Sharing Entities Not Included in Section 3.0 or Appendix A ............................................................................................................................. 74 Appendix C: Entities with Critical Infrastructure Security and Resilience Program, Policy, and Mitigation Responsibilities .............................................................................................. 77 Appendix D: Threat Information Products ................................................................................... 81 Appendix E: Threat Information Mechanisms and Sources, and Tools to Assess Threats .......... 85 Appendix F: Targeted Threat and Security Engagements ............................................................ 93 Targeted Threat and Security Engagements .............................................................................. 93 Periodic Threat and Security Engagements ............................................................................... 94 Appendix G: Use Case Information Flow Maps........................................................................... 95 ii CRITICAL INFRASTRUCTURE THREAT INFORMATION SHARING FRAMEWORK Quick Reference Guide for Critical Infrastructure Owners and Operators1, 2 Report Threats and Incidents • In an emergency, call 9-1-1, report suspicious activity and threats to federal facilities at 1- 877-4FPS-411 (1-877-437-7411) • Contact your local law enforcement agency • Report through your organization’s appropriate internal reporting process • Directly report non-emergency threats and incidents to your nearest FBI field office at https://www.fbi.gov/contact-us/field or nearest international office at https://www.fbi.gov/contact-us/legat o Report threats and crime online at https://www.fbi.gov/report-threats-and-crime o Report suspicious activity involving chemical, biological, or radiological materials, by calling (toll-free) 1-855-TELL-FBI (1-855-835-5324) o Report an online scam or email hoax by filing