RFC2350

Contact information for CERT@VDE according to RFC 2350

1 About this document

This document contains a public description of the contact information, charter, policies, and services of CERT@VDE (the “Computer Energency Response Team” at VDE Association for Electrical, Electronic & Information Technologies) according to RFC 2350 (Expectations for Computer Security Incident Response, https://www.ietf.org/rfc/rfc2350.txt). This Best Current Practice track document has become the de facto standard in the CERT community to list the important facts about a CERT and describe the services and operating procedures that can be expected of it.

1.1 Date of Last Update

This is version 0.9, published 2018-03-13.

1.2 Update Notifications

Update notifications are provided via RSS.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the CERT@VDE WWW site; its URL is https://cert.vde.com/en-us/contact/rfc2350/. Please make sure you are using the latest version.

1.4 Authenticating this Document

This document is delivered vis HTTPS. Please make sure that the website certificate was issued for “cert.vde.com” by “Let's Encrypt Authority X3”, and that it is displayed as valid by your browser.

2 Contact Information

2.1 Name of the Team

CERT@VDE

2.2 Address

CERT@VDE
VDE Verband der Elektrotechnik Elektronik Informationstechnik e.V.
Stresemannallee 15
60596 Frankfurt am Main
Germany

2.3 Time Zone

Europe/Berlin (GMT+0100, and GMT+0200 from last Sunday in March to last Sunday in October)

2.4 Telephone Number

+49 69 6308 400

2.5 Facsimile Number

On request.

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

info@cert.vde.com

This is a team address that reaches the person(s) on duty for CERT@VDE.

2.8 Public Keys and Other Encryption Information

PGP Key: 4096R/C3E3E8AD
PGP Fingerprint: F5F7 FFB6 32D9 EAC7 1E74  F344 0CF5 E79A C3E3 E8AD

2.7 World Wide Web

Internet-Website:  https://cert.vde.com

2.9 Team Members

Only employees of VDE Association for Electrical, Electronic & Information Technologies work for CERT@VDE. Their names are listed in the Trusted Introducer Directory (for TI accredited teams only).

2.10 Other Information

n/a

2.11 Points of Customer Contact

The CERT@VDE's hours of operation are generally restricted to regular business hours: Monday to Thursday, 09:00-16:00 CET, and Friday, 09:00-15:00 CET.

CERT@VDE does not operate during days the VDE Headquarters remain closed for business (December 24th and December 31st, all public holidays in the State of Hesse, Germany, and the following dates in 2018: April 30th, May 11th, June 1st, December 27th and December 28th).

3  Charter

3.1 Mission Statement

CERT@VDE assists SMEs in the industrial automation sector with the handling of vulnerabilities and product security incidents, enabling cross-organizational collaboration.

 CERT@VDE
  • Provides a neutral, trustworthy and secure platform for collaboration between vendors, preserving anonymity when requested.
  • Assists with the coordinated disclosure of vulnerabilities.
  • Enables exchange and discussion about methods and practices for product security.
  • Processes vulnerability information from multiple sources and provides it to the target constituency, i.e. vendors, integrators and users of Industrial control systems (ICS).
  • Organizes workshops for the industry.
  • Develops processes and best practices with its partners in the ICS industry.

3.2 Constituency

CERT@VDE addresses manufacturers, users, operators and integrators in the automation industry, with a focus on small and medium-sized enterprises. The services of CERT@VDE are oriented towards the needs of product security teams within our constituency.

3.2.1 Domains and IP Ranges

CERT@VDE is responsible for the IPv4 addresses in the network 80.146.226.0/27, as well as for all domains that resolve to these addresses (currently, only cert.vde.com is in use).

3.3 Sponsorship and Affiliation

CERT@VDE is a member of the German CERT alliance “Deutscher CERT-Verbund” (https://www.cert-verbund.de) and is an accredited member of Trusted Introducer (https://www.trusted-introducer.org). CERT@VDE will maintain cooperations with ICS-CERT (https://ics-cert.us-cert.gov), ENISA, BSI (German Federal Office for Information Security), and other organisations, according to the wishes of the constituency.

3.4 Authority

CERT@VDE's operation is based on voluntary cooperation of its supporters. It does not have formal authority to speak for its supporters or any other organisation, except as explicitly or implicitly authorised (e.g. to work with ICS-CERT on advisories without the need to confirm their content with the affected vendor). It has the mandate to process incoming vulnerability reports affecting its supporters, to publish advisories for their products in a coordinated disclosure process, to assign CVE IDs to vulnerabilities covered in those advisories, and to create entries in the NVD for these CVE IDs.

3.5 Reaction

CERT@VDE assists the target group with coping with safety gaps by structured information exchange and status analysis. On this purpose CERT@VDE accepts reports of IT-Security-Incidents and examines, evaluates and records them to coordinate and support the target group´s processing of IT-Security-Incidents.

3.6 Prevention

CERT@VDE will run a warning- and information system for IT-Security vulnerabilities and actual threats, to pass on product security information effectively from the target group to third parties, as well as from third parties to the target group. This enables the target group to take preventive actions for an emergency. CERT@VDE also assists with creating and developing IT-Security-Standards and Best Practices.

4  Policies

4.1 Types of Incidents and Level of Support

CERT@VDE is authorised to process vulnerability reports for products of its supporters. It is not authorised to handle security incidents within their organisations, but it will forward all incident reports to the proper contact persons. If you are not willing to share certain (or all) contact details, you can also report anonymously or pseudonymously. If you ask CERT@VDE to keep your contact information private, we will honour that request. Otherwise, for a proper and complete registration of vulnerabilities, we ask you to please include the following data:

Contact details:

  • Reporting organisation (if applicable)
  • Name of the reporter
  • Position/function within the organisation (if applicable)
  • E-mail address
  • Telephone number
  • Postal address

Your classification of the reported vulnerability:

  • CVSS vector
  • CWE
  • (alternatively: please describe the urgency and criticality of the vulnerability)

Information about the reported vulnerability:

  • Detailed technical description
  • Effects on availability, confidentiality and integrity of services, applications, processes or data
  • (if you report an incident, please add the time of occurrence, including timezone information)

4.2 Co-operation, Interaction and Disclosure of Information

Information about our disclosure policy (which is in German) will be added at a later date.

4.3 Communication and Authentication

In view of the types of information that CERT@VDE will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

[Sections 5 and 6 of RFC 2350 will be left out, as CERT@VDE currently does not handle incidents within our constituency.]

7  Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT@VDE assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.