With a Resolution of January 3, 2023, published in the Official Gazette No. 7 of January 10, 2023, the Agency for National Cybersecurity (“ACN”) has identified the taxonomy of incidents involving assets other than ICT assets identified by the standards constituting the national security perimeter, which are also subject to mandatory notification to the Agency.
The Resolution is the result of the implementation of Article 3-bis of the so-called Perimeter Decree (Law-decree No. 105 of Sept. 21, 2019 converted with amendments by Law No. 133 of Nov. 18, 2019), by which the ACN was given the task of establishing the taxonomy of security incidents.
Following the entry into force of the Resolution, entities included in the national security perimeter will also have to notify ACN of the security incidents related to ICT assets which are not included in the national cybersecurity perimeter within a 72-hour deadline. The above deadline runs from the time when the subject becomes aware of a security incident. The notification must be made through appropriate communication channels and in the manner established by the Computer Security Incident Response Team (Italian CSIRT), which is available at https://www.csirt.gov.it.
The Resolution consists of only four articles that refer to an Annex (Annex A, identifying the incident categories, their description, and the identification code necessary for the notification). In addition, Section 2 of Annex A lists the events that entities in scope to the national cybersecurity perimeter might to notify in the same manner as provided in Article 1, paragraph 3-bis, of the Perimeter Decree.
Pursuant to the Resolution, an incident is defined as: “any event of an accidental or intentional nature that results in the malfunctioning, interruption, even partial, or improper use of networks, information systems or computer services“.
The categories indicated by the Resolution are briefly described below, but please consult the official text for more information and details:
- Initial access (Initial exploitation)
The subject has evidence of unauthorized access to company’s systems and network.
The subject has evidence of non-authorized execution of code or malwares on the systems and network
- Installation (Establish persistence)
The subject has evidence that an external agent has gained IT higher-level privileges or is employing unauthorized practices designed to: (a) obtain IT higher-level privileges; (b) maintain malicious code or malware in the network or grant unauthorized access; (c) avoid detection during a compromise attempt.
The subject has evidence of the use of unauthorized practices aimed at: (a) perform reconnaissancè activities to gain knowledge about the system and internal network; (b) acquire, from within the network, valid credentials for authentication to network resources or find unauthorized copies; (c) access, control, or execute code among internal network resources.
The subject has evidence of the use of unauthorized practices aimed at: (a) searching for and/or collect, from within the network, confidential and/or sensitive data or detect their presence outside the systems authorized to process them; (b) exfiltrating data from within the network to external resources; (c) inhibiting the intervention of safety, security, and “quality assurance” functions of industrial control systems set up to respond to a service disruption or abnormal state; (d) manipulating, disabling, or damaging the physical control processes of industrial control systems; (e)manipulating, degrading, disrupting, or destroying systems, services, or data (e.g. Denial of Services or Distributed Denial of Services).
- Reconnaissance (Reconnaissance) referring to spearphishing activities
Techniques designed to collect, actively or passively, information that can potentially be exploited for subsequent activitiess (e.g., spearphishing campaigns).
The Resolution enters into force on January 25, 2023, so there is not much time left for directly or indirectly impacted operators to update internal processes to address the reporting requirements.