0x00

Who we are and what we do

GOVCERT.LU is the central contact point for all types of IT incidents that could pose a threat to the information systems of the national government and other public or private infrastructure operators that are considered critical. Find out more about our missions and learn about the various areas of operation and tasks falling under the responsibility of GOVCERT.LU.

0x01

Our mission

In our ever more interconnected world, cyberattacks are becoming more and more widespread and it is becoming increasingly challenging to combat them.

Thanks to its open attitude towards the possibilities and challenges of information and communication technologies, Luxembourg is developing into a global player in the ICT field and is increasingly prioritising the protection against cyberattacks.

GOVCERT.LU acts at both national and international level in order to protect the Grand Duchy from cyberattacks, to guarantee local businesses an attractive, secure and reliable environment and to protect the privacy and fundamental rights of its citizens.

We are the central contact point for all types of cyber-related incidents that could compromise the information systems of the government and other public or private infrastructure operators that are considered critical. In this context, critical infrastructure refers to any facility, system or part thereof that is essential for safeguarding the vital interests or essential needs of all or part of the country or its population.

In order to fulfil our missions, we are mandated to cover both classified and unclassified infrastructures at different levels. The GOVCERT.LU team aims to respond to incidents and initiate appropriate measures, to detect and prevent serious incidents at an early stage, and to guarantee better coordination between state actors when security incidents occur.

By way of national law, GOVCERT.LU has been mandated to act as the official national point of contact for all national and international Cyber Security Incident Response Teams – or CERTs for short.

On the one hand, our team is responsible for gathering and disseminating information on security incidents affecting information and communication systems in Luxembourg. On the other hand, we operate as the contact point for cybersecurity for all natural and legal persons, entities and bodies, both at national and international level.

Once our team receives security-related information, we are responsible for conveying it to the various CERTs in charge of the affected sector. If no CERT exists for that particular sector, we will directly contact the victim of the attack. We will also provide information on specific contact points within the relevant sector.

Moreover, there is a specialised intervention team in charge of operating as the official national point of contact for all foreign military CERTs and ensuring a service that monitors, detects, alerts and reacts to computer attacks and large-scale security incidents affecting the army’s networks and information systems within the territory of the Grand Duchy.

0x02

Incident Response

GOVCERT.LU is authorised to handle and to address all types of information security incidents - involving both classified and unclassified information - which occur or threaten to occur in the constituency’s networks, systems and services.

In this context, GOVCERT.LU supports the members of its constituency with a set of reactive and proactive services. This means that we coordinate all activities in relation to incident response, and we provide support, help and advice throughout the different stages of incident management:

  • Incident Triage

    • Investigating whether an incident has indeed occurred
    • Determining the extent of the incident
  • Incident Coordination

    • Determining the initial cause of the incident (vulnerability exploited)
    • Contact with other sites which may be involved
    • Encouraging contact with the constituency and/or appropriate law enforcement officials, if necessary
    • Coordinating response to (Distributed) Denial of Service incidents
    • Sending a report to other CSIRTs
    • If necessary, alerting users
  • Incident Resolution

    • Removing vulnerabilities
    • Safeguarding the security of the system and protecting it against possible side effects of the incident
    • Evaluating whether certain actions are likely to yield results in proportion to their cost and risk, in particular those actions aimed at a possible prosecution or disciplinary action: collecting evidence, observation of an incident in progress, setting traps for intruders, etc.
    • Collecting statistics concerning incidents which affect or involve its constituency, before distributing relevant information in the community in order to assist its protection against known attacks
    • Collecting, preserving, documenting, and analysing evidence from a compromised computer system in order to determine necessary changes to the system and to assist in the reconstruction of events leading up to the incident

0x03

Proactive Activities

Our proactive activities are designed to detect and minimise the impact of cyberattacks on any systems or networks. We are in charge of alerting the members and partners of our constituency at an early stage in order to protect their networks and possibly prevent them from becoming a target.

In this context, our team of cybersecurity experts offers a comprehensive range of services and security solutions:

  • Anti-phishing notifications and closure of malicious websites
  • Detection of compromised (infected) systems
  • Notification of stolen credentials
  • Notification of malware targeting the constituency
  • General security announcements (non-public)
  • Development of security tools
  • Malware analysis
  • Vulnerability notification

0x04

National Contingency Plan

In the event of a serious technical vulnerability or cyberattack threatening to affect the information systems of the private and public sectors on a large scale, the national contingency plan is activated. This means that several managing bodies are convened in order to promptly react to the incident and initiate immediate appropriate countermeasures.

From this point on, the Crisis Unit initiates and coordinates all actions and ensures that all necessary measures are taken to avert any damage as best and as quickly as possible.

The Director of GOVCERT.LU is a member of this Crisis Unit and also chairs the Cyber Risk Assessment Unit (CERC). The latter is responsible for monitoring all critical national incidents and threats related to computer and network security. They constantly keep the Crisis Unit up to date with the latest developments in this area.

The Cyber Risk Assessment Unit is made up of a team of experts who provide enhanced monitoring and vulnerability analysis within the framework of the National Contingency Plan. Depending on the nature of the attack, they identify potential targets and make sure that any potentially threatened information systems are updated and protected.

Once an attack is confirmed, the unit initiates protective measures and takes preventive action in order to safeguard potential attack targets from any possible damage. If necessary, they even have the option of partially or completely isolating a specific attack target.

In the event of a serious cyber threat, the government informs the public via the website www.infocrise.lu.