Alert Level Information

What Do the Different Alert Level Colors Indicate?

  • GREEN or LOW indicates a low risk. No unusual activity exists beyond the normal concern for known hacking activities, known viruses, or other malicious activity.
    • Examples:
      • Normal probing of the network
      • Low-risk viruses
    • Actions:
      • Continue routine preventive measures, including the application of vendor security patches and updates to anti-virus software signature files on a regular basis.
      • Continue routine security monitoring.
      • Ensure personnel receive proper training on cybersecurity policies.
    • Notification:
      • No notification is warranted if a state is currently at this level.
      • Notification via our website will be done concurrently with the Alert Level change.
  • BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
    • Examples:
      • A critical vulnerability is discovered but no exploits are reported.
      • A critical vulnerability is being exploited but there has been no significant impact.
      • A new virus is discovered with the potential to spread quickly.
      • There are credible warnings of increased probes or scans.
      • A compromise of non-critical system(s) did not result in loss of data.
    • Actions:
      • Continue recommended actions from previous level.
      • Identify vulnerable systems.
      • Implement appropriate countermeasures to protect vulnerable systems.
      • When available, test and implement patches, install anti-virus updates, etc., in the next regular cycle.
    • Notification:
      • Notification via our website will be done concurrently with the Alert Level change.
  • YELLOW or ELEVATED indicates a significant risk due to increased hacking, virus, or other malicious activity that compromises systems or diminishes service. At this level, there are known vulnerabilities that are being exploited with a moderate level of damage or disruption, or the potential for significant damage or disruption is high.
    • Examples:
      • An exploit for a critical vulnerability exists that has the potential for significant damage.
      • A critical vulnerability is being exploited and there has been a moderate impact.
      • There is a compromise of a secure or critical system(s) containing sensitive information.
      • There is a compromise of a critical system(s) containing non-sensitive information if appropriate.
      • A virus is spreading quickly throughout the Internet, causing excessive network traffic.
      • There is a distributed denial of service attack.
    • Actions:
      • Continue recommended actions from previous levels.
      • Identify vulnerable systems.
      • Increase monitoring of critical systems.
      • Immediately implement appropriate countermeasures to protect vulnerable critical systems.
      • When available, test and implement patches, install anti-virus updates, etc., as soon as possible.
    • Notification:
      • Notification to the Multi-State ISAC via secure portal email will be given when a state upgrades its Alert Level to Yellow or Elevated.
      • Notification via our website will be done concurrently with the Alert Level change.
      • Notification to the Multi-State ISAC via secure portal will be given when the National Alert Level is raised to Yellow or Elevated. A national conference call for members will also be hosted by the Multi-State ISAC.
  • ORANGE or HIGH indicates a high risk of increased hacking, virus, or other malicious cyber activity that targets or compromises core infrastructure, causes multiple service outages, causes multiple system compromises, or compromises critical infrastructure. At this level, vulnerabilities are being exploited with a high level of damage or disruption, or the potential for severe damage or disruption is high.
    • Examples:
      • An exploit for a critical vulnerability exists that has the potential for severe damage.
      • A critical vulnerability is being exploited and there has been significant impact.
      • Attackers have gained administrative privileges on compromised systems.
      • There are multiple damaging or disruptive virus attacks.
      • There are multiple denial of service attacks against critical infrastructure services.
    • Actions:
      • Continue recommended actions from previous levels.
      • Closely monitor security mechanisms, including firewalls, web log files, anti-virus gateways, system log files, etc., for unusual activity.
      • Consider limiting or shutting down less critical connections to external networks such as the Internet.
      • Consider isolating less mission-critical internal networks to contain or limit the potential of an incident.
      • Consider the use of alternative methods of communication, such as phone, fax, or radio in lieu of email and other forms of electronic communication.
      • When available, test and implement patches, anti-virus updates, etc., immediately.
    • Notification:
      • Notification to the Multi-State ISAC via secure portal email will be given when a state upgrades its Alert Level to Orange or High. A national conference call for members may also be hosted by the Multi-State ISAC with the permission and input of the affected state.
      • Notification via the Multi-State ISAC’s website will be done concurrently with the Alert Level change.
      • Notification to the Multi-State ISAC via secure portal will be given when the National Alert Level is raised to Orange or High. A national conference call for members will also be hosted by the Multi-State ISAC.
  • RED or SEVERE indicates a severe risk of hacking, virus, or other malicious activity resulting in widespread outages and/or significantly destructive compromises to systems with no known remedy or debilitates one or more critical infrastructure sectors. At this level, vulnerabilities are being exploited with a severe level or widespread level of damage or disruption of Critical Infrastructure Assets.
    • Examples:
      • Complete network failures
      • Mission-critical application failures
      • Compromise or loss of administrative controls of critical system
      • Loss of critical supervisory control and data acquisition (SCADA) systems
      • Potential for or actual loss of lives or significant impact on the health or economic security of the state
    • Actions:
      • Continue recommended actions from previous levels.
      • Shut down connections to the Internet and external business partners until appropriate corrective actions are taken.
      • Isolate internal networks to contain or limit the damage or disruption.
      • Use alternative methods of communication, such as phone, fax, or radio as necessary in lieu of email and other forms of electronic communication.
    • Notification:
      • Notification to the Multi-State ISAC via secure portal email will be given when a state upgrades its Alert Level to Red or Severe. A national conference call for members may also be hosted by the Multi-State ISAC with the permission and input of the affected state.
      • Notification via our website will be done concurrently with the Alert Level change.
      • Notification to the Multi-State ISAC via secure portal will be given when the National Alert Level is raised to Red or Severe. A national conference call for members will also be hosted by the Multi-State ISAC.

How Is the Alert Level Determined?

The Alert Level is determined using the following threat severity formula:

Severity = (Criticality + Lethality) – (System Countermeasures + Network Countermeasures)

  • Lethality: How likely is it that the attack will do damage?
    (Value = Potential Damage)

    • 5: Exploit exists. Attacker could gain root or administrator privileges. Attacker could commit denial of service.
    • 4: Exploit exists. Attacker could gain user level access privileges. Attacker could commit denial of service.
    • 3: No known exploit exists. Attacker could gain root or administrator privileges. Attacker could commit degradation of service.
    • 2: No known exploit exists. Attacker could gain user level access privileges.
    • 1: No known exploit exists. Attacker could not gain access.
  • Criticality: What is the target of the attack?
    (Value = Target)

    • 5: Core services such as critical routers, firewalls, VPNs, IDS systems, DNS servers, or authentication servers
    • 4: Email, web, database, and critical application servers
    • 3: Less critical application servers
    • 2: Business desktop systems
    • 1: Home users
  • System Countermeasures: What host-based preventive measures are in place?
    (Value = Countermeasure)

    • 5: Current operating system with applicable patches applied. Server has been hardened and verified via vulnerability scan. Running host-based IDS or integrity checker. Anti-virus signature exists and has been applied to target systems.
    • 4: Current operating system with applicable patches applied. Operating system has been hardened. Anti-virus signature exists and has been applied to target systems.
    • 3: Current operating system with fairly up-to-date patches applied. Anti-virus signatures are current.
    • 2: Current operating system but missing some applicable patches. Anti-virus signature either does not exist or has not been applied to target systems.
    • 1: Older operating systems, including Windows NT 3.51, Solaris 2.6, Windows 95/98/ME. No anti-virus software protection.
  • Network Countermeasures: What network-based preventive measures are in place?
    (Value = Countermeasure)

    • 5: Restrictive (i.e., “deny all except what is allowed”) firewall. Firewall rules have been validated by penetration testing. All external connections including VPNs go through (not around) the firewall. Network-based IDS is implemented. Email gateway filters attachments used by this virus.
    • 4: Restrictive firewall. External connections (VPNs, wireless, Internet, business partners, etc.) are protected by a firewall. Email gateway filters attachments used by this virus.
    • 3: Restrictive firewall. Email gateway filters common executable attachments.
    • 2: Permissive firewall (i.e., ”accept all but”) or allowed service (e.g., HTTP, SMTP). Email gateway does not filter all attachments used by this virus.
    • 1: No firewall implemented. Email gateway does not filter any attachments.

Using the result from the formula defined above, the Alert Level Indicator would generally reflect severity levels as follows:

  • Alert Level Indicator – Severity
    • Green – Low : -8 to -5
    • Blue – Guarded : -4 to -2
    • Yellow – Elevated : -1 to +2
    • Orange – High : +3 to +5
    • Red – Severe : +6 to +8