How to fulfill the requirements of law 187-FZ on security of critical information infrastructure? Recommendations of Step Logic

The federal law "About Security of Critical Information Infrastructure of the Russian Federation" of 7/26/2017 N 187-FZ became effective on January 1, 2018 and entered concepts of objects and subjects of the critical information infrastructure (CII) and also an obligation of the organizations for security of objects of KII.

Subjects of KII to which requirements of the law extend are the public and commercial institutions working in the spheres forming a basis of functioning of the state: health care, science, transport, communication, power, banking sector and other spheres of financial market, fuel and energy complex, in the field of atomic energy, defense, space-rocket, mining, metallurgical and chemical industry. Objects of KII are understood as the information systems (IS), the information and telecommunications networks (ITN), the automated control systems (ACS) of subjects of KII.

The organizations are obliged to ensure safety of objects of critical information infrastructure

According to requirements of the law, the enterprise and organization should carry out categorization of the objects of KII and notify on results FSTEC Russia. The recommended term – January, 2019. However now many organizations or did not begin categorization of the objects yet, or are in the beginning of a way. At the same time a number of the companies and enterprises has no understanding not only how to carry out categorization, but also whether they fall in general under operation of this Federal Law.

In article prepared by the expert of Step Logic company the optimal variant of implementation of requirements for protection of objects of KII is offered, it is specified what it is worth paying attention when carrying out these works to and also it is told about the factors influencing the cost of such projects.

What to begin with?

The very first question which it is necessary to answer: whether your organization by the subject of KII is. For this purpose the regulator (FSTEC Russia) recommends to perform search of thirteen types of activity specified in the text of the law in charters, RCEAP, licenses ^[1]. If your enterprise corresponds to this criterion, it is necessary to start categorization of objects.

Why to categorization you should not treat as the next formality

Without categorization of objects of KII it is impossible to define necessary technical and organizational measures of protection. Further amounts of works in the field of cybersecurity depend on results of categorization.

In case of investigations of incidents of cybersecurity the situation when the attracted bodies set violations in protection of objects of KII on an absence reason of categorization or its understating is possible. It can cause criminal liability according to the Criminal Code of the Russian Federation (Article 274.1).

Besides, introduction at the beginning of 2019 of the administrative responsibility for incorrect categorization of objects of KII and violation of fixed terms is already announced. Terms of categorization will be tightly regulated, and if not to begin process in advance, there is a probability not to keep within them.

Categorization – to give to the contractor or to conduct independently?

Many organizations prefer to give this part of works to contractors. There is a set of examples when the customer asks not only to carry out categorization, but also in general "bring all objects of KII into accord with 187-FZ". Specialists of Step Logic recommend to perform categorization independently and if to involve third-party contractors, then only to consultation on private questions.

First, according to the legislation, all responsibility for decision making lays down only on the head of the organization and the commission including heads of divisions and other ranking officers, but not on contract organization.

Secondly, a categorization basis – assessment of effects from violations of functioning of critical processes and the corresponding objects of KII. Integrators and consultants a priori cannot know all parts and nuances of your activity, all possible effects and their interrelations. By experience of Step Logic, even within group the same processes sometimes are implemented differently, and such nuances can have significant effect on results of categorization. Therefore third-party specialists, having studied, for example, ten plants, will not be able quickly and ideally to describe the eleventh without its inspection – all information as a result will be requested from responsibles again. Thus, the data array is provided for categorization by the organization, and the essence of services of contractors in 90% of cases consists available at them the fulfilled templates and report forms and also the available experience with the specific sphere.

Thirdly, in order that the contractor could carry out qualitatively categorization, he needs to study completely all business processes of the organization, its infrastructure, activity indicators (agreements, financial statements, other statistics). It is obvious that in this case the project will take not one month, but the cost of works can be estimated at millions of rubles if it is about large enterprises or groups. As far as it is justified taking into account told above?

Carrying out categorization by own efforts is another occasion to understand in details business processes of the organization, to estimate all risks and to answer the main issue: to what effects can lead insufficient observance of organizational and technical measures of protection of information. It is important to understand it the organization, including at further implementation of measures of protection and justification of the corresponding projects.

If you decided to conduct categorization independently, it is possible to receive answers to single questions from the following sources:

• By phone number of a hot line FSTEC Russia: 8 (499) 246-11-89, on methodical charges of the regulator and conferences where specialists of FSTEC act;
• In a detailed technique of categorization of objects of KII from Step Logic with templates of necessary documents and answers to frequently asked questions. The technique extends on a grant basis, is available to downloading on the website of the company and is constantly updated taking into account interaction with the regulator and the got experience;
• On profile resources (for example, a chat of KII 187-FZ in Telegram);
• It is also possible to involve consultants to the solution of specific questions. But in this case this private opinion based on subjective knowledge and experience, and it will not always be correct. It is better to compare information from several sources.

Categorization is executed. What's next?

Further steps will differ depending on whether the organization has significant objects of KII based on categorization.

If there are no significant objects, then the additional requirements on protection of objects of KII defined FSTEC Russia are not required. But it does not mean that it is necessary to protect nothing – quite possibly that after assessment of possible damage at incidents the organization itself will review importance of security of the resources and will be interested in implementation of additional measures of protection. According to requirements 187-FZ, it will be necessary to provide interaction with State system of detection, prevention and elimination of consequences of computer attacks regarding providing data on cybersecurity incidents. Parts according to the transmitted data and the organization of interaction can be found in the relevant orders of FSB of Russia and methodical documents NKTSKI (the body responsible for operating State system of detection, prevention and elimination of consequences of computer attacks).

If the organization has significant objects of KII, then it will need to implement a security system for data protection of objects according to regulating documents of FSTEC of Russia.

Project organization on protection of objects of KII. Recommendations

Taking into account high loading of departments and departments on cybersecurity and the shortages of profile specialists in the organizations, these works usually implement in the form of projects with involvement of contractors. Further we will consider recommendations "on the other side of barricades" as often the organizations drive themselves into a corner, and because of banal inaccuracies in problem definition receive not those results which expected.

1. Segment the project

You should not integrate all "turnkey" works in one project (agreement). There are several stages on which result the volume of all subsequent works therefore before their end the contractor will not be able correctly to estimate terms and the project budget depends. Respectively, will be or dumping and not too qualitative result, in case of amount of works are higher expected, or, on the contrary, attempt to be repawned for closing of the risks. Therefore in Step Logic recommend to break the project into stages and to implement them consistently, starting the next stage only after end previous:

• Categorization of objects. At this stage the field of further works – the list of objects of KII and their border actually is defined;
• Development of requirements of cybersecurity. It is a key stage at which assessment of threats is performed and requirements to necessary actions and means of protecting form or the possibility of use of the existing measures of protection is proved;
• All subsequent works connected with implementation of measures, defined at the second stage.

2. Use results of the previous works

Quite often objects of KII are also personal data information systems (ISPDN) and/or the state information systems (SIS). In such cases it is necessary to fulfill the requirements of regulating documents from several spheres. It is worth putting audit of the projects which are already executed earlier into operation and to answer the following questions:

• Whether correspond each other "old" and Novaya Gazeta of model of threats, executed for the same system – for example, for GIS (ISPDN) which became also an object of KII?
• As far as there correspond the requirements for data protection implemented earlier new what of the existing means of protecting are going to be used for protection of an object of KII?
• As far as do the existing normative and methodical documents of the organization for cybersecurity correspond to new requirements?

3. You should not invent the bicycle

In orders of FSTEC [1] No. 235 and No. 239 all works, their maintenance and documentation which should be developed in the project progress on protection of an object of KII are in an explicit form defined. When forming a task for works it is recommended to adhere strictly to these formulations accurately to carry out an assigned task and not to increase terms and the project budget. Even insignificant adjustment can sometimes entail notable changes in the project.

4. Use means of protecting, "undergone conformity assessment"

Use of the certified means of protecting not in all cases is obligatory. Not to drive itself and the contractor into a corner, state in requirements a formulation from regulating documents: "use of the means of protecting which underwent conformity assessment". The competent contractor himself will define need of use of the certified means of protecting and a possibility of use of alternatives.

The factors influencing the cost of works on implementation of requirements 187-FZ

Finally it is necessary to raise the important question – the cost of projects, to be exact, of factors which can affect it.

Amount of works. The most part of works is directly connected with number of objects of KII in the organization as all objects need to be studied separately, to understand their interrelations, integration into the general infrastructure. Besides, many obligatory documents are developed for each object. Measures of protection regarding cases can also separately be implemented for objects.

Possible optimization. It is recommended to enlarge objects of KII at categorization. If 10 systems implement one technology process and are placed in uniform network segment, then they can be generalized (regarding cases it should be done even with distribution of the increased category of the importance on all systems).

Heterogeneity of objects. If in the organizations of 20 "office" ICs located in standard a LAN, then amount of works is smaller, than, for example, for 10 "office" ICs and 10 APCS. These types of systems differ in architecture, will have different risks of cybersecurity and approaches to their protection.

Centralization. For groups it makes sense to carry out works within the centralized project. In this case the standardized approach using standard documents and project solutions will be provided. The total volume of subjects to protection will remain the same, but the coefficient of typification of systems will increase that will allow to reduce the total cost of works.

Maturity of the existing providing Information Security processes. If in the organization projects on protection ISPDN, GIS, an APCS are already implemented, there is a cybersecurity management system with the adjusted processes, such as risk management, monitoring and identification of incidents of cybersecurity, configuration management, etc., then it is very probable that the project will come down to competent justification of sufficiency of the existing measures and providing links to the corresponding documentation.

Belonging to public authorities. For objects of KII which are GIS there are relevant requirements for use of the certified measures of protection and certification of objects. If these requirements were not fulfilled yet, then it considerably will influence increase in the budget and terms of works. For legal entities it is recommended not to include these requirements in tasks for works as they are not obligatory.

Author: Denis Pashchenko, leading analyst of department of consulting and information security audit of Step Logic

Notes