Information security of an APCS QUO

Technology aspects

If physical security of crucial objects can be solved at the highest level, then some problems of the information security (IS) cause a number of questions. These problems are not unique for an APCS QUO — they meet also in corporate networks. But despite different degree of criticality, their prevalence in the first and second case it is incomparable: in corporate networks such problems more often happen are solved, in an APCS QUO — is much more rare. It is caused by several delusions:

• as if it is enough to provide defense of perimeter of an APCS at the logical and physical levels (firewalling, the access and inside control);
• allegedly the APCS is safe because the hacker will never understand how she works;
• it is considered that 'our' are not interesting to an APCS to the attacks.

According to the statistics a NIST (National Institute of Standards and Technology), published in 'The security guidance of automated control systems' (Guide to Industrial Control Systems (ICS) Security, Special publication 800-82), the most dangerous the aimed external attacks are. Though at the same time they and the smallest. Inadvertent threats and angry employees including being^[1] are considered as the most probable^[2].

Software update

As a rule, installation of security updates on the APCS components is performed very seldom. It is caused by several factors:

• need of continuity of technology process (for installation of updating reset/switching off of an APCS can be required);
• inadmissibility of automatic update and need of preliminary testing of updates owing to criticality of an APCS QUO;
• dependence on software developer of an APCS.

The lack of timely updates allows malefactors to do harm to a system, using the known vulnerabilities of software. For all system components and software the latest security updates provided by producers should be set.

Access control and password policy

For work at operator/dispatching workstations administrative accounts with lungs for search or guessing by passwords are often used. At the same time they can be 'sewn up' with very unsafe method and be stored (to be transferred) in open form. And sometimes these passwords can not be at all.

Thus, it is enough to get physical access to the APCS this component further to compromise all system. As justification owners of an APCS QUO usually point to the requirement of continuity of technology (production) process or monitoring. According to them, identification procedures and authentications of users (operators and managers), it is difficult to them to remember long passwords, can prevent this continuity. As a countervailing measure they consider sufficient the organization of the high access and inside security.

But whether is valid it enough? To answer the matter, it is possible to remember internal violators, social engineering and also normal viral infections which can result in deplorable results.

Incident management

Cybersecurity incident management processes are, as a rule, not documented and are not performed properly. Meanwhile the enterprise needs to define what events and on what APCS components should be traced and also who and how often should perform their monitoring and the analysis.

Characteristic example: on risk assessment results installation of restrictions on the number of attempts of password entry can be recognized dangerous in terms of ensuring continuity of technology process. But in that case as a countervailing measure monitoring of events of the wrong password entry shall be conducted. This measure can timely help to reveal infection of the APCS components with the malware which often is followed by attempts of selection of passwords for further infection and distribution.

The lack of a monitoring system of cybersecurity events and responses to incidents does not allow to trace quickly arising critical events and destructive actions of malefactors timely to take necessary and adequate measures of counteraction. At the same time it is difficult to carry the organization of a system of the centralized collecting and the analysis of events of cybersecurity to expensive procedures. At least, she does not demand purchase of hardware and software systems which cost much.

Monitoring of network infrastructure of an APCS

Monitoring of network infrastructure of an APCS QUO is often limited to detection of faults or failures of network equipment. For lack of sensors of invasions it is impossible to define attacks on network resources and to timely counteract them. It is especially critical if the technology network is connected to corporate, and corporate — to the Internet.

Taking into account requirements to the continuity of technology processes it is recommended to use the systems of passive detection of invasions which will perform the analysis of network traffic without intervention in data transfer processes.

Awareness of employees in the field of cybersecurity

One more vital issue for safety of an APCS QUO is lack of information in the field of cybersecurity of the personnel servicing an APCS. Knowledge and observance of the simplest rules of information security can prevent at least implementation of inadvertent security risks of an APCS. And understanding that the security service traces and controls actions of service staff can reduce the probability of implementation of deliberate threats.

The cybersecurity problems mentioned above do not exhaust all list. At the same time it should be noted that owners of an APCS QUO, domestic and foreign regulators, cybersecurity integrators even more often correctly estimate their criticality and need to solve them.

Questions of regulation

Role of FSTEC in providing Information Security

FSTEC of Russia according to regulations on federal service performs powers on security of the key systems of information infrastructure, including – security in an APCS of crucial objects.

The priority in it is given to security of management systems of the MIC organizations, entity management systems atomic and hydropower, production and transportation of oil and gas, management of transport. FSTEC notes that objects of such organizations are not only under close attention of the terrorist organizations, but also under attention of foreign intelligence agencies. Violation of work of automated systems on these objects can lead to death of people, to technology and environmental disasters, loss of a state administration and to other emergencies.

Crucial objects of nuclear sector - in priorities on providing Information Security

Regulatory legal acts of FSTEC

Among measures for information security support (cybersecurity) of automated systems of crucial objects – development of regulatory legal acts, methodical documents, national standards. The main documents of FSTEC for providing Information Security of crucial objects existing as of the middle of 2015 is the document group, published by service in 2007. Among them - basic model of security risks and a technique of determination of relevant security risks in the key systems of information infrastructure.

Telling about a regulatory framework of security of an APCS of critical objects within the "Security of Crucial Objects of Energy Industry" conference in June, 2015, the deputy head of department of FSTEC Dmitry Shevtsov in the report noted that the most important document issued by their service regarding providing Information Security of an APCS of crucial objects is order No. 31. The document was published in March, 2014, and in 2015 was registered by the Ministry of Justice of the Russian Federation.

This order approves requirements to ensuring data protection in an APCS on crucial objects, potentially dangerous objects and also on objects of the increased danger to life and human health and the environment. According to Shevtsov, specialists of FSB,Ministry of Energy,Minpromtorg,Ministry of Transport,Roskosmos,Rosatom,Gazprom and some other the state and private organizations under which authority crucial objects are were involved in development of these requirements. When developing the document not only the Russian experience, but also the best practices of the foreign states was considered.

The representative of FSTEC also explained that the order defines flexible approach on the instructions of requirements to ensuring data protection in automated control systems which allows to consider and neutralize all relevant threats for the object owner and also allows to consider all structurally functional characteristics and nuances of this object.

In 2016-2017 in development of order No. 31 of FSTEC is going to issue the methodical document defining information measures of protection in automated control systems. The technique of determination of security risks of information in automated control systems and a number of models of standard threats of cybersecurity for different types of management systems will become one more document. Also it is going to issue the methodical documents describing an order of identification and elimination of vulnerabilities in automated control systems and an order of response to incidents.

APCS cybersecurity level: results of checks

FSTEC notes that in most the state and private companies which have crucial objects considerable attention is paid to questions of security of an APCS. In Rosatom state corporation, in Gazprom,Rosneft,RusHydro,FGC UES and some other the integrated structures the industry corporate standards regulating questions of security of an APCS are entered. These standards at the heart of the rely on regulatory legal acts and methodical documents. According to Dmitry Shevtsov, his service considers development of such standards positive practice and is ready to support this work which is carried out by the companies.

At the same time, there are also bad points concerning security of information in an APCS in the companies which come to light according to the results of the inspections which are carried out by service, Dmitry Shevtsov notes. So, in separate an APCS practically does not have the mechanisms providing protection of systems against external information threats. Insufficient attention is paid to questions of protection against unauthorized access and threats from the internal violator, measures for safe network interconnection are not taken.

"The analysis of the revealed shortcomings shows that the majority of problems in this area are connected with attempt of implementation of measures for data protection already at a stage of acceptance of an APCS in operation, but not at early stages of their creation. By our estimates, shortcomings of protection of an APCS of crucial objects are in most cases caused by lack of due attention from heads under whose authority objects are", - Dmitry Shevtsov says.

One more important problem which is seen in FSTEC is the unwillingness of ACS developers to implement measures of protection at a stage of their development. As a result all responsibility lays down on shoulders of those who operate these systems, and often at a stage of operation it is impossible to take these measures, Shevtsov noted: a system already works, it cannot be stopped and to difficult replace its some elements.

"With respect thereto we consider it necessary to take only measures for information security at all stages of lifecycle of an APCS", - Dmitry Shevtsov summarized.

Questions of security of crucial objects are regulated by a number of industry legal acts: it and the Federal Law about security of objects of energy industry, about transport security, about industrial security of production facilities, about use of atomic energy, etc. These legal acts set regulations according to which on crucial objects and potentially dangerous objects measures for ensuring their safe functioning should be taken.

Dmitry Shevtsov notes that in general such measures are taken, however in the majority have organizational character, and not enough attention is paid to questions of technical protection of an APCS against threats of cybersecurity. At the same time, automation of the majority of crucial objects reached such level that safety of their functioning is inseparably linked with information security of an APCS, he added.

"Lebed, cancer and pike": other regulators

It is important to note that order No. 31 of FSTEC though is the important document in providing Information Security of an APCS of crucial objects, but, in fact, has no binding character to application for the organizations under whose authority such objects are. This document is applied at acceptance by the owner of an ACS of the decision on need of data protection, and in FSTEC consider necessary its application for this purpose.

In addition to FSTEC regulation of security issues of information infrastructure of crucial objects is performed also by other organizations – FSB and Rostekhnadzor. However as of the middle of 2015 the list fully of the regulatory legal acts supplementing each other from all regulators which would order the general mandatory standards of providing Information Security of an APCS of crucial objects is not created yet.

On expectations of market participants to which TAdviser communicated over "and" in this question the federal law on security of crucial information infrastructure drafted by FSB should place points. In August, 2013 FSB^[3] published] two bills regulating this area. The first of them defines at the expense of what in Russia safety of critical information infrastructure is ensured and sets the principles of ensuring such activity and also power of state agencies in the field.

The second bill defines measures of responsibility for violation of the legislation on security of critical information infrastructure. At the same time on an equal basis with disciplinary, civil and administrative for violation of the developed FSB of the law also criminal liability is provided.

In 2014 it was expected that these bills will be adopted in 2015, however in already new year, according to market participants, FSB specifies time frames of adoption of law now 2016. Dmitry Shevtsov from FSTEC noted that after emergence of this federal law it has to become clear whether the key order of their service in the field of providing Information Security of an APCS of crucial objects is obligatory or not.

You See Also

Security of the operational technologies (OT)

Notes