Protecting the APCS and other threats at Norilsk Nickel
The top-priority threat to industrial enterprises is unauthorized access to industrial control systems (APCS). Corporate services are increasingly being integrated with the APCS, which raises the risk of external intrusion, says Vladislav Gasumyanov, head of the Corporate Security Directorate and head of the Security Block at MMC Norilsk Nickel. In an interview with TAdviser he explained that the company's information security system rests on three pillars.
TAdviser: On what principles is your information security system built?
Vladislav Gasumyanov: At JSC MMC Norilsk Nickel the information security system is built on three principles. The first is the development of normative and regulatory documentation; the second is the implementation of protective measures; the third is raising the level of employee awareness of information security issues.
To accomplish these tasks, the company continuously monitors and describes its critical business processes, builds the threat and intruder model, improves the regulatory framework, trains personnel in information security matters and implements new information security systems. All of these activities are cyclical.
TAdviser: What types of threats do you consider most characteristic of your industry?
Vladislav Gasumyanov: It is probably not quite correct to speak of threat types characteristic of an industry. When building the intruder model, all possible types of threats are considered and then correlated by the extent of their impact on business processes. Given the ever deeper integration of the APCS into enterprise management systems, threats of unauthorized access to the APCS arise. This type of threat is the priority.
TAdviser: How are information security incidents graded in your company?
Vladislav Gasumyanov: The company grades information security incidents on the basis of weighting coefficients, i.e. by the degree of negative impact on the company's critical business processes. This method makes it possible to single out high-level incidents from the mass and focus attention on them.
TAdviser: What major IT security projects did you implement in 2014?
Vladislav Gasumyanov: Recently we have observed a trend of a considerable number of mobile devices, such as tablets and smartphones, being drawn into the company's business processes. The list of company employees who are granted access to corporate information services from mobile devices is also expanding.
Just a year ago, e-mail from mobile devices was used mainly by company executives. Today non-management employees are getting access to this service, driven by the need for round-the-clock online access to information.
The company's Security Block implemented a project to deploy an access control system for employees' mobile devices. This measure will help minimize the risk of leaks of critical information.
With the project implemented, we obtained secure access to corporate resources, security and confidentiality of the information stored on the mobile device, and, in the event of loss or theft of the device, the ability to remotely lock or wipe it.
TAdviser: Tell us, please, what do you think of containerization of information? Some heads of corporate cybersecurity departments consider this method of data protection appropriate, while others believe it violates the rights of workers.
Vladislav Gasumyanov: This approach to data protection makes it possible to secure the data held in the mobile device's memory by encrypting it, which is especially relevant when working with special categories of data such as trade secrets and personal data. Given that 90% of the company's fleet of mobile devices consists of Apple devices, there is no possibility of embedding certified means of cryptographic information protection, owing to the specifics of Apple's iOS operating system.
TAdviser: Do you use analytical tools to identify weak points in information security systems?
Vladislav Gasumyanov: Yes, Norilsk Nickel has been using tools for security analysis of corporate information systems for more than seven years. Such solutions make it possible to automate the process of identifying "weak" spots in the company's IT infrastructure and to develop recommendations for eliminating them.
TAdviser: What projects are you going to implement in the next two to three years? How will the exchange rate affect your plans?
Vladislav Gasumyanov: In the near future the company will implement an electronic digital signature (PKI) system integrated with the electronic document management system (EDMS). From this implementation we expect to ensure control of the integrity and authorship of the electronic documents processed and stored in the EDMS. Given that the developer of the PKI solution is a Russian company, the influence of exchange rates is minimal.
TAdviser: What main trends in information security will prevail in your industry in the next two to three years?
Vladislav Gasumyanov: The first trend in information security in industrial production is threats of unauthorized access to the APCS. Lately a considerable number of vulnerabilities have been revealed in the APCS software of the largest global manufacturers. I will note that the time to eliminate revealed vulnerabilities is often long because of the complexity of the APCS, and a vulnerability can be exploited for years. Everyone should understand perfectly well what the consequences can be.
The second trend, in my opinion, is the protection of cloud services, both public and private. Given the global trend of migrating infrastructure to the "cloud", this area also needs close attention. The third trend is the protection of mobile devices.