2024/02/12 10:10:50

Security of critical information infrastructure of the Russian Federation

The article is devoted to regulatory regulation and practical aspects of ensuring the security of critical information infrastructure facilities in the Russian Federation.


Main article: Critical information infrastructure of Russia

2024

The concept of technological independence of CII has been standardized, provisionally for now

Rosstandart in early February 2024 published a preliminary standard PNST 905-2023[1] "Critical Information Infrastructure. Trusted hardware and software complexes. Terms and definitions, "which defines the basic concepts in the field of trusted hardware and software systems (DPAK) for the critical information infrastructure of the Russian Federation.

The standard is preliminary and its validity period is limited: from April 1, 2024 to April 1, 2027. However, it is precisely in this period that the technological independence of Russia's CII is supposed to be achieved through import substitution, so the standard may matter for the entire domestic information security market.

Cover of PNST 905-2023 standard

The standard states that the terms it establishes are recommended for use in all types of documentation and literature on the design, development and manufacture of DPAK and their components, as well as in drafting regulatory documents in this area. So anyone who does not use the relevant terms can expect questions about their competence.

The key concepts of the document are the definitions of such terms as the technological independence of CII and a trusted software and hardware complex. This is "a state of critical information infrastructure, characterized by the possibility of its creation, stable, reliable functioning and development, including in conditions of restrictions in the availability of technologies and components" and "a software and hardware complex that meets the requirements of ensuring the technological independence of critical information infrastructure, functionality, reliability and security," respectively.

At the same time, a number of requirements are imposed on a DPAK: precisely ensuring the technological independence of CII, functionality, reliability and security. To meet them, a DPAK must contain a key technical solution (KTP), an integral part of the complex that is essential to meeting the requirements above at all stages of its life cycle. What exactly a KTP is is not specified, but the definition closely resembles a domestic analogue of a TPM hardware module, which apparently will have to be present in every DPAK.

In addition, the standard defines for DPAK a test site, electronic products (RAP) and electronic component base (ECB), which are used for its design, testing and operation.

There is also a definition for software, which is divided into four categories: built-in, system, application and special. All these categories of software must be stored in the code repository, which must be completely located in Russia.

PNST 905-2023 was developed by NPO Critical Information Systems (KIS) and the Engineering Safety expert organization. It was approved by the technical committee No. 167 of Rosstandart under the name "Software and hardware complexes for critical information infrastructure and software for them" at the end of last year - December 28, 2023 by order of Rosstandart No. 115-pnst.

Since the standard is preliminary, Rosstandart accepts comments and additions to it, which should be sent to the agency no later than four months before the end of its validity period. The full standard will then be developed on their basis, but that is a different story.

Putin allowed transport security officers to shoot down drones

The Russian president signed a law allowing transport security officers to shoot down unmanned aerial vehicles. The corresponding document was published on January 30, 2024. Read more here.

2023

Repel 65,000 attacks on critical information infrastructure

Domestic specialists repelled more than 65 thousand attacks on critical information infrastructure (CII) facilities in 2023. This information was shared by Deputy Prime Minister of the Russian Federation Chernyshenko, as reported on February 9, 2024 by the press service of State Duma deputy Anton Nemkin.

Critical information infrastructure facilities form the basis of the country's economic system, explained Anton Nemkin.

"In fact, these include the most important infrastructure facilities: state-owned companies, banks, industrial enterprises, scientific organizations, transport and health care facilities. Allowing cyber attacks in this case can lead not only to the leakage of corporate information, but also of information related to state secrets. In addition, a cyber incident can disable an organization's production processes for an indefinite period," the deputy explained.

It is because of these reasons that the KII facilities are under close attention from the attackers, Nemkin emphasized.

"Let me remind you that in the first half of 2022 alone, the total number of cyber attacks on Russian organizations increased 15 times compared to the same period in 2021. Of course, the factor of international instability could not but have an effect here," he said.

"Switching from one system to another sometimes creates gaps in information security that attackers actively exploit. We are talking about vulnerabilities both in application software and in the infrastructure itself. At the same time, the optimal level of security largely depends on the speed of integrating new solutions," the deputy said.

Almost a third of Russian companies with CII faced security incidents

32% of CII subjects have experienced security incidents of varying severity, and at least 35% of them involved damage that can be expressed as financial losses. Downtime is the most common consequence, most often attributed to DDoS attacks and website hacks. Other consequences cited are reputational damage, unrecoverable data loss and direct financial damage. These figures come from a study by K2 Tech, which the company announced on December 26, 2023.

The subjects of CII include organizations on which the work of transport, communication networks, the functioning of the financial system and state, medical and other services depend. Therefore, stopping their activities can cause serious damage to the life and health of people. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" should protect industry, banks, hospitals and other institutions and companies from cyber threats.

Although the law came into force in 2018, a significant number of companies admit that they still do not know which solutions they will need in order to meet the requirements of 187-FZ: 24% of respondents have not decided on their plans, 68% have a clear idea of the upcoming purchases, and 8% found it difficult to answer. Because of the complexity of the projects and import substitution requirements, companies are forced to buy additional solutions and replace existing ones. The most popular class of information security tools as of December 2023 is firewalls, although many questions surround them, because so far there are no Russian analogues comparable in performance to the products of the foreign vendors that have left the market. In second place are anti-malware tools, followed by network equipment, cryptographic protection and SIEM.

"Many companies only began to work closely on fulfilling the requirements of 187-FZ in 2023. This is due, firstly, to the appearance of Presidential Decree No. 250, which spells out specific practical tasks that need to be completed, deadlines and responsible persons, and secondly, to the fact that in 2022 business was focused on combating attacks and fulfilling the instructions of FSTEC. As of December 2023, most companies are still at the start of implementation. The most important stage for the successful completion of the project is high-quality categorization and audit of CII objects. More than half (57%) of companies partially or completely entrust this process to external contractors. It saves a lot of time. When an organization performs the audit on its own, we sometimes find that there are three times more CII objects than originally indicated," said Andrey Zaikin, director of business development at K2 Cybersecurity.

"Over the years, we have seen a significant increase in the maturity of our industrial customers in the field of information security. The problems that we encountered before, such as denial of the need to protect process control systems (APCS) and critical information infrastructure (CII), the absence of persons responsible for ensuring information security, and the use of corporate solutions for protecting APCS, are now fading into the background. Nevertheless, the development of the information security market for industrial infrastructures dictates the need to move from protecting CII objects, primarily industrial automation systems, using passive monitoring, to more tightly integrating protection tools into the perimeter of such systems and taking active steps to respond to emerging incidents and (or) prevent them. Increasing customer readiness to implement such an approach in industrial networks is something that still has to be worked on," said Andrey Bondyugin, head of the industrial infrastructure protection projects support group at Kaspersky Lab.

"Recently, the number of cyber attacks on supply chains has increased, in which hackers inject malicious code into software on the side of a hacked IT company, and it then imperceptibly enters customer infrastructure, for example, along with the next update. In terms of potential negative impact, such a cyber attack can really be compared with hacking a significant CII object, especially since a malicious module embedded in the software can enter the infrastructures of many CII subjects at once. One option for solving the problem could be to organize a state service for checking the security of software and hardware-software complexes, for example, using sandboxes, composition analysis methods and static, dynamic and interactive analysis tools; after such a check confirms the absence of implants ("bookmarks") in the distribution kit or service pack, the hash value of the installer can be placed in a publicly available register of trusted software, against which CII subjects will be required to check," said Ruslan Rakhmetov, General Director of Security Vision.

The Ministry of Digital Development allocates 25.2 billion rubles for the development of GIS in the field of cybersecurity

On November 28, 2023, it became known that the Ministry of Digital Development of the Russian Federation intends to allocate 25.2 billion rubles for the development of state systems in the field of cybersecurity. The initiative is designed to speed up import substitution in this area, as well as increase the effectiveness of existing protection systems against hacker intrusions, malware, etc.

According to the Kommersant newspaper, the initiative is stated in the materials of the national project "Data Economics." The indicated amount of the Ministry of Digital Development proposes to invest in the period until 2030. It is planned that all foreign products in the field of information security (information security) will receive Russian analogues. This will help companies and government agencies to abandon import solutions, which is important in the conditions of the formed geopolitical situation.

The Ministry of Digital Development intends to allocate 25.2 billion rubles for the development of state systems in the field of cybersecurity

Of the total 25.2 billion rubles, the Ministry of Digital Development will allocate 7.1 billion rubles to the development of a new system for countering computer attacks, "Multiscanner," built on the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks (controlled by the FSB). The platform will be able to process more than 90 million files per year. Multiscanner is intended as an analogue of the free American service VirusTotal, which analyzes objects for malicious code. Full deployment of the new protective complex is scheduled for 2025.

Another 3.7 billion rubles will go to the development of the state systems "Antifraud" (countering fraudulent calls; Roskomnadzor) and "Anti-phishing" (blocking fraudulent sites; Ministry of Digital Development). The Ministry of Digital Development intends to spend approximately 2.4 billion rubles on assessing the security of key state information systems (GIS). About 12 billion rubles will be required for other cybersecurity systems, including cryptographic tools.

However, market participants say that the investments announced under the project "look somewhat overestimated" even taking into account inflation. At the same time, the commercial director of the Security Code, Fedor Dbar, emphasizes that "financing in itself does not guarantee any result."[2]

FSTEC revealed hundreds of violations in the protection of Russia's information infrastructure

The Federal Service for Technical and Export Control (FSTEC), following an assessment of the security of critical information infrastructure at 900 subjects, identified about 600 violations. Pavel Zenkin, deputy head of one of the agency's departments, reported this in mid-November 2023. According to him, in terms of the number of violations detected, the situation has hardly changed compared to 2022.

"These are all the same organizational measures: the subject does not know which objects of critical information infrastructure it has, does not know their architecture, specialists do not know that they work on CII objects and ensure their security. As for technical measures, there is also nothing new here: default passwords, connections to external networks, vulnerability analysis is not carried out, threats are not blocked," Zenkin said at the IT forum in Novosibirsk (quoted by RIA Novosti).

FSTEC revealed about 600 violations in the protection of CII

The representative of the FSTEC noted that since the start of the special military operation, the FSTEC of Russia has sent more than 160 measures to the subjects of the information infrastructure aimed at increasing the security of facilities, including vulnerability analysis and software updates in the context of the sanctions policy. According to Zenkin, hundreds of violations in the protection of Russia's information infrastructure are "just a colossal figure."

"All the flaws that I mentioned lead to incidents...," he added.

In mid-November 2023, Deputy Director of FSTEC Vitaly Lyutikov noted that the main reason for the large number of vulnerabilities in the software of KII objects was the departure of foreign vendors who stopped supporting their solutions installed on the infrastructure of Russian customers.[3]

"Here it is necessary to build vulnerability management processes in order to minimize at least critical ones," he said.

IT contractors in Russia will be required to comply with cybersecurity requirements

The Federal Service for Technical and Export Control (FSTEC) is developing information security requirements for IT contractors working on IT systems. Vitaly Lyutikov, deputy head of the agency, reported this on November 14, 2023.

According to him, cybersecurity requirements for state contractors providing IT development services are necessary because most hacks and data leaks from government information systems occur through development contractors, to which no mandatory requirements are imposed.

FSTEC is developing requirements for IT contractors to ensure the information security of IT systems

"The number of threats is growing, the damage from them is increasing. All the old [threats] remain. These problems have to be solved at the legislative level," said Lyutikov (quoted by Vedomosti).

He noted that FSTEC had checked 40 thousand critical information infrastructure systems, and a third of them were sent back for revision "in terms of reassessing the possible damage" in case their operation is disrupted by hacking. Almost every second system inspected by FSTEC contains critical vulnerabilities, Lyutikov said.

According to FSTEC, by mid-November 2023 about 19% of the information systems checked had been entered into the register of CII objects. Another 50% of information systems have not been assigned categories, and 31% of applications for assignment of a significance category were returned. At the same time, about 1.6 thousand requirements for implementing the security legislation were sent to owners of CII objects.

"The number of systems is growing, the number of objects included in the register of significant CII objects is increasing. The problem is that operators or owners of CII objects try to underestimate the damage, minimize it and show, when defining the object, that no consequences and no damage will occur. But the incidents that have occurred over the past two years indicate the opposite," added the deputy director of FSTEC.[4]

FSTEC will create a centralized database to control KII facilities - Putin's decree

Russian President Vladimir Putin signed a decree expanding the powers of the Federal Service for Technical and Export Control (FSTEC). The document was published in November 2023. Read more here.

FSB detained a citizen of the Russian Federation who entered the cyber intelligence of Ukraine to attack the Russian KII

FSB officers of the Russian Federation detained in the city of Belovo, Kemerovo Oblast, a Russian citizen who conducted illegal activities against the security of the Russian Federation. The detainee was charged with committing a crime under Art. 275 of the Criminal Code of Russia (high treason in the form of providing other assistance to a foreign organization), a preventive measure was chosen in the form of detention. Information about this was published on the official website of the FSB in a message dated October 31, 2023.

(Photo: operational footage of the FSB of Russia)

It was established that the detainee, using an Internet messenger, had joined a cyber unit operating in the interests of the Ukrainian intelligence services, which carried out computer attacks with malicious software on Russian information resources, leading to disruption of the operability of the country's critical infrastructure facilities.


According to the FSB, investigative actions and operational-search measures were carried out in the addresses of residence and work of the defendant in the criminal case, as well as his connections, during which computer equipment and communications were seized, data were obtained confirming his anti-Russian activities.[5]

The Ministry of Digital Development of the Russian Federation will oblige TV channels and telecom operators to create information security units

In mid-October 2023, it became known that the Ministry of Digital Development of the Russian Federation had developed new requirements under which Russian media owners, as well as cellular and satellite television operators, are obliged to create information security (IS) units. The new rules will come into force on January 1, 2025.

According to the Vedomosti newspaper, the requirements apply to all channels of the first and second multiplexes, to Rossiyskaya Gazeta, ITAR-TASS and MIA Rossiya Segodnya. These organizations and telecom operators should switch to domestic means of protecting information, while the use of relevant solutions from unfriendly countries is prohibited. The information security division will become a kind of "internal auditor" of the IT infrastructure, as the number of cyber attacks on Russian companies is growing in light of the current geopolitical situation.

The Ministry of Digital Development has developed new information security requirements for owners of Russian media

The new requirements partially duplicate the provisions of Decree No. 250 (adopted in May 2022), which applies to subjects of critical information infrastructure (CII). Such organizations are obliged to provide a certain standard of protection against emergencies and attempts and consequences of deliberate destructive impact on them. Market participants say that if the strict requirements of KII are extended to the entire operator business and the media, huge financial costs will be required.

In general, the size of the investment in creating an information security unit depends on a number of parameters, including the number of employees in the organization, the volume of its information infrastructure, and so on. The minimum internal information security department will consist of a manager, an information security specialist and a personal data specialist. B1 partner Sergei Nikitchuk believes that, depending on the size of the business, compliance with the new requirements will require investments of 5 million to 50 million rubles a year. In addition, further costs will arise from the need for import substitution of information security tools.[6]

Details of cyber attacks on Russian defense industry enterprises through Microsoft Office revealed

Positive Technologies experts Denis Kuvshinov and Maxim Andreev, with the participation of the Incident Response and Threat Intelligence teams of the PT Expert Security Center, prepared a detailed report analyzing a Trojan they named MataDoor. The Trojan had previously been spotted in Malwarebytes and Kaspersky Lab reports, where it was named MATAv5 and attributed to the activity of the Lazarus hacker group. Positive Technologies experts obtained a sample at one of the defense industry enterprises in the fall of 2022.

The experts tentatively associate the initial penetration vector of the malware into the enterprise infrastructure with exploitation of CVE-2021-40444, a vulnerability in MSHTML, the Internet Explorer rendering engine. The same component is used by Microsoft Office applications, which makes it possible to build an exploit that downloads and executes malicious code on the victim's machine. For the attack to succeed, the victim has to download a DOCX document and open it for editing in Microsoft Office.

MataDoor can be used to steal valuable, classified or personal information, as well as to implement listening, tracking components and logic bombs

According to the researchers, emails containing documents with exploits for CVE-2021-40444 were sent to Russian defense industry enterprises in August-September 2022. Some of them were related in content to the field of activity of the targeted enterprises; others were composed simply to attract the recipient's attention. Earlier, in September 2021, Malwarebytes had recorded and investigated similar mailings, but with a different exploit.

Emails carrying the CVE-2021-40444 exploit have to get the user to enable editing mode, which is a prerequisite for the exploit to fire, since a document opened from email is first shown in Protected View. The emails used deliberately low-contrast text intended to make the user enable editing in order to change the font color to something more readable. Once editing mode is enabled, malicious code is downloaded and executed from a resource controlled by the attackers. So if your employees received and viewed emails with low-contrast or otherwise awkwardly formatted documents, it is worth examining your infrastructure against the indicators of compromise that the researchers published in the report.
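The document-level indicator of this delivery technique can be checked without opening the file in Office. The following is an added example written for this page, not code from the Positive Technologies report: it unpacks a .docx (a ZIP of XML parts) and inspects every relationships part for an external oleObject relationship, or any external target that uses the mhtml: scheme or the x-usc: chaining trick, which is the structure the CVE-2021-40444 lure documents relied on. The sample document is constructed in memory, carries no exploit, and uses a placeholder host name; the helper names are assumptions.

```python
"""Scan .docx files for the external OLE relationship pattern used by CVE-2021-40444 lures.

Added example (not from the report). A .docx is a ZIP of XML parts; the lure documents
abused an oleObject relationship whose Target was an external mhtml: URL (usually with an
x-usc: suffix) so that MSHTML fetched attacker content once the document left Protected View.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"


def suspicious_relationships(docx_bytes: bytes) -> list:
    """Return (rels_part, target) pairs for external relationships that look like a
    CVE-2021-40444 lure: an external oleObject, or an external target using mhtml:/x-usc:."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "") != "External":
                    continue  # internal part references are normal
                target = rel.get("Target", "")
                lowered = target.lower()
                if rel.get("Type") == OLE_TYPE or lowered.startswith("mhtml:") or "x-usc:" in lowered:
                    findings.append((name, target))
    return findings


def build_sample_docx(with_indicator: bool) -> bytes:
    """Constructed minimal .docx (assumed layout, no exploit content). When with_indicator is
    True, the document relationships include the external mhtml: oleObject entry.
    The host name uses the reserved .invalid TLD and is not a real attacker domain."""
    rels = [f'<Relationship Id="rId1" Type="{STYLES_TYPE}" Target="styles.xml"/>']
    if with_indicator:
        url = "http://lure.example.invalid/word.html"
        rels.append(
            f'<Relationship Id="rId2" Type="{OLE_TYPE}" '
            f'Target="mhtml:{url}!x-usc:{url}" TargetMode="External"/>'
        )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        # Usage: python scan_docx.py file1.docx file2.docx ...
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                hits = suspicious_relationships(fh.read())
            print(path, "SUSPICIOUS" if hits else "clean", hits)
    else:
        print("clean sample:", suspicious_relationships(build_sample_docx(False)))
        print("lure-like sample:", suspicious_relationships(build_sample_docx(True)))
```

The check is deliberately structural rather than signature-based: it does not care which host the URL points to, only that a document carries an external OLE or mhtml: relationship, which legitimate office documents almost never do. It complements, rather than replaces, matching the published indicators of compromise for MataDoor itself.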

Note that MataDoor is designed for long-term covert operation on a compromised system. Its files carry names resembling legitimate software installed on the infected devices, and some samples had a valid digital signature. The identified executables and libraries were also packed with the Themida protector to complicate analysis and detection.

The malware is a modular Trojan consisting of a core (orchestrator) and modules (plugins), which do all the actual work depending on which computer it lands on. MataDoor also provides its modules with infrastructure for transferring data to the command-and-control server and asynchronously executing commands received from it. Thus MataDoor can be used both to steal valuable, secret or personal information and to plant eavesdropping and tracking components and logic bombs. The damage caused by the detected malware and its relatives is still difficult to assess; each case requires a thorough investigation.

Government May Ease Import Substitution Requirements in Critical Information Infrastructure

The requirements of President Vladimir Putin's decree on moving critical information infrastructure (CII) objects to domestic solutions may be relaxed. Under the decree signed on March 30, 2022, all software and hardware complexes (PAC) at CII objects are to be replaced with domestic ones by January 1, 2025.

But for PACs, an extension until the end of the service life of existing solutions may be possible. Such an amendment to the decree was developed by the Ministry of Industry and Trade, a federal official told Vedomosti, and a top manager of one of the oil and gas companies confirmed it. According to them, the document has been submitted to the government.

Ministry of Digital Development will create a software registry for critical information infrastructure objects

On August 7, 2023, it became known that the Ministry of Digital Development of the Russian Federation developed a new bill on the security of critical information infrastructure (CII). The document in the future will lead to the formation of a special register of software allowed for use in CII systems.

According to the Kommersant newspaper, the document "empowers the government to determine for each industry (and not just state-owned companies) standard solutions that will be attributed to KII facilities, as well as establish for them the timing of the transition to Russian solutions." In addition, it is planned to select typical IT solutions that will be classified as CII facilities. In other words, information systems used in certain industries will be equated directly to CII objects.

Ministry of Digital Development has developed a new bill on the security of critical information infrastructure

As of the beginning of August 2023, the subjects of the KII include government agencies, organizations in the field of communications, health, science, transport, power, banking, the fuel and energy complex and other significant sectors of the economy.

Categorizing the information systems of significant industries themselves will, in effect, expand the scope of the law by bringing in objects that were not previously covered, and will lead to a register of software recommended for use at enterprises and organizations in various sectors of the economy.

Market participants believe that the new bill will contribute to the fact that it will be easier for specialists in KII subjects to categorize based on government-approved lists. On the other hand, it could "strengthen regulatory barriers for the industry." Belonging to the CII imposes on organizations a number of working conditions, including security and import substitution. According to the decree of the President of the Russian Federation of March 2022, government agencies and state-owned companies are prohibited from using foreign software at KII facilities from January 1, 2025.[7]

Ministry of Digital Development of the Russian Federation asked government agencies to create an additional IT infrastructure with georeservation

On August 4, 2023, it became known that the Ministry of Digital Development of the Russian Federation sent methodological recommendations to the departments to strengthen the stability of information infrastructure. In particular, it is proposed to back up communication channels and ensure the geographical distribution of data centers (data centers).

According to the Kommersant newspaper, the IT systems of federal departments belong to the critical information infrastructure (CII). In the current geopolitical situation, the number of cyber attacks on such resources has increased significantly, which leads to the need to strengthen protection. Redundancy of communication channels is required if, for example, in a data center where one or more departments store data, access is organized on a single line. In the event of a cyber attack or physical damage to the network channel, access to the department's information system will not be possible.

The Ministry of Digital Development sent methodological recommendations to the departments to strengthen the stability of information infrastructure

Against the background of new threats in cyberspace, an effective protective solution can be the creation of geodistributed virtual and physical data centers with backup communication channels. If this is not possible, then at least it is necessary to connect additional communication channels to the information system, which will be built along geographically different routes.

Market participants say that the recommendations of the Ministry of Digital Development have already contributed, among other things, to growing demand for data placement in regional data centers. Some Russian companies are moving the processing and storage of information from data centers in the Moscow region to beyond the Urals, and providers note rising demand in the cloud services segment in Yekaterinburg and Novosibirsk. However, building IT infrastructures with georeservation and deploying additional data transmission channels will increase departments' spending on information infrastructure. Costs may rise by 10% because of the need to lease additional servers and create auxiliary network channels.[8]

Real estate data in Russia will protect against cyber attacks

At the end of June 2023, the State Duma adopted in the third (final) reading amendments to the federal law "On the Security of the Critical Information Infrastructure of the Russian Federation" clarifying who counts as a subject of critical information infrastructure.

The document classifies as CII objects the information systems, information and telecommunication networks and automated control systems operating in the field of state registration of real estate. In addition, the persons who own such systems and networks will also be considered CII subjects.

CII will include information systems, information and telecommunication networks and automated control systems operating in the field of state registration of real estate

This initiative, according to its authors, will allow extending to the real estate sector a set of measures that are used by the state to protect critical information infrastructure. New norms are being introduced to ensure the security of real estate registration data "to protect them from hacker attacks and abduction," says Vasily Piskarev, chairman of the Duma security committee.

One can only imagine the consequences of hackers' attempts to break into the databases and, for example, alter the data on real estate owners or simply steal that information for fraudulent purposes, he said.

The adoption of the bill will make it possible to implement a set of measures to detect, prevent and eliminate the consequences of computer attacks on objects in this sphere, and will create conditions for countering crimes, the explanatory note to the document says.

Nikita Chaplin, a member of the Committee on Budget and Taxes, stressed that it is extremely important to pay special attention to protecting real estate registration data from theft, especially where the critical information infrastructure of the Russian Federation is concerned. He also noted that the Russian special services are successfully repelling attacks.[9]

The FSB cyber security center records growth in cyber attacks through IT contractors. What it recommends

The National Coordination Center for Computer Incidents (NCCCI), which is subordinate to the FSB, names cyber attacks on the information systems of government agencies and subjects of critical information infrastructure (CII) through the supply chain, that is, via the IT infrastructure of contractors, as one of the key trends of 2023.

NCCCI expert Andrei Rayevsky, speaking at an international information security conference on June 6, explained that an IT contractor often develops and hands over a system but keeps administrator rights for designer supervision or further support, and that attackers increasingly penetrate the infrastructure of government agencies and CII subjects through exactly those contractor administrative rights.

At the same time, there are no statutory information security requirements for the information systems of such contractors. According to the expert, the NCCCI is considering introducing such requirements at the legislative level, first of all for IT contractors performing work for government agencies and CII subjects.

From the presentation of Andrei Rayevsky

For its part, the NCCCI recommends that customers write information security requirements for the contractor's IT resources into the terms of reference for IT projects. Some serious organizations are already doing so, Rayevsky notes.

In addition, the NCCCI recommends limiting the number of privileged users from among contractor staff who are granted access to the customer's systems.

Domestic privileged access management (PAM) tools are available on the market, and their use is becoming highly relevant; the NCCCI believes they deserve a closer look.

Organizations should also monitor reports of leaks and computer incidents at their contractors, and when such leaks concern the organization's own information resources, demand that the developer respond and investigate the causes.
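The practical counterpart of the two NCCCI recommendations above (limit contractor privileged accounts, record and review what they do) is a periodic check of contractor sessions against the access each contractor was actually granted. The script below is an added example, not NCCCI code or any product's format: the key=value log lines, the contractor register (contract end date, bastion network, maintenance window) and the three rules are all constructed assumptions.

```python
"""Audit of contractor privileged activity against the access the contractor was actually granted.

Constructed example: the log format, account register and thresholds are assumptions,
not the NCCCI's or any product's format.
"""
from datetime import date, datetime
import ipaddress

# Constructed register of contractor accounts that hold administrative rights.
# In a real deployment this is exported from the PAM tool or the IdP, not hard-coded.
CONTRACTOR_ACCOUNTS = {
    "svc_integrator_adm": {
        "contract_end": date(2023, 12, 31),                   # support contract still active
        "allowed_net": ipaddress.ip_network("10.20.0.0/24"),  # the bastion / jump-host segment
        "maintenance_hours": range(8, 20),                    # 08:00-19:59 local time
    },
    "vendor_dba": {
        "contract_end": date(2023, 3, 31),                    # contract ended, account never removed
        "allowed_net": ipaddress.ip_network("10.20.0.0/24"),
        "maintenance_hours": range(8, 20),
    },
}

# Constructed sample of privileged-session records (a generic key=value line,
# not a real product's syslog format).
SAMPLE_LOG = """\
2023-06-06T09:12:44 host=erp-app01 user=svc_integrator_adm src=10.20.0.15 event=sudo cmd=/usr/bin/systemctl
2023-06-06T21:05:10 host=erp-db01 user=vendor_dba src=10.20.0.17 event=sudo cmd=/bin/bash
2023-06-07T02:33:51 host=erp-app01 user=svc_integrator_adm src=203.0.113.7 event=ssh-login
2023-06-07T10:00:02 host=erp-app01 user=ivanov src=10.0.5.4 event=sudo cmd=/usr/bin/apt
"""


def parse_line(line: str) -> dict:
    """Turn '2023-06-06T09:12:44 k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(token.split("=", 1) for token in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def check_event(ev: dict, accounts: dict) -> list:
    """Return the rule violations for one privileged event (empty list if clean)."""
    rules = accounts.get(ev["user"])
    if rules is None:
        return []  # not a contractor account; out of scope for this audit
    problems = []
    if ev["ts"].date() > rules["contract_end"]:
        problems.append("contract expired, account still privileged")
    if ipaddress.ip_address(ev["src"]) not in rules["allowed_net"]:
        problems.append("session not from the bastion network")
    if ev["ts"].hour not in rules["maintenance_hours"]:
        problems.append("outside agreed maintenance window")
    return problems


def audit(log_text: str, accounts: dict = CONTRACTOR_ACCOUNTS) -> list:
    """Run every log line through the rules; one finding per event that violates any rule."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        problems = check_event(ev, accounts)
        if problems:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "host": ev["host"], "src": ev["src"], "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["ts"], f["user"], f["host"], f["src"], "; ".join(f["problems"]))
```

On the constructed sample the audit produces two findings: the vendor_dba session after the contract expired (and at night), and the integrator's SSH login from an address outside the bastion segment. The employee account is ignored because the check is scoped to the contractor register; the point is that the register, not the log, is the source of truth for what a contractor is allowed to do, which is why it must be kept current when a project is handed over.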

FSB approved the procedure for monitoring the security of sites of CII subjects

On June 2, 2023, the Federal Security Service of the Russian Federation (FSB) approved the procedure for monitoring the security of sites of subjects of critical information infrastructure (CII).

The procedure covers resources belonging to federal executive bodies, the highest executive bodies of state power of the constituent entities of the Russian Federation, state funds, state corporations (companies) and other organizations created on the basis of federal laws. It also applies to strategic enterprises and joint-stock companies, backbone organizations of the Russian economy, and legal entities that are CII subjects.

The FSB of the Russian Federation approved the procedure for monitoring the security of sites of subjects of critical information infrastructure

Monitoring is carried out in order to assess the ability of organizations' information resources to withstand information security threats. The work is performed by the FSB Center for Information Protection and Special Communications and by territorial security agencies. It covers information systems (including Internet sites), information and telecommunication networks and automated control systems.

According to the FSB order, organizations must send information about the domain names and external network addresses of their information resources, and about any changes to those names and addresses, to the e-mail address monitoring@fsb.ru. Security monitoring is carried out continuously and includes collecting and analyzing information and documents about the information resources in use, identifying running services and detecting vulnerabilities, and assessing system security. Identification of running services and the search for potential problems are carried out remotely, without prior notice to the organization that the work has started.[10]

FSTEC calls on government agencies and banks to disable access to corporate mail through foreign IP

On March 21, 2023, it became known about the information security recommendations which the Federal Service for Technical and Export Control (FSTEC) had issued to subjects of critical information infrastructure (CII: government agencies, communications, finance, the fuel and energy complex, telecom operators, etc.).

In particular, as Kommersant writes with reference to the FSTEC presentation, the agency calls for disabling remote access to critical nodes and networks, prohibiting open relay (a mail server configuration that lets any client route mail through the server without control), and blocking e-mail interaction with foreign IP addresses.

It is recommended that CII objects disable remote access to critical nodes, prohibit open relay and interaction via mail with foreign IP

FSTEC explained that these measures will further protect the mail systems of significant CII-related companies in the Russian Federation. FSTEC also recalled the need to log the actions of all privileged users in the IT systems of CII facilities in order to counter possible "internal violators," including outsourced staff who support companies' technological processes and employees of other departments involved in the work.

Informzaschita called disabling direct remote access to management interfaces and prohibiting open relay good practice. Restricting foreign addresses is a measure that state institutions have already applied without particular negative consequences, but CII subjects cannot always apply it, since companies may deal with counterparties that use foreign IP addresses, the company noted.

The proposed restrictions do not apply to all computers of a CII subject, but only to those that are part of the critical infrastructure, said Yevgeny Altovsky, head of the information and analytical service of the public movement "Information for All." He considers the ban on interaction with foreign IP addresses excessive, since address ownership changes regularly: CII subjects would have to check every time who owns the IP address of a correspondent's mail server, the expert clarified.[11]
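The "open relay" that FSTEC asks CII subjects to prohibit is a concrete, testable property of a mail server: an outside client can get the server to accept mail for a domain the server is not responsible for. The example below is added here and is not FSTEC's, Informzaschita's or any MTA's code; it models the relay decision an MTA takes at RCPT TO as a small policy class and runs the classic four-command probe against both the weak and the hardened setting. The domains, addresses and the simplified Postfix-style rule ("permit my networks, reject unauthorized destinations") are constructed assumptions.

```python
"""Open-relay check modelled as the SMTP dialogue an external probe would have with the MTA.

Constructed example: the policy class is a toy model of an MTA's RCPT-time relay decision,
not Postfix or Exim code; the addresses and domains are made up (RFC 5737 / RFC 2606 ranges).
"""
import ipaddress

LOCAL_DOMAINS = {"example.org"}                      # domains this server is the final destination for
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # internal clients allowed to send outbound


class RelayPolicy:
    """Relay decision taken at RCPT TO.

    open_relay=True models the weak setting (any client may relay to any domain, the
    'open relay' FSTEC asks to prohibit). open_relay=False models the hardened rule set,
    equivalent in intent to Postfix 'permit_mynetworks, reject_unauth_destination':
    accept only mail for local recipients or mail from clients inside MYNETWORKS.
    """

    def __init__(self, client_ip: str, open_relay: bool):
        self.client = ipaddress.ip_address(client_ip)
        self.open_relay = open_relay

    def _may_relay_to(self, domain: str) -> bool:
        if domain in LOCAL_DOMAINS:
            return True                       # inbound mail for our own users is always accepted
        if any(self.client in net for net in MYNETWORKS):
            return True                       # outbound mail from our own network
        return self.open_relay                # third-party client to third-party domain

    def handle(self, cmd: str) -> str:
        """Answer one SMTP command the way the server side of the dialogue would."""
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 mx.example.org"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<>")
            domain = addr.rsplit("@", 1)[1]
            if self._may_relay_to(domain):
                return "250 2.1.5 Ok"
            return "554 5.7.1 <%s>: Relay access denied" % addr
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def probe(policy: RelayPolicy, rcpt: str = "victim@example.com"):
    """Send the classic relay probe; return (RCPT accepted?, full client/server transcript)."""
    commands = ["EHLO probe.example.net", "MAIL FROM:<probe@example.net>",
                "RCPT TO:<%s>" % rcpt, "QUIT"]
    transcript = []
    accepted = False
    for c in commands:
        r = policy.handle(c)
        transcript.append("C: " + c)
        transcript.append("S: " + r)
        if c.startswith("RCPT") and r.startswith("250"):
            accepted = True
    return accepted, transcript


def is_open_relay(policy: RelayPolicy) -> bool:
    """An MTA is an open relay if a client from OUTSIDE MYNETWORKS can relay to an outside domain.

    The policy passed in must therefore be built with an external client address;
    a probe from inside the trusted network proves nothing.
    """
    accepted, _ = probe(policy)
    return accepted


if __name__ == "__main__":
    for label, p in [("weak config", RelayPolicy("203.0.113.9", open_relay=True)),
                     ("hardened config", RelayPolicy("203.0.113.9", open_relay=False))]:
        accepted, lines = probe(p)
        print("%s: open relay = %s" % (label, accepted))
        print("\n".join("  " + line for line in lines))
```

Against a real server the same four commands are typed over a plain TCP connection to port 25 (with telnet, nc or swaks) from a host outside the organization's perimeter; a 250 reply to RCPT TO for a domain the server does not host is the finding, a 554 "Relay access denied" is the expected hardened behaviour. Note that the hardened policy still accepts inbound mail for its own domain from any client, so the check must use a foreign recipient domain. The same policy layer is where a restriction on foreign client addresses would sit, and it carries exactly the maintenance burden Altovsky describes: the list of "allowed" networks has to be kept current as address ownership changes.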

FSTEC explained what to do if a CII owner has no money for an information security system

Based on the results of state control measures, FSTEC identified typical problems in protecting significant objects of critical information infrastructure. On March 15, 2023, Elena Torbenko, head of a department of FSTEC of Russia, spoke about them at an event devoted to the information security of industrial control systems (ICS) at critical facilities.

Significant CII objects, we recall, are those CII objects that have been assigned one of the categories of significance and are entered in the corresponding register maintained by FSTEC.

Lack of money to create a security system for significant CII objects is a common problem

According to Elena Torbenko, lack of funding for creating a security system for significant CII objects is one of the main problems. But when an object was assigned a significance category in 2019-2020 and in 2023 FSTEC sees that the creation of an information protection subsystem is planned only for 2024-2025, that is negligence, the regulator's representative said.

Failure to comply with legal requirements entails liability. It is good if that liability is administrative; if an incident occurs because of the failure, it becomes criminal liability.

There is no need to push the task away now: "it wasn't me, it was before my time, we have no funding." If you cannot implement technical measures, you need something compensating, that is, organizational measures. They do not require significant costs, Elena Torbenko said.

If, for example, an organization cannot implement certain measures in an industrial system with a life cycle of 5-10 years, such as installing an antivirus there, then an organizational measure should be applied: set up an intermediate checkpoint where the removable media used in the significant system at the industrial facility are checked, the FSTEC representative explained.

Or, if an organization cannot enforce a password policy and separation of roles, this can be done organizationally, in the classic way, by logging.

Most of these organizational, "zero" measures, as we call them, have already been implemented as part of your industrial safety measures. Just use them for your significant object, document them and live in peace, the head of the FSTEC of Russia department recommended. But it is still necessary to create a subsystem, including one that takes into account the organizational measures you can apply at your significant objects.

Another main problem identified is that the actual composition of such objects does not match what CII subjects reported to FSTEC earlier; the information is not kept up to date. As a result, neither FSTEC nor the NCCCI can often warn CII subjects in time about the problems, threats and dangers arising in the current situation.

The next common problem is that technological facilities are connected to corporate systems: the organization formally believes there is no Internet access, but the corporate system often interacts with the Internet without any additional information protection tools.

Minimal protection on the perimeter of your significant CII object and minimal protection tools and measures on the perimeter of your corporate system mean that an intruder can act freely on your systems. Statistics show that an intruder can be present in a system for up to several months before revealing himself, the FSTEC representative said.

As for applying the rules for categorizing significant CII objects, FSTEC points out that categorization often ignores the interaction of such objects with other objects. Organizations forget that the functioning of one object can depend on another. As a result, FSTEC finds dependent objects assigned different categories, which also creates security threats.

Some organizations do the following: they split their CII objects into separate small subsystems in an attempt to stay out of the register of significant CII objects. That will not pass, Elena Torbenko assured; the regulator requires those who do this to justify the interaction between these objects.

In addition, there is underestimation of the damage that may result from the termination or disruption of the functioning of significant CII objects. FSTEC has involved experts from other ministries in this problem to help develop the necessary methods and recommendations.

The number of cyber attacks through contractors has doubled. The National Coordination Center for Computer Incidents on the main trends of 2022

The National Coordination Center for Computer Incidents (NCCCI) states that the situation in the Russian information space in 2022 was significantly influenced by the special military operation in Ukraine. A cyber campaign "unprecedented in scale" was launched against Russia, its main goals being to disable the information infrastructure and to gain unauthorized access to the IT systems of organizations and enterprises in various sectors of the critical information infrastructure of the Russian Federation. At an industry event on February 7, NCCCI Deputy Director Nikolai Murashov summed up the key cyber threat trends of 2022.

The number of computer attacks on objects of the Russian information infrastructure in 2022 increased significantly. At the same time, threats are being realized faster: the time from the appearance of information about a threat, for example the publication of a vulnerability, to its practical exploitation is sometimes only a few hours.

Hacker tools are becoming more available: specialized resources regularly publish the source code of attack tools, as well as detailed information about computer incidents for further analysis.

In 2022, a cyber campaign "unprecedented in scale" was launched against Russia, the NCCCI notes.

There are also "politicized unfriendly actions" by the international cyber community. Thus FIRST (Forum of Incident Response and Security Teams), the international community for responding to cyber threats, has stopped working with Russian computer incident response teams. This decision confirms the concern expressed earlier by the NCCCI about the declarative nature of some countries' approach to creating a peaceful, stable and secure ICT environment, Nikolai Murashov believes.

In 2022 the number of attacks through the supply chain increased: integrators, security tool vendors, service providers and other business partners. According to the information available to the NCCCI, the number of attacks through contractors doubled over the year. Having gained access to the contractor's infrastructure, the attackers find themselves inside the target system.

In 2022, massive attacks on root DNS servers, disconnection of providers from large backbone channels, embedding of malicious code in widely used web page components, and the appearance of malicious code in software updates, both freely distributed and commercial, were recorded.

A feature of DDoS attacks in recent months has been the genuinely large number of participants. Telegram channels were formed very quickly in which ordinary people were recruited, participants were instructed, targeting was coordinated and attack components were distributed.

At the same time, the large volume of DDoS attacks served as cover for more serious impacts. Many computer attacks were aimed at stealing information from organizations' systems and disrupting technological processes.

One of the trends was ransomware attacks aimed at extracting a ransom. Attackers chose solvent organizations in which encrypting data could disrupt the main business processes, and therefore showed interest in large companies, including industrial enterprises.

Attackers pay great attention to attacks that can cause significant public resonance, and many data leaks are published. At the same time, according to the NCCCI, in pursuit of media attention and public resonance attackers often present data from earlier leaks as new, and compile sets from data obtained from public sources. It is not uncommon for a small organization to be hacked and the result passed off as a leak from key government systems or critical information infrastructure facilities, which inflates the apparent significance of the event, says Nikolai Murashov.

Separately, the NCCCI notes threats associated with possible disruption of information protection tools: termination of vendor support, mass revocation of certificates and other restrictions may negatively affect the functioning of the Russian segment of the Internet.

To counter the aggravated information security threats more effectively, the forces and technical means of CII subjects need to be activated and consolidated, Nikolai Murashov noted.

The NCCCI also cited statistics on connections to GosSOPKA, the State system for detecting, preventing and eliminating the consequences of computer attacks: 1,277 new participants joined it, and their total number now exceeds 3,500.

Owners of IT systems critical for Russia are stepping on the same old rake. FSTEC named typical security errors

In 2022, FSTEC representatives, as part of checks on how CII subjects implement measures to protect their facilities, visited more than 700 organizations. The regulator's representatives saw "disappointing results," Elena Torbenko, head of a department of FSTEC of Russia, said at an industry conference on February 7, 2023.

A number of problems that have been relevant for several years remain unresolved. Across organizations in various sectors, typical errors were identified that make it possible to realize threats to the security of CII facilities. The FSTEC representative listed them.

Based on the results of control measures, FSTEC revealed typical errors in the protection of CII facilities (photo: securitylab.ru)

First of all, components of significant CII objects on the organization's perimeter have exploitable software vulnerabilities of critical severity, including ones rooted in the system architecture.

CII subjects do not carry out security analysis, says Elena Torbenko. Colleagues, if you do not have your own specialists and resources to do this, you are allowed to engage licensees, because perimeter security analysis is analysis of the system the intruder encounters first. If you leave "holes" there, you leave the door open for the intruder to enter your system.

In addition, FSTEC still encounters default passwords on significant objects, including on the information protection tools used for them: software was purchased and installed, and the preset passwords remained in it. This too is essentially an invitation for an intruder to exploit the vulnerability.

The measures a CII subject implements are in some cases formal and insufficient to ensure full protection of significant objects. At the same time, where certain measures cannot be implemented at significant facilities, compensating measures are not applied, the FSTEC representative says. The regulator encounters information components with no antivirus protection installed, and where an antivirus cannot be installed in an automated control system, additional measures for checking the media used in it are not implemented.

Another typical error is the use of unaccounted-for media, which can carry malware into an organization's systems. Cases of industrial systems being encrypted are already found in practice.

Some CII subjects also do not consider it expedient to separate access rights to systems, Elena Torbenko cited as another example. Accordingly, an ordinary operator can do anything from his account, for example put CII objects into an abnormal operating mode.

Interaction with the supply chain remains a problem, that is, with those who service the systems of CII subjects, both in terms of security and of their regular operation. In some cases there is no full control over such an external organization, and the contract does not provide that suppliers must comply with the requirements of the law and also ensure the security of CII facilities.

And I am not even talking about such classic violations as control of machine media, disabling unused USB ports and so on, that is, measures that have been used in information systems since time immemorial, Elena Torbenko added.

The FSTEC representative also said that in 2022 CII subjects continued to identify their IT facilities as CII objects, classify them as significant and build security systems for them. According to FSTEC, the number of objects classified as significant in 2022 more than doubled compared to 2021.

2022

The number of cyber attacks on the Russian public sector has grown several times

In 2022, the number of attacks on the Russian public sector roughly doubled or tripled compared to a year earlier, Shamil Chich, an analyst at the IZ:SOC cybersecurity monitoring center of Informzaschita, told Vedomosti (the article was published on January 16, 2023).

FSTEC has developed a methodology for assessing cybersecurity for government agencies

The Federal Service for Technical and Export Control (FSTEC) has developed a new methodology for assessing the level of information security in government agencies and organizations with state participation, as well as in companies operating critical information infrastructure (CII: banks, telecom operators, the fuel and energy complex, etc.). This became known on November 23, 2022.

Almost half of Russian departments were subjected to cyber attacks

In the 12 months ending in June 2022, almost half (46.6%) of Russian government departments faced cyber attacks, and in 15% of cases the attacks were repeated. This is stated in a study by the RANEPA Center for Training Leaders and Teams of Digital Transformation, published in mid-September 2022.

According to the report, excerpts of which Vedomosti cites, 69.6% of attacks on government agencies used viruses and ransomware, which mainly enter through corporate mail or malicious sites. 51.1% of respondents named DoS and DDoS attacks, 46.7% phishing, 38% attacks on the corporate network and password cracking, and 30.4% data leakage and unauthorized access.

Almost half (46.6%) of Russian departments faced cyber attacks

In 73.9% of cases the main targets of the offenders were the departments' websites and web applications. This share is explained by the fact that most employees and customers now interact through digital services.

Only 31.9% of state organizations were not subjected to cyber attacks. One in five organizations found it difficult to answer this question.

The survey involved 302 civil servants of various levels from 75 regions and all federal districts, with different official status, from digital transformation leaders and senior managers to ordinary employees. The center clarified that the participants were segmented by level of IT competence and that a number of questions were put only to specialized specialists (92 people).

According to Luka Safonov, technical director of Sinclit JSC, the share of Russian public sector bodies that have been attacked is much higher.

I think about 90% of Russian departments and structures have recently been attacked, both by schoolchildren opposed to Russia and by foreign hackers, Safonov said in mid-September 2022. He added that about 10% of the attacks could have been successful.[12]

Sberbank said that organized cyber war is being waged against Russia

In the current realities, cyber security software is of particular importance, "because right now an organized cyber war is being waged against Russia, the purpose of which is to disable the country's entire critical infrastructure," Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, said in early September 2022.

Stanislav Kuznetsov: "All cybersecurity systems in Russia should use exclusively domestic developments"

In his opinion, only Russian solutions should be used at significant facilities of the country's critical infrastructure by 2025, and cybersecurity systems, whatever their scale, should use exclusively domestic developments.

According to Stanislav Kuznetsov, much has been done in this regard, but two areas require special attention and the involvement of state institutions: protection of clouds and protection of highly loaded systems, because for large companies there are still no competitive solutions here.

At the heart of countering cybercriminals are cyber defense centers, and they should primarily run on domestic software. Sberbank has such a center, and 90% of it is Sberbank's own development. However, there are few such centers in the country as a whole: we counted only five. I would like there to be many more, said the bank's top manager.

He added that Sberbank feels the effect of the cyber war: over the last quarter Sberbank withstood about 450 DDoS attacks, and its subsidiaries repelled a further 350, as many as in the preceding five years. Criminal activity is concentrated in three areas: network attacks, phishing and telephone fraud. Technological solutions, including a library of criminals' voices, make it possible to resist such actions and to combat telephone fraud successfully.

Sberbank has several developments in the field of cybersecurity, among them an anti-fraud system that prevents 99% of telephone fraud and a cyber threat analysis system. The bank is ready to share such systems, Stanislav Kuznetsov emphasized.

In the field of cybersecurity we have only two years left to make another breakthrough and provide our own developments to protect the entire perimeter of the state. Critical infrastructure is used by the largest companies in the country, and it is very important to have reliable protection, because in a cyber war any mistakes and uncompetitive decisions can lead to catastrophic consequences. And it is important not only to unite efforts; the state should play a more active role, the Deputy Chairman of the Management Board of Sberbank is convinced.

According to Stanislav Kuznetsov, successfully switching to domestic software requires a single governing body, uniform rules and requirements, and unified processes that apply to both the state and business. Another sensitive topic is training; here one cannot do without the state, since it is the state that forms the order for personnel. As of early September 2022 about 5,000 cybersecurity specialists work in the country, and 20 times as many are needed.

The Sberbank top manager also added that it is not enough simply to have a register of Russian solutions; one needs to understand which of them can really be used and in which business segments. An audit of these solutions is needed to understand what stage we are at and what remains to be done, and such work should be carried out under the umbrella of state institutions.

The Sberbank representative also drew attention to telephone fraud. On the one hand, cyber literacy is growing, and people are less and less likely to disclose confidential information about their accounts to swindlers. On the other hand, it is important to counter this by law as well: first of all, the still existing practice of selling number substitution (caller ID spoofing) without passport data, of which some regional telecom companies are still guilty, must be stopped, since it helps criminals deceive citizens.

The Ministry of Digital Development creates a register of unacceptable cyber violations

On August 23, 2022, it became known about the decision of the Ministry of Digital Development of the Russian Federation to launch a register of unacceptable events in information security for government agencies and critical information infrastructure (CII) facilities.

The register will first include the scenarios most dangerous for the IT sphere, which companies "must not allow under any conditions." These threats are to be identified by auditors together with the heads of the assessed organizations, an informed source told Kommersant.

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation creates a register of unacceptable cyber violations

Companies will also have to determine which of these events may apply to them and report this to the government. According to another source of the publication, the absence of such cybersecurity violations will then be monitored.

The Ministry of Digital Development confirmed to the newspaper that a register of unacceptable cybersecurity events is being created. It said that, under the presidential decree, a number of organizations and bodies were to conduct a security analysis and submit a report to the government, and the work done showed that unacceptable events need to be systematized. The ministry clarified that the register will be ready by the end of 2022.

Independent cybersecurity expert Alexei Lukatsky said that companies are currently sending the Ministry of Digital Development abstract formulations about security risks that are not backed by an understanding of the problem. With the register, he says, it will be possible "to show clearly what each company should protect itself from." What matters is not just the list but "verification of each event, its demonstration," the expert stresses.

In his view, responsible company leaders should understand, for example, that equipment can be stopped, what loss the enterprise will incur, and what it must do so that this does not happen.

Then the register will become a starting point for assessing the vulnerability of companies in all areas, Lukatsky said.[13]

Chinese hackers attacked Russian defense enterprises

A Chinese-speaking cyber group is attacking defense enterprises and state agencies in Russia, Eastern European countries and Afghanistan, Kaspersky Lab reported on August 8, 2022.

In total, during the investigation the experts identified attacks on more than a dozen organizations. The presumed goal of the attackers was cyber espionage. The experts suggest that the identified series of attacks may be linked to the activity of the Chinese-speaking group TA428, which used new modifications of previously known backdoors.

In some cases the attackers managed to take over the IT infrastructure completely. To do so they used well-prepared phishing e-mails containing internal information that was not publicly available at the time, including the full names of employees working with confidential information and internal project code names. Attached to the e-mails were Microsoft Word documents with malicious code exploiting CVE-2017-11882, a memory corruption flaw in the Microsoft Office Equation Editor that was patched in November 2017. It lets the malware take control of the infected system without further action from the user; the user is not even required to enable macros.

As the main tool for developing the attack, the attackers used the Ladon utility, which can scan the network, find and exploit vulnerabilities and steal passwords. At the final stage they seized the domain controller and then gained full control over the workstations and servers of interest. Having obtained the necessary rights, the attackers searched for files containing confidential data and uploaded them to their servers deployed in various countries; the same servers were used for malware command and control.

"Targeted phishing remains one of the most pressing threats to industrial enterprises and government agencies. The series of attacks we discovered is not the first, apparently, in a malicious campaign. Since attackers are successful, we assume that such attacks could happen again in the future. Enterprises and state organizations need to be on the lookout and carry out appropriate work to prepare for repelling complex targeted threats," said Vyacheslav Kopeitsev, senior expert at Kaspersky ICS CERT.

APT31 cyber group attacks Russian fuel and energy complex and media

In April 2022, PT Expert Security Center specialists from Positive Technologies identified an attack on a number of Russian organizations (media and energy companies) using a malicious document during daily threat monitoring. Representatives of Positive Technologies reported this to TAdviser on August 4, 2022. Read more here.

A special type of malware has appeared in Russia, threatening government agencies and industry

On July 27, 2022, Positive Technologies specialists warned of the appearance in Russia of a special type of malware that threatens government agencies and industry. We are talking about the so-called bootkits, which are launched before the operating system boots. Read more here.

The Government of the Russian Federation has established requirements for top managers responsible for cybersecurity in government agencies and corporations

As it became known at the end of June 2022, the Government of the Russian Federation established requirements for top managers responsible for cybersecurity in state bodies and corporations. The provisions were developed by decree of the President of the Russian Federation Vladimir Putin, according to which responsibility for cyber risks falls on the deputy heads of enterprises.

As Kommersant writes with reference to a government document, the person responsible for ensuring information security is obliged to have a higher specialized education "no lower than a specialist or a master's degree" or undergo vocational training. In addition, he must understand the "impact of information technologies on the work of the organization," ways to build information systems, including restricting access, ensuring the security of the company's internal networks. The specialist should be familiar with "the main threats to cybersecurity, the prerequisites for their occurrence and possible ways of their implementation," as well as their consequences.


Representatives of Group-IB and InfoWatch, in a conversation with the newspaper, explained that in fact, the new requirements describe information security experts with practice and expertise over the years, of which there are not so many in the country now, and the training of current leaders will take a lot of time and funding that should have been laid down last year. Since this was not done, government agencies will have to find resources to prepare leadership as a matter of urgency from other items of expenditure. But even so, the training process can drag on or be interrupted if an employee quits and the company has to look for new personnel to replace him.

The requirements of the model provision will require costs, in particular, for measures to analyze and assess the state of information security of the organization, said Ivan Melekhin, director of the IZ: SOC cyber attack monitoring and counteraction center at Informzaschita.[14]

Mishustin approved a list of organizations that need to conduct an audit of the security of their IT systems

In June 2022, Prime Minister Mikhail Mishustin signed Decree No. 1661-r. With this document, the Chairman of the Government of the Russian Federation approved the list of organizations that need to conduct an audit of the security of their IT systems.

The list includes the Ministry of Health, the Ministry of Education and Science, the Ministry of Industry and Trade, the Ministry of Transport, the Ministry of Finance, the Ministry of Digital Development, the Ministry of Energy, the Ministry of Emergency Situations, the Federal Tax Service, Rosreestr, the Treasury, the FFOMS, the Moscow government, the government of St. Petersburg and another 58 key organizations in various fields of activity.


The listed departments and companies need to take measures to assess the level of security of their information systems with the involvement of organizations that have the appropriate licenses of the FSB of Russia and the FSTEC of Russia. The results of the audit will be sent to the government, the information will be taken into account when developing measures to ensure the security of information resources of the Russian Federation, the ministry explained.

In June 2022, the Ministry of Digital Development of the Russian Federation published a standard terms of reference for the implementation of work to assess the level of security of information infrastructure. The department indicated the need to solve the following problems:

  • identification and consolidation of strategic risks (unacceptable events) of information security;
  • identification of information infrastructure vulnerabilities that can be exploited by external and internal violators for unauthorized actions aimed at violation of confidentiality properties, integrity, availability of processed information, as well as technical information processing means, as a result of which their normal operation mode may be violated, which will lead to unacceptable events;
  • identification of deficiencies in the information protection tools and software products used, as well as assessment of the possibility of their use by the offender;
  • checking the practical possibility of exploiting vulnerabilities (using the example of the most critical ones);
  • obtaining an assessment of the current level of security based on objective evidence;
  • development of an information infrastructure modernization roadmap.

The list of key bodies (organizations) that need to take measures to assess the level of security of their information systems can be found here.

Presidential administration: 90% of Russia's public sector infrastructure was subjected to cyber attacks

Since the start of the Russian special operation in Ukraine (June 24, 2022), about 90% of the infrastructure of the public sector of the Russian Federation has faced cyber attacks to one degree or another. This was announced on June 16, 2022 by the head of the department of the Presidential Administration of the Russian Federation for the development of information and communication technologies and communication infrastructure Tatyana Matveeva. Read more here.

Cyber group attacking the public sector, electric power and aerospace industry in Russia discovered

On May 17, 2022, Positive Technologies announced that its expert center (PT Expert Security Center, PT ESC) had discovered another cybercriminal group. The attackers hit at least five organizations in Russia and one in Georgia, and the exact number of victims in Mongolia is still unknown. Among the targets identified by Positive Technologies specialists are state institutions and enterprises from the aviation, space and electric power industries. Read more here.

Vladimir Putin demanded to strengthen measures in the field of information security and create a state system for the protection of information

Russian President Vladimir Putin, speaking at a meeting of the Security Council of the Russian Federation on May 20, 2022, said that the country is under constant cyber attacks, which are coordinated and launched from different countries. According to him, this is not done by lone hackers, but by government agencies. He recalled that the armies of some countries include cyber warfare units.

In this regard, Vladimir Putin proposed to strengthen measures to protect the digital space and create a state information protection system in Russia.

Vladimir Putin proposed creating a state system for protecting information. Photo: TASS

"I consider it expedient to consider the creation of a state information protection system. I also expect from you specific proposals on what additional steps should be taken to ensure the sustainable operation of the information infrastructure in the authorities and public administration," said Vladimir Putin at a meeting of the Security Council of the Russian Federation.

According to him, it is important to minimize the risks of leaks of confidential information and personal data of citizens, as well as improve the mechanisms for protecting critical objects on which the country's defense capability, stable development of the economic and social sphere directly depend. The actions of government agencies in the field of information security should be coordinated at the strategic level, and the heads of organizations will be personally responsible for the implementation of the prescribed measures.

The president called the transition to domestic hardware and software one of the main steps. Moreover, according to him, it is necessary not only to copy existing Western solutions, but also to create your own.

"Today we can say that cyber aggression against us, as well as the sanctions attack on Russia in general, failed. In general, we were ready for this attack, and this is the result of the systematic work that has been carried out in recent years," said Vladimir Putin.

Vladimir Putin noted that one of the tools of sanctions pressure on Russia was restrictions on foreign information technologies, programs and products. A number of Western suppliers unilaterally stopped technical support in Russia for their equipment. Cases of restricted operation or even blocking of programs after an update have become more frequent. According to him, Russian companies, state bodies and management authorities should take this into account both when using previously installed foreign information technologies and products and when introducing new ones.

Tasks set by Russian President Vladimir Putin and his comments on them

Task: Improve and fine-tune the mechanisms for ensuring the information security of critical industry facilities, on which the country's defense capability and the stable development of the economy and social sphere directly depend.
Comment: So far, a third of such facilities have no structural units for information protection. Meanwhile, such units should be created as quickly as possible, and they should include specialized staff who know the industry specifics well. At the same time, coordination of the actions of all structures ensuring the information security of critical facilities should be fixed at the strategic level, and personal responsibility for solving these issues, in accordance with the provisions of Decree No. 250, is assigned to the heads of organizations.

Task: Increase the security of information systems and communication networks in state bodies. Inspections carried out in 2021 showed that most of the resources operating there are vulnerable to massive attacks and destructive external influence, especially when the latest generation of foreign technologies is used.
Comment: It is necessary to strengthen the defense of the domestic digital space; there should be no weak places. It is fundamentally important to negate the risks of leaks of confidential information and personal data of citizens, including through stricter control of the rules for the use of official equipment and communications. It is necessary to consider the creation of a state information protection system. The President expects concrete proposals from the Security Council participants on what additional steps should be taken to ensure the sustainable operation of the information infrastructure in authorities and public administration.

Task: Radically reduce the risks associated with the use of foreign software, computing equipment and telecommunications equipment.
Comment: The government needs to create a modern Russian electronic component base in the shortest possible time. It is necessary to develop and implement domestic technological equipment for this, including the equipment needed to produce software and hardware systems. Part of the work has already been completed: a national crisis headquarters has been created to prevent targeted computer attacks. In each federal district, information security commissions have been formed under the plenipotentiary representatives of the President of Russia.

Mishustin approved the procedure for conducting an experiment to increase the level of protection of GIS

In mid-May 2022, Prime Minister Mikhail Mishustin signed a decree approving an experiment to increase the level of security of state information systems (GIS) of federal executive bodies (FOIV) and institutions subordinate to them.

As follows from the document, the experiment will be conducted by the Ministry of Digital Development from May 16, 2022 to March 30, 2023 as part of the federal project "Information Security" of the national program "Digital Economy." The purpose of the experiment will be to assess the level of security of GIS, inventory of protection systems, as well as identify shortcomings in infrastructure, architectural and organizational solutions. As a result, it is planned to develop a list of measures to neutralize GIS vulnerabilities.


According to the press service of the Ministry of Digital Development, as reported by TASS, as part of the experiment, FOIV or their subordinate institutions will be able to apply for work to improve the security of their GIS.

"The Ministry of Digital Development, with the involvement of leading commercial companies in the field of information security, will hold measures that will assess the current level of GIS security, check the practical possibility of exploiting vulnerabilities, and identify shortcomings in the GIS protection system," the press service of the department explained.

As a result of the experiment, Ministry of Digital Development, together with the FSB of Russia and the Federal Service for Technical and Export Control of Russia, will develop and provide the participants in the experiment with recommendations for neutralizing GIS vulnerabilities.

In addition, the Ministry of Digital Development will have to:

  • ensure the conclusion of cooperation agreements and organize the implementation of work to increase the level of protection of the GIS of the participants in the experiment;
  • monitor the progress of eliminating the deficiencies (vulnerabilities) identified within the framework of the experiment.[15]

Putin signed a decree on the creation of cybersecurity departments in medical organizations

In early May 2022, Russian President Vladimir Putin signed a decree creating separate cybersecurity departments at critical information infrastructure (CII) facilities, including healthcare institutions. Such structures should be headed by one of the deputy heads of the organization. The head's duties, as well as the functions of the department, will be approved by the government within a month.

According to the document, cybersecurity departments are obliged to cooperate with the FSB, provide its employees with unhindered access (including remote access) to information resources for monitoring, and follow the instructions it issues based on the results of audits.


From January 1, 2025, when providing cybersecurity to health care institutions and other CII facilities, it is forbidden to use data protection tools made in unfriendly countries. The equipment of firms that are under the direct or indirect control of an unfriendly country affiliated with it also falls under the ban.

Explanations on the application of the decree will be given by the Ministry of Finance and the Central Bank, follows from the decree. The government was instructed to approve the list of persons under sanctions within 10 days and determine additional criteria for classifying transactions as prohibited.

The activity of cybercriminals in relation to medical institutions is steadily growing. By 2022, medicine is one of the three leaders in the number of various kinds of cyber attacks, second only to government agencies and industry, displacing banks and financial companies from the top.

The variety of information systems in different medical and preventive institutions (LPUs), which can be public, private and departmental, leads to different approaches to information protection being applied. Often, the protection of systems in LPUs is fragmented, which complicates their cyber protection.[16]

Created an interdepartmental commission of the Security Council of the Russian Federation to ensure the technological sovereignty of the country in the field of CII development

By presidential decree, an interdepartmental commission of the Security Council was created in Russia to ensure the country's technological sovereignty in the development of critical information infrastructure (CII). This was announced on April 25, 2022 by IVK. The main task of the commission will be to develop measures to ensure the security of CII. Read more here.

Positive Technologies: government agencies are the worst protected from cyber attacks

In Russia, state bodies are worst protected from hacker attacks, according to Positive Technologies, a company specializing in information security technologies. Experts made the corresponding statement in mid-April 2022.

"Federal ministries and departments show the least degree of readiness for cyber attacks. Officials are now forced to live in the paradigm of the past time," said Maxim Filippov, director of business development at Positive Technologies in Russia.


According to him, procurement procedures are defined by 44-FZ and 223-FZ. In order to purchase some kind of protection tool, which by April 2022 had become more relevant than ever, or to let experts into their facilities to conduct a retrospective investigation or reconfigure protection tools, agencies need to go through a large number of difficult procedures. They do not have time to respond, while the dynamics and types of attacks change every minute. If you do not detect and respond quickly, there will be nothing left to protect, Filippov said.

He also pointed out that state structures and companies with state participation are opponents of information exchange with experts about past cyber attacks.

"Government agencies are afraid of publicizing these incidents even in the circle of expert companies. This is not at all clear to me personally. In the current environment, they need collaboration with experts who are focused on ensuring the security of infrastructure in cyberspace as much as air," he added.

Positive Technologies Business Development Director cited data according to which the activity on cyber attacks on companies and government agencies in the Russian Federation from late February to mid-April 2022 increased 100 times, while banks were most prepared for cyber attacks, and least of all - federal departments and companies with state participation.[17]

FSTEC creates a system for secure development of software for 0.5 billion rubles

On February 16, 2022, the Federal Service for Technical and Export Control (FSTEC) of Russia announced a tender for "creating a unified environment for the development of safe domestic software." The initial (maximum) contract price is 510 million rubles. Read more here.

2021

The number of criminal cases due to attacks on government agencies and banks in Russia has tripled

In 2021, 70 criminal cases were opened in Russia due to cyber attacks and other unlawful impact on critical information infrastructure (CII - IT systems of government agencies, banks, transport, fuel and nuclear industry, power, etc.) against 22 a year earlier. This is evidenced by the data of the InfoWatch study conducted using statistics from the Ministry of Internal Affairs and data from the state automated system "Justice." Read more here.

More than 90% of attacks by highly professional groups are directed at critical infrastructure facilities

The vast majority (92%) of cyber attacks committed by highly professional attackers in 2021 were aimed at critical information infrastructure (CII) facilities. Most often, the attention of highly qualified hackers - cyber recruits and pro-government groups - was attracted by state organizations, power enterprises, industry and the military-industrial complex. Such figures were announced on December 7, 2021 by the vice-president of Rostelecom for cybersecurity, the general director of Rostelecom-Solar Igor Lyapunov.

In total, according to a study by Rostelecom-Solar, over 300 attacks carried out by professional attackers were recorded in 2021, one third more than in 2020. Most of the attacks were carried out by groups of average qualification, i.e. cybercrime. Such hackers use customized tools, publicly available malware and known vulnerabilities, and social engineering, and their main goal is to monetize an attack directly through encryption, mining or cash withdrawal.

Highly professional groups accounted for 18% of the attacks committed during the reporting period. Such cybercriminals use complex tools: self-written software, 0-day vulnerabilities, and previously planted implants ("bookmarks"). As a rule, they are aimed at custom work, cyber espionage, hacktivism, and complete seizure of infrastructure, and their victims are large businesses and CII facilities.

"Such attacks are almost always targeted, so at first attackers carefully study the attacked organization. Moreover, cyber recruits and pro-government groups conduct reconnaissance not only against the victim's IT perimeter, but also against its contractors," said Vladimir Dryukov, director of the Solar JSOC Cyber Attack Center at Rostelecom-Solar. "These groups are well acquainted with the logic of the basic means of information protection, which allows them to remain unnoticed for a long time. And the damage from their actions can amount to hundreds of millions of rubles. If we are talking about CII, then there are also risks associated with the impact on the country's economy as a whole, the security of citizens and the political situation."

The key techniques used by professional hackers to hack the perimeter have changed slightly over the year. Phishing still occupies a leading position among medium-level attackers (60% of attacks), which is explained by its cheapness and mass.

In 50% of attacks, highly qualified hackers exploit web vulnerabilities. This is because the web applications of CII objects and state authorities (for example, corporate portals or web mail) are still poorly protected and contain a huge number of errors. In addition, highly professional attackers resort to attacks through a contractor more often than ordinary cybercriminals do, and the number of such attacks has been growing for several years. Phishing, on the contrary, is used by them in only 2% of cases. The most popular hacking techniques of 2021 also included exploitation of the vulnerabilities in MS Exchange that were published at the end of 2020.

As a year earlier, cybercriminals most often used startup mechanisms and system services to gain persistence inside the network, and remote services (RDP, SMB, SSH) to develop the overwhelming majority of attacks. In particular, this is due to the massive transition to remote work: companies have begun to actively use these protocols, which allow organizing remote access to files and devices.

Ministry of Digital Development will check the safety of its GIS for almost 150 million rubles

The Ministry of Digital Development is ready to pay 149,681,625.9 rubles for an independent security check of state information systems (GIS), including mobile applications. Information about this appeared at the end of October on the public procurement portal. The winner of the tender will be determined in early December 2021. The GIS check should be completed by March 30, 2022.

The Ministry did not answer the question about the purpose of the GIS check and did not specify which systems they plan to check. The ministry itself and through subordinate structures is responsible for more than 30 GIS, including:

  • "Unified Portal of State and Municipal Services (Functions)" (Public Services Portal);
  • "Unified System of Interdepartmental Electronic Interaction" (SMEV);
  • "Unified Identification and Authentication System" (ESIA);
  • "State Information System of Housing and Communal Services" (GIS Housing and Communal Services);
  • "Unified Interdepartmental Information and Statistical System" (UIISS);
  • "Federal Portal of Public Service and Management Personnel";
  • "Unified Regulatory Reference Information System" (ESNSI);
  • "The official website of the Russian Federation in the information and telecommunication network Internet for posting information about bidding" (Gosprodazh portal);
  • AIS "Management of Departmental and Regional Informatization";
  • IS "Independent Registrar," etc.

The Ministry of Digital Development is ready to pay for an independent check of the security of GIS. Photo - Open Sources

In Russia, in accordance with the provisions of Federal Law No. 149-FZ of the 27.07.2006 "On Information, Information Technologies and Information Protection," FSTEC (Federal Service for Technical and Export Control) is responsible for the verification and certification of GIS. Accordingly, all requirements for GIS are spelled out in FSTEC Order No. 17 of February 11, 2013 "On Approval of Requirements for the Protection of Information Not Constituting State Secrets Contained in State Information Systems." Conducting its own inspections of GIS by state authorities is not regulated in the legislation.

Alexey Lukatsky, a security business consultant at Cisco Systems, commenting on the tender, noted that the business regularly checks information systems for vulnerabilities. In large international companies, scheduled checks of information protection systems are carried out once every six months, and sometimes once a quarter. Due to the lack of information security budgets, state structures conduct such checks much less often, or even do not conduct them at all.

The practice of regularly checking GIS, according to the expert, appeared in Russia only a few years ago. When vulnerabilities are detected, they are most often fixed with patches or by reconfiguring the information security systems. If architectural defects are found, terms of reference are drawn up for the revision of the information security system.

According to Alexei Lukatsky, the price of services for finding vulnerabilities in information security systems depends on the scale of the tested GIS and the depth of analysis.

Hacker group attacking Russian fuel and energy complex and aviation industry discovered

At the end of September 2021, it became known about the appearance of a new hacker group ChamelGang, which was seen in attacks on critical information infrastructure, including in Russia. Read more here.

How to protect critical infrastructure. Review of a large expert discussion

As part of the ITSF-2021 Digital Forum held in June, a discussion panel was held on the information security of critical infrastructure. Experts discussed a wide range of issues, including: the practice of implementing FZ-187, categorizing CII, import substitution, assessing damage under various threats, and much more. The session was moderated by an independent information security expert Alexei Lukatsky. Read more here.

Mission impossible: banks will soften the conditions for the transition to domestic software and equipment

On July 16, 2021, the working group on the transition of financial organizations to domestic software and equipment under the State Duma Committee on the Financial Market received approval from regulators of several proposals for draft acts in the field of import substitution in the financial sector. This was announced at an online meeting with the press by Anatoly Aksakov, head of the State Duma Committee on the Financial Market.

Import substitution in the financial sector, we recall, is carried out in connection with the instructions of the president in the field of ensuring the security of critical information infrastructure (CII).

One of the critical issues raised at the meeting of the working group with the participation of regulators was the timing of the transition of CII subjects in the financial sector to domestic software and equipment. The current deadline is designated 2023, but banks have repeatedly criticized such a deadline as hardly achievable, and several times asked to shift the transition dates until 2028.

Anatoly Aksakov said that, despite the wishes of the bankers, the timing will still be quite tough. However, a compromise was reached: it was possible to agree with the regulators on a deferral under which import substitution may be postponed beyond 2023 if, by that time, the licenses for imported software already in use by CII subjects in the financial sector have not yet expired or the depreciation period for imported equipment has not yet ended.

Russian banks will have to switch to domestic software and equipment within a tight timeframe, but on more flexible conditions (photo: eprussia.ru)

"Switching to domestic software and equipment means very high costs, because you need to write off the old one and essentially pay for licenses, despite the fact that you are switching to your Russian counterpart. And now we were allowed to wait for the expiration of software licenses and the timing of the write-off of depreciation equipment and then switch to Russian counterparts. This means that the costs of the banking industry will be significantly reduced, which is a significant criterion for the stability of the banking sector in our country," says Maria Shevchenko, chairman of the working group, member of the Association of Russian Banks, chairman of the board of directors of Kiwi Bank. "It removed, probably, the main contradictions between participants."

Thus, despite the fact that the transition period to domestic software and equipment for CII subjects in the financial sector will remain tight, banks will have more flexibility in planning. CII banks will have to develop transition plans taking into account the validity of software licenses and depreciation of equipment, choosing Russian analogues according to the lists agreed with the Bank of Russia.

The inclusion of the Bank of Russia in the import substitution procedure as a profile regulator was another important achievement of the working group following the discussion. According to Anatoly Aksakov, the Bank of Russia will participate, including in the selection of domestic software, equipment for financial institutions, for their subsequent implementation in the financial market. Banks will be guided by these lists when drawing up their import substitution plans.

At the same time, given that the Bank of Russia itself is a subject of the implementation of the law on the security of CII, that is, it will also have to introduce domestic solutions, it will be very attentive to what is proposed to the financial sector, Aksakov noted.

"We are grateful to the Bank of Russia for its assistance in this process, as well as to the Ministry of Digital Development for supporting the proposal. This innovation will make it possible to synchronize the transition to preferential import substitution in the financial sector with the current requirements for participants in this market, taking into account their specifics and minimizing possible risks for the financial system," says Maria Shevchenko.

In addition, the working group says, agreement was reached that the import substitution requirements would apply only to significant CII objects; for objects without a significance category the provisions will be advisory. This will allow efforts to be focused on the objects most important to the state.

It now remains to wait for the release of the documents that will formalize the agreements reached with the regulators: a draft presidential decree and a draft government decree approving the requirements for software and equipment and the procedure for switching to preferential import substitution. Separately, there is also Government Decree No. 1236 with requirements for software to be entered in the register of Russian software; as of July, amendments to it are also being drafted, in particular to simplify the inclusion in the register of domestic software solutions developed by the banks themselves. The working group expects the documents to be ready by autumn 2021 and to enter into force from March 2022.

The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%

The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%. This became known on July 12, 2021.

In 2020 the figure also grew, but only by 40%. Ransomware mainly attacked the education and science sectors, as well as industry; these accounted for 30% of the total number of attacks.

The Russian company Group-IB has calculated that 40% of all attacks are carried out by "classic" cybercriminals, while the remaining 60% are attributed to pro-state groups of other countries.

Industrial companies are in most cases attacked by ransomware. It turns out that every large company is a potential victim for cybercriminals, and the ransom amounts are growing.

Experts predict that the number of cyber attacks will only increase in the future, and the sums demanded by extortionists will grow.[18]

8 out of 10 industrial enterprises in Russia have problems with servicing the IT infrastructure

On June 24, 2021, Group-IB announced that on average, 8 out of 10 industrial enterprises in Russia have problems with servicing the IT infrastructure. In the first half of 2021, almost 3 times more attacks on critical infrastructure facilities were recorded in Russia than in the entire 2019.

Problems with maintaining the IT infrastructure of organizations are caused by a lack of resources, outdated software and an often unfinished patch management process (the process of closing vulnerabilities thanks to timely software updates), which means they are a potential target for cybercriminals, Group-IB said.

As of June 2021, according to Group-IB Threat Intelligence & Attribution, a total of 137 groups target critical infrastructure: 122 cybercriminal groups and 15 pro-state groups. The main motivation of the cybercriminal groups is still financial; most of them are ransomware operators, that is, hackers attacking organizations to extort a ransom for decryption. The goals of the pro-state groups are espionage, sabotage and subversion. Group-IB cites statistics showing that the number of attacks on critical infrastructure worldwide has grown 12-fold since 2019.

In the first 6 months of 2021, 40% of attacks on KII facilities in Russia were committed by cyber crime, 60% by pro-state attackers.

Russia and the USA intend to create an expert group on cybersecurity to protect CII from cyber attacks

The presidents of Russia and the USA intend to create an expert group on cybersecurity. However, each side is sure that the other collects data on critical infrastructure enterprises and carries out hacker attacks against its counterparts.

The United States has repeatedly asked Russia to stop hacker attacks against American companies. Russia, for its part, is sure that most hacker attacks on its critical infrastructure (CII) are carried out from the United States.

A meeting of the leaders of the two states took place in Geneva on June 16, 2021. Russian President Vladimir Putin, before meeting with US President Joe Biden, said that the issue of cybersecurity is one of the most important on a global scale.

"Because all sorts of shutdowns of entire systems lead to very serious consequences. And this, it turns out, is possible," Vladimir Putin said in an interview on the Russia 1 TV channel.

Following the talks, the leaders discussed the creation of an expert group on cybersecurity. Joe Biden said that cyber attacks should not be carried out on critical infrastructure.

"We agreed to instruct [our experts] to work out which targets should not be subjected to cyber attacks," Joe Biden said. But, he promised, if the agreements are violated, the United States will react.

During the summit, Putin and Biden agreed to begin consultations in this area and involve experts to discuss issues of protection against hacker attacks. Joe Biden has proposed a list of 16 infrastructure sectors against which cyber attacks will be banned.[19]

Every tenth IT infrastructure of government agencies, banks and the fuel and energy complex in Russia is infected with malware

In early June 2021, it became known that every tenth IT infrastructure of state agencies, banks, fuel and energy, transport and defense institutions is infected with malware. The figures were published by Rostelecom-Solar.

According to experts, even low-skill hackers can successfully attack critical information infrastructure, and most of the vulnerabilities in such networks have existed for more than 10 years.

Experts explain this situation by the fact that the software update process is absent in more than 90% of organizations, and the average time to install updates is more than 42 days.

In Russia, every tenth organization that is a CII subject is infected with malware

The most common vulnerabilities in CII are Heartbleed (disclosed in 2014), EternalBlue (the SMBv1 exploit behind the 2017 WannaCry ransomware outbreak) and BlueKeep (discovered in 2019). All of them are actively used by hackers to carry out cyber attacks.

The study notes that the COVID-19 pandemic has significantly weakened IT perimeters: over the year to the beginning of June 2021, the number of industrial control systems (APCS) reachable from the Internet increased by more than 60%.

In addition, the number of hosts with a vulnerable SMB implementation almost doubled. SMB is a network protocol for sharing files, printers and other network resources that is used in almost every organization. Such vulnerabilities are especially dangerous because they allow an attacker to run arbitrary code remotely without authentication and spread malware to every computer on the local network.
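The practical check behind this paragraph is whether a host still answers the legacy SMB1 dialect, the protocol version that EternalBlue and WannaCry exploit. The script below is an added example written for this page, not code from Rostelecom-Solar or from the study it describes: it builds a NetBIOS-framed SMB_COM_NEGOTIATE request offering only SMB1 dialects and parses the reply. The server reply used for the offline check is constructed, not captured; a server that has SMB1 disabled (and therefore only speaks SMB2/3) will simply close the connection, which the parser reports as None.

```python
import socket
import struct

# SMB1 framing constants (SMB1/CIFS wire format).
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialect strings offered in client order; index 2 is the NT LM 0.12 dialect Windows uses.
DIALECTS = (b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12")


def smb1_header(command, status=0, flags=0x18, flags2=0xC853):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    8-byte security features, reserved, TID, PID, UID, MID (little-endian).
    The flag values are the conventional ones common clients send; they do not matter for the check."""
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", command, status, flags, flags2, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )


def build_smb1_negotiate(dialects=DIALECTS):
    """NetBIOS-framed SMB_COM_NEGOTIATE request offering only the given SMB1 dialects."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # each dialect: 0x02, ASCII name, NUL
    smb = smb1_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(body)) + body
    # NetBIOS session service header: 1 byte message type 0x00 + 3-byte big-endian length.
    return struct.pack(">I", len(smb)) + smb


def parse_smb1_negotiate_response(raw, dialects=DIALECTS):
    """Return the dialect the server selected, or None if the reply is not a usable SMB1 negotiate response."""
    if len(raw) < 4 + 32 + 3:
        return None
    nb_len = struct.unpack(">I", raw[:4])[0] & 0xFFFFFF
    smb = raw[4:4 + nb_len]
    if len(smb) < 35 or not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return None
    status = struct.unpack("<I", smb[5:9])[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return None
    dialect_index = struct.unpack("<H", smb[33:35])[0]  # first parameter word: DialectIndex
    if dialect_index >= len(dialects):  # 0xFFFF means the server accepted none of them
        return None
    return dialects[dialect_index].decode("ascii")


def constructed_response(dialect_index=2):
    """A constructed (not captured) server reply that selects dialect_index, for offline use."""
    params = bytes([17]) + struct.pack("<H", dialect_index) + b"\x00" * 32  # WordCount 17 = 34 bytes
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + params + struct.pack("<H", 0)
    return struct.pack(">I", len(smb)) + smb


def probe_smb1(host, port=445, timeout=3.0):
    """Send the request to a live host and return the accepted dialect (None = SMB1 refused or no reply).
    Run only against hosts you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return parse_smb1_negotiate_response(s.recv(4096))
    except OSError:
        return None


if __name__ == "__main__":
    print("offline check, constructed reply:", parse_smb1_negotiate_response(constructed_response()))
```

A host for which probe_smb1() returns a dialect name is still accepting SMB1 and belongs at the top of the patching list; pair the sweep with an inventory of which of those hosts are reachable from the Internet, since that is the combination the study flags.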

Rostelecom-Solar called incorrect password management the main problem in internal networks. Weak and dictionary passwords are extremely common and allow an attacker to penetrate an organization's internal network. Password guessing is used by both amateur hackers and professional attackers.[20]

A mysterious hacker group has been lurking in the IT infrastructures of federal government agencies in Russia for three years

In May 2021, at a meeting with journalists, the National Coordination Center for Computer Incidents (NKCKI) of the FSB of Russia and Rostelecom-Solar spoke about the identification of a series of targeted attacks by professional cyber groups on Russian federal executive bodies (FOIVs).

"Based on the complexity of the tools and methods used by the attackers, as well as the speed of their work and their level of training, we have reason to believe that this group has resources at the level of a foreign intelligence service," said Nikolai Murashov, deputy director of the NKCKI of the FSB of Russia.

Nikolai Murashov also called the discovered attacks a precedent

The attacks were identified in 2020, and the story of their discovery began at the end of 2019, when Rostelecom-Solar was providing IT security for one of the government agencies, the company said. At that point an attempt to access one of the customer's security servers was detected. Attacks of this kind are usually not detected by standard protection tools and antivirus: these were traces that quickly disappeared but gave a clue to understanding what was happening, where the group came from and what methods it uses.

The analysis showed that the same group was present in the systems of other FOIVs as well, and the first signs of its presence dated back to 2017. That is, for more than three years the group operated inside the IT infrastructures of state organizations, says Igor Lyapunov, vice president for information security at Rostelecom.

The attacked government agencies are deliberately not named, for security reasons. The NKCKI also declined to specify how many FOIVs were attacked.

In all the identified operations, the attackers' main goals were complete compromise of the IT infrastructure and theft of confidential information such as mail correspondence, files with general and restricted access, and infrastructure and logic diagrams, according to the analysis conducted by the NKCKI of the FSB of Russia and Rostelecom-Solar.

"The damage, from our point of view, is rather reputational," said the deputy director of the NKCKI of the FSB of Russia, answering a TAdviser question about the damage caused by the group.

Nikolai Murashov added that information constituting state secrets could not have been stolen in this way. He also recalled that there are about 40 types of secrets in Russia, including tax, medical and many others. Here, certain information that partially contained personal data and the like could have been taken out of the system, the NKCKI representative said.

"But, in my opinion, the most important thing about the functioning of this system is that it was designed for the long term," the representative of the NKCKI of the FSB of Russia said, answering TAdviser's questions. "It is like a system that exists just in case. They penetrate and then very carefully... After all, colleagues talked about how carefully they acted. That is, all the actions of this attack were designed for the long term."

The tools used by the attackers were professional and very complex and allowed covert movement within the IT infrastructure, says Igor Lyapunov. The group's foothold in the infrastructure was also very extensive: the attackers created up to 10-15 different access channels.

From the presentation of Rostelecom-Solar

This level of attack is not the work of ordinary commercial groups: there is no way to monetize it, and the cost of such an attack is high, since it requires highly specialized software, Rostelecom notes.

And to penetrate FOIV infrastructures, attackers used three main attack vectors : phishing; exploitation of vulnerabilities in web applications published on the Internet; hacking the infrastructure of contractors (Trusted Relationship).

Notably, the malware the attackers developed to exfiltrate the collected data used the cloud storage services of the Russian companies Yandex and VK (formerly Mail.ru Group), and in its network activity it disguised itself as those companies' legitimate utilities Yandex.Disk and Disk-O, the NKCKI of the FSB of Russia and Rostelecom-Solar found.
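Exfiltration that hides behind a legitimate cloud sync client leaves a detectable inconsistency in proxy or EDR telemetry: the traffic goes to the cloud provider, but the originating binary is not the client it pretends to be, or the volume is far beyond what syncing office files needs. The script below is an added example written for this page, not code from the NKCKI or Rostelecom-Solar. The log format, the sample records, the list of cloud storage domains, the approved client paths and hashes and the volume threshold are all assumptions; replace them with values from your own telemetry and golden image.

```python
import re
from collections import defaultdict

# Constructed proxy/EDR records for this example (not from the original page); the field layout is hypothetical.
SAMPLE_LOG = r"""
2021-03-02T09:14:07Z host=WS-104 user=ivanov proc="C:\Program Files\Yandex\YandexDisk\YandexDisk.exe" sha256=a1f3 dst=webdav.yandex.ru ua="Yandex.Disk" out=1843200
2021-03-02T09:15:11Z host=WS-212 user=petrov proc="C:\Windows\Temp\svchost.exe" sha256=9e22 dst=webdav.yandex.ru ua="Yandex.Disk" out=734003200
2021-03-02T09:16:40Z host=WS-212 user=petrov proc="C:\Users\petrov\AppData\Local\Temp\YandexDisk.exe" sha256=77c0 dst=cloud.mail.ru ua="Disk-O" out=52428800
2021-03-02T09:20:00Z host=WS-305 user=sidorova proc="C:\Program Files\Mail.Ru\Disk-O\Disk-O.exe" sha256=b4d8 dst=cloud.mail.ru ua="Disk-O" out=2097152
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc="(?P<proc>[^"]+)" '
    r'sha256=(?P<sha>\S+) dst=(?P<dst>\S+) ua="(?P<ua>[^"]*)" out=(?P<out>\d+)$'
)

# Parent domains of the cloud storage services named in the article (assumed list; extend from your telemetry).
CLOUD_STORAGE_DOMAINS = ("yandex.ru", "yandex.net", "mail.ru")

# Approved sync clients: expected install path and binary hash. Placeholder values; record the real
# ones from your golden image.
APPROVED_CLIENTS = {
    "yandexdisk.exe": {"path": r"C:\Program Files\Yandex\YandexDisk\YandexDisk.exe", "sha256": {"a1f3"}},
    "disk-o.exe": {"path": r"C:\Program Files\Mail.Ru\Disk-O\Disk-O.exe", "sha256": {"b4d8"}},
}

VOLUME_THRESHOLD = 100 * 1024 * 1024  # assumed: more than 100 MiB per host in one log window is abnormal


def is_cloud_storage(fqdn):
    """True if fqdn is one of the watched cloud storage domains or a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def detect(log_text):
    """Run three rules over the log and return a list of findings (dicts with a 'rule' key)."""
    findings = []
    per_host_bytes = defaultdict(int)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        rec = m.groupdict()
        if not is_cloud_storage(rec["dst"]):
            continue
        per_host_bytes[rec["host"]] += int(rec["out"])
        exe = rec["proc"].rsplit("\\", 1)[-1].lower()
        approved = APPROVED_CLIENTS.get(exe)
        if approved is None:
            # Rule 1: a process that is not a sanctioned sync client talks to cloud storage
            # (the sample record even spoofs the client's user agent, as the article describes).
            findings.append({"rule": "cloud_upload_from_unapproved_process", "host": rec["host"],
                             "proc": rec["proc"], "ua": rec["ua"]})
        elif rec["proc"].lower() != approved["path"].lower() or rec["sha"] not in approved["sha256"]:
            # Rule 2: right file name but wrong path or hash: a binary masquerading as the client.
            findings.append({"rule": "sync_client_masquerade", "host": rec["host"],
                             "proc": rec["proc"], "sha256": rec["sha"]})
    for host, total in per_host_bytes.items():
        if total > VOLUME_THRESHOLD:
            # Rule 3: upload volume to cloud storage far above what normal file sync produces.
            findings.append({"rule": "cloud_upload_volume", "host": host, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Rule 1 on its own will also fire for browsers uploading through the provider's web interface, so in production give it a lower severity or an allowlist of browser binaries; rule 2 and rule 3 are the ones that single out the masquerading tool described above, and a host that trips both, as WS-212 does in the constructed sample, deserves immediate isolation and a full triage rather than a ticket.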

The State Duma approved fines for violation of the security of critical IT infrastructure

On May 18, 2021, the State Duma of the Russian Federation adopted in the third (final) reading a bill on fines for violating the security of critical information infrastructure. We are talking about systems in the fields of health care, science, transport, communications, power, banking, etc.

Under the new rules, which are to enter into force on September 1, 2021, fines will be imposed for violating the requirements for creating security systems for significant CII objects and for ensuring their operation and security. The fines will range from 10,000 to 50,000 rubles for officials and from 50,000 to 100,000 rubles for legal entities.

The State Duma approved fines for violation of the security of critical IT infrastructure - in the fields of healthcare, science, transport, communications, power, banking

Violation of the "procedure for informing about computer incidents, responding to them and taking measures to eliminate the consequences of computer attacks" will be punished even more severely: fines will range from 10,000 to 50,000 rubles for officials and from 100,000 to 500,000 rubles for legal entities.

For violations of the procedure for exchanging data on incidents between subjects of such infrastructure, foreign authorized bodies, international organizations and NGOs working in the field of responding to cyber threats, fines are provided: for officials - from 20,000 to 50,000 rubles, for legal entities - from 100,000 to 500,000 rubles.

According to the explanatory note to the bill, "the size of the proposed fines takes into account the average salary of heads of structural units for ensuring information security."

As TASS notes, in justifying the need for the law the authors point to the 2017 attack using the WannaCry ransomware, which hit a large number of computers in a number of state-owned companies and took up to three days to recover from. The cause of the damage was failure to comply with the established requirements, including the requirement to update software in a timely manner.[21]

Cyber attacks through contractors hit banks and fuel and energy enterprises in Russia

At the end of March 2021, Rostelecom-Solar, a provider of information asset protection services, published a study reporting a twofold increase in 2020 in the number of attacks on critical information infrastructure (CII) objects (banks, fuel and energy enterprises, etc.) carried out by penetrating through a contractor's infrastructure (the supply chain method). In total, the Solar JSOC monitoring and response center of Rostelecom-Solar identified and repelled over 1.9 million cyber attacks, 73% more than in 2019.

According to the experts, hacking a contractor has become the most effective method of penetrating targeted infrastructures, which as a rule include the largest federal public sector organizations and CII objects. International experience confirms this: at the end of 2020, the compromise of the software developer SolarWinds became known, as a result of which clients such as Microsoft, Cisco and FireEye, as well as several key US ministries and agencies, were affected. Solar JSOC records similar attack attempts on Russian authorities and CII objects.

"Rostelecom-Solar" recorded a twofold increase in attacks on KII through contractors' infrastructures

The active use of the supply chain method is associated with an increase in the number of more complex targeted attacks. In addition, organizations are increasingly outsourcing part of their internal processes, but they rarely monitor their own infrastructure and practically do not control the connection points of third-party companies to their network. As a result, the problem can remain out of focus for a long time. This is what led to the growth of such attacks in 2020.

Rostelecom-Solar noted that the growing popularity of the supply chain method indicates not just a change in the technical specifics of attacks but the emergence of a new key cybersecurity threat at the state level. However, there is no clear solution yet for minimizing the risks: even a contractor certified by the regulator as compliant with information security standards can be successfully attacked, and the customer has no way to directly control the outsourcer's level of information security, the experts added.

"Obviously, advanced APT groups will increasingly use the supply chain technique, so the information security community needs to develop a fundamental approach to solving the problem as soon as possible," said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar.

Also, for the first time since 2017, Solar JSOC experts recorded an increase in violations committed by internal users, ordinary company employees. More than half (53%) of internal incidents were related to information leaks: after switching to remote work, employees began to commit violations, including theft and leaking of data, that they would not have dared to commit in the office. In addition, the pandemic led to an increase in violations relating to Internet access. This is not only about visiting suspicious sites from a work computer: remote workers could also gain illegitimate access to the company's closed resources, since it is difficult to segment a corporate network correctly when access is via VPN.

The most common tool of external attackers was malware, and the main way of delivering it to the victim's infrastructure was phishing emails, most of which exploited the COVID-19 theme. At the same time, there was a significant increase (by a third) in the number of attacks using ransomware: during the period of mass remote work, when many companies weakened their information security, this already simple method of monetization became even more popular.

In 2020, the number of attacks aimed at gaining control over infrastructure increased by 30%, while the number of attacks aimed at stealing funds increased slightly (by less than 10%). This indicates a significant increase in the qualifications of attackers and the complication of their tools.

2020 Report on Attacks and Tools of Professional Groups

Detection of more than 6300 vulnerable CCTV cameras at critical infrastructure facilities of the Russian Federation

On March 12, 2021, it became known that more than 6,300 video surveillance cameras installed at critical infrastructure facilities and industrial enterprises in Russia are vulnerable: flaws in this equipment make it easy to hack.

The vulnerability of cameras at power plants, industrial enterprises, gas stations and so on was reported by Avast, citing data from the Internet of Things search engine Shodan.io. The IP addresses of these cameras are exposed, and cybercriminals can access them, experts told Kommersant.

Access to a number of cameras is currently protected by the simplest passwords, which are easy to guess, Igor Bederov, general director of Internet Search, confirmed to the publication. Such cameras, he said, may be installed in banks, among other places, which potentially threatens leaks of bank card data and customer passports. An illegal video surveillance or analytics system can be built on open IP cameras, Bederov admitted, and if such a system is supplemented with facial recognition modules, the result is a system of total surveillance, he said.

Thousands of vulnerable cameras found at gas stations and enterprises in Russia

Ekaterina Rudaya, an expert at the laboratory of practical security analysis of the Information Security Center of Jet Infosystems, in a conversation with RBC, noted that data from cameras, for example, can serve as a source of information about human movement.

"If desired, an attacker can map a person's movements around the city, provided, of course, that the quality of the camera footage allows a particular person to be recognized. This problem is unlikely to concern most citizens, since it is hard to imagine that an ordinary programmer or teacher will be monitored. But in any case, the very fact that the opportunity exists cannot be considered a norm that one can safely ignore," she explained.[22][23]

Cisco expert: Until there are criminal cases, business will not seriously invest in the implementation of the law on critical infrastructure

At the beginning of 2021, FSTEC announced its intention to tighten control over compliance with the law on the security of critical information infrastructure (CII) in Russia (187-FZ). The agency plans to increase the number of inspections, including with the participation of the prosecutor's office, and to involve sectoral agencies in bringing CII objects into line with the requirements of the law. In addition to the liability already provided for in the Criminal Code, the introduction of administrative liability for non-compliance with the law on CII security, with fines, is also on the way.

Cisco cybersecurity expert Alexei Lukatsky believes that tighter FSTEC control over the implementation of this law will make the owners of CII objects take an interest in securing them, but not earlier than in a year and a half. The reason is that the first FSTEC inspections will begin only in the second half of 2021, and few of them are planned so far, not enough to speak of a trend, he explained to TAdviser.

"And until there are real fines or criminal cases brought to a verdict, Russian business will not seriously invest in meeting legislative requirements, unfortunately, because the costs are high and the benefit is completely unobvious," Alexey Lukatsky believes.

According to FSTEC, since 187-FZ entered into force in 2018, more than 50 thousand CII objects have been identified, of which 10 thousand are classified as significant systems and networks (photo: pixabay.com)

Speaking about threats to CII objects, the expert dwelt separately on industrial control systems (APCS).

"We see cybercriminals' attention to industrial control systems; we see that they are trying their hand, developing malicious code that performs a kind of reconnaissance, that is, collecting data on the internal assets of industrial sites. But so far, given the low level of informatization of industrial sites and a lack of understanding of how these attacks can be monetized, attackers are not actively using this in their activities," said the Cisco cybersecurity expert.

The remaining CII objects are mainly business and office systems that are no different from systems that were not previously called CII objects. Lukatsky noted that attacks on banking systems, which now count as CII objects, and on the office systems of industrial, transport and state-owned enterprises both happened before and continue to occur.

As for industrial enterprises, attacks there are most often carried out not on industrial control systems but on office systems, for example those responsible for transport, supply management or shop-floor operations, after which the attackers demand a ransom for restoring management functions without hacking the industrial sites themselves.

However, this does not mean that there will be no more attacks on APCS in the future, when attackers learn to use hacks to monetize their actions, Aleksey Lukatsky emphasized. And the problem for most industrial enterprises is that their APCSs use outdated protocols and components that are susceptible to attacks.

According to FSTEC, a total of 55% of the most significant systems and networks related to CII do not use the required means of protection against computer attacks (for more details, see the block below).

55% of the systems of the most significant critical infrastructure are poorly protected from hacker attacks - FSTEC

Speaking in the State Duma at the end of February 2021 in defense of a bill introducing administrative fines for violating the law on the security of critical information infrastructure (CII), Vitaly Lyutikov, deputy director of FSTEC of Russia, cited figures on its current level of protection.

Since 187-FZ on CII security entered into force in 2018, more than 50 thousand CII objects have been identified, of which 10 thousand are classified as significant systems and networks that must be protected in accordance with the established requirements. An analysis of their security status showed that 55% of these systems and networks do not use the required means of protection against computer attacks, Lyutikov said, and 25% of CII subjects have no dedicated information security specialists.

According to the State system of detection, prevention and elimination of consequences of computer attacks (GosSOPKA), more than 120 thousand impacts on the information infrastructure of the Russian Federation were identified in 2020, the deputy director of FSTEC added.

"Under these conditions, there is a real threat of disruption to the functioning of control systems for critical and potentially dangerous facilities in the most significant sectors of the economy," said Lyutikov.

Deputy Director of FSTEC Vitaly Lyutikov spoke about the current state of protection of KII facilities

Vitaly Lyutikov noted that the categorization of CII objects provided for by 187-FZ is the basis for taking the necessary protective measures. As of February 2021, more than 700 CII subjects had not completed categorization within the deadlines set by the government, Vitaly Lyutikov said, and the security requirements at their facilities have not been implemented.

In 2020, 507 computer incidents occurred at CII objects, but only 3% of them were reported to the State system of detection, prevention and elimination of consequences of computer attacks (GosSOPKA) in a timely manner.

The bill on establishing administrative responsibility for violating the legislation in the field of ensuring the security of the CII was prepared by the FSTEC together with the FSB in pursuance of the instructions of the President of the Russian Federation, Lyutikov recalled. It is proposed to introduce two articles into the administrative code of the Russian Federation: on violation of requirements in the field of ensuring the safety of CII and on failure to provide information provided for by law in the field of ensuring the security of CII. For offenses under these articles, it is proposed to introduce the imposition of fines on officials up to 50 thousand rubles, on legal entities - up to 500 thousand rubles.

"The amount of the fines was determined on the basis of an assessment of the consequences of the 2017 WannaCry ransomware attacks on certain state-owned companies," Vitaly Lyutikov explained, speaking in the State Duma.

FSTEC expects that the adoption of the bill will encourage CII subjects to adopt protection measures at their CII objects in a timely manner. Earlier, representatives of the agency noted a low rate of compliance with 187-FZ and spoke of stepping up work to speed up its implementation. Among other things, FSTEC has involved the prosecutor's office and is intensifying inspections.

The bill on introducing administrative liability, which is being considered by the State Duma and has already passed the first reading, was prepared back in 2019. It was submitted to the State Duma in November 2020 and has yet to be finalized for the second reading.

Earlier, following public discussions and public consultations, the document caused comments from market participants and regulators. Thus, the Ministry of Economic Development and Trade earlier in its conclusion on the assessment of the regulatory impact on the bill noted that in the Criminal Code of the Russian Federation (Part 3 of Art. 274.1) criminal liability has already been established, which provides, among other things, imprisonment for up to 6 years for violation of the rules for the operation of means of storing, processing or transmitting protected computer information contained in CII and related systems and networks, or rules for access to them, if this caused harm to CII.

The Ministry of Economic Development believes that the additional establishment of administrative responsibility measures should be synchronized with a simultaneous decrease in criminal liability measures.

In addition, the adoption of the bill may be fraught with the risk of imposing additional expenditures on the budget, the Ministry of Economic Development noted. According to the information provided by the executive authorities of the constituent entities of the Russian Federation, significant expenses are required to fulfill the requirements of the 187-FZ. For example, the executive authorities of the Republic of Khakassia require financial costs in the amount of more than 200 million rubles to implement the established requirements.

FSTEC has found a way to deal with those evading the law on protecting critical IT infrastructure. It was tested on the Ministry of Energy

Alexey Kubarev, deputy head of a department at FSTEC, speaking at a security conference in February 2021, noted the low level of implementation of the federal law on the security of critical information infrastructure (CII) and announced plans to develop interaction with sectoral federal authorities as one of the measures to improve the situation. FSTEC already has experience of such interaction with the Ministry of Energy.

"We have had a wonderful experience with the Ministry of Energy of Russia, which we liked. It is more convenient for us to work through specialized state authorities, so we will extend this practice to other areas," said Alexey Kubarev.

Evgeny Novikov, head of the department for ensuring the safety of fuel and energy facilities and CII of the department for economic security of the fuel and energy sector of the Ministry of Energy, at the same conference noted that the main regulators in the field of the security law of CII (187-FZ) are the government of the Russian Federation, FSTEC and the FSB. But in agreement with the FSTEC, the Ministry of Energy in its field can also develop additional requirements for ensuring the safety of significant objects of CII, taking into account the peculiarities of their functioning in the field of fuel and energy complex.

The representative of the Ministry of Energy recalled that there are three main stages in implementing 187-FZ: categorizing the CII object, ensuring its security, and ensuring interaction with the State system of detection, prevention and elimination of consequences of computer attacks (GosSOPKA). The problems of categorizing CII objects in the fuel and energy complex have industry specifics. First, there is a very large volume of documents that need to be prepared and submitted.

"At one time, we received information from FSTEC that categorization data for facilities were being delivered by the busload," said Evgeny Novikov.

Slide from the presentation of Evgeny Novikov

Second, there is also an industry law on the safety of fuel and energy complex facilities (256-FZ) and a law on the industrial safety of hazardous production facilities (116-FZ), with which the results of categorization must be coordinated.

And, finally, there are the functional specifics of fuel and energy enterprises: for each object, depending on the sub-sector of the fuel and energy complex, a different methodology is needed, Novikov explained. With the assistance of the Gubkin Russian State University of Oil and Gas, the Ministry of Energy has developed general methodological recommendations for identifying and categorizing CII objects in the fuel and energy complex and has agreed them with FSTEC.

"The methodological guidelines developed by the Ministry of Energy of Russia are currently the only ones developed by a state authority," said the representative of the Ministry of Energy.

In addition, the ministry carries out a number of other measures to implement 187-FZ and information security in general. For example, an interdepartmental commission for coordinating the security of CII in the fuel and energy complex has been created under the Ministry of Energy.

Slide from the presentation of Evgeny Novikov

Also, at the end of 2020, a departmental GosSOPKA information security center was set up under the Ministry of Energy. Its area of responsibility covers the ministry's subordinate enterprises and its own information resources.

"Now we are considering extending this functionality to the entire fuel and energy complex: at least trying to exchange with some corporate centers and connect analytical centers," said Evgeny Novikov.

In addition, the Ministry of Energy is now obliged to organize command-and-staff training and cyber exercises in the fuel and energy complex. The ministry has already held trial events, in which FSTEC and the FSB actively participated.

According to Novikov, almost all large organizations of the fuel and energy complex have already carried out categorization and submitted the data to FSTEC. But CII subjects also include small organizations.

"Three months ago an organization, I think from the Yamalo-Nenets district, contacted us saying that they had received a letter from us about some 187-FZ. To be honest, I was almost floored. What field do you work in? In other words, ignorance of the law does not exempt one from complying with it," said Evgeny Novikov.

For more on the problems with implementing the CII security law and the control measures FSTEC plans to take, see the block below.

FSTEC: the law on the protection of critical infrastructure is being implemented poorly, the prosecutor's office has been brought in, inspections are intensifying

The federal law on the security of the critical information infrastructure (CII) of the Russian Federation (187-FZ) has been in force for three years. Alexey Kubarev, Deputy Head of a Department of FSTEC, summed up some of the results of its implementation at a security conference in February 2021.

Under 187-FZ, CII subjects were required to categorize their CII objects, create and maintain security systems for significant CII objects, take measures to ensure the security of these objects, and interact with GosSOPKA (the State system of detection, prevention and elimination of consequences of computer attacks).

Slide from the presentation of Alexey Kubarev

In 2019, a government decree was issued requiring CII subjects to prepare and submit to FSTEC of Russia a list of CII objects subject to categorization by September 1 of that year.

According to FSTEC estimates, the percentage of compliance with the federal law by CII subjects turned out to be extremely low, and the agency plans to fight this, said Alexey Kubarev.

In the course of reviewing the information submitted about CII objects, FSTEC has encountered a number of recurring phenomena.

"First, many try to evade the federal law by saying 'We are not a CII subject,' even though all direct and indirect signs indicate that they are. Another way to evade it is 'We have no CII objects that need to be categorized.' We will fight this as well, and we already know what needs to be done," said Alexey Kubarev.

According to the FSTEC representative, there are also those who are in no hurry and miss the deadlines for submitting lists of CII objects. There is also the observation that organizations do not notify the regulator of all the CII objects they have. Besides problems with compiling lists of CII objects within the deadlines set by the government, problems arise at the stage of categorizing the listed objects: missed deadlines and artificial understatement of the significance categories of existing CII objects.

"We often have to insist that the industrial control system (APCS) of a hazardous production facility cannot be left without a category, all the more so since it controls and ensures the safety of that facility. In roughly 30% of incoming submissions we have to argue with the CII subject," said Kubarev.

In addition, at the categorization stage organizations sometimes provide inaccurate information about CII objects and fail to take all the indicators into account.

The FSTEC representative recalled that, under Government Decree No. 127 of February 2018, FSTEC must also be provided with information on newly created CII objects. This is needed so that security measures and tools are built into the terms of reference for creating a significant object from the outset. Many do not do this either.

As for the next stage under 187-FZ, creating and operating security systems for significant CII objects, there are many problems here as well. Besides the slowness in implementing the federal law already mentioned, CII subjects often underestimate the capabilities of the attacker and have problems with their security staff, the FSTEC representative said.

"In some organizations, the security of significant objects is handled by economic security units, in some even by legal departments. For me this is a paradox," says Alexey Kubarev.

He also noted problems with protection tools: at many facilities, especially for industrial control systems, only antivirus protection and the standard tools of the operating system are used. This is not enough to counter serious threats.

The FSTEC representative recalled Government Decree No. 743, in force since January 2020. Under it, connecting a CII object to public networks must be agreed with FSTEC. In pursuance of this decree, FSTEC developed and approved the corresponding order.

"And we sit and wait. And what is the result? In more than a year, not a single request to agree a connection has reached us," stated Alexey Kubarev. "I very much doubt that, out of thousands of significant objects, not one has initiated a connection to public networks. We will look into this."

Slide from the presentation of Alexey Kubarev

In 2021, Kubarev says, FSTEC decided to significantly raise the level of implementation of the federal law on CII security, and the agency plans to take appropriate measures to that end.

"Let me remind you that since last year prosecutors have been actively working with the subjects of critical information infrastructure, and moreover even with potential subjects. They conduct events and on-site inspections, and we participate in them. For our part, we will involve the relevant federal authorities, the Bank of Russia and state corporations in order to raise the percentage of implementation of the federal law," says Alexey Kubarev.

He added that since 2021 FSTEC has had grounds for scheduled inspections, which the agency plans to use for state control over implementation of the federal law. Alexey Kubarev assured that the purpose of such control is not punishment but methodological assistance to CII subjects, while noting that "good must have fists," which FSTEC will soon have.

"A federal law amending the Code of Administrative Offences to introduce administrative liability for violating CII security legislation has been developed and submitted to the State Duma. It passed the first reading without incident, and I think it will be adopted in 2-4 months," explained the FSTEC representative.

FSTEC creates an OS verification center for the public sector

On February 11, 2021, it became known that the Federal Service for Technical and Export Control (FSTEC) plans to create a center for security research on Linux-based operating systems. 300 million rubles have been allocated to the project; the winner of the tender is to be chosen by March 2, 2021. Read more here.

2020

120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia

More than 120 thousand hacker attacks on Russia's critical information infrastructure (the IT systems of government agencies, banks, the fuel and energy complex, etc.) were recorded in 2020. The figure was announced on June 24, 2021 by the Secretary of the Security Council of the Russian Federation, Army General Nikolai Patrushev.

According to him, cyberspace is increasingly becoming an arena of struggle against "geopolitical opponents," and Russia is regularly subjected to computer attacks.

Nikolai Patrushev: 120 thousand cyber attacks were carried out on the IT systems of government agencies, banks and the fuel and energy complex of Russia in a year
"Most of them were carried out from the United States, Germany and the Netherlands and were directed against public administration, the military-industrial complex, health care, transport, science and education of our country," he said.

As the Secretary of the Security Council noted, Russia advocates non-politicized cooperation between countries to create a global cybersecurity system.

"Russia advocates the development of international cooperation in the interests of forming a global international legal regime that ensures the safe and equal use of information and communication technologies," he stressed in an interview with Rossiyskaya Gazeta.

On June 24, 2021, Group-IB cited data according to which three times as many attacks on critical infrastructure objects were registered in Russia in the first half of 2020 as in all of 2019. 40% of attacks on CII facilities in Russia were carried out by cybercriminals and 60% by pro-state attackers.

Nikita Kislitsin, head of the Network Security Department of Group-IB, noted that about 8 out of 10 Russian industrial enterprises have problems with servicing the IT infrastructure.

According to the experts, problems with servicing the IT infrastructure of organizations are caused by a lack of resources, outdated software and, frequently, an immature patch management process.[24]

The share of cyber attacks on authorities doubled - FSB information security center

More than half (58%) of cyber attacks in Russia in 2020 targeted state authorities, compared with 27% in 2019. These data were cited at the end of April 2021 by Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI), which coordinates the detection, prevention and elimination of the consequences of computer attacks on Russia's critical information infrastructure and the response to computer incidents.

"An analysis of the data conducted by the NCCCI showed that if in 2019 the largest share of computer attacks was aimed at the credit and financial sector (33%), then in 2020 it was aimed at the information resources of state authorities and industrial enterprises," Murashov said at an online briefing (quoted by RIA Novosti).

The share of cyber attacks on authorities in 2020 doubled

According to him, the share of hacker attacks on the IT systems of industrial enterprises in 2020 reached 38% against 18% a year earlier.

Earlier, Secretary of the Security Council of the Russian Federation Nikolai Patrushev said that the intensity of foreign intelligence activity in cyberspace had increased significantly against the background of the worsening international situation, and that the number of hacker attacks on Russian information resources in 2020 had increased 1.6-fold.

Patrushev noted the annual growth of hacker attacks on the IT resources of authorities and companies "in order to block them, gain access to protected databases and covertly control information systems."

"At the same time, the exploitation of vulnerabilities in software used in government agencies and organizations for intelligence purposes remains relevant. More than 30% of the identified vulnerabilities can be exploited remotely to conduct computer attacks on the information infrastructure," said the Secretary of the Security Council of the Russian Federation.[25]

CII and state organizations became the main targets of advanced cyber groups

According to Rostelecom statistics, in 2020 the Solar JSOC cyber attack monitoring and response center recorded more than 200 hacker attacks by professional cyber groups, including massive attempts to influence entire industries and sectors of the economy. This was announced on December 1, 2020. According to Solar (formerly Rostelecom-Solar), in about 30 cases the attacks were carried out by attackers of the highest level of training and qualification: cyber mercenaries and cyber groups pursuing the interests of foreign states. Among the most common targets were objects of Russia's critical information infrastructure.

Rostelecom's analytical report is based on data from more than 140 large organizations that are Solar JSOC customers in various sectors of the economy (banks, the energy and oil and gas sector, government agencies, etc.), as well as on customers of the JSOC CERT cyber incident investigation center. In addition, the summary statistics take into account information on attacks and malware collected by honeypots on communication networks and in data centers in the Russian Federation, and data from other Russian and international CERTs.

According to Solar JSOC experts, the goal of the most professional hacker groups is usually destructive impact and cyber espionage. The damage from attacks of this class is measured not only in financial losses but also in the impact on the country's economy as a whole, the safety of citizens and the political situation. Even the collateral damage from an infrastructure compromise (theft of personal data of employees and customers, regulatory and reputational risks, the possibility of developing new attacks) could reach tens of millions of rubles if the attackers succeed. The cumulative damage from full-scale implementation of such an attack would amount to several billion rubles.

The weak security of web applications at critical information infrastructure (CII) facilities and in government bodies made this attack vector the most popular among cybercriminals in 2020. In 45% of cases hackers attacked web applications; in another 35% they exploited known but unpatched vulnerabilities on the organizations' perimeter.

After penetrating the infrastructure, attackers tried to obtain the organization's confidential information by accessing mail servers (85% of cases) and the workstations of top executives, their deputies and secretaries (70% of cases). In parallel, they sought to seize maximum control over the infrastructure by attacking the workstations of highly privileged IT administrators (80% of cases) and IT infrastructure management systems (75% of cases). Software designed to hide the attack from standard security tools was most often used; in 20% of attacks hackers also used legitimate corporate or freely available utilities, disguising their activity as the actions of administrators and users.

"It should be noted that the trend of so-called supply chain attacks on state authorities and key enterprises of Russia is now gaining momentum. That is, attackers increasingly do not attack the organization itself directly but act through its contractor, who cares less about information security and at the same time has access to the infrastructure of the ultimate target. Therefore it is very important to pay attention to the security level of contractors and to build a secure way of accessing their infrastructure," said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar.

Attacks by mid-level organized groups (cybercrime) were aimed at direct monetization: withdrawing funds or obtaining a ransom for decrypting company data. In 2020 their focus remained the credit and financial sector: in 85% of cases hackers tried to withdraw money from correspondent accounts and attacked various financial systems of companies. At the same time, Solar JSOC analysts note, across the market as a whole there is a significant decrease in the effectiveness of such attacks and a reduction in damage, which no longer exceeds several tens of millions of rubles.

The main weapon of cybercrime remains phishing, which succeeds because of employees' low level of information security literacy: in 74% of cases attackers used social engineering to penetrate the infrastructure. To infect workstations and develop the attack further, cyber groups used mass-market software available on the darknet (40% of cases) as well as IT administration and security analysis tools (40% of cases).

Kemerovo resident convicted of cyber attacks on the CII of the Russian Federation

A Kemerovo resident was convicted of cyber attacks on the CII of the Russian Federation. This became known on November 27, 2020. Read more here.

Preparations for an espionage attack by a Chinese APT group on Russian fuel and energy enterprises discovered

On September 24, 2020, it became known that Doctor Web, a developer of information security tools, had published a study of a phishing campaign aimed at Russian enterprises in the fuel and energy complex. The first wave dated from April 2020; the latest activity was observed in September 2020. Read more here.

FSTEC issued an order on the use of domestic software to protect CII

The Federal Service for Technical and Export Control (FSTEC) has published an order on the use of domestic software to protect critical information infrastructure (CII). The document was published on the official Internet portal of legal information.

The changes are aimed at using mainly Russian equipment and software in CII to increase technological independence and security, as well as to promote domestic products.

The document clarifies the conditions for selecting equipment and software for CII objects, the procedure for their use and operation, and testing. It is separately noted that the provision on testing enters into force on January 1, 2023, as does another provision recognizing one of the outdated norms as invalid.

The Federal Service for Technical and Export Control issued an order on the use of domestic software to protect CII

The order of FSTEC of Russia has nuances that experts are unhappy with. In particular, Alexey Lukatsky noted:

The situation looks as if the regulator "doesn't care how the requirements are met." The expert drew attention to the requirement extending the ban on the use of such elements to significant CII objects of the second category.

"Goodbye, Zoom, clouds and update servers located outside the Russian Federation," Lukatsky explained.

The FSTEC order amending the requirements for ensuring the security of significant objects of the critical information infrastructure of the Russian Federation was developed in pursuance of the president's instructions following the "Direct Line with Vladimir Putin" program of June 20, 2019.

As the publication D-Russia recalls, during the "direct line" the president said that the authorities should provide a market for Russian programmers in industries sensitive for security and sovereignty, and that, for the sake of import substitution, Russian corporations should be "forced" to buy domestic software products.[26]

The Ministry of Telecom and Mass Communications canceled subsidies to the regions for the security of critical information infrastructure facilities

At the end of July 2020, it became known that the Ministry of Telecom and Mass Communications had canceled subsidies to the regions for the security of critical information infrastructure (CII) facilities. The ministry explained this by a "redistribution of budget funds."

"In connection with the optimization (reduction) of basic budget allocations when forming the draft federal law on the federal budget for 2021 and the planning period 2022 and 2023, the competitive selection of projects for 2021 aimed at providing subsidies to the budgets of the constituent entities of the Russian Federation to bring the security level of critical information infrastructure facilities into line with the requirements established by the legislation of the Russian Federation, within the federal project 'Information Security' of the national program 'Digital Economy of the Russian Federation,' has been canceled," the Ministry of Telecom and Mass Communications told D-Russia.ru.

Announcement of subsidies to regions to raise the security level of CII facilities withdrawn

It is clarified that in 2019 a competition for similar subsidies for 2020 took place: 36 regions participated and 12 winners were selected. In 2020-2021, 250 million rubles were planned for such subsidies: 150 million rubles in 2020 for CII facilities of significance categories 1 and 2, and 100 million rubles in 2021 for facilities of category 3.

At the end of July 2020, the Ministry of Telecom and Mass Communications began collecting applications from the regions for 2021 subsidies aimed at improving the security of significant critical information infrastructure facilities. The subsidies were to be provided from the federal budget to regional budgets to co-finance measures ensuring the sustainable operation of CII in the event of computer attacks.

However, the ministry canceled the collection of applications, and the address of the announcement on the ministry's website now returns the error "The page does not exist or has been deleted" (code 404).[27]

The Ministry of Telecom and Mass Communications of the Russian Federation approved the procedure for installing and operating cyber attack search tools in CII networks

In June 2020, the Ministry of Telecom and Mass Communications of the Russian Federation approved the procedure for installing and operating cyber attack search tools in CII networks.

The ministry's order "On approval of the Procedure and Technical Conditions for the installation and operation of means designed to search for signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure facilities of the Russian Federation" was published on the official Internet portal of legal information on June 25, 2020[28].

In particular, the document lists the stages that the installation and operation of attack search tools consist of:

  • determining the need for attack search tools and their installation locations;
  • installing the attack search tools and connecting them to the telecommunication networks and communication channels required to manage them;
  • configuring the installed attack search tools and checking that they work;
  • commissioning the installed attack search tools;
  • ensuring continuous operation of the attack search tools;
  • maintaining, replacing and dismantling the installed attack search tools;
  • ensuring the security of the installed attack search tools;
  • monitoring the operation of the attack search tools.

According to the order, the FSB sends the telecom operator, by registered mail with delivery notification, the following information and documents:

  • information on the need to install attack search tools, indicating the installation locations on the telecom operator's telecommunication network;
  • the operational characteristics of the attack search tools to be installed;
  • the name of the organization involved (if one is involved);
  • the surname, name, patronymic (if any) and position of the official of the authorized GosSOPKA body, or the name of the structural unit of the authorized GosSOPKA body, responsible for organizing the work;
  • the operating instructions for the attack search tool planned for installation on the telecommunication network.

No later than 10 calendar days from the date of receipt of this information, the telecom operator determines which of its officials are admitted to it.

How to keep a data center running if key employees have contracted COVID-19 or are in quarantine

In March 2020, the Uptime Institute prepared recommendations on how to respond to the COVID-19 coronavirus pandemic in the data center industry. The report was released to help critical infrastructure operators prepare and respond to the impact of the new coronavirus. TAdviser has reviewed the document. Read more here.

The Ministry of Telecom and Mass Communications proposes to unify the procedure for installing means for searching for cyber attacks on CII objects

On February 27, 2020, TAdviser learned that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation had prepared a draft order[29][30] regulating the installation and operation of means for detecting signs of cyber attacks on the country's critical information infrastructure (CII).

Ministry of Digital Development, Communications and Mass Media

The order describes both the procedure for installation and operation of such means and the technical conditions for their use.

The attack search tools themselves are classified as "equipment of automated control and monitoring systems for telecommunication networks." Such equipment is subject to mandatory state certification in accordance with current legislation.

The document provides for tripartite interaction between the authorized body of GosSOPKA (the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation), the authorized body in the field of communications, and telecom operators.

The attack search tools themselves will belong to the authorized GosSOPKA body and will be installed at the critical information infrastructure facility at that body's expense. Continuity of their operation, however, must be ensured by the telecom operator at its own expense in accordance with the technical conditions described in the draft order.

Under these conditions, the attack search tools must be installed in premises that provide all the conditions for their continuous operation: stable and uninterrupted power supply (it is stipulated that the power allocated for the connection to the electrical network "must exceed by at least 20 percent the power required in accordance with the operating manual of the attack search tools"), physical access control, temperature and humidity control, fire extinguishing equipment and, of course, an Internet connection and a connection to the network of the CII facility.

"The key provision in this document is that the cyber attack search tools themselves are to be supplied by, and remain on the balance sheet of, the GosSOPKA bodies. That is, the state at the most practical level takes over the protection of CII facilities, using equipment certified for these purposes to avoid surprises."

2019

Hackers who broke into the IT systems of Russian Railways and S7 given 10-13 years in prison

At the end of December 2019, the Basmanny District Court of Moscow sentenced three hackers accused of breaking into the ticketing systems of Russian Railways and S7. In total, 29 people were involved in the case. Read more here.

Hackers have been preparing attacks on the fuel and energy complex for years

Hackers have been preparing attacks on enterprises in the fuel and energy sector for years. This was reported on November 14, 2019 by Positive Technologies.

According to the experts, professional cyber groups conducting targeted attacks do not act destructively immediately after penetration. They can control all of an enterprise's systems for several years without taking any destructive action, only stealing important information and waiting for the right moment to launch an attack.

Hackers have been preparing attacks on enterprises in the fuel and energy sector for years, while stealing data from them

During the investigation of one incident, the experts found that the TaskMasters group, engaged in the theft of confidential documents and espionage, had been present in the victim company's infrastructure for at least 8 years.

Mostly, hackers attack the fuel and energy complex in order to disrupt its production processes or to steal corporate information and damage its reputation. Only one in three attacks aims at stealing funds; most often companies face information leaks or data substitution and destruction.

Cyber attacks on the fuel and energy complex resulting in information leakage account for 30% of all incidents. In 26% of cases data is destroyed or altered. 25% of the surveyed enterprises said that after the attacks the company's infrastructure was idle.

According to Alexei Novikov, director of the Positive Technologies Expert Security Center, it is very difficult to detect a targeted attack at the moment the intruders enter the system. It is easier and more effective to uncover the attacker's activity after penetration, for example when they move between servers already inside the internal network.

"Such movements certainly leave artifacts in network traffic and on the hosts themselves, which makes it possible to detect an earlier penetration retrospectively and eliminate the threat before the attacker proceeds to active destructive actions or steals important information," Novikov said.[31]
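The retrospective detection of lateral movement described above, as an added example that is not part of the original article or of Positive Technologies' tooling: one simple host-side artifact is the fan-out of network logons, a single account on a single source host reaching many distinct internal servers within a short window. The script below parses constructed logon records (the log format, host names and account names are made up for the example) and flags any (user, source) pair whose fan-out within a sliding window reaches a threshold; both the window and the threshold are assumed tuning parameters, not values from the article.

```python
"""Retrospective lateral-movement hunt over constructed logon records.

Each record: ISO timestamp, user, source host, destination host, logon type.
The sample below is constructed for this example and is not from any real
incident; in practice these fields would be pulled from Windows 4624 events,
sshd logs or NetFlow/Zeek conn logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a backup service account sweeps five servers from an
# accounting workstation in a few minutes (suspicious); the rest is routine.
SAMPLE_LOG = """\
2019-11-12T09:01:10 svc_backup WS-ACC-17 SRV-FILE-01 network
2019-11-12T09:02:40 svc_backup WS-ACC-17 SRV-DB-02 network
2019-11-12T09:03:05 svc_backup WS-ACC-17 SRV-ERP-03 network
2019-11-12T09:03:50 svc_backup WS-ACC-17 SRV-DC-01 network
2019-11-12T09:04:20 svc_backup WS-ACC-17 SRV-SCADA-GW network
2019-11-12T10:15:00 ivanov WS-ACC-17 SRV-FILE-01 network
2019-11-12T10:16:00 ivanov WS-ACC-17 SRV-FILE-01 network
2019-11-12T13:00:00 petrov WS-ENG-03 SRV-HIST-01 network
2019-11-12T13:30:00 admin_it SRV-MGMT-01 SRV-DB-02 remote_interactive
"""


def parse_log(text):
    """Parse whitespace-separated logon records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line: ignore rather than abort the hunt
        ts, user, src, dst, logon_type = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "src": src, "dst": dst, "logon_type": logon_type,
        })
    return records


def max_fan_out(events, window):
    """Largest number of distinct destinations reached within any `window`-long span.

    Sliding window over time-sorted events: `start` advances until the span
    between events[start] and events[end] fits inside the window.
    """
    events = sorted(events, key=lambda e: e["time"])
    best, start = 0, 0
    for end in range(len(events)):
        while events[end]["time"] - events[start]["time"] > window:
            start += 1
        distinct = {e["dst"] for e in events[start:end + 1]}
        best = max(best, len(distinct))
    return best


def fan_out_alerts(records, window=timedelta(minutes=10), threshold=4):
    """Return one alert per (user, source host) whose fan-out reaches `threshold`.

    `window` and `threshold` are assumed tuning knobs; a real deployment would
    baseline them per account class (service accounts, admins, ordinary users).
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["src"])].append(r)
    alerts = []
    for (user, src), events in sorted(by_key.items()):
        fan_out = max_fan_out(events, window)
        if fan_out >= threshold:
            alerts.append({
                "user": user, "src": src, "fan_out": fan_out,
                "first_seen": min(e["time"] for e in events).isoformat(),
            })
    return alerts


def hunt(text, **kwargs):
    """Convenience wrapper: parse raw log text and return fan-out alerts."""
    return fan_out_alerts(parse_log(text), **kwargs)


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"lateral movement candidate: {a['user']}@{a['src']} "
              f"reached {a['fan_out']} hosts starting {a['first_seen']}")
```

On the sample, only svc_backup from WS-ACC-17 is reported (five distinct servers in just over three minutes); ivanov's repeated logons to one file server and the administrator's single session from the management server stay below the threshold. The same sliding-window fan-out can be applied to SMB, RDP or WMI connection records from network sensors, which is the traffic-side artifact Novikov refers to.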

The Ministry of Economic Development intends to ban the use of foreign software and equipment at the facilities of the Russian CII

On November 1, 2019, it became known that the Ministry of Economic Development is preparing amendments to the law "On the Security of Critical Information Infrastructure (CII)" that would require foreign software and equipment at CII facilities to be replaced with Russian products. The order to prepare the amendments was given several months earlier by Deputy Prime Minister Yury Borisov, who oversees the defense industry. This was reported by RBC with reference to a letter from Deputy Minister of Economic Development Azer Talybov.

Talybov writes that in its current form Russian law does not allow the government to demand the use of only domestic software and equipment at CII facilities. For that to become possible, the rule must be written into the law "On the Security of CII." The schedule for replacing foreign products with domestic ones at existing CII facilities would be drawn up separately.

In addition, the law should prohibit foreign companies from interacting with CII networks and information systems: the ultimate beneficiaries of legal entities that do so should be Russian citizens without dual citizenship. The same rule would apply to individual entrepreneurs working with CII. As a result, access by foreign states and their citizens to the servicing and development of CII would be minimized, Talybov believes.

The recipients of Talybov's letter are the Board of the Military-Industrial Commission of Russia headed by Borisov, the Federal Service for Technical and Export Control (FSTEC) and the Ministry of Digital Development, Communications and Mass Media. The Ministry of Digital Development replied that work on import substitution of foreign equipment is under way together with FSTEC and the Ministry of Industry and Trade on behalf of the government, that CII will function more safely and sustainably on Russian software, and that the share of domestic developers in the state procurement market will grow.[32]

About 17 thousand cyber attacks on CII recorded in Russia

In August 2019, a representative of the Security Council of Russia said that about 17 thousand cyber attacks on CII had been recorded in 2018, and that attackers had attempted to install malware on another 7 thousand facilities. About 38% of the attacks targeted the credit and financial sector.[33]

ADE published methodological recommendations on categorization of CII objects in accordance with No. 187-FZ

On July 9, 2019, it became known that the Documentary Telecommunication Association (ADE) published guidelines for categorizing critical information infrastructure (CII) facilities. The document was developed on the basis of materials from telecom operators and other organizations - members of the ADE. Methodological recommendations are aimed at detailing and standardizing the procedure for categorizing CII objects, which is provided for by the Federal Law "On the Security of the Critical Information Infrastructure of the Russian Federation" dated July 26, 2017 No. 187-FZ.

The recommendations contain a set of rules on the basis of which operators should assign CII objects to the different types. The published version of the document was agreed with FSTEC of Russia and the 8th Center of the FSB of Russia and can be used by telecom operators. When the regulatory framework changes, or when comments and proposals are received based on the results of applying the recommendations, the association plans to amend the text of the methodology.

A federal official who wished to remain anonymous said that the association, in fact, is a public organization, its recommendations have no legal force.

"When preparing the document, operators had to carry out analytical work on the categorization of objects. The recommendations were developed by market participants and agreed in working order with the relevant bodies. Categorization is a necessary step in implementing the requirements of FZ-187. The purpose of the methodology is to define criteria and unify the procedure in such a way that the results do not raise questions among industry regulators. We believe that operators will begin to use the document, and practice will show whether further approval by the executive bodies is needed,"

A representative of the MegaFon PJSC press service said that the published version of the document was agreed with the main FZ-187 regulators and can be used by telecom operators. The industry document is optional, but FSTEC and the FSB recommend its use in the communications industry.

"First of all, it is designed to help market participants comply with FZ-187. This is the consolidated vision of the major industry players on how to implement the security requirements of the regulatory legal acts (NPA) on CII. The recommendations are important because FZ-187 and its by-laws formulate general principles and measures for ensuring CII security without going into industry specifics. The methodology is an attempt to apply the norms formulated by the legislator to a specific operator infrastructure; it is purely applied in nature, and that is its value. For the Big Four operators the document will of course be the main one. For other operators, we hope, too, since applying the recommendations will help create a single, understandable information field for interaction between the operator community and the regulators."

A representative of the MTS PJSC press service said that the recommendations will be used by telecom operators when categorizing critical information infrastructure (CII) facilities and building security systems for them.

"It would seem more expedient to adopt the document as a regulatory legal act of the regulator. So far these are, in fact, recommendations, and telecom operators will decide for themselves whether to use the methodology. The work has already been partly carried out: MTS has developed and sent FSTEC of Russia a list of its own CII objects. According to plan, we will categorize these facilities by the end of 2019. The methodology makes it possible to introduce certainty and uniformity into the approach telecom operators take to categorizing CII objects. The costs to MTS will be clear after the CII facilities have been categorized."

A spokesman for Akado Telecom said the initiative to develop the recommendations was correct and timely.

"But the document will most likely need to be adjusted as the regulatory legal acts on CII change. In addition, in our view the recommendations are aimed more at mobile operators than at fixed-line networks, so we did not take part in their development. When categorizing CII facilities, our company is guided by Government Decree No. 127 and the FSTEC orders."

The Ministry of Digital Development, Communications and Mass Media knows about this initiative of the Documentary Telecommunication Association, but did not agree on the document.

From 2020, FSTEC plans to introduce administrative liability for non-compliance with the security requirements for CII facilities.[34]

Data on cyber attacks on critical facilities in the Russian Federation are leaking abroad. Companies break the law

Russian companies responsible for managing critical infrastructure facilities share data on cyber attacks with foreign colleagues without the knowledge of the FSB. This was reported on Thursday, June 27, by RBC with reference to materials of the Federal Service for Technical and Export Control (FSTEC), which in turn cites the FSB.

FSB: owners of critical infrastructure transmit data on cyber attacks abroad without the knowledge of the special services of the Russian Federation

Under the law "On the Security of Critical Information Infrastructure," in force since last year, companies managing critical infrastructure facilities are obliged to submit data about those facilities to the Federal Service for Technical and Export Control (FSTEC) so that they can be assigned a category (the security requirements differ by category). In addition, they are obliged to connect to the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA), created by the FSB, and to report cyber attacks on their facilities to the National Coordination Center for Computer Incidents (NCCCI).

However, not all companies comply with the law and inform the NCCCI about cyber attacks on their systems. As a result, the center does not have complete information about incidents at critical infrastructure facilities and cannot respond to them adequately or make forecasts.

At the same time, companies do exchange information about cyber attacks with foreign organizations. In doing so they violate FSB orders No. 367 and No. 368, under which data exchange with foreign organizations must be coordinated with FSTEC. The service, however, has not received a single request on this matter.

FSTEC believes that the information provided to foreign companies about cyber attacks on the critical infrastructure of the Russian Federation eventually reaches foreign intelligence services, which can use it to assess the security posture of Russian critical infrastructure.

According to RBC, companies may be trying in this way to avoid reputational and financial losses. But the practice of sending data abroad threatens first of all the companies themselves: since the FSB-controlled NCCCI does not have complete information about incidents, it cannot respond to them adequately or make accurate forecasts of how the situation will develop, FSTEC notes.

The Law "On the Security of Critical Information Infrastructure" has been in effect in Russia since 2018. Its main goal is to protect the country's most important enterprises from cyber attacks.

According to FSTEC, the law is not yet working at full strength, for several reasons. First, last year the agency already noted that banks and telecom operators had not provided information about the "criticality" of their facilities. Second, some of the by-laws that are supposed to define the details of how organizations interact under this law have not yet been adopted.[35]

FSB formulated requirements for GosSOPKA tools that protect the CII of the Russian Federation

On May 6, 2019, the Federal Security Service issued an order "On approval of requirements for means intended for the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents."

FSTEC and FSB will introduce responsibility for violation of requirements for the critical IT infrastructure of Russia

On March 26, 2019, the Federal Portal of Draft Regulatory Legal Documents posted a notice of the beginning of the development of the draft federal law "On Amendments to the Code of Administrative Offenses of the Russian Federation (regarding the establishment of liability for violation of requirements for ensuring the safety of CII facilities)."

So far this is only a notice that work on the document has begun. Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" requires the organizations that operate significant CII objects to comply with the security requirements set by the law and its implementing regulations.

In particular, Article 274.1 of the Criminal Code provides for criminal liability for unlawful impact on the critical information infrastructure of the Russian Federation.

However, there is no law covering the case in which these requirements were not met but the failure did not result in an unlawful impact on CII.

"In order to differentiate punishment according to the public danger of the consequences of violating the legislation of the Russian Federation on the security of critical information infrastructure, it appears appropriate to introduce administrative liability for non-compliance by critical information infrastructure subjects with the requirements for ensuring the security of significant critical information infrastructure objects, established in accordance with federal law and other regulatory legal acts adopted pursuant to it," the project description says.

"Critical information infrastructure needs legislation that keeps up with the ever-changing realities of information security," said Dmitry Gvozdev, General Director of Information Technologies of the Future. "The process of forming this legislation is still far from over; some gaps remain that need to be closed as soon as possible. Developing administrative liability measures in this case is not so much a promise of new penalties for the sake of penalties as a filling of gaps and an adequate delineation of responsibility in accordance with the likely threat. Ultimately, in the field of CII even minor negligence can turn out to be unpredictably expensive."

The main developer of the draft is to be FSTEC, with the Federal Security Service of the Russian Federation listed as co-executor.

The planned deadline for adoption of the bill is January 2020. The document is available on the Federal Portal of Draft Regulatory Legal Acts (draft No. 89944).

FSTEC proposes to prohibit the processing abroad of information related to the CII of Russia

On March 6, 2019, the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) published on the Federal Portal of Draft Regulatory Legal Acts a draft amendment to Order No. 239 "On Amendments to the Requirements for Ensuring the Safety of Significant Objects of the Critical Information Infrastructure of the Russian Federation."

The draft contains a number of clarifications, among which the requirements concerning the equipment, software and procedures for processing the information of critical infrastructure facilities stand out.

In particular, it is proposed to supplement paragraph 31 of the Order[36] with the following paragraph:

"The software and hardware for storing and processing information that form part of a significant object of the 1st category of significance shall be located on the territory of the Russian Federation (except where such means are located in foreign separate subdivisions of the critical information infrastructure subject (branches, representative offices), and in cases established by the legislation of the Russian Federation and (or) international treaties of the Russian Federation)."

The previous version of the order did not impose such restrictions.

"In effect, this means a ban on processing data related to critical infrastructure facilities of the first category of significance outside the territory of Russia, minus the stipulated exceptions," said Dmitry Gvozdev, General Director of Information Technologies of the Future. "On the whole this document is clarifying in nature. Developing the standards and rules by which Russia's critical infrastructure should operate is a process that is still very far from complete: the number of stakeholders is large and the risks are too high, so the regulation should be as detailed as possible. Accordingly, new amendments, additions and clarifications will keep coming for a long time."

In addition, the document would oblige the most significant critical infrastructure enterprises to use only routers certified for compliance with information security requirements. However, this concerns only newly created or modernized CII objects and only the first (highest) category of significance.

It is stipulated that if it is not possible to use only certified devices as border routers (those through which the local network accesses the Internet), the security of the devices actually used must be assessed as part of the acceptance or testing of the significant objects.

The full text of the draft order is available on the Federal Portal of Draft Regulatory Legal Acts (draft No. 89229).

2018

In 2018, about 4.3 billion cyber attacks were committed on the Russian Federation

According to the National Coordination Center for Computer Incidents, in 2018, more than 4.3 billion cyber attacks were carried out on critical infrastructures of the Russian Federation. This was announced in August 2019 by the Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov in an interview with Rossiyskaya Gazeta.

According to Khramov, the number of cyber attacks has grown by 57% over the past six years. Whereas in 2014-2015 there were about 1.5 thousand coordinated targeted attacks per year, in 2018 their number exceeded 17 thousand. Attacks aimed at disabling the equipment of critical infrastructure facilities pose a particular danger.

Since the beginning of 2019, the introduction of malicious software on more than 7 thousand objects of critical infrastructures has been prevented. The targets of the attackers' attacks were objects of the credit and financial sphere (38% of all attacks), government bodies (35%), the defense industry (7%), the field of science and education (7%) and the health sector (3%).

According to the American company Webroot, in 2018, the United States accounted for 63% of Internet resources that distribute malware, while the share of China and Russia is only 5% and 3%, respectively.

FSB has prepared a procedure for reporting cyber attacks on CII facilities

The Federal Security Service of the Russian Federation has prepared a draft order approving the procedure for reporting cyber attacks on significant objects of critical information infrastructure (CII). The text of the draft is available on the Federal Portal of Draft Regulatory Legal Acts.[37][38]

"I order to approve the attached procedure for informing the FSB of Russia about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out on significant objects of the critical information infrastructure of the Russian Federation," follows from the order.

As noted in the explanatory note, the project is aimed at improving legal regulation in the field of coordination of the activities of the subjects of the critical information infrastructure of the Russian Federation on the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents.

According to the order, in the event of a computer incident the subjects of the critical information infrastructure of the Russian Federation are obliged to immediately inform the National Coordination Center for Computer Incidents (NCCCI). If there is no connection to the NCCCI's technical infrastructure, the information must be sent by fax, e-mail or telephone to the addresses or numbers of the NCCCI published on the agency's website.

In addition, if the incident occurred at a CII facility operating in banking or other areas of the financial market, the Central Bank of the Russian Federation must also be informed.

CII subjects will also have to develop a plan for responding to computer incidents and taking measures to eliminate the consequences of computer attacks and conduct training at least once a year to work out the plan's activities.

Information about the protection of CII from cyber attacks was classified as a state secret

In March 2018, Russian President Vladimir Putin signed a decree under which information on the state of protection of critical information infrastructure (CII) from cyber attacks is now classified as a state secret. The document was published on the official portal of legal information.[39][40]

The decree supplements the list of information classified as state secrets, approved by decree of the President of the Russian Federation of November 30, 1995 No. 1203 "On approval of the list of information classified as state secrets," with a new paragraph. According to the document, such data now include information that discloses measures to ensure the security of the critical information infrastructure of the Russian Federation and information that discloses the state of security of CII against computer attacks.

The FSB and the Federal Service for Technical and Export Control (FSTEC) were also vested with authority over such data.[41][42][43]

2017

What threatens for the unlawful impact on the critical IT infrastructure of Russia

On January 1, 2018, Federal Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" comes into force in Russia, together with the amendments to the Criminal Code adopted with it, which define the punishment for damaging the country's critical infrastructure.

The changes are introduced by Federal Law No. 194-FZ "On Amendments to the Criminal Code of the Russian Federation and Article 151 of the Criminal Procedure Code of the Russian Federation in connection with the adoption of the Federal Law 'On the Security of the Critical Information Infrastructure of the Russian Federation'." In particular, Chapter 28 of the Criminal Code is supplemented by Article 274.1, which defines the punishment for "unlawful impact on the critical information infrastructure of the Russian Federation."[44]

According to the regulations of the 187-FZ, financial, transport, energy, telecommunications companies, as well as organizations in the field of health, science, fuel and energy complex, nuclear power and industry are subject to the new requirements.

By February 20, 2019, companies that fall within the scope of the law are obliged to categorize their CII facilities themselves and coordinate the results with FSTEC.

This stage includes creating a categorization commission, defining the processes that make up the company's core activities and identifying the most critical of them. The next step is to draw up the list of CII objects and coordinate it with the industry regulator (for the healthcare sector, for example, this is the Ministry of Health). The list is then submitted as a notification to FSTEC of Russia, and for each object on it the CII subject determines a category of significance, after which the categorization results are sent to FSTEC for approval. The owner of the CII facilities then has to build protection based on the assigned categories.

Unlawful impact includes the creation, distribution and/or use of computer programs or other computer information knowingly intended for the unlawful destruction, blocking, modification or copying of information contained in critical information infrastructure, or for neutralizing the means of protecting that information.

Severe penalties have been established for crimes aimed at violating the security of the critical information infrastructure of the Russian Federation

In addition, sanctions apply to unlawful access to protected computer information contained in the critical information infrastructure of the Russian Federation, if it has caused harm to that infrastructure.

Penalties are also provided for violating the rules for operating the means of storing, processing or transmitting protected computer information contained in critical information infrastructure, and the information systems, information and telecommunication networks, automated control systems and telecommunication networks that belong to the country's critical information infrastructure.

For creating malicious programs to affect the infrastructure, offenders face forced labor for up to five years with possible restriction of liberty for up to two years, or imprisonment for two to five years with a fine of five hundred thousand to one million rubles or in the amount of the convicted person's wages or other income for one to three years. For unlawful access to protected computer information, the penalty is forced labor for up to five years with a fine of 500 thousand to one million rubles and possible restriction of liberty for up to two years, or imprisonment for two to six years with a fine of five hundred thousand to one million rubles.

Violating the rules for operating the means of storing, processing or transmitting protected computer information is punishable by forced labor for up to five years with possible deprivation of the right to hold certain positions or engage in certain activities for up to three years. Imprisonment for up to six years is also possible.

If these acts are committed by a group of persons by prior conspiracy, by an organized group, or by a person using their official position, the punishment increases significantly: the law provides for three to eight years of imprisonment with possible deprivation of the right to hold certain positions or engage in certain activities for up to three years.

If the same acts, committed by a group of persons by prior conspiracy or with the use of an official position, entailed grave consequences, the perpetrators face five to ten years of imprisonment, with or without deprivation of the right to hold certain positions or engage in certain activities for up to five years.

"The appearance of such a law is more than natural in the current environment," said Georgy Lagoda, CEO of SEC Consult Services. "Attacks on critical infrastructure have ceased to be an abstraction; this is an extremely pressing problem for all countries, including Russia. The law is clearly aimed at preventing internal attacks or violations that increase the vulnerability of the infrastructure. The effectiveness of this law may be debated, but it is encouraging that the existence of the problem is recognized at the legislative level."

"The law, as well as the amendments to the Criminal Code, are necessary in themselves," said Dmitry Gvozdev, General Director of Technologies of the Future LLC. "The question, however, lies in actual law enforcement practice. Whether these laws work at all depends on it."

The State Duma approved a package of bills with sanctions for attacks on critical infrastructure

In January 2017 the State Duma approved in the first reading a package of bills providing for up to 10 years in prison for hackers who target the critical information infrastructure (CII) of the Russian Federation. If the bill is passed, the corresponding amendments will be made to the Criminal Code of the Russian Federation, TASS and CNews reported.[45]

CII means information and telecommunication systems of state bodies. This also includes automated process control systems in the defense, fuel, rocket and space, nuclear, chemical, metallurgical and mining industries, as well as in the fields of health, communications, transport, power and finance.

Punishments for hackers

For example, for creating or distributing software designed to harm CII, hackers face forced labor for 5 years or imprisonment for the same term. Alternatively, a fine of 500 thousand to 1 million rubles may be imposed; the fine can also be calculated from the offender's income, as the equivalent of one to three years of salary.

If a hacker not only created or distributed a malicious program for CII but also caused real damage to the infrastructure, they can spend 5 to 10 years in prison. In addition, the offender will be barred from certain activities and from holding the corresponding positions for 5 years.

There is also a punishment for unlawful access to information contained in CII, if this access is carried out using a malicious program and poses a threat to the infrastructure. The fine for this ranges from 1 million to 2 million rubles, or equals the offender's income for 3 to 5 years. Alternatively, imprisonment for up to 6 years is possible with a fine of 500 thousand to 1 million rubles, or in the amount of 1 to 3 years' salary.

Other punishments

The bill provides penalties not only for deliberately harming CII but also for violating the rules for handling the information it contains. This includes improper handling of the equipment on which that information is stored, processed and transmitted, and violation of the rules for accessing CII data and systems where this poses a threat to the infrastructure.

For such actions violators face imprisonment for up to 6 years; another option is 5 years of forced labor and a ban on certain activities for 3 years. If the offence is committed not by one person but by a group of persons acting by prior conspiracy, or by a person using their official position, the punishment is imprisonment for 3 to 8 years or 5 years of forced labor.

Ensuring security

The bill considered by the State Duma also sets out the principles for ensuring CII security, assigns the corresponding powers to government agencies and establishes the duties and responsibilities of infrastructure owners and operators. A dedicated authorized federal body is to be responsible for CII security.

All CII facilities are to be divided into categories, each with its own security requirements. The division will be based on a register of significant objects, whose creation is provided for by the bill. In addition, CII security systems will be created that interact with the system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, established by presidential decree of January 15, 2013.

Notes

  1. PNST 905-2023
  2. Data counts on money protection
  3. FSTEC revealed hundreds of violations in the protection of Russia's information infrastructure
  4. FSTEC will present cybersecurity requirements to state contractors
  5. The FSB of Russia suppressed the illegal activities of a Russian citizen who committed high treason in the Kemerovo region
  6. TV channels and telecom operators will be obliged to create information security units
  7. InformSystems will be evaluated critically
  8. Servers are distributed across the country
  9. The Duma adopted a law on protection against cyber attacks of registration data in the field of real estate
  10. Order of the Federal Security Service of the Russian Federation No. 213 dated 11.05.2023
  11. Mail on the castle
  12. Almost half of Russian departments were subjected to cyber attacks
  13. The impossible opens up for the public sector
  14. Cyberspetsnaz awarded qualifications
  15. The Cabinet of Ministers launched an experiment to increase the security of InformSystems of authorities
  16. Decree of the President of the Russian Federation of 01.05.2022 No. 250 "On additional measures to ensure information security of the Russian Federation
  17. Positive Technologies: government agencies are the worst protected from cyber attacks
  18. The number of cyber attacks on critical infrastructure of the Russian Federation has increased by 150%.
  19. Russia and the United States in cyberspace: keep friends close
  20. In Russia, every tenth organization - subject of CII is infected with malware
  21. The Duma introduced fines of up to 500 thousand rubles for violations in protecting critical IT infrastructure
  22. Video without restrictions. Surveillance cameras with publicly available data were discovered in Russia
  23. Experts have found a vulnerability in thousands of surveillance cameras
  24. Patrushev: 120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia for the year
  25. Hackers have become more likely to attack authorities, the Cyber ​ ​ Threats Center said
  26. Order of the Federal Service for Technical and Export Control dated 20.02.2020 No. 35 "On Amendments to the Requirements for Ensuring the Safety of Significant Critical Information Infrastructure Facilities of the Russian Federation approved by Order of the Federal Service for Technical and Export Control dated December 25, 2017 No. 239
  27. Message about subsidies to regions to increase the level of security of CII facilities withdrawn
  28. Order of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation of 17.03.2020 No. 114
  29. Draft order regulating the installation and operation of means for finding signs of cyber attacks on facilities
  30. Hackers prepare attacks on the fuel and energy complex for several years
  31. Want to ban foreign software and hardware in banks, medicine, transport, industry and science
  32. [https://www.comnews.ru/content/120693/2019-07-09/u-kii-poyavilis-pravila KII has rules]
  33. FSB announced the leakage of data on cyber attacks on Russian facilities abroad
  34. Order of the Federal Service for Technical and Export Control of December 25, 2017 No. 239 on the approval of requirements for ensuring the safety of significant facilities of the critical information infrastructure of the Russian Federation
  35. On approval of the Procedure for informing the FSB of Russia about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out on significant objects of the critical information infrastructure of the Russian Federation
  36. The FSB has prepared a procedure for informing about cyber attacks on KII facilities
  37. [http://publication.pravo.gov.ru/Document/View/0001201803020009?index=0&rangeSize=1 Decree of the President of the Russian Federation of 02.03.2018 No. 98 "On amending the list of information classified as state secrets, approved by Decree of the President of the Russian Federation of November 30, 1995 No. 1203"]
  38. [https://www.securitylab.ru/news/491867.php On the security of KII against cyber attacks]
  39. Federal Law of 26.07.2017 No. 194-FZ "On Amendments to the Criminal Code of the Russian Federation and Article 151 of the Criminal Procedure Code of the Russian Federation in connection with the adoption of the Federal Law 'On the Security of Critical Information Infrastructure of the Russian Federation'"
  40. Hackers in Russia will be imprisoned for 10 years