RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2
2024/08/02 17:32:21

GOST R 71452-2024

Requirements for functional safety and protection of the industrial automation monitoring system (IACS) during the life cycle

Content

Scope

The standard contains requirements and recommendations for ensuring and confirming the functional security and protection of information at various stages of the life cycle. It helps coordinate risk assessment, design, management and operation processes, and prevents conflicts between functional security and information protection. The standard is not aimed at creating a completely new life cycle, but at developing requirements for coordinating functional security and protecting information based on life cycles of functional security, protecting information and other modern design processes.

This document is intended to apply to Industrial Automation Control Systems (IACS), including controlled equipment (CS) and safety related systems.

History

2024: A new GOST has been adopted, coordinating information security and functional safety at enterprises

Rosstandart at the end of July published the text of the GOST R standard 71452-2024[1] "Requirements for functional safety and protection of the industrial automation control system (IACS) throughout the life cycle," which is a translation of the international standard IEC/PAS 63325:2020, adopted in 2020. The Russian standard defines the procedures that companies must follow to coordinate actions to ensure the functional security of industrial facilities and information security. GOST comes into force on July 1, 2025.

Safety is defined in the standard as "no unacceptable risk," and functional safety is defined as the correctness of the functioning of all systems, including risk mitigation tools. And for information security (security) several definitions are given at once:

{{quote) measures taken to protect the system;

b) the state of the system, which is the result of the development and implementation of system protection measures;

c) the state of the system resources, which are protected from unauthorized access to them and unauthorized or accidental changes, destruction, as well as from loss;

(d) The ability of the computer system to ensure that unauthorized persons and systems are not able to modify or access the software and its data, but at the same time to ensure that it is possible for authorized persons and systems;

f) prevention of unauthorized or undesirable penetration, as well as interference with the serviceable and planned operation of the industrial automation and control system.}}

In general, the standard defines a set of two types of requirements - for the coordination of functional and information security management and for processes at different stages of the life cycle. The first set of requirements is to ensure that both functional security and information specialists participate in all stages of the life cycle of the industrial system, and that conflict resolution procedures between them are followed.

The second set of requirements defines the procedures that are most critical for each of the stages of the life cycle of the industrial system: when developing the concept of the system and localizing the scope of its application; for risk assessment; during development and implementation; during system operation and maintenance; and even for decommissioning and disposal. Key requirements, of course, are focused on the risk assessment stages and during system development and implementation, which details hazard and risk analysis with threat and vulnerability assessment, risk criteria, conflict resolution rules, and response to system failures or information protection events.

source = Rosstandart
Risk Assessment Coordination Scheme taking into account both functional and information security measures

File:Aquote1.png
It is too early to talk about the full readiness of Russian industrial companies, since the standard provides for technical management processes from the beginning of the life cycle, - explained to TAdviser the situation with the readiness of Russian companies to use the standard Ekaterina Rudina, head of the information security analyst group at Kaspersky Future Technologies Kaspersky Lab. - Existing enterprises need to adapt the provisions of the standard in order to coordinate the management of functional and information security. Nevertheless, at the beginning of new projects or during the modernization of production, it would be good to ensure accurate adherence to the recommendations of the standard.
File:Aquote2.png

According to Ekaterina Rudina, for the full implementation of the standard at industrial enterprises, it is necessary to formalize information security management procedures, in particular, to carry out a full risk assessment, and coordinate the activities of information security services with functional security management. For example, if the threat of process disruption due to a common cause failure is analyzed, then when assessing risks, it is necessary to consider the option of an incident with similar consequences, which can be implemented using a cyber attack. As a rule, such coordination requires interdisciplinary analysis and involvement of specialists of various profiles - technologists, engineers, specialists in the field of IT and information security.

The appendix to GOST lists possible measures to coordinate functional security and information protection at various stages of the life cycle, which lists the recommendations of the developers of the standard. In particular, the section "A.2.8 Integration of Information Protection Measures" lists the cyber defense mechanisms that should be integrated into functional security systems. In particular, these include access rights control systems, cryptographic information exchange protocols, solutions for managing vulnerabilities and changes, antivirus protection and tools for monitoring information security events.

There is also a requirement for developers of functional security systems to quickly eliminate detected vulnerabilities and errors. It creates a niche for developers of protective equipment who can adapt their products for industrial functional safety systems so that they meet the requirements of GOST.

File:Aquote1.png
The introduction of the GOST R 71452-2024 standard in domestic industrial companies is a serious test, "said Andrey Steblevsky, Business Development Director of DCLogic, in a conversation with TAdviser. - Readiness for this will depend on the maturity of existing control and security systems. Some large enterprises are already using advanced information security systems that comply with international standards, which should facilitate the transition to the requirements of the new standard. However, many companies, especially small and medium-sized companies, will require considerable time and resources to adapt their systems and processes to new regulations.
File:Aquote2.png

Moreover, the main problems may arise not with specific protection products, but when developing common approaches between functional security specialists and the information security service. The main purpose of functional safety is to protect against accidents in hazardous industries and to stop the consequences. It is regulated by separate legislation, which has been developing since the middle of the last century and has developed quite strict requirements for responding to dangerous events. Functional safety systems should promptly prevent accidents and dangerous consequences for others.

File:Aquote1.png
Now the emergence of the standard practically does not affect the information security market, but it can help in the future, - says Ekaterina Rudina. - The market for domestic means of protecting industrial infrastructures from cyber attacks already takes into account the specifics of protected systems and the specifics of risks. Those enterprises that still do not use means of protection against cyber attacks are unlikely to monitor GOSTs. The tool goes before the procedure, and this is quite correct in terms of the need to "extinguish fires" in the field of information security of the industrial ecosystem: when an attack is attacked, you must first repel the attack, and then build a more effective and coordinated defense against future threats. We expect an increase in the maturity of industry in terms of countering targeted threats, and from this point of view, interested enterprises, primarily in the field of CII, the new standard will help build a more integrated and sustainable protection system.
File:Aquote2.png

It should be noted that the translators of the standard are EOS Tech and the Russian Institute of Standardization, which carried out the procedure for its adoption through the technical committee of Rosstandart No. 58 "Functional Safety." At the same time, GOSTs on information security, which are developed by FSTEC to regulate CII facilities, usually pass through TC No. 362 "Information Protection."

In general, all GOSTs are advisory until the other is clearly spelled out in legislative acts. Whether FSTEC or another department will include in its orders regulating the information security of industrial facilities of the CII (for example, order of FSTEC No. 31), references to GOST R 71452-2024, is still unclear. In general, the concept of critical information infrastructure is broader - it includes both telecommunications and financial companies. Perhaps some departments will include this standard in their orders or guidelines for implementing the requirements for the protection of CII. There are many options for making a document mandatory, and which of them will be adopted is still unknown.

Notes