2025/11/12 12:42:02

PNST 1021-2025

Standard PNST 1021-2025 "Machine Safety. Information Security Issues in Functional Security Management Systems"


The acronym PNST stands for Preliminary National Standard. This is a standardization document that is adopted for a limited period. The goal is to gain experience in applying the PNST so that a full-fledged permanent national standard (GOST) can later be developed on its basis. In particular, PNST 1021-2025 was developed by EOS Tech together with the Russian Institute of Standardization, and it will be in force from March 1, 2026 to March 1, 2029.

History

2025: Adoption of the Standard

In early November, Rosstandart published the full text of the preliminary standard PNST 1021-2025 "Machine Safety. Information Security Issues in Functional Security Management Systems." Experts of Rosstandart Technical Committee No. 58 "Functional Safety" prepared the document for publication.

The preliminary standard defines the requirements for information security of machines and mechanisms

The development of PNST 1021-2025 took into account the regulatory provisions of the international document IEC TS 63047:2023[1] "Machine Safety. Information Security Issues in Functional Security Management Systems." This international standard identifies issues related to threats and vulnerabilities that are addressed in the development and implementation of safety-related control systems (SCS) for machines. In effect, the document defines how information security affects the emergency protection systems that provide functional safety.

In particular, the authors of the published document give the following definition of functional safety: "part of general safety due to the use of a machine and a machine control system, which depends on the correct functioning of safety-related control systems and other risk mitigation measures." Although the standard mainly deals with the use of SCS as part of machine control systems, in practice this concept also applies to technological processes and their automated process control systems (APCS).

"The new standard is aimed at solving one of the key problems: the lack of a unified approach to ensuring security in systems on which technological and production processes directly depend," Kirill Levkin, project manager of MD Audit, told TAdviser, explaining the need to adopt such a document. "We are talking about the intersection of information security and functional security: protecting not only data, but also the logic of controlling equipment, automation, sensors. The standard helps to eliminate the gap between information security specialists and APCS engineers by establishing uniform requirements for the design, testing and operation of systems, where a fault or failure can lead to physical consequences."

Under the adopted PNST, safety functions implemented by SCS mechanisms in electrical, electronic and programmable systems should provide a safety integrity level that meets the requirements of GOST R IEC 61508-4 "Functional Safety of Electrical, Electronic, Programmable Electronic Systems Related to Safety," the current version of which was adopted in 2012.

The key link between information security and functional safety is the risk that a breach of the information protection of SCS mechanisms leads to a failure or incorrect operation of emergency safety functions. To prevent such an impact, PNST 1021-2025 defines the following actions: assessing the possibility that information security threats can be realized, and developing a strategy for reducing the risk of information security violations in SCS.

Potential Implications for SCS Related to Information Security Breaches

To do this, SCS shall provide for the following information security mechanisms:

  • Identification and authentication of subjects and access objects;
  • Control of access of subjects to objects;
  • Recording of security events;
  • Intrusion detection and anti-virus protection;
  • Analysis of information security;
  • Ensuring data integrity and availability;
  • SCS hardware protection;
  • Protection of the SCS information system and data channels.

The main part of the standard is devoted to describing how these mechanisms apply to machine control systems. It also contains requirements to protect data from corruption and to inform the user about possible violations; in the list above, these requirements are implemented by the integrity mechanisms and the information security analysis, respectively.

"The standard should solve the problems of various cyber threats for control systems," Alexey Korobchenko, head of the information security department of Security Code, told TAdviser. "This is, for example, the introduction of malicious software, unauthorized access, exploitation of existing vulnerabilities. It is worth noting that these threats have a very high level of criticality, since they can lead not only to the failure of the company's services, but also to a halt in operating activities. In addition, the standard will allow you to combine classical information security and the specifics of protecting industrial IT infrastructures."

According to the expert, this specificity is primarily due to the software in use, for example APCS, which often has unique characteristics because enterprises frequently develop solutions for their own needs. Another problem sometimes observed in industrial companies is a level of information security maturity that is not the highest. With the help of the new standard, companies will therefore be able to develop a basic approach to assessing information security risks and, on that basis, build an adequate security system that takes their particular features into account. The document sets basic rules, albeit high-level ones; how they will be interpreted on the ground, and which processes will be built first to meet the requirements, will become clear only in the future.

"The adoption of the standard will be an important step towards the maturity of the Russian information security market: it creates a regulatory framework for the integration of cybersecurity into industrial and infrastructure systems," says Kirill Levkin. "This will increase the demand for specialized solutions, auditors, certified means of protection and specialists working at the intersection of information security and engineering disciplines. In addition, the standard contributes to import independence, since it sets technical and organizational requirements adapted to Russian practice, which will allow building internal standards and certification without focusing on foreign models like IEC 62443[2]."

Notes