2024/03/25 09:01:19

Critical Information Infrastructure of Russia

Critical Information Infrastructure (CII) is a set of information systems and telecommunication networks that are critical for the work of key areas of the state and society: health care, industry, communications, transport, power, the financial sector and urban economy. This article discusses regulatory and practical aspects related to CII in Russia.


Critical information infrastructure of the Russian Federation (CII) means the set of automated systems for managing the production and technological processes of critical facilities of the Russian Federation, the information and telecommunication networks that ensure their interaction, and the IT systems and communication networks designed to solve the tasks of state administration, defense, security and law enforcement.

Critical Information Infrastructure Security

Main article: Security of critical information infrastructure of the Russian Federation

Criminal cases on unlawful impact on the CII of the Russian Federation

Main article: Criminal cases on unlawful impact on the critical information infrastructure of the Russian Federation

Critical infrastructure in healthcare

Main article: Critical infrastructure in health care

State system of detection, prevention and elimination of consequences of computer attacks

Main article: State system for detection, prevention and elimination of consequences of computer attacks

It is required to provide

2024: Bill on the transition of critical objects to Russian software submitted to the State Duma

The Russian government has submitted to the State Duma a bill that would empower the Cabinet of Ministers to determine, for each industry, the types of information systems that must be classified as significant objects of critical information infrastructure. All of them will have to switch to domestic software from 2025. This was announced on March 22, 2024 by the press service of State Duma deputy Anton Nemkin.

"The draft federal law is aimed at ensuring the technological independence and security of the critical information infrastructure of the Russian Federation in the context of the sanctions imposed on Russia and the risk that the operability of critical information infrastructure facilities is disrupted as a result of those sanctions," the explanatory note to the document says.

The bill enshrines precisely the rules for the transition of critical infrastructure to Russian software, said Anton Nemkin.

"According to the presidential decree signed in March 2022, state-owned companies can no longer purchase foreign software for use at significant critical information infrastructure facilities. From January 1, 2025, a complete ban on the use of foreign software at significant CII facilities is to come into force. The bill in question gives the Cabinet of Ministers the authority to determine in each industry, taking into account industry features, the types of information systems that must be classified as significant objects of critical information infrastructure," the deputy explained.

At the same time, the government will set the timing of the transition to Russian IT products; the deadlines will be tied to the readiness of domestic solutions.

As of March 2024, the owner of a particular information system independently decides whether or not to classify its CII object as significant. Companies therefore often deliberately minimize the number of systems they define as significant CII objects in order to reduce their costs. The bill will make it possible to establish, for each industry, a dedicated list of objects at which the use of Russian software and electronic products will be mandatory.

"If we talk about the areas where the transition to domestic software needs to be accelerated, then first of all we are talking about subjects of critical information infrastructure, which include state bodies, enterprises and individual entrepreneurs that use information systems in critical industries such as health care, science, transport, communications, power and others. In total, as of March 2024, there are more than 50 thousand KII facilities in our country, run by more than 5 thousand organizations. As the Ministry of Digital Development previously noted, there remains an urgent need for import substitution in about 10 percent of the IT solutions supplied by foreign vendors. Replacing this 10 percent may be the most difficult part of the import substitution program, as it involves the most complex and expensive software, whose development requires a long cycle and a large number of highly qualified developers. However, there is no doubt that our developers will cope with this task if they are supported at the appropriate level," added Anton Nemkin.

2023

Mishustin obliged key KII subjects to use only domestic IT solutions and instructed departments to develop transition plans

Prime Minister Mikhail Mishustin signed a decree on the transition of subjects of critical information infrastructure (CII) to Russian IT solutions. This became known in mid-November 2023.

According to TASS, citing a resolution signed by the head of the Cabinet of Ministers, the transition of government agencies and key enterprises of the Russian Federation to domestic software and equipment will take place from September 1, 2024 to January 1, 2030. Industry plans for the transition of critical infrastructure entities to trusted software and hardware complexes must be approved by September 1, 2024. This work is entrusted to the Ministry of Industry and Trade, the Ministry of Health, the Ministry of Education and Science, the Ministry of Transport, the Ministry of Digital Development, the Ministry of Energy, the Ministry of Finance, Rosreestr, the Bank of Russia, Rosatom and Roskosmos.

Mikhail Mishustin signed a decree on the transition of KII subjects to Russian IT solutions

It is assumed that plans for the transition to trusted equipment and software of organizations that directly own significant objects of critical information infrastructure will be approved by January 1, 2025.

"Trusted hardware and software complex" is defined in the document as "a hardware and software complex that simultaneously meets all the criteria for recognizing hardware and software complexes as trusted hardware and software complexes specified in the appendix" (information on the hardware and software complex is contained in the unified register of Russian radio electronic products, the software meets the requirements for use by state authorities, etc.).

According to the draft government decree developed by the Ministry of Industry and Trade, the transition to domestic PAC (software and hardware complexes) is aimed "at ensuring the technological independence and security of the critical information infrastructure of the Russian Federation in implementation of the presidential decree 'On measures to ensure the technological independence and security of the critical information infrastructure of the Russian Federation'".[1]

The Ministry of Digital Development of the Russian Federation will include the localization of equipment production in the assessment of the independence of CII

On October 9, 2023, it became known that the Ministry of Digital Development of the Russian Federation intends to expand the list of criteria for assessing the technological independence of critical information infrastructure (CII). The list will include a requirement to localize the production of equipment.

From January 1, 2025, in accordance with the norms enshrined at the legislative level, it is prohibited to use foreign software at significant facilities of the CII. In addition, government agencies and organizations will not be able to use information protection tools originating from unfriendly countries. These rules are designed to ensure the security of the Russian CII in the current geopolitical situation, which provoked an increase in the intensity of cyber attacks.

Ministry of Digital Development intends to expand the list of criteria for assessing the technological independence of critical information infrastructure

However, the adopted documents do not provide for the principle of localization of the development and production of hardware solutions. In this regard, Prime Minister Mikhail Mishustin in June 2023 instructed the Ministry of Digital Development "to work out the issue of forming a system for assessing the level of compliance of KII with the requirements for technological independence." Based on the results of the work done, the department proposed an approach based on an analysis of the availability of domestic developments, production lines of high-tech products, the necessary personnel resources, scientific and technological reserves for the owners of KII.

The new assessment system will make it possible to understand how the owners of KII facilities are ready for the transition to domestic software and hardware, as well as for their development and introduction into production by 2025. It is noted that the developments of the Ministry of Digital Development will form the basis of the system of indicators of technological sovereignty, which is mentioned in the Concept of Technological Development until 2030. In accordance with this document, Russia "must have its own scientific, personnel and technological base of critical and end-to-end technologies." We are talking about organizing the production of high-tech products such as microelectronics, modern machines, robotics, aerospace technology, drones, medical and telecommunications equipment.[2]

Putin attributed the owners of ICT systems in the field of real estate registration to the subjects of KII

Russian President Vladimir Putin signed a law expanding the list of subjects of critical information infrastructure (CII), supplementing it with ICT systems in the field of state real estate registration. The corresponding document was published on the official portal of legal information on July 10, 2023.

The law amends the Federal Law "On the Security of the Critical Information Infrastructure of the Russian Federation." Under the new rules, the subjects of critical information infrastructure now also include government agencies, state institutions, legal entities and individual entrepreneurs that own, lease or otherwise legally hold information systems operating in the field of state registration of rights to real estate and transactions with it.

Vladimir Putin

As Alexander Weinberg, a member of the Federation Council Committee on Constitutional Legislation and State Building, explained, the law will allow "to implement a set of measures to detect, prevent and eliminate the consequences of computer attacks carried out against objects in this area."

Previously, the subjects of CII included state bodies, state institutions, Russian legal entities and (or) individual entrepreneurs who own, lease or otherwise legally own information systems, information and telecommunication networks, automated management systems operating in the field of health, science, transport, communications, power, banking and other areas of the financial market, fuel and energy complex, in the field of atomic energy, defense, rocket and space, mining, metallurgical and chemical industries, Russian legal entities and (or) individual entrepreneurs that ensure the interaction of these systems or networks.

Federal Law

The Ministry of Digital Development has prepared a law on critical information infrastructure

On May 18, 2023, it became known that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation (Ministry of Digital Media) is working on a new bill concerning the country's critical information infrastructure (CII).

In March 2022, Russian President Vladimir Putin signed a decree prohibiting government agencies and state-owned companies from using foreign software at KII facilities. Such structures are obliged to switch to domestic developments from January 1, 2025. Elena Kamyshnaya, senior information security analyst at the Digital Economy League, told the newspaper Vedomosti that the subjects of CII include state bodies and organizations operating the relevant systems. These are structures in health care, science, transport, communications, banking, power engineering and the fuel and energy complex that have critical infrastructure facilities.

Ministry of Digital Development is working on a new bill concerning the country's critical information infrastructure

As Kamyshnaya noted, organizations can themselves determine the significance of their objects and may decline to classify them as CII. Demyan Ramensky, Head of Information Security at CorpSoft24, explains that strict technical and organizational requirements for reliability and protection apply to the most significant CII objects. Some market participants therefore deliberately understate the significance category of their systems, which in turn lowers the regulatory requirements they face.

The new bill prepared by the Ministry of Digital Development introduces principles for determining the criticality of infrastructure. In particular, the document establishes criteria for forming the list of CII objects and spells out the timing of the transition to Russian software. The list must then be agreed with the government agency or Russian legal entity that "performs the functions of developing state policy and (or) regulatory legal regulation in the established area with respect to the CII subjects subordinate to it."

As Vedomosti clarifies, referring to sources in the government and IT companies, the draft document has already been agreed with interested parties: it is being prepared for submission to the State Duma.[3]

2022

Government closes loophole for foreign software purchases

Russian companies playing the role of subjects of critical information infrastructure (CII) will be banned from purchasing foreign software, even if it has no domestic analogues. The corresponding recommendations on the formation of industry action plans for the transition to Russian software were approved by the Government of the Russian Federation at the end of August 2022.

As Vedomosti writes with reference to this document, the share of Russian and Eurasian software at significant KII facilities in each industry should grow by 10% by the end of 2022 compared with the end of August. By the end of 2023, this share should exceed the initial figure by 40%. And over the period 2024-2027, all software at CII facilities should become 100% domestic.

Foreign software procurement loophole closes

A representative of the Ministry of Digital Development reminded the newspaper that from January 1, 2025, state bodies and state-owned companies are prohibited from using foreign software at significant KII facilities (by presidential decree of March 30, 2022). He declined to clarify how the methodological recommendations will be implemented technically. Alexey Smirnov, chairman of the board of directors of BASEALT, explained that until the beginning of 2025 Russian companies can purchase foreign software in agreement with the government. Russian developers have enjoyed an advantage in public procurement since 2016, when the law "On import substitution" came into force, Smirnov recalled.

Previously, companies announced excessive functionality to weed out other software and obtain permission to buy foreign software, Roman Karpov, director of strategy and technology development at Axiom JDK of Bellsoft, told the publication.

"For example, it was stated that such and such an aircraft is needed, but in fact only the wing of the aircraft is used," he said by way of analogy.[4]

Mishustin instructed Ministry of Digital Development to establish requirements for the use of domestic ICT solutions in industries

Prime Minister Mikhail Mishustin instructed the Ministry of Digital Development of the Russian Federation to establish requirements for the use of domestic ICT solutions in industries. The press service of the Government of the Russian Federation announced this on September 23, 2022.

According to Mishustin's instructions, which he gave following the results of the strategic session held on September 13, 2022, the bill on the predominant use of domestic software, hardware and software systems, telecommunications equipment and electronic products should be submitted to the Cabinet of Ministers by November 1, 2022.

Mishustin Mikhail Vladimirovich

It is assumed that this document will establish requirements for the predominant use by all subjects of the critical information infrastructure of domestic software, software and hardware complexes, telecommunications equipment and electronic products (taking into account their readiness for mass implementation) at significant infrastructure facilities belonging to them. In addition, the bill should clarify the powers of industry departments in terms of classifying information systems as significant objects of critical information infrastructure.

"It is important for us to ensure technological independence from the foreign software in use and to stimulate demand for our products. This is very important in conditions of external pressure," Mikhail Mishustin emphasized in his speech at the strategic session.

As part of this work, by decision of the Government of the Russian Federation, 33 industrial competence centers were created, uniting more than 300 organizations. The most important niches and areas dominated by foreign software were also identified, and a pool of projects was formed whose implementation should achieve technological independence.[5]

The government has found a new way to speed up import substitution in the software sector - key IT systems will be attributed to CII

On September 13, 2022, Prime Minister Mikhail Mishustin announced government plans to accelerate the transition of companies to domestic software by including new IT systems in the list of critical information infrastructure (CII) facilities.

"We plan to classify all key types of systems and applications as critical information infrastructure. And for each of these positions, the Government will set a final deadline for the transition to Russian software," Mishustin said at a strategic session on import substitution of software on September 13, 2022.

The government has found a way to speed up the transition of organizations to Russian software

The Prime Minister described the software market as competitive, since Russian analogues already exist for 80% of foreign software, and in a third of the positions two or more domestic options are available. Business has confirmed a critical dependence on imports for about 400 types of corporate software, Mishustin said. He added that annual private sector spending on licenses, implementation and support amounts to about 200 billion rubles.

At the same time, the prime minister believes that it is important for Russia "not to recreate the current functionality of foreign software products, but to launch its own companies that fully meet the needs of companies." He also said that the products should be export-oriented, and demanded that the developments should not be inferior to their imported counterparts.[6]

Natalya Kasperskaya, chairman of the Association of Developers of Domestic Software Products, told Izvestia that it is also necessary to hear the opinion of the developers.

"The Ministry of Digital Development gathered the opinions of various industries about which software they lack. The industries wrote down their wishes. Unfortunately, these wishes have not yet been passed through the opinions of the participants in the software development industry. This happened because a strict deadline was set for submitting materials to the government, and most of the developers simply did not have time to respond," Kasperskaya explained.

Approved rules for the use of software on significant objects of critical information infrastructure

The Government of the Russian Federation approved the requirements for software used by authorities and state-owned companies at significant facilities of critical information infrastructure. In addition, the rules for coordinating the procurement of foreign and switching to domestic software have been approved. This was reported to TAdviser on August 26, 2022 in the Ministry of Digital Development of Russia.

Illustration source: ru-bezh.ru

The decree was prepared in pursuance of the Presidential Decree on measures to ensure the technological independence and security of the critical information infrastructure of the Russian Federation.

According to the approved requirements, only software included in the register of Russian or Eurasian software can be used at significant facilities of critical information infrastructure. Certain types of products must have a certificate confirming compliance with the requirements of the FSB and FSTEC of Russia.

At the same time, any purchase of foreign software must be agreed with the relevant branch ministry. For purchases over 100 million rubles, additional approval is also required from a commission that will be formed under the Ministry of Digital Development of Russia.

The Ministry of Digital Development of Russia will also monitor compliance by state-owned companies with the Rules for Coordinating Purchases of Foreign Software.

At the same time, ministries need to approve industry plans for the transition to Russian software at significant facilities of critical information infrastructure. On their basis, state-owned companies will have to form and approve individual transition plans.

The Ministry of Industry and Trade has developed a procedure for transferring critical infrastructure facilities to Russian software and equipment

The Ministry of Industry and Trade of the Russian Federation has developed a procedure for transferring critical information infrastructure (CII) facilities to Russian software and equipment. The corresponding draft government decree, developed by the department, has been published for public discussion.

According to the document, organizations will have to audit their KII facilities and develop a draft plan for the transition to "the predominant use of trusted software and hardware systems" - that is, those that include Russian electronic products and software located in the relevant registers of the Ministry of Industry and Trade and the Ministry of Digital Development.

The Ministry of Industry and Trade of Russia has developed a procedure for transferring KII facilities to PACS with domestic components.

The development, creation and maintenance of such PAC for CII will have to be carried out by a specially created scientific and production association (NPO). Its establishment will be provided for by the Government of the Russian Federation.

The draft transition plan will include a list of used radioelectronic products, telecom equipment and software, depreciation periods and validity of rights to software, as well as proposals for the transition to trusted PAC, domestic hardware and software and possible sources of financing.

According to Daniyar Iskhakov, Deputy Director of the Consulting Department of Innostage Group of Companies, the transition plans drawn up and published will give manufacturers of Russian electronic products the opportunity to assess the required volumes and their technical and functional characteristics. This will allow us to purposefully work on the release of the equipment necessary for the market, he said in a conversation with RSpectr.

The Ministry of Industry and Trade proposes that the transition of KII to software and hardware complexes (PAC) with Russian components be planned by April 2023. Monitoring of the transition of CII subjects to the predominant use of Russian software is planned to be assigned to the Ministry of Digital Development.[7][8][9][10]

Putin supported the ban on foreign software at non-state critical infrastructure facilities

On July 18, 2022, Russian President Vladimir Putin announced that he supports the ban on the use of foreign software at non-state critical information infrastructure (CII) facilities in the country. This ban was proposed by Deputy Prime Minister Dmitry Chernyshenko at a meeting of the Council for Strategic Development and National Projects.

"The proposals you have made will be supported. The draft decree is already being prepared and will be signed," Putin said.

Vladimir Putin

Chernyshenko noted that special conditions need to be defined for the use of existing foreign software while work on domestic analogues has not yet been completed. He also stressed that it is important "to avoid a situation where users mothball foreign solutions and continue to work on them without developing them." For this reason, the requirements for the use of domestic software should apply to all significant KII objects, and not only to those belonging to government agencies and state-owned companies.

The Deputy Prime Minister of the Russian Federation also pointed to another problem that needs solving: ensuring uniformity in the categorization of all significant CII objects, since it often happens that a company itself does not classify its important information systems as significant CII objects.

"Therefore, for each industry, the relevant federal department, together with the Ministry of Digital Development, the FSB and the FSTEC, must determine which types of information systems are to be classified as significant CII objects," said the deputy head of the Cabinet.

For these types of information systems, broken down by industry, the government will then be able to set deadlines for the mandatory replacement of foreign software with Russian software for all companies without restriction, Chernyshenko added.[11]

Putin banned the purchase of foreign software for critical infrastructure

On March 30, Russian President Vladimir Putin signed a decree[12] "On measures to ensure the technological independence and security of the critical information infrastructure of the Russian Federation" (CII), which states that:

  • from March 31, 2022, customers procuring under 223-FZ (excluding organizations with municipal participation) may not procure foreign software, including as part of software and hardware systems, for use at significant CII objects belonging to them, or procure the services necessary for the use of such software at those objects, without coordinating the purchase with the federal executive body authorized by the Government of Russia;
  • from January 1, 2025, state authorities and such customers are prohibited from using foreign software at their significant CII facilities.

Vladimir Putin signed a decree prohibiting organizations purchasing under 223-FZ from buying foreign software for critical infrastructure (photo: RIA Novosti/Mikhail Klimentyev)

By the same decree, Putin instructed the government to approve within a month:

  • requirements for software used by government agencies, customers at significant CII facilities belonging to them;
  • rules for approval of purchases of foreign software for the purpose of its use by customers at significant objects of CII belonging to them, as well as procurement of services necessary for the use of this software at such objects;

Within six months, the president instructed the government to implement a set of measures aimed at ensuring the predominant use of domestic electronic products and telecom equipment by KII subjects at their significant KII facilities, including to:

  • determine the terms and procedure for the transition of CII subjects to the preferential use of trusted software and hardware systems at their significant CII facilities;
  • ensure amendments to the legislation of the Russian Federation in accordance with this decree;
  • ensure the creation and organization of the activities of a research and production association specializing in the development, production, technical support and service maintenance of trusted software and hardware systems for CII;
  • organize training and retraining of personnel in the field of development, production, technical support and service maintenance of electronic products and telecom equipment;
  • create a monitoring and control system in this area.

Control over the implementation of these rules is also entrusted to the government.

The Ministry of Digital Development is preparing a mechanism to counter the sale of rights to Russian software abroad

The Ministry of Digital Development will work out the creation of mechanisms for countering and responding to the sale of rights to software products included in the register of domestic software to a foreign legal entity. This follows from a letter (available to TAdviser) by Deputy Minister of Digital Development Maxim Parshin, sent at the end of March to RUSSOFT, APKIT, ARPP "Domestic Software" and the Center for Import Substitution Competencies in ICT, from which prompt feedback on the initiative is expected.

Due to problems with imported software in Russia, factories, water utilities and oil pipelines may stand up

There are about 10-15 imported software products that are widely used by leading Russian industrial enterprises and whose restriction or loss of access carries critical risks. This was reported on March 22, 2022 by the IT company Zyfra.

For example, these are Aveva's Wonderware products in the area of manufacturing execution systems (MES) for continuous production. Zyfra's general director Igor Bogachev notes that they are used by most oil refining and metallurgical enterprises in Russia.

One of the popular products is Aveva's PI System data platform (originally developed by OSIsoft). If the vendor decides to revoke the licenses, the largest oil refineries in Russia will be left without a dispatching system, says Bogachev. Moreover, according to Zyfra, 90% of continuous production facilities in Russia use the PI System as the real-time database that collects industrial data and on the basis of which operational production management is carried out.

"Certain risks and errors associated specifically with this software system can essentially lead to the shutdown of most continuous production. We are talking about oil and gas, about metallurgy, and about power," said Zyfra's general director.

The problem of dependence of Russian industrial enterprises on foreign software is being worked out jointly with regulators and the industry

This includes Petroleum Experts products, which are widely used in the oil industry for integrated asset modeling and integrated hydrocarbon production planning.

Another example is SCADA-level data collection and control products. Thus, Transneft and Mosvodokanal use GE's HMI/SCADA iFIX: in the first case to control valves and oil pumps, in the second, water. These systems are critical. Their disconnection at Transneft could lead to a complete stop of oil and petroleum product transportation through the company's pipelines and the need to switch to manual local control, according to Zyfra.

If the same happened at Mosvodokanal, the risk would be interruptions in the water supply of many districts of the metropolis. In this case it is possible to switch to semi-automatic local control of processes, pumps and valves and restore the water supply, but this would require doubling the number of operators.

At most Russian refineries, according to Zyfra, DCS-class software (distributed control systems) from Honeywell, Emerson, ABB and Yokogawa is used for primary and deep oil processing units. Switching off the DCS shuts the units down, explains Zyfra's general director.

"The more engineering knowledge is embedded in the software, the more difficult it is to import-substitute," Igor Bogachev said in a conversation with TAdviser. "For example, various CAD/CAM systems or geological digital modelling systems are the most difficult for import substitution."

Some of the risks associated with the use of imported software, which have been discussed for more than a year, have already materialized. For example, SAP denied Power Machines support for its cloud platform, effectively blocking access to it, says Igor Bogachev. Other Western vendors began to restrict access to cloud services after the start of the special operation of the Russian Armed Forces in Ukraine.

Some customers reassure themselves that while cloud solutions can be switched off, software deployed on their own servers cannot be; but for critical systems the risks are not limited to a potential shutdown, Bogachev says. Any software, especially complex software, contains errors and needs constant support. The risk is that critical systems depend on a developer operating in other countries and other economies, and that a system which for some reason has started to work with errors cannot be fixed if the developer is unavailable. An in-house support service will not help much here, since it does not have the source code of the solutions.

Since the end of February, against the backdrop of the special operation of the Russian Armed Forces in Ukraine, many technology companies have withdrawn from Russia or announced restrictions on their activities in the country, including support services. The aforementioned Aveva made no such statements, but Schneider Electric, of which it is a division, announced in March the suspension of investments in Russia and of new projects in Russia and Belarus[13]. The suspension or termination of activities in Russia was also reported by the aforementioned GE, Honeywell and Emerson. ABB announced the suspension of orders from Russia.

Zyfra believes that it is now necessary, quickly enough and at the scale of both the country and each individual enterprise, to draw up an operational plan, if not for import substitution, then at least for reducing the risk that critical systems simply stop functioning, Bogachev said.

The problem of the dependence of industrial enterprises on foreign software is being worked out jointly with regulators and the industry. Thus, last week a meeting was held at the Ministry of Digital Development, attended by representatives of the authorities, the Competence Center for Import Substitution in the field of ICT, domestic industrial enterprises, including Rosatom and UEC, and software developers. The goal was to understand what to do and how quickly it is possible to move.

"The outcome should be initiatives for the targeted cultivation of domestic products to replace imported ones. For this, on the one hand, initiatives need to be born, and on the other hand, there must be budget funds," Bogachev told TAdviser.

According to Zyfra's estimates, 60% of Western industrial software can be replaced with ready-made Russian counterparts; the remaining 40% still has to be developed.

2021

The presidential administration criticized the project of transferring government agencies, banks and the defense industry to domestic IT solutions

As became known on November 17, 2021, the State Legal Administration (GPU) of the President criticized the project developed by the Ministry of Digital Development on economic measures to ensure the technological independence and security of critical information infrastructure (CII) facilities.

This document proposes a single deadline for the transition of CII to domestic equipment and software: January 1, 2023. The GPU noted that the draft presidential decree does not assess whether these requirements can be met within the specified period.


In addition, the initiative of the Ministry of Digital Development may contradict the Constitution, since the department proposes to impose import substitution on a wide range of persons, whereas their rights and freedoms may be restricted, for the purpose of ensuring the country's defense and state security, exclusively by federal law, according to the GPU.

Another point of criticism from the State Legal Administration of the President concerns the proposal to oblige the Government of the Russian Federation to approve the transition procedure and the requirements for software and equipment at CII facilities. The point is that it is the President who is authorized to determine the directions of state policy in the field of CII security, the GPU explained.

According to a Kommersant source in one of the banks, the GPU's criticism will help delay the adoption of the document, which hits all critical industries, from banks to metallurgists.

"There are many unresolved questions: what to do if the bank has 'self-written' software, and what if the software is outsourced? The transition period is very aggressive. It is possible, but it must be smooth, otherwise there will be a threat to security," the source said.

Raiffeisen Bank senior analyst Sergey Libin agrees that the Ministry of Digital Development wants to set a hard deadline for the transition of CII to Russian IT solutions. Such deadlines are probably linked to the authorities' desire to spur the development of the necessary software, he believes.[14]

The transfer of CII to Russian hardware and software may entail "unreasonable costs" of business and the state

The Russian Ministry of Economy criticized the Ministry of Digital Development's plan for import substitution at critical information infrastructure (CII) facilities. This became known on May 14, 2021.

"The draft act identified provisions that introduce excessive administrative and other restrictions and obligations for subjects of entrepreneurial and other activities or contribute to their introduction, as well as contribute to the emergence of unreasonable expenses of subjects of entrepreneurial and other activities or to the emergence of unreasonable expenditures of budgets of all levels of the budget system of the Russian Federation," the Ministry of Economy's response says.

The Ministry of Digital Development published the draft decree of the Government of Russia on February 2, 2021. Its public discussion lasted until March 1, 2021.

Among other things, the draft government decree prepared by the Ministry of Digital Development proposes analysing the foreign software and hardware in use at companies as of May 2021. The Ministry of Economy's response to the draft states that the criteria for such an analysis are "insufficiently defined."

The ministry also believes that these criteria do not take into account "the difference in the cost and delivery time of such software and equipment."

"In this regard, where equipment and software cannot be supplied within the necessary time, or only at a cost significantly exceeding that of the foreign analogue, the planned regulation can negatively affect the functioning of CII subjects both in terms of providing services to the population and in terms of the financial and economic activities of business entities," the Ministry of Economy's conclusion says.

The experts of the ministry propose to introduce such regulation not immediately, but in several stages, taking into account the timing of the supply of Russian equipment and depending on the importance of CII facilities.

"However, the criteria for such approval are not established either by the draft act or by other regulatory legal acts," the report says.[15]

Expenses of enterprises when switching to Russian IT solutions may exceed 1 trillion rubles

With the introduction of requirements for the mandatory transfer of IT systems of critical information infrastructure (CII) facilities to Russian software and hardware solutions, business costs may exceed 1 trillion rubles. This assessment was given by the President of the Russian Union of Industrialists and Entrepreneurs (RSPP) Alexander Shokhin in a letter sent to the head of government Mikhail Mishustin.

As RBC writes with reference to this appeal, its authors ask the Cabinet of Ministers to instruct the relevant departments to finalize, together with business, amendments to the legislation prepared by the Ministry of Digital Development and the mechanism for the gradual transition to Russian software.

Expenses of banks and enterprises when switching to Russian software may exceed 1 trillion rubles

A Ministry of Digital Development spokesman told the publication that since May 2020, the ministry "has been in constant dialogue with commercial companies" regarding the preparation of requirements for the transition to Russian software.

According to Shokhin, the Ministry of Digital Development imposes the same requirements on all owners of critical information infrastructure, even though these facilities are of differing importance for Russia's information security.

"For example, CII facilities at a nuclear power plant and in the mass services market (a private bank, a telecom operator, a clinic, the sale of transport tickets and others) have different security risk assessments for software and equipment, and also differ radically in their level of importance for the country's information security and its defense capability," said the head of the Russian Union of Industrialists and Entrepreneurs.

In addition, he pointed out that the Ministry of Digital Development's data on the availability of analogues of foreign equipment and software on the Russian market is at odds with reality. According to the Russian Union of Industrialists and Entrepreneurs, as of April 2021 only 49 out of 3827 positions of Russian electronic products could "theoretically" be used in production. The rest are either insufficient in quantity or do not allow uninterrupted and efficient operation of the industry.[16]

Penalties imposed for breaches of critical IT infrastructure protection

At the end of January 2021, the State Duma adopted in the first reading a bill developed by the Government of the Russian Federation on fines for violating the security requirements of critical information infrastructure (CII).

Thus, a maximum fine of 100 thousand rubles is introduced for violating the requirements for creating security systems for significant CII objects and ensuring their functioning, or the requirements for ensuring the security of significant critical information infrastructure objects established by federal laws and other regulatory legal acts adopted in accordance with them, if such actions (or inaction) do not constitute a criminal offense.

Fines are introduced in Russia for violating the protection of critical IT infrastructure

Violation of the "procedure for informing about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks," according to the text of the bill, will threaten officials with a fine of 10 thousand to 50 thousand rubles, and legal entities - from 100 thousand to 500 thousand rubles.

In addition, for violation of the procedure for exchanging data on incidents between subjects of such infrastructure, foreign authorized bodies, international organizations and NGOs working in the field of responding to cyber threats, fines are provided for officials - from 20 thousand to 50 thousand rubles, for legal entities - from 100 thousand to 500 thousand rubles.

The explanatory note states that the current legislation on the security of the information infrastructure of government agencies, banks, industry and defense is not fully implemented, which poses a threat to its security.

In particular, it cites the example of the large-scale cyberattack of 2017, when a large amount of computer equipment at a number of state-owned companies was hit by the WannaCry ransomware. It took up to three days to restore the information infrastructure. The cause of the damage was non-compliance with the established requirements, including the requirement for timely software updates.[17]

The Ministry of Digital Development proposes to accelerate the transition of banks and fuel and energy complex to Russian IT solutions

On January 18, 2021, it became known that the Ministry of Digital Development of the Russian Federation proposes to bring forward by a year the transition of critical information infrastructure facilities to domestic solutions. These include the networks and IT systems of government agencies, as well as of state and private enterprises in the defense industry, power, the fuel and nuclear industries, transport, the credit and financial sector, etc.

Previously, the Ministry of Digital Development envisaged the migration of such facilities to the predominant use of Russian software by January 1, 2024, and of Russian equipment by January 1, 2025. The new draft decree of the President of the Russian Federation, published on the portal of draft regulatory legal acts, sets the deadlines at 2023 and 2024, respectively.

Ministry of Digital Development proposes to accelerate the transition of banks and fuel and energy complex to Russian IT products for a year

As the Ministry of Digital Development explained to the TASS news agency, the decision to change the deadlines was made on the basis of proposals received during the public discussion of the draft, including positions on the readiness of Russian developers to supply the economy with Russian solutions.

According to the draft, priority is given to the use of Russian software and/or equipment where relevant Russian analogues exist.

The switch to Russian software and equipment will be hardest for organizations whose significant CII objects are automated process control systems: these usually have a long and complex implementation cycle, Evgeny Druzhinin, a leading expert in CROC's information security practice, told Vedomosti. First of all, this applies to industries such as power, the fuel and energy complex, the metallurgical and chemical industries, and the nuclear industry, he said.

In 2020, the head of the Ministry of Industry and Trade Denis Manturov said that the share of Russian companies in the equipment market for critical information infrastructure is about 15-20%, mainly due to purchases for state needs.[18]

The Ministry of Digital Development has developed requirements for software and equipment for CII facilities

In January 2021, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation presented finalized requirements for software and equipment for critical information infrastructure (CII) facilities. The corresponding document is published on the federal portal of draft regulatory legal acts.

This draft government decree designates the Ministry of Digital Development and the Ministry of Industry and Trade as responsible for overseeing compliance with the draft order in terms of software and in terms of telecommunications equipment and electronic products, respectively.

The draft requirements are aimed at establishing the criteria that software, telecommunication equipment and electronic products must meet, as well as the conditions that are necessary for their use at CII facilities.

The Ministry of Digital Development presented the requirements for software and equipment for CII facilities

In addition, the document provides for the possibility of submitting lists of foreign software, telecommunication equipment and electronic products in use and/or planned for use whose analogues are absent from the unified register of Russian programs for electronic computers and databases, from the unified register of programs for electronic computers and databases of the member states of the Eurasian Economic Union, and/or from the unified register of Russian electronic products.

In a conversation with ComNews, Roman Bobryshev, head of the competence center for computing complexes at Technoserv, noted that this Ministry of Digital Development initiative should advance the process of transferring CII facilities to the predominant use of Russian IT solutions, if only because it sets out the procedure of actions to be carried out, and the timing will also be determined.[19][20]

2020

Business asked for a phased transition of banks and fuel and energy complex to Russian equipment and software

At the end of November 2020, the Russian Union of Industrialists and Entrepreneurs (RSPP) sent the Ministry of Digital Development its conclusion on the draft presidential decree on the transition of critical information infrastructure (CII) facilities to domestic software and equipment by January 1, 2024 and January 1, 2025, respectively.

The RSPP commission on communications and information and communication technologies considered this format wrong. Equipment is primary, so the proposed transition sequence will lead to inefficient costs: companies will be forced to install Russian software on existing imported equipment, and a year later transfer this software to new Russian devices and adapt it to them, the commission said in its conclusion, excerpts from which are cited by Kommersant.

Business asked for a phased transition of banks and fuel and energy complex to Russian software and equipment

The union notes that, as a rule, CII facilities use IT solutions from foreign manufacturers, which often have no analogues in Russia or are represented by domestic counterparts that are significantly inferior in functionality; therefore, the initiatives of the Ministry of Digital Development could lead to a halt in business processes and mass services in communications, Internet services, banking, medicine, etc. In addition, according to the Russian Union of Industrialists and Entrepreneurs, the bill in its current form could force businesses to change their investment plans. The conclusion cites data according to which one metallurgical company estimated the cost of installing Russian software and equipment at 10 billion rubles.

The transition period does not take into account the need to carry out such a large-scale restructuring in stages; it is both costly and risky, agrees Olga Molyarchuk, head of the IT consulting center at MDT Zyfra. In her opinion, the connectivity and consistency of domestic IT solutions and equipment have not yet reached the level of their global counterparts, which will require significant effort from businesses in selection and testing.[21]

Banks asked to transfer control over the transition to Russian software to the Central Bank

At the end of November 2020, it became known about the position of the Association of Banks of Russia (ADB) regarding control over the transition of credit institutions to domestic software. According to the organization, the Central Bank of the Russian Federation should oversee this issue, not the Ministry of Digital Development of the Russian Federation, since the department does not understand the specifics of the banking industry.

That the Ministry of Digital Development will be responsible for software import substitution at banks is stated in the draft presidential decree prepared by the ministry, which was published at the end of October 2020. In this case, control over data constituting bank secrecy may be lost, the ADB warned in letters sent to the Ministry of Digital Development, the Ministry of Economic Development, the Central Bank and the Ministry of Justice.

Banks asked to transfer control over the transition to Russian software to the Central Bank of the Russian Federation

According to the authors of the appeal, banks will lose the opportunity to use their own developed software that is not included in the register of domestic software. In addition, the draft decree establishes the timing of the transition to domestic software, not taking into account the fact that the register simply does not contain the programs necessary for bankers, the ADB said in a letter, excerpts from which are quoted by Vedomosti.

The Ministry of Digital Development also proposes to relax the unachievable deadlines for the transfer of critical information infrastructure (CII, which includes, among other things, the IT systems of banks) to domestic software and equipment, shifting them from 2021 to 2024-2025.

Developing complex software, especially in the banking sector, takes more time, Pavel Adylin, executive director of Artezio (part of the LANIT group), told Kommersant. Domestic companies face the task of catching up with, and ideally surpassing, the world leaders in software solutions within three years, he notes. The lag of equipment and software manufacturers behind the industry does not allow a super-fast transition, but the new deadlines are feasible, believes Vyacheslav Kasimov, head of the information security department at ICD.[22][23]

IT-Business asked Putin not to delay the transition of banks and fuel and energy complex to Russian software and equipment

As became known on November 20, 2020, the Association of Software Product Developers (ARPP) "Domestic Software" and the Association of Russian Developers and Electronics Manufacturers (ARPE) sent a letter to Russian President Vladimir Putin asking him to prevent the postponement of the transition to Russian software and equipment in industries with critical information infrastructure (CII).

According to the authors of the appeal, Russia is in difficult conditions of external sanctions and intense competition with the leading IT powers, "which creates an obvious threat to state security in the form of the loss of digital, and behind it national, sovereignty."

IT-Business asked the Russian government not to delay the process of switching banks to Russian software and equipment

According to RBC, the chairman of the board of ARPP "Domestic Software" Natalya Kasperskaya and the executive director of ARPE Ivan Pokrovsky point out that programs for the digitalization of the economy will be implemented precisely in the coming years, and if the transition to domestic software and equipment is postponed, "this will make not only the information technology industry but the economy and the public administration system as a whole dependent on foreign vendors." The authors admit that a rapid transfer of critical information infrastructure owners to Russian software and equipment carries the risks pointed out by the owners of such facilities. But the heads of the associations insist that "the growing risks of information security and technological dependence do not allow postponing the import substitution process."

The ARPP and ARPE called the decree prepared by the Ministry of Digital Development, with its three-year delay in introducing Russian solutions at CII facilities, the work of a number of market participants who want to continue purchasing and deploying foreign technologies.

The Ministry of Digital Development says that the department decided to extend the transition to domestic products after market participants expressed several concerns, including those related to:

  • a significant level of costs required for the transition;
  • the importance of maintaining continuity in transition conditions;
  • unwillingness of domestic software developers and hardware manufacturers to meet their needs.[24]

Banks asked the Central Bank to postpone the transition to Russian equipment and software

As became known on November 11, 2020, the Association of Banks of Russia (ADB) sent a letter to Central Bank Deputy Chairman Dmitry Skobelkin asking to postpone the mandatory transition of owners of critical information infrastructure (CII) to the predominant use of domestic software and hardware products.

According to RBC, the Ministry of Digital Development has already extended the transition from the beginning of 2022 to January 1, 2024 for software and January 1, 2025 for equipment. However, this, the association explained, will not be enough to fully replace 85% of the used IT solutions.

Banks asked the Central Bank of the Russian Federation to postpone the transition to Russian equipment and software

At the same time, in some categories of software and equipment on the market there are no Russian analogues that "provide the required functionality and information security," the letter says.

"The need for large-scale costs will inevitably affect the volume and quality of financial services provided by banks to the population and the real sector of the economy. We estimate that the reduction in banks' capital will lead to a reduction in lending of 5-7 trillion rubles, which will negatively affect the country's economy," the association stressed.

The ARB also asked the Bank of Russia to allow banks to use software and equipment they developed themselves without including them in the special register. Other proposals include simplified rules for entering the register for solutions developed by companies within banking groups and used only inside the bank. It is also proposed to entrust the Central Bank with monitoring import substitution processes in the financial market.

According to ARB Vice President Alexei Voilukov, the banks' new proposals were formulated following a survey of 28 credit institutions, nine of which are in the TOP-20 by assets. The Bank of Russia will study the new proposals, a representative of the Central Bank said.[25]

Reaction of the IT industry to the new timing of the transition of KII owners to Russian software and equipment

TAdviser surveyed representatives of the IT industry on the new deadlines for the transition of owners of critical information infrastructure (CII) to predominantly domestic software and equipment. On October 29, 2020, the Ministry of Digital Development submitted for public discussion a draft presidential decree according to which CII owners should switch to domestic software by January 1, 2024, and to Russian equipment by January 1, 2025.[26] The document also gives the government the right to approve the requirements for software and equipment used at CII facilities and the procedure for switching to Russian solutions.

In May 2020, the Ministry of Digital Development proposed that CII owners do this faster: switch to the predominant use of domestic software from 2021 and to Russian equipment from 2022. Although the deadlines have shifted, the majority of respondents surveyed by TAdviser still consider them too tough.

According to the draft presidential decree, CII owners should switch to domestic software by January 1, 2024, and to Russian equipment by January 1, 2025. (photo - attestation.ru)

The transition deadlines are quite short, and how realistic they are will depend on the financial capabilities of CII owners, said Alexander Buravtsov, security director at MyOffice.

"Most likely, the implementation of the new provisions will lead to an increase in the planned amount of costs. In addition, for system owners, the transition to the predominant use of Russian software and equipment is fraught with a number of difficulties that may be caused by the lack of domestic analogues or of the necessary functionality. In the process of piloting and trial operation of new equipment and software, CII companies may also experience errors and malfunctions of their systems. Moreover, restructuring to new solutions will be required not only for the main activity, but also for security systems," Alexander Buravtsov told TAdviser.

The transition procedure presented by the Ministry of Digital Development, in his opinion, leaves CII owners the opportunity to justify the need to use foreign equipment and to purchase foreign software. This will undoubtedly affect the implementation of state programs and national projects aimed at developing domestic solutions.

"The term 'predominant use of Russian software and equipment' also leaves ambiguity: the text of the documents does not define the criteria for meeting such an indicator, which causes misunderstanding among CII owners. The same applies to the possibility of using software and equipment that are not included in the registers of domestic software and equipment," said Alexander Buravtsov.

In addition, according to him, the requirements oblige the subjects of the CII to provide the possibility of modernization, warranty and technical support for deployed software and equipment by Russian organizations that are not under direct or indirect foreign control.

"Such measures will lead foreign vendors to create independent representative offices in Russia, which will be able to supply foreign solutions under the pretext of modernizing the existing technological base," said Alexander Buravtsov.

At the same time, in his opinion, the developed transition procedure can be called standard and it is familiar to market participants.

"Unfortunately, the transition procedure does not provide for a phased transfer of CII to domestic solutions; the document requires all work to be carried out at once," said Alexander Buravtsov.

According to Softline expert on the protection of critical information infrastructure Maxim Prokhorov, it will be difficult for most enterprises to completely rebuild the infrastructure without compromising the quality of work in the short time stated by the Ministry of Digital Development.

"Many organizations will have to replace up to 80% of their infrastructure, and this concerns not only information protection tools but other functional solutions as well. This requires a lot of labor, time and financial investment. The hardest situation is that of industrial enterprises with a technological segment, since for them it is very important to choose solutions that will not interfere with the operation of the APCS. Fortunately, Russian manufacturers of information protection tools have long paid attention to this segment and produce solutions that integrate well with the systems already operating at customers," Maxim Prokhorov told TAdviser.

He also drew attention to the fact that work on bringing information security infrastructure into line with Federal Law No. 187 at CII subjects began two years ago, and that industrial enterprises had previously faced the need to comply with FSTEC Order No. 31.

"At the initial stage, the work was carried out without regard to import substitution. Many large organizations managed to complete the stages of categorization and design of information security systems, and some had already moved on to procuring and implementing foreign solutions with FSTEC certification, or had passed compatibility tests. Today, these customers will be forced to redo part of the work," said Maxim Prokhorov.

At the initial stage, according to him, Softline recommends that its customers conduct a detailed audit and draw up a schedule for switching to domestic software and equipment.

Director of the Information Technology Department of "CROC" Maria Ukolova, speaking with TAdviser about the timing of the transition of subjects to the predominant use of Russian software and equipment, drew attention to the fact that "it seems that the period of 3 years has become a kind of standard for the government."

"The same period is established, for example, in the orders of the Ministry of Digital Development No. 334, 334, 486. Although it must be admitted that until now this was a target the regulator urged us to strive for. In principle, for small organizations, I think such a transition is feasible. For large companies, this time is clearly not enough: in three years they have only managed to deploy test stands. And the introduction of fines for violations of the KII requirements complicates the situation," said Maria Ukolova.

The most difficult thing to switch to the predominant use of Russian software and equipment will be for those subjects whose significant objects of CII are automated process control systems, since they usually have a long and complex life cycle. First of all, according to Ukolova, this applies to such industries as power, fuel and energy complex, metallurgical and chemical industries, and the field of atomic energy.

"The lack of an ecosystem of domestic software may be a difficulty. We see that many solutions are created in isolation from each other, which interferes with their mutual integration and conflict-free operation. KII is often associated with in-house or custom software development," said Maria Ukolova.

In addition, according to her, as part of the transition to the predominant use of Russian software, it will be necessary to recreate the corresponding systems already on domestic platforms.

"In this regard, I think that during the transition period it will be difficult to avoid the associated high costs, stretched development times, risks of failures and a decrease in productivity. Most likely, the banking sector will feel it most. And I really want to hope that in addition to the stick in the form of fines, a carrot will also be prepared for companies, for example, in the form of reducing the tax burden depending on the resources spent," said Maria Ukolova.

Building infrastructure and introducing Russian equipment into the existing IT system, when the old one is replaced with a new one, in her opinion, can also be difficult.

"Companies often have different hardware installed, and it requires reconfiguration, for example, connecting servers to a shared network. Configuring monitoring systems often causes difficulties. Let me emphasize that in this case we are talking about the Intel architecture. If all CII server equipment has to move to domestic processors, this will further complicate the work of the IT service, since it will also have to think about the compatibility of the software solutions in use with the new processor architecture," Maria Ukolova told TAdviser.

She also added that there are server and storage system manufacturers in Russia, from whose products CROC assembles production systems for customers.

"And, based on my work experience, I can say that, unfortunately, domestic equipment cannot yet be chosen for all tasks," Maria Ukolova told TAdviser.

At the same time, she drew attention to the fact that, since the majority of KII subjects, in accordance with the requirements of the 187-FZ, are at the stage of designing security systems for KII facilities, it should not be difficult for them to make a choice in favor of Russian-made means of protection.

"The situation is more complicated with replacing the components that implement the production functions of KII facilities, since this work requires a rather serious redesign and modernization of operating facilities," Maria Ukolova is sure.

First Deputy Managing Director of Lanit-Integration Oleg Golovko, in a conversation with TAdviser, noted that, at first glance, the timing of the transition of KII subjects to the predominant use of Russian software and equipment is quite objective.

"But if you look into the details, the following picture emerges. KII subjects have three years to implement the requirements. Companies will definitely need some time to prepare: to form a transition action plan, budgets, the relevant teams, etc. In an optimistic scenario, this may take about a year for companies in the SMB segment, not to mention large KII subjects. That leaves about two years to implement the requirements for the transition to domestic software. Such deadlines may not be enough. There is only one conclusion: if this presidential decree comes into force, there will be no time to dawdle, and you need to 'run' now," said Oleg Golovko.

The Ministry of Digital Development postpones the transfer of banks and fuel and energy complex to Russian software for 2025

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation intends to postpone the transition to mainly Russian software for owners of critical information infrastructure (CII) from 2021 to 2024, and to domestic equipment from 2022 to 2025. This is stated in the draft presidential decree published by the department. RBC referred to the document on November 2, 2020.

The previous deadline proposed by the Ministry of Digital Development is 2021 for the implementation of software and 2022 for equipment. The owners of the CII asked to postpone these deadlines.

Senior Vice President and Head of the IT Organization and Management Department at VTB Sergey Bezbogov called the proposal to postpone the transition to the preferential use of domestic software and equipment for owners of critical information infrastructure a "positive signal." But, in his opinion, implementing such a large-scale project within the new timeframe is "a difficult task."

The draft presidential decree, according to an explanatory note to it, was prepared by the Ministry of Digital Development in order to ensure the technological independence of critical information infrastructure. To do this, its owners must prioritize the use of Russian analogues of foreign software and equipment "if they allow, in terms of their technical characteristics, to fully" ensure the safety of facilities.

The owners of the CII must approve the plan for the transition to mainly domestic software and equipment by July 1, 2021. Foreign software and hardware products will be used only if there are no domestic analogues for them. The owner of the critical information infrastructure will have to coordinate the use of foreign software with the Ministry of Digital Development, and of foreign equipment with the Ministry of Industry and Trade.[27]

FSTEC signed a decree on the use of domestic software at critical infrastructure facilities

The order of the Federal Service for Technical and Export Control (FSTEC) on amending the Requirements for ensuring the safety of significant objects of the critical information infrastructure of the Russian Federation (CII) was signed and published on the official portal of legal information. This became known on September 16, 2020.

The changes are aimed at using mainly domestic software and equipment in the CII of the Russian Federation in order to ensure its technological independence and safety, as well as create conditions for the promotion of Russian products.

The changes relate to clarifying the conditions for choosing software and equipment used as part of significant objects of the critical information infrastructure, as well as the procedure for its adoption for operation at such objects.

The order was developed in pursuance of the president's instructions following the results of the special program "Direct Line with Vladimir Putin" on June 20, 2019.[28][29]

The Federation Council proposed that state corporations and state-owned companies be classified as objects of critical information infrastructure

The Federation Council proposed that state corporations and state-owned companies be classified as critical information infrastructure facilities. This became known on September 3, 2020.

The amendments to the federal law "On the Security of Critical Information Infrastructure" were sent to the Government of the Russian Federation for consideration. If the document is approved, then for companies with state participation the procedure for switching to domestic software and IT equipment, the degree of their required localization, as well as cases of complete bans on the use of foreign solutions, will be established. The changes to the legislation would take effect from January 1, 2021. As of September 2020, the package of amendments is being considered by the Ministry of Industry and Trade, the Ministry of Digital Development, Communications and Mass Media, and the Ministry of Justice of the Russian Federation.

The process of import substitution in state-owned companies has started, but it is regulated not by law, but by government directives. So, by January 1, 2021, enterprises must agree on plans to replace foreign licensed software until 2024. By this time, the share of domestic software should reach 60%. However, by the end of 2019, its share was only 10%.

The regulation of critical information infrastructure facilities, which includes state authorities, banks, transport, communications, healthcare facilities, is more stringent. President Vladimir Putin instructed to switch to the predominant use of domestic software on July 3, 2019, and FSTEC proposes to completely abandon foreign IT solutions at such facilities.

Experts believe that state-owned companies will have difficulties switching to Russian-made software, since the domestic software market often has no products that fully cover the functionality of foreign programs.[30]

Central Bank: banks' transition to Russian software should be postponed until 2025

On August 12, 2020, it became known that the Central Bank of the Russian Federation agreed with Russian banks on postponing the transition of the financial sector to Russian software. Meanwhile, the initiative of the Ministry of Telecom and Mass Communications envisages the transition to domestic software from 2021 and to domestic equipment from 2022.

"The Bank of Russia has considered the appeal of the Association of Banks of Russia on the issue of the planned transition to the priority use of Russian software and IT equipment at critical information infrastructure facilities and plans to send proposals to the Government of the Russian Federation and the Presidential Administration of the Russian Federation to postpone this transition by 4 years to 01.01.2025," the Association of Banks of Russia (ADB) said in a statement.

The Central Bank will also ask the government and the presidential administration to clarify the procedure for switching to the predominant use of Russian software and equipment, the document says.

The Central Bank of the Russian Federation believes that the transition of banks to Russian software should be postponed until 2025

The ADB claims that IT companies do not have enough capacity to implement a large-scale simultaneous transition of critical information infrastructure facilities to domestic software and equipment. Manufacturers will have to configure and refine software and equipment for the needs of credit institutions in a short time, which entails the risks of failures, errors and cybersecurity incidents.

Simultaneous replacement of all software and equipment "is considered extremely dangerous," as it can also lead to a malfunction of information systems, especially among banks whose services work around the clock seven days a week. Moreover, the replacement of IT equipment or proprietary software by banks is considered meaningless, since they meet all information security requirements and allow offering customers services and products "at the lowest price in the shortest possible time," according to the association.[31]

FSTEC has developed a standard for monitoring information security of CII

On August 11, 2020, the Federal Service for Technical and Export Control (FSTEC) presented a standard for monitoring information security of IT systems related to critical information infrastructure (CII).

As indicated in the explanatory note, the need to create the national standard GOST R "Information Protection. Information security monitoring. General provisions" stems from the need to control the information security of complex automated systems. The development of the standard covers the following measures:

  • analysis of safety events and other monitoring data;
  • monitoring of information security;
  • analysis and evaluation of information protection systems functioning;
  • periodic analysis of changes in data security threats in IT systems that occur during operation.

FSTEC presented the standard for monitoring information security of CII

It is noted that the standard does not establish requirements for software and software/hardware means of monitoring information security, nor for measures related to identifying computer incidents and responding to them.

The development of the CII cybersecurity standard is intended to:

  • create conditions for the performance of work and the provision of services for monitoring cyber protection of IT systems;
  • increase the effectiveness of the applied information security measures of CII subjects and other systems;

The FSTEC added that the development of the national standard GOST R "Information Protection. Information security monitoring. General Provisions" is carried out in accordance with the decision of the meeting of the "Information Protection" subcommittee of the technical committee for standardization (TK362) of May 17, 2018.

Earlier in 2020, Deputy Prime Minister Yury Borisov instructed to prepare amendments to the law "On the Security of the Critical Information Infrastructure of the Russian Federation," which will gradually replace the foreign equipment used at these facilities with Russian analogues.[32]

The Ministry of Telecom and Mass Communications of the Russian Federation accepts applications from the regions for subsidies to improve the safety of CII

On July 31, 2020, it became known that the Ministry of Telecom and Mass Communications of the Russian Federation announced the collection of applications from the regions for receiving subsidies for projects to improve the safety of CII in 2021.

State support will be provided from the federal budget to the budgets of the constituent entities of the federation to co-finance measures to ensure the sustainable operation of critical information infrastructure facilities.

The projects are financed within the framework of the draft federal budget for 2021 and for the planning period 2022 and 2023. To participate in the selection, the regions need to send an application to the information security department of the Ministry of Communications, prepared in accordance with the rules for the provision and distribution of subsidies and the procedure for conducting competitive selection, as well as a completed table with information about projects, by August 25, 2020.

The rules for providing grant support were approved by Decree of the Government of the Russian Federation No. 1497 of November 22, 2019, according to the Ministry of Telecom and Mass Communications.[33]

The transition of the banking sector to Russian software is estimated at 700 billion rubles

On July 24, 2020, it became known that the transition of the banking sector to Russian software could cost it more than 700 billion rubles. And the costs of individual banks, depending on their size and the scale of updating systems, can range from 90 million to 150 billion rubles. This assessment, together with IT companies, was made by the Association of Banks of Russia (ADB). The document was sent to the State Duma Committee on the Financial Market.

As Kommersant writes with reference to this letter, in only 1 out of 17 classes of software, the share of Russian software "exceeds 50% of use." In other cases, foreign software prevails, and in 10 classes its share is more than 90%. Own software in banks accounts for an average of less than 1.5%.

ADB estimated the transition to Russian software at 700 billion rubles

ADB estimated the costs of the banking system for the transition to domestic software at 5-7% of its own funds. The association believes that if such spending is incurred, it will affect lending volumes, which will decrease by 5-7 trillion rubles.

"The transfer of a complex, wide-functional software complex from one system stack to another (change of DBMS, operating system) is a project lasting two to three years," comments CFT Chairman of the Board Andrey Visyashchev.

He added that after new software is introduced, problems may arise with its performance, compatibility, scaling and reliability. Developing analogues of the software used by banks would also require from $1.5 million to $133.4 million.

ADB Vice President Alexei Voilukov believes that banks need about 5-7 years to switch to Russian software and equipment. ADB proposes to postpone the introduction of these requirements until 2027-2028.

VTB emphasizes that the proposed procedure for switching to domestic software is appropriate only for significant objects of the critical information infrastructure.[34]

The Association of Banks of Russia asks to postpone the transition to domestic software for 4 years

In mid-June 2020, it became known about a letter sent by the Association of Banks of Russia (ADB) to Prime Minister Mikhail Mishustin. It contains a request to postpone the transfer of critical information infrastructure (CII) to domestic software by four years.

According to bankers, the requirements developed by the Ministry of Telecom and Mass Communications "do not take into account the risks of large-scale interruptions in the functioning of KII facilities," and some points "in some cases are practically impossible."

Bankers warned that many points in the requirements for critical information infrastructure look not only too complex, but technically impossible

According to the draft presidential decree and government decrees developed by the Ministry of Telecom and Mass Communications, owners of critical information infrastructure (CII) will be required to use Russian software from January 1, 2021, and Russian equipment from January 1, 2022.

VTB Bank noted that in six months it is impossible to analyze, test, purchase and implement new solutions without the threat of serious problems. The bank indicated that the current equipment and software was chosen as the most optimal and integrated into business processes, which took a significant share of profits over many years.

According to ADB, to replace all software and IT equipment, banks will have to spend more than 700 billion rubles at a time, and taking into account the timing, this amount may increase even more. And even so, as the letter says, "the average replacement time, taking into account the continuity of operations and the constant transaction load of credit institutions, will be at least three years."

The transition of Russian banks to domestic software may take 5-7 years, said Dmitry Marinichev, representative of the Presidential Commissioner for the Protection of the Rights of Entrepreneurs in the Internet.

According to him, for the uninterrupted functioning of the banking system, the developers of domestic software will have to solve the issue of not transformation, but the smooth flow of one system into another.[35]

The financial sector opposed the transition to Russian software

On June 8, 2020, it became known that the Association of Electronic Money and Money Transfer Market Participants (AED) sent a letter to the Ministry of Communications, in which it opposed the transfer of financial organizations to Russian software.

The AED believes that financial organizations will have to allocate 30% or more of their own funds for migration to domestic software, which includes expenses for licenses and equipment, employee training and integration costs. And this will negatively affect the strength of the banking sector in the face of falling profits.

The Ministry of Telecom and Mass Communications is asked to finalize the procedure for switching to domestic software

AED participants noted that the proposed dates for the transition to domestic software from 2021 and equipment from 2022 should be adjusted, taking into account "the real level of risks for different infrastructure facilities, as well as the potential impact of new requirements on the stability of the provision of financial services."

The authors of the appeal argue that some widely used software products have no domestic analogues, since Russian developers have no incentives to create paid applications. According to AED participants, credit institutions use open source software, which is distributed free of charge, but is imported.

According to Kommersant, the National Council of the Financial Market also asks to postpone the transition: according to preliminary estimates, replacing software and equipment in medium-sized organizations will entail costs of several billion rubles, in large ones - several tens of billions.

Oksana Borisova, partner in the IT consulting group at KPMG in Russia and the CIS, considers it unrealistic to transfer banks to Russian software, given that data transfer and its testing usually take from one to several years.[36]

The Ministry of Telecom and Mass Communications proposed the timing of the transition of critical infrastructure to domestic software and equipment

On May 20, 2020, it became known that the Ministry of Telecom and Mass Communications proposes to oblige owners of critical information infrastructure (CII) to switch to the predominant use of Russian software from 2021, and equipment from January 1, 2022. Such deadlines are indicated in the draft presidential decree, which the department sent for approval to the Ministry of Industry and Trade, the FSB and the FSTEC.

According to the document cited by RBC, KII owners are to be allowed to use only software from the registers of Russian software and software produced in the EAEU, and only equipment listed in the register of Russian radio-electronic products, except in cases where foreign products have no domestic analogues.

Banks and industry will be given six months to switch to Russian software

If foreign software and equipment are retained, Russian organizations that are not under the direct or indirect control of foreign companies or citizens will have to be responsible for its technical support and modernization.

The authorities must approve the procedure for switching to domestic equipment and software by September 2020.

The office of Deputy Prime Minister Yuri Borisov, who oversees the defense industry, noted that it supports the initiative of the Ministry of Communications.

"The document itself has not yet been seen," a representative of the Deputy Prime Minister told RBC.

Experts interviewed by the publication agreed that switching to domestic software and equipment takes not six months but several years. However, abandoning foreign software and hardware should not come as a surprise to the owners of KII, as this has been discussed for a long time, said Andrei Zaikin, a representative of CROC.

According to Elena Bocherova, executive director of Akronis Infozashchita, the adoption of the project in its current form "may mean a qualitative turn in the import substitution program, as it will go beyond the existing criteria, which affect mainly government agencies and some state-owned companies, to entire sectors of the economy."[37]

Elvis-Plus offered a secure solution for remote access to CII objects

On May 12, 2020, ELVIS-PLUS introduced a secure solution for remote access to critical information infrastructure facilities, which includes:

Astra Linux has developed instructions for organizing a secure "remote" for CII using Astra Linux SE

On March 27, 2020, the Astra Linux company announced that, in connection with the spread of coronavirus, it has developed instructions that will help users of the Astra Linux Special Edition OS (Smolensk release, with special-purpose tools, "OS SN") set up remote operation and ensure the security of CII facilities in accordance with the recommendations of FSTEC of Russia. Read more here.

FSTEC explains how to ensure the safety of remote work for employees of CII subjects

On March 26, 2020, it became known to TAdviser that the Federal Service for Technical and Export Control had published a number of recommendations[38] for CII subjects on ensuring the security of critical information infrastructure facilities in the context of the COVID-19 coronavirus pandemic.[39] These recommendations relate entirely to the remote work of employees of organizations related to CII.

Federal Service for Technical and Export Control of Russia

As rightly stated in the recommendations, remote access of workers to critical information infrastructure facilities creates some risks. In particular, there are threats of unauthorized access and influence on objects related to CII.

The FSTEC publication directly states that it is unacceptable to provide remote access for any control of the operating modes of industrial or technological equipment of automated production and process control systems at critical information infrastructure facilities.

In other cases, it is recommended to centrally issue computer equipment to employees moving to remote work, through which they can access work information, having first inventoried it, equipped it with antivirus tools and ensured that its MAC addresses are identifiable on the servers of CII facilities.

Access to work resources from such devices should be implemented using the "white list" method and only through VPN connections. It is not recommended to give employees access from personal devices. Moreover, it is proposed to block the installation of third-party software on the issued computer equipment (SVT).

FSTEC also advises determining the list of information and information resources (programs, volumes, directories, files) located on the servers of critical information infrastructure facilities to which remote access will be provided at all, and assigning the minimum necessary rights and privileges to users moving to remote work.

It is strongly recommended to exclude the possibility of use of the remote computer equipment by unauthorized persons, and to implement two-factor authentication for employees using remote SVTs so that one of the factors is provided by "a device separated from the critical information infrastructure object to which access is being made."

Among the other recommendations: forming a separate domain for such employees, which should be managed from the servers of the critical information infrastructure subject, and assigning a network (domain) name to each remote SVT; as well as monitoring the security of CII facilities, keeping logs of the actions of remote SVT users and analyzing them, and blocking a remote access session if the user is inactive for more than a set time.

It is also recommended - however, without any specifics - to ensure the ability to promptly respond and take measures to protect information in the event of computer incidents.
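One way to turn the FSTEC recommendations above (allowlisted, inventoried corporate devices; VPN only; two-factor with a separate-device factor; no remote control of the technological segment; minimum rights; idle timeout; an action log) into an automated session check. This is an added example and not part of the original article or of any FSTEC document; the domain name, the 15-minute idle limit, the resource names and the inventory and session records are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed values for this example; a real CII subject's domain, idle limit
# and resource list are its own and are not given on the page.
REMOTE_DOMAIN = "remote.example.local"      # separate domain for remote employees
IDLE_LIMIT = timedelta(minutes=15)           # the "set time" after which a session is blocked
REMOTE_ALLOWED = {"fs/projects", "mail", "crm/reports"}   # resources remote access may reach at all
APCS_PREFIX = "apcs/"                        # technological segment: never remotely controllable


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str        # network (domain) name assigned to the remote SVT
    domain: str
    corporate: bool      # False means a personal device
    inventoried: bool
    antivirus: bool


@dataclass(frozen=True)
class Session:
    user: str
    mac: str
    via_vpn: bool
    factors: tuple       # authentication factors presented, e.g. ("password", "otp@separate-device")
    resources: frozenset # resources the session requests
    last_activity: datetime
    now: datetime        # time of this evaluation


def check_session(session, inventory, allowlist, user_rights, idle_limit=IDLE_LIMIT):
    """Return the list of policy findings for one remote session.
    An empty list means every check passed; a non-empty list is what the
    monitoring centre logs and, for blocking findings, acts on."""
    findings = []
    dev = inventory.get(session.mac)
    # 1. Centrally issued, inventoried corporate device in the separate remote domain
    if dev is None:
        findings.append(f"device MAC {session.mac} is not in the inventory")
    else:
        if not dev.corporate:
            findings.append("access from a personal device is not recommended")
        if not dev.inventoried:
            findings.append("device has not been inventoried")
        if not dev.antivirus:
            findings.append("device lacks antivirus tools")
        if dev.domain != REMOTE_DOMAIN:
            findings.append(f"device is not in the separate remote domain {REMOTE_DOMAIN}")
    # 2. MAC must be identified on the CII servers ("white list")
    if session.mac not in allowlist:
        findings.append(f"MAC {session.mac} is not allowlisted on the CII servers")
    # 3. VPN only
    if not session.via_vpn:
        findings.append("connection is not over VPN")
    # 4. Two factors, one of them from a device separate from the accessed object
    separate = [f for f in session.factors if f.endswith("@separate-device")]
    if len(session.factors) < 2 or not separate:
        findings.append("two-factor authentication with a separate-device factor is required")
    # 5. No remote control of the technological (APCS) segment at all
    apcs = sorted(r for r in session.resources if r.startswith(APCS_PREFIX))
    if apcs:
        findings.append(f"remote control of APCS resources is prohibited: {apcs}")
    # 6. Least privilege: only pre-approved remote resources, and only the user's own rights
    outside = sorted(session.resources - REMOTE_ALLOWED - set(apcs))
    if outside:
        findings.append(f"resources not on the remote-access list: {outside}")
    beyond = sorted((session.resources & REMOTE_ALLOWED) - user_rights.get(session.user, frozenset()))
    if beyond:
        findings.append(f"user {session.user} lacks rights for: {beyond}")
    # 7. Idle timeout
    if session.now - session.last_activity > idle_limit:
        findings.append("idle limit exceeded: block the session")
    return findings


def audit_line(session, findings):
    """One log line per evaluation, for the action log that is to be kept and analysed."""
    verdict = "ALLOW" if not findings else "DENY"
    return f"{session.now.isoformat()} user={session.user} mac={session.mac} verdict={verdict} findings={len(findings)}"


# Constructed inventory, allowlist, rights and sessions for the demonstration
INVENTORY = {
    "00:11:22:33:44:55": Device("00:11:22:33:44:55", "rmt-001", REMOTE_DOMAIN, True, True, True),
    "66:77:88:99:aa:bb": Device("66:77:88:99:aa:bb", "laptop-home", "WORKGROUP", False, False, False),
}
ALLOWLIST = {"00:11:22:33:44:55"}
USER_RIGHTS = {"ivanov": frozenset({"fs/projects", "mail"}), "petrov": frozenset({"mail"})}
T0 = datetime(2020, 3, 26, 10, 0, 0)

GOOD = Session("ivanov", "00:11:22:33:44:55", True, ("password", "otp@separate-device"),
               frozenset({"fs/projects", "mail"}), T0, T0 + timedelta(minutes=5))
BAD = Session("petrov", "66:77:88:99:aa:bb", False, ("password",),
              frozenset({"apcs/turbine-ctl", "crm/reports"}), T0, T0 + timedelta(minutes=40))

if __name__ == "__main__":
    for s in (GOOD, BAD):
        found = check_session(s, INVENTORY, ALLOWLIST, USER_RIGHTS)
        print(audit_line(s, found))
        for line in found:
            print("  -", line)
```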

"All the FSTEC recommendations on ensuring the security of remote work are, on the one hand, not new, and on the other, universal. In fact, this is a compilation of best practices tested both in Russia and in the West. They are quite suitable for use not only during a pandemic and not only in relation to critical information infrastructure facilities. Ideally, these recommendations should be followed by any business in which at least some of the employees work remotely. In addition, critical information infrastructure subjects 'are recommended to be guided by the recommendations of the National Coordination Center for Computer Incidents and of information security monitoring centers holding the appropriate FSTEC of Russia licenses on computer attacks in the context of the spread of coronavirus infection, including those posted on the web resource safe-surf.ru.'"

FSTEC sent similar recommendations to the federal executive bodies.

Putin instructed the FSB to pay special attention to the protection of critical IT infrastructure

Russian President Vladimir Putin instructed the FSB to pay special attention to the protection of critical IT infrastructure. The head of state spoke about this at an expanded meeting of the board of the department, which took place on February 20, 2020.

In particular, Putin asked the FSB to focus on protecting the computer systems of authorities, state electronic services, telecom operators, banking organizations and large companies, to expand the capabilities of the state system for detecting, preventing and eliminating the consequences of computer attacks.

Putin ordered the FSB to pay special attention to the protection of the IT systems of the authorities

"Now in a number of countries special centers have already been created for such actions, and strategies for the preventive use of cyber means are being developed. With the rapid development of digital technologies, the power of such information weapons will certainly only increase. We need not just to take this into account, but to proactively build our work to protect the interests of Russia accordingly," the president said.

He also noted that control over security in the development of 5G technologies and satellite communications should be transferred to the FSB.

In addition, Vladimir Putin drew attention to the importance of strengthening Russia's authority as a reliable international partner in the field of information security, primarily through the development of cooperation with other countries and organizations. A significant contribution to this should be made by the National Coordination Center for Computer Incidents (NCCCI), which was created in 2018, he stressed.

Among other things, the Russian leader noted the demand for the resources of "an international data bank on countering terrorism, to which seven more special services of foreign states and one specialized body of an international organization joined last year."[40]

2019

The Ministry of Economic Development proposes to transfer banks, oil and energy facilities to Russian software and equipment

On November 1, 2019, it became known about the proposal of the Ministry of Economic Development to prohibit the use of foreign software and equipment in critical information infrastructure (CII) systems, including communication networks of banks, transport, oil and energy facilities.

This is stated in a letter from Deputy Minister of Economy Azer Talybov sent to the collegium of the Military-Industrial Commission of Russia, the Federal Service for Technical and Export Control (FSTEC) and the Ministry of Telecom and Mass Communications.

The authorities want to oblige banks and fuel and energy complex to use Russian IT solutions

Talybov proposed supplementing the law "On the Security of CII" with a provision obliging owners to use only Russian equipment and software, as well as prohibiting foreign companies from "providing interaction" with the networks and IT systems of critical infrastructure.

The deputy minister also stated the need to consolidate at the legislative level the provision that legal entities that ensure the interaction of networks and critical infrastructure systems should have the ultimate beneficiaries of Russian citizens without dual citizenship. Similar requirements are expected to apply to individual entrepreneurs interacting with CII facilities.

"This approach will reduce the level of access of foreign states and foreign citizens when servicing and developing critical information infrastructure facilities," he said.

Cisco information security consultant Alexey Lukatsky says that, according to the FSB and FSTEC, about 1 million CII facilities operate in Russia, each of which consists of tens or hundreds of computers or other types of devices. According to experts, Russian manufacturers do not have the capacity to replace foreign software and equipment at so many facilities.[41]

Data on cyber attacks on critical facilities in the Russian Federation leak abroad

Russian companies, whose duties include the management of critical infrastructure facilities, without the knowledge of the FSB, share data on cyber attacks with foreign colleagues. This was announced on Thursday, June 27, by RBC with reference to the materials of the Federal Service for Technical and Export Control (FSTEC), which in turn refers to the FSB. Read more here.

FSTEC and FSB will introduce responsibility for violation of requirements for the critical IT infrastructure of Russia

On March 26, 2019, the Federal Portal of Draft Regulatory Legal Documents posted a notice of the beginning of the development of the draft federal law "On Amendments to the Code of Administrative Offenses of the Russian Federation (regarding the establishment of liability for violation of requirements for ensuring the safety of CII facilities)." Read more here.

The construction of the "sovereign Runet" has risen in price by 10 billion rubles

The implementation of the sovereign Russian Internet project will require more investment than the authors of the initiative stated. According to the updated Passport of the federal project "Information Security," published on the website of the ANO "Digital Economy," the cost of this project will grow by 10 billion rubles compared to the previously announced amount.[42]

The publication of the updated Passport is the first official estimate of the cost of security of the Russian Internet. Earlier, this information was not freely available, and for the first time it became known about very approximate amounts only in early February 2019 from a statement by one of the authors of the initiative, Senator Andrei Klishas. According to him, the amount of investments in the project would exceed 20 billion rubles, without more accurate figures.

According to new estimates, the cost of ensuring the security of the Runet will exceed 30 billion rubles. (about $500 million at the Central Bank rate as of March 26, 2019). In total, the implementation of the projects listed in the new version of the Passport will require about 50 billion rubles.

FSTEC proposes to prohibit the processing abroad of information related to the CII of Russia

On March 6, 2019, the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) published on the Federal Portal of Draft Regulatory Legal Acts a draft amendment to Order No. 239 "On Amendments to the Requirements for Ensuring the Safety of Significant Objects of the Critical Information Infrastructure of the Russian Federation." Read more here.

Elements of the critical civil infrastructure of the Russian Federation were placed in a test virtual machine for 5 thousand rubles

The heating system of an entire region of Russia turned out to be directly dependent on the functioning of a single test virtual machine rented for a pittance from a large cloud provider. This is the conclusion that follows from a post on the social network Facebook made on January 28, 2019 by LanCloud development director Sergey Erin.

"When someone takes a virtual machine for 5,000 rubles on a trial in your cloud, puts a boiler-house control system in it, does not even write down the support phone number, and then they find you on social networks and say that the VM has hung, and today you have every chance of getting onto Channel One in prime time as the culprit of freezing the population of a whole region," Erin wrote, attaching a screenshot of correspondence with a representative of a certain organization, apparently responsible for the operation of heating systems in a large area.

Screenshot of a fragment of Sergey Erin's correspondence on Facebook with an unnamed client

Erin's interlocutor, whose name and avatar are carefully obscured in the screenshot, asks to urgently restore the server's operability, since it "contains programs that are responsible for the performance of boiler houses in many settlements" (author's punctuation), and complains that if the "central dispatch center does not receive operational data from the server," the consequences will be "very bad": the damage will run to millions and tens of millions of rubles.[43]

In a conversation with a TAdviser correspondent, Sergey Erin categorically refused to name the client with whom he communicated, citing a confidentiality agreement and ethical considerations.

He also noted that all information can only be perceived as "very conditionally reliable."

But if we proceed from the fact that an unnamed client really did install boiler-house management systems in a test virtual environment, then we are talking at the very least about a critical violation of the most basic security rules for critical systems.

"The first thing to note is that LanCloud is responsible exclusively within the framework of the user agreement, if any, and the possibility of using test servers for critical infrastructure objects is definitely not spelled out there," said Dmitry Gvozdev, CEO of Information Technologies of the Future. "And all other questions are related to incompetence or a pathological desire to save money. Most likely, the situation is not unique, since there are no real mechanisms for tracking 'initiatives on the ground,' and until the problems arise, no one will know anything, and our domestic 'maybe' can hide many similar situations."

Erin's post gathered a significant number of bitter or mocking comments about the "effective managers" making such decisions.

The day after the TAdviser publication, Sergey Erin told the publication that:

  • "The screenshot with the indicated conversation was taken about 2 years ago, and at the moment everything described is not relevant. So that no one panics and tries to project these events onto any current problems."

  • "You need to understand that the words of the Customer in the screenshot cannot be verified in any way, because we, as a service provider, do not have information about what is actually placed inside the virtual machines of clients. And with a high degree of probability, the client could simply have 'come up with' these arguments in order to prioritize the handling of his request."

  • "And the last thing, so that there is no speculation either: please remove from the screenshot on your site the part of the text 'and today you have every chance of getting onto Channel One in prime time as the culprit of freezing the population of a whole region,' since I inform you that the Client himself did not write this; this is my personal sarcastic conclusion made on the basis of the criticality of the problem described by the client. This part of the text is ambiguous and can be perceived as the client's words addressed to me. Actually, from the screenshot of the correspondence with the client it is clear that he did not write this."

  • He deleted his post on the social network Facebook "only because after the publication of the news, speculation arose around this post that some regions are freezing somewhere right now due to the described event, and people turn to me for clarification and the search for those responsible, although I have nothing to do with it. I would also like to note that the purpose of the post was not to draw public attention to the problem (which most likely does not exist), but rather to show what potential risks and responsibilities may arise for us, as a cloud provider, even with customers for such small amounts as 5,000 rubles/month."

2018

4.3 billion cyber attacks on Russian CII recorded

In 2018, 4.3 billion cyber attacks on the critical information infrastructure (CII) of the Russian Federation were identified; this became known on December 12, 2018 from Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents. The expert noted that more than 25 million malicious actions were carried out against the information infrastructure of the Russian World Cup alone.

In December 2017, the FSB, within the framework of the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (State system of detection, prevention and elimination of consequences of computer attacks), created the technical infrastructure of the National Coordination Center for Computer Incidents (NCCCA).

Representatives of FSTEC stated that in 2019 it is planned to move to the stage of building a security system, within the framework of the measures prescribed by Law 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation." Deputy Director of FSTEC Vitaly Lyutikov said that the inventory and categorization of objects falling under 187-FZ is underway: only 500 objects have passed the procedure, and corresponding work is underway for another 25 thousand. According to him, out of 13 industries, power, the fuel and energy complex, the military-industrial complex and medicine are the most active, and telecom and banks the least. In 2019 the categorization process was planned to be completed, after which the next stage, the construction of a security system, would begin.

According to Nikolai Murashov, computer attacks, their sources and consequences have recently been discussed frequently in foreign media. Western media are actively consolidating the thesis in public opinion that the Russian Federation is behind most of the attacks and interferes in the political processes of other countries, including electoral ones. At the same time, the accusations are not confirmed by any reliable technical data that could be analyzed by experts. Also, according to Nikolai Murashov, foreign sources of information prefer not to remember that the information space of Russia is an integral part of the global one and, as a result, shares all its problems. The information space of the Russian Federation is the target of sophisticated and well-organized computer attacks. Methods and means for preparing them are constantly being improved. Effective counteraction to these attacks is possible only within the framework of joint efforts of all interested parties, first of all the national bodies authorized to detect and prevent them.


According to Nikolai Murashov, in many countries, including the United States, Great Britain and France, more than 40 large firms that develop malware are involved in the multi-billion dollar business.

"The number of cyber attacks on critical information infrastructure has increased. This is due, on the one hand, to the differing level of security of objects, and on the other, to the availability of information, when tools and information for committing attacks can be found in the public domain."

Evgeny Goncharov, Head of ICS CERT at Kaspersky Lab:

"In the coming years, we will see an increase in the number and diversity of threats. This is due to two factors. Firstly, an increase in the number of automation systems and, as a result, of control and information transmission channels inside the technological facility and connecting the facility with other facilities and the outside world, including via the Internet, as well as an increase in the variety of automation tools at the enterprise, which increases the attack surface and the complexity of protecting industrial enterprises. Secondly, an increase in the number of organizations and persons with direct or remote access to automation systems, which expands the capabilities of attackers in organizing and conducting attacks."

"Soon we will see attacks with a political coloring, both cyber espionage operations and sabotage. In the latter case, the attackers' priority targets are industrial enterprises and critical infrastructure. With a high degree of probability, hacking of cloud services is possible. We do not exclude that in 2019 a large CERT or SOC center will become a victim."

How Russia's critical infrastructure is attacked for profit

Several organizations related to Russia's critical infrastructure have undergone a series of cyber attacks, SecurityWeek reported on December 11, 2018. And if at first the security experts who studied them suspected that it was a cyber campaign organized by some unfriendly intelligence service, further research showed that the attackers most likely acted out of purely commercial interests.

The targets of the attacks were Rosneft and two dozen other large Russian organizations, including those belonging to such strategic industries as oil refining, gas and chemical industries, agriculture, etc. The attackers also tried to attack several large Russian exchanges.

To carry out the attacks, sites were created that were almost indistinguishable from the legitimate web resources belonging to the above organizations. The domain names of the fakes could differ from the genuine ones by only one letter. Documents containing malicious code were distributed from the fake sites. As experts established, it was a variation of the RedControl malware, which opens a backdoor in the target system and allows confidential information to be exfiltrated.

Attack research was carried out by Cylance. Its experts drew attention to the fact that most of the affected organizations are somehow controlled by the Russian government, and suggested that we are talking about a politically motivated cyber campaign. However, the longer the research was carried out, the more Cylance specialists were convinced that we were talking about "ordinary" crime that had no political background.

How successful the attacks were, Cylance does not undertake to judge, since none of the attacked organizations is a client of the company. However, experts found that the campaign lasts at least three years.

Most likely, this is a form of fraud known as Business Email Compromise (BEC). Attackers first collect data about specific persons using keyloggers, then conduct reconnaissance among the employees of the organization with whom the first victim is in contact, and then try to lure new victims to their fake sites in order to collect additional information and access credentials.
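A defensive check for the one-letter lookalike domains and BEC lures described above, added here as an illustration and not taken from the page, Cylance or Group-IB: it extracts sender and link domains from a message and flags any whose registrable name is within edit distance 1 of a watch-list of legitimate domains, after folding common look-alike character substitutions and treating a same-name, different-TLD registration as a lookalike. The watch-list, the substitution table and the sample message are constructed.

```python
"""Flag lookalike (typosquat) domains in a message against a watch-list.

Added example with constructed data; the domains below are stand-ins, not
the organizations named in the incident on the page.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed table of substitutions attackers commonly use to mimic a name.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}

# Matches the host part of a URL (https://host/...) or of an e-mail address.
DOMAIN_RE = re.compile(r"(?:https?://|@)([a-z0-9.-]+\.[a-z]{2,})", re.I)


def normalize(label: str) -> str:
    """Fold look-alike substitutions so 'example-c0rp' compares as 'example-corp'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Strip subdomains, keeping the last two labels.

    Simplification: this is wrong for multi-label public suffixes such as
    co.uk; a real deployment would use the Public Suffix List.
    """
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str, watchlist: Iterable[str],
             max_distance: int = 1) -> tuple[str, str | None]:
    """Return ('legit', match), ('lookalike', match) or ('unknown', None)."""
    watch = list(watchlist)
    reg = registrable(domain)
    if reg in watch:
        return "legit", reg
    name = reg.rpartition(".")[0]
    best: tuple[int, str] | None = None
    for legit in watch:
        legit_name = legit.rpartition(".")[0]
        # Distance 0 here means the same name under a different TLD,
        # which is also a classic lookalike registration.
        d = levenshtein(normalize(name), normalize(legit_name))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, legit)
    return ("lookalike", best[1]) if best else ("unknown", None)


def scan_message(text: str, watchlist: Iterable[str]) -> list[tuple[str, str, str | None]]:
    """Classify every distinct domain found in the message, in order of appearance."""
    watch = list(watchlist)
    seen: set[str] = set()
    results = []
    for m in DOMAIN_RE.finditer(text):
        dom = m.group(1).lower()
        if dom in seen:
            continue
        seen.add(dom)
        verdict, match = classify(dom, watch)
        results.append((dom, verdict, match))
    return results


# Constructed watch-list of an organization's own domains.
WATCHLIST = ["example-corp.ru", "example-exchange.ru"]

# Constructed lure: one-character typosquat sender, a same-name .com clone,
# two genuine links and one unrelated host.
SAMPLE_MAIL = """From: accounts@example-c0rp.ru
Subject: Updated payment details
Download the contract: https://portal.example-corp.ru/docs/contract.doc
Confirm here: http://example-exchange.com/login
Our public site: https://example-corp.ru/
Unrelated: https://www.unrelated-site.org/news
"""

if __name__ == "__main__":
    for dom, verdict, match in scan_message(SAMPLE_MAIL, WATCHLIST):
        print(f"{dom:28} {verdict:10} {match or ''}")
```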

"In the process, attackers who have compromised dozens of mail accounts can log into them and change bank details on behalf of their real owners, or in some other way transfer funds to accounts they control," explained Kevin Livelli, director of threat research at Cylance.

Interestingly, Cylance experts found evidence that previously the same attackers attacked users of gaming platforms, in particular Steam. In all cases, hackers used the same malware, almost unchanged.

A year earlier, the Russian company Group-IB had drawn attention to the creation of clone sites; the corresponding material was published by Forbes.[44] Cylance experts note that they are familiar with this publication, and that both they and Group-IB investigated the same cybercriminal operation, which, most likely, is still continuing.[45]

"It is likely that this campaign itself is financially motivated," said Dmitry Gvozdev, General Director of Information Technologies of the Future. "But it cannot be ruled out that the data collected as a result of this operation could later be used by the special services of unfriendly countries to carry out quite real 'cyber-military' attacks. The special services of all countries interact with hackers in one way or another, and it is unlikely to be a mistake to assume that in this case the attackers had their own curators in the relevant structures."

A detailed technical description of the campaign is available on the Cylance website.[46]

CII operators will be obliged to inform the FSB about cyber attacks

As became known in March 2018, the FSB of Russia plans to oblige owners of enterprises related to critical infrastructure to inform the Service about cyber attacks directed at them.[47] The Federal Portal of Draft Regulatory Legal Acts published a draft order "On Approval of the Procedure for Informing the FSB of Russia about Computer Incidents, Responding to Them, Taking Measures to Eliminate the Consequences of Computer Attacks Carried Out against Significant Objects of the Critical Information Infrastructure of the Russian Federation" and an appendix to it describing the procedure itself. According to this document, CII subjects will be obliged to report to the FSB "on all computer incidents related to the functioning of CII facilities belonging to them by right of ownership, lease or other legal basis."

Critical infrastructure entities will be required to immediately transmit information about the cyber attack to the National Coordination Center for Computer Incidents (NCCCA).

The creation of such a center was announced back in 2015. At the end of 2017, a draft order of the FSB director on the creation of this center was published, but this document has not yet been finally adopted. The draft is available on the website www.garant.ru.[48]

NCCCA will be called upon to coordinate all computer incident response activities and directly participate in such activities. Through it, information will be exchanged about computer incidents between CII subjects, between CII subjects and authorized bodies of other countries, as well as international non-governmental organizations and information security experts.

In addition, the center will inform the subjects of the CII on the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents. The draft order notes that in cases where a computer incident is related to the functioning of a CII facility operating in the banking sector and in other areas of the financial market, simultaneously with informing the FSB of Russia about such a computer incident, the Central Bank of the Russian Federation is also informed.

The order instructs the subjects of the CII to prepare a plan for responding to computer incidents and taking measures to eliminate the consequences of computer attacks, which includes: technical characteristics and composition of significant CII objects; events (conditions), at the occurrence of which this plan is put into effect; measures to respond and eliminate the consequences of attacks, the time allotted for their implementation, and the forces of the CII subject responsible for carrying out measures to respond to computer incidents and taking measures to eliminate the consequences of computer attacks.

At least once a year, exercises on this plan will be carried out at the facilities of the CII subject, followed by the necessary adjustments to it.

The subjects of the CII are also instructed, together with the NCCCA, to develop and agree with the 8th center of the FSB of Russia a special regulation describing the conditions under which FSB officials will be involved in response to computer incidents.

"Hardly anyone will dispute the need to involve experts from the Federal Security Service in measures to protect critical infrastructure during cyber attacks. But the relevant procedures should be strictly regulated," said Roman Ginyatullin, an information security expert at SEQ (formerly SEC Consult Services). "It is surprising that the relevant regulations were not adopted earlier, given that discussions about the vulnerability of critical infrastructure around the world have been going on for several years, and there have been real incidents with multi-million dollar damage."

2017

Operators criticized the Runet infrastructure bill

The Big Four operators - VimpelCom, MegaFon, MTS and Tele2 - sent an appeal to the head of the Ministry of Communications Nikolai Nikiforov. In it, they expressed their assessments of the bill on the protection of the critical infrastructure of the Runet, writes Kommersant in October 2017.

The companies expressed fears that the document could deprive them of foreign shareholders with a share of more than 20%. They also reported that the information that 60% of Russian traffic passes through foreign exchange points is incorrect. According to their information, the real share is about 1%, since the cost of passing traffic through foreign routes is high. As a result, the authors of the letter are not clear why "traffic exchange points are assessed as critical infrastructure objects."

The Ministry of Telecom and Mass Communications told the publication that the ministry is conducting a "constructive dialogue" with operators on this issue. However, the Ministry of Economic Development is also ready to give a negative response to the bill; it said that the document is still undergoing a regulatory impact assessment.

The Ministry of Finance criticized the bill on the critical infrastructure of the Runet

The Ministry of Finance sent a negative response to the bill of the Ministry of Communications, which involves measures to ensure the safety of the critical infrastructure of the Russian segment of the Internet in case of external impact. According to RBC, the main reason for the refusal was the lack of accurate information about the volumes and sources of financing.

"The presented financial and economic justification does not contain information about the amount of funds for the registration of [domains] and their part planned in the GIS 'Internet', which does not allow one to fully assess the costs of its creation and maintenance and to assess the financial consequences of the adoption of the bill for the budgets of the budget system of Russia," the text of the review says.

According to the publication, the Ministry of Finance proposed to finalize the bill by submitting a financial and economic justification. According to observers, the costs of implementing the initiative of the Ministry of Telecom and Mass Communications can amount to about 1.5 billion rubles, plus annual costs of about 40 million rubles.

What threatens for the unlawful impact on the critical IT infrastructure of Russia

On January 1, 2018, the law "On the Security of the Critical Information Infrastructure of the Russian Federation" and the amendments to the Criminal Code adopted simultaneously with it, describing the punishment for damage to the country's critical infrastructure, come into force in Russia. Read more here.

Federation Council approves criminal liability for attacks on critical IT infrastructure

On July 19, it became known that the Federation Council had approved the law "On the Security of Critical Information Infrastructure," developed by the Federal Security Service (FSB) and introduced to the State Duma by the Government in December 2016. The document will enter into force at the beginning of 2018.[49]

The law introduces the classification of critical information infrastructure objects and provides for the creation of a register of such objects, while determining the rights and obligations of both the owners of the objects and the bodies that protect them. The body that will be responsible for ensuring the security of the infrastructure has not yet been appointed.

The document also provides for the creation of a state system for the detection, prevention and elimination of the consequences of computer attacks on information security resources of Russia (State system of detection, prevention and elimination of consequences of computer attacks), which will ensure the collection and exchange of information about computer attacks.

Simultaneously with the approval of the law "On the Security of Critical Information Infrastructure of the Russian Federation," amendments were approved to the laws "On Communications," "On State Secrets," and "On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State Control (Supervision) and Municipal Control," as well as amendments to the Criminal Code of the Russian Federation. Thus, article 274.1 will appear in chapter 28 of the Criminal Code, "Crimes in the field of computer information," providing for punishment for harm caused to objects of critical information infrastructure.

The State Duma allowed hackers to be imprisoned for 10 years for attacks on CII

In July 2017, the Lower House of the Russian Parliament adopted in the third, final, reading a bill criminalizing computer attacks on critical information infrastructure.[50]

The bill provides that the Criminal Code will include an article "Unlawful impact on the critical information infrastructure of the Russian Federation," the maximum punishment for which will be 10 years in prison with a ban on holding certain positions or engaging in certain activities.

The document must still be approved by the Federation Council and signed by the Russian President. It is expected to take effect on January 1, 2018.

Criminal punishment for cyber attacks is part of a package of bills on critical information infrastructure submitted by the government to the State Duma in December 2016. The package of bills approved by the lower house of the Russian parliament, in particular, introduces the concept of "critical information infrastructure" and establishes the powers of government agencies to ensure its security.

2013: Decree of President Putin on the creation of a system for protecting information resources

In January 2013, President Vladimir Putin signed a decree on the creation in Russia of a system for detecting, preventing and eliminating the consequences of computer attacks on information resources located in the country and in diplomatic missions and consular offices of Russia abroad.

Its key tasks, in accordance with the presidential decree, should be to forecast the situation in the field of information security and to ensure the interaction of IT resource owners with telecom operators and other organizations engaged in information protection in solving problems related to the detection and elimination of computer attacks. The list of tasks of the system also includes assessing the degree of protection of critical IT infrastructure from computer attacks and establishing the causes of such incidents.

Putin instructed the FSB to organize work on the creation of a state anti-hacker system.

Notes

  1. Key enterprises will switch to domestic software and IT equipment by 2030
  2. The Ministry of Digital Development may include localization in the assessment of the independence of CII
  3. Ministry of Digital Development is preparing a bill on the principles of determining the criticality of infrastructure
  4. The government decided to close the loophole for the purchase of foreign software
  5. Mikhail Mishustin gave instructions following a strategic session on import substitution of software in industries
  6. Strategic Session on Import Substitution of Software in Industries
  7. Import substitution will go according to the plan
  8. https://regulation.gov.ru/projects#npa=130285
  9. The Ministry of
  10. Industry and Trade proposes to plan the transition of CII
  11. Putin supported the ban on foreign software on non-state information infrastructure
  12. Decree of the President of the Russian Federation dated 30.03.2022 No. 166 "On measures to ensure the technological independence and security of the critical information infrastructure of the Russian Federation"
  13. An update on Ukraine, Russia and Belarus
  14. Import substitution project caused criticism in the presidential administration
  15. The transfer of CII to Russian hardware and software may entail "unreasonable costs" for business and the state
  16. Shokhin estimated business costs at ₽1 trillion due to the transition to Russian software. He asked to free banks and mobile operators from the requirements of such localization
  17. Fines are introduced in Russia for violating the protection of critical IT infrastructure
  18. The Ministry of Digital Development wants to accelerate the transition to Russian software for critical infrastructure by a year
  19. The Ministry of Digital Development has finalized a draft resolution on the requirements for software and equipment for CII facilities
  20. CII objects prescribed domestic
  21. Import substitution is asked to slow down. The procedure for switching to Russian IT solutions may be revised again
  22. Banks are asking to transfer control over the transition to domestic software to the Central Bank
  23. Import substitution was given three years. Transition to domestic software for critical IT systems delayed
  24. Kasperskaya asked the president to speed up the transfer of banks to Russian software. This is necessary to ensure national security, but the costs of the transition will exceed ₽700 billion
  25. Banks asked the Central Bank to extend the transition to Russian software and equipment. They estimate the costs of fulfilling such requirements at ₽700 billion
  26. npa=109874 Decree
  27. Banks and fuel and energy complex will be obliged to switch to Russian equipment and software by 2025
  28. https://www.securitylab.ru/news/512136.php FSTEC signed a decree on the use of
  29. domestic software at critical infrastructure facilities
  30. The Federation Council proposed that state corporations and state-owned companies be classified as critical information infrastructure facilities
  31. The Bank of Russia supported the Association's proposals to postpone the transition to the predominant use of Russian software and IT equipment
  32. Explanatory note to the draft GOST R "Information protection. Information security monitoring. General provisions"
  33. Communications of the Russian Federation announced the collection of applications from the regions for receiving subsidies for projects to improve the safety of CII in 2021
  34. Domestic software is dear to bankers. The transition to it in banks was estimated at 150 billion rubles
  35. Infrastructure was critical
  36. Questions of philosophy
  37. Industries and banks will be given six months to switch to domestic software
  38. Recommendations on ensuring the security of critical information infrastructure facilities when implementing a remote regime for fulfilling official duties by employees of critical information infrastructure
  39. of
  40. The President instructed the FSB to pay special attention to the protection of critical information infrastructure
  41. Minek proposed to transfer banks and fuel and energy complex to Russian software and equipment
  42. In Russia, for the first time, the costs of the sovereign Internet were named. The amount is 10 billion more than expected
  43. Post by LanCloud Development Director Sergey Erin on Facebook on January 28, 2019
  44. Clone attack: how schemes with fake sites of Rosneft and other large companies work
  45. Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals
  46. Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure
  47. npa=78961 Procedure for informing the FSB of computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out on significant objects of critical information infrastructure of the Russian Federation
  48. Draft Order of the FSB of Russia "On the National Coordination Center for Computer Incidents" (prepared by the FSB of Russia 26.12.2017)
  49. The Federation Council introduced criminal punishment for attacks on critical IT infrastructure
  50. The State Duma allowed hackers to be imprisoned for 10 years