Security of critical information infrastructure of the Russian Federation

Main article: Critical information infrastructure of Russia

Cyber attacks on critical information infrastructure

Main article: Cyber attacks on critical information infrastructure

2024

Developing an innovative method to detect cyber attacks on industrial enterprises using digital vision

Scientists of the St. Petersburg Federal Research Center of the Russian Academy of Sciences in December 2024 presented a new technology for detecting cyber attacks on industrial infrastructure. The system uses the conversion of network traffic into images for subsequent analysis using computer vision. Read more here

Russian software manufacturers asked FSTEC to remove Android-based OS from the public sector and fuel and energy complex

The Association of Software Developers "Domestic Software" appealed to the Federal Service for Technical and Export Control with a proposal to develop proxy criteria for mobile operating systems based on Android. The letter to the FSTEC became known on November 27, 2024.

According to RBC, the initiative concerns operating systems developed on the basis of the Android Open Source Project and intended for use at critical information infrastructure facilities and in state corporations.

Russian software manufacturers ask FSTEC to remove Android OS from the public sector and fuel and energy complex

The head of the committee ARPP for the development of the ecosystem of Russian mobile products, the general director of the IT Research and Development Center "" ROSA Oleg Karpitsky pointed out several key risks of using AOSP, including the lack of regular security updates and assembly on foreign ones. servers

According to the electronic platform "Tenderplan," in 2024 devices with operating systems based on Android were purchased by the Ministry of Digital Development and the Ministry of Agriculture of the Krasnoyarsk Territory, the Analytical Center of the Perm Territory and other state structures.

Red Software Executive Director Mikhail Tolpyshkin said that their RED OS M system meets the proposed criteria, as it is being developed and assembled in Russia in a closed circuit.

Postgres Professional Co-founder and Deputy General Director Ivan Panchenko noted that the main risk of using AOSP in Russia is a critically low level of competence in this system.

In Russia, Yadro with KvadraOS, Red Software with RED OS M and Atol with ATOL OS are developing operating systems based on AOSP. In February 2024, the Aquarius group of companies also began developing its operating system.

AOSP is managed by Google, which can stop posting new versions to the public at any time, which creates additional risks for Russia's critical infrastructure.^[1]

The Ministry of Industry and Trade allocated ₽1 billion for research on the transfer of CII to Russian IT equipment

In November 2024, the Ministry of Industry and Trade of Russia announced a tender in the amount of ₽1 billion to organize the safe transition of critical information infrastructure (CII) facilities to trusted software and hardware complexes of Russian production.

We are talking about conducting research work, including checking the reliability of object categorization and analyzing transition plans to determine the key directions for the development of domestic microelectronics. The research will cover CII facilities in the defense, chemical, metallurgical and mining industries.

According to CNews, the contractor will be determined on December 2, 2024 by holding an auction. The project is being implemented within the framework of the state program "Scientific and Technological Development of Russia."

The Ministry of Industry and Trade allocated ₽1 billion for the transfer of KII to Russian equipment

Elena Kutz, Head of Expert and Analytical Department of ALMI Partner, pointed out the need to integrate new systems with existing platforms. According to her estimates, insufficient security of information systems causes more than 30% of incidents related to data leaks.

In accordance with the government decree of November 14, 2023 No. 1912, from September 1, 2024, KII subjects are prohibited from acquiring and using software and hardware complexes that are not trusted. The complete transition to the predominant use of trusted complexes should be completed by January 1, 2030.

In 2025 and 2026, it is planned to conduct at least 1000 expert assessments of the reliability of information on the categorization of CII objects annually. Based on the results of the inspections, proposals for compensatory safety measures will be formed for the period of implementation of the transition plans.

Kirill Semion, General Director of the National Competence Center for Holding Management Information Systems, noted the importance of optimizing the configuration of equipment and software in hardware and software complexes, emphasizing the shortage of standardized solutions in the market^[2]

As the Vedomosti newspaper notes, as of the end of 2024, the state does not have aggregated data on the real state of affairs in the field of import substitution. In this regard, the Ministry of Industry and Trade plans to create a system that will allow monitoring the implementation of plans for the transition to domestic solutions of all CII subjects. We are talking about defense, metallurgical, chemical and mining enterprises. The following works shall be performed within the project:

• Formation of proposals on compensatory measures ensuring the safety of significant CII facilities for the period of implementation of transition plans for the preferential use of trusted PACs;
• Analysis of transition plans sent by CII subjects in order to determine the requirements for information protection;
• Development of requirements for the information system in which incoming transition plans are processed and relevant registers are maintained;
• Formation of proposals for updating the Decree of the Government of the Russian Federation of November 14, 2023 No. 1912 "On the procedure for the transition of subjects of critical information infrastructure to the preferential use of trusted software and hardware systems on significant objects belonging to them."

In general, as noted, the contractor will have to develop requirements for an information system that will contain plans for the transition of CII subjects to trusted PACs.<

The vast majority of CII facilities do not have a minimum level of protection

According to the results of monitoring conducted by the FSTEC, it turned out that 89% of critical information infrastructure facilities do not have a minimum level of protection.

Earlier, the FSTEC of Russia developed a methodology for assessing the indicator of the state of information protection at critical information infrastructure (CII) facilities. This was announced on November 7, 2024 by the press service of Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technology and Communications.

The purpose of the methodology is to assess the degree of achievement by state authorities and organizations of the minimum necessary level of protection of information that does not constitute a state secret, and the level of security of significant CII objects from the most common security threats.

From the 100 domestic organizations conducted on the basis of the information security architecture monitoring methodology, it turned out that the vast majority of them do not have a minimum level of protection. As the head of the FSTEC department, Sergei Bondarenko, explained, the insecurity of organizations means that critical infrastructure facilities can become an easy target for attackers.

In 2024, the share of highly critical attacks increased - immediately by 66%. We are talking about attacks, the result of which was a real violation of business processes. At the same time, the largest share - almost 70% - of highly critical attacks fell on the critical information infrastructure. For the same period in 2023, the figure was about 46%, - said the deputy.

This includes, for example, InformSystems in the field of health care. A successful cyber attack can lead to a shutdown of life support systems, an incorrectly diagnosed and, as a result, causing real harm to the health of citizens. Therefore, such a state of affairs is simply unacceptable, - said the deputy. - Weak security is typical not only for CII facilities. According to Roskomnadzor, 90% of organizations are not protected from external attacks. I think this problem is relevant for the entire industry.

Earlier, FSTEC published a draft order suggesting amendments to the current requirements for the safe storage of data not related to state secrets and processed by government agencies, as well as CII facilities. The main goal of the proposed amendments is to increase the protection of organizations from possible DDoS attacks. So, they want to oblige them to store information about attackers' attacks for three years, as well as expand the data channel to ensure the passage of a twofold amount of traffic.

CII facilities should work smoothly, the stability of the majority depends on this. industries economies The proposed changes would complement existing infrastructure protection models. In addition, the introduction of a requirement for storing information about incidents will make it possible to form a database of incidents and analyze in detail the actions of attackers, "Nemkin concluded.

FSTEC has developed time limits for work to ensure the safety of CII

In early November 2024, it became known that the Federal Service for Technical and Export Control () FSTEC and the Russian Federation Ministry of Labour and Social Protection determined the time limits for work to ensure the safety of facilities (). critical information infrastructure CUES

Elena Torbenko, head of the FSTEC department of Russia, spoke about the initiative. We are talking about the order of the Ministry of Labor No. 31ndsp - "Typical intersectoral time standards for work to ensure the security of significant objects of the critical information infrastructure of the Russian Federation." Standards are required to justify the need to increase personnel in the field of information security in organizations.

FSTEC has developed time limits for ensuring the safety of CII

The order has a stamp "for official use," and therefore, to familiarize yourself with it, you need to contact the FSTEC. It is known to define the following parameters:

• Time limits for categorization of CII objects;
• Time limits for the construction of the safety system and implementation of measures to ensure the safety of ZOKII (a significant object of CII);
• Time limits for ensuring safety of ZOKII during their operation;
• Time limits for planning ZOKII safety measures;
• Time limits for ZOKII safety assurance during their decommissioning;
• Time limits for preparation of proposals on organization of training and raising of awareness of employees operating, ensuring functioning, and other employees involved in ZOKII safety, on ZOKII safety issues;
• Time limits for monitoring the safety status of ZOKII;

In general, as noted, the order determines the norms of labor costs for all types of work provided for by law in the field of ensuring the security of significant objects of critical information infrastructure in Russia.^[3]

FSTEC presented a formula by which the service assesses the state of protection of CII facilities

The Federal Service for Technical and Export Control (FSTEC) has developed a formula on the basis of which the state of protection of critical information infrastructure ( CII ) facilities in Russia is assessed . TAdviser reviewed the proposed methodology in early November 2024.

As a value characterizing the current state of information protection (ensuring the security of CII facilities) in the organization, the Kzi indicator is used. It reflects the degree of achievement of the minimum required level of information protection against typical current security threats in the time interval selected for assessment, under the specified operating conditions of information systems, automated control systems, information and telecommunication networks and other informatization objects.

FSTEC has developed a formula by which the level of protection of CII facilities is assessed

In order to evaluate the Kzi security indicator, the values of the individual safety indicators kji are determined, where j is the number of the group of individual safety indicators, i is the number of the individual indicator in the corresponding group. Particular indicators kji characterize the implementation in the organization of certain measures to protect information from current threats. Calculation of Kzi protection index is carried out according to the following formula:

Kzi=(k11 + k12 + k13) R1 + (k21 + k22 +... + k2i) R2 + (k31 + k32 +... + k3i) R3 + (k41 + k42 +... + k4i) R4, where Rj is the weight coefficient of the j-th group of partial safety indicators.

If Kzi is equal to 1, this means that a minimum level of protection is provided against typical current threats to information security. With Kzi in the range from 0.75 to 1, the minimum level of protection against current threats is not provided, and there are prerequisites for the implementation of attacks. If the indicator is less than 0.75, then there is a real possibility of implementing current threats to information security.^[4]

The first certification body for trusted hardware and software systems has appeared in Russia

In Russia, in October 2024, the first certification body for trusted software and hardware systems (PAC) for critical information infrastructure (CII) was registered. The new structure was created on the basis of JSC Atomenergoproekt, which is part of the state corporation Rosatom, as part of the implementation of the presidential decree on measures to ensure the technological independence and safety of the Russian KII. Read more here

In Russia, created ANO "Digital Horizon" for the introduction of IT solutions in critical infrastructure

On October 1, 2024, a new autonomous non-profit organization (ANO) "Digital Horizon" was officially presented in Moscow. The project aims to develop and implement advanced technologies in key sectors of the country's economy, in particular in the field of critical information infrastructure. Read more here

The Ministry of Industry and Trade is allocated 553 million rubles to create a cybersecurity center in industry

The federal budget of Russia will allocate ₽553 million to create and ensure the activities of the industry competence center for information security in industry. The decision on financing was made in September 2024 within the framework of the federal project "Information Security" of the national program "Digital Economy."

According to CNews, the curator of this event is the Ministry of Industry and Trade of the Russian Federation. The competence center was created on the basis of the Gamma research and production enterprise subordinate to the ministry, which has been the parent organization for the protection of information in the structure of the Ministry of Industry and Trade since 1991.

Programmer

The main tasks of the center include the detection, prevention and elimination of the consequences of computer attacks on the information resources of Russian industrial enterprises. In addition, the center will assess the degree of security of facilities, analyze the causes of computer incidents and collect data on the state of information security in the industry.

During the project implementation, it is planned to develop a standard technological solution for creating early warning subsystems for information security threats. Guidelines for departmental monitoring of the state of work on categorization of critical information infrastructure facilities will also be prepared.

The relevance of the creation of such a center is due to a sharp increase in the number of cyber attacks on Russian industrial enterprises since 2022. According to the monitoring and response center, in cyber attacks MTS RED SOC the first half of 2024, more than 22 thousand attacks on industrial companies were reflected, of which about 15% had critical status.

Roman Safiullin, Head of Information Protection at InfoWatch Arma, notes the difficulty of ensuring information security at industrial facilities due to their uniqueness and the need for an individual approach to each enterprise. He also points to a shortage of safety specialists in automated process control systems.^[5]

The government changed the procedure for categorizing CII objects, giving rise to many questions

On September 19, the Government of the Russian Federation adopted Resolution No. 1281 on amending the Decree of the Government of the Russian Federation of February 8, 2018 No. 127. The latter previously determined the procedure for categorizing critical information infrastructure (CII) objects, which has been in effect so far. The current change to this procedure consists of three points:

• Invalidate the requirement to form a list of objects subject to categorization (subclause "d" of paragraph 5 of Resolution No. 127);
• Remove from the authority of the categorization commission the possibility of forming a list of objects and assessing the need to categorize the objects being created (exclusion of the relevant powers from subparagraph "c" of paragraph 14 of Resolution No. 127);
• The requirement for coordinating the list with regulators, as well as all deadlines, including the following, has been removed: "The maximum categorization period should not exceed one year from the date of approval by the subject of the CII of the list of objects" (the entire paragraph 15 of Resolution No. 127 has been removed).

Changes adopted by the Government of the Russian Federation are placed on one sheet

In fact, the adopted resolution means that a whole stage is removed from the categorization process - the preparation of a list of objects that are subject to categorization. However, it was from the registration of this list that the year that was allocated for the categorization of objects was previously counted, and now the deadlines seem to be becoming less defined. So, according to Daniil Socol, the owner of the Nota Kupol project developed by Nota (Holding T1):

The stage of forming a list of objects for categorization was critical in the process of implementing Resolution No. 127, as it served as a start for further categorization and protection of objects, as well as a signal to the regulator that work on the subject of CII had begun. Without a formal list and the requirements of its approval with the FSTEC of Russia (sending the list within 5 days after approval), there are risks of missing and incorrectly identifying critical objects of CII.

However, experts believe that the list of CII objects that are subject to categorization still needs to be compiled after the changes adopted by the government.

Nobody canceled the stage of forming the list of KII objects as such, "Oleg Nesterovsky, deputy director of the ARinteg consulting and audit department, explained to TAdviser. - Duplication is excluded. Subparagraph "c" of paragraph 5 of Resolution No. 127 already implies the formation of the specified list, namely: the definition of critical information infrastructure facilities that process the information necessary to ensure critical processes, and (or) control, control or monitor critical processes. Regarding the abolition of the maximum term for categorizing CII objects, this is a big question. We are waiting for the clarifications of the regulator.

It should be noted that the categorization procedure is now changing video. The government has already appointed responsible regulators for each industry of those listed in Law No. 187-FZ "On the Safety of the CII of the Russian Federation," for the implementation of which Resolution No. 127 was adopted. Now they have all prepared lists of typical CII facilities in each specific industry, and they must control the process of categorizing their wards in accordance with these industry lists.

The stage of forming a list of CII objects for categorization was important as long as the country formed lists of standard sectoral objects of critical information infrastructure operating in various areas established by paragraph 8 of Article 2 No. 187-FZ "On the Safety of the CII of the Russian Federation," Maxim Fokin, head of certification and secure development of the MSVSFERA OS (Softline Group of Companies). - To date, such lists have been formed in full, and it makes no sense to form lists of objects for categorization by the forces of KII subjects, since this process was quite difficult and incomprehensible for such organizations. When forming lists on the ground, much depended on the competence of specialists operating in various subjects of the CII.

According to the expert, the independent formation of the list of objects by the organization (subject of CII) led to the formation of an excess list of CII objects. In some cases, companies "forgot" to add objects that were really important for the state to the lists. That is why the government tried to attract regulators in the relevant industries to form lists.

Now you can simply take ready-made lists of typical industry objects of CII and correlate with the objects of your organization, which will allow you to unambiguously identify all objects of CII in organizations. This will help to reduce the time of work on categorizing CII facilities by an order of magnitude, unload the regulator, reduce the costs of organizations to ensure the safety of redundant facilities, as well as ensure the protection of CII facilities key to the state's information security.

For KII subjects, such changes facilitate the process of categorizing and coordinating the list of KII objects, especially when it is necessary to exclude an object from the Russian base FSTEC , on the other hand, give more opportunities to make a mistake in determining KII objects, - said Daniil Socol. - The regulator's work is complicated by the fact that the formation of the list helped state bodies and regulators to control the process of starting categorization and ensure compliance with the norms and requirements of the legislation, as well as determined the period for which it was necessary to categorize. Without a clear stage of registration of the list, it may be difficult for the regulator to establish specific terms of categorization on the subject of CII. There will be no changes for the subjects of CII, the work on determining the list of objects will remain the same, while recommendations on typical CII objects, which are adopted in industry regulators, can be used.

Oleg Nesterovsky expressed a similar opinion on simplifying the procedure for forming lists of KII objects:

Lists of typical industry objects of CII are used to form a list of CII objects, but are not exhaustive. They do not exclude the presence of other IEs, ITCS, APCS, implementing and providing critical processes. The order of generation of the list of objects to be categorized does not change.

Only the issue of coordinating the list with FSTEC or other regulators remains. However, experts cannot independently answer it and expect clarification from regulators.

The Ministry of Digital Development assessed the import substitution of cybersecurity tools at KII facilities in Russia

The Ministry of Digital Development, Communications and Mass Media of Russia in September 2024 announced that the readiness for full import substitution of information protection tools at critical information infrastructure (CII) facilities is assessed as high. These data were announced in Moscow by the director of the cybersecurity department of the Ministry of Digital Science Yevgeny Khasin.

According to Hasin, most cybersecurity tools at KII facilities already have domestic counterparts. However, there are certain technological difficulties with high-performance protection systems, but active work is underway to improve their characteristics. He also confirmed that the postponement of the implementation of presidential decrees regarding the ban on the use of foreign software (software) and cybersecurity services is not planned.

The Ministry of Digital Development assessed the import substitution of cybersecurity tools at KII facilities in Russia

According to TASS, in addition, Ilya Massukh, director of the competence center for import substitution in the ICT sector, said that in some segments the replacement approached 100%. In particular, for firewalls and backup tools, this figure is 75-80%, and for databases and operating systems - about 50%. Massukh noted that most companies subject to the decrees take this issue seriously and will comply with all regulatory requirements on time.

In March 2022, Russian President Vladimir Putin signed a decree aimed at ensuring the technological independence and cybersecurity of Russia's critical information infrastructure. According to this decree, from March 31, 2022, a ban was introduced on the purchase of foreign software for CII facilities without the consent of authorized bodies. The ban also extended to purchases of services necessary to use such software.

In addition, the presidential decree establishes that from January 1, 2025, state authorities will be prohibited from using foreign software at CII facilities. This decision was made as part of a strategy to increase Russia's independence in the field of information technology and cybersecurity.^[6]

The Ministry of Industry and Trade decided to tighten the requirements for information security for trusted software and hardware systems

The Ministry of Industry and Trade in August 2024 on the federal portal of NPA projects published a proposal to amend^[7] of the Government of the^[8] in the PP-1912 "On the procedure for the transition of the subjects of^[9] to the preferential use of trusted PAC at their significant objects of the Russian Federation KII." The main changes are supposed to be made to the appendices to the rules approved in the PP-1912 for the transition of CII subjects to the preferential use of trusted PAC at their significant CII facilities.

In particular, Appendix No. 1 to the rules states that trusted are PACS that are contained not only in the register of Russian radio-electronic products, as was originally the case, but also in the register of Russian industrial products. Both registers are maintained by the Ministry of Industry and Trade, although the section Ministry of Digital Development^[10] has already appeared in the register of domestic software, which is supported by ^[11]. It contains 296 entries at the beginning of August.

The state register of trusted PACS does not exist today, "Valery Andreev, Ph.D. and Deputy General Director for Science and Development of IVK. - There is a register of PACS Ministry of Digital Development of the Russian Federation, but the criteria for the power of attorney of the software and hardware systems included in it are not spelled out anywhere, there are not even marks in the register about whether the PAC is trusted. The software part of PAC can be trusted - this is confirmed by the certificate of the FSTEC of Russia or the FSB of Russia. It can be entered into the Unified Register of Programs of the Ministry of Digital Development of the Russian Federation, but information about the presence of certificates on the product page is not provided. That is, the user, viewing the software tools of interest to him in the registry, cannot immediately find out whether they are certified.

An example of a registry entry of PACS of the Ministry of Digital Development. It can be seen that the device would be contained in the register of industrial products, therefore, according to the old Persia, PP No. 1912 would not be trusted

Actually, in PP No. 1912 there are criteria for trusted PAC (not for the register of PACS Ministry of Digital Development) - they are formulated just in Appendix No. 1 and consist of three points:

1. Inclusion of information about the device in the register of Russian radio electronic products^[12] and, if a change is made, in the register of Russian industrial products^[13]
2. Software complies with the requirements of Resolution No. 1478 of August 22, 2022;
3. If the PAC has security functions, then it must have the appropriate FSTEC and FSB certificates. If all these three points are completed, then the PAC is considered trusted.

An example of an entry from a single register of electronic products, where, in fact, information on both software certification and the device itself is missing.

For the third item, the project also provides for changes. If the PAC contains security functions, then the requirements of the FSTEC and the FSB will be presented not only to these mechanisms themselves, but also to electronic products that are part of this PAC. Moreover, information that the PAC itself and the element base used in it meet the requirements of the FSTEC and the FSB must be confirmed by certificates. Now there are not only devices certified by these departments, but also the requirements of these regulators for trusted PAKs have not been approved.

The only thing that is there is a preliminary standard for trusted PAC PNST 905-2023, which was approved by the technical committee No. 167 of Rosstandart under the name "Software and hardware complexes for critical information infrastructure and software for them." This TK is controlled by the Rosatom structure under the name NPO KIS. Therefore, it is unlikely that the Ministry of Industry and Trade, FSTEC or the FSB will refer to the standards prepared by him in their documents.

The hardware of PAC can be entered into the Unified Register of Electronic Products of the Ministry of Industry and Trade of the Russian Federation, - explained Valery Andreev. - But information on the certification of the product in its software part is also not provided here, as well as the mention of the software itself, with the exception of microcode. It turns out that the operator or customer needs to keep their register of trusted PACS. Where to get this information, how to track changes? Does it make sense to duplicate this work in many ways? Obviously not. A Unified State Register of Trusted PACS is needed.

Moreover, the draft resolution proposes to expand the list of data that CII subjects must inform regulatory authorities about the PACS expected to be installed. In particular, it is proposed to indicate the number of central processors and their architecture, channel capacity and number of ports, as well as other maximum detailed characteristics of the PAC. In the face of the risk of sanctions against supply chains, the publication of such information is fraught with the imposition of sanctions - there have already been such precedents.

The question of the availability of a sufficient amount of domestic element base for the production of PAC remains open, however, with active investments and efforts from both public and private structures, one can count on positive dynamics in this direction, "Elena Kutz, head of the expert and analytical department of ALMI Partner, shared her thoughts with TAdviser. - Despite the fact that there is an active development of the Russian element base for PAC production, many enterprises still depend on imported components, which entails certain risks and difficulties. In addition, PAC companies will face the need to adapt their products to new requirements, which will require additional investment and resources.

Indeed, resolution No. 1912 begins on September 1, 2024, and changing it at the last moment could have a negative impact on PAC manufacturers: in a month they are unlikely to be able to quickly redesign their devices in order to meet the requirements of legislators, who, as it was said, are not yet. Therefore, it is highly likely that by the time the decree comes into force, the necessary devices with the appropriate certificates will simply not be on the market.

For the production of PAC, a developed element base is needed, "said Kamil Baimashkin, Deputy Executive Director of R-Vision, in a conversation with TAdviser. - In Russia there are a number of enterprises producing electronic components. However, to fully meet the needs of the PAC, further development of the domestic electronics industry is necessary. In the short term, for some types of products, a new version of the decree may temporarily limit the choice of available PACs. In general, the proposed changes are a step in the right direction, since in the current conditions the insufficient security of critical information infrastructure facilities, their vulnerability to external attacks poses a threat to the security of the state.

The requirements of the draft resolution are important for the development of the domestic radio-electronic industry. It is very difficult to compete with prices with Chinese established industries, so the transition to the predominant use of Russian components should be stimulated by law.

In the future, 2-3 years, customer demand for Russian RAP should be satisfied, "Kirill Semion, General Director of ANO NCC ISU, told TAdviser. - Producers of the element base are now actively increasing production volumes. The main thing that they need for this process is investment and technical specialists. In general, the preferred use of trusted PACs is convenient for customers. But it is important that all the characteristics of PACS are described in detail. It is also necessary to make confirmation by external expertise mandatory. In this case, it will be easy for customers to design their architecture.

Russian GOST on cybersecurity at nuclear power plants has become international

The Russian GOST, which regulates the methods of cyber protection of nuclear power plant control systems, received the status of an international standard. This became known at the end of July 2024. Read more here.

Putin banned the use of cybersecurity services from unfriendly countries

On June 13, 2024, the President by Russia Vladimir Putin his decree No. 500 ^[14] approved amendments to Decree No. 250" On Additional Measures to Ensure Information Security of the Russian Federation. " In accordance with the document, from January 1, 2025, the use of protective equipment, as well as cybersecurity services from unfriendly countries, is prohibited. In addition, the decree requires only accredited response centers to be State system of detection, prevention and elimination of consequences of computer attacks to the system.

The adopted changes contain a number of key adjustments and clarifications of additional measures to ensure information security of the Russian Federation and are aimed at optimizing control and monitoring of the activities of the State system of detection, prevention and elimination of consequences of computer attacks centers, as well as expanding bans on interaction with persons with foreign participation in the framework of ensuring information security, - said Andrei Medunov, head of the group for supporting GR projects of the Solar Group of Companies. - It should be noted that these are timely and logical clarifications that will contribute to increasing the cyber stability of the state's economy and the technological independence of the cybersecurity industry.

Initially, Decree No. 250 defines the requirements for government agencies, state corporations and subjects of critical information infrastructure (CII) in terms of responding to cyber incidents. One of the amendments concerns accredited centers that will be involved "if necessary" to prevent cyber attacks and eliminate their consequences.

The new Decree No. 500 contains instructions for the FSB of Russia, according to which it is necessary to determine the requirements for the GosSOPKA centers, establish the procedure for their accreditation and suspension of this accreditation, "Alexander Bykov, head of the protection services of the cloud provider NUBES, explained to TAdviser. - In this part, an adjustment to the previous Decree No. 250 was necessary, since this will make the CII more efficient in responding to attacks.

For such centers, the procedure for their accreditation will be determined, including the procedure for suspending the accreditation procedure, suspending the accreditation and revoking accreditation. That is, the FSB will have to develop, approve and control the accreditation rules for State system of detection, prevention and elimination of consequences of computer attacks centers, which provide monitoring, elimination of the consequences of computer attacks, as well as security analysis.

Russian President Vladimir Putin

In addition, organizations covered by the decree have been prohibited from using cybersecurity work or services provided by companies from unfriendly states since 2025. Alexey Lukatsky, a business consultant for information security at Positive Technologies, says that these measures cover a wide range of services. These can be, in particular, cloud services to ensure information security, consulting services, security analysis, penetration testing, etc.

Now in Russia they continue to use foreign services WAF (firewalls for protecting web applications) and NGFW (firewalls for filtering traffic) to a minimum, but this is more true for large foreign companies, - commented on the current situation for TAdviser Alexander Khonin, head of consulting and audit department Angara Security. - They are used, as they are installed in the infrastructure of parent organizations abroad. In other cases, we are talking about the use of such services through "workarounds." In terms of services, most likely there will be a transition to individual information security products in order to preserve the necessary functionality. A number of organizations will refuse such services and replace them with compensatory measures

Rapid digitalization of industry requires proactive protection to repel cyber attacks

Over the past two years Russia countries CIS , the number of and others has been actively growing, cyber attacks with cybercriminals government agencies, large and medium-sized companies from the private sector becoming targets for more and more often, while before hackers private individuals became the main victims. The main reason that attackers are increasingly attacking institutions and enterprises in the CIS countries is geopolitical tension, which creates motives and conditions for cyber espionage and other malicious operations, said information security Orhan Hajizade, an expert in the field, who holds key positions in the largest state-owned companies and AIH, Azerbaijan SOCAR where he built a multi-level system data protection and infrastructure. More. here

FSTEC has developed rules for assessing the security of government agencies and CII facilities

In early May 2024, the Federal Service for Technical and Export Control (FSTEC) published a methodology for assessing the indicator of the state of technical protection of information and ensuring the security of significant objects of the critical information infrastructure (CII) of Russia. The rules apply to government agencies, organizations in the field of communications, power, banking and enterprises of other significant sectors of the economy.

The document says that the methodology defines an indicator characterizing the current state of technical protection of information that does not constitute a state secret, and (or) ensuring the safety of significant objects of CII. Assessment should be carried out at least once every six months. Organizations should conduct an extraordinary security check in the event of an information security incident with negative consequences or when changing the architecture of information systems. In addition, such a check can be initiated at the request of FSTEC.

FSTEC has published a methodology for assessing the indicator of the state of technical protection of information

The initial data required to assess the security indicator may be: reports, protocols or other documents drawn up based on the results of internal control of the security level; results of information systems inventory; internal organizational and administrative documents regulating the organization of information protection; external evaluation reports. In addition, the results of a survey of employees of the organization about their performance of functions using information systems and (or) ensuring information security can be taken into account.

Market participants, as noted by the Kommersant newspaper, believe that the FSTEC methodology will help companies focus on the minimum necessary level of protection. Thus, the deputy technical director of Innostage Daniyar Iskhakov says that the requirements are "simple and understandable," and this "should have a positive effect on the desire to fulfill them realistically, and not formally."^[15]

The concept of technological independence of KII was standardized. While temporarily

Rosstandart in early February 2024 published a preliminary standard PNST 905-2023^[16] "Critical Information Infrastructure. Trusted hardware and software complexes. Terms and definitions, "which defines the basic concepts in the field of trusted hardware and software systems (DPAK) for the critical information infrastructure of the Russian Federation.

The standard is preliminary and its validity period is limited - from April 1, 2024 to April 1, 2027. However, it is at this time that it is supposed to ensure the technological independence of the KII of the Russian Federation through import substitution, so the standard may be important for the entire domestic information security market.

The standard states that the terms established by it are recommended for use in all types of documentation and literature in the field of design, development and manufacture of DPAK and their components, as well as in the development of regulatory documents in this area. And if someone does not use the relevant terms, then questions will arise about his competence.

The key concepts of the document are the definitions of such terms as the technological independence of CII and a trusted software and hardware complex. This is "a state of critical information infrastructure, characterized by the possibility of its creation, stable, reliable functioning and development, including in conditions of restrictions in the availability of technologies and components" and "a software and hardware complex that meets the requirements of ensuring the technological independence of critical information infrastructure, functionality, reliability and security," respectively.

At the same time, a number of requirements are put forward for DPAK: just to ensure the technological independence of CII, functionality, reliability and security. To do this, DPAK must have a key technical solution (KTP), which is an integral part of it and essential for meeting the requirements listed above at all stages of the life cycle. What is a PTS is not specified, but the definition is very similar to domestic analogues of the TPM hardware module, which, apparently, will need to be installed in each DPAK.

In addition, the standard defines for DPAK a test site, electronic products (RAP) and electronic component base (ECB), which are used for its design, testing and operation.

There is also a definition for software, which is divided into four categories: built-in, system, application and special. All these categories of software must be stored in the code repository, which must be completely located in Russia.

PNST 905-2023 was developed by NPO Critical Information Systems (KIS) and the Engineering Safety expert organization. It was approved by the technical committee No. 167 of Rosstandart under the name "Software and hardware complexes for critical information infrastructure and software for them" at the end of last year - December 28, 2023 by order of Rosstandart No. 115-pnst.

The standard is preliminary, therefore Rosstandart accepts comments and additions to it, which should be sent to the department no later than 4 months before the completion of the action. The main standard will already be developed on their basis, but this is a completely different story.

Putin allowed transport security officers to shoot down drones

The Russian president signed a law allowing transport security officers to shoot down unmanned aerial vehicles. The corresponding document was published on January 30, 2024. Read more here.

2023

Repel 65,000 attacks on critical information infrastructure

Domestic specialists repelled more than 65 thousand attacks on critical information infrastructure (CII) facilities in 2023. Such information was shared by Deputy Prime Minister of the Russian Federation Chernyshenko, as reported on February 9, 2024 by the press service of the State Duma deputy RFAnton Nemkin.

Critical information infrastructure facilities form the basis of the country's economic system, explained Anton Nemkin.

{{quote "In fact, these include the most important infrastructure facilities: state-owned companies,, banks enterprises industries scientific and organizations, facilities and. transport health care The assumption cyber attacks in this case can lead not only to the leakage of corporate, but also information information related to state secrets. In addition, a cyber incident for an indefinite time can disable the production processes of the organization, the deputy explained. }}

It is because of these reasons that the KII facilities are under close attention from the attackers, Nemkin emphasized.

Let me remind you that in the first half of 2022 alone, the total number of cyber attacks on Russian organizations increased 15 times, compared to the same period in 2021. Of course, the factor of international instability could not but affect here, "he said.

Switching from one system to another sometimes creates gaps in information security that attackers are actively exploiting. We are talking about vulnerabilities both in application software and in the infrastructure itself. At the same time, the optimal level of security largely depends on the speed of integration of new solutions, - said the deputy.

Almost a third of Russian companies with CII faced security incidents

32% of CII subjects experienced safety incidents of varying severity. At least 35% of them entail damage that can be estimated in financial losses. Downtime is the most common consequence of incidents, the cause of which is mainly called DDoS attacks and site hacks. In addition, the following negative consequences are cited: reputational damage, loss of data without recovery and direct financial damage. These data were obtained during the study conducted by K2 Tech. The company announced this on December 26, 2023.

The subjects of CII include organizations on which the work of transport, communication networks, the functioning of the financial system and state, medical and other services depend. Therefore, stopping their activities can cause serious damage to the life and health of people. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" should protect industry, banks, hospitals and other institutions and companies from cyber threats.

Although the law was passed in 2018, a significant number of companies admitted that they still do not know what solutions they will need to implement the requirements of the 187-FZ. 24% of respondents did not decide on the plans. 68% of respondents have a clear idea of ​ ​ the upcoming purchases, 8% found it difficult to answer. Due to the complexity of projects and import substitution requirements, companies are forced to purchase additional solutions and replace existing ones. The most popular class of SMT for December 2023 are firewalls. At the same time, many questions are associated with firewalls, because so far there are no Russian analogues comparable in performance to departed foreign vendors. In second place is the means of protection against malicious code. They are followed by network equipment, cryptographic protection and SIEM.

Many companies only began to work closely in 2023 to fulfill the requirements of the 187-FZ. This is due, firstly, to the emergence of 250 Presidential Decree, which spells out specific practical tasks that need to be completed, deadlines and responsible, and secondly, to the fact that in 2022 the business was focused on combating attacks and fulfilling the instructions of the FSTEC. As of December 2023, most companies are still at the start of implementation. The most important stage for the successful completion of the project is the qualitative categorization and audit of CII objects. More than half (57%) of companies partially or completely trust this process with external contractors. It saves a lot of time. When an organization performs an audit on its own, we sometimes encounter the fact that KII facilities are 3 times more than originally indicated, "said Andrey Zaikin, director of business development at K2 Cybersecurity.

Over the years, we have seen a significant increase in the maturity of our industrial customers in the field of information security. The problems that we have encountered before, such as the denial of the need to protect process control systems (APCS) and critical information infrastructure (CII), the absence of responsible persons for ensuring information security, the use of corporate solutions for protecting APCS, now fade into the background. Nevertheless, the development of the information security market of industrial infrastructures dictates the need to move from protecting CII facilities, primarily industrial automation systems, using passive monitoring, to more tightly integrating protective equipment into the perimeter of such systems and implementing active actions to respond to emerging incidents and (or) prevent them. Increasing customer readiness to implement such an approach in industrial networks is something that still has to be worked on, "said Andrey Bondyugin, head of the Kaspersky Lab industrial infrastructure protection projects support group.

Recently, the number of cyber attacks on supply chains has increased, as a result of which hackers inject malicious code into software on the side of a hacked IT company, which then imperceptibly enters customer infrastructure, for example, along with the next update. In terms of potential negative impact, such a cyber attack can really be compared with hacking a significant CII object, especially since a malicious module embedded in the software can enter the infrastructures of many CII subjects at once. One of the options for solving the problem could be the organization of a state service for checking the security of software and IPS, for example, using sandboxes, compositional analysis methods and static, dynamic, interactive analysis tools; after such a check of the absence of "bookmarks" in the distribution kit or service pack, the value of the installer hash sum can be placed in the publicly available register of reliable software, with which KII subjects will be checked without fail, "said Ruslan Rakhmetov, General Director of Security Vision.

The Ministry of Digital Development allocates 25.2 billion rubles for the development of GIS in the field of cybersecurity

On November 28, 2023, it became known that the Ministry of Digital Development of the Russian Federation intends to allocate 25.2 billion rubles for the development of state systems in the field of cybersecurity. The initiative is designed to speed up import substitution in this area, as well as increase the effectiveness of existing protection systems against hacker intrusions, malware, etc.

According to the Kommersant newspaper, the initiative is stated in the materials of the national project "Data Economics." The indicated amount of the Ministry of Digital Development proposes to invest in the period until 2030. It is planned that all foreign products in the field of information security (information security) will receive Russian analogues. This will help companies and government agencies to abandon import solutions, which is important in the conditions of the formed geopolitical situation.

Of the total amount of 25.2 billion rubles, the Ministry of Digital Development will allocate 7.1 billion rubles for the development of a new system for countering computer attacks "Multiskaner" based on State system of detection, prevention and elimination of consequences of computer attacks (state system for detecting, preventing and eliminating the consequences of computer attacks; controlled by the FSB). This platform will be able to process more than 90 million files per year. Multiscaner will become an analogue of the free American service VirusTotal, which analyzes objects for malicious code. The full implementation of the new protective complex is scheduled for 2025.

Another 3.7 billion rubles will go to the development of state systems Antifraud"" (countering fraudulent calls;) Roskomnadzor and "" Anti-phishing(blocking fraudulent sites; Ministry of Digital Development). The Ministry of Digital Development intends to spend approximately 2.4 billion rubles on assessing the security of key state information systems (GIS). About 12 billion rubles will be required for other cybersecurity systems, including cryptographic tools.

However, market participants say that the investments announced under the project "look somewhat overestimated" even taking into account inflation. At the same time, the commercial director of the Security Code, Fedor Dbar, emphasizes that "financing in itself does not guarantee any result."^[17]

FSTEC revealed hundreds of violations in the protection of Russia's information infrastructure

The Federal Service for Technical and Export Control (FSTEC), following an assessment of the security of critical information infrastructure in relation to 900 subjects, revealed about 600 violations. Pavel Zenkin, deputy head of the department's department, spoke about this in mid-November 2023. According to him, in terms of the number of violations detected, the situation has almost not changed compared to 2022.

These are all the same organizational measures: the subject does not know his objects of the critical information infrastructure that he has, does not know their architecture, specialists do not know that they work on AI objects and ensure their security. As for technical measures, there is also nothing new here - standard passwords, connection to external networks, vulnerability analysis is not carried out, threats are not blocked, - Zenkin said during the IT forum in Novosibirsk (quoted by RIA Novosti).

The representative of the FSTEC noted that since the start of the special military operation, the FSTEC of Russia has sent more than 160 measures to the subjects of the information infrastructure aimed at increasing the security of facilities, including vulnerability analysis and software updates in the context of the sanctions policy. According to Zenkin, hundreds of violations in the protection of Russia's information infrastructure are "just a colossal figure."

All the flaws that I said lead to incidents..., "he added.

In mid-November 2023, Deputy Director of FSTEC Vitaly Lyutikov noted that the main reason for the large number of vulnerabilities in the software of KII objects was the departure of foreign vendors who stopped supporting their solutions installed on the infrastructure of Russian customers.^[18]

"Here it is necessary to build vulnerability management processes in order to minimize at least critical ones," he said.

IT officials in Russia will be forced to comply with cybersecurity requirements

The Federal Service for Technical and Export Control (FSTEC) develops requirements for IT officials to ensure the information security of IT systems. The deputy head of the department Vitaly Lyutikov told about this on November 14, 2023.

According to him, cybersecurity requirements for state contractors providing IT development services are necessary because most hacks and data leaks from government information systems occur through development contractors, to which no mandatory requirements are imposed.

The number of threats is growing, the damage from them is increasing. All the old [threats] remain. These problems have to be solved at the legislative level, - said Lyutikov (quoted by Vedomosti).

He noted that FSTEC checked 40 thousand systems of critical information infrastructure and a third of them were sent for revision "in terms of reassessing possible damage" in case of violation of work during hacking. Almost every second system inspected by the Federal Service for Technical and Export Control contains critical vulnerabilities, Lutikov said.

According to the FSTEC, by mid-November 2023, about 19% of verified InformSystems were included in the register of KII facilities. For another 50% of InformSystems, categories are not assigned, and 31% of applications for assigning a particular category of significance are returned. At the same time, about 1.6 thousand requirements for the implementation of legislation in terms of security were sent to the owners of KII facilities.

The number of systems is growing, the number of objects included in the register of significant objects of CII is increasing. The problem is that operators or owners of CII facilities are trying to underestimate the damage, minimize and show when determining the facility that no consequences, no damage will occur. But those incidents that have occurred over the past two years, they indicate the opposite, "added the deputy director of FSTEC.[19]

FSTEC will create a centralized database to control KII facilities - Putin's decree

The President Russia Vladimir Putin signed a decree that expanded the powers of the Federal Service for Technical and Export Control (FSTEC). The corresponding document was published in November 2023. More. here

The Ministry of Digital Development of the Russian Federation will oblige TV channels and telecom operators to create information security units

In mid-October 2023, it became known that the Ministry of Digital Development of the Russian Federation developed new requirements, according to which Russian companies - owners of the media (media), as well as operators of cellular communications and satellite television are obliged to create information security units (IS). The new rules will come into force on January 1, 2025.

According to the Vedomosti newspaper, the requirements apply to all channels of the first and second multiplexes, to Rossiyskaya Gazeta, ITAR-TASS and MIA Rossiya Segodnya. These organizations and telecom operators should switch to domestic means of protecting information, while the use of relevant solutions from unfriendly countries is prohibited. The information security division will become a kind of "internal auditor" of the IT infrastructure, as the number of cyber attacks on Russian companies is growing in light of the current geopolitical situation.

The new requirements partially duplicate the provisions of Decree No. 250 (adopted in May 2022), which applies to subjects of critical information infrastructure (CII). Such organizations are obliged to provide a certain standard of protection against emergencies and attempts and consequences of deliberate destructive impact on them. Market participants say that if the strict requirements of KII are extended to the entire operator business and the media, huge financial costs will be required.

In general, the size of investments in the creation of information security units depends on a number of parameters, including the number of employees in the organization, the volume of information infrastructure, etc. The minimum internal information security department will consist of a manager, an information security specialist and a personal data specialist. B1 partner Sergei Nikitchuk believes that, depending on the size of the business, compliance with the new requirements will require investments from 5 million to 50 million rubles a year. In addition, additional costs will be needed due to the need for import substitution of SSI.^[20]

Government May Ease Import Substitution Requirements in Critical Information Infrastructure

The requirements of the decree of President Vladimir Putin on the transfer of critical information infrastructure (CII) facilities to domestic solutions may be mitigated. In accordance with the decree signed on March 30, 2022, all software and hardware complexes (PAC) at KII facilities should be replaced by domestic ones by January 1, 2025.

But for PACS, it is possible to extend until the end of the service life of existing solutions. Such an amendment to the decree was developed by the Ministry of Industry and Trade, a federal official told Vedomosti and confirmed by a top manager of one of the oil and gas companies. According to them, the document was submitted to the government.

Ministry of Digital Development will create a software registry for critical information infrastructure objects

On August 7, 2023, it became known that the Ministry of Digital Development of the Russian Federation developed a new bill on the security of critical information infrastructure (CII). The document in the future will lead to the formation of a special register of software allowed for use in CII systems.

According to the Kommersant newspaper, the document "empowers the government to determine for each industry (and not just state-owned companies) standard solutions that will be attributed to KII facilities, as well as establish for them the timing of the transition to Russian solutions." In addition, it is planned to select typical IT solutions that will be classified as CII facilities. In other words, information systems used in certain industries will be equated directly to CII objects.

As of the beginning of August 2023, the subjects of the KII include government agencies, organizations in the field of communications, health, science, transport, power, banking, the fuel and energy complex and other significant sectors of the economy.

Categorizing the InformSystems themselves of significant industries, in fact, will expand the scope of the law by including objects that were not previously such. And this will lead to the emergence of a register of software recommended for use in enterprises and organizations in various sectors of the economy.

Market participants believe that the new bill will contribute to the fact that it will be easier for specialists in KII subjects to categorize based on government-approved lists. On the other hand, it could "strengthen regulatory barriers for the industry." Belonging to the CII imposes on organizations a number of working conditions, including security and import substitution. According to the decree of the President of the Russian Federation of March 2022, government agencies and state-owned companies are prohibited from using foreign software at KII facilities from January 1, 2025.^[21]

Ministry of Digital Development of the Russian Federation asked government agencies to create an additional IT infrastructure with georeservation

On August 4, 2023, it became known that the Ministry of Digital Development of the Russian Federation sent methodological recommendations to the departments to strengthen the stability of information infrastructure. In particular, it is proposed to back up communication channels and ensure the geographical distribution of data centers (data centers).

According to the Kommersant newspaper, the IT systems of federal departments belong to the critical information infrastructure (CII). In the current geopolitical situation, the number of cyber attacks on such resources has increased significantly, which leads to the need to strengthen protection. Redundancy of communication channels is required if, for example, in a data center where one or more departments store data, access is organized on a single line. In the event of a cyber attack or physical damage to the network channel, access to the department's information system will not be possible.

Against the background of new threats in cyberspace, an effective protective solution can be the creation of geodistributed virtual and physical data centers with backup communication channels. If this is not possible, then at least it is necessary to connect additional communication channels to the information system, which will be built along geographically different routes.

Market participants say that the recommendations of the Ministry of Digital Development have already influenced, among other things, the growth in demand for the placement of data in regional data centers. Thus, some Russian companies transfer the processing and storage of information from data centers in the Moscow region beyond the Urals. Providers note an increase in demand in the cloud services segment Yekaterinburg in and. Novosibirsk However, the formation IT infrastructures with georeservation and the deployment of additional information transmission channels will entail an increase in the costs of departments for information infrastructure. Costs can rise by 10% due to the need to lease additional servers and create auxiliary network channels.^[22]

Real estate data in Russia will protect against cyber attacks

At the end of June 2023 State Duma , it adopted in the third (final) reading amendments to the federal law "On Security" critical information infrastructure RUSSIAN FEDERATION in terms of clarifying the subjects of critical information infrastructure.

The document refers to such subjects information systems, information and telecommunication networks and automated control systems operating in the field of state real estate registration. In addition, CUES persons who own such systems and networks will also be considered subjects.

This initiative, according to its authors, will allow extending to the real estate sector a set of measures that are used by the state to protect critical information infrastructure. New norms are being introduced to ensure the security of real estate registration data "to protect them from hacker attacks and abduction," says Vasily Piskarev, chairman of the Duma security committee.

One can only assume the consequences of hackers' attempts to hack into databases and, for example, change data on real estate owners or simply steal this information for fraudulent purposes, he said.

The adoption of the bill will make it possible to implement a set of measures to detect, prevent and eliminate the consequences of computer attacks carried out against objects of this sphere, and will create conditions for countering crimes, the explanation to the document says.

Nikita Chaplin, a member of the Committee on Budget and Taxes, stressed that it is extremely important to pay special attention to protection against theft of registration data in the field of real estate, especially when it comes to the critical information infrastructure of the Russian Federation. At the same time, he noted that the Russian special services successfully repel attacks.^[23]

FSB approved the procedure for monitoring the security of sites of CII subjects

On June 2, 2023, the Federal Security Service of the Russian Federation (FSB) approved the procedure for monitoring the security of sites of subjects of critical information infrastructure (CII).

We are talking about resources belonging to the federal executive bodies, the highest executive bodies of state power of the constituent entities of the Russian Federation, state funds, state corporations (companies) and other organizations created on the basis of federal laws. In addition, the document applies to strategic enterprises and joint-stock companies, backbone organizations of the Russian economy, as well as legal entities that are subjects of CII.

It is said that monitoring is carried out in order to assess the ability of information resources of organizations to counter threats to information security. Relevant work will be carried out by the FSB Information Protection and Special Communications Center and territorial security agencies. Monitoring includes information systems (including sites on the Internet), information and telecommunication networks and automated control systems.

According to the order of the FSB, organizations must send to the e-mail address monitoring@fsb.ru information about domain names and external network addresses of their information resources, as well as about changes in such names and e-mail addresses. Security monitoring is carried out continuously and includes the collection and analysis of information and documents about the information resources used; identification of functioning services and detection of vulnerabilities; assessment of system security. Identification of working resources and search for potential problems are carried out remotely without first notifying organizations of the start of work.^[24]

FSTEC calls on government agencies and banks to disable access to corporate mail through foreign IP

On March 21, 2023, it became known about the recommendations in terms of information security, which the Federal Service for Technical Export Control (FSTEC) to security entities of critical information infrastructure (CII - government agencies, communications, finance, fuel and energy complex, telecom operators, etc.).

In particular, as Kommersant"" writes with reference to the presentation, FSTEC the department calls for disabling remote access to critical nodes and networks, prohibiting open relay (allowing servers you to uncontrollably pass mail through yourself), as well as interaction through e-mail with foreign IP addresses.

FSTEC explained that these measures will further protect the postal systems of significant companies in the Russian Federation related to KII. FSTEC also recalled the need to record the actions of all privileged users in the IT systems of CII facilities to combat possible "internal violators," including those who ensure the technological processes of companies as part of an outsource or involved in the work of third-party employees from other departments.

The "Informzaschita" called it a good practice to disable direct remote access to control interfaces and prohibit open relay. Restriction of foreign addresses is a measure that has already been applied by state institutions without special negative consequences for themselves, but it is not always possible to apply such a practice for CII subjects, since companies can interact with counterparties who use foreign IP addresses, the company noted.

The proposed restrictions do not apply to all computers of the subject of KII, but only to those that are part of the critical infrastructure, said Yevgeny Altovsky, head of the information and analytical service of the OD "Information for All." He considers the ban on interaction with foreign IP addresses excessive, since their ownership changes regularly. KII subjects will have to check every time who owns the IP address of the correspondent's mail server, the expert clarifies.^[25]

FSTEK explained what to do if the owner of the CII does not have money for an information security system to ensure its protection

Following the results of the measures taken, the state control FSTEC revealed typical problems in the field of protection of significant objects. critical information infrastructure On March 15, 2023, Elena Torbenko, head of the Russian FSTEC department, spoke about them at an event dedicated to information security APCS critical facilities.

Significant objects of CII, we recall, include such objects of CII, which are assigned one of the categories of significance, and they are included in the corresponding register maintained by the FSTEC.

According to Elena Torbenko, the financial problem of creating a security system for significant KII facilities is one of the main ones. At the same time, when the object is assigned a category of significance in 2019-2020, and in 2023 FSTEC sees that the creation of an information protection subsystem is planned only for 2024-2025, this is negligence, a representative of the regulator said.

Failure to comply with legal requirements is liability. It's good if it's administrative. And if an incident occurs on this issue, it will already be criminal liability.

There is no need to shove the task now - "it was not me, it was before me, we do not have funding." If you cannot implement technical measures, then you need something compensating - organizational measures. They do not require significant costs, - said Elena Torbenko.

If, for example, in an organization in an industrial system with a life cycle of 5-10 years, they cannot implement certain measures, for example, install an antivirus there, then an organizational measure should be applied: leave some intermediate place where an appropriate check of information carriers that work in a significant system, in an industrial facility, explained the representative of FSTEC.

Or, if an organization cannot set a password policy and division of roles, this can be done organizationally, classically - by logging.

Most of these organizational, "zero" measures, as we call them, have already been implemented as part of your industrial safety measures. Just use them in your significant object, document and live in peace, - recommended the head of the FSTEC department of Russia. - But, nevertheless, it is necessary to create a subsystem, including taking into account the organizational measures that you can apply in your significant objects.

Another main problem identified is that the actual composition of such objects does not correspond to what the subjects of the CII provided to the FSTEC earlier. Information about them is not updated. This leads to the fact that neither FSTEC nor NCCC can often warn CII subjects in time about the problems, threats and dangers that arise in the current situation.

The next common problem is that technological facilities are connected to corporate systems, and formally the organization believes that there is no Internet access, but the corporate system often interacts with the Internet without using additional information protection tools.

The minimum protection on the perimeter of your significant CII facility, the minimum means of protection and measures on the perimeter of your corporate system lead to the fact that the offender can safely act on your systems. Statistics show that before the manifestation of the offender in the system, he can be there for up to several months, - said the representative of the FSTEC.

As for the implementation of the rules for categorizing significant objects of CII, here FSTEC indicates that the categorization often does not take into account the interaction of such objects with other objects. Organizations often forget that one object can depend on another in its functioning. As a result, FSTEC is faced with the fact that dependent objects have different categories, which also carries security threats.

And in some organizations they do this: they divide their CII objects into separate small subsystems, trying to be excluded from the register of significant CII objects. But this will not pass, assured Elena Torbenko. From those who do this, the regulator requires to justify the interaction of these objects.

In addition, there is an underestimation of damage that may lead to the termination or violation of the functioning of significant objects of CII. Experts from other ministries are involved in this problem at FSTEC to help develop the necessary methods and recommendations.

Owners of critical IT systems for Russia are stepping on the old rake. FSTEC named typical safety errors

In 2022, representatives of the FSTEC, as part of measures to implement measures by KII entities to protect their facilities, made visits to more than 700 organizations. As a result, representatives of the regulator saw "disappointing results," Elena Torbenko, head of the Russian FSTEC department, said at an industry conference on February 7, 2023.

A number of problematic issues that have been relevant for several years remain unresolved. Among organizations in various areas, typical errors were identified that create the possibility of implementing threats to the security of CII facilities. The representative of FSTEC voiced them.

First of all, on the components of significant CII objects in the perimeter of the organization, there are ON vulnerabilities of a critical level of danger that can be exploited, including due to vulnerabilities in the system architecture.

Security analysis by KII subjects is not carried out, says Elena Torbenko. - Colleagues, if you do not have your own specialists and resources at the expense of which you could do this, it is allowed to attract licensees, because the perimeter security analysis is an analysis of the system that the intruder encounters in the first place. If you leave "holes" there, you leave an open door for the intruder to enter your system.

In addition, FSTEC is still faced with the fact that on significant objects, including the information protection tools used for them, there are default passwords. I.e. software purchased, installed, and pre-installed passwords remained in it. This is also essentially an invitation for the offender to exploit the vulnerability.

The measures that the subject of CII implements are in some cases formal: they are insufficient to ensure full protection of significant objects. At the same time, if it is impossible to implement certain measures at significant facilities, compensating measures are not applied, says the representative of FSTEC. The regulator is faced with the fact that antivirus protection is not installed in information components. And where it is impossible to install an antivirus in automated control systems, additional measures for checking the media that are are not implemented.

Another typical error is the use of unaccounted media, which can be malware peddlers in an organization's systems. And cases of encryption of industrial systems are already found in practice.

Some KII subjects also do not consider it expedient to delineate access rights to systems, Elena Torbenko cited another example. Accordingly, an ordinary operator can do anything from under his account, for example, bring CII objects into a freelance mode of operation.

Interaction with the supply chain remains a problem - that is, with those who serve the systems of CII subjects both in terms of ensuring security and their regular functioning. In some cases, there is no complete control over such an external organization, the contractual relationship does not provide for the issue that suppliers must comply with the requirements of the law and also ensure the safety of CII facilities.

And I'm not talking about such classic violations as controlling machine media, disabling unused USB ports, etc. - that is, the measures that have been used in information systems since time immemorial, "added Elena Torbenko.

The FSTEC representative also said that in 2022, CII subjects continued to work on identifying their IT facilities as CII facilities, classifying them as significant and creating security systems for them. In 2022, the number of objects classified as significant more than doubled compared to 2021, according to the FSTEC.

2022

FSTEC has developed a methodology for assessing cybersecurity for government agencies

The Federal Service for Technical Export Control (FSTEC) has developed a new methodology for assessing the degree of information security in government agencies and organizations with state participation, as well as in companies with critical information infrastructure (CII; these are banks, telecom operators, representatives of the fuel and energy complex, etc.). This became known on November 23, 2022. Read more here.

Sberbank said that organized cyber war is being waged against Russia

In the current realities, software in the field is of particular importance, cyber security"because right now Russia it is organized against, the cyber war purpose of which is to disable everything," country's critical infrastructure said the Deputy Chairman of the Board in early September 2022. Sberbank Stanislav Kuznetsov

In his opinion, only Russian solutions should be applied at significant facilities of the country's critical infrastructure by 2025. As for cybersecurity systems, they need to use exclusively domestic developments, regardless of their scale.

According to Stanislav Kuznetsov, much has been done in this regard, but two areas require special attention and the connection of state institutions - this is the protection of clouds and the protection of highly loaded systems, because for large companies there are still no competitive solutions here.

At the heart of the confrontation to cybercriminals are cyber defense centers, and they should primarily have. In domestic software Sberbank, there is such a center, and in it 90% - the development of Sberbank. However, there are few such centers in the country as a whole - we counted only five. I would like them to be much more, - said the top manager. bank

As he added, Sberbank feels the influence of cyber warfare: over the last quarter, Sberbank withstood about 450 DDoS attacks, and 350 were reflected by its subsidiaries. This is the same as in the last five years. The main activity of criminals is focused on three areas: network attacks, phishing and. telephone fraud Technological solutions, including the creation of a library of voices criminals, allow such actions to be resisted, which allows you to successfully combat telephone fraud.

So, Sberbank has several developments in the field of cybersecurity. Among them are the anti-fraud system, which prevents 99% of telephone fraud, and the cyber threat analysis system. And the bank is ready to share such systems, Stanislav Kuznetsov emphasized.

In the field of cybersecurity, we have only two years left to make another breakthrough and provide our own developments to protect the entire perimeter of the state. Critical infrastructure is used by the largest companies in the country, and it is very important to have reliable protection, because in a cyber war, any mistakes and non-competitive decisions can lead to catastrophic consequences. And it is important not only to unite efforts - there should be a more active role of the state, - the Deputy Chairman of the Management Board of Sberbank is convinced.

According to Stanislav Kuznetsov, in order to successfully solve, the task of switching to domestic software a single governing body is needed, as well as uniform rules and requirements, unified processes that apply to both the state and business. Another sensitive topic is training. Here you cannot do without a state, since it is in the state that an order for personnel is formed. As of the beginning of September 2022, about 5 thousand specialists in the field work in the country, and cyber security it is necessary - 20 times more.

The top manager of Sberbank also added that it is not enough just to have a register of Russian decisions - you need to understand which of them can really be used and in which business segments. It takes an audit of these decisions to understand what stage we are at and what needs to be done. And such work should be carried out under the umbrella of state institutions.

The representative of Sberbank also drew attention to the situation with telephone fraud. On the one hand, the level of cyber literacy is growing, and people are less and less likely to disclose confidential information about their accounts to swindlers. On the other hand, it is important to resist this, including by law. First of all, it is necessary to suppress the still existing practice of providing number substitution without passport data, which is still sinned by some regional telecom companies, thereby helping criminals deceive citizens.

The Ministry of Digital Development creates a register of unacceptable cyber violations

On August 23, 2022, it became known about the decision of the Ministry of Digital Development of the Russian Federation to launch a register of unacceptable events in information security for government agencies and critical information infrastructure (CII) facilities.

The registry will first include scenarios that are dangerous for the IT sphere, which companies "should not be allowed under any conditions." These threats should be identified by auditors together with the heads of the assessed organizations, an informed source told Kommersant.

Companies will also have to determine which of the events may be characteristic of them and report on it. to the government According to another interlocutor of the publication, after that they will monitor the absence of such violations. cyber security

Information about the creation of a register of unacceptable events in the field of cybersecurity was confirmed to the newspaper by the Ministry of Ministry of Digital Development. They said that within the framework of the presidential decree, a number of organizations and bodies were supposed to conduct a security analysis and submit a report to the government. The work done has shown that unacceptable events need to be systematized. The Ministry of Digital Development clarified that the register will be ready by the end of 2022.

Independent cybersecurity expert Alexei Lukatsky said that now companies are sending abstract formulations to the Ministry of Ministry of Digital Development about security risks, which are not behind understanding the problem. According to him, in the case of the register, it will be possible "to show clearly what each company should protect itself from." The expert assures that it is not just a list that is important, but "verification of each event, its demonstration."

According to him, responsible company leaders should understand, for example, that it is possible to stop equipment, what loss the enterprise will incur and what it needs to do so that this does not happen.

Then the register will become a starting point in assessing the vulnerability of companies from all areas, "Lukatsky said.[26]

A special type of malware has appeared in Russia, threatening government agencies and industry

On July 27, 2022, Positive Technologies specialists warned of the appearance in Russia of a special type of malware that threatens government agencies and industry. We are talking about the so-called bootkits, which are launched before the operating system boots. Read more here.

The Government of the Russian Federation has established requirements for top managers responsible for cybersecurity in government agencies and corporations

As it became known at the end of June 2022, the Government of the Russian Federation established requirements for top managers responsible for cybersecurity in state bodies and corporations. The provisions were developed by decree of the President of the Russian Federation Vladimir Putin, according to which responsibility for cyber risks falls on the deputy heads of enterprises.

As Kommersant writes with reference to a government document, the person responsible for ensuring information security is obliged to have a higher specialized education "no lower than a specialist or a master's degree" or undergo vocational training. In addition, he must understand the "impact of information technologies on the work of the organization," ways to build information systems, including restricting access, ensuring the security of the company's internal networks. The specialist should be familiar with "the main threats to cybersecurity, the prerequisites for their occurrence and possible ways of their implementation," as well as their consequences.

Representatives of Group-IB and InfoWatch, in a conversation with the newspaper, explained that in fact, the new requirements describe information security experts with practice and expertise over the years, of which there are not so many in the country now, and the training of current leaders will take a lot of time and funding that should have been laid down last year. Since this was not done, government agencies will have to find resources to prepare leadership as a matter of urgency from other items of expenditure. But even so, the training process can drag on or be interrupted if an employee quits and the company has to look for new personnel to replace him.

The requirements of the model provision will require costs, in particular, for measures to analyze and assess the state of information security of the organization, said Ivan Melekhin, director of the IZ: SOC cyber attack monitoring and counteraction center at Informzaschita.^[27]

Mishustin approved a list of organizations that need to conduct an audit of the security of their IT systems

In June 2022, Prime Minister Mikhail Mishustin signed Decree No. 1661-r. With this document, the Chairman of the Government of the Russian Federation approved the list of organizations that need to conduct an audit of the security of their IT systems.

The list includes the Ministry of Health, the Ministry of Education and Science, the Ministry of Industry and Trade, the Ministry of Transport, the Ministry of Finance, the Ministry of Digital Development, the Ministry of Energy, the Ministry of Emergency Situations, the Federal Tax Service, Rosreestr, the Treasury, the FFOMS, the Moscow government, the government of St. Petersburg and another 58 key organizations in various fields of activity.

The listed departments and companies need to take measures to assess the level of security of their information systems with the involvement of organizations that have the appropriate licenses of the FSB of Russia and the FSTEC of Russia. The results of the audit will be sent to the government, the information will be taken into account when developing measures to ensure the security of information resources of the Russian Federation, the ministry explained.

In June 2022, the Ministry of Digital Development of the Russian Federation published a standard terms of reference for the implementation of work to assess the level of security of information infrastructure. The department indicated the need to solve the following problems:

• identification and consolidation of strategic risks (unacceptable events) of information security;
• identification of information infrastructure vulnerabilities that can be exploited by external and internal violators for unauthorized actions aimed at violation of confidentiality properties, integrity, availability of processed information, as well as technical information processing means, as a result of which their normal operation mode may be violated, which will lead to unacceptable events;
• identification of deficiencies in the information protection tools and software products used, as well as assessment of the possibility of their use by the offender;
• checking the practical possibility of exploiting vulnerabilities (using the example of the most critical ones);
• obtaining an assessment of the current level of security based on objective evidence;
• development of an information infrastructure modernization roadmap.

The list of key bodies (organizations) that need to take measures to assess the level of security of their information systems can be found here.

Vladimir Putin demanded to strengthen measures in the field of information security and create a state system for the protection of information

Russian President Vladimir Putin during the broadcast of the Security Council of the Russian Federation on May 20, 2022 said that the country is under constant cyber attacks, which are coordinated and applied from different countries. According to him, this is not done by lone hackers, but by government agencies. He recalled that the armies of hotel countries include cyber warfare.

In this regard, Vladimir Putin proposed to strengthen measures to protect the digital space and create a state information protection system in Russia.

I consider it expedient to consider the creation of a state information protection system. I also expect from you specific proposals on what additional steps should be taken to ensure the sustainable operation of the information infrastructure in the authorities and public administration, - said Vladimir Putin at a meeting of the Security Council of the Russian Federation.

According to him, it is important to minimize the risks of leaks of confidential information and personal data of citizens, as well as improve the mechanisms for protecting critical objects on which the country's defense capability, stable development of the economic and social sphere directly depend. The actions of government agencies in the field of information security should be coordinated at the strategic level, and the heads of organizations will be personally responsible for the implementation of the prescribed measures.

The president called the transition to domestic hardware and software one of the main steps. Moreover, according to him, it is necessary not only to copy existing Western solutions, but also to create your own.

Today we can say that cyber aggression against us, as well as the sanctions attack on Russia in general, failed. In general, we were ready for this attack, and this is the result of the systematic work that has been carried out in recent years, "said Vladimir Putin.

Vladimir Putin noted that one of the tools of sanctions pressure on Russia was restrictions on foreign information technologies, programs and products. A number of Western suppliers unilaterally stopped technical support in Russia for their equipment. Cases of restriction of work or even blocking of programs after their update have become more frequent. According to him, this should be taken into account when using Russian companies, authorities and management authorities previously established and introducing new foreign information technologies and products.

Tasks	Comments by Russian President Vladimir Putin
Усовершенствовать и донастраивать механизмы обеспечения information security of industry critical facilities, on which the country's defense capability, stable development of the economy and social sphere directly depend	So far, there are no structural units for information protection for a third of such facilities. Meanwhile, such units should be created as quickly as possible, and they include specialized specialists who know the industry specifics well. At the same time, coordination of the actions of all structures for ensuring information security of critical facilities should be fixed at the strategic level, and personal responsibility for solving these issues in accordance with the provision of Decree No. 250 is assigned to the heads of organizations.
Повысить защищенность информационных систем и сетей связи в государственных органах. Проведенные в 2021 году проверки показали, что большинство действующих там ресурсов уязвимы для массированных атак, для деструктивного внешнего воздействия, тем более при использовании зарубежных технологий последнего поколения	It is necessary to strengthen the defense of the domestic digital space - there should be no weak places. It is fundamentally important to negate the risks of leaks of confidential information and personal data of citizens, including through stricter control of the rules for the use of official equipment, communications, communications. It is necessary to consider the creation of a state information protection system. The President expects concrete proposals from the Security Council participants on what additional steps should be taken to ensure the sustainable operation of the information infrastructure in authorities and public administration.
Кардинально снизить риски, связанные с использованием зарубежных программ, вычислительной техники и телекоммуникационного оборудования.	The government needs to create a modern Russian electronic component base in the shortest possible time. It is necessary to develop and implement domestic technological equipment for this, including those necessary for the production of software and hardware systems. Part of the work has already been completed: a national crisis headquarters has been created to prevent targeted computer attacks. In each federal district, information security commissions have been formed under the plenipotentiary representatives of the President of Russia.

Mishustin approved the procedure for conducting an experiment to increase the level of protection of GIS

In mid-May 2022, Prime Minister Mikhail Mishustin signed a decree approving an experiment to increase the level of security of state information systems (GIS) of federal executive bodies (FOIV) and institutions subordinate to them.

As follows from the document, the experiment will be conducted by the Ministry of Digital Development from May 16, 2022 to March 30, 2023 as part of the federal project "Information Security" of the national program "Digital Economy." The purpose of the experiment will be to assess the level of security of GIS, inventory of protection systems, as well as identify shortcomings in infrastructure, architectural and organizational solutions. As a result, it is planned to develop a list of measures to neutralize GIS vulnerabilities.

According TASS to the press service of the Ministry of Digital Development, as part of the experiment, FOIV or their subordinate institutions will be able to apply for work to improve the security of GIS.

The Ministry of Digital Development with the involvement of leading commercial companies in the field of information security will hold measures that will assess the current level of GIS security, check the practical possibility of exploiting vulnerabilities, and identify shortcomings in the GIS protection system, the press service of the department explained.

As a result of the experiment, Ministry of Digital Development, together with the FSB of Russia and the Federal Service for Technical and Export Control of Russia, will develop and provide the participants in the experiment with recommendations for neutralizing GIS vulnerabilities.

In addition, the Ministry of Digital Development will have to:

• ensure the conclusion of cooperation agreements and organize the implementation of work to increase the level of protection of the GIS of the participants in the experiment;
• monitor the progress of elimination of deficiencies (vulnerabilities) identified within the framework of the experiment^[28]

Putin signed a decree on the creation of cybersecurity departments in medical organizations

In early May 2022, the president Russia Vladimir Putin signed a decree creating a separate cyber security one at facilities critical information infrastructure (), CUES including institutions. health care Such structures should be headed by one of the deputy heads of the organization. His duties, as well as the functions of the department government , will be approved within a month.

According to the document, cybersecurity departments are obliged to cooperate in the FSB, provide service employees with unhindered access (including remote) to information resources for monitoring, follow their instructions, data based on the results of the audit.

From January 1, 2025, when providing cybersecurity to health care institutions and other CII facilities, it is forbidden to use data protection tools made in unfriendly countries. The equipment of firms that are under the direct or indirect control of an unfriendly country affiliated with it also falls under the ban.

Explanations on the application of the decree will be given by the Ministry of Finance and the Central Bank, follows from the decree. The government was instructed to approve the list of persons under sanctions within 10 days and determine additional criteria for classifying transactions as prohibited.

The activity of cybercriminals in relation to medical institutions is steadily growing. By 2022, medicine is one of the three leaders in the number of various kinds of cyber attacks, second only to government agencies and industry, displacing banks and financial companies from the top.

The variety of information systems in different medical and preventive institutions (LPUs), which can be public, private and departmental, leads to the fact that different approaches to information protection are applied. Often, the protection of systems in LPUs is fragmented, which complicates their cyber protection.^[29]"

Created an interdepartmental commission of the Security Council of the Russian Federation to ensure the technological sovereignty of the country in the field of CII development

By presidential decree, an interdepartmental commission of the Security Council was created in Russia to ensure the country's technological sovereignty]] in the development of critical information infrastructure (CII). This was announced on April 25, 2022 by IVK. The main task of the commission will be to develop measures to ensure the safety of CII. Read more here.

FSTEC creates a system for secure development of software for 0.5 billion rubles

On February 16, 2022, the Federal Service for Technical and Export Control (FSTEC) of Russia announced a tender for "creating a unified environment for the development of safe domestic software." The initial (maximum) contract price is 510 million rubles. Read more here.

2021

The number of criminal cases due to attacks on government agencies and banks in Russia has tripled

In 2021, 70 criminal cases were opened in Russia due to cyber attacks and other unlawful impact on critical information infrastructure (CII - IT systems of government agencies, banks, transport, fuel and nuclear industry, power, etc.) against 22 a year earlier. This is evidenced by the data of the InfoWatch study conducted using statistics from the Ministry of Internal Affairs and data from the state automated system "Justice." Read more here.

Ministry of Digital Development will check the safety of its GIS for almost 150 million rubles

Ministry of Digital Development is ready to pay 149,681,625,9 rubles for an independent security check of state information systems (GIS), including mobile applications. Information about this appeared at the end of October on the public procurement portal. The winner of the tender will be determined in early December 2021. The GIS check should be completed on March 30, 2022.

The Ministry did not answer the question about the purpose of the GIS check and did not specify which systems they plan to check. The ministry itself and through subordinate structures is responsible for more than 30 GIS, including:

• "Unified Portal of State and Municipal Services (Functions)" (State Public services Portal);
• "Unified System of Interdepartmental Electronic Interaction" (SMEV);
• "Unified Identification and Authentication System" (ESIA);
• "State Information System of Housing and Communal Services" (GIS Housing and Communal Services);
• "Unified Interdepartmental Information and Statistical System" (UIISS);
• "Federal Portal of Public Service and Management Personnel";
• Unified Regulatory Reference Information System (ESNSI);
• "The official website of the Russian Federation in the information and telecommunication network" Internet "for posting information about the bidding" (Portal Gosprodazh)
• "AIS" Management of departmental and regional informatization ";
• IS "Independent Registrar," etc.

In Russia, in accordance with the provisions of Federal Law No. 149-FZ of the 27.07.2006 "On Information, Information Technologies and Information Protection," FSTEC (Federal Service for Technical and Export Control) is responsible for the verification and certification of GIS. Accordingly, all requirements for GIS are spelled out in FSTEC Order No. 17 of February 11, 2013 "On Approval of Requirements for the Protection of Information Not Constituting State Secrets Contained in State Information Systems." Conducting its own inspections of GIS by state authorities is not regulated in the legislation.

Alexey Lukatsky, a security business consultant at Cisco Systems, commenting on the tender, noted that the business regularly checks information systems for vulnerabilities. In large international companies, scheduled checks of information protection systems are carried out once every six months, and sometimes once a quarter. Due to the lack of information security budgets, state structures conduct such checks much less often, or even do not conduct them at all.

The practice of regularly checking GIS, according to the expert, appeared in Russia only a few years ago. When vulnerabilities are detected, they are most often fixed using "patches" or reconfiguration of information security systems. If we are talking about architecture defects, then a TA is formed for the revision of the information security system.

According to Alexei Lukatsky, the price of services for finding vulnerabilities in information security systems depends on the scale of the tested GIS and the depth of analysis.

How to protect critical infrastructure. Review of a large expert discussion

As part of the ITSF-2021 Digital Forum held in June, a discussion panel was held on the information security of critical infrastructure. Experts discussed a wide range of issues, including: the practice of implementing FZ-187, categorizing CII, import substitution, assessing damage under various threats, and much more. The session was moderated by an independent information security expert Alexei Lukatsky. Read more here.

Mission impossible: banks will soften the conditions for the transition to domestic software and equipment

On July 16, 2021, the working group on the transition of financial organizations to domestic software and equipment under the State Duma Committee on the Financial Market received approval from regulators of several proposals for draft acts in the field of import substitution in the financial sector. This was announced at an online meeting with the press by Anatoly Aksakov, head of the State Duma Committee on the Financial Market.

Import substitution in the financial sector, we recall, is carried out in connection with the instructions of the president in the field of ensuring the security of critical information infrastructure (CII).

One of the critical issues raised at the meeting of the working group with the participation of regulators was the timing of the transition of CII subjects in the financial sector to domestic software and equipment. The current deadline is designated 2023, but banks have repeatedly criticized such a deadline as hardly achievable, and several times asked to shift the transition dates until 2028.

Anatoly Aksakov said that, despite the wishes of the bankers, the timing will still be quite tough. However, it was possible to agree on a compromise: it turned out to agree with the regulators on a delay situation when import substitution can be delayed even for a period later than 2023, if by this time the financial sector's KII constituent organizations have not yet expired their licenses for imported software already in use or the depreciation period for imported equipment is not yet suitable.

Switching to domestic software and equipment means very high costs, because you need to write off the old one and essentially pay for licenses, despite the fact that you are switching to your Russian counterpart. And now we were allowed to wait for the expiration of software licenses and the timing of the write-off of depreciation equipment and then switch to Russian counterparts. This means that the costs of the banking industry will be significantly reduced, which is a significant criterion for the stability of the banking sector in our country, "says Maria Shevchenko, chairman of the working group, member of the Association of Russian Banks, chairman of the board of directors of Kiwi Bank. - It removed, probably, the main contradictions between participants.

Thus, despite the fact that the transition period to domestic software and equipment for CII subjects in the financial sector will remain tight, banks will have more flexibility in planning. CII banks will have to develop transition plans taking into account the validity of software licenses and depreciation of equipment, choosing Russian analogues according to the lists agreed with the Bank of Russia.

The inclusion of the Bank of Russia in the import substitution procedure as a profile regulator was another important achievement of the working group following the discussion. According to Anatoly Aksakov, the Bank of Russia will participate, including in the selection of domestic software, equipment for financial institutions, for their subsequent implementation in the financial market. Banks will be guided by these lists when drawing up their import substitution plans.

At the same time, given that the Bank of Russia itself is a subject of the implementation of the law on the security of CII, that is, it will also have to introduce domestic solutions, it will be very attentive to what is proposed to the financial sector, Aksakov noted.

We are grateful to the Bank of Russia for its assistance in this process, as well as the Ministry of Digital Development for supporting the proposal. This innovation will allow synchronizing the process of transition to preferential import substitution in the financial sector with the current requirements for the subjects of this market, taking into account their characteristics and minimizing possible risks for the financial system, says Maria Shevchenko.

In addition, they say in the working group, agreements were reached on the distribution of import substitution requirements only for significant objects of CII. And for those who do not have categories of significance, the provisions will be advisory in nature. This will allow you to focus on the most important objects for the state.

Now it remains to wait for the release of documents that would legalize the agreements reached with the regulators. We are talking about the draft presidential decree, the draft government decree, which approves the requirements for software and equipment and the procedure for switching to preferential import substitution. Separately, there is also a government decree No. 1236 with requirements for software to be entered into the register of Russian software, and as of July, changes are also being developed to it: in particular, to simplify the process of including in the register of domestic software solutions developed by the banks themselves. The working group expects that the documents will be ready by the fall of 2021, and will enter into force from March 2022.

8 out of 10 industrial enterprises in Russia have problems with servicing the IT infrastructure

On June 24, 2021, Group-IB announced that on average, 8 out of 10 industrial enterprises in Russia have problems with servicing the IT infrastructure. In the first half of 2021, almost 3 times more attacks on critical infrastructure facilities were recorded in Russia than in the entire 2019.

Problems with maintaining the IT infrastructure of organizations are caused by a lack of resources, outdated software and an often unfinished patch management process (the process of closing vulnerabilities thanks to timely software updates), which means they are a potential target for cybercriminals, Group-IB said.

As of June 2021, according to Group-IB Threat Intelligence & Attribution, a total of 137 groups, of which 122 cyber-criminal groups and 15 pro-state groups, are aimed at critical infrastructure. The main motivation of cybercriminal groups is still financial, most of them are "ransomware," that is, hackers attacking organizations for ransom for decryption. The goals of pro-government hacker groups are espionage, sabotage and sabotage. Group-IB cites statistics: the number of attacks on critical infrastructure in the world has grown 12 times since 2019.

In the first 6 months of 2021, 40% of attacks on KII facilities in Russia were committed by cyber crime, 60% by pro-state attackers.

Russia and the USA want to create expert group on cyber security for the purpose of protection CUES from cyber attacks

Presidents of Russia and the USA want to create expert group on cyber security. However both parties are sure that the opponent collects data on the enterprises of critical infrastructure and makes the hacker attacks against colleagues.

The United States has repeatedly asked Russia to stop hacking against American companies. However, Russia does not remain in debt: they are sure that most hacker attacks on critical infrastructure () CUES are carried out from the United States.

A meeting of the leaders of the two states took place in Geneva on June 16, 2021. Russian President Vladimir Putin, before meeting with US President Joe Biden, said that the issue of cybersecurity is one of the most important on a global scale.

"Because all sorts of disconnections of entire systems lead to very serious consequences. And this, it turns out, is possible, "Vladimir Putin said in an interview on the Russia 1 TV channel.

Following the talks, the leaders discussed the creation of an expert group on cybersecurity. Joe Biden said that cyber attacks should not be carried out on critical infrastructure.

"We agreed to instruct to work out which targets should not be subjected to cyber attacks." But, Joe Biden promised, if the agreements are violated, the United States will react.

During the summit, Putin and Biden agreed to begin consultations in this area and involve experts to discuss issues of protection against hacker attacks. Joe Biden has proposed a list of 16 infrastructure sectors against which cyber attacks will be banned.^[30]

Every tenth IT infrastructure of government agencies, banks and fuel and energy complex in the Russian Federation is infected with the virus

In early June 2021, it became known that every tenth of IT infrastructure state agencies banks, ENERGY INDUSTRY transport and defense institutions were infected. virus Such data led to the company "."Rostelecom-Solar

According to experts, even low-skill hackers can successfully attack critical information infrastructure, and most of the vulnerabilities in such networks have existed for more than 10 years.

Experts explain this situation by the fact that the software update process is absent in more than 90% of organizations, and the average time to install updates is more than 42 days.

The most common vulnerabilities in KII: Heartbleed, EternalBlue, which appeared in 2011 (in 2017 it caused the spread of the WannaCry ransomware) and BlueKeep, discovered in 2019. All of them are actively used by hackers to implement cyber attacks.

The study notes that the COVID-19 coronavirus pandemic has significantly weakened the IT perimeters. Over the year, by the beginning of June 2021, the number of automated process control systems (APCS) available from the Internet increased by more than 60%.

In addition, almost 2 times the number of hosts with a vulnerable SMB protocol has increased. This is a network protocol for sharing files, printers, and other network resources that is used in almost every organization. Such vulnerabilities are especially dangerous, as they allow hackers to remotely run arbitrary code without authentication, infecting malware on all computers connected to the local network.

The main problem in internal networks in the company "Rostelecom-Solar" called incorrect password management. Weak and dictionary passwords are extremely common, which allow an attacker to penetrate the internal network of the organization. Password matching is used by both amateur hackers and professional attackers.^[31]

The mysterious hacker group has been "hanging" in the IT infrastructures of federal government agencies in Russia for three years

The National Coordination Center for Computer Incidents (NCCC) of the FSB of Russia and Rostelecom-Solar in May 2021, at a meeting with journalists, spoke about the identification of a series of targeted attacks by professional cyber groups on Russian federal executive bodies (FOIV).

Based on the complexity of the means and methods used by the attackers, as well as the speed of their work and the level of training, we have reason to believe that this group has resources at the level of a foreign special service, "said Nikolai Murashov, deputy director of the NKCKI FSB of Russia.

The attacks were identified in 2020. And the story of the discovery began at the end of 2019, when Rostelecom-Solar provided IT security to one of the government agencies, the company said. Then an attempt was discovered to touch one of the customer's protection servers. Usually attacks of this kind are not detected by standard means of protection and antiviruses: these were traces that quickly disappeared, but gave a clue to understand what is happening, where the group came from and what methods it uses.

As a result of the analysis, it turned out that the same group was present in the systems and other FNIVs. Moreover, the first signs of presence dated back to 2017. That is, for more than 3 years the group worked and carried out its actions in the IT infrastructures of state organizations, says Igor Lyapunov, vice president for information security at Rostelecom.

The names of the attacked government agencies are not specifically named - for security reasons. The number of attacked FOIVs in the NKCKI also preferred not to specify.

In all the identified operations, the main targets of the attackers were complete compromise of the IT infrastructure, as well as theft of confidential information, such as mail correspondence, general and limited access files, infrastructure and logic schemes, etc., according to an analysis conducted by the NKCKI FSB of Russia and Rostelecom-Solar.

The damage, from our point of view, is rather reputational, - said the deputy director of the NKCKI FSB of Russia, answering a TAdviser question about the damage caused by the group.

Nikolai Murashov added that the information constituting state secrets could not be stolen in this way. He also recalled that in Russia there are about 40 types of secrets, including tax, medical, and many others. Here, certain information that contained partially personal data and the like could have been taken out of the system, says a representative of the NCCCA.

But, in my opinion, the most important thing in the functioning of this system is that it was designed for a long term, - said the representative of the NKCKI FSB of Russia, answering TAdviser questions. "It's like a system that just in case exists. They penetrate and then very neatly... After all, colleagues talked about how carefully they acted. That is, all the actions of such an attack were designed for the long term.

The tools used by cyberplayers were professional, very complex and allowed hidden movement inside the IT infrastructure, says Igor Lyapunov. And the level of consolidation in the infrastructure was very extensive: attackers created up to 10-15 different access channels.

This level of attack is not the result of the activities of ordinary commercial groups. There is no possibility of monetization, and the cost of such an attack is large, since it requires very specialized software, Rostelecom notes.

And to penetrate FOIV infrastructures, attackers used three main attack vectors : phishing; exploitation of vulnerabilities in web applications published on the Internet; hacking the infrastructure of contractors (Trusted Relationship).

It is noteworthy that the malware developed by the attackers to unload the collected data was used by the cloud storage facilities of the Russian companies Yandex and VK (formerly Mail.ru Group), and in its network activity it disguised itself as legitimate utilities Yandex.Disk and Disk-O produced by these companies, the NKCKI of the FSB of Russia and Rostelecom-Solar found Rostelecom-Solar.

The State Duma approved fines for violation of the security of critical IT infrastructure

On May 18, 2021, the State Duma of the Russian Federation adopted in the third (final) reading a bill on fines for violating the security of critical information infrastructure. We are talking about systems in the fields of health care, science, transport, communications, power, banking, etc.

According to the new standards, which should enter into force on September 1, 2021, fines will be threatened for violations of the requirements for the creation of security systems for significant objects of critical information infrastructure, ensuring their operation and security. Their amount will be from 10,000 to 50,000 rubles for officials and from 50,000 to 100,000 rubles for legal entities.

For violation of the "procedure for informing about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks" will be punished even more seriously: fines will range from 10,000 to 50,000 rubles for officials, from 100,000 to 500,000 rubles for legal entities.

For violations of the procedure for exchanging data on incidents between subjects of such infrastructure, foreign authorized bodies, international organizations and NGOs working in the field of responding to cyber threats, fines are provided: for officials - from 20,000 to 50,000 rubles, for legal entities - from 100,000 to 500,000 rubles.

According to the explanatory note to the bill, "the size of the proposed fines takes into account the average salary of heads of structural units for ensuring information security."

As noted, TASS Information Agency of Russia justifying virus encoder WannaCry the need for the adoption of the law, the authors point to the attack recorded in 2017 using, which hit a large number of computer equipment in a number of state-owned companies, which took up to three days to restore. The reason for the damage was the failure to comply with the established requirements, including the requirement for timely update. software^[32]

Detection of more than 6300 vulnerable CCTV cameras at critical infrastructure facilities of the Russian Federation

On March 12, 2021, it became known about the vulnerability of more than 6,300 video surveillance cameras installed at critical infrastructure facilities and industrial enterprises in Russia. Due to flaws in this equipment, it is easy to hack.

The vulnerability of cameras at power plants, industrial enterprises, gas stations, etc., was reported in the company Avast with reference to the data of the search engine for internet of things Shodan.io. - IP the addresses of these cameras are open, and cybercriminals can access them, experts said To the businessman.

Access to a number of cameras today is protected by the simplest passwords that can be easily selected, Igor Bederov, general director of Internet Search, confirmed to the publication. Such cameras, he said, can be placed, including in banks, which potentially threatens to leak credit card data and customer passports. On the basis of open IP cameras, an illegal video surveillance or analytics system can be organized, Bederov admitted. If you supplement such a system with facial recognition modules, you get a total surveillance system, he said.

Ekaterina Rudaya, an expert at the laboratory of practical security analysis of the Information Security Center of Jet Infosystems, in a conversation with RBC, noted that data from cameras, for example, can serve as a source of information about human movement.

If desired, an attacker can map the movement of a person around the city. In case, of course, if the quality from the cameras allows you to recognize a certain person. This problem is unlikely to concern most citizens, since it is difficult to imagine that a simple programmer or teacher will be monitored. But in any case, the very fact of having the opportunity cannot be considered the norm to which you can safely close your eyes, "she explained.[33][34] in Russia

Cisco expert: Until there are criminal cases, business will not seriously invest in the implementation of the law on critical infrastructure

At the beginning of 2021, FSTEC announced its intentions to strengthen control over the implementation of the law on the security of critical information infrastructure (CII) in Russia ( 187-FZ). The agency plans to increase the number of inspections, including with the participation of the prosecutor's office, to involve industry departments in the work on bringing KII facilities in line with the requirements of the law. In addition, in addition to the liability already provided for in the Criminal Code, the introduction of administrative responsibility for non-compliance with the law on the security of CII, which provides for fines, is on the way.

Cisco cybersecurity expert Alexei Lukatsky believes that tightening control by the FSTEC over the implementation of this law will attract the interest of the owners of KII facilities to ensure their safety, but not earlier than in a year and a half. This is due to the fact that the first checks at FSTEC will begin in the second half of 2021, and while a small number of them are planned, not enough to talk about the trend, he explained to Tadviser.

And until there are real fines or initiated criminal cases brought to the verdict, Russian business will not seriously invest in ensuring legislative requirements, unfortunately. Because there are a lot of costs, and the benefit is completely unobvious, - believes Alexey Lukatsky.

Speaking about threats to CII facilities, the expert separately stopped at the APCS.

We see the attention of cybercriminals to APCS, we see that they are trying their hand, developing malicious code that carries out some kind of intelligence activity - that is, collecting data on the internal assets of industrial sites. But so far, in the conditions of low informatization of industrial sites and a lack of understanding of how these attacks can be monetized, attackers do not actively use this in their activities, - said a Cisco cybersecurity expert.

And the rest of the CII facilities are mainly business and office systems that are no different from what was not previously called CII facilities. Lukatsky noted that attacks on banking systems, which now belong to KII facilities, on office systems of industrial, transport, state-owned enterprises both happened earlier and occur.

As for industrial enterprises, in particular, here attacks are most often carried out not on APCS, but on office systems: for example, on those responsible for transport, supply management, shop work, etc., after which attackers demand a ransom for restoring management functions, but not hacking the industrial sites themselves.

However, this does not mean that there will be no more attacks on APCS in the future, when attackers learn to use hacks to monetize their actions, Aleksey Lukatsky emphasized. And the problem for most industrial enterprises is that their APCSs use outdated protocols and components that are susceptible to attacks.

According to FSTEC, a total of 55% of the most significant systems and networks related to CII do not use the required means of protection against computer attacks (for more details, see the block below).

55% of the systems of the most significant critical infrastructure are poorly protected from hacker attacks - FSTEC

Speaking To the State Duma at the end of February 2021 in defense of a bill involving the introduction of administrative fines for violating the security law critical information infrastructure (), CUES the deputy director FSTEC Russia Vitaly Lyutikov cited the indicators of the current level of its protection.

Since the entry into force in 2018, the 187-FZ on the safety of CII has identified more than 50 thousand CII facilities, of which 10 thousand are classified as the most significant systems and networks to be protected in accordance with the established requirements. An analysis of their security status showed that 55% of systems and networks do not use the required means of protection against computer attacks, Lyutikov said. And 25% of KII subjects do not have specialized specialists.

According to the State system of detection, prevention and elimination of consequences of computer attacks system, in 2020 more than 120 thousand impacts on the information infrastructure of the Russian Federation were identified, added the deputy director of FSTEC.

Under these conditions, there is a real threat of violation of the functioning of control systems for critical and potentially dangerous objects of the most significant sectors of the economy, - said Lyutikov.

Vitaly Lyutikov noted that the categorization of CII facilities provided for by the 187-FZ is the basis for taking the necessary protective measures. As of February 2021, more than 700 KII subjects did not categorize within the deadlines set by the government, Vitaly Lyutikov said. Safety requirements at their facilities have not been implemented.

In 2020, 507 computer incidents occurred at KII facilities, of which only 3% were timely provided to State system of detection, prevention and elimination of consequences of computer attacks.

The bill on establishing administrative responsibility for violating the legislation in the field of ensuring the security of the CII was prepared by the FSTEC together with the FSB in pursuance of the instructions of the President of the Russian Federation, Lyutikov recalled. It is proposed to introduce two articles into the administrative code of the Russian Federation: on violation of requirements in the field of ensuring the safety of CII and on failure to provide information provided for by law in the field of ensuring the security of CII. For offenses under these articles, it is proposed to introduce the imposition of fines on officials up to 50 thousand rubles, on legal entities - up to 500 thousand rubles.

The amount of fines was determined on the basis of an assessment of the consequences of computer attacks using the WannaCry ransomware virus that occurred on certain state-owned companies in 2017, "Vitaly Lyutikov explained, speaking in the State Duma.

The FSTEC expects that the adoption of the bill will encourage the subjects of the CII to timely adopt protection measures at their CII facilities. Earlier, representatives of the department noted a low percentage of 187-FZ execution and spoke about strengthening work in order to speed up its execution. For this, FSTEC, among other things, connected the prosecutor's office and strengthens inspections.

The bill on the introduction of administrative responsibility, considered in the State Duma and already past the first reading, was prepared back in 2019. He entered the State Duma in November 2020. By the second reading, it has yet to be finalized.

Earlier, following public discussions and public consultations, the document caused comments from market participants and regulators. Thus, the Ministry of Economic Development and Trade earlier in its conclusion on the assessment of the regulatory impact on the bill noted that in the Criminal Code of the Russian Federation (Part 3 of Art. 274.1) criminal liability has already been established, which provides, among other things, imprisonment for up to 6 years for violation of the rules for the operation of means of storing, processing or transmitting protected computer information contained in CII and related systems and networks, or rules for access to them, if this caused harm to CII.

The Ministry of Economic Development believes that the additional establishment of administrative responsibility measures should be synchronized with a simultaneous decrease in criminal liability measures.

In addition, the adoption of the bill may be fraught with the risk of imposing additional expenditures on the budget, the Ministry of Economic Development noted. According to the information provided by the executive authorities of the constituent entities of the Russian Federation, significant expenses are required to fulfill the requirements of the 187-FZ. For example, the executive authorities of the Republic of Khakassia require financial costs in the amount of more than 200 million rubles to implement the established requirements.

FSTEK has found a way to combat evaders from the implementation of the law on the protection of critical IT infrastructure. He was tested on the Ministry of Energy

Alexey Kubarev, Deputy Head of the FSTEC Department, speaking at a security conference in February 2021, noted the low level of implementation of the federal law on the security of critical information infrastructure (CII) and announced plans to develop interaction with the Federal Security Agency as one of the measures to improve this situation. FSTEC already has experience in such interaction with the Ministry of Energy.

We have a wonderful experience with the Ministry of Energy of Russia, which we liked. With the help of specialized state authorities, it is more convenient for us to work, so we will expand this practice to other areas, - said Alexey Kubarev.

Evgeny Novikov, head of the department for ensuring the safety of fuel and energy facilities and CII of the department for economic security of the fuel and energy sector of the Ministry of Energy, at the same conference noted that the main regulators in the field of the security law of CII (187-FZ) are the government of the Russian Federation, FSTEC and the FSB. But in agreement with the FSTEC, the Ministry of Energy in its field can also develop additional requirements for ensuring the safety of significant objects of CII, taking into account the peculiarities of their functioning in the field of fuel and energy complex.

The representative of the Ministry of Energy recalled that there are three main stages of the implementation of the 187-FZ: categorization of the CII facility, ensuring its safety and ensuring interaction with State system of detection, prevention and elimination of consequences of computer attacks. The problems of categorizing CII objects in the fuel and energy complex have industry specifics. Firstly, this is a very large amount of documents that need to be prepared and provided.

At one time, we received information from FSTEK that buses bring data on the categorization of the facility, - said Evgeny Novikov.

Second, there is also an industry law on the safety of fuel and energy complex facilities (256-FZ) and a law on the industrial safety of hazardous production facilities (116-FZ), with which the results of categorization must be coordinated.

And, finally, there is a functional specificity of the fuel and energy complex enterprises. It turns out that for each object, depending on the fuel and energy sector, there should be a different methodology, Novikov explained. With the assistance of the Gubkin Russian State University of Oil and Gas. The Ministry of Energy has developed general methodological recommendations for the definition and categorization of objects of the CII fuel and energy complex and agreed on them with the FSTEC.

The methodological instructions developed by the Ministry of Energy of Russia are currently the only ones developed by the state authority, - said the representative of the Ministry of Energy.

In addition, the department conducts a number of other measures to implement 187-FZ and information security in general. So, for example, under the Ministry of Energy, an interdepartmental commission was created to coordinate the security of the CII fuel and energy complex.

Also at the end of 2020, a departmental information security center State system of detection, prevention and elimination of consequences of computer attacks was introduced under the Ministry of Energy. His area of ​ ​ responsibility includes subordinate enterprises and information resources of the ministry itself.

Now we are considering the issue of expanding this functionality to the entire fuel and energy complex: at least try to exchange with some corporate centers, connect analytical centers, "said Evgeny Novikov.

In addition, the Ministry of Energy now has the obligation to organize command and staff training and cyber exercises in the fuel and energy complex. The department has already carried out trial events, FSTEC and the FSB actively participated in them.

According to Novikov, almost all large organizations of the fuel and energy complex have already been categorized, presented data to the FSTEC. But the subjects of CII are also small organizations.

Three months ago, an organization came out of, in my opinion, the Yamalo-Nenets district, saying that they had received a letter from us about some 187-FZ. To be honest, I almost sat down. What area do you work in? That is, ignorance of the law does not exempt from its implementation, - said Yevgeny Novikov.

For more information on the problems with the implementation of the CII safety law and the measures to strengthen control that FSTEC plans to take, see the block below.

FSTEK: the law on the protection of critical infrastructure is being implemented poorly, the prosecutor's office is connected, inspections are intensifying

The Federal Law on the Security of Critical Information Infrastructure (CII) of the Russian Federation (187-FZ) has been in effect for three years. Alexey Kubarev, Deputy Head of the FSTEC Department, in February 2021, speaking at a security conference, summed up some of the results of the implementation of this law.

In accordance with the 187-FZ, it was required to categorize CII facilities, create and ensure the functioning of safety systems for significant CII facilities, take measures to ensure the safety of these facilities and interact with State system of detection, prevention and elimination of consequences of computer attacks.

And in 2019, a government decree was issued, according to which the subjects of the CII had to prepare and submit to the FSTEC of Russia a list of CII objects subject to categorization by September 1 of the same year.

According to FSTEC estimates, the percentage of implementation by the subjects of the federal law turned out to be extremely low. And the department plans to fight this, said Alexey Kubarev.

In the process of organizing work to consider information about the objects of KII, FSTEC encountered a number of phenomena.

First, many are trying to evade the implementation of federal law by saying "We are not a subject of CII," despite the fact that all direct and indirect signs indicate this. Another way to evade implementation is "We do not have CII objects that need to be categorized." We will also fight this, and we already know about what needs to be done, "said Alexey Kubarev.

According to the representative of the FSTEC, there are still those who are in no hurry, and violate the deadlines for providing lists of KII facilities. In addition, there is an observation that organizations do not notify the regulator about all the CII facilities they have. In addition to problems with the compilation of lists of CII objects within the deadlines established by government decisions, problems arise at the stage of categorizing objects according to the lists drawn up. This is a violation of the deadlines, and an artificial understatement of the categories of significance of existing CII objects.

Often we have to insist that the APCS of a hazardous production facility cannot be without a category, especially since it controls, ensures the safety of this facility. In about 30% of the incoming information, we have to argue with the subject of KII, - said Kubarev.

In addition, at the stage of categorizing an organization, it happens that they provide inaccurate information about CII objects and do not take into account all indicators.

The representative of the FSTEC recalled that in accordance with government decree No. 127 of February 2018, it is necessary to provide FSTEC and information on newly created CII facilities. This is necessary in order to lay in the TA for the creation of a significant object measures and funds for ensuring security. Many do not fulfill this either.

As for the next stage in the 187-FZ - the creation and provision of the functioning of security systems for significant CII facilities - and there are many problems here. In addition to the slowness in the implementation of the federal law, which has been mentioned more than once, often the subjects of the CII underestimate the potential of the violator and have problems with the security forces, the representative of the FSTEC stated.

In some organizations, the safety of significant objects is provided by economic security units, in some - in general, legal services. For me, this is a paradox, "says Alexey Kubarev.

He also noted problems with security tools: at many facilities, especially for APCS, only anti-virus protection and standard operating systems tools are used. This is not enough to counter serious threats.

The representative of the FSTEC recalled the government decree No. 743, valid since January 2020. According to him, when connecting a CII object to public networks, such a connection must be coordinated with FSTEC. The FSTEC itself, in pursuance of this decision, developed and approved the corresponding order.

And we sit, we wait. And what is the result? For more than a year, not a single appeal has been received to coordinate the connection to us, - stated Alexey Kubarev. - I have great doubts that out of thousands of significant objects, none initiated a connection to public networks. We will deal with this.

In 2021, Kubarev says, the FSTEC decided to significantly increase the implementation of the federal law on the safety of CII. And for this, the department plans to carry out appropriate measures.

Let me remind you that since last year, prosecutors have been actively working on the subjects of critical information infrastructure, and moreover, even on potential subjects. They conduct events, field inspections, we participate in them. And for our part, we will connect the relevant federal authorities, the Bank of Russia, state corporations in order to increase the percentage of implementation of the federal law, "says Alexey Kubarev.

He added that since 2021, FSTEC has had grounds for scheduled inspections, which the department plans to do to carry out state control over the implementation of federal law. Alexey Kubarev assured that the purpose of such control is not punishment, but the provision of methodological assistance to the subjects of KII, but at the same time noted that "good should be with fists," which FSTEC will soon provide itself with.

A federal law on amending the Administrative Code regarding the introduction of administrative responsibility for violation of the norms of legislation on the safety of CII was developed and submitted to the State Duma. It passed the first reading safely, and, I think, in 2-4 months it will be approved, - explained the representative of the FSTEC.

FSTEK creates an OS verification center for the public sector

On February 11, 2021, it became known about the plans of the Federal Service for Technical and Export Control (FSTEC) to create a center for security studies of operating systems on the Linux kernel . 300 million rubles have been allocated for the implementation of this project, the winner of the tender will be chosen by March 2, 2021. Read more here.

2020

CII and state organizations became the main targets of advanced cyber groups

According to statistics Rostelecom"," in 2020, the monitoring and response center cyber attacks Solar JSOC recorded more than 200 hacker attacks from professional cyber groups, including massive attempts to influence entire industries and sectors. economies This was announced on December 1, 2020. In Solar (formerly Rostelecom-Solar) about 30 cases, attackers of the highest level of training and qualifications - cyber recruits and cyber groups pursuing foreign interests - were behind the attacks. states Among the most common targets are facilities critical information infrastructure of Russia.

Rostelecom's analytical report is based on data on more than 140 large organizations - Solar JSOC customers in various sectors of the economy (banks, energy and oil and gas sector, government agencies, etc.), as well as on customer companies of the JSOC CERT cyber incident investigation center. In addition, the summary statistics take into account information about attacks and malware collected by the so-called honeypot traps on communication networks and data centers in the Russian Federation and data from other Russian and international CERTs.

According to Solar JSOC experts, the goal of the most professional hacker groups is usually destructive influences and cyber espionage. The damage from attacks of this class is measured not only by financial losses, but also by the impact on the country's economy as a whole, the safety of citizens and the political situation. Only collateral damage from infrastructure compromise, such as theft of personal data of employees and customers, regulatory and reputation risks, the possibility of developing new attacks, if cybercriminals succeed, could reach tens of millions of rubles. The cumulative damage from the full-scale implementation of this kind of attack would amount to several billion rubles.

The weak level of security of web applications at critical information infrastructure (CII) facilities and in government bodies contributed to the fact that this vector of attacks became the most popular among cybercriminals in 2020. In 45% of cases, hackers attacked precisely web applications, in another 35% - they used known and uncovered vulnerabilities in the perimeter of organizations.

After entering the infrastructure, cybercriminals tried to gain access to confidential information of the organization by accessing mail servers (85% of cases) and work computers of top officials, their deputies and secretaries (70% of cases). In parallel, cybercriminals sought to seize maximum control over the infrastructure by attacking the workstations of high-privilege IT administrators (80% of the time) and infrastructure IT management systems (75% of the time). At the same time, software aimed at hiding an attack from standard security tools was most often used; in 20% of attacks, hackers also used legitimate corporate or freely distributed utilities, masquerading as the actions of administrators and users.

It should be noted that the trend of the so-called supple chain attacks on state authorities and key enterprises of Russia is now gaining momentum. That is, attackers are increasingly attacking not the organization itself directly, but act through its contractor, who cares less about information security and at the same time has access to the infrastructure of the ultimate target of the attack. Therefore, it is very important to pay attention to the level of security of contractors and build a safe way of accessing their infrastructure, - said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center of Rostelecom-Solar.

Attacks by mid-level organized groups - cyber-crime - were aimed at direct monetization: withdrawing funds or obtaining a ransom for decrypting company data. The focus of their attention in 2020 remained the credit and financial sector. In 85% of cases, hackers tried to withdraw money from correspondent accounts and attacked various financial systems of companies. At the same time, in the market as a whole, Solar JSOC analysts note, there is a significant decrease in performance and a reduction in damage from attacks, reaching no more than several tens of millions of rubles.

The main weapon of cyber crime remains phishing, implemented due to the low level of literacy of company employees in the field of information security. In 74%, attackers used this, using social engineering to penetrate the infrastructure. To infect workstations and further develop a cyber group attack, massively available darknet-medium software (40% of cases) was used, as well as software for IT administration and security analysis (40% of cases).

FSTEC issued an order on the use of domestic software to protect CII

The Federal Service for Technical and Export Control (FSTEC) has published an order to use domestic software to protect critical information infrastructure (CII). The document is published on the official Internet portal of legal information.

The changes are aimed at using mainly Russian equipment and software in KII to increase technological independence and safety, as well as to promote domestic products.

The document regulates the clarification of the conditions for the selection of equipment and software for CII facilities, the procedure for its use and operation, as well as tests. At the same time, it is separately indicated that the provision regulating the tests comes into force on January 1, 2023, as well as another one, on the recognition of one of the outdated norms as invalid.

The order FSTEC Russia has nuances that experts are unhappy with. In particular, Alexey Lukatsky he noted:

The situation looks like the regulator "doesn't care how the requirements are met. The expert drew on the requirement to expand the ban on the use of elements of a significant object of the second category of CII.

Goodbye, Zoom clouds and update servers located outside, "Lukatsky of the Russian Federation explained.

The order of the Federal Service for Technical and Export Control on amending the requirements for ensuring the safety of significant objects of the critical information infrastructure of the Russian Federation was developed in pursuance of the instructions of the president following the results of the special program "Direct Line with Vladimir Putin" on June 20, 2019.

As the publication D-Russia reminds, during the "direct line," the president said that the authorities should provide a market for Russian programmers in sensitive industries for security and sovereignty, and also said that in order to import substitution, Russian corporations should be "forced" to purchase domestic [software] products.^[35]"

The Ministry of Telecom and Mass Communications canceled subsidies to the regions for the security of critical information infrastructure facilities

At the end of July 2020, it became known that the Ministry of Telecom and Mass Communications canceled subsidies to the regions for the security of critical information infrastructure (CII) facilities. The department explained this by the "redistribution of budget funds."

In connection with the optimization (reduction) of basic budgetary allocations in the formation of the draft federal law on the federal budget for 2021 and for the planning period 2022 and 2023, the competitive selection of projects for 2021, aimed at providing subsidies to the budgets of the constituent entities of the Russian Federation to bring the level of security of critical information infrastructure facilities to the requirements established by the legislation of the Russian Federation within the framework of the federal project "Information Security" of the national program "Digital Economy of the Russian Federation," canceled, the Ministry of Telecom and Mass Communications told the D-Russia.ru.

It is clarified that in 2019 a competition for receiving similar subsidies during 2020 took place. 36 regions took part in it, 12 winners were selected. In 2020-2021, it was planned to spend 250 million rubles on such subsidies, of which 150 million rubles - in 2020 for CII facilities of 1 and 2 categories of significance, 100 million rubles - in 2021 for CII facilities of 3 categories of significance.

At the end of July 2020  , the Ministry of Telecom and Mass Communications began collecting applications from the regions for subsidies in 2021 aimed at improving the security of significant critical information infrastructure facilities. It was assumed that subsidies will be provided from the federal budget to regional budgets to co-finance measures to ensure the sustainable operation of CII in the event of computer attacks.

However, the ministry canceled the collection of applications, and the message to the message address on the ministry's website gives the error "The page does not exist or was deleted" (code 404).^[36]

The Ministry of Telecom and Mass Communications of the Russian Federation approved the procedure for installing and operating cyber attack search tools in KII networks

The Ministry of Communications of the Russian Federation approved in June the procedure for installing and operating cyber attack search tools in KII networks .

The order of the department "On approval of the Procedure and Technical Conditions for the installation and operation of means designed to search for signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure facilities of the Russian Federation" On June 25, 2020^[37] was published on the official Internet portal of legal information.

In particular, the document indicates what stages the installation and operation of attack search tools consists of:

• determination of necessity and places of installation of attack search tools;
• installation of attack search tools, their connection to telecommunication networks and communication channels required to control attack search tools;
• setting up and checking the operability of the installed attack search tools;
• commissioning of installed attack search tools;
• ensuring continuous operation of attack search tools;
• maintenance, replacement and dismantling of installed means of search for attacks;
• ensuring the safety of the installed means of searching for attacks; monitoring operation of attack search means.

According to the order, the FSB sends to the telecom operator by registered mail with notification of the delivery of the following information and documents:

• information on the need to install attack search tools indicating the places of installation on the telecommunication network of the telecom operator;
• operational characteristics of the installed attack search tools;
• name of the organization (in case of involvement);
• surname, name, patronymic (if any), position of an official of the authorized body of State system of detection, prevention and elimination of consequences of computer attacks or the name of the structural unit of the authorized body of State system of detection, prevention and elimination of consequences of computer attacks responsible for the organization of work;
• instructions for operation of the attack search tool, installation of which is planned on the telecommunication network.

No later than 10 calendar days from the date of receipt of information, the telecom operator shall determine the officials of the telecom operator admitted to this information.

How to maintain the performance of the data center if key employees have contracted COVID-19 or are in quarantine

In March 2020, the Uptime Institute prepared recommendations on how to respond to the COVID-19 coronavirus pandemic in the data center industry. The report was released to help critical infrastructure operators prepare and respond to the impact of the new coronavirus. TAdviser has reviewed the document. Read more here.

The Ministry of Telecom and Mass Communications proposes to unify the procedure for installing means for searching for cyber attacks on CII objects

On February 27, 2020, TAdviser became known that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation prepared a draft order^[38]CII^[39], regulating the installation and operation of means for finding signs of cyber attacks on critical information infrastructure of the country.

The order describes both the procedure for installation and operation of such means and the technical conditions for their use.

Attack finders themselves are identified as "automated telecommunication network control and monitoring system equipment." Such developments are subject to mandatory state certification in accordance with the current legislation.

The document provides for tripartite interaction between the authorized body of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation (State system of detection, prevention and elimination of consequences of computer attacks), the authorized body in the field of communications, and telecom operators.

The means of searching for attacks themselves will belong to the Authorized Body of State system of detection, prevention and elimination of consequences of computer attacks and will be installed at the facility of critical information infrastructure at the expense of the same body. Continuity of operation of attack search means, on the other hand, shall be ensured by the telecom operator at his own expense in accordance with the technical specifications described in the draft order.

According to these conditions, the means of search for attacks should be installed in rooms where all conditions for their continuous functioning are provided, including stable and uninterrupted power supply (it is stipulated that the power allocated for the connection of the electric network "must exceed by at least 20 percent the power required in accordance with the operating manual of the attack search tools"), physical access control, temperature and humidity control, fire extinguishing equipment and, of course, Internet connection and connection to the network of the CII facility.

The key provision in this document is that the cyber attack search tools themselves should be supplied and on the balance sheet of the State system of detection, prevention and elimination of consequences of computer attacks bodies. That is, the state at the most practical level takes over the protection of CII facilities, using equipment certified for these purposes to avoid surprises, says Oleg Galushkin, CEO of SEQ (formerly SEC Consult Services)

2019

Hackers who hacked the IT systems of Russian Railways and S7 were given 10-13 years in prison

At the end of December 2019, the Basmanny District Court of Moscow sentenced three hackers accused of hacking into the ticket systems of Russian Railways and S7. In total, 29 people were involved in the case. Read more here.

The Ministry of Economic Development intends to ban the use of foreign software and equipment at the facilities of the Russian CII

On November 1, 2019, it became known that the Ministry of Economic Development is preparing amendments to the law "On the Security of Critical Information Infrastructure (CII)," which imply the replacement of foreign software and equipment at CII facilities with Russian ones. The order to prepare the amendments was given a few months ago by the Deputy Prime Minister Yury Borisov in charge of the defense industry. This was reported by RBC with reference to a letter from Deputy Minister of Economy Azer Talybov.

Talybov writes that in its current form, Russian laws do not allow the government to demand the use of only domestic software and equipment at KII facilities. For this to become possible, this rule must be prescribed in the law "On the safety of CII." The schedule for replacing foreign products with domestic products for existing CII facilities will be formed separately.

In addition, the law should prohibit foreign companies from interacting with networks and information systems of CII. That is, the ultimate beneficiaries of legal entities that do this should be Russian citizens who do not have dual citizenship. The same rule will affect individual entrepreneurs who work with KII. As a result, access of foreign states and their citizens to the service and development of KII will be minimized, Talybov believes.

The recipients of Talybov's letter are the board Military-Industrial Commission Russia headed by Borisov, the Federal Service for Technical and Export Control () FSTEC and. Ministry of Digital Development, Communications and Mass Media The Ministry of Telecom and Mass Communications replied that FSTEC Ministry of Industry and Trade is working on issues import substitution of foreign equipment on behalf of the government, and that KII will function more safely and sustainably using Russian, and the ON share of domestic developers on the market state procurements will grow. The authorities^[40]

Recorded about 17 thousand cyber attacks on KII in Russia

In August 2019, a representative of the Security Council said that in 2018, about 17 thousand cyber attacks per CUES century were recorded. Russia Attackers tried to install another 7 thousand objects. harmful ON About 38% of the attacks occurred - creditfinancial the authorities^[41]

ADE published methodological recommendations on categorization of CII objects in accordance with No. 187-FZ

On July 9, 2019, it became known that the Documentary Telecommunication Association (ADE) published guidelines for categorizing critical information infrastructure (CII) facilities. The document was developed on the basis of materials from telecom operators and other organizations - members of the ADE. Methodological recommendations are aimed at detailing and standardizing the procedure for categorizing CII objects, which is provided for by the Federal Law "On the Security of the Critical Information Infrastructure of the Russian Federation" dated July 26, 2017 No. 187-FZ.

The recommendations contain a set of rules on the basis of which operators should classify CII objects as different types. The published version of the document was agreed FSTEC Russia by the 8th Center FSB of Russia and can be used by telecom operator companies. When changing the regulatory framework, receiving comments and proposals based on the results of applying methodological recommendations, the association plans to make changes to the text of the methodology.

A federal official who wished to remain anonymous said that the association, in fact, is a public organization, its recommendations have no legal force.

When preparing the document, operators had to carry out analytical work on the categorization of objects. The recommendations were developed by market participants and agreed in working order with relevant bodies. Categorization is a necessary step in the implementation of FZ-187 requirements. The purpose of the methodology is to define criteria and unify the procedure in such a way that the results do not raise questions among industry regulators. We believe that operators will begin to use the document, and practice will show the need for further approval by the executive bodies,

The representative of the press service of MegaFon PJSC said that the published version of the document was agreed by the main FZ-187 regulators and can be used by telecom operators. The industry document is optional, but recommended by FSTEC and the FSB for use in the communications industry.

First of all, it is designed to help market participants in the performance of FZ-187. This is a consolidated vision of major industry players to implement the NPA's security requirements for CII. The recommendations are important, since FZ-187 and by-laws formulate general principles and measures to ensure the safety of CII, without going into industry specifics. The technique is an attempt to apply the norms formulated by the legislator to a specific operator infrastructure, it is of a purely applied nature, and this is its value. For the Big Four operators, of course, the document will be the main one. For other operators, we hope, too, since the application of methodological recommendations will contribute to a single and understandable information field in the process of interaction between the operator community and regulators,

The representative of the press service of MTS PJSC said that the recommendations will be used by telecom operators when categorizing critical information infrastructure (CII) facilities and building security systems for these facilities.

It seems that it would be more expedient to adopt a document in the form of a regulatory legal act of the regulator. So far, these are, in fact, recommendations. Telecom operators will decide for themselves on the possibility of using the technique. The work has already been partially carried out. MTS developed and sent to the FSTEC of Russia a list of objects of its own CII. In accordance with the plan, by the end of 2019 we will categorize these facilities. The methodology makes it possible to introduce certainty and uniformity in the approach to categorization of CII objects by telecom operators. The costs of MTS will be clear after the categorization of CII facilities,

A spokesman for Akado Telecom said the initiative to develop the recommendations was correct and timely.

But, most likely, the document will need to be adjusted in accordance with changes in regulatory legal acts in terms of CII. In addition, in our opinion, the recommendations are aimed more at mobile operators than fixed communication networks. Therefore, we did not participate in their development. When categorizing CII facilities, our company is guided by government decree No. 127 and FSTEC orders,

The Ministry of Digital Development, Communications and Mass Media knows about this initiative of the Documentary Telecommunication Association, but did not agree on the document.

From 2020, FSTEC plans to introduce administrative responsibility for non-compliance with safety requirements for CII facilities ^[42]

Data on cyber attacks on critical facilities in the Russian Federation are leaking abroad. Companies break the law

Russian companies, whose duties include the management of critical infrastructure facilities, without the knowledge of the FSB, share data on cyber attacks with foreign colleagues. This was announced on Thursday, June 27, by RBC with reference to the materials of the Federal Service for Technical and Export Control (FSTEC), which in turn refers to the FSB. 

According to the law "On the Security of Critical Information Infrastructure," which has been in force since last year, companies managing critical infrastructure facilities are obliged to provide data about them to the Federal Service for Technical and Export Control (FSTEC) to assign them the appropriate category (safety requirements for each category are different). In addition, they are obliged to connect to the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (State system of detection, prevention and elimination of consequences of computer attacks) created by the FSB and report cyber attacks on their facilities to the National Coordination Center for Computer Incidents (NCCCA ).

However, not all companies comply with the requirements of the law and inform NCCCA about cyber attacks on their systems. For this reason, the center does not have complete information about incidents at critical infrastructure facilities, cannot adequately respond to them and make forecasts.

Be that as it may, companies exchange information about cyber attacks with foreign organizations. By this, they violate the orders of the FSB No. 367 and No. 368, according to which the exchange of data with foreign organizations must be coordinated with the FSTEC. However, the service did not receive a single appeal on this issue.

The FSTEC believes that the information provided to foreign companies about cyber attacks on critical infrastructure of the Russian Federation eventually falls into the hands of foreign special services, which can use it to assess the security status of the Russian critical infrastructure.

According to RBC, perhaps in this way companies are trying to avoid image and financial losses. But the practice of sending data abroad threatens primarily the companies themselves. Since the National Coordination Center for Computer Incidents of the NKCKI, controlled by the FSB, does not have complete information about the incidents, it cannot adequately respond to them and make accurate forecasts for the development of the situation, the FSTEC notes.

The Law "On the Security of Critical Information Infrastructure" has been in effect in Russia since 2018. Its main goal is to protect the country's most important enterprises from cyber attacks.

According to FSTEC, the law does not work in full force for several reasons. Firstly, last year the department already noted the lack of information about the "criticality" of its facilities from banks and telecom operators. Secondly, some of the by-laws that must approve the details of the interaction of organizations within the framework of this law have not yet been adopted.^[43] 

FSB formulated requirements for State system of detection, prevention and elimination of consequences of computer attacks means to protect the CII of the Russian Federation

On May 6, 2019 Federal Security Service , it issued an order "On approval of requirements for means intended for the detection, prevention and elimination of consequences computer attacks and response to computer incidents. More. here

FSTEC and FSB will introduce responsibility for violation of requirements for the critical IT infrastructure of Russia

On March 26, 2019, the Federal Portal of Draft Regulatory Legal Documents posted a notice of the beginning of the development of the draft federal law "On Amendments to the Code of Administrative Offenses of the Russian Federation (regarding the establishment of liability for violation of requirements for ensuring the safety of CII facilities)."

So far, this is only a notification about the start of work on the relevant document. Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" prescribes to structures in the management of which significant objects of the critical information infrastructure of the Russian Federation are located to comply with the requirements specified by law and regulatory acts to ensure the safety of such objects.

In particular, there is an article of the Criminal Code 274.1, which provides for criminal liability for unlawful impact on the critical information infrastructure of the Russian Federation.

However, there is no law defining cases when there was a failure to comply with these requirements, but it did not entail an unlawful impact on the CII.

In order to differentiate punishment depending on the public danger of consequences from violation of the requirements of the legislation of the Russian Federation on the safety of critical information infrastructure, it seems appropriate to introduce administrative responsibility for non-compliance by subjects of critical information infrastructure with the requirements for ensuring the security of significant objects of critical information infrastructure, established in accordance with federal law and other regulatory legal acts adopted in accordance with it, the project description says.

Critical information infrastructure needs legislation that would meet the ever-changing realities of information security, "said Dmitry Gvozdev, General Director of Information Technologies of the Future. - The process of forming this legislation is still far from over, there remain some gaps that need to be addressed as soon as possible. The development of administrative responsibility measures in this case is not so much a promise of new cars for the sake of the cars themselves, but a filling of gaps and an adequate delineation of responsibility in accordance with the likely threat. Ultimately, in the field of CII, even insignificant negligence can be unpredictably expensive.

The main developer of the project should be FSTEC, however, the Federal Security Service of the Russian Federation is indicated as co-executors.

The planned deadline for the adoption of the bill is January 2020. You can read the document departments=48 & npa=89944 here.

FSTEC proposes to prohibit the processing abroad of information related to the CII of Russia

On March 6, 2019, the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) published on the Federal Portal of Draft Regulatory Legal Acts a draft amendment to Order No. 239 "On Amendments to the Requirements for Ensuring the Safety of Significant Objects of the Critical Information Infrastructure of the Russian Federation."

The project contains a number of various clarifications, among which the requirements related to the equipment, software and procedures for processing information of critical infrastructure facilities are emphasized.

In particular, it is proposed to supplement paragraph 31 of the Order^[44] with the following paragraph:

The information storage and processing software and hardware included in the significant object of the 1st category of significance shall be located on the territory of the Russian Federation (except for cases when the specified funds are placed in foreign separate subdivisions of the subject of critical information infrastructure (branches, representative offices), as well as cases established by the legislation of the Russian Federation and (or) international treaties of the Russian Federation).

The previous version of the order did not impose such restrictions.

In fact, this means a ban on processing data related to critical infrastructure facilities of the first category of importance outside the territory of Russia, minus the exceptions stipulated, - said Dmitry Gvozdev, General Director of Information Technologies of the Future. - In general, this document is of a clarifying nature. The development of standards and rules by which the critical infrastructure of Russia should operate is a process that is still very far from completion: the number of stakeholders is large, and the risks are too high, so the regulation should be as detailed as possible. Accordingly, new amendments, additions and clarifications will be made in the future, and for a long time.

In addition, the document assumes to oblige the most significant enterprises of the critical infrastructure to use only routers certified for compliance with information security requirements. However, we are talking only about newly created or modernized objects of the CII and only the first (maximum) category of significance.

It is stipulated that if it is not possible to use only certified devices as border routers (that is, those through which access from the local network to the Internet is carried out), the security of actually used devices will have to be assessed as part of the acceptance or testing of significant objects.

The full text of the draft order is available npa=89229 at this link.

2018

FSB has prepared a procedure for informing about cyber attacks on KII facilities

The Federal Security Service of the Russian Federation has prepared a draft order approving the procedure for informing about cyber attacks on significant objects of critical information infrastructure (CII). The text of the project is available#^[45] on the federal portal of draft regulatory legal^[46].

"I order to approve the attached procedure for informing the FSB of Russia about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out on significant objects of the critical information infrastructure of the Russian Federation," follows from the order.

As noted in the explanatory note, the project is aimed at improving legal regulation in the field of coordination of the activities of the subjects of the critical information infrastructure of the Russian Federation on the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents.

According to the order, in the event of a computer incident, the subjects of the critical information infrastructure of the Russian Federation are obliged to immediately inform the National Coordination Center for Computer Incidents (NCCCA) about this. If there is no connection to this technical infrastructure, the information should be sent by fax, electronic and telephone to the addresses or telephone numbers of the NCCC indicated on the agency's website.

In addition, if the incident occurred at a KII facility operating in the banking and other spheres of the financial market, it is also necessary to inform the Central Bank of the Russian Federation.

CII subjects will also have to develop a plan for responding to computer incidents and taking measures to eliminate the consequences of computer attacks and conduct training at least once a year to work out the plan's activities.

Information about the protection of KII from cyber attacks was attributed to state secrets

Russian President Vladimir Putin signed a decree in March 2018, according to which information on the state of protection of critical information infrastructure (CII) from cyber attacks now refers to state secrets. The corresponding document was published on the portal of legal information^[47] of the^[48]

The decree supplements the list of information classified as state secrets, approved by decree of the President of the Russian Federation of November 30, 1995 No. 1203 "On approval of the list of information classified as state secrets," with a new paragraph. According to the document, such data now include information that discloses measures to ensure the security of the critical information infrastructure of the Russian Federation and information that discloses the state of security of CII against computer attacks.

Information FSB Federal Service for Technical and Export Control^[49] was also assigned to state secrets by authority^[50] such data^[51]

2017

What threatens for the unlawful impact on the critical IT infrastructure of Russia

On January 1, 2018, a 187-FZ comes into force in Russia - the law "On the Security of the Critical Information Infrastructure of the Russian Federation" and the amendments to the Criminal Code adopted simultaneously with it, describing the punishment for damage to the country's critical infrastructure.

Changes are made by Federal Law No. 194-FZ "On Amendments to the Criminal Code of the Russian Federation and Article 151 of the Criminal Procedure Code of the Russian Federation in connection with the adoption of the Federal Law" On the Security of the Critical Information Infrastructure of the Russian Federation. " In particular, chapter 28 of the Criminal Code of the Russian Federation is supplemented by article 2741, describing the punishment for "unlawful impact on the critical information infrastructure of the Russian Federation."^[52] "

According to the regulations of the 187-FZ, financial, transport, energy, telecommunications companies, as well as organizations in the field of health, science, fuel and energy complex, nuclear power and industry are subject to the new requirements.

Until February 20, 2019, companies that fall within the scope of the law are obliged to independently categorize CII facilities and coordinate them with FSTEC.

At the same time, this stage includes the creation of a categorization commission, the definition of processes within the framework of the company's main activities and the identification of the most critical of them. The next step is to form a list of CII objects and its coordination with the industry regulator (for example, for the healthcare sector, the Ministry of Health acts as such). After that, the list of objects is submitted as a notification to the FSTEC of Russia, and for each object from the list, the CII subject determines the category of significance, after which the categorization results are sent for approval to the FSTEC. Based on certain categories, the owner of KII facilities in the future needs to build protection.

The unlawful impact includes the creation, distribution and/or use of computer programs or other computer information that is knowingly used to destroy blocking, modifying, copying information in a critical infrastructure, or neutralizing the means of protecting said information.

In addition, sanctions will entail illegal access to protected computer information contained in the critical information infrastructure of the Russian Federation if it has caused harm to this infrastructure.

Penalties are also provided for violation of the rules for the operation of means of storing, processing or transmitting protected computer information contained in a critical information structure, information systems, information and telecommunication networks, automated control systems and telecommunication networks related to the country's critical information infrastructure.

For the creation of malicious programs to affect the infrastructure of violators, forced labor for up to five years is expected with a possible restriction of freedom for up to two years or imprisonment for a period of two to five years with a fine of five hundred thousand to one million rubles or in the amount of wages or other income convicted for a period from one year to three years. For illegal access to protected computer information, forced labor is supposed for up to five years with a fine of 500 thousand to a million rubles, with possible restriction of freedom for up to two years, or imprisonment for a term of two to six years with a fine of five hundred thousand to one million rubles.

Violation of the rules for the operation of means of storing, processing or transferring protected computer information will be followed by forced labor for up to five years with the possible deprivation of the right to hold certain positions or engage in certain activities for up to three years. A possible imprisonment of up to six years is also envisaged.

If these acts are committed by a group of persons by preliminary conspiracy, organized by a group or a person using his official position, the severity of the punishment increases significantly: the law provides for a prison term of three to eight years with the possible deprivation of the right to hold certain positions or engage in certain activities for up to three years.

If the same acts committed by a group of persons by prior conspiracy or using their official position entailed grave consequences, the perpetrators will receive a term of five to ten years with the deprivation of the right to hold certain positions or engage in certain activities for up to five years or without it.

The emergence of such a law is more than natural in the current environment, "said Georgy Lagoda, CEO of SEC Consult Services. - Attacks on critical infrastructure have ceased to be an abstraction, this is a hyperactive problem for all countries, including Russia. The law is clearly aimed at preventing internal attacks or violations that increase the vulnerability of infrastructure. The effectiveness of this law may be the subject of debate, but it is encouraging that the existence of the problem is recognized at the legislative level.

The law, as well as amendments to the Criminal Code, are themselves necessary, - said Dmitry Gvozdev, General Director of Technologies of the Future LLC, - The question, however, lies in real law enforcement practice. It depends on her whether these laws will work in principle.

The State Duma approved a package of bills with sanctions for attacks on critical infrastructure

The State Duma approved in January 2017 in the first reading a package of bills that provides for up to 10 years in prison for hackers targeted by the critical information infrastructure (CII) of the Russian Federation. If the bill is approved, the relevant amendments will be made to the Criminal Code of the Russian Federation, TASS news agency CNews^[53]

CII means information and telecommunication systems of state bodies. This also includes automated process control systems in the defense, fuel, rocket and space, nuclear, chemical, metallurgical and mining industries, as well as in the fields of health, communications, transport, power and finance.

Punishments for hackers

For example, for the creation or distribution of software designed to harm CII, hackers will be sent to forced labor for 5 years or imprisoned for the same period. Alternatively, it is possible to pay a fine in the amount of p500 thousand to p1 million. The fine can also be calculated based on the income of the criminal - in the amount of salary for a period from 1 year to 3 years.

If a hacker not only created/distributed a malicious program for CII, but also caused real damage to the infrastructure, he can spend from 5 to 10 years in prison. In addition, the offender will lose the opportunity to engage in some activities and work in appropriate positions for 5 years.

There is also punishment for illegal access to information contained in the CII, if this access is carried out using a malicious program and poses a threat to the infrastructure. The fine for this ranges from p1 million to p2 million, or equals the income of the criminal for the period from 3 to 5 years. As an option, it is possible to imprisonment for up to 6 years and a fine in the amount of p500 thousand to p1 million, or in the amount of salary for 1-3 years.

Other punishments

The bill offers penalties not only for causing intentional harm to the KII, but also for violating the rules for handling information contained there. This includes incorrect handling of the equipment on which this information is stored, processed and transmitted. The same item includes a violation of the rules for accessing data and CII systems if this poses a threat to the infrastructure.

For such actions, violators will be imprisoned for 6 years. Another option for punishment: 5 years of forced labor and a ban on some activities for 3 years. If not one person acts, but a group of persons who conspired in advance or use their official position, then they face imprisonment for a term of 3 to 8 years or 5 years of forced labor.

Ensuring safety

The bill considered today by the State Duma also describes the principles of ensuring the security of CII, imposes appropriate powers on government agencies and establishes the duties and responsibilities of infrastructure owners and operators. A special authorized federal body should be responsible for the safety of CII.

All CII facilities should be divided into categories, each category will receive its own safety standards. The separation will be carried out on the basis of the register of significant objects, the creation of which is stipulated by the bill. In addition, security systems will be created for KII, which will cooperate with the system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation. This system was created by presidential decree of January 15, 2013.

Notes