2024/09/27 12:59:37

Security of critical information infrastructure of the Russian Federation

The article is devoted to regulatory regulation and practical aspects of ensuring the security of critical information infrastructure facilities in the Russian Federation.


Main article: Critical information infrastructure of Russia

2024

ANO "Digital Horizon" created in Russia to introduce IT solutions into critical infrastructure

On October 1, 2024, a new autonomous non-profit organization (ANO), "Digital Horizon," was officially presented in Moscow. The project aims to develop and implement advanced technologies in key sectors of the country's economy, in particular in the field of critical information infrastructure. Read more here.

The Ministry of Industry and Trade is allocated 553 million rubles to create an industrial cybersecurity center

The federal budget of Russia will allocate ₽553 million to create and ensure the activities of the industry competence center for information security in industry. The decision on financing was made in September 2024 within the framework of the federal project "Information Security" of the national program "Digital Economy."

According to CNews, the Ministry of Industry and Trade of the Russian Federation is the curator of this measure. The competence center has been created on the basis of the Gamma research and production enterprise, which is subordinate to the ministry and has been the lead organization for information protection within the Ministry of Industry and Trade since 1991.


The main tasks of the center include the detection, prevention and elimination of the consequences of computer attacks on the information resources of Russian industrial enterprises. In addition, the center will assess the degree of security of facilities, analyze the causes of computer incidents and collect data on the state of information security in the industry.

During the project implementation, it is planned to develop a standard technological solution for creating early warning subsystems for information security threats. Guidelines for departmental monitoring of the state of work on categorization of critical information infrastructure facilities will also be prepared.

The creation of such a center is prompted by the sharp increase in the number of cyber attacks on Russian industrial enterprises since 2022. According to the MTS RED SOC monitoring and response center, in the first half of 2024 more than 22 thousand attacks on industrial companies were repelled, about 15% of which had critical status.

Roman Safiullin, Head of Information Protection at InfoWatch Arma, notes the difficulty of ensuring information security at industrial facilities because each is unique and requires an individual approach. He also points to a shortage of security specialists for automated process control systems.[1]

The government changed the procedure for categorizing CII objects, raising many questions

On September 19, the Government of the Russian Federation adopted Resolution No. 1281 amending Government Resolution No. 127 of February 8, 2018. The latter defined the procedure for categorizing critical information infrastructure (CII) objects that has been in effect until now. The change to this procedure consists of three points:

  • Invalidate the requirement to form a list of objects subject to categorization (subclause "d" of paragraph 5 of Resolution No. 127);
  • Remove from the authority of the categorization commission the possibility of forming a list of objects and assessing the need to categorize the objects being created (exclusion of the relevant powers from subparagraph "c" of paragraph 14 of Resolution No. 127);
  • Remove the requirement to coordinate the list with regulators, as well as all deadlines, including the following: "The maximum categorization period should not exceed one year from the date of approval by the CII subject of the list of objects" (paragraph 15 of Resolution No. 127 is removed in its entirety).

(Source: Russian Government) The changes adopted by the Government of the Russian Federation fit on a single sheet

In effect, the adopted resolution removes a whole stage from the categorization process: the preparation of the list of objects subject to categorization. However, it was from the registration of this list that the one year allocated for categorizing objects was previously counted, and now the deadlines appear to be becoming less defined. As Daniil Socol, owner of the Nota Kupol project developed by Nota (T1 Holding), puts it:

"The stage of forming a list of objects for categorization was critical in the process of implementing Resolution No. 127, as it served as the starting point for further categorization and protection of objects, as well as a signal to the regulator that work on the subject's CII had begun. Without a formal list and the requirement to coordinate it with the FSTEC of Russia (sending the list within 5 days after approval), there are risks of missing or incorrectly identifying critical CII objects."

However, experts believe that the list of CII objects subject to categorization still needs to be compiled even after the changes adopted by the government.

"Nobody has canceled the stage of forming the list of CII objects as such," Oleg Nesterovsky, deputy director of the consulting and audit department at ARinteg, explained to TAdviser. "Duplication is excluded. Subparagraph "c" of paragraph 5 of Resolution No. 127 already implies the formation of the specified list, namely: the identification of critical information infrastructure objects that process the information necessary to ensure critical processes and (or) manage, control or monitor critical processes. As for the abolition of the maximum term for categorizing CII objects, this is a big question. We are waiting for the regulator's clarifications."

It should be noted that the categorization procedure is now changing in form. The government has already appointed responsible regulators for each of the industries listed in Law No. 187-FZ "On the Security of the CII of the Russian Federation," for the implementation of which Resolution No. 127 was adopted. They have all now prepared lists of typical CII objects for their specific industry and must oversee the categorization process of the organizations under their supervision in accordance with these industry lists.

"The stage of forming a list of CII objects for categorization was important as long as the country was forming lists of standard sectoral objects of critical information infrastructure operating in the various areas established by paragraph 8 of Article 2 of Law No. 187-FZ "On the Security of the CII of the Russian Federation," said Maxim Fokin, head of certification and secure development for the MSVSFERA OS (Softline Group of Companies). "To date, such lists have been formed in full, and it makes no sense for CII subjects to form lists of objects for categorization on their own, since this process was quite difficult and unclear for such organizations. When lists were formed on the ground, much depended on the competence of the specialists working at the various CII subjects."

According to the expert, the independent formation of the list of objects by an organization (CII subject) led to redundant lists of CII objects. In some cases, companies "forgot" to add objects that were really important for the state. That is why the government sought to involve the regulators of the relevant industries in forming the lists.

Now an organization can simply take the ready-made lists of typical industry CII objects and map them against its own objects, which allows all CII objects in the organization to be identified unambiguously. This will help to reduce the time spent on categorizing CII objects by an order of magnitude, unload the regulator, reduce the costs organizations incur to secure redundant objects, and ensure the protection of the CII objects that are key to the state's information security.

"For CII subjects, such changes facilitate the process of categorizing and coordinating the list of CII objects, especially when it is necessary to exclude an object from the FSTEC of Russia database; on the other hand, they give more opportunities to make a mistake in determining CII objects," said Daniil Socol. "The regulator's work is complicated by the fact that the formation of the list helped state bodies and regulators to control the start of categorization and ensure compliance with the norms and requirements of the legislation, and also determined the period within which categorization had to be completed. Without a clear stage of registering the list, it may be difficult for the regulator to set specific categorization deadlines for a CII subject. For CII subjects there will be no changes: the work on determining the list of objects will remain the same, while the recommendations on typical CII objects adopted by industry regulators can be used."

Oleg Nesterovsky expressed a similar opinion on simplifying the procedure for forming lists of CII objects:

"Lists of typical industry CII objects are used to form the list of CII objects, but they are not exhaustive. They do not exclude the presence of other IS, ITCS and APCS that implement and support critical processes. The procedure for generating the list of objects to be categorized does not change."

Only the issue of coordinating the list with FSTEC or other regulators remains open. Experts cannot answer it on their own and expect clarification from the regulators.

The Ministry of Digital Development assessed the import substitution of cybersecurity tools at CII facilities in Russia

In September 2024, the Ministry of Digital Development, Communications and Mass Media of Russia announced that readiness for full import substitution of information protection tools at critical information infrastructure (CII) facilities is assessed as high. These data were announced in Moscow by Yevgeny Khasin, director of the ministry's cybersecurity department.

According to Khasin, most cybersecurity tools at CII facilities already have domestic counterparts. There are certain technological difficulties with high-performance protection systems, but active work is underway to improve their characteristics. He also confirmed that no postponement is planned for the implementation of the presidential decrees banning the use of foreign software and cybersecurity services.

In addition, according to TASS, Ilya Massukh, director of the competence center for import substitution in the ICT sector, said that in some segments replacement is approaching 100%. In particular, for firewalls and backup tools this figure is 75-80%, and for databases and operating systems about 50%. Massukh noted that most companies subject to the decrees take this issue seriously and will comply with all regulatory requirements on time.

In March 2022, Russian President Vladimir Putin signed a decree aimed at ensuring the technological independence and cybersecurity of Russia's critical information infrastructure. According to this decree, from March 31, 2022, a ban was introduced on the purchase of foreign software for CII facilities without the consent of authorized bodies. The ban also extended to purchases of services necessary to use such software.

In addition, the presidential decree establishes that from January 1, 2025, state authorities will be prohibited from using foreign software at CII facilities. This decision was made as part of a strategy to increase Russia's independence in the field of information technology and cybersecurity.[2]

The Ministry of Industry and Trade decided to tighten the requirements for information security for trusted software and hardware systems

In August 2024, the Ministry of Industry and Trade published on the federal portal of draft regulatory acts a proposal to amend[3] Government Resolution[4] PP-1912 "On the procedure for the transition of CII subjects[5] to the predominant use of trusted software and hardware complexes (PAC) at their significant CII objects of the Russian Federation." The main changes are to be made to the appendices to the rules, approved by PP-1912, for the transition of CII subjects to the predominant use of trusted PACs at their significant CII facilities.

In particular, Appendix No. 1 to the rules now states that trusted PACs are those contained not only in the register of Russian radio-electronic products, as was originally the case, but also in the register of Russian industrial products. Both registers are maintained by the Ministry of Industry and Trade, although a PAC section[6] has already appeared in the register of domestic software maintained by the Ministry of Digital Development[7]. At the beginning of August it contained 296 entries.

"A state register of trusted PACs does not exist today," said Valery Andreev, Ph.D., Deputy General Director for Science and Development at IVK. "There is a PAC register of the Ministry of Digital Development of the Russian Federation, but the criteria for the trustworthiness of the software and hardware complexes included in it are not spelled out anywhere, and the register does not even mark whether a PAC is trusted. The software part of a PAC can be trusted; this is confirmed by a certificate of the FSTEC of Russia or the FSB of Russia. It can be entered into the Unified Register of Programs of the Ministry of Digital Development of the Russian Federation, but information about the presence of certificates is not provided on the product page. That is, a user viewing the software tools of interest in the registry cannot immediately find out whether they are certified."

(Source: Ministry of Digital Development) An example of an entry in the PAC register of the Ministry of Digital Development. It can be seen that the device is contained in the register of industrial products and therefore, under the old version of PP No. 1912, would not be trusted

PP No. 1912 does in fact contain criteria for a trusted PAC (though not for the PAC register of the Ministry of Digital Development); they are formulated in Appendix No. 1 and consist of three points:

  1. Information about the device is included in the register of Russian radio-electronic products[8] and, if the amendment is adopted, in the register of Russian industrial products[9];
  2. The software complies with the requirements of Resolution No. 1478 of August 22, 2022;
  3. If the PAC has security functions, it must have the appropriate FSTEC and FSB certificates.

If all three points are satisfied, the PAC is considered trusted.

(Source: Ministry of Industry and Trade) An example of an entry from the unified register of electronic products, in which information on the certification of both the software and the device itself is in fact missing.

The draft also provides for changes to the third item. If a PAC contains security functions, the FSTEC and FSB requirements will apply not only to those mechanisms themselves, but also to the electronic products that are part of the PAC. Moreover, confirmation that the PAC itself and the component base used in it meet the FSTEC and FSB requirements must be provided in the form of certificates. At present, not only are there no devices certified by these agencies, but the requirements of these regulators for trusted PACs have not even been approved.

The only thing that exists is the preliminary standard for trusted PACs, PNST 905-2023, which was approved by Rosstandart technical committee No. 167 "Software and hardware complexes for critical information infrastructure and software for them." This TC is controlled by the Rosatom structure NPO KIS. It is therefore unlikely that the Ministry of Industry and Trade, FSTEC or the FSB will refer in their documents to the standards it has prepared.

"The hardware of a PAC can be entered into the Unified Register of Electronic Products of the Ministry of Industry and Trade of the Russian Federation," explained Valery Andreev. "But information on the certification of the product's software part is not provided here either, nor is the software itself mentioned, with the exception of microcode. It turns out that the operator or customer needs to keep its own register of trusted PACs. Where is this information to be obtained, and how are changes to be tracked? Does it make sense to duplicate this work in many places? Obviously not. A Unified State Register of Trusted PACs is needed."

Moreover, the draft resolution proposes to expand the list of data that CII subjects must report to regulatory authorities about the PACs they expect to install. In particular, it is proposed to indicate the number of central processors and their architecture, channel capacity and number of ports, as well as other highly detailed characteristics of the PAC. Given the risk of sanctions against supply chains, publishing such information invites the imposition of sanctions; there have already been such precedents.

"The question of whether there is a sufficient domestic component base for PAC production remains open; however, with active investment and effort from both public and private structures, one can count on positive dynamics in this direction," Elena Kutz, head of the expert and analytical department at ALMI Partner, shared her thoughts with TAdviser. "Although the Russian component base for PAC production is actively developing, many enterprises still depend on imported components, which entails certain risks and difficulties. In addition, PAC companies will face the need to adapt their products to the new requirements, which will require additional investment and resources."

Indeed, Resolution No. 1912 comes into force on September 1, 2024, and changing it at the last moment could have a negative impact on PAC manufacturers: in a month they are unlikely to be able to redesign their devices to meet the legislators' requirements, which, as noted, do not yet exist. It is therefore highly likely that by the time the resolution comes into force, the necessary devices with the appropriate certificates will simply not be on the market.

"The production of PACs requires a developed component base," said Kamil Baimashkin, Deputy Executive Director of R-Vision, in a conversation with TAdviser. "In Russia there are a number of enterprises producing electronic components. However, to fully meet the needs of PAC production, further development of the domestic electronics industry is necessary. In the short term, for some types of products, the new version of the resolution may temporarily limit the choice of available PACs. In general, the proposed changes are a step in the right direction, since under current conditions the insufficient security of critical information infrastructure facilities and their vulnerability to external attacks pose a threat to the security of the state."

The requirements of the draft resolution are important for the development of the domestic radio-electronic industry. It is very difficult to compete on price with established Chinese industries, so the transition to the predominant use of Russian components should be stimulated by law.

"Within 2-3 years, customer demand for Russian RAP should be satisfied," Kirill Semion, General Director of ANO NCC ISU, told TAdviser. "Producers of the component base are now actively increasing production volumes. The main things they need for this are investment and technical specialists. In general, the predominant use of trusted PACs is convenient for customers. But it is important that all the characteristics of PACs are described in detail. It is also necessary to make confirmation by external expertise mandatory. In that case it will be easy for customers to design their architecture."

FSTEC will oblige government agencies, banks and enterprises of the fuel and energy complex to store information about cyber attacks for 3 years

In early August 2024, it became known that the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) had developed new requirements for the protection of information in government agencies and in organizations related to critical information infrastructure (CII): banks, enterprises of the fuel and energy complex, etc.

According to the Kommersant newspaper, the FSTEC document changes the requirements for the secure storage of data that do not constitute a state secret in government agencies and at CII facilities. Such organizations will need to implement antivirus protection of IT systems, ensure intrusion prevention for the infrastructure and control the protection of information in general. In addition, the information systems of CII facilities must have the resources to pass traffic at twice the normal volume.

In the event of a cyber threat, the market participants in question must interact with the state system for detecting computer attacks, as well as with their hosting provider or the organization providing communication services. In the document, security threats mean DDoS-type cyber attacks.

The new rules also provide that organizations will have to store information about cyber incidents for three years. Such information should include the date and time the attack began and ended, the type of threat, its intensity (Gbps), the list of network addresses that were the source of the threat, and the protection measures taken.

Nikita Tsaplin, general director of the hosting provider RUVDS, believes that the proposed measures are necessary for the market, since DDoS attacks have become a regular phenomenon. However, implementing the requirements may lead to additional costs for companies due to the need to upgrade hardware and software systems.[10]

Russian GOST on cybersecurity at nuclear power plants has become international

The Russian GOST regulating methods of cyber protection for nuclear power plant control systems has received the status of an international standard. This became known at the end of July 2024. Read more here.

Putin banned the use of cybersecurity services from unfriendly countries

On June 13, 2024, Russian President Vladimir Putin, by Decree No. 500[11], approved amendments to Decree No. 250 "On Additional Measures to Ensure Information Security of the Russian Federation." In accordance with the document, from January 1, 2025, the use of protective equipment and cybersecurity services from unfriendly countries is prohibited. In addition, the decree requires that only accredited response centers be connected to the State system of detection, prevention and elimination of consequences of computer attacks (GosSOPKA).

"The adopted changes contain a number of key adjustments and clarifications of additional measures to ensure the information security of the Russian Federation and are aimed at optimizing control and monitoring of the activities of GosSOPKA centers, as well as expanding the bans on interaction with persons with foreign participation in the framework of ensuring information security," said Andrei Medunov, head of the GR project support group at Solar Group of Companies. "It should be noted that these are timely and logical clarifications that will help increase the cyber resilience of the state's economy and the technological independence of the cybersecurity industry."

Decree No. 250 originally defined the requirements for government agencies, state corporations and subjects of critical information infrastructure (CII) with respect to responding to cyber incidents. One of the amendments concerns the accredited centers that will be involved "if necessary" to prevent cyber attacks and eliminate their consequences.

"The new Decree No. 500 contains instructions for the FSB of Russia, according to which it is necessary to determine the requirements for GosSOPKA centers and establish the procedure for their accreditation and for suspending that accreditation," Alexander Bykov, head of protection services at the cloud provider NUBES, explained to TAdviser. "In this respect an adjustment to the previous Decree No. 250 was necessary, since it will make CII more efficient in responding to attacks."

For such centers, an accreditation procedure will be defined, including the procedures for suspending the accreditation process, suspending accreditation and revoking accreditation. That is, the FSB will have to develop, approve and enforce the accreditation rules for GosSOPKA centers, which provide monitoring, elimination of the consequences of computer attacks, and security analysis.

Russian President Vladimir Putin

In addition, from 2025 the organizations covered by the decree are prohibited from using cybersecurity work or services provided by companies from unfriendly states. Alexey Lukatsky, business consultant for information security at Positive Technologies, says that these measures cover a wide range of services: in particular, cloud information security services, consulting, security analysis, penetration testing, etc.

"In Russia, foreign WAF services (firewalls for protecting web applications) and NGFW (firewalls for filtering traffic) continue to be used to a minimal extent, but this is more true for large foreign companies," Alexander Khonin, head of the consulting and audit department at Angara Security, commented on the current situation for TAdviser. "They are used because they are installed in the infrastructure of parent organizations abroad. In other cases, we are talking about the use of such services through 'workarounds.' In terms of services, there will most likely be a transition to individual information security products in order to preserve the necessary functionality. A number of organizations will refuse such services and replace them with compensating measures."

FSTEC has developed rules for assessing the security of government agencies and CII facilities

In early May 2024, the Federal Service for Technical and Export Control (FSTEC) published a methodology for assessing the indicator of the state of technical protection of information and ensuring the security of significant objects of the critical information infrastructure (CII) of Russia. The rules apply to government agencies, organizations in the field of communications, power, banking and enterprises of other significant sectors of the economy.

The document says that the methodology defines an indicator characterizing the current state of technical protection of information that does not constitute a state secret and (or) of the security of significant CII objects. The assessment should be carried out at least once every six months. Organizations should conduct an extraordinary security check in the event of an information security incident with negative consequences or when the architecture of their information systems changes. In addition, such a check may be initiated at the request of FSTEC.

The initial data required to assess the security indicator may include: reports, protocols or other documents drawn up based on the results of internal control of the security level; results of an inventory of information systems; internal organizational and administrative documents regulating the organization of information protection; and external evaluation reports. In addition, the results of a survey of the organization's employees about how they perform their functions using information systems and (or) ensure information security may be taken into account.

Market participants, as noted by the Kommersant newspaper, believe that the FSTEC methodology will help companies focus on the minimum necessary level of protection. Thus, the deputy technical director of Innostage Daniyar Iskhakov says that the requirements are "simple and understandable," and this "should have a positive effect on the desire to fulfill them realistically, and not formally."[12]

FSTEC named 6 main reasons for successful cyber attacks on enterprises and government agencies

In mid-February 2024, the Federal Service for Technical and Export Control (FSTEC) listed six main reasons for successful hacker attacks on enterprises and government agencies:

  • weak user and administrator passwords;
  • single-factor identification;
  • use of default passwords;
  • active accounts of dismissed employees;
  • use of employees' personal devices to access the information infrastructure;
  • use of personal messengers and social networks at workplaces.

"The results of the analysis of the computer incidents which, unfortunately, we have had over the past two years made it possible to form a rating of the main shortcomings that very often become prerequisites for the successful implementation of computer attacks," said Sergey Bondarenko, head of an FSTEC department, speaking about the reasons why the IT systems of companies and government agencies are most often hacked.

According to Bondarenko, in order to create reliable cyber protection at enterprises and government agencies, it is necessary to inventory information resources, install antivirus software, protect the perimeter of the information infrastructure and check mail attachments for malware.

In mid-February 2024, Alexander Shoitov, Deputy Head of the Russian Ministry of Digital Development, said that attacks on the critical information infrastructure and state systems of the Russian Federation, including banks, had become more sophisticated. Hackers often hide behind simple DDoS attacks while conducting several others to further affect IT systems.

"We don't even always see," said Shoitov, speaking at one of the conferences on information security.[13]

The concept of technological independence of CII has been standardized, for now only provisionally

In early February 2024, Rosstandart published the preliminary standard PNST 905-2023[14] "Critical Information Infrastructure. Trusted hardware and software complexes. Terms and definitions," which defines the basic concepts in the field of trusted hardware and software complexes (DPAK) for the critical information infrastructure of the Russian Federation.

The standard is preliminary and its validity period is limited: from April 1, 2024 to April 1, 2027. However, it is precisely during this period that the technological independence of the CII of the Russian Federation is to be ensured through import substitution, so the standard may be important for the entire domestic information security market.

Cover of PNST 905-2023 standard

The standard states that the terms established by it are recommended for use in all types of documentation and literature in the field of design, development and manufacture of DPAK and their components, as well as in the development of regulatory documents in this area. And if someone does not use the relevant terms, then questions will arise about his competence.

The key concepts of the document are the definitions of such terms as the technological independence of CII and a trusted software and hardware complex. This is "a state of critical information infrastructure, characterized by the possibility of its creation, stable, reliable functioning and development, including in conditions of restrictions in the availability of technologies and components" and "a software and hardware complex that meets the requirements of ensuring the technological independence of critical information infrastructure, functionality, reliability and security," respectively.

At the same time, a number of requirements are imposed on DPAK: namely, ensuring the technological independence of CII, functionality, reliability and security. To do this, a DPAK must have a key technical solution (KTP), which is an integral part of it and is essential for meeting the requirements listed above at all stages of the life cycle. What a KTP is is not specified, but the definition is very similar to domestic analogues of the TPM hardware module, which, apparently, will need to be installed in each DPAK.

In addition, the standard defines for DPAK a test site, electronic products (RAP) and electronic component base (ECB), which are used for its design, testing and operation.

There is also a definition for software, which is divided into four categories: built-in, system, application and special. All these categories of software must be stored in the code repository, which must be completely located in Russia.

PNST 905-2023 was developed by NPO Critical Information Systems (KIS) and the Engineering Safety expert organization. It was approved by Rosstandart technical committee No. 167, "Software and hardware complexes for critical information infrastructure and software for them," at the end of 2023, on December 28, 2023, by Rosstandart order No. 115-pnst.

Since the standard is preliminary, Rosstandart accepts comments and additions to it, which should be sent to the agency no later than 4 months before the end of its validity period. The main standard will be developed on their basis, but that is a completely different story.

Putin allowed transport security officers to shoot down drones

The Russian president signed a law allowing transport security officers to shoot down unmanned aerial vehicles. The corresponding document was published on January 30, 2024. Read more here.

2023

Increase in the number of cyber attacks on critical information infrastructure facilities in Russia by 16%

The number of cyber attacks on critical information infrastructure (CII) facilities in Russia in 2023 increased by 16% compared to 2022. This is evidenced by the data of the National Coordination Center for Computer Incidents (NCCCI), which became known in May 2024.

According to Kommersant, citing materials from the center, about a third of KII owner organizations have vulnerable resources in their infrastructure. The most common reason is the use of foreign software without technical support and updates.

The number of cyber attacks on critical information infrastructure (CII) facilities in Russia in 2023 increased by 16% compared to 2022

If we analyze the cases of compromise in closed sessions with the NCCC, it turns out that only a small part of the attacks on KII is associated with complex targeted computer attacks at the level of the capabilities of foreign special services, says Pavel Boglay, head of the cybersecurity department of Kryptonit.

According to him, the largest number of attacks on CII objects occurs using DDoS attacks, the use of Trojan viruses, as well as when exploiting the human factor (identical passwords, sending important data through third-party instant messengers, etc.).

Experts of the information security company Solar note that the attackers have begun to carefully prepare for attacks, making them more targeted and complex. Also, hackers are actively using cyber intelligence and social engineering tools in the preparation and development of the attack, the group added.

According to a study by Angara Security specialists, about 40% of attacks on the IT infrastructure of departments and CII objects are associated with malicious software, phishing and DDoS attacks on network equipment, sites and servers.

The head of the InfoWatch ARMA product development department, Demid Balashov, stressed that the important conditions for ensuring cyber protection of the CII object are planning the most secure IT infrastructure, creating a defense architecture, applying the Secure-by-Design approach to minimize vulnerabilities and reducing the surface for attacks.[15]

Repel 65,000 attacks on critical information infrastructure

Domestic specialists repelled more than 65 thousand attacks on critical information infrastructure (CII) facilities in 2023. This information was shared by Deputy Prime Minister of the Russian Federation Chernyshenko, as reported on February 9, 2024 by the press service of State Duma deputy Anton Nemkin.

Critical information infrastructure facilities form the basis of the country's economic system, explained Anton Nemkin.

In fact, these include the most important infrastructure facilities: state-owned companies, banks, industrial enterprises, scientific organizations, transport and health care facilities. Admitting cyber attacks in this case can lead not only to the leakage of corporate information, but also of information related to state secrets. In addition, a cyber incident can disable the production processes of the organization for an indefinite time, the deputy explained.

It is because of these reasons that the KII facilities are under close attention from the attackers, Nemkin emphasized.

Let me remind you that in the first half of 2022 alone, the total number of cyber attacks on Russian organizations increased 15 times compared to the same period in 2021. Of course, the factor of international instability could not but have an effect here, he said.

Switching from one system to another sometimes creates gaps in information security that attackers are actively exploiting. We are talking about vulnerabilities both in application software and in the infrastructure itself. At the same time, the optimal level of security largely depends on the speed of integration of new solutions, said the deputy.

Almost a third of Russian companies with CII faced security incidents

32% of CII subjects experienced security incidents of varying severity. At least 35% of these incidents entailed damage that can be estimated in financial losses. Downtime is the most common consequence of incidents, and its cause is most often DDoS attacks and website hacks. Other negative consequences cited include reputational damage, unrecoverable data loss and direct financial damage. These data were obtained in a study conducted by K2 Tech, which announced it on December 26, 2023.

The subjects of CII include organizations on which the work of transport, communication networks, the functioning of the financial system and state, medical and other services depend. Therefore, stopping their activities can cause serious damage to the life and health of people. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" should protect industry, banks, hospitals and other institutions and companies from cyber threats.

Although the law was passed in 2018, a significant number of companies admitted that they still do not know what solutions they will need to implement the requirements of 187-FZ. 24% of respondents have not yet decided on their plans, 68% have a clear idea of the upcoming purchases, and 8% found it difficult to answer. Due to the complexity of projects and import substitution requirements, companies are forced to purchase additional solutions and replace existing ones. The most popular class of information protection tools as of December 2023 is firewalls. At the same time, many questions are associated with firewalls, because so far there are no Russian analogues comparable in performance to the products of the foreign vendors that have left the market. In second place are means of protection against malicious code. They are followed by network equipment, cryptographic protection and SIEM.

Many companies only began to work closely in 2023 on fulfilling the requirements of 187-FZ. This is due, firstly, to the emergence of Presidential Decree No. 250, which spells out specific practical tasks that need to be completed, deadlines and responsible persons, and secondly, to the fact that in 2022 business was focused on combating attacks and fulfilling the instructions of the FSTEC. As of December 2023, most companies are still at the start of implementation. The most important stage for the successful completion of the project is the qualitative categorization and audit of CII objects. More than half (57%) of companies partially or completely entrust this process to external contractors. It saves a lot of time. When an organization performs an audit on its own, we sometimes encounter the fact that there are 3 times more KII facilities than originally indicated, said Andrey Zaikin, director of business development at K2 Cybersecurity.

Over the years, we have seen a significant increase in the maturity of our industrial customers in the field of information security. The problems that we have encountered before, such as the denial of the need to protect process control systems (APCS) and critical information infrastructure (CII), the absence of persons responsible for ensuring information security, and the use of corporate solutions for protecting APCS, now fade into the background. Nevertheless, the development of the information security market of industrial infrastructures dictates the need to move from protecting CII facilities, primarily industrial automation systems, using passive monitoring, to more tightly integrating protective equipment into the perimeter of such systems and implementing active actions to respond to emerging incidents and (or) prevent them. Increasing customer readiness to implement such an approach in industrial networks is something that still has to be worked on, said Andrey Bondyugin, head of the Kaspersky Lab industrial infrastructure protection projects support group.

Recently, the number of cyber attacks on supply chains has increased, as a result of which hackers inject malicious code into software on the side of a hacked IT company, which then imperceptibly enters customer infrastructure, for example, along with the next update. In terms of potential negative impact, such a cyber attack can really be compared with hacking a significant CII object, especially since a malicious module embedded in the software can enter the infrastructures of many CII subjects at once. One of the options for solving the problem could be the organization of a state service for checking the security of software and IPS, for example, using sandboxes, compositional analysis methods and static, dynamic, interactive analysis tools; after such a check for the absence of "bookmarks" in the distribution kit or service pack, the value of the installer hash sum can be placed in the publicly available register of reliable software, against which KII subjects will check without fail, said Ruslan Rakhmetov, General Director of Security Vision.
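As an added illustration of the register check Rakhmetov describes (this is example code, not from the page or from Security Vision), the script below hashes an installer in a streaming fashion and compares the result with a register of trusted software. The register contents, the product name and the installer bytes are constructed for the demonstration, and the three-way verdict (trusted, hash mismatch, not registered) is an assumption about how such a register would be consumed by a CII subject.

```python
"""Added example: verifying an installer against a register of trusted software.

Everything below (register entries, product name, installer bytes) is constructed
for the demonstration; a real register would be a published, signed list.
"""
import hashlib
from typing import Dict, Iterable, Iterator

VERDICT_TRUSTED = "trusted"              # hash equals the registered value
VERDICT_MISMATCH = "hash mismatch"       # product is registered, bytes differ
VERDICT_UNREGISTERED = "not registered"  # product has no register entry at all


def sha256_hex(chunks: Iterable[bytes]) -> str:
    """Stream-hash an installer so large distributions need not fit in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def file_chunks(path: str, size: int = 1 << 20) -> Iterator[bytes]:
    """Yield a file in 1 MiB pieces for sha256_hex()."""
    with open(path, "rb") as f:
        while True:
            block = f.read(size)
            if not block:
                return
            yield block


def check_installer(product: str, chunks: Iterable[bytes],
                    register: Dict[str, str]) -> str:
    """Return one of the VERDICT_* strings for the installer of `product`.

    A missing entry and a wrong hash are reported separately: the first means
    the software was never vetted, the second that a vetted build has been
    altered (or that the subject holds a build the register does not know).
    """
    expected = register.get(product)
    if expected is None:
        return VERDICT_UNREGISTERED
    actual = sha256_hex(chunks)
    # Registers often publish upper-case hex; compare case-insensitively.
    return VERDICT_TRUSTED if actual.lower() == expected.lower() else VERDICT_MISMATCH


def check_installer_file(product: str, path: str, register: Dict[str, str]) -> str:
    """Convenience wrapper for an installer on disk."""
    return check_installer(product, file_chunks(path), register)


# Constructed sample data: a "vetted" build, a tampered copy, and the register.
GOOD_BUILD = b"ExampleSuite-2.1 installer bytes (constructed sample)"
TAMPERED_BUILD = GOOD_BUILD + b"\x00extra bytes appended after vetting"
REGISTER = {
    "ExampleSuite 2.1": sha256_hex([GOOD_BUILD]),  # hypothetical product name
}

if __name__ == "__main__":
    for name, data in [("ExampleSuite 2.1", GOOD_BUILD),
                       ("ExampleSuite 2.1", TAMPERED_BUILD),
                       ("OtherTool 1.0", GOOD_BUILD)]:
        print(f"{name}: {check_installer(name, [data], REGISTER)}")
```

The distinction between a mismatch and a missing entry matters operationally: an absent entry means the software was never vetted and the installation should stop, while a mismatch on a vetted product is a tampering signal that belongs in an incident queue rather than a procurement one.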

The Ministry of Digital Development allocates 25.2 billion rubles for the development of GIS in the field of cybersecurity

On November 28, 2023, it became known that the Ministry of Digital Development of the Russian Federation intends to allocate 25.2 billion rubles for the development of state systems in the field of cybersecurity. The initiative is designed to speed up import substitution in this area, as well as increase the effectiveness of existing protection systems against hacker intrusions, malware, etc.

According to the Kommersant newspaper, the initiative is stated in the materials of the national project "Data Economics." The indicated amount of the Ministry of Digital Development proposes to invest in the period until 2030. It is planned that all foreign products in the field of information security (information security) will receive Russian analogues. This will help companies and government agencies to abandon import solutions, which is important in the conditions of the formed geopolitical situation.

The Ministry of Digital Development intends to allocate 25.2 billion rubles for the development of state systems in the field of cybersecurity

Of the total amount of 25.2 billion rubles, the Ministry of Digital Development will allocate 7.1 billion rubles for the development of a new system for countering computer attacks, "Multiscanner," based on the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (controlled by the FSB). This platform will be able to process more than 90 million files per year. Multiscanner will become an analogue of the free American service VirusTotal, which analyzes objects for malicious code. The full implementation of the new protective complex is scheduled for 2025.

Another 3.7 billion rubles will go to the development of the state systems "Antifraud" (countering fraudulent calls; Roskomnadzor) and "Anti-phishing" (blocking fraudulent sites; Ministry of Digital Development). The Ministry of Digital Development intends to spend approximately 2.4 billion rubles on assessing the security of key state information systems (GIS). About 12 billion rubles will be required for other cybersecurity systems, including cryptographic tools.

However, market participants say that the investments announced under the project "look somewhat overestimated" even taking into account inflation. At the same time, the commercial director of the Security Code, Fedor Dbar, emphasizes that "financing in itself does not guarantee any result."[16]

FSTEC revealed hundreds of violations in the protection of Russia's information infrastructure

The Federal Service for Technical and Export Control (FSTEC), following an assessment of the security of critical information infrastructure in relation to 900 subjects, revealed about 600 violations. Pavel Zenkin, deputy head of the department's department, spoke about this in mid-November 2023. According to him, in terms of the number of violations detected, the situation has almost not changed compared to 2022.

These are all the same organizational measures: the subject does not know what critical information infrastructure objects it has, does not know their architecture, and specialists do not know that they work on CII objects and ensure their security. As for technical measures, there is also nothing new here: default passwords, connection to external networks, vulnerability analysis is not carried out, threats are not blocked, Zenkin said during the IT forum in Novosibirsk (quoted by RIA Novosti).

FSTEC revealed about 600 violations in the protection of CII

The representative of the FSTEC noted that since the start of the special military operation, the FSTEC of Russia has sent more than 160 measures to the subjects of the information infrastructure aimed at increasing the security of facilities, including vulnerability analysis and software updates in the context of the sanctions policy. According to Zenkin, hundreds of violations in the protection of Russia's information infrastructure are "just a colossal figure."

All the flaws that I mentioned lead to incidents..., he added.

In mid-November 2023, Deputy Director of FSTEC Vitaly Lyutikov noted that the main reason for the large number of vulnerabilities in the software of KII objects was the departure of foreign vendors who stopped supporting their solutions installed on the infrastructure of Russian customers.[17]

"Here it is necessary to build vulnerability management processes in order to minimize at least critical ones," he said.

IT contractors in Russia will be forced to comply with cybersecurity requirements

The Federal Service for Technical and Export Control (FSTEC) is developing requirements for IT contractors to ensure the information security of IT systems. The deputy head of the agency, Vitaly Lyutikov, spoke about this on November 14, 2023.

According to him, cybersecurity requirements for state contractors providing IT development services are necessary because most hacks and data leaks from government information systems occur through development contractors, to which no mandatory requirements are imposed.

FSTEC is developing requirements for IT contractors to ensure the information security of IT systems

The number of threats is growing, the damage from them is increasing. All the old [threats] remain. These problems have to be solved at the legislative level, said Lyutikov (quoted by Vedomosti).

He noted that FSTEC checked 40 thousand systems of critical information infrastructure, and a third of them were sent for revision "in terms of reassessing possible damage" in the event of disruption of operation during hacking. Almost every second system inspected by the Federal Service for Technical and Export Control contains critical vulnerabilities, Lyutikov said.

According to the FSTEC, by mid-November 2023, about 19% of the verified information systems were included in the register of KII facilities. For another 50% of the information systems, categories have not been assigned, and 31% of applications for assigning a particular significance category were returned. At the same time, about 1.6 thousand requirements for the implementation of security legislation were sent to the owners of KII facilities.

The number of systems is growing, the number of objects included in the register of significant objects of CII is increasing. The problem is that operators or owners of CII facilities are trying to underestimate the damage, to minimize it and to show, when defining the facility, that no consequences and no damage will occur. But the incidents that have occurred over the past two years indicate the opposite, added the deputy director of FSTEC.[18]

FSTEC will create a centralized database to control KII facilities - Putin's decree

Russian President Vladimir Putin signed a decree that expanded the powers of the Federal Service for Technical and Export Control (FSTEC). The corresponding document was published in November 2023. Read more here.

FSB detained a citizen of the Russian Federation who entered the cyber intelligence of Ukraine to attack the Russian KII

FSB officers of the Russian Federation detained in the city of Belovo, Kemerovo Oblast, a Russian citizen who conducted illegal activities against the security of the Russian Federation. The detainee was charged with committing a crime under Art. 275 of the Criminal Code of Russia (high treason in the form of providing other assistance to a foreign organization), a preventive measure was chosen in the form of detention. Information about this was published on the official website of the FSB in a message dated October 31, 2023.

Source: operational footage of the FSB of Russia

It was established that the detainee, with the help of an Internet messenger, joined a cyber unit operating in the interests of the Ukrainian intelligence services, which carried out computer attacks using malicious software on information resources from Russia, leading to a disruption of the operability of the country's critical infrastructure facilities.

According to the FSB, investigative actions and operational-search measures were carried out in the addresses of residence and work of the defendant in the criminal case, as well as his connections, during which computer equipment and communications were seized, data were obtained confirming his anti-Russian activities.[19]

The Ministry of Digital Development of the Russian Federation will oblige TV channels and telecom operators to create information security units

In mid-October 2023, it became known that the Ministry of Digital Development of the Russian Federation had developed new requirements according to which Russian media owners, as well as cellular communications operators and satellite television operators, are obliged to create information security (IS) units. The new rules will come into force on January 1, 2025.

According to the Vedomosti newspaper, the requirements apply to all channels of the first and second multiplexes, to Rossiyskaya Gazeta, ITAR-TASS and MIA Rossiya Segodnya. These organizations and telecom operators should switch to domestic means of protecting information, while the use of relevant solutions from unfriendly countries is prohibited. The information security division will become a kind of "internal auditor" of the IT infrastructure, as the number of cyber attacks on Russian companies is growing in light of the current geopolitical situation.

The Ministry of Digital Development has developed new information security requirements for owners of Russian media

The new requirements partially duplicate the provisions of Decree No. 250 (adopted in May 2022), which applies to subjects of critical information infrastructure (CII). Such organizations are obliged to provide a certain standard of protection against emergencies and attempts and consequences of deliberate destructive impact on them. Market participants say that if the strict requirements of KII are extended to the entire operator business and the media, huge financial costs will be required.

In general, the size of investments in the creation of information security units depends on a number of parameters, including the number of employees in the organization, the volume of information infrastructure, etc. The minimum internal information security department will consist of a manager, an information security specialist and a personal data specialist. B1 partner Sergei Nikitchuk believes that, depending on the size of the business, compliance with the new requirements will require investments of 5 million to 50 million rubles a year. In addition, additional costs will be needed due to the need for import substitution of information protection tools.[20]

Details of cyber attacks on Russian defense industry enterprises through Microsoft Office revealed

Positive Technologies experts Denis Kuvshinov and Maxim Andreev, with the participation of the PT Expert Security Center incident response and threat intelligence teams, prepared a detailed report analyzing a Trojan they named MataDoor. The Trojan had previously been spotted in Malwarebytes and Kaspersky Lab reports, where it was named MATAv5 and attributed to the activities of the Lazarus hacker group. Positive Technologies experts obtained a sample at one of the defense industry enterprises in the fall of 2022.

The experts tentatively associate the initial vector of malware penetration into the enterprise infrastructure with the exploitation of the CVE-2021-40444 vulnerability in the Microsoft Internet Explorer component (MSHTML). The same component is used by Microsoft Office applications, which makes it possible to craft a document that starts downloading and executing malicious code on the victim's machine. For a successful attack, the victim needs to download a document in DOCX format and open it for editing in Microsoft Office.

MataDoor can be used to steal valuable, classified or personal information, as well as to implement listening, tracking components and logic bombs

According to the researchers, letters containing documents with exploits for the CVE-2021-40444 vulnerability were sent to Russian enterprises of the military-industrial complex in August-September 2022. Some of them were related in content to the field of activity of the attacked enterprises, while others were composed simply to attract the addressee's attention. Earlier, in September 2021, Malwarebytes had recorded and investigated similar mailings, but with a different exploit.

The letters carrying the CVE-2021-40444 exploit had to prompt the user to enable document editing mode, which is a prerequisite for the exploit to trigger. These letters used a specific text design intended to encourage the user to turn on editing mode in order to change the font color to a more contrasting one. Once editing mode is enabled, malicious code is downloaded and executed from a resource controlled by the attackers. Therefore, if your employees received and viewed letters with low-contrast or otherwise inconveniently formatted text, it is worth examining your infrastructure using the indicators of compromise that the researchers published in the report.
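To show what checking an attachment for this particular vector can look like before it reaches a user, here is an added defender-side scanner (example code, not from the page or from Positive Technologies). It inspects the relationship parts of a DOCX for an external oleObject relationship and treats an mhtml: target or an !x-usc: fragment as a high-severity indicator; that relationship pattern comes from public write-ups of CVE-2021-40444 and is an assumption of this example, not something stated on the page. The sample documents, hostnames and relationship ids are constructed in memory.

```python
"""Added example: scan a DOCX for the external OLE relationship pattern
associated (in public write-ups, an assumption here) with CVE-2021-40444.

A DOCX is a ZIP; relationships of the main document live in
word/_rels/document.xml.rels. Ordinary documents never reference an OLE object
outside the package, so any external oleObject relationship is worth a look,
and an mhtml: target is the specific shape reported for this vulnerability.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def scan_docx(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious relationship in any word/**/*.rels part."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # Internal relationships point inside the package: not interesting.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                low = target.lower()
                severity = "high" if (low.startswith("mhtml:") or "!x-usc:" in low) else "medium"
                findings.append({"part": part, "id": rel.get("Id", ""),
                                 "target": target, "severity": severity})
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal DOCX (constructed) with the given document.xml.rels content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed: a normal document with a styles part and an external hyperlink.
BENIGN_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>'''

# Constructed: the same document plus an external oleObject with an mhtml: target
# (hostname is a placeholder; the shape is the public indicator, not an exploit).
SUSPICIOUS_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="mhtml:http://example.invalid/word.html!x-usc:http://example.invalid/word.html" TargetMode="External"/>
</Relationships>'''

if __name__ == "__main__":
    print("benign:", scan_docx(build_sample_docx(BENIGN_RELS)))
    print("suspicious:", scan_docx(build_sample_docx(SUSPICIOUS_RELS)))
```

A scan of this kind is cheap enough to run on every inbound DOCX at the mail gateway, before the document ever reaches a user who might enable editing; a medium finding (any external OLE relationship) still merits a look, since documents produced by ordinary office workflows almost never reference OLE objects outside the package.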

It should be noted that MataDoor is designed for long-term covert operation in a compromised system. Its files are given names resembling legitimate software installed on infected devices. In addition, a number of samples had a valid digital signature. The identified executables and libraries were also processed with the Themida protector to complicate their analysis and detection.

The malware itself is a modular Trojan consisting of a core (orchestrator) and modules (plugins), which do the actual work depending on which computer it is installed on. MataDoor also provides infrastructure for its modules to transfer data to the command-and-control server and asynchronously execute commands received from it. Thus, MataDoor can be used both to steal valuable, secret or personal information and to deploy listening and tracking components and logic bombs. The damage caused by the detected malware and related samples is still difficult to assess; each individual case requires a thorough investigation.

Government May Ease Import Substitution Requirements in Critical Information Infrastructure

The requirements of the decree of President Vladimir Putin on the transfer of critical information infrastructure (CII) facilities to domestic solutions may be mitigated. In accordance with the decree signed on March 30, 2022, all software and hardware complexes (PAC) at KII facilities should be replaced by domestic ones by January 1, 2025.

But for PACs, the deadline may be extended until the end of the service life of existing solutions. Such an amendment to the decree was developed by the Ministry of Industry and Trade, a federal official told Vedomosti, and a top manager of one of the oil and gas companies confirmed this. According to them, the document has been submitted to the government.

Ministry of Digital Development will create a software registry for critical information infrastructure objects

On August 7, 2023, it became known that the Ministry of Digital Development of the Russian Federation developed a new bill on the security of critical information infrastructure (CII). The document in the future will lead to the formation of a special register of software allowed for use in CII systems.

According to the Kommersant newspaper, the document "empowers the government to determine for each industry (and not just state-owned companies) standard solutions that will be attributed to KII facilities, as well as establish for them the timing of the transition to Russian solutions." In addition, it is planned to select typical IT solutions that will be classified as CII facilities. In other words, information systems used in certain industries will be equated directly to CII objects.

Ministry of Digital Development has developed a new bill on the security of critical information infrastructure

As of the beginning of August 2023, the subjects of the KII include government agencies, organizations in the field of communications, health, science, transport, power, banking, the fuel and energy complex and other significant sectors of the economy.

Categorizing the information systems themselves in significant industries will, in fact, expand the scope of the law by including objects that were not previously covered. This will lead to the emergence of a register of software recommended for use by enterprises and organizations in various sectors of the economy.

Market participants believe that the new bill will contribute to the fact that it will be easier for specialists in KII subjects to categorize based on government-approved lists. On the other hand, it could "strengthen regulatory barriers for the industry." Belonging to the CII imposes on organizations a number of working conditions, including security and import substitution. According to the decree of the President of the Russian Federation of March 2022, government agencies and state-owned companies are prohibited from using foreign software at KII facilities from January 1, 2025.[21]

Ministry of Digital Development of the Russian Federation asked government agencies to create an additional IT infrastructure with georeservation

On August 4, 2023, it became known that the Ministry of Digital Development of the Russian Federation sent methodological recommendations to the departments to strengthen the stability of information infrastructure. In particular, it is proposed to back up communication channels and ensure the geographical distribution of data centers (data centers).

According to the Kommersant newspaper, the IT systems of federal departments belong to the critical information infrastructure (CII). In the current geopolitical situation, the number of cyber attacks on such resources has increased significantly, which leads to the need to strengthen protection. Redundancy of communication channels is required if, for example, in a data center where one or more departments store data, access is organized on a single line. In the event of a cyber attack or physical damage to the network channel, access to the department's information system will not be possible.

The Ministry of Digital Development sent methodological recommendations to the departments to strengthen the stability of information infrastructure

Against the background of new threats in cyberspace, an effective protective solution can be the creation of geodistributed virtual and physical data centers with backup communication channels. If this is not possible, then at least it is necessary to connect additional communication channels to the information system, which will be built along geographically different routes.

Market participants say that the recommendations of the Ministry of Digital Development have already influenced, among other things, the growth in demand for the placement of data in regional data centers. Thus, some Russian companies are transferring the processing and storage of information from data centers in the Moscow region to beyond the Urals. Providers note an increase in demand in the cloud services segment in Yekaterinburg and Novosibirsk. However, the formation of IT infrastructures with georeservation and the deployment of additional information transmission channels will entail an increase in the costs of departments for information infrastructure. Costs can rise by 10% due to the need to lease additional servers and create auxiliary network channels.[22]

Real estate data in Russia will protect against cyber attacks

At the end of June 2023, the State Duma adopted in the third (final) reading amendments to the federal law "On the Security of the Critical Information Infrastructure of the Russian Federation" clarifying the subjects of critical information infrastructure.

The document extends CII to the information systems, information and telecommunication networks and automated control systems operating in the field of state registration of real estate; the persons who own such systems and networks will accordingly be considered CII subjects.

CII will include information systems, information and telecommunication networks and automated control systems operating in the field of state registration of real estate

This initiative, according to its authors, will extend to the real estate sector the set of measures the state uses to protect critical information infrastructure. The new norms are being introduced to ensure the security of real estate registration data "to protect them from hacker attacks and theft," says Vasily Piskarev, chairman of the Duma Security Committee.

"One can only assume the consequences of hackers' attempts to hack into databases and, for example, change the data on real estate owners, or simply steal this information for fraudulent purposes," he said.

The adoption of the bill will make it possible to implement a set of measures to detect, prevent and eliminate the consequences of computer attacks carried out against objects of this sphere, and will create conditions for countering crimes, the explanation to the document says.

Nikita Chaplin, a member of the Committee on Budget and Taxes, stressed that it is extremely important to pay special attention to protection against theft of registration data in the field of real estate, especially when it comes to the critical information infrastructure of the Russian Federation. At the same time, he noted that the Russian special services successfully repel attacks.[23]

The FSB's cybersecurity center records growth in cyber attacks through IT contractors. What is recommended

The National Coordination Center for Computer Incidents (NCCC), subordinate to the FSB, calls supply-chain cyber attacks on the information systems of government agencies and critical information infrastructure (CII) subjects, carried out through the IT infrastructure of contractors, one of the key trends of 2023.

NCCC expert Andrei Rayevsky, speaking at an international information security conference on June 6, explained that an IT contractor often develops and hands over a project but keeps administrator rights for author supervision or further support of the system, and there is a growing tendency to penetrate the infrastructure of government agencies and CII subjects through these administrative rights of the IT contractor.

At the same time, there are no legislative information security requirements for the information systems of such contractors. According to the expert, the NCCC is considering providing for such requirements at the legislative level, first of all for IT contractors performing work for government agencies and CII subjects.

From the presentation of Andrei Rayevsky

The NCCC, for its part, recommends that customers write information security requirements for contractors' IT resources into the technical assignments (terms of reference) for IT projects; some major organizations already do this, Andrei Rayevsky notes.

In addition, the NCCC recommends limiting the number of privileged users from among contractors who are assigned to their systems.

Domestic privileged access management (PAM) tools are available on the market, and their use is becoming highly relevant; the NCCC believes they deserve a closer look.

It is also necessary to monitor reports of leaks and computer incidents at contractors, and when such leaks affect the customer's information resources, to require the developers to respond and investigate their causes.
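The NCCC recommendations above (few contractor accounts with privileged rights, and attention to what happens to them after the project ends) can be turned into a routine check. The following Python script is an added example, not NCCC code and not from the original article: it audits a constructed export of directory accounts and flags contractor accounts that keep a privileged role after the contract end date, have no expiry set, or have been dormant. The record format, the role names, the 30-day dormancy threshold and the sample accounts are all assumptions.

```python
"""Audit of privileged accounts issued to IT contractors.

Added example illustrating the NCCC recommendations above; it is not NCCC code. The record
format, the role names, the 30-day dormancy threshold and the sample accounts are all
constructed assumptions, not data from any real directory.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRIVILEGED_ROLES = {"domain_admin", "sysadmin", "dba", "app_admin"}  # assumed role names
DORMANT_DAYS = 30  # assumed policy: unused privileged accounts are disabled after 30 days


@dataclass(frozen=True)
class Account:
    login: str
    org: str                      # "internal" or the contractor's name
    roles: frozenset[str]
    contract_end: Optional[date]  # None for internal staff
    expires: Optional[date]       # account expiry configured in the directory, if any
    last_login: Optional[date]    # None if the account has never logged in


def audit_contractor_accounts(accounts, today):
    """Return (login, finding) pairs for contractor accounts holding privileged roles
    that outlive the contract, have no expiry, or sit unused."""
    findings = []
    for a in accounts:
        if a.org == "internal" or not (a.roles & PRIVILEGED_ROLES):
            continue
        if a.contract_end is not None and a.contract_end < today:
            findings.append((a.login, "privileged role retained after contract end"))
        if a.expires is None:
            findings.append((a.login, "no account expiry set"))
        elif a.contract_end is not None and a.expires > a.contract_end:
            findings.append((a.login, "account expiry later than contract end"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.login, f"dormant for more than {DORMANT_DAYS} days"))
    return findings


def count_privileged_by_org(accounts):
    """Privileged accounts per organization: the figure the NCCC advises keeping small
    for contractors."""
    counts = {}
    for a in accounts:
        if a.roles & PRIVILEGED_ROLES:
            counts[a.org] = counts.get(a.org, 0) + 1
    return counts


# Constructed sample export (not real accounts).
TODAY = date(2023, 6, 6)
SAMPLE = [
    Account("ivanov", "internal", frozenset({"sysadmin"}), None, None, TODAY - timedelta(days=1)),
    # contract ended in March, still app_admin, no expiry, last seen in February
    Account("vendor1-admin", "Vendor One", frozenset({"app_admin"}),
            date(2023, 3, 31), None, date(2023, 2, 10)),
    # compliant: expiry matches the contract, used three days ago
    Account("vendor2-support", "Vendor Two", frozenset({"dba"}),
            date(2023, 12, 31), date(2023, 12, 31), TODAY - timedelta(days=3)),
    # not privileged, so out of scope for this check
    Account("vendor2-ops", "Vendor Two", frozenset({"helpdesk"}), date(2023, 12, 31), None, None),
]

if __name__ == "__main__":
    for login, finding in audit_contractor_accounts(SAMPLE, TODAY):
        print(f"{login}: {finding}")
    print(count_privileged_by_org(SAMPLE))
```

On the sample data only vendor1-admin is reported (three findings); the internal administrator and the non-privileged contractor account are skipped, and the compliant contractor account produces nothing. In practice the export would come from the directory or PAM system, and the same three conditions are what a reviewer checks by hand when a project is handed over.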

FSB approved the procedure for monitoring the security of sites of CII subjects

On June 2, 2023, the Federal Security Service of the Russian Federation (FSB) approved the procedure for monitoring the security of sites of subjects of critical information infrastructure (CII).

We are talking about resources belonging to the federal executive bodies, the highest executive bodies of state power of the constituent entities of the Russian Federation, state funds, state corporations (companies) and other organizations created on the basis of federal laws. In addition, the document applies to strategic enterprises and joint-stock companies, backbone organizations of the Russian economy, as well as legal entities that are subjects of CII.

The FSB of the Russian Federation approved the procedure for monitoring the security of sites of subjects of critical information infrastructure

Monitoring is carried out to assess the ability of organizations' information resources to withstand information security threats. The work is performed by the FSB Center for Information Protection and Special Communications and by territorial security agencies, and covers information systems (including websites), information and telecommunication networks and automated control systems.

According to the FSB order, organizations must send information about the domain names and external network addresses of their information resources, as well as changes to them, to monitoring@fsb.ru. Security monitoring is carried out continuously and includes collecting and analyzing information and documents about the information resources in use, identifying running services and detecting vulnerabilities, and assessing system security. The identification of running resources and the search for potential problems are performed remotely, without prior notice to the organization that work is starting.[24]

FSTEC calls on government agencies and banks to disable access to corporate mail through foreign IP

On March 21, 2023, it became known about the information security recommendations that the Federal Service for Technical and Export Control (FSTEC) sent to subjects of critical information infrastructure (CII: government agencies, communications, finance, the fuel and energy complex, telecom operators, etc.).

In particular, as Kommersant writes with reference to the FSTEC presentation, the service calls for disabling remote access to critical nodes and networks, prohibiting open relay (a mail server configuration that lets anyone pass mail through the server without authentication), and prohibiting e-mail exchange with foreign IP addresses.

It is recommended that CII objects disable remote access to critical nodes, prohibit open relay and interaction via mail with foreign IP

FSTEC explained that these measures will additionally protect the mail systems of significant CII-related organizations in the Russian Federation. FSTEC also recalled the need to record the actions of all privileged users in the IT systems of CII facilities in order to counter possible insiders ("internal violators"), including outsourced personnel who support the companies' technological processes and employees of other organizations involved in the work.
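The open-relay item in the FSTEC advice is a configuration question, and it can be checked statically before a mail server is exposed. The following Python script is an added example, not an FSTEC or Postfix tool: it parses a Postfix main.cf and reports the two common ways a server ends up relaying for anyone, a mynetworks that trusts every address and a restriction list that reaches an unconditional permit (or its end) before reject_unauth_destination. The configuration samples are constructed, and the evaluation rules are the Postfix semantics assumed in the module docstring.

```python
"""Static check of a Postfix main.cf for open-relay conditions.

Added example for the FSTEC advice above, not an FSTEC or Postfix tool. The configuration
samples are constructed. Assumed Postfix semantics: a restriction list is evaluated left to
right, the first permit/reject decision wins, an unconditional 'permit' or the end of the
list means permit, and relaying succeeds only if smtpd_relay_restrictions and
smtpd_recipient_restrictions both permit (Postfix 2.10+ defaults assumed).
"""
import re

# Restrictions that stop an unauthenticated outside client from relaying.
UNAUTH_BLOCK = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}
# mynetworks entries that make permit_mynetworks match everyone.
ANY_NETWORK = {"0.0.0.0/0", "0.0.0.0/0.0.0.0", "[::]/0", "::/0"}
# Compiled-in default of smtpd_relay_restrictions in Postfix 2.10 and later.
DEFAULT_RELAY = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"


def parse_main_cf(text):
    """Parse 'parameter = value' lines; lines starting with whitespace continue the previous
    value, lines starting with '#' are comments (Postfix has no inline comments)."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def _tokens(value):
    return [t for t in re.split(r"[,\s]+", value) if t]


def _allows_unauth_relay(tokens, any_network_trusted):
    """Walk one restriction list as an unauthenticated client from an arbitrary address."""
    for tok in tokens:
        if tok in UNAUTH_BLOCK:
            return False
        if tok == "permit" or (tok == "permit_mynetworks" and any_network_trusted):
            return True
    return True  # end of list: Postfix permits


def relay_findings(params):
    """Return human-readable findings; an empty list means no open-relay condition found."""
    findings = []
    any_network = bool(set(_tokens(params.get("mynetworks", ""))) & ANY_NETWORK)
    if any_network:
        findings.append("mynetworks trusts every address, so permit_mynetworks matches any client")
    relay = _tokens(params.get("smtpd_relay_restrictions", DEFAULT_RELAY))
    recipient = _tokens(params.get("smtpd_recipient_restrictions", ""))
    if _allows_unauth_relay(relay, any_network) and _allows_unauth_relay(recipient, any_network):
        findings.append("open relay: unauthenticated clients reach the end of both restriction "
                        "lists without hitting reject_unauth_destination")
    return findings


def is_open_relay(main_cf_text):
    return any(f.startswith("open relay") for f in relay_findings(parse_main_cf(main_cf_text)))


# Constructed samples: two weak configurations beside a hardened one.
WEAK_TRUST_ALL = """
myhostname = mail.example.test
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

WEAK_PERMIT_LAST = """
mynetworks = 127.0.0.0/8, [::1]/128
# 'permit' before reject_unauth_destination makes the reject unreachable
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, permit,
    reject_unauth_destination
"""

HARDENED = """
mynetworks = 127.0.0.0/8, [::1]/128, 10.20.0.0/16
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_recipient_domain
"""

if __name__ == "__main__":
    for name, cfg in [("weak: trust all", WEAK_TRUST_ALL),
                      ("weak: permit first", WEAK_PERMIT_LAST), ("hardened", HARDENED)]:
        print(name, relay_findings(parse_main_cf(cfg)) or ["ok"])
```

The first weak sample looks correct at a glance because reject_unauth_destination is present, but mynetworks = 0.0.0.0/0 makes permit_mynetworks match every client before the reject is reached; the second puts an unconditional permit ahead of it. A static check like this complements, and does not replace, an actual relay test from an outside address against the running server.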

2022

Tasks set by the President, with his comments (the source presents these as a two-column table, "Tasks" and "Comments by Russian President Vladimir Putin"):

  • Task: Improve and fine-tune the mechanisms for ensuring the information security of critical industrial facilities, on which the country's defence capability, the stable development of the economy and the social sphere directly depend.
    Comment: So far, a third of such facilities have no structural units for information protection. Such units should be created as quickly as possible and staffed with specialists who know the industry's specifics well. Coordination of all structures ensuring the information security of critical facilities should be fixed at the strategic level, and personal responsibility for these issues, in accordance with Decree No. 250, is assigned to the heads of organizations.
  • Task: Increase the security of information systems and communication networks in government bodies. Audits conducted in 2021 showed that most of the resources operating there are vulnerable to massive attacks and destructive external influence, all the more so when foreign technologies of the latest generation are used.
    Comment: The defence of the domestic digital space must be strengthened; there should be no weak spots. It is fundamentally important to reduce to zero the risks of leaks of confidential information and citizens' personal data, including through stricter control of the rules for using official equipment and communications. The creation of a state information protection system should be considered. The President expects concrete proposals from the Security Council participants on what additional steps should be taken to ensure the sustainable operation of the information infrastructure in authorities and public administration.
  • Task: Radically reduce the risks associated with the use of foreign software, computing equipment and telecommunications equipment.
    Comment: The government needs to create a modern Russian electronic component base in the shortest possible time, and to develop and deploy domestic technological equipment for this, including equipment needed for the production of software and hardware systems. Part of the work has already been done: a national crisis headquarters has been created to prevent targeted computer attacks, and information security commissions under the presidential plenipotentiary representatives have been formed in each federal district.

Mishustin approved the procedure for conducting an experiment to increase the level of protection of GIS

In mid-May 2022, Prime Minister Mikhail Mishustin signed a decree approving an experiment to increase the level of security of state information systems (GIS) of federal executive bodies (FOIV) and institutions subordinate to them.

As follows from the document, the experiment will be conducted by the Ministry of Digital Development from May 16, 2022 to March 30, 2023 as part of the federal project "Information Security" of the national program "Digital Economy." The purpose of the experiment will be to assess the level of security of GIS, inventory of protection systems, as well as identify shortcomings in infrastructure, architectural and organizational solutions. As a result, it is planned to develop a list of measures to neutralize GIS vulnerabilities.

Mishustin approved the procedure for conducting an experiment to increase the level of protection of GIS

According to TASS, citing the press service of the Ministry of Digital Development, federal executive bodies or their subordinate institutions will be able to apply to take part in the work to improve the security of their GIS.

"The Ministry of Digital Development, with the involvement of leading commercial information security companies, will carry out measures to assess the current level of GIS security, check the practical possibility of exploiting vulnerabilities, and identify shortcomings in the GIS protection system," the department's press service explained.

As a result of the experiment, Ministry of Digital Development, together with the FSB of Russia and the Federal Service for Technical and Export Control of Russia, will develop and provide the participants in the experiment with recommendations for neutralizing GIS vulnerabilities.

In addition, the Ministry of Digital Development will have to:

  • ensure the conclusion of cooperation agreements and organize the implementation of work to increase the level of protection of the GIS of the participants in the experiment;
  • monitor the progress of eliminating the deficiencies (vulnerabilities) identified within the framework of the experiment.[25]

Putin signed a decree on the creation of cybersecurity departments in medical organizations

In early May 2022, Russian President Vladimir Putin signed a decree creating separate cybersecurity units at critical information infrastructure (CII) facilities, including healthcare institutions. Such a unit is to be headed by one of the deputy heads of the organization; its duties and the functions of the unit will be approved by the government within a month.

According to the document, cybersecurity units are obliged to cooperate with the FSB, give its employees unhindered access (including remote access) to information resources for monitoring, and follow its instructions issued on the basis of audit results.

Putin signed a decree on the creation of cybersecurity departments in medical organizations

From January 1, 2025, healthcare institutions and other CII facilities are prohibited from using information security tools originating from unfriendly countries; equipment of firms under the direct or indirect control of an unfriendly country, or affiliated with it, also falls under the ban.

Explanations on the application of the decree will be given by the Ministry of Finance and the Central Bank, follows from the decree. The government was instructed to approve the list of persons under sanctions within 10 days and determine additional criteria for classifying transactions as prohibited.

The activity of cybercriminals against medical institutions is growing steadily. By 2022 medicine was among the top three sectors by number of cyber attacks of various kinds, second only to government agencies and industry, displacing banks and financial companies from the top three.

The variety of information systems in different medical and preventive institutions (LPUs), which may be public, private or departmental, means that different approaches to information protection are applied. The protection of LPU systems is often fragmented, which complicates their cyber defense.[26]

Created an interdepartmental commission of the Security Council of the Russian Federation to ensure the technological sovereignty of the country in the field of CII development

By presidential decree, an interdepartmental commission of the Security Council was created in Russia to ensure the country's technological sovereignty in the development of critical information infrastructure (CII). This was announced on April 25, 2022 by IVK. The main task of the commission will be to develop measures to ensure the security of CII. Read more here.

Positive Technologies: government agencies are the worst protected from cyber attacks

In Russia, state bodies are worst protected from hacker attacks, according to Positive Technologies, a company specializing in information security technologies. Experts made the corresponding statement in mid-April 2022.

"Federal ministries and departments show the least readiness for cyber attacks. Officials are now forced to live in the paradigm of a past time," said Maxim Filippov, director of business development at Positive Technologies in Russia.

In Russia, government agencies are the worst protected from hacker attacks, according to Positive Technologies, a company specializing in information security technologies.

According to him, procurement procedures are defined by Federal Laws 44-FZ and 223-FZ. To purchase a protection tool, which by April 2022 had become more relevant than ever, or to let experts onto their premises for a retrospective investigation or a reconfiguration of protection tools, agencies must go through a large number of difficult procedures. They do not have time to respond, while the dynamics and types of attacks change every minute. If you do not detect and respond quickly, there will soon be nothing left to protect, Filippov said.

He also pointed out that state structures and companies with state participation are opponents of information exchange with experts about past cyber attacks.

"Government agencies are afraid of publicizing these incidents even within a circle of expert companies. Personally, I do not understand this at all. In the current environment they need collaboration with experts focused on securing infrastructure in cyberspace like air," he added.

Positive Technologies Business Development Director cited data according to which the activity on cyber attacks on companies and government agencies in the Russian Federation from late February to mid-April 2022 increased 100 times, while banks were most prepared for cyber attacks, and least of all - federal departments and companies with state participation.[27]

FSTEC creates a system for secure development of software for 0.5 billion rubles

On February 16, 2022, the Federal Service for Technical and Export Control (FSTEC) of Russia announced a tender for "creating a unified environment for the development of safe domestic software." The initial (maximum) contract price is 510 million rubles. Read more here.

2021

The number of criminal cases due to attacks on government agencies and banks in Russia has tripled

In 2021, 70 criminal cases were opened in Russia over cyber attacks and other unlawful impact on critical information infrastructure (CII: the IT systems of government agencies, banks, transport, the fuel and nuclear industries, power, etc.), compared with 22 a year earlier. This is evidenced by an InfoWatch study based on statistics from the Ministry of Internal Affairs and data from the state automated system "Justice." Read more here.

More than 90% of attacks by highly professional groups are directed at critical infrastructure facilities

The vast majority (92%) of cyber attacks committed by highly professional attackers in 2021 were aimed at critical information infrastructure (CII) facilities. Most often, highly qualified hackers (cyber mercenaries and pro-government groups) were drawn to state organizations, power companies, industry and the military-industrial complex. These figures were announced on December 7, 2021 by Igor Lyapunov, Rostelecom's vice-president for cybersecurity and general director of Rostelecom-Solar.

In total, according to the Rostelecom-Solar study, over 300 attacks by professional attackers were recorded in 2021, one third more than in 2020. Most were carried out by groups of medium qualification (cybercrime). Such hackers use customized tools, publicly available malware and known vulnerabilities, and social engineering, and their main goal is direct monetization of the attack through ransomware encryption, cryptomining or cashing out.

Highly professional groups accounted for 18% of the attacks in the reporting period. They use sophisticated tools: custom-written software, 0-day vulnerabilities and previously planted implants ("bookmarks"). As a rule, their aims are commissioned work, cyber espionage, hacktivism or complete takeover of the infrastructure, and their victims are large businesses and CII facilities.

"Such attacks are almost always targeted, so attackers first carefully study the target organization. Moreover, cyber mercenaries and pro-government groups conduct reconnaissance not only against the victim's IT perimeter but also against its contractors," said Vladimir Dryukov, director of the Solar JSOC cyber attack counteraction center at Rostelecom-Solar. "These groups are well acquainted with the logic of basic information protection tools, which allows them to remain unnoticed for a long time. The damage from their actions can amount to hundreds of millions of rubles, and where CII is concerned there are also risks to the country's economy as a whole, the security of citizens and the political situation."

The key techniques used by professional hackers to hack the perimeter have changed slightly over the year. Phishing still occupies a leading position among medium-level attackers (60% of attacks), which is explained by its cheapness and mass.

In 50% of attacks, highly qualified hackers exploit web vulnerabilities, because the web applications of CII objects and state authorities (for example, corporate portals or web mail) are still poorly protected and contain a huge number of errors. In addition, highly professional attackers resort to attacks through a contractor more often than cybercriminals do, and the number of such attacks has been growing for several years. Phishing, by contrast, is used by them in only 2% of cases. The most popular hacking techniques of 2021 also include exploitation of the MS Exchange vulnerabilities, which the report says were published at the end of 2020.

As a year earlier, attackers most often used startup mechanisms and system services to gain persistence inside the network, and remote services (RDP, SMB, SSH) to advance the overwhelming majority of attacks. This is partly due to the mass shift to remote work: companies have begun to actively use these protocols, which provide remote access to files and devices.
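The two behaviours named in the paragraph above, persistence through new services and startup entries and lateral movement over RDP/SMB/SSH, are detectable from ordinary host and logon telemetry. The following Python script is an added example, not from the Rostelecom-Solar report or the original article: it runs two correlation rules over a constructed set of events, one for a new service, Run key or scheduled task appearing shortly after a remote logon from a non-approved address, and one for a single source address fanning out to several hosts in a short window. The event fields loosely follow Windows logon types (10 for RDP, 3 for network/SMB logons) and sshd accept messages rather than any specific SIEM schema; the thresholds, the jump-host allowlist and all sample events are assumptions.

```python
"""Detection logic for the two techniques named above: persistence through new services
and startup entries, and lateral movement over RDP/SMB/SSH.

Added example, not from the Rostelecom-Solar report. The event records are constructed;
their fields loosely follow Windows Security/System log and Linux sshd data (logon type 10
for RDP, type 3 for network/SMB logons, a new service or Run key on the host), not any
particular SIEM schema. Thresholds and the jump-host allowlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed correlation window
FANOUT_HOSTS = 3                    # assumed: one source reaching 3+ hosts in WINDOW is suspicious
JUMP_HOSTS = {"10.8.9.7"}           # assumed allowlist of administrative jump hosts
PERSISTENCE = {"service_installed", "run_key_set", "scheduled_task_created"}

# Constructed sample events (one workstation compromise followed by fan-out to servers).
EVENTS = [
    {"ts": "2021-11-02T09:00:05", "host": "ws-12", "type": "logon", "logon_type": 10,
     "src": "10.8.1.50", "user": "j.smith"},
    {"ts": "2021-11-02T09:03:40", "host": "ws-12", "type": "service_installed",
     "name": "WinUpdSvc", "image": "C:\\Users\\Public\\upd.exe"},
    {"ts": "2021-11-02T09:05:12", "host": "srv-file1", "type": "logon", "logon_type": 3,
     "src": "10.8.1.50", "user": "j.smith"},
    {"ts": "2021-11-02T09:06:30", "host": "srv-file2", "type": "logon", "logon_type": 3,
     "src": "10.8.1.50", "user": "j.smith"},
    {"ts": "2021-11-02T09:07:55", "host": "srv-db1", "type": "logon", "logon_type": 10,
     "src": "10.8.1.50", "user": "j.smith"},
    {"ts": "2021-11-02T09:08:10", "host": "srv-db1", "type": "run_key_set",
     "name": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "image": "C:\\Users\\Public\\upd.exe"},
    # routine: an SSH session from the jump host followed by an agent install
    {"ts": "2021-11-02T10:42:00", "host": "srv-app1", "type": "ssh_accepted",
     "src": "10.8.9.7", "user": "deploy"},
    {"ts": "2021-11-02T10:45:00", "host": "srv-app1", "type": "service_installed",
     "name": "app-agent", "image": "/opt/agent/bin/agent"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_remote_logon(event):
    """RDP (type 10), network/SMB (type 3) or accepted SSH logins."""
    return (event["type"] == "logon" and event.get("logon_type") in (3, 10)) \
        or event["type"] == "ssh_accepted"


def detect_persistence_after_remote_logon(events):
    """A new service, Run key or scheduled task on a host shortly after a remote logon
    from an address that is not an approved jump host."""
    alerts = []
    ordered = sorted(events, key=_ts)
    for i, event in enumerate(ordered):
        if event["type"] not in PERSISTENCE:
            continue
        for prior in reversed(ordered[:i]):
            if _ts(event) - _ts(prior) > WINDOW:
                break
            if prior["host"] == event["host"] and is_remote_logon(prior) \
                    and prior["src"] not in JUMP_HOSTS:
                alerts.append({"rule": "persistence_after_remote_logon", "host": event["host"],
                               "src": prior["src"], "user": prior["user"],
                               "artifact": event["name"]})
                break
    return alerts


def detect_lateral_fanout(events):
    """One source address opening RDP/SMB/SSH sessions to FANOUT_HOSTS or more
    distinct hosts within WINDOW."""
    alerts = []
    by_src = defaultdict(list)
    for event in sorted(events, key=_ts):
        if is_remote_logon(event) and event["src"] not in JUMP_HOSTS:
            by_src[event["src"]].append(event)
    for src, logons in by_src.items():
        for i, first in enumerate(logons):
            hosts = {l["host"] for l in logons[i:] if _ts(l) - _ts(first) <= WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append({"rule": "lateral_fanout", "src": src,
                               "hosts": sorted(hosts), "start": first["ts"]})
                break  # one alert per source is enough
    return alerts


def run_detections(events):
    return detect_persistence_after_remote_logon(events) + detect_lateral_fanout(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

On the sample the script raises three alerts: persistence on ws-12 and srv-db1 right after RDP logons from 10.8.1.50, and a fan-out alert for that address reaching four hosts within eight minutes. The jump host's SSH session followed by an agent install produces nothing, which is the point of the allowlist: without it, routine administration would trigger the persistence rule constantly, and the rule would be switched off.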

Ministry of Digital Development will check the safety of its GIS for almost 150 million rubles

The Ministry of Digital Development is ready to pay 149,681,625.9 rubles for an independent security check of state information systems (GIS), including mobile applications. The information appeared on the public procurement portal at the end of October. The winner of the tender will be determined in early December 2021, and the GIS check is to be completed by March 30, 2022.

The Ministry did not answer the question about the purpose of the GIS check and did not specify which systems they plan to check. The ministry itself and through subordinate structures is responsible for more than 30 GIS, including:

  • "Unified Portal of State and Municipal Services (Functions)" (the Gosuslugi portal);
  • "Unified System of Interdepartmental Electronic Interaction" (SMEV);
  • "Unified Identification and Authentication System" (ESIA);
  • "State Information System of Housing and Communal Services" (GIS Housing and Communal Services);
  • "Unified Interdepartmental Information and Statistical System" (UIISS);
  • "Federal Portal of Public Service and Management Personnel";
  • Unified Regulatory Reference Information System (ESNSI);
  • "Official website of the Russian Federation on the Internet for posting information about bidding" (the Gosprodazh portal);
  • "AIS" Management of departmental and regional informatization ";
  • IS "Independent Registrar," etc.

The Ministry of Digital Development is ready to pay for an independent check of the security of GIS. Photo - Open Sources

In Russia, in accordance with Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection," FSTEC (the Federal Service for Technical and Export Control) is responsible for the verification and certification of GIS. Accordingly, all requirements for GIS are set out in FSTEC Order No. 17 of February 11, 2013 "On Approval of Requirements for the Protection of Information Not Constituting State Secrets Contained in State Information Systems." Independent checks of GIS by state authorities themselves are not regulated by legislation.

Alexey Lukatsky, a security business consultant at Cisco Systems, commenting on the tender, noted that the business regularly checks information systems for vulnerabilities. In large international companies, scheduled checks of information protection systems are carried out once every six months, and sometimes once a quarter. Due to the lack of information security budgets, state structures conduct such checks much less often, or even do not conduct them at all.

The practice of regularly checking GIS, according to the expert, appeared in Russia only a few years ago. Detected vulnerabilities are most often fixed with patches or by reconfiguring the information security systems; for architectural defects, a technical assignment (terms of reference) is drawn up for reworking the information security system.

According to Alexei Lukatsky, the price of services for finding vulnerabilities in information security systems depends on the scale of the tested GIS and the depth of analysis.

Hacker group attacking Russian fuel and energy complex and aviation industry discovered

At the end of September 2021, it became known about the appearance of a new hacker group ChamelGang, which was seen in attacks on critical information infrastructure, including in Russia. Read more here.

How to protect critical infrastructure. Review of a large expert discussion

As part of the ITSF-2021 Digital Forum held in June, a discussion panel was held on the information security of critical infrastructure. Experts discussed a wide range of issues, including: the practice of implementing FZ-187, categorizing CII, import substitution, assessing damage under various threats, and much more. The session was moderated by an independent information security expert Alexei Lukatsky. Read more here.

Mission impossible: banks will soften the conditions for the transition to domestic software and equipment

On July 16, 2021, the working group on the transition of financial organizations to domestic software and equipment under the State Duma Committee on the Financial Market received approval from regulators of several proposals for draft acts in the field of import substitution in the financial sector. This was announced at an online meeting with the press by Anatoly Aksakov, head of the State Duma Committee on the Financial Market.

Import substitution in the financial sector, we recall, is carried out in connection with the instructions of the president in the field of ensuring the security of critical information infrastructure (CII).

One of the critical issues raised at the meeting of the working group with the participation of regulators was the timing of the transition of CII subjects in the financial sector to domestic software and equipment. The current deadline is designated 2023, but banks have repeatedly criticized such a deadline as hardly achievable, and several times asked to shift the transition dates until 2028.

Anatoly Aksakov said that, despite the bankers' wishes, the deadlines will remain quite tight. However, a compromise was reached with the regulators: import substitution may be deferred even beyond 2023 for financial-sector CII organizations whose licenses for imported software already in use have not yet expired, or whose imported equipment has not yet reached the end of its depreciation period.

Russian banks will have to switch to domestic software and equipment on a tight schedule, but on more flexible terms (photo: eprussia.ru)

"Switching to domestic software and equipment means very high costs, because you need to write off the old one and essentially pay for licenses, even though you are switching to a Russian counterpart. Now we have been allowed to wait for software licenses to expire and for equipment to be written off at the end of its depreciation, and only then switch to Russian counterparts. This means the banking industry's costs will be significantly reduced, which is an important criterion for the stability of the banking sector in our country," says Maria Shevchenko, chairman of the working group, member of the Association of Russian Banks and chairman of the board of directors of Kiwi Bank. "This probably removed the main contradictions between participants."

Thus, despite the fact that the transition period to domestic software and equipment for CII subjects in the financial sector will remain tight, banks will have more flexibility in planning. CII banks will have to develop transition plans taking into account the validity of software licenses and depreciation of equipment, choosing Russian analogues according to the lists agreed with the Bank of Russia.

The inclusion of the Bank of Russia in the import substitution procedure as a profile regulator was another important achievement of the working group following the discussion. According to Anatoly Aksakov, the Bank of Russia will participate, including in the selection of domestic software, equipment for financial institutions, for their subsequent implementation in the financial market. Banks will be guided by these lists when drawing up their import substitution plans.

At the same time, given that the Bank of Russia itself is a subject of the implementation of the law on the security of CII, that is, it will also have to introduce domestic solutions, it will be very attentive to what is proposed to the financial sector, Aksakov noted.

"We are grateful to the Bank of Russia for its assistance in this process, as well as to the Ministry of Digital Development for supporting the proposal. This innovation will make it possible to synchronize the transition to preferential import substitution in the financial sector with the current requirements for the subjects of this market, taking into account their characteristics and minimizing possible risks for the financial system," says Maria Shevchenko.

In addition, the working group says, agreement was reached that the import substitution requirements will apply only to significant CII objects; for objects without a significance category the provisions will be advisory. This will make it possible to focus on the objects most important to the state.

Now it remains to wait for the release of documents that would legalize the agreements reached with the regulators. We are talking about the draft presidential decree, the draft government decree, which approves the requirements for software and equipment and the procedure for switching to preferential import substitution. Separately, there is also a government decree No. 1236 with requirements for software to be entered into the register of Russian software, and as of July, changes are also being developed to it: in particular, to simplify the process of including in the register of domestic software solutions developed by the banks themselves. The working group expects that the documents will be ready by the fall of 2021, and will enter into force from March 2022.

The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%

The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%. This became known on July 12, 2021.

In 2020 the figure also increased, but only by 40%. Ransomware mainly attacked the education and science sectors, as well as industry; these accounted for 30% of the total number of attacks.

The Russian company Group-IB calculated that 40% of all attacks are carried out by "classic" cybercriminals, while the remaining 60% come from pro-government groups of other states.

Industrial companies are attacked by ransomware in most cases. It turns out that every large company is a potential victim for cybercriminals. And the amount of buybacks is increasing.

Experts predict that the number of cyber attacks in the future will only increase, and the amounts requested by fraudsters will grow[28]

8 out of 10 industrial enterprises in Russia have problems maintaining their IT infrastructure

On June 24, 2021, Group-IB announced that, on average, 8 out of 10 industrial enterprises in Russia have problems maintaining their IT infrastructure. In the first half of 2021, almost 3 times more attacks on critical infrastructure facilities were recorded in Russia than in the whole of 2019.

Problems with maintaining the IT infrastructure of organizations are caused by a lack of resources, outdated software and an often unfinished patch management process (the process of closing vulnerabilities through timely software updates), which makes them a potential target for cybercriminals, Group-IB said.

As of June 2021, according to Group-IB Threat Intelligence & Attribution, a total of 137 groups, of which 122 are cybercriminal groups and 15 are pro-state groups, target critical infrastructure. The main motivation of the cybercriminal groups is still financial: most of them are ransomware operators, that is, hackers who attack organizations and demand a ransom for decryption. The goals of the pro-government hacker groups are espionage and sabotage. Group-IB cites statistics: the number of attacks on critical infrastructure in the world has grown 12 times since 2019.

In the first 6 months of 2021, 40% of attacks on CII facilities in Russia were committed by cybercriminals and 60% by pro-state attackers.

Russia and the USA want to create an expert group on cybersecurity to protect CII from cyber attacks

The presidents of Russia and the USA want to create an expert group on cybersecurity. However, both sides are sure that the other collects data on critical infrastructure enterprises and carries out hacker attacks against them.

The United States has repeatedly asked Russia to stop hacking attacks against American companies. Russia, however, does not stay in debt: it is sure that most hacker attacks on its critical information infrastructure (CII) are carried out from the United States.

A meeting of the leaders of the two states took place in Geneva on June 16, 2021. Russian President Vladimir Putin, before meeting with US President Joe Biden, said that the issue of cybersecurity is one of the most important on a global scale.

"Because all sorts of disconnections of entire systems lead to very serious consequences. And this, it turns out, is possible," Vladimir Putin said in an interview on the Russia 1 TV channel.

Following the talks, the leaders discussed the creation of an expert group on cybersecurity. Joe Biden said that cyber attacks should not be carried out on critical infrastructure.

"We agreed to give instructions to work out which targets should not be subjected to cyber attacks," Joe Biden said. But if the agreements are violated, he promised, the United States will react.

During the summit, Putin and Biden agreed to begin consultations in this area and involve experts to discuss issues of protection against hacker attacks. Joe Biden has proposed a list of 16 infrastructure sectors against which cyber attacks will be banned.[29]

Every tenth IT infrastructure of government agencies, banks and the fuel and energy complex in Russia is infected with malware

In early June 2021, it became known that every tenth IT infrastructure of state agencies, banks, fuel and energy, transport and defense institutions is infected with malware. These data were cited by Rostelecom-Solar.

According to experts, even low-skill hackers can successfully attack critical information infrastructure, and most of the vulnerabilities in such networks have existed for more than 10 years.

Experts explain this situation by the fact that the software update process is absent in more than 90% of organizations, and the average time to install updates is more than 42 days.

In Russia, every tenth organization that is a CII subject is infected with malware

The most common vulnerabilities in CII are Heartbleed; EternalBlue, which appeared in 2011 (in 2017 it caused the spread of the WannaCry ransomware); and BlueKeep, discovered in 2019. All of them are actively used by hackers to carry out cyber attacks.

The study notes that the COVID-19 coronavirus pandemic has significantly weakened the IT perimeters. Over the year, by the beginning of June 2021, the number of automated process control systems (APCS) available from the Internet increased by more than 60%.

In addition, the number of hosts with a vulnerable SMB protocol has almost doubled. SMB is a network protocol for sharing files, printers and other network resources that is used in almost every organization. Such vulnerabilities are especially dangerous because they allow hackers to remotely run arbitrary code without authentication and infect with malware all computers connected to the local network.

Rostelecom-Solar named poor password management as the main problem in internal networks. Weak and dictionary passwords are extremely common and allow an attacker to penetrate the organization's internal network. Password guessing is used by both amateur hackers and professional attackers.[30]

A mysterious hacker group has been lurking in the IT infrastructures of federal government agencies in Russia for three years

The National Coordination Center for Computer Incidents (NCCCI) of the FSB of Russia and Rostelecom-Solar, at a meeting with journalists in May 2021, spoke about the identification of a series of targeted attacks by professional cyber groups on Russian federal executive bodies (FOIVs).

"Based on the complexity of the means and methods used by the attackers, as well as the speed of their work and their level of training, we have reason to believe that this group has resources at the level of a foreign special service," said Nikolai Murashov, deputy director of the NCCCI of the FSB of Russia.

Nikolai Murashov also called the discovered attacks a precedent

The attacks were identified in 2020, but the story of their discovery began at the end of 2019, when Rostelecom-Solar was providing IT security to one of the government agencies, the company said. At that time an attempt to access one of the customer's security servers was discovered. Attacks of this kind are usually not detected by standard protection tools and antiviruses: these were traces that quickly disappeared, but they gave a clue to understanding what was happening, where the group came from and what methods it used.

As a result of the analysis, it turned out that the same group was present in the systems of other FOIVs as well. Moreover, the first signs of its presence dated back to 2017. That is, for more than 3 years the group operated and carried out its actions in the IT infrastructures of state organizations, says Igor Lyapunov, vice president for information security at Rostelecom.

The attacked government agencies are deliberately not named, for security reasons. The NCCCI also preferred not to specify the number of attacked FOIVs.

In all the identified operations, the attackers' main goals were complete compromise of the IT infrastructure and theft of confidential information, such as mail correspondence, general and restricted-access files, infrastructure and logic diagrams, etc., according to the analysis conducted by the NCCCI of the FSB of Russia and Rostelecom-Solar.

"The damage, from our point of view, is rather reputational," said the deputy director of the NCCCI of the FSB of Russia, answering a TAdviser question about the damage caused by the group.

Nikolai Murashov added that information constituting state secrets could not have been stolen in this way. He also recalled that there are about 40 types of secrets in Russia, including tax, medical and many others. Certain information that partially contained personal data and the like could have been taken out of the system, says the NCCCI representative.

"But, in my opinion, the most important thing about the functioning of this system is that it was designed for the long term," said the representative of the NCCCI of the FSB of Russia, answering TAdviser's questions. "It's like a system that exists just in case. They penetrate and then very neatly... After all, colleagues talked about how carefully they acted. That is, all the actions of such an attack were designed for the long term."

The tools used by the attackers were professional and very complex and allowed covert movement inside the IT infrastructure, says Igor Lyapunov. And the degree of persistence in the infrastructure was very extensive: the attackers created up to 10-15 different access channels.

From the presentation of Rostelecom-Solar

This level of attack is not the result of the activities of ordinary commercial groups. There is no possibility of monetization, and the cost of such an attack is large, since it requires very specialized software, Rostelecom notes.

To penetrate FOIV infrastructures, the attackers used three main attack vectors: phishing; exploitation of vulnerabilities in web applications published on the Internet; and hacking the infrastructure of contractors (Trusted Relationship).

It is noteworthy that the malware the attackers developed to exfiltrate the collected data used the cloud storage of the Russian companies Yandex and VK (formerly Mail.ru Group), and in its network activity it disguised itself as the legitimate Yandex.Disk and Disk-O utilities produced by these companies, the NCCCI of the FSB of Russia and Rostelecom-Solar found.

The State Duma approved fines for violation of the security of critical IT infrastructure

On May 18, 2021, the State Duma of the Russian Federation adopted in the third (final) reading a bill on fines for violating the security of critical information infrastructure. We are talking about systems in the fields of health care, science, transport, communications, power, banking, etc.

According to the new rules, which are to enter into force on September 1, 2021, fines will be imposed for violations of the requirements for creating security systems for significant critical information infrastructure objects and for ensuring their operation and security. Their amount will be from 10,000 to 50,000 rubles for officials and from 50,000 to 100,000 rubles for legal entities.

The State Duma approved fines for violation of the security of critical IT infrastructure in the fields of healthcare, science, transport, communications, power and banking

Violation of the "procedure for informing about computer incidents, responding to them and taking measures to eliminate the consequences of computer attacks" will be punished even more severely: fines will range from 10,000 to 50,000 rubles for officials and from 100,000 to 500,000 rubles for legal entities.

For violations of the procedure for exchanging data on incidents between subjects of such infrastructure, foreign authorized bodies, international organizations and NGOs working in the field of responding to cyber threats, fines are provided: for officials - from 20,000 to 50,000 rubles, for legal entities - from 100,000 to 500,000 rubles.

According to the explanatory note to the bill, "the size of the proposed fines takes into account the average salary of heads of structural units for ensuring information security."

As TASS notes, in justifying the need for the law, its authors point to the attack recorded in 2017 using the WannaCry ransomware, which hit a large amount of computer equipment in a number of state-owned companies and took up to three days to recover from. The cause of the damage was failure to comply with the established requirements, including the requirement for timely software updates.[31]

Cyber attacks through contractors hit banks and fuel and energy enterprises in Russia

At the end of March 2021, Rostelecom-Solar, a provider of information asset protection services, published a study reporting a twofold increase in 2020 in the number of attacks on critical information infrastructure objects (CII: banks, fuel and energy enterprises, etc.) carried out by penetrating through a contractor's infrastructure (the supply chain method). The Solar JSOC cyber attack monitoring and response center of Rostelecom-Solar identified and repelled over 1.9 million attacks, 73% more than in 2019.

According to experts, hacking a contractor has become the most effective method for cybercriminals to penetrate targeted infrastructure, which as a rule includes the largest federal public sector organizations and CII facilities. This is also confirmed by international experience. At the end of 2020, it became known that the software developer SolarWinds had been hacked, as a result of which clients such as Microsoft, Cisco and FireEye, as well as several key US ministries and departments, were affected. Solar JSOC records similar attack attempts on Russian authorities and facilities.

Rostelecom-Solar recorded a twofold increase in attacks on CII through contractors' infrastructures

The active use of the supply chain method is associated with an increase in the number of more complex targeted attacks. In addition, organizations are increasingly outsourcing part of their internal processes, but they rarely monitor their own infrastructure and practically do not control the connection points of third-party companies to their network. As a result, the problem can remain out of focus for a long time. This is what led to the growth of such attacks in 2020.

Rostelecom-Solar noted that the growing popularity of the supply chain method indicates not just a change in the technical specifics of attacks, but the emergence of a new key cybersecurity threat at the state level. However, there is no clear solution yet for how to minimize the risks. Even a contractor certified by the regulator for compliance with information security standards can be successfully attacked. At the same time, the customer company has no way to directly control the outsourcer's level of information security, experts added.

"Obviously, advanced APT groups will increasingly use the supply chain technique, so the information security community needs to develop a fundamental approach to solving the problem as soon as possible," said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar.

Also, for the first time since 2017, Solar JSOC experts recorded an increase in violations committed by internal users, that is, ordinary company employees. More than half (53%) of internal incidents were related to information leaks: after switching to remote work, employees began to commit violations, including theft and leaking of data, that they would not have dared to commit in the office. In addition, the pandemic led to an increase in violations involving Internet access. This is not only about visiting suspicious sites from a work computer. Remote workers could also gain illegitimate access to the company's restricted resources, since it is difficult to correctly segment the corporate network on the basis of a VPN.

The most common tool of external attackers was malware, and the main way to deliver it to the victim's infrastructure was phishing emails, most of which exploited the topic of COVID-19. At the same time, there was a significant increase (by a third) in the number of attacks using ransomware: during the period of mass remote work, when many companies' information security was weakened, this already simple method of monetization became even more popular.

In 2020, the number of attacks aimed at gaining control over infrastructure increased by 30%, while the number of attacks aimed at stealing funds increased slightly (by less than 10%). This indicates a significant increase in the qualifications of attackers and the complication of their tools.

2020 Report on Attacks and Tools of Professional Groups

Detection of more than 6,300 vulnerable CCTV cameras at critical infrastructure facilities of the Russian Federation

On March 12, 2021, it became known that more than 6,300 video surveillance cameras installed at critical infrastructure facilities and industrial enterprises in Russia are vulnerable. Flaws in this equipment make it easy to hack.

The vulnerability of cameras at power plants, industrial enterprises, gas stations, etc., was reported by Avast with reference to data from the Internet of Things search engine Shodan.io. The IP addresses of these cameras are exposed, and cybercriminals can access them, experts told Kommersant.

Access to a number of cameras today is protected by the simplest passwords, which can be easily guessed, Igor Bederov, general director of Internet Search, confirmed to the publication. Such cameras, he said, may be installed in banks, among other places, which potentially threatens leaks of credit card data and customer passports. On the basis of open IP cameras, an illegal video surveillance or analytics system can be organized, Bederov suggested. If such a system is supplemented with facial recognition modules, the result is a total surveillance system, he said.

Thousands of vulnerable cameras found at gas stations and enterprises in Russia

Ekaterina Rudaya, an expert at the laboratory of practical security analysis of the Information Security Center of Jet Infosystems, in a conversation with RBC, noted that data from cameras, for example, can serve as a source of information about human movement.

"If desired, an attacker can map a person's movements around the city, provided, of course, that the quality of the cameras allows a specific person to be recognized. This problem is unlikely to concern most citizens, since it is difficult to imagine that a simple programmer or teacher will be monitored. But in any case, the very fact that the opportunity exists cannot be considered the norm to which you can safely close your eyes," she explained.[32][33]

Cisco expert: Until there are criminal cases, business will not seriously invest in the implementation of the law on critical infrastructure

At the beginning of 2021, FSTEC announced its intention to strengthen control over the implementation of the law on the security of critical information infrastructure (CII) in Russia (187-FZ). The agency plans to increase the number of inspections, including with the participation of the prosecutor's office, and to involve industry departments in the work of bringing CII facilities into line with the requirements of the law. In addition to the liability already provided for in the Criminal Code, the introduction of administrative liability for non-compliance with the CII security law, which provides for fines, is on the way.

Cisco cybersecurity expert Alexey Lukatsky believes that tighter control by FSTEC over the implementation of this law will draw the interest of CII facility owners toward ensuring their security, but not earlier than in a year and a half. This is because the first FSTEC inspections will begin in the second half of 2021, and for now only a small number of them are planned, not enough to speak of a trend, he explained to TAdviser.

"And until there are real fines or criminal cases initiated and brought to a verdict, Russian business will not, unfortunately, seriously invest in meeting legislative requirements. Because the costs are large, and the benefit is completely unobvious," believes Alexey Lukatsky.

According to FSTEC, since 187-FZ entered into force in 2018, more than 50 thousand CII facilities have been identified, of which 10 thousand are classified as the most significant systems and networks (photo: pixabay.com)

Speaking about threats to CII facilities, the expert dwelt separately on automated process control systems (APCS).

"We see the attention of cybercriminals to APCS; we see that they are trying their hand, developing malicious code that carries out some kind of reconnaissance activity, that is, collecting data on the internal assets of industrial sites. But so far, given the low level of informatization of industrial sites and a lack of understanding of how these attacks can be monetized, attackers do not actively use this in their activities," said the Cisco cybersecurity expert.

The remaining CII facilities are mainly business and office systems, which are no different from what was previously not called CII. Lukatsky noted that attacks on banking systems, which now belong to CII facilities, and on office systems of industrial, transport and state-owned enterprises both happened earlier and still occur.

As for industrial enterprises in particular, attacks here are most often carried out not on APCS but on office systems, for example those responsible for transport, supply management, shop-floor operations, etc., after which the attackers demand a ransom for restoring management functions, without hacking the industrial sites themselves.

However, this does not mean that there will be no attacks on APCS in the future, when attackers learn to monetize such hacks, Alexey Lukatsky emphasized. And the problem for most industrial enterprises is that their APCS use outdated protocols and components that are susceptible to attacks.

According to FSTEC, a total of 55% of the most significant systems and networks related to CII do not use the required means of protection against computer attacks (for more details, see the block below).

55% of the systems of the most significant critical infrastructure are poorly protected from hacker attacks - FSTEC

Speaking in the State Duma at the end of February 2021 in defense of a bill introducing administrative fines for violating the law on the security of critical information infrastructure (CII), FSTEC of Russia deputy director Vitaly Lyutikov cited indicators of the current level of its protection.

Since 187-FZ on the security of CII entered into force in 2018, more than 50 thousand CII facilities have been identified, of which 10 thousand are classified as the most significant systems and networks to be protected in accordance with the established requirements. An analysis of their security status showed that 55% of these systems and networks do not use the required means of protection against computer attacks, Lyutikov said. And 25% of CII subjects have no specialized specialists.

According to the State system for detection, prevention and elimination of the consequences of computer attacks, in 2020 more than 120 thousand impacts on the information infrastructure of the Russian Federation were identified, the deputy director of FSTEC added.

"Under these conditions, there is a real threat of disruption to the functioning of control systems for critical and potentially dangerous facilities in the most significant sectors of the economy," said Lyutikov.

Deputy Director of FSTEC Vitaly Lyutikov spoke about the current state of protection of CII facilities

Vitaly Lyutikov noted that the categorization of CII facilities provided for by 187-FZ is the basis for taking the necessary protective measures. As of February 2021, more than 700 CII subjects had not carried out categorization within the deadlines set by the government, Vitaly Lyutikov said. Security requirements at their facilities have not been implemented.

In 2020, 507 computer incidents occurred at CII facilities, of which only 3% were reported in a timely manner to the State system for detection, prevention and elimination of the consequences of computer attacks.

The bill establishing administrative liability for violating the legislation on ensuring the security of CII was prepared by FSTEC together with the FSB in pursuance of instructions from the President of the Russian Federation, Lyutikov recalled. It is proposed to introduce two articles into the Code of Administrative Offenses of the Russian Federation: on violation of requirements in the field of ensuring the security of CII, and on failure to provide information required by law in the field of ensuring the security of CII. For offenses under these articles, it is proposed to impose fines of up to 50 thousand rubles on officials and up to 500 thousand rubles on legal entities.

"The amount of the fines was determined on the basis of an assessment of the consequences of the computer attacks using the WannaCry ransomware virus that hit certain state-owned companies in 2017," Vitaly Lyutikov explained, speaking in the State Duma.

FSTEC expects that the adoption of the bill will encourage CII subjects to adopt protection measures at their CII facilities in a timely manner. Earlier, representatives of the department noted the low percentage of 187-FZ implementation and spoke of stepping up work to speed it up. To this end, FSTEC has, among other things, involved the prosecutor's office and is strengthening inspections.

The bill introducing administrative liability, considered in the State Duma and already past the first reading, was prepared back in 2019. It was submitted to the State Duma in November 2020. It has yet to be finalized for the second reading.

Earlier, following public discussion and public consultations, the document drew comments from market participants and regulators. Thus, the Ministry of Economic Development and Trade, in its conclusion on the regulatory impact assessment of the bill, noted that the Criminal Code of the Russian Federation (Part 3 of Art. 274.1) already establishes criminal liability, including imprisonment for up to 6 years, for violating the rules for operating means of storing, processing or transmitting protected computer information contained in CII and related systems and networks, or the rules for accessing them, if this caused harm to CII.

The Ministry of Economic Development believes that the additional establishment of administrative liability measures should be synchronized with a simultaneous reduction in criminal liability measures.

In addition, the adoption of the bill may be fraught with the risk of imposing additional expenditures on the budget, the Ministry of Economic Development noted. According to the information provided by the executive authorities of the constituent entities of the Russian Federation, significant expenses are required to fulfill the requirements of the 187-FZ. For example, the executive authorities of the Republic of Khakassia require financial costs in the amount of more than 200 million rubles to implement the established requirements.

FSTEC has found a way to deal with those evading the law on the protection of critical IT infrastructure. It was tested with the Ministry of Energy

Alexey Kubarev, Deputy Head of the FSTEC Department, speaking at a security conference in February 2021, noted the low level of implementation of the federal law on the security of critical information infrastructure (CII) and announced plans to develop interaction with the Federal Security Agency as one of the measures to improve the situation. FSTEC already has experience of such interaction with the Ministry of Energy.

"We have wonderful experience with the Ministry of Energy of Russia, which we liked. It is more convenient for us to work with the help of specialized state authorities, so we will extend this practice to other areas," said Alexey Kubarev.

Evgeny Novikov, head of the department for ensuring the security of fuel and energy facilities and CII within the Ministry of Energy's department for economic security of the fuel and energy sector, noted at the same conference that the main regulators under the CII security law (187-FZ) are the government of the Russian Federation, FSTEC and the FSB. But in agreement with FSTEC, the Ministry of Energy can also develop additional requirements in its field for ensuring the security of significant CII objects, taking into account the peculiarities of their functioning in the fuel and energy complex.

The representative of the Ministry of Energy recalled that there are three main stages in the implementation of 187-FZ: categorization of the CII facility, ensuring its security, and ensuring interaction with the State system for detection, prevention and elimination of the consequences of computer attacks. The problems of categorizing CII objects in the fuel and energy complex have industry specifics. Firstly, there is a very large volume of documents that need to be prepared and submitted.

"At one time, we received information from FSTEC that data on the categorization of facilities was being brought in by the busload," said Evgeny Novikov.

Slide from the presentation of Evgeny Novikov

Secondly, there is also an industry law on the security of fuel and energy complex facilities (256-FZ) and a law on the industrial safety of hazardous production facilities (116-FZ), with which the results of categorization must be coordinated.

And, finally, there is the functional specificity of fuel and energy enterprises. It turns out that for each facility, depending on the fuel and energy sector, there should be a different methodology, Novikov explained. With the assistance of the Gubkin Russian State University of Oil and Gas, the Ministry of Energy has developed general methodological recommendations for the definition and categorization of CII objects in the fuel and energy complex and agreed them with FSTEC.

"The methodological instructions developed by the Ministry of Energy of Russia are currently the only ones developed by a state authority," said the representative of the Ministry of Energy.

In addition, the department is carrying out a number of other measures to implement 187-FZ and information security in general. For example, an interdepartmental commission has been created under the Ministry of Energy to coordinate the security of CII in the fuel and energy complex.

Slide from the presentation of Evgeny Novikov

Also, at the end of 2020, a departmental center of the State system for detection, prevention and elimination of the consequences of computer attacks was set up under the Ministry of Energy. Its area of responsibility includes subordinate enterprises and the information resources of the ministry itself.

"Now we are considering expanding this functionality to the entire fuel and energy complex: at least to try to exchange data with some corporate centers and connect analytical centers," said Evgeny Novikov.

In addition, the Ministry of Energy now has the obligation to organize command and staff training and cyber exercises in the fuel and energy complex. The department has already carried out trial events, FSTEC and the FSB actively participated in them.

According to Novikov, almost all large organizations of the fuel and energy complex have already carried out categorization and submitted data to FSTEC. But CII subjects also include small organizations.

"Three months ago, an organization from, I think, the Yamalo-Nenets district contacted us, saying that they had received a letter from us about some 187-FZ. To be honest, I almost sat down. What area do you work in? That is, ignorance of the law does not exempt you from complying with it," said Evgeny Novikov.

For more on the problems with implementing the CII security law and the measures to strengthen control that FSTEC plans to take, see the block below.

FSTEC: the law on the protection of critical infrastructure is being implemented poorly; the prosecutor's office is involved, and inspections are intensifying

The Federal Law on the Security of the Critical Information Infrastructure (CII) of the Russian Federation (187-FZ) has been in effect for three years. In February 2021, Alexey Kubarev, Deputy Head of Department at FSTEC, speaking at a security conference, summed up some of the results of its implementation.

Under 187-FZ, CII subjects were required to categorize their CII objects, create and maintain security systems for significant CII objects, take measures to ensure the security of those objects, and interact with the State system of detection, prevention and elimination of consequences of computer attacks.

Slide from the presentation of Alexei Kubarev

In 2019, a government decree was issued under which CII subjects had to prepare and submit to FSTEC of Russia a list of CII objects subject to categorization by September 1 of the same year.

According to FSTEC estimates, the share of CII subjects that have actually implemented the federal law turned out to be extremely low, and the service plans to fight this, Alexey Kubarev said.

In the course of reviewing the information submitted about CII objects, FSTEC encountered a number of recurring phenomena.

"First, many are trying to evade implementation of the federal law by saying, "We are not a CII subject," even though all direct and indirect signs indicate that they are. Another way to evade implementation is, "We have no CII objects that need to be categorized." We will fight this too, and we already know what needs to be done," said Alexey Kubarev.

According to the FSTEC representative, there are still those who are in no hurry and miss the deadlines for submitting lists of CII objects. It has also been observed that organizations do not notify the regulator about all the CII objects they have. Besides problems with drawing up the lists of CII objects within the deadlines set by government decisions, problems arise at the stage of categorizing the objects on those lists: deadlines are missed, and the significance categories of existing CII objects are artificially understated.

"Often we have to insist that the APCS (industrial control system) of a hazardous production facility cannot be left without a category, especially since it controls and ensures the safety of that facility. In about 30% of the submissions received, we have to argue with the CII subject," said Kubarev.

In addition, at the categorization stage, organizations sometimes provide inaccurate information about CII objects and fail to take all the indicators into account.

The FSTEC representative recalled that, under Government Decree No. 127 of February 2018, information on newly created CII objects must also be submitted to FSTEC. This is needed so that security measures and tools can be built into the terms of reference for creating a significant object. Many do not comply with this either.

As for the next stage under 187-FZ, creating and maintaining security systems for significant CII objects, there are many problems here as well. Besides the slowness in implementing the federal law, mentioned more than once, CII subjects often underestimate the intruder's capabilities and have problems with the units responsible for security, the FSTEC representative stated.

"In some organizations, the security of significant objects is handled by economic security units, and in some even by legal departments. For me, this is a paradox," says Alexey Kubarev.

He also noted problems with security tools: at many facilities, especially for APCS, only anti-virus protection and the built-in tools of standard operating systems are used. This is not enough to counter serious threats.

The FSTEC representative recalled Government Decree No. 743, in force since January 2020. Under it, connecting a CII object to public communication networks must be coordinated with FSTEC. Pursuant to the decree, FSTEC itself developed and approved the corresponding order.

"And we sit and wait. And what is the result? In more than a year, not a single request to coordinate a connection has reached us," stated Alexey Kubarev. "I have great doubts that, out of thousands of significant objects, not one initiated a connection to public networks. We will deal with this."

Slide from the presentation of Alexei Kubarev

In 2021, Kubarev said, FSTEC decided to significantly raise the level of implementation of the federal law on CII security, and to that end the service plans a set of measures.

"Let me remind you that since last year prosecutors have been actively working with critical information infrastructure subjects, and even with potential subjects. They hold events and field inspections, and we take part in them. For our part, we will involve the relevant federal authorities, the Bank of Russia and state corporations in order to raise the percentage of implementation of the federal law," says Alexey Kubarev.

He added that since 2021 FSTEC has had grounds for scheduled inspections, which it plans to conduct as state control over the implementation of the federal law. Alexey Kubarev assured that the purpose of such control is not punishment but methodological assistance to CII subjects, while noting that "good must have fists," which FSTEC will soon acquire.

"A federal law amending the Administrative Code to introduce administrative liability for violating the legislation on CII security has been developed and submitted to the State Duma. It passed the first reading without difficulty and, I think, will be approved in 2 to 4 months," explained the FSTEC representative.

FSTEC creates an OS verification center for the public sector

On February 11, 2021, it became known that the Federal Service for Technical and Export Control (FSTEC) plans to create a center for security research of operating systems based on the Linux kernel. 300 million rubles have been allocated for the project; the winner of the tender was to be chosen by March 2, 2021. Read more here.

2020

120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia

More than 120 thousand hacker attacks were carried out on the critical information infrastructure of Russia (which includes the IT systems of government agencies, banks, the fuel and energy complex, etc.) in 2020. This figure was announced on June 24, 2021 by the Secretary of the Security Council of the Russian Federation, Army General Nikolai Patrushev.

According to him, cyberspace is increasingly becoming the scene of the fight against "geopolitical opponents," and Russia is regularly subjected to computer attacks.

Nikolai Patrushev: 120 thousand cyber attacks were carried out on the IT systems of government agencies, banks and the fuel and energy complex of Russia in a year
"Most of them were carried out from the United States, Germany and the Netherlands, and were directed against public administration, the military-industrial complex, health care, transport, science and education in our country," he said.

As the Secretary of the Security Council noted, Russia advocates non-politicized cooperation between countries to create a global cybersecurity system.

"Russia advocates the development of international cooperation in the interests of forming a global international legal regime that ensures the safe and equal use of information and communication technologies," he stressed in an interview with Rossiyskaya Gazeta.

On June 24, 2021, Group-IB cited data according to which three times as many attacks on critical infrastructure objects were registered in Russia in the first half of 2020 as in all of 2019. 40% of the attacks on CII objects in Russia were committed by cybercriminals and 60% by state-sponsored attackers.

Nikita Kislitsin, head of the Network Security Department at Group-IB, noted that about 8 out of 10 Russian industrial enterprises have problems maintaining their IT infrastructure.

According to experts, the problems with maintaining organizations' IT infrastructure are caused by a lack of resources, outdated software and, often, an incomplete patch management process.[34]

The share of cyber attacks on government bodies doubled: FSB information security center

More than half (58%) of cyber attacks in Russia in 2020 targeted state authorities, while in 2019 this share was 27%. Such data were cited at the end of April 2021 by Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI, which coordinates the detection, prevention and elimination of the consequences of computer attacks on critical information infrastructure in Russia and the response to computer incidents).

"An analysis of the data conducted by the NCCCI showed that if in 2019 the largest share of computer attacks was aimed at the credit and financial sector (33%), then in 2020 it was aimed at the information resources of state authorities and industrial enterprises," Murashov said at an online briefing (quoted by RIA Novosti).

The share of cyber attacks on authorities in 2020 doubled

According to him, the share of hacker attacks on the IT systems of industrial enterprises in 2020 reached 38% against 18% a year earlier.

Earlier, Secretary of the Security Council of the Russian Federation Nikolai Patrushev said that the intensity of foreign intelligence activity in cyberspace had increased significantly amid the worsening international situation, and that the number of hacker attacks on Russian information resources in 2020 had grown 1.6 times.

Patrushev noted the annual growth of hacker attacks on the IT resources of authorities and companies "in order to block them, gain access to protected data banks and covert management of information systems."

"At the same time, the exploitation of vulnerabilities in the software used in government agencies and organizations for intelligence purposes remains a pressing issue. More than 30% of the identified vulnerabilities can be exploited remotely to conduct computer attacks on the information infrastructure," said the Secretary of the Security Council of the Russian Federation.[35]

CII and state organizations became the main targets of advanced cyber groups

According to Rostelecom statistics, in 2020 the Solar JSOC cyber attack monitoring and response center recorded more than 200 hacker attacks by professional cyber groups, including massive attempts to influence entire industries and sectors of the economy. This was announced on December 1, 2020. According to Solar (formerly Rostelecom-Solar), in about 30 cases the attacks were carried out by attackers of the highest level of training and qualification: cyber mercenaries and cyber groups pursuing the interests of foreign states. Among the most common targets were critical information infrastructure facilities of Russia.

Rostelecom's analytical report is based on data on more than 140 large organizations, Solar JSOC customers in various sectors of the economy (banks, energy and oil and gas, government agencies, etc.), as well as on customers of the JSOC CERT cyber incident investigation center. The summary statistics also take into account information about attacks and malware collected by honeypot traps on communication networks and in data centers in the Russian Federation, and data from other Russian and international CERTs.

According to Solar JSOC experts, the goal of the most professional hacker groups is usually destructive impact and cyber espionage. The damage from attacks of this class is measured not only in financial losses but also in the impact on the country's economy as a whole, the safety of citizens and the political situation. The collateral damage alone from a compromised infrastructure (theft of employees' and customers' personal data, regulatory and reputational risks, the possibility of launching new attacks) could reach tens of millions of rubles if the attackers succeed. The cumulative damage from a full-scale attack of this kind would amount to several billion rubles.

The weak security of web applications at critical information infrastructure (CII) facilities and in government bodies made this attack vector the most popular among cybercriminals in 2020. In 45% of cases, hackers attacked web applications; in another 35%, they exploited known but unpatched vulnerabilities on the perimeter of organizations.

After entering the infrastructure, the attackers tried to gain access to the organization's confidential information by accessing mail servers (85% of cases) and the workstations of top officials, their deputies and secretaries (70% of cases). In parallel, they sought to seize maximum control over the infrastructure by attacking the workstations of highly privileged IT administrators (80% of cases) and IT infrastructure management systems (75% of cases). Most often, software designed to hide the attack from standard security tools was used; in 20% of attacks, hackers also used legitimate corporate or freely available utilities, masquerading as the actions of administrators and users.

"It should be noted that the trend of so-called supply chain attacks on state authorities and key enterprises of Russia is now gaining momentum. That is, attackers increasingly do not attack the organization itself directly, but act through its contractor, who cares less about information security and at the same time has access to the infrastructure of the ultimate target of the attack. Therefore, it is very important to pay attention to the level of security of contractors and to build a secure way for them to access the infrastructure," said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar.

Attacks by mid-level organized groups, cybercrime, were aimed at direct monetization: withdrawing funds or obtaining a ransom for decrypting company data. Their focus in 2020 remained the credit and financial sector. In 85% of cases, hackers tried to withdraw money from correspondent accounts and attacked various financial systems of companies. At the same time, across the market as a whole, Solar JSOC analysts note a significant decrease in the success rate of such attacks and a reduction in the damage from them, which reaches no more than several tens of millions of rubles.

The main weapon of cybercrime remains phishing, which succeeds because of the low level of information security literacy among company employees. In 74% of cases, attackers used social engineering to penetrate the infrastructure. To infect workstations and develop the attack further, widely available malware from the darknet (40% of cases) was used, as well as IT administration and security analysis software (40% of cases).

Kemerovo resident convicted of cyber attacks on the CII of the Russian Federation

A Kemerovo resident was convicted of cyber attacks on the CII of the Russian Federation. This became known on November 27, 2020. Read more here.

Preparations for a spy attack by a Chinese APT group on Russian fuel and energy complex enterprises discovered

On September 24, 2020, it became known that the developer of information security tools, Doctor Web, published a study of a phishing campaign that was aimed at Russian enterprises in the fuel and energy complex. The first wave was dated April 2020, the last manifestations of activity occurred in September 2020. Read more here.

FSTEC issued an order on the use of domestic software to protect CII

The Federal Service for Technical and Export Control (FSTEC) has published an order to use domestic software to protect critical information infrastructure (CII). The document is published on the official Internet portal of legal information.

The changes are aimed at using mainly Russian equipment and software in KII to increase technological independence and safety, as well as to promote domestic products.

The document clarifies the conditions for selecting equipment and software for CII objects, the procedure for their use and operation, as well as testing. It is separately noted that the provision regulating testing comes into force on January 1, 2023, as does another provision recognizing one of the outdated norms as invalid.

The Federal Service for Technical and Export Control issued an order on the use of domestic software to protect CII

The FSTEC of Russia order has nuances that experts are unhappy with. In particular, Alexey Lukatsky noted:

"The situation looks as if the regulator doesn't care how the requirements are met," the expert said, drawing attention to the requirement to extend the ban on the use of elements of a significant CII object of the second category.

"Goodbye, Zoom, clouds and update servers located outside the Russian Federation," Lukatsky explained.

The order of the Federal Service for Technical and Export Control on amending the requirements for ensuring the safety of significant objects of the critical information infrastructure of the Russian Federation was developed in pursuance of the instructions of the president following the results of the special program "Direct Line with Vladimir Putin" on June 20, 2019.

As the D-Russia publication recalls, during the "direct line" the president said that the authorities should provide a market for Russian programmers in industries that are sensitive for security and sovereignty, and also said that, for the sake of import substitution, Russian corporations should be "forced" to purchase domestic [software] products.[36]

The Ministry of Telecom and Mass Communications canceled subsidies to the regions for the security of critical information infrastructure facilities

At the end of July 2020, it became known that the Ministry of Telecom and Mass Communications canceled subsidies to the regions for the security of critical information infrastructure (CII) facilities. The department explained this by the "redistribution of budget funds."

"In connection with the optimization (reduction) of basic budget allocations during the formation of the draft federal law on the federal budget for 2021 and the planning period of 2022 and 2023, the competitive selection of projects for 2021 aimed at providing subsidies to the budgets of the constituent entities of the Russian Federation to bring the level of security of critical information infrastructure facilities up to the requirements established by the legislation of the Russian Federation, within the framework of the federal project "Information Security" of the national program "Digital Economy of the Russian Federation," has been canceled," the Ministry of Telecom and Mass Communications told D-Russia.ru.

Message about subsidies to regions to increase the level of security of CII facilities withdrawn

It is clarified that in 2019 a competition for similar subsidies for 2020 was held. 36 regions took part in it, and 12 winners were selected. In 2020-2021, it was planned to spend 250 million rubles on such subsidies: 150 million rubles in 2020 for CII objects of significance categories 1 and 2, and 100 million rubles in 2021 for CII objects of significance category 3.

At the end of July 2020, the Ministry of Telecom and Mass Communications began collecting applications from the regions for 2021 subsidies aimed at improving the security of significant critical information infrastructure facilities. The subsidies were to be provided from the federal budget to regional budgets to co-finance measures ensuring the sustainable operation of CII in the event of computer attacks.

However, the ministry canceled the collection of applications, and the link to the announcement on the ministry's website now returns the error "The page does not exist or was deleted" (code 404).[37]

The Ministry of Telecom and Mass Communications of the Russian Federation approved the procedure for installing and operating cyber attack search tools in KII networks

In June 2020, the Ministry of Communications of the Russian Federation approved the procedure for installing and operating cyber attack search tools in CII networks.

The ministry's order "On approval of the Procedure and Technical Conditions for the installation and operation of means designed to search for signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure facilities of the Russian Federation" was published on the official Internet portal of legal information on June 25, 2020.[38]

In particular, the document indicates what stages the installation and operation of attack search tools consists of:

  • determination of necessity and places of installation of attack search tools;
  • installation of attack search tools, their connection to telecommunication networks and communication channels required to control attack search tools;
  • setting up and checking the operability of the installed attack search tools;
  • commissioning of installed attack search tools;
  • ensuring continuous operation of attack search tools;
  • maintenance, replacement and dismantling of installed means of search for attacks;
  • ensuring the safety of the installed attack search tools;
  • monitoring the operation of attack search tools.

According to the order, the FSB sends the telecom operator, by registered mail with delivery confirmation, the following information and documents:

  • information on the need to install attack search tools indicating the places of installation on the telecommunication network of the telecom operator;
  • operational characteristics of the installed attack search tools;
  • name of the organization (in case of involvement);
  • surname, name, patronymic (if any), position of an official of the authorized body of State system of detection, prevention and elimination of consequences of computer attacks or the name of the structural unit of the authorized body of State system of detection, prevention and elimination of consequences of computer attacks responsible for the organization of work;
  • instructions for operation of the attack search tool, installation of which is planned on the telecommunication network.

No later than 10 calendar days from the date of receipt of information, the telecom operator shall determine the officials of the telecom operator admitted to this information.

How to maintain the performance of the data center if key employees have contracted COVID-19 or are in quarantine

In March 2020, the Uptime Institute prepared recommendations on how to respond to the COVID-19 coronavirus pandemic in the data center industry. The report was released to help critical infrastructure operators prepare and respond to the impact of the new coronavirus. TAdviser has reviewed the document. Read more here.

The Ministry of Telecom and Mass Communications proposes to unify the procedure for installing means for searching for cyber attacks on CII objects

On February 27, 2020, TAdviser learned that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation had prepared a draft order[39][40] regulating the installation and operation of means for detecting signs of cyber attacks on the country's critical information infrastructure.

Ministry of Digital Development, Communications and Mass Media

The order describes both the procedure for installation and operation of such means and the technical conditions for their use.

The attack search tools themselves are classified as "equipment of automated telecommunication network control and monitoring systems." Such equipment is subject to mandatory state certification under current legislation.

The document provides for tripartite interaction between the authorized body of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation (State system of detection, prevention and elimination of consequences of computer attacks), the authorized body in the field of communications, and telecom operators.

The attack search tools themselves will belong to the authorized body of the State system of detection, prevention and elimination of consequences of computer attacks and will be installed at the critical information infrastructure facility at that body's expense. The continuity of their operation, however, is to be ensured by the telecom operator at its own expense, in accordance with the technical conditions described in the draft order.

Under these conditions, the attack search tools must be installed in rooms where all conditions for their continuous operation are provided, including a stable and uninterrupted power supply (the power allocated to the electrical connection "must exceed by at least 20 percent the power required according to the operating manual of the attack search tools"), physical access control, temperature and humidity control, fire extinguishing equipment and, of course, an Internet connection and a connection to the network of the CII facility.

"The key provision in this document is that the cyber attack search tools themselves should be supplied by, and be on the balance sheet of, the bodies of the State system of detection, prevention and elimination of consequences of computer attacks. That is, the state at the most practical level takes over the protection of CII facilities, using equipment certified for these purposes to avoid surprises,"

2019

Hackers who hacked the IT systems of Russian Railways and S7 were given 10-13 years in prison

At the end of December 2019, the Basmanny District Court of Moscow sentenced three hackers accused of hacking into the ticket systems of Russian Railways and S7. In total, 29 people were involved in the case. Read more here.

Hackers have been preparing attacks on the fuel and energy complex for years

Hackers have been preparing attacks on enterprises in the fuel and energy sector for years. This was announced on November 14, 2019 by Positive Technologies.

According to experts, professional cyber groups conducting targeted attacks do not launch destructive actions immediately after penetration. They can control all the enterprise's systems for several years without taking any destructive action, only stealing important information and waiting for the right moment to launch the attack.

Hackers have been preparing attacks on enterprises in the fuel and energy sector for years, while stealing data from them

During the investigation of one of the incidents, experts discovered that the TaskMasters group, which was engaged in the theft of confidential documents and espionage, had been in the infrastructure of the victim company for at least 8 years.

Basically, hackers attack the fuel and energy complex in order to disrupt its production process or to steal corporate information and damage its reputation. Only one in three attacks is aimed at stealing funds, and most often companies are faced with information leaks or data substitution and destruction.

Cyber attacks on the fuel and energy complex involving information leakage account for 30% of the total number of incidents. In 26% of cases, data is destroyed or substituted. 25% of the enterprises surveyed said that after the attacks the company's infrastructure was idle.

According to Alexei Novikov, director of the Positive Technologies Expert Security Center, it is very difficult to detect a targeted attack at the moment the intruders enter the system. It is easier and more effective to uncover the hacker's activity after entry into the infrastructure, for example when they move between servers already on the internal network.

"Such movements certainly leave artifacts in network traffic and on the hosts themselves, which makes it possible to detect the earlier penetration retrospectively and eliminate the threat before the attacker proceeds to active destructive actions or steals important information," Novikov said.[41]
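The retrospective detection Novikov describes, as an added example that is not code from Positive Technologies or from this article: a small Python hunt over constructed Windows-style security events (the hosts, accounts, addresses and timestamps are invented for illustration; the pipe-separated export format and the admin-workstation list are assumptions of the example, while the event fields imitate 4624 network logons and 4688 process creations). It flags one account sweeping network logons across many hosts inside a short window, and remote-administration binaries (wmic, psexec, net) launched from hosts that are not designated admin workstations, the "legitimate utilities masquerading as administrator actions" also mentioned in the Solar JSOC report above.

```python
"""Retrospective lateral-movement hunt over Windows-style security events.

Added example; not code from Positive Technologies or from the article.
The event lines below are constructed for illustration: hosts, accounts,
addresses and timestamps are invented. Field names imitate the Windows
Security log (EventID 4624 with LogonType 3 = network logon, EventID 4688 =
process creation), but the line format itself is a simplified pipe-separated
export assumed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event_id|host|user|source_ip|key=value;...
SAMPLE_EVENTS = """\
2019-10-02T09:00:12|4624|FS01|jsmith|10.1.5.23|LogonType=3
2019-10-02T09:00:40|4624|FS02|jsmith|10.1.5.23|LogonType=3
2019-10-02T09:01:05|4624|DB01|jsmith|10.1.5.23|LogonType=3
2019-10-02T09:01:30|4624|HR-APP|jsmith|10.1.5.23|LogonType=3
2019-10-02T09:02:00|4624|SCADA-HMI|jsmith|10.1.5.23|LogonType=3
2019-10-02T09:02:15|4688|SCADA-HMI|jsmith|-|Process=C:\\Windows\\System32\\wbem\\wmic.exe;Cmd=wmic /node:PLC-GW process call create cmd.exe
2019-10-02T11:30:00|4624|FS01|amiller|10.1.7.8|LogonType=3
2019-10-02T11:45:00|4624|FS01|amiller|10.1.7.8|LogonType=2
2019-10-02T12:00:00|4688|WS-ADM01|admin.svc|-|Process=C:\\Windows\\System32\\net.exe;Cmd=net use \\\\FS01\\admin$
"""

# Hosts where remote-administration tooling is expected (assumed for the example).
ADMIN_HOSTS = {"WS-ADM01"}

# Legitimate binaries routinely abused for remote execution and lateral movement.
LOLBINS = {"psexec.exe", "wmic.exe", "net.exe", "net1.exe", "sc.exe",
           "at.exe", "schtasks.exe", "powershell.exe", "winrs.exe"}


def parse_events(text):
    """Parse the pipe-separated export into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, host, user, src, extra = line.split("|", 5)
        fields = dict(kv.split("=", 1) for kv in extra.split(";") if kv)
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "host": host, "user": user, "src": src, **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=4):
    """One (account, source address) pair opening network logons to at least
    `threshold` distinct hosts inside `window`: the trace left when a foothold
    sweeps through the internal network. One alert per pair, raised at the
    first logon that crosses the threshold."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("LogonType") == "3":
            logons[(e["user"], e["src"])].append((e["ts"], e["host"]))
    alerts = []
    for (user, src), seen in logons.items():
        for i, (ts, _) in enumerate(seen):
            hosts = {h for t, h in seen[: i + 1] if ts - t <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src": src, "at": ts, "hosts": sorted(hosts)})
                break
    return alerts


def lolbin_alerts(events, admin_hosts=ADMIN_HOSTS):
    """Remote-administration binaries started (4688) on hosts that are not
    designated admin workstations: a legitimate tool from an illegitimate origin."""
    alerts = []
    for e in events:
        if e["event_id"] != 4688 or "Process" not in e:
            continue
        exe = e["Process"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in LOLBINS and e["host"] not in admin_hosts:
            alerts.append({"host": e["host"], "user": e["user"], "exe": exe,
                           "cmd": e.get("Cmd", "")})
    return alerts


def hunt(text=SAMPLE_EVENTS, admin_hosts=ADMIN_HOSTS):
    """Run both detections over an export and return the findings."""
    events = parse_events(text)
    return {"fan_out": fan_out_alerts(events), "lolbin": lolbin_alerts(events, admin_hosts)}


if __name__ == "__main__":
    for kind, found in hunt().items():
        for alert in found:
            print(kind, alert)
```

On the constructed sample, the jsmith account is flagged the moment it reaches a fourth host within two minutes, while amiller (two logons to one server) stays quiet; the wmic call from the HMI is flagged because that host is not an admin workstation, whereas the same kind of command from WS-ADM01 is not. In a real deployment the thresholds, the admin-host list and the binary list are tuning knobs that must be set from the organization's own baseline, and the logs would come from a SIEM export rather than an inline string.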

The Ministry of Economic Development intends to ban the use of foreign software and equipment at the facilities of the Russian CII

On November 1, 2019, it became known that the Ministry of Economic Development is preparing amendments to the law "On the Security of Critical Information Infrastructure (CII)," which imply the replacement of foreign software and equipment at CII facilities with Russian ones. The order to prepare the amendments was given a few months ago by the Deputy Prime Minister Yury Borisov in charge of the defense industry. This was reported by RBC with reference to a letter from Deputy Minister of Economy Azer Talybov.

Talybov writes that in their current form Russian laws do not allow the government to require the use of only domestic software and equipment at CII facilities. For this to become possible, such a rule must be written into the law "On the Security of CII." The schedule for replacing foreign products with domestic ones at existing CII facilities will be drawn up separately.

In addition, the law should prohibit foreign companies from interacting with CII networks and information systems. That is, the ultimate beneficiaries of the legal entities that do so should be Russian citizens without dual citizenship. The same rule would apply to individual entrepreneurs working with CII. As a result, the access of foreign states and their citizens to the maintenance and development of CII would be minimized, Talybov believes.

The recipients of Talybov's letter are the board of the Military-Industrial Commission of Russia headed by Borisov, the Federal Service for Technical and Export Control (FSTEC) and the Ministry of Digital Development, Communications and Mass Media. The Ministry of Telecom and Mass Communications replied that FSTEC and the Ministry of Industry and Trade are working on the import substitution of foreign equipment on behalf of the government, that CII will function more securely and sustainably using Russian software, and that the share of domestic developers in the state procurement market will grow.[42]

Recorded about 17 thousand cyber attacks on KII in Russia

In August 2019, a representative of the Security Council said that in 2018 about 17 thousand cyber attacks on CII objects in Russia were recorded. Attackers also tried to install malicious software on another 7 thousand objects. About 38% of the attacks targeted the credit and financial sector.[43]

ADE published methodological recommendations on categorization of CII objects in accordance with No. 187-FZ

On July 9, 2019, it became known that the Documentary Telecommunication Association (ADE) had published guidelines for categorizing critical information infrastructure (CII) facilities. The document was developed on the basis of materials from telecom operators and other ADE member organizations. The methodological recommendations are intended to detail and standardize the procedure for categorizing CII objects provided for by the Federal Law "On the Security of the Critical Information Infrastructure of the Russian Federation" of July 26, 2017 No. 187-FZ.

The recommendations contain a set of rules on the basis of which operators should assign CII objects to the different categories. The published version of the document was agreed with FSTEC of Russia and the 8th Center of the FSB of Russia and can be used by telecom operators. If the regulatory framework changes, or comments and proposals are received from applying the recommendations in practice, the association plans to amend the text of the methodology.

A federal official who wished to remain anonymous said that, since the association is in fact a public organization, its recommendations have no legal force.

"When preparing the document, operators had to carry out analytical work on the categorization of objects. The recommendations were developed by market participants and agreed in working order with the relevant bodies. Categorization is a necessary step in implementing the requirements of FZ-187. The purpose of the methodology is to define criteria and unify the procedure so that the results do not raise questions among industry regulators. We believe that operators will begin to use the document, and practice will show the need for further approval by the executive bodies."

The representative of the press service of MegaFon PJSC said that the published version of the document was agreed by the main FZ-187 regulators and can be used by telecom operators. The industry document is optional, but recommended by FSTEC and the FSB for use in the communications industry.

"First of all, it is designed to help market participants comply with FZ-187. This is a consolidated vision of the major industry players on how to implement the CII security requirements set by the regulatory legal acts. The recommendations are important, since FZ-187 and its by-laws formulate general principles and measures for ensuring the security of CII without going into industry specifics. The methodology is an attempt to apply the norms formulated by the legislator to a specific operator infrastructure; it is of a purely applied nature, and this is its value. For the Big Four operators, of course, the document will be the main one. For other operators, we hope, too, since applying the methodological recommendations will contribute to a single and understandable information field in the interaction between the operator community and the regulators."

The representative of the press service of MTS PJSC said that the recommendations will be used by telecom operators when categorizing critical information infrastructure (CII) facilities and building security systems for these facilities.

"It seems that it would be more expedient to adopt the document in the form of a regulatory legal act of the regulator. So far, these are, in fact, recommendations. Telecom operators will decide for themselves whether to use the methodology. The work has already been partially carried out: MTS has developed and sent to FSTEC of Russia a list of its own CII objects. According to plan, we will categorize these facilities by the end of 2019. The methodology makes it possible to introduce certainty and uniformity in the approach of telecom operators to the categorization of CII objects. The costs for MTS will be clear after the categorization of the CII facilities."

A spokesman for Akado Telecom said the initiative to develop the recommendations was correct and timely.

"But, most likely, the document will need to be adjusted in line with changes in the regulatory legal acts on CII. In addition, in our opinion, the recommendations are aimed more at mobile operators than at fixed communication networks. Therefore, we did not participate in their development. When categorizing CII facilities, our company is guided by Government Decree No. 127 and the FSTEC orders."

The Ministry of Digital Development, Communications and Mass Media is aware of this initiative of the Documentary Telecommunication Association but has not approved the document.

From 2020, FSTEC plans to introduce administrative liability for non-compliance with the security requirements for CII facilities.[44]

Data on cyber attacks on critical facilities in the Russian Federation is leaking abroad; companies are breaking the law

Russian companies that operate critical infrastructure facilities share data on cyber attacks with foreign colleagues without the knowledge of the FSB. This was reported on Thursday, June 27, by RBC with reference to materials of the Federal Service for Technical and Export Control (FSTEC), which in turn refer to the FSB.

FSB: owners of critical infrastructure transmit data on cyber attacks abroad without the knowledge of the special services of the Russian Federation

According to the law "On the Security of Critical Information Infrastructure," in force since last year, companies operating critical infrastructure facilities are obliged to provide data about them to the Federal Service for Technical and Export Control (FSTEC) so that they can be assigned the appropriate category (the security requirements differ for each category). In addition, they are obliged to connect to the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA) created by the FSB and to report cyber attacks on their facilities to the National Coordination Center for Computer Incidents (NCCCI).

However, not all companies comply with the requirements of the law and inform the NCCCI about cyber attacks on their systems. For this reason, the center does not have complete information about incidents at critical infrastructure facilities and cannot adequately respond to them or make forecasts.

At the same time, companies do exchange information about cyber attacks with foreign organizations. In doing so, they violate FSB orders No. 367 and No. 368, under which the exchange of such data with foreign organizations must be coordinated with FSTEC. The service, however, has not received a single request on this issue.

The FSTEC believes that the information provided to foreign companies about cyber attacks on critical infrastructure of the Russian Federation eventually falls into the hands of foreign special services, which can use it to assess the security status of the Russian critical infrastructure.

According to RBC, companies may be doing this to avoid reputational and financial losses. But the practice of sending data abroad threatens primarily the companies themselves: since the NCCCI, controlled by the FSB, does not have complete information about the incidents, it cannot adequately respond to them or make accurate forecasts of how the situation will develop, FSTEC notes.

The Law "On the Security of Critical Information Infrastructure" has been in effect in Russia since 2018. Its main goal is to protect the country's most important enterprises from cyber attacks.

According to FSTEC, the law is not working at full force for several reasons. Firstly, last year the agency already noted a lack of information from banks and telecom operators about the criticality of their facilities. Secondly, some of the by-laws that must set out the details of how organizations interact under this law have not yet been adopted.[45]

FSB formulated requirements for the tools of the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA) to protect the CII of the Russian Federation

On May 6, 2019, the Federal Security Service issued an order "On approval of requirements for means intended for the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents." Read more here.

FSTEC and FSB will introduce responsibility for violation of requirements for the critical IT infrastructure of Russia

On March 26, 2019, the Federal Portal of Draft Regulatory Legal Documents posted a notice of the beginning of the development of the draft federal law "On Amendments to the Code of Administrative Offenses of the Russian Federation (regarding the establishment of liability for violation of requirements for ensuring the safety of CII facilities)."

So far, this is only a notification about the start of work on the document. Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" requires the organizations that own or operate significant objects of the critical information infrastructure of the Russian Federation to comply with the security requirements for such objects set by the law and its regulatory acts.

In particular, Article 274.1 of the Criminal Code provides for criminal liability for unlawful impact on the critical information infrastructure of the Russian Federation.

However, no law covers cases where these requirements were not complied with but no unlawful impact on the CII resulted.

"In order to differentiate punishment depending on the public danger of the consequences of violating the requirements of the legislation of the Russian Federation on the security of critical information infrastructure, it seems appropriate to introduce administrative liability for non-compliance by subjects of critical information infrastructure with the requirements for ensuring the security of significant objects of critical information infrastructure, established in accordance with federal law and the other regulatory legal acts adopted in accordance with it," the project description says.

"Critical information infrastructure needs legislation that would meet the ever-changing realities of information security," said Dmitry Gvozdev, General Director of Information Technologies of the Future. "The process of forming this legislation is still far from over; some gaps remain that need to be addressed as soon as possible. The development of administrative liability measures in this case is not so much a promise of new punishments for the sake of punishment as a filling of gaps and an adequate delineation of liability in accordance with the likely threat. Ultimately, in the field of CII, even minor negligence can be unpredictably expensive."

The main developer of the draft is to be FSTEC, with the Federal Security Service of the Russian Federation listed as co-executor.

The planned deadline for the adoption of the bill is January 2020. The notice is published on the Federal Portal of Draft Regulatory Legal Acts (npa 89944).

FSTEC proposes to prohibit the processing abroad of information related to the CII of Russia

On March 6, 2019, the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) published on the Federal Portal of Draft Regulatory Legal Acts a draft amendment to Order No. 239 "On Amendments to the Requirements for Ensuring the Safety of Significant Objects of the Critical Information Infrastructure of the Russian Federation."

The draft contains a number of clarifications, among which the requirements for the equipment, software and information-processing procedures of critical infrastructure facilities stand out.

In particular, it is proposed to supplement paragraph 31 of the Order[46] with the following paragraph:

"The information storage and processing software and hardware included in a significant object of the 1st category of significance shall be located on the territory of the Russian Federation (except for cases when the specified means are placed in foreign separate subdivisions of the subject of critical information infrastructure (branches, representative offices), as well as cases established by the legislation of the Russian Federation and (or) international treaties of the Russian Federation)."

The previous version of the order did not impose such restrictions.

"In fact, this means a ban on processing data related to critical infrastructure facilities of the first category of significance outside the territory of Russia, minus the stipulated exceptions," said Dmitry Gvozdev, General Director of Information Technologies of the Future. "In general, this document is of a clarifying nature. The development of the standards and rules by which Russia's critical infrastructure should operate is a process that is still very far from completion: the number of stakeholders is large and the risks are too high, so the regulation should be as detailed as possible. Accordingly, new amendments, additions and clarifications will be made in the future, and for a long time."

In addition, the draft proposes to oblige the most significant critical infrastructure enterprises to use only routers certified for compliance with information security requirements. However, this applies only to newly created or modernized CII objects, and only to the first (highest) category of significance.

It is stipulated that if it is not possible to use only certified devices as border routers (those through which the local network accesses the Internet), the security of the devices actually used will have to be assessed as part of the acceptance or testing of the significant objects.

The full text of the draft order is available on the Federal Portal of Draft Regulatory Legal Acts (npa 89229).

2018

In 2018, about 4.3 billion cyber attacks were committed on the Russian Federation

According to the National Coordination Center for Computer Incidents, in 2018, more than 4.3 billion cyber attacks were carried out on critical infrastructures of the Russian Federation. This was announced in August 2019 by the Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov in an interview with Rossiyskaya Gazeta.

According to Khramov, the number of cyber attacks has grown by 57% over the past six years. While in 2014 to 2015 there were about 1.5 thousand coordinated targeted attacks per year, in 2018 their number exceeded 17 thousand. Attacks aimed at disabling the equipment of critical infrastructure facilities pose a particular danger.

Since the beginning of 2019, the introduction of malicious software on more than 7 thousand objects of critical infrastructures has been prevented. The targets of the attackers' attacks were objects of the credit and financial sphere (38% of all attacks), government bodies (35%), the defense industry (7%), the field of science and education (7%) and the health sector (3%).

According to the American company Webroot, in 2018, the United States accounted for 63% of Internet resources that distribute malware, while the share of China and Russia is only 5% and 3%, respectively.

FSB has prepared a procedure for informing about cyber attacks on CII facilities

The Federal Security Service of the Russian Federation has prepared a draft order approving the procedure for informing about cyber attacks on significant objects of critical information infrastructure (CII). The text of the draft is available on the Federal Portal of Draft Regulatory Legal Acts.[47][48]

"I order to approve the attached procedure for informing the FSB of Russia about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out on significant objects of the critical information infrastructure of the Russian Federation," follows from the order.

As noted in the explanatory note, the project is aimed at improving legal regulation in the field of coordination of the activities of the subjects of the critical information infrastructure of the Russian Federation on the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents.

According to the order, in the event of a computer incident, the subjects of the critical information infrastructure of the Russian Federation are obliged to immediately inform the National Coordination Center for Computer Incidents (NCCCI). If the subject is not connected to the NCCCI's technical infrastructure, the information must be sent by fax, e-mail or telephone to the addresses and numbers of the NCCCI published on the agency's website.

In addition, if the incident occurred at a CII facility operating in banking or other spheres of the financial market, the Central Bank of the Russian Federation must also be informed.

CII subjects will also have to develop a plan for responding to computer incidents and taking measures to eliminate the consequences of computer attacks and conduct training at least once a year to work out the plan's activities.

Information about the protection of CII from cyber attacks was classified as a state secret

Russian President Vladimir Putin signed a decree in March 2018 under which information on the state of protection of critical information infrastructure (CII) from cyber attacks is now classified as a state secret. The document was published on the official portal of legal information.[49][50]

The decree supplements the list of information classified as state secrets, approved by decree of the President of the Russian Federation of November 30, 1995 No. 1203 "On approval of the list of information classified as state secrets," with a new paragraph. According to the document, such data now include information that discloses measures to ensure the security of the critical information infrastructure of the Russian Federation and information that discloses the state of security of CII against computer attacks.

The FSB and the Federal Service for Technical and Export Control were also given the authority to classify such data as state secrets.[51][52][53]

2017

Penalties for unlawful impact on the critical IT infrastructure of Russia

On January 1, 2018, Federal Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation" comes into force in Russia, together with the amendments to the Criminal Code adopted at the same time, which describe the punishment for damage to the country's critical infrastructure.

The changes are made by Federal Law No. 194-FZ "On Amendments to the Criminal Code of the Russian Federation and Article 151 of the Criminal Procedure Code of the Russian Federation in connection with the adoption of the Federal Law 'On the Security of the Critical Information Infrastructure of the Russian Federation.'" In particular, Chapter 28 of the Criminal Code of the Russian Federation is supplemented by Article 274.1, describing the punishment for "unlawful impact on the critical information infrastructure of the Russian Federation."[54]

According to the regulations of the 187-FZ, financial, transport, energy, telecommunications companies, as well as organizations in the field of health, science, fuel and energy complex, nuclear power and industry are subject to the new requirements.

Until February 20, 2019, companies that fall within the scope of the law are obliged to independently categorize CII facilities and coordinate them with FSTEC.

This stage includes creating a categorization commission, defining the processes within the company's main activities and identifying the most critical of them. The next step is to form a list of CII objects and coordinate it with the industry regulator (for the healthcare sector, for example, this is the Ministry of Health). The list of objects is then submitted as a notification to FSTEC of Russia, and for each object on the list the CII subject determines the category of significance, after which the categorization results are sent to FSTEC for approval. Based on the assigned categories, the owner of the CII facilities then has to build their protection.

Unlawful impact includes the creation, distribution and/or use of computer programs or other computer information knowingly intended for destroying, blocking, modifying or copying information in the critical infrastructure, or for neutralizing the means of protecting that information.

Severe penalties have been established for crimes aimed at violating the security of the critical information infrastructure of the Russian Federation

Sanctions also apply to illegal access to protected computer information contained in the critical information infrastructure of the Russian Federation if it has caused harm to this infrastructure.

Penalties are also provided for violating the rules for operating the means of storing, processing or transmitting protected computer information contained in the critical information infrastructure, and the information systems, information and telecommunication networks, automated control systems and telecommunication networks that belong to the country's critical information infrastructure.

For creating malicious programs to affect the infrastructure, violators face forced labor for up to five years with a possible restriction of freedom for up to two years, or imprisonment for two to five years with a fine of five hundred thousand to one million rubles or in the amount of the convicted person's wages or other income for a period of one to three years. For illegal access to protected computer information, the penalty is forced labor for up to five years with a fine of 500 thousand to one million rubles and a possible restriction of freedom for up to two years, or imprisonment for two to six years with a fine of five hundred thousand to one million rubles.

Violation of the rules for the operation of means of storing, processing or transferring protected computer information will be followed by forced labor for up to five years with the possible deprivation of the right to hold certain positions or engage in certain activities for up to three years. A possible imprisonment of up to six years is also envisaged.

If these acts are committed by a group of persons by prior conspiracy, by an organized group, or by a person using his official position, the punishment increases significantly: the law provides for a prison term of three to eight years with the possible deprivation of the right to hold certain positions or engage in certain activities for up to three years.

If the same acts committed by a group of persons by prior conspiracy or using their official position entailed grave consequences, the perpetrators will receive a term of five to ten years with the deprivation of the right to hold certain positions or engage in certain activities for up to five years or without it.

"The emergence of such a law is more than natural in the current environment," said Georgy Lagoda, CEO of SEC Consult Services. "Attacks on critical infrastructure have ceased to be an abstraction; this is a highly pressing problem for all countries, including Russia. The law is clearly aimed at preventing internal attacks or violations that increase the vulnerability of infrastructure. The effectiveness of this law may be the subject of debate, but it is encouraging that the existence of the problem is recognized at the legislative level."

"The law, as well as the amendments to the Criminal Code, are necessary in themselves," said Dmitry Gvozdev, General Director of Technologies of the Future LLC. "The question, however, lies in real law enforcement practice. Whether these laws will work at all depends on it."

The State Duma approved a package of bills with sanctions for attacks on critical infrastructure

In January 2017, the State Duma approved in the first reading a package of bills that provides for up to 10 years in prison for hackers who target the critical information infrastructure (CII) of the Russian Federation. If the bill is adopted, the corresponding amendments will be made to the Criminal Code of the Russian Federation, as reported by the TASS news agency and CNews.[55]

CII means information and telecommunication systems of state bodies. This also includes automated process control systems in the defense, fuel, rocket and space, nuclear, chemical, metallurgical and mining industries, as well as in the fields of health, communications, transport, power and finance.

Punishments for hackers

For example, for creating or distributing software designed to harm CII, hackers will be sent to forced labor for 5 years or imprisoned for the same period. Alternatively, a fine of ₽500 thousand to ₽1 million may be imposed. The fine can also be calculated from the income of the offender, in the amount of his salary for a period of 1 to 3 years.

If a hacker not only created/distributed a malicious program for CII, but also caused real damage to the infrastructure, he can spend from 5 to 10 years in prison. In addition, the offender will lose the opportunity to engage in some activities and work in appropriate positions for 5 years.

There is also a punishment for illegal access to information contained in the CII if the access is carried out using a malicious program and poses a threat to the infrastructure. The fine for this ranges from ₽1 million to ₽2 million, or equals the offender's income for a period of 3 to 5 years. Alternatively, imprisonment for up to 6 years is possible, with a fine of ₽500 thousand to ₽1 million or in the amount of salary for 1 to 3 years.

Other punishments

The bill provides penalties not only for intentionally harming the CII, but also for violating the rules for handling the information contained in it. This includes mishandling the equipment on which this information is stored, processed and transmitted. The same item covers violating the rules for accessing CII data and systems if this poses a threat to the infrastructure.

For such actions, violators will be imprisoned for 6 years. Another option for punishment: 5 years of forced labor and a ban on some activities for 3 years. If not one person acts, but a group of persons who conspired in advance or use their official position, then they face imprisonment for a term of 3 to 8 years or 5 years of forced labor.

Ensuring safety

The bill considered today by the State Duma also describes the principles of ensuring the security of CII, imposes appropriate powers on government agencies and establishes the duties and responsibilities of infrastructure owners and operators. A special authorized federal body should be responsible for the safety of CII.

All CII facilities are to be divided into categories, and each category will receive its own security standards. The division will be based on the register of significant objects, the creation of which is stipulated by the bill. In addition, security systems will be created for CII that will cooperate with the system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation. This system was created by presidential decree of January 15, 2013.

Notes

  1. Authorities will spend half a billion on industrial information security
  2. The Ministry of Digital Development assessed the import substitution of information protection tools at CII facilities
  3. Draft "On Amending the Resolution of the Government of the Russian Federation of November 14, 2023 No. 1912", https://regulation.gov.ru/Regulation/Npa/PublicView?npaID=149577
  4. Ibid.
  5. Ibid.
  6. Software Register PACS, Ministry of Digital Development, https://reestr.digital.gov.ru/reestr-pak/
  7. Ibid.
  8. Unified register of Russian radio electronic products (PP RF 878)
  9. Register of Russian industrial products (PP RF 719 of 17.07.2015)
  10. Data storage will be protected by requirements
  11. Decree of the President of the Russian Federation dated 13.06.2024 No. 500 "On Amending the Decree of the President of the Russian Federation of May 1, 2022 No. 250 'On Additional Measures to Ensure Information Security of the Russian Federation'", http://publication.pravo.gov.ru/document/0001202406130032?index=1
  12. Safety is achieved methodically
  13. Expert named the main reasons for successful cyber attacks on enterprises and government agencies
  14. PNST 905-2023
  15. Subject protection
  16. Data counts on money protection
  17. FSTEC revealed hundreds of violations in the protection of Russia's information infrastructure
  18. FSTEC will present cybersecurity requirements to state contractors
  19. The FSB of Russia suppressed the illegal activities of a Russian citizen who committed high treason in the Kemerovo region
  20. TV channels and telecom operators will be obliged to create information security units
  21. Information systems will be evaluated critically
  22. Servers are distributed across the country
  23. The Duma adopted a law on protection against cyber attacks of registration data in the field of real estate
  24. Order of the Federal Security Service of the Russian Federation No. 213 dated 11.05.2023
  25. The Cabinet of Ministers launched an experiment to increase the security of the information systems of authorities
  26. Decree of the President of the Russian Federation of 01.05.2022 No. 250 "On additional measures to ensure information security of the Russian Federation"
  27. Positive Technologies: government agencies are the worst protected from cyber attacks
  28. The number of cyber attacks on critical infrastructure of the Russian Federation has increased by 150%
  29. Russia and the United States in cyberspace: keep friends close
  30. In Russia, every tenth organization that is a subject of CII is infected with malware
  31. The Duma introduced fines of up to 500 thousand rubles for violations in protecting critical IT infrastructure
  32. Video without restrictions. Surveillance cameras with publicly available data were discovered in Russia
  33. Experts have found a vulnerability in thousands of surveillance cameras
  34. Patrushev: 120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia over the year
  35. Hackers have become more likely to attack authorities, the Cyber Threats Center said
  36. Order of the Federal Service for Technical and Export Control dated 20.02.2020 No. 35 "On Amendments to the Requirements for Ensuring the Safety of Significant Critical Information Infrastructure Facilities of the Russian Federation approved by Order of the Federal Service for Technical and Export Control dated December 25, 2017 No. 239"
  37. Message about subsidies to regions to increase the level of security of CII facilities withdrawn
  38. Order of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation of 17.03.2020 No. 114
  39. Draft order regulating the installation and operation of means for detecting signs of cyber attacks on CII facilities, Federal Portal of Draft Regulatory Legal Acts (npa 99844)
  40. Ibid.
  41. Hackers prepare attacks on the fuel and energy complex for several years
  42. The authorities want to ban foreign software and hardware in banks, medicine, transport, industry and science
  43. Ibid.
  44. KII has rules, https://www.comnews.ru/content/120693/2019-07-09/u-kii-poyavilis-pravila
  45. FSB announced the leakage of data on cyber attacks on Russian facilities abroad
  46. FSTEC Order of December 25, 2017 No. 239 on the approval of requirements for ensuring the safety of significant facilities of the critical information infrastructure of the Russian Federation
  47. Draft order "On approval of the Procedure for informing the FSB of Russia about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out on significant objects of the critical information infrastructure of the Russian Federation", Federal Portal of Draft Regulatory Legal Acts (npa 78961)
  48. The FSB has prepared a procedure for informing about cyber attacks on CII facilities
  49. Decree of the President of the Russian Federation of 02.03.2018 No. 98 "On amending the list of information classified as state secrets, approved by Decree of the President of the Russian Federation of November 30, 1995 No. 1203", http://publication.pravo.gov.ru/Document/View/0001201803020009?index=0&rangeSize=1
  50. Ibid.
  51. Information on the security of CII against cyber attacks was classified as a state secret, https://www.securitylab.ru/news/491867.php
  52. Ibid.
  53. Ibid.
  54. Federal Law of 26.07.2017 No. 194-FZ "On Amendments to the Criminal Code of the Russian Federation and Article 151 of the Criminal Procedure Code of the Russian Federation in connection with the adoption of the Federal Law 'On the Security of Critical Information Infrastructure of the Russian Federation'"
  55. CNews: Hackers in Russia will be imprisoned for 10 years