Review of Russian legislation to protect critical information infrastructure

Friends, in a previous publication we examined the protection of personal data from the point of view of Russian and international legislation. However, there is another urgent topic regarding a large number of Russian companies and organizations - we are talking about protecting critical information infrastructure. The security and stability of IT systems of both individual large companies and entire industries in modern conditions play a decisive role. All over the world, attempts are being made to carry out targeted and sophisticated cyberattacks on infrastructure, and it would be very short-sighted to ignore such facts. The creation of GosSOPKA (the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation), as well as the signing of the Federal Law of July 26, 2017 No. 187- “On the Security of Critical Information Infrastructure of the Russian Federation” and the development of relevant by-laws served logical answer to the challenges of current realities.



Consider this aspect of information security in more detail. Forward!

Key Points

The start of work to protect the information infrastructure on a national scale was signed with the Decree of the President of the Russian Federation dated January 15, 2013 No. 31c “On the creation of a state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation”. Further, in July 2017, Federal Law of July 26, 2017 No. 187-FZ “On the Security of Critical Information Infrastructure of the Russian Federation” was signed, which entered into force on January 1, 2018. Critical information infrastructure (hereinafter - KII) refers to information systems, information and telecommunication networks, automated control systems of KII subjects, as well as telecommunication networks used to organize their interaction. The subjects of KII are companies operating in areas strategically important for the state, such as healthcare, science, transport, communications, energy, banking, the fuel and energy complex, in the field of nuclear energy, defense, rocket and space, mining, metallurgical and chemical industries , as well as organizations that ensure the interaction of systems or networks of KII. A computer attack is defined as a targeted malicious effect on the objects of the KII to violate or stop their functioning, and a computer incident - as the fact of a violation or termination of the operation of the KII and / or security breach of the information processed by the object.



It is also worth noting that for companies in the fuel and energy sector there are standards that are defined by the Federal Law of July 21, 2011 No. 256- “On the Safety of Fuel and Energy Complex Facilities”, which also dictate the need to ensure the security of information systems of fuel and energy facilities -energy complex by creating information protection systems and information and telecommunication networks from illegal access, destruction, modification, blocking of information and other illegal actions, as well as the need to ensure the functioning of such systems.



FSTEC of Russia was appointed by the federal executive body authorized in the field of security of critical information infrastructure of the Russian Federation. The Federal Security Service of the Russian Federation was entrusted with the functions of the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation (hereinafter referred to as GosSOPKA). In addition, by the order of the Federal Security Service of the Russian Federation in 2018, the National Coordination Center for Computer Incidents (NCCTC) was created, which coordinates the activities of KII subjects and is an integral part of the forces designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents, and the technical The NCCCI infrastructure is used for the functioning of the State SOPKA system. In simple words, the NCCA is the state CERT (Computer Emergency Response Team), and the State SOPCA is the “big SIEM” on the scale of the Russian Federation. It functions as follows: information on a computer incident that has occurred in the amount corresponding to the provisions of the Order of the Federal Security Service of the Russian Federation No. 367 (date, time, technical details and consequences of the incident and its connection with other incidents, location of the KII object, the presence of a connection between the identified attack and the incident), must be transferred by the subject of KII to the State SOPKA system within 24 hours from the date of detection of a computer incident. At the same time, there is a tendency towards a transition to automated data sending.



Then, the Decree of the Government of the Russian Federation dated February 8, 2018 No. 127 “On approval of the Rules for categorizing objects of critical information infrastructure of the Russian Federation, as well as the List of indicators of criteria for the importance of objects of critical information infrastructure of the Russian Federation and their values” was signed, which impose specific requirements for CII subjects on the categorization of KII objects in their area of ​​responsibility, and also contain a list of criteria for the significance of KII objects - quantitative by azateley for the correct choice of the significance of the category. The category of significance of a CII object can take one of three values ​​(where the highest category is the first, the lowest is the third) and depends on quantitative indicators of the significance of this object in the social, political, economic and defense spheres. For example, if a computer incident at the KII facility can cause damage to life and health of more than 500 citizens, then the facility is assigned the maximum first category, and if transport services as a result of the incident may become unavailable to 2 thousand - 1 million citizens, then the facility is assigned minimum third category.



So, the objects of KII should be categorized. This is carried out by a permanent internal commission for categorizing the subject of KII, which also produces and documents the following actions:

• identifies the objects of KII that provide managerial, technological, production, financial, economic and (or) other processes (we will call them “the main processes of KII subjects”) within the framework of the activities of the KII subject;
• identifies critical processes, violation or termination of which can lead to negative consequences in the social, political, economic and defense spheres;
• installs KII objects that process information for the processes described above and / or carry out management, control or monitoring of critical processes (we will call them “auxiliary KII objects”);
• builds models of violators and threats, while the commission should consider the worst-case attack scenarios with maximum negative consequences;
• assesses possible consequences, taking into account the interconnections between objects and dependencies between them;
• assigns each object one of three categories of significance or makes a reasoned decision not to assign such a category, with the preparation of an act of categorizing the object of CII or an act on the absence of the need to assign a category of significance to it.

The categorization results are sent to the FSTEC of Russia, where the correctness of the categorization procedure and the correctness of the assignment of the significance category are checked, and in the absence of comments, the information received is entered into the register of KII objects. Periodic (1 time in 5 years) and planned (when changing indicators of significance criteria) review of established categories of significance is provided.

State hosiery

In accordance with the document No. 149/2 / 7-200 of December 24, 2016 “Methodological recommendations for the creation of departmental and corporate centers of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation” developed by the Federal Security Service of the Russian Federation, the functions of the State SOPKA are:

• inventory of information resources;
• identifying vulnerabilities in information resources;
• analysis of threats to information security;
• advanced training of personnel of information resources;
• receiving messages about possible incidents from personnel and users of information resources;
• detection of computer attacks;
• security event data analysis;
• incident logging;
• incident response and response;
• establishing the causes of incidents;
• analysis of the results of the elimination of the consequences of incidents.

GosSOPKA system centers are divided into departmental and corporate:

• departmental Centers carry out licensed activities to protect information resources in the interests of public authorities;
• Corporate Centers carry out licensed activities to protect information resources in their own interests, and also have the right to provide services for the prevention, detection and elimination of the consequences of computer attacks.

If we can call the GosSOPKA system itself exaggerated “big SIEM” nationwide, then the GosSOPKA Centers will be correctly compared rather with the Information Security Monitoring Centers (Eng. Security Operations Center, SOC).



So, the subject of KII related to the state authority, in accordance with current legislative standards, should connect to the relevant departmental Center of the State Social Protection and Certification Agency. A KII subject, which is not a public authority, has the opportunity to either independently connect to the GosSOPKA system, either create its own GosSOPKA corporate Center, or connect to the already created Center that provides services for connecting to the GosSOPKA system.



With independent connection to the Center of the State SOPKA, the subject of KII will have to solve the following tasks:

• the creation of its own Information Security Monitoring Center, taking into account the requirements of regulatory documents of the Federal Security Service of the Russian Federation, FSTEC of Russia, other regulatory legal acts;
• implementation and support of technical tools and solutions that comply with the methodological recommendations of the Federal Security Service of the Russian Federation on the creation of departmental and corporate centers of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation;
• implementation and support of technical tools and solutions that meet the requirements of the FSTEC of Russia licensee for monitoring information security of monitoring tools and systems;
• Obtaining a license from the FSTEC of Russia for technical protection of confidential information (TZKI) regarding the list of works and services for monitoring the information security of monitoring tools and systems (in the case of providing commercial services to other organizations or when working as part of a holding structure);
• Obtaining a license from the Federal Security Service of the Russian Federation for the development, production, distribution of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means, performing work, providing services in the field of information encryption, and maintenance of encryption (cryptographic) means , information systems and telecommunication systems protected using encryption (cryptographic) means (if provided mmercheskih services to other organizations, or working as a part of the holding structure);
• interaction with the NCCSC in accordance with the rules of interaction between the FSB units of the Russian Federation and the State SOPKA subjects in the implementation of information exchange in the field of detection, prevention and elimination of the consequences of computer attacks;
• attraction, training, retention of employees of the Information Security Monitoring Center;
• development and continuous updating of attack and monitoring scenarios;
• analytics of events and incidents, reporting building.

Connecting to the external (commercial) center of GosSOPKA, which provides relevant services, allows you to transfer most of the above tasks to a specialized organization. All that is required of the customer is to connect the sources of events to the GosSOPKA commercial center, agree on the format and rules of interaction, and notify in a timely manner of changes in its IT infrastructure. In addition, using the services of an external center of GosSOPKA, the organization transfers to the executor the risks of non-compliance with the legislation of the Russian Federation in the field of illegal business (Article 171 of the Criminal Code of the Russian Federation) in terms of conducting activities without the corresponding licenses of the Federal Security Service of the Russian Federation and / or FSTEC of Russia.

APCS

Let's move on to the principles of protecting automated control systems for production and technological processes. Order of the FSTEC of Russia dated March 14, 2014 No. 31 “On the Approval of Requirements for the Protection of Information in Automated Control Systems for Production and Technological Processes at Critical Facilities, Potentially Hazardous Facilities, and also Facilities that pose an increased danger to human life and health and to environment ”(as amended by Order of the FSTEC of Russia dated August 9, 2018 No. 138) establishes legislative requirements in the field of ensuring the safety of automated control systems for manufacturing single and technological processes (hereinafter - the process control system). Despite the existence of two seemingly duplicate areas of protection of KII (187- on KII with by-laws and the indicated Order No. 31 on process control systems), at present, state regulators adhere to the following point of view: if the object of KII is recognized as significant (i.e. it is assigned one of three categories of significance), then the FSTEC Order of December 25, 2017 No. 239 “On approval of the requirements for ensuring the security of significant objects of critical information infrastructure of the Russian Federation” is used, and if the KII object is not recognized recognizable (i.e., the category of significance was not assigned), then, by the decision of the subject of KII, it is possible to apply both Order No. 31 for process control and Order No. 239 for KII.



In accordance with Order No. 31, the objects of protection in the process control system are information about the parameters or condition of the managed object or process, as well as all related technical means (workstations, servers, communication channels, controllers), software, and protective equipment. This document indicates that the organizational and technical measures taken to protect the process control system should, first of all, ensure the accessibility and integrity of the information processed in the process control system, and ensuring confidentiality is logically placed in second place. In addition, it is indicated that the measures taken should be harmonized with measures to ensure other types of safety, for example, industrial, fire, environmental, and should not adversely affect the regular functioning of the process control system. Requirements are also imposed on the information protection system in the process control system - they must pass a conformity assessment.



The document describes the organizational steps to protect information (hereinafter - ZI) in the process control system: the formation of requirements for the process control system, the development and implementation of the control system of the process control system, the provision of the process control system during operation of the process control system and during its decommissioning. It is at the stage of formation of requirements that important work is carried out on the classification of process control systems: one of the three security classes is established (where the lowest class is the third, the highest is the first), while the security class is determined depending on the significance level of the information being processed, i.e. the extent of potential damage from violation of its security properties (integrity, availability and, if applicable, confidentiality). The degree of damage can be high (state of emergency of a federal or inter-regional scale), medium (state of emergency of a regional or inter-municipal scale) or low (an incident is local in nature).



In addition to the classification of process control systems, at the stage of formation of requirements, the process control security threats are determined by compiling a threat model: the sources of threats are identified, the capabilities of the violators are evaluated (i.e., the model of the violator is created), vulnerabilities of the systems used are analyzed, possible ways of implementing threats and the consequences of this are determined, while should be used FDTC FSTEC Russia. The importance of creating an intruder model at this stage also lies in the fact that the applied protective measures in an industrial control system of the 1st security class should ensure neutralization of the actions of an intruder with high potential, in an automatic control system of a second security class - an intruder with a potential of at least average, in an automatic control system 3rd class of security - an intruder with a low potential (the potential of violators is given a definition on the BDU page ).



Further, Order No. 31 offers an algorithm for selecting and applying security measures, already familiar to us from the FSTEC Orders of Russia No. 21 (PDN) and No. 17 (GIS): first, a basic set of measures is selected based on the proposed list, then the selected basic one is adapted a set of measures, which supposes the exclusion of irrelevant basic measures depending on the characteristics of information systems and technologies used, then the adapted basic set of measures is specified to neutralize current threats not previously selected erami, and finally the addition is carried out a core set of proximate adapted measures established by other applicable legal documents. At the same time, Order No. 31 emphasizes the importance of the continuity of technological processes: compensating protective measures can be applied in the event of a predicted negative impact on the regular operation of the process control system.



In Order No. 31 the following groups of measures for ensuring the safety of the control system are indicated, which should be applied depending on the required protection class of the control system:

• identification and authentication;
• access control;
• software environment restriction;
• protection of computer storage media;
• security audit;
• antivirus protection;
• intrusion prevention (computer attacks);
• ensuring integrity;
• accessibility;
• protection of hardware and systems;
• protection of the information (automated) system and its components;
• response to computer incidents;
• configuration management;
• software update management;
• safety planning;
• provision of actions in emergency situations;
• informing and training staff.

At the same time, the document emphasizes that when implementing technical means of information protection, first of all, it is necessary to use the standard protective functionality of the systems used in the process control system, and then the superimposed SZI, which also have certain requirements: if certified SZI are used to protect information in the process control system, then it is necessary to be guided by the requirements for their classes, as well as for CBT classes and levels of control of the absence of NDV, described in paragraph 24 of Order No. 31.

Security of significant KII objects

Now we will consider one of the main by-laws on the protection of KII objects, namely the Order of the FSTEC of Russia dated December 25, 2017 No. 239 “On approval of the requirements for ensuring the security of significant objects of critical information infrastructure of the Russian Federation”.



The requirements set forth in the Order of the FSTEC of Russia No. 239 are imposed on information systems, automated control systems and information and telecommunication networks of significant KII objects. The criteria for classifying KII objects as significant are described in Government Decision No. 127, which is described above. Fulfillment of the requirements of the considered order assumes that the categorization of KII objects has already been carried out previously, again in accordance with the PP-127 standards. In addition to significant objects, according to the decision of the subject of KII, the norms of the document in question can be applied to insignificant objects, as well as the requirements of Order No. 31. Order No. 239 separately states that KII objects processing PDs are also subject to PDN protection standards, and if the KII object is GISIS, the norms of the FSTEC Order No. 17 on GIS protection are applied and certification of a significant KII object is carried out.



Order No. 239 indicates that the development of ZI measures for a significant KII facility should include an analysis of security threats and the development of a threat model, and the implemented protection measures should not adversely affect the functioning of the facility itself. As in Order No. 31, the threat analysis should include identifying the sources of threats, assessing the capabilities of violators (i.e., creating a model of the violator), analyzing the vulnerabilities of the systems used (including penetration testing - pentest), identifying possible ways to implement threats and their consequences; in this case, the FSTEC Russia NOS should be used.



Order No. 239 specifically stipulates that in the case of the development of new software as part of the security subsystem of a significant KII object, standards for safe software development should be applied. When using SZI, priority is given to the standard protective functionality, and when responding to computer incidents, it is required to send information about them to the State SOPKA system.



The list of organizational and technical measures provided for by the provisions of this order, depending on the category of significance of the object of KII and threats to the security of information, indicates items similar to those in Order No. 31:

• identification and authentication;
• access control;
• software environment restriction;
• protection of computer storage media;
• security audit;
• antivirus protection;
• intrusion prevention (computer attacks);
• ensuring integrity;
• accessibility;
• protection of hardware and systems;
• protection of the information (automated) system and its components;
• safety planning;
• configuration management;
• software update management;
• information security incident response;
• provision of actions in emergency situations;
• informing and training staff.

The algorithm for selecting and applying protection measures described in Order No. 239 is essentially similar to the algorithm of Order No. 31 (as well as Orders No. 17 and No. 21 for the protection of GIS and PD, respectively), except that the stage of refining the adapted basic set of measures is included in the very stage of adaptation of the basic set. So, first a choice is made of a basic set of measures for the corresponding category of significance of the CII object based on the list proposed in the Order. Then, the selected basic set of measures is adapted, which implies the exclusion of irrelevant basic measures depending on the technologies used and the characteristics of the KII object, as well as the inclusion of other measures necessary to neutralize current threats. Finally, the adapted set is supplemented by measures established by other applicable regulatory legal documents, for example, on the protection of information in GIS, ISPDn, cryptographic protection of information, etc. The document also states that if industrial, functional or physical safety measures sufficient to neutralize current threats to information security are already being applied at the KII facility, then additional protection measures may not be applied. In addition, by analogy with Order No. 31, the importance of the continuity of the operation of the CII facility and the absence of negative impact on it by the measures applied are emphasized: the CII subject can apply more appropriate compensatory measures instead of the basic ones, which will block security threats relevant to the CII object. In addition, compensatory measures should be applied when using new IT solutions and identifying new threats that are not taken into account by the developers of the Order.



Requirements are also imposed on the SZI itself: you can use the tools that have been evaluated for compliance with safety requirements in the form of tests, acceptance or mandatory certification. Tests and acceptance are carried out by KII subjects independently or with the help of licensees of the FSTEC of Russia. When using certified SPI, the requirements for them are as follows: at facilities of the 1st category of significance, it is necessary to use SPI at least of the 4th protection class, at facilities of the 2nd category - SPI at least of the 5th class, and at facilities of the 3rd category - SZI not lower than 6th grade; at the same time, on significant objects of all categories, it is required to use SVT of at least grade 5.



It is also interesting that in Order No. 239 the requirements are also given to the levels of trust of the SZI. Confidence levels (hereinafter - UD) are determined in accordance with the Order of the FSTEC of Russia No. 131 dated July 30, 2018, in which six UDs are established (the lowest is the 6th, the highest is the 1st). So, on objects of the 1st category of significance, SZI corresponding to the 4th or higher UD should be applied, on objects of the 2nd category - SZI corresponding to the 5th or higher UD, and on objects of the 3rd category - SZI, corresponding to the 6th or higher UD. Note that the clauses on the confidence levels of the applied SIS were introduced in March 2019 after the release of the initial version of the Order: earlier, the requirements were imposed on the level of control of the absence of undeclared opportunities (at the objects of the 1st and 2nd categories, it was necessary to use the SIS that had been verified by Level 4 NDV), but with the release of the above Order No. 131, which entered into force in June 2019, the requirements of the guidance document on NDV have actually ceased to apply.



In addition, Order No. 239 emphasizes that at the facilities of the 1st category of importance, devices certified for compliance with information security requirements should be used as border routers, and if it is not possible to use them, the security functions of ordinary border routers should be evaluated at the acceptance or tests of significant objects of KII.



In addition to the previously mentioned, the Order indicates the importance of using SZI, which are provided with warranty and / or technical support, as well as possible restrictions on the use of software / hardware or SZI (apparently, sanctions risks are meant). It is also indicated that at a significant KII facility, it is required to prohibit remote and local uncontrolled access to update or manage persons who are not employees of the KII subject, as well as to prohibit the uncontrolled transfer of information from the KII facility to the manufacturer or other persons. In addition, all the software and hardware of the KII object of the 1st category of significance should be located on the territory of the Russian Federation (with the exception of cases stipulated by law).



As we can see, Order No. 239, in spite of a structure similar to that of other orders of the FSTEC of Russia, has a number of innovations: these are requirements for the compliance of the SIS with confidence levels, and mention of sanctions risks, and increased attention to ensuring the security of network interaction. It should be noted that this order is key in fulfilling the requirements for the protection of KII objects, so KII subjects should study its provisions with special attention.

A responsibility

Responsibility for unlawful influence on the KII of the Russian Federation is provided for in Article 274.1 of the Criminal Code. This article was introduced by the Federal Law No. 194 of July 26, 2017 and is valid from 01.01.2018. In accordance with this article, the following are punishable:

• creation, distribution and use of programs for unlawful influence on KII;
• unlawful access to information in KII with the subsequent harm to KII;
• violation of the rules for the operation of means of storage, processing, transmission of information in KII or the rules of access to information in KII with the subsequent harm to KII;
• the above actions committed by a group of persons in a preliminary conspiracy, or as part of an organized group, or using official position;
• the above actions, if they entailed grave consequences (i.e. damage caused in the amount of more than 1 million rubles); at the same time, liability arises in the form of imprisonment for a term of up to ten years, which automatically transfers this act to the category of serious crimes with a statute of limitations up to 10 years.

It should be borne in mind that the effect of this article applies to both significant and insignificant objects of KII. Also, this norm does not take into account what was the category of significance of the attacked object of KII, nor does it take into account whether it was categorized at all. The size of the damage caused is an estimated sign and is determined by the court. The investigation department of the Federal Security Service of the Russian Federation will investigate these crimes, and the measure of restraint for the period of the investigation is placement under arrest in a pre-trial detention center. It is also worth noting that the “progenitor” of this article - article 274 - currently has a rather limited application due to the vagueness of the wording and the reference nature, so that the number of criminal cases on it is calculated in units (and before 2013 there were none at all).The publicly known law enforcement practice under the new Article 274.1 is currently quite limited: for example, in May this year a decision was made in the case of a DDoS attack on the website of Roskomnadzor, in September three citizens were convicted of an attack on a KII facility using an encryption virus, and in October, a verdict was passed for "draining" the personal data of subscribers of a telecom operator.



In addition to the above criminal liability, KII subjects and officials are also awaiting possible administrative penalties: currently, amendments to the Code of Administrative Offenses of the Russian Federation are considered, which imply the introduction of two new articles and significant monetary fines for their violation:

• 13.12.1 « » , , , , .
• 19.7.15 « , » , .

In addition to the normative acts discussed above (187-, -127, Orders of the FSTEC of Russia No. 31 and No. 239), currently the issues of protecting KII are legislatively regulated by the following documents:

1. Decree of the President of the Russian Federation of January 15, 2013 No. 31c “On the creation of a state system for the detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation”, which served as the starting point for the creation of the State Social Protection and Control Commission and the National Center for the Protection of the Government of the Russian Federation.
2. Decree of the President of the Russian Federation dated December 22, 2017 No. 620 “On improving the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation”, which determined the range of tasks to be solved by the State Social Security Administration and granted the Federal Security Service of the Russian Federation new powers in protecting KII.
3. , ( 12.12.2014 № 1274), , , .
4. , 03.02.2012 . № 79 .
5. 17.02.2018 № 162 « » 187- , , . , - . , .
6. 06.12.2017 . № 227 « ».
7. 21.12.2017 . № 235 « » , , - , - .
8. 22.12.2017 . № 236 « ».
9. 11.12.2017 . № 229 « , ».
10. 24.07.2018 . № 366 « » , .
11. 24.07.2018 . № 367 « , , , » , . , (, , , , ) 24 .
12. 24.07.2018 . № 368 « , , , , , ». ( , №367), (, CERT') , . , (. Indicators Of Compromise, IOCs), (Tactics, Techniques and Procedures, TTPs).
13. 06.05.2019 № 196 « , , » ( , , ) , , .
14. 19.06.2019 № 281 « , , , , , , » «» , .
15. 19.06.2019 № 282 « , , , » ( ) . , , . : 3 , — 24 . , 48 . : , .10 () .

In addition to the above, the FSB of the Russian Federation also issued a number of other documents on the protection of KII, which, however, are currently not available for free review:

• Methodological recommendations of the Federal Security Service of the Russian Federation on the creation of departmental and corporate centers of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.
• Methodological recommendations of the FSB of the Russian Federation on the detection of computer attacks on the information resources of the Russian Federation.
• Methodological recommendations of the FSB of the Russian Federation to establish the causes and eliminate the consequences of computer incidents related to the functioning of the information resources of the Russian Federation.
• Methodological recommendations of the NCCCC FSB of the Russian Federation on measures to assess the degree of protection against computer attacks.
• Requirements for divisions and officials of the State SOPKA subjects.
• The rules of interaction between the units of the FSB of the Russian Federation and GosSOPKA subjects in the implementation of information exchange in the field of detection, prevention and elimination of computer attacks.