Deadline is set for critical infrastructure
Recently, a court heard the case of a mobile operator whose employee sent the client database to his personal email. The employee's actions were classified as a violation of the rules for handling protected information, because in addition to the database of the operator's subscribers, the file also contained information about the location of the communications nodes used by government agencies and special services.
The defendant was given a suspended sentence. But he could have ended up in a lot more trouble: there was every chance he could have been sentenced to three years in prison. If the company had the requisite regulations and all of its staff had been made aware of the consequence of negligence when handling critical information, this unfortunate incident may never have happened.
Thinking in categories
Under the domestic security policy, the process of ensuring the security of critical information infrastructure facilities is supposed to be strictly monitored. First, the organisations operating critical information infrastructure elements must categorise them; then, measures must be put in place to protect critical facilities. At the moment, the deadlines for the categorisation of critical infrastructure elements have only been set for state-owned companies: under the law 'On the Security of the Critical Information Infrastructure of the Russian Federation', state organisations must notify the Federal Service for Technical and Export Control of Russia about the results of the categorisation of their facilities by 1 September. For private companies, all deadlines are just recommendations. Some private companies believe that if they don't categorise their critical infrastructure facilities and don't notify the regulators about them, it means they are under no obligation to abide by any of the other requirements.
According to the statistics of the Federal Service for Technical and Export Control of Russia, in 2019, 3,500 critical information infrastructure operators completed the categorisation of the critical information infrastructure elements they operated and had them registered. Based on critical information infrastructure categorisation orders that STEP LOGIC has been receiving from clients, so far this process has been taking place at the fastest pace in the energy sector (22% of all categorisation orders), the oil, gas, and mining sector (19%), machine engineering (16%), the financial market (13%), and in transport and telecommunications (9% each).
Meanwhile, some 40% of critical information infrastructure operators haven't completed the process yet. What this means is that other companies are ignoring the requirements of 187-FZ for the time being.
Federal Law No. 187-FZ went into effect over two years ago and defines the measures that organisations must put in place to protect critical information infrastructure against cyber attacks.
Critical information infrastructure elements are operated by both state-owned organisations and private businesses. The law specifically identifies 13 sectors of the economy that account for more than 50% of the GDP. These include companies of the defence and mining industries, aerospace and missile manufacturers, metal producers, petrochemical companies, oil and energy companies, and nuclear power plant operators. The list also includes financial organisations, healthcare providers, research and development shops, transport, communications, and energy companies.
Companies that are subject to 187-FZ must categorise the information, telecommunications, and automated control systems they operate by assigning different categories of importance to them. After that, they have to develop and implement protective measures for them.
Information about any and all incidents at all critical information infrastructure facilities, both significant and insignificant ones, must be passed by their owners/operators to the state system for the detection, prevention, and liquidation of the consequences of cyber attacks, after connecting to it independently or with the help of corporate centres or government agencies.
Justice department begins audits
What's interesting is that some companies that don't operate in any of the industries directly mentioned in 187-FZ are still subject to this law. One example would be a company that runs a data processing centre housing the information systems of critical information infrastructure operators or any company that sells bus tickets even if it is not, strictly speaking, a transportation company. They, too, can own and operate critical information infrastructure facilities, often without even realising it.
In order to determine whether a company needs to bring its infrastructure into alignment with the law on the security of critical information infrastructure, it must answer two important questions.
The first one is whether the company really qualifies as a critical information infrastructure operator. The way to answer this question is by looking at the articles of association, the business activities the company declared to be carrying out in accordance with the national classifier of business activities, any licenses that the company holds in order to determine whether any of the business activities mentioned in any of these documents are amongst those mentioned in 187-FZ.
The second question is whether the company operates any significant critical information infrastructure facilities. Categorisation is how critical infrastructure facilities are classified by the level of their significance or importance. The goal of categorisation is to assess the consequences of complete or partial disruption of the operation of the critical information infrastructure elements and any critical processes related to them.
There is a plethora of methodological elements that can be found online and that you can use to categorise your information infrastructure elements on your own.
In any event, every organisation gets to decide on its own whether it's going to abide by the requirements of regulators or whether it's going to ignore them. At the moment, the punitive measures for failure to categorise critical information infrastructure facilities or categorising critical information infrastructure elements as not critical are rather ephemeral, but it should be borne in mind that amendments to the administrative violations code that define liability for violations related to the categorisation of critical information infrastructure or failure to abide by the requirements to ensure security of critical information infrastructure are already completing the final stages of approval. Furthermore, at the most recent thematic conference held on 17 September, representatives of the Federal Service for Technical and Export Control of Russia warned market players that critical information infrastructure audits were being launched in conjunction with the justice department and that said audits would be conducted regardless of whether or not specific elements of the critical information infrastructure have been categorised.
Critical import substitution
This February, the Ministry of Industry and Trade and the Federal Service for Technical and Export Control of Russia presented a draft document requiring that equipment used for the protection of critical information infrastructure must be developed and manufactured using Russian hardware and Russian sourced microelectronics. It is expected that these requirements will go into effect in 2024 and 2028 respectively.
The Ministry of the Digital Economy took this issue one step further: in late May, the Ministry published proposals under which critical information infrastructure operators are to be obligated to switch to Russian software from 1 January 2021 and to Russian hardware from 2022.
On the one hand, it's good news for domestic vendors, as the import substitution programme is now being extended to entire sectors of the economy. On the other, if critical information infrastructure has to be switched over to Russian hardware in its entirety and within a limited period of time, then critical information infrastructure operators are going to be looking at some serious expenses even if the state offers programmes of support. Analysts estimate that switching to domestic software and hardware will set financial organisations back some RUB 700 billion, while state companies may have to shell out as much as RUB 150 billion.
One way or another, import substitution for critical information infrastructure operators is practically a done deal: all the requisite amendments to relevant regulations have already been developed, regulators are now approving further plans for the migration to domestically sourced solutions. The sectors of the economy enumerated in 187-FZ need to start getting ready for the new requirements.
By the way, 15 September saw the approval of amendments to Order No. 239 of the Federal Service for Technical and Export Control of Russia that governs the requirements for the use of secure methods for the development and testing of application software and critical information infrastructure security systems for vulnerabilities, with the new requirements scheduled to go into effect from 2023.
According to the document, security systems for critical information infrastructure must be developed in accordance with special methodologies, access to which must be restricted and which the Federal Service for Technical and Export Control of Russia will disclose at request. It would appear at first glance that these measures have nothing to do with import substitution, but foreign developers won't be able to access these top-secret methodologies, and that means they won't be able to meet the aforementioned requirements. In effect, it's a barrier measure.
By: Nikolai Zabusov, Head of Information and Network Security at STEP LOGIC