Stanislav Darchinov
Chief Technical Officer

According to the data of the State System for Detection, Prevention and Mitigation of Cyber Attacks Consequences (SSDPMCA), a total of 4.3 billion cyber-attacks against the critical information infrastructure of Russia had been detected in 2018 so far. Experts are sure that the active digitisation of the country is going to spur growth in cyber-crime. Stanislav Darchinov, Chief Technical Officer of the Kazan Branch of STEP LOGIC, told us about the goals that hackers seek to achieve and how Federal Law No. 187 "On Security of the Critical Information Infrastructure of Russia" will help organisations that are subjects of the critical information infrastructure to protect their IT landscape.


- Just the other day, Russian IT experts discovered a new type of cyber-attack aimed at Eastern European banks; this time the critical IT infrastructure of the financial institutions was penetrated through infected gadgets. Could you please tell us about the weakest points in the information security of organisations?

- Today, the easiest and most obvious type of attack is through social engineering. People are easily misled, so it's relatively easy to take advantage of the natural human gullibility, fears or curiosity to get your mark to violate procedure and security requirements. For example, an employee may get an email that looks like it came from a colleague or partner, and download an infected file attached.

There are two other important vectors of information attacks. The external vector covers attacks that target the points where an organisation's information system connects to the internet; the perpetrators will try to exploit public networks to gain unauthorised access. The internal vector covers attacks that involve the human factor and weaknesses in the information security processes of an organisation. Here we are talking about the personal devices used by employees and visitors to the company. When an infected gadget connects to a corporate network that has vulnerabilities in its security systems, the corporate systems can be seriously harmed. One popular scenario is where perpetrators somehow get logins and passwords allowing them to access financial systems and then proceed to steal money from the client accounts of a bank.

- Are all hacker attacks aimed at extortion or theft of financial assets?

- In most cases, victims of hacker attacks really do end up losing money or sustaining damage to their reputation; however, more and more often now we are seeing new kinds of attacks that have different goals.

Cyber intrusions today are increasingly being used for corporate espionage, undermining the competition, disrupting the operation of companies and state systems.

Another type of cyber-attacks that are on the increase are those that aim to disrupt the operation of companies and organisations that are critical to the ability of the state to perform its functions. In this case, the consequences can be devastating. For example, disruption to the production process at a major manufacturing facility that uses hazardous materials or processes may result in fatalities and global economic and environmental catastrophes.

Unfortunately, a lot of companies still are not paying enough attention to ensuring the security of their IT infrastructure. For this reason, the information security is now regulated by the state so as to make sure that companies minimise risks in those areas where they would not normally even look for them.


- Federal Law 187-FZ "On Security of the Critical Information Infrastructure of Russia" came into effect in 2018. What obligations does it impose?

- The new law has introduced requirements for the security of the information infrastructure that is critical to the functioning of our state. The critical information infrastructure comprises information systems, information transmission and communication networks as well as automated control systems of the critical information infrastructure. The critical information infrastructure is operated by owning companies in 13 sectors: communications, energy, banking, fuel and energy, defence etc. In other words, those are companies that have high economic and social significance. Any disruption to their operation may result in massive losses or disrupt the functioning of the state systems of any Russian region.

- What are the requirements of 187-FZ that companies must meet to protect the critical information infrastructure?

- Step one is to determine the significance of the critical information infrastructure elements. Step two is to define the specific requirements for ensuring the security of the critical information infrastructure elements. Step three is to design and deploy an information security system. And step four is to ensure cooperation with the State System for Detection, Prevention and Mitigation of Cyber Attacks Consequences. This system gets information from all the information security systems of critical elements, and its job is to combat cyber criminals and prevent intrusions.

- Will companies operating the critical information infrastructure need help with implementing 187-FZ compliance measures?

- Companies operating the critical information infrastructure can meet all the requirements of Law 187-FZ on their own; the law does not impose any requirements regarding the use of external systems or hiring of contractors. We believe that companies operating elements of the critical information infrastructure must categorise their systems on their own. STEP LOGIC has developed a detailed methodology for how to categorise elements of the critical information infrastructure to help with that. Companies can use it to figure out whether they are subject to the requirements of the new law and do the categorising of their facilities on their own. The methodology contains questionnaires, a detailed action plan, practical examples, and required document templates. It is freely distributed and available for download at our website. However, some companies may have additional questions or run into additional difficulties. In this case, STEP LOGIC is always ready to lend a helping hand in the form of consultations and audits, and, if needed, we can also do the categorisation for our clients.

And as for determining the requirements for the security of critical information infrastructure elements, the design, construction and subsequent maintenance of the information security system, and how to connect it to the state system of security against cyber-attacks, it's best to hire professionals, as they will have the relevant experience and competencies, and thus the overall cost of deploying an information security system will be lower this way.

In addition, seeing the importance of Federal Law 187-FZ, Kazan Branch of STEP LOGIC and Tattelecom PJSC agreed to cooperate in disseminating the methodology and providing such accompanying services as consultancy, help with determining the category of and providing security for critical information infrastructure elements based on our own Security Operation Centre, the situational information security monitoring centre.

The introduction of the SOC greatly simplifies meeting the requirements of the law with regard to the arrangement of cooperation with the State System for the Detection, Prevention and Mitigation of Cyber Attacks Consequences.


- What is the SOC?

- The SOC is a service that gathers and correlates all information from the security systems installed at a specific facility. Firewalls, systems for detecting and preventing intrusions and other security systems filter events and report any suspicious activities to the common monitoring centre of the Security Operation Centre. The SOC provides an operator who tracks, analyses and responds to all the messages. For example, suppose the operator sees that an attempt has been made to connect to the database by a finance officer who usually does not work during these hours. Naturally, the operator understands that this may be an information security incident that requires some response.

Companies can build a SOC on their own or they can use off-the-shelf solutions.
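The off-hours database login the answer above describes is a classic SOC correlation rule. The following is an added example, not code from the interview or from STEP LOGIC's products: a small correlator that learns each user's usual login hours from a constructed history of audit events, then flags successful logins outside that window and repeated failed logins from one source. The log format, user names, hosts and addresses are all constructed for illustration, and the rule is kept generic so it also handles a night-shift user whose hours wrap past midnight.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample history: a normal week used to learn each user's usual
# working hours. The key=value layout is a simplified audit line, not a
# real product's format.
HISTORY_LINES = [
    "2018-11-05T09:12:03 db-prod auth user=finance01 src=10.1.4.22 result=success",
    "2018-11-05T17:40:11 db-prod auth user=finance01 src=10.1.4.22 result=success",
    "2018-11-06T08:58:40 db-prod auth user=finance01 src=10.1.4.22 result=success",
    "2018-11-06T18:05:02 db-prod auth user=finance01 src=10.1.4.22 result=success",
    "2018-11-05T22:15:00 db-prod auth user=dba-night src=10.1.9.5 result=success",
    "2018-11-06T01:30:12 db-prod auth user=dba-night src=10.1.9.5 result=success",
    "2018-11-06T03:30:12 db-prod auth user=dba-night src=10.1.9.5 result=success",
]

# Constructed sample events to evaluate: one normal finance login, one at
# 02:47, a normal night-shift login, three failures from an unknown source,
# and a malformed line that must be skipped rather than crash the run.
NEW_LINES = [
    "2018-11-12T10:02:55 db-prod auth user=finance01 src=10.1.4.22 result=success",
    "2018-11-13T02:47:19 db-prod auth user=finance01 src=10.1.4.22 result=success",
    "2018-11-13T01:10:00 db-prod auth user=dba-night src=10.1.9.5 result=success",
    "2018-11-13T02:45:01 db-prod auth user=finance01 src=198.51.100.7 result=failure",
    "2018-11-13T02:45:30 db-prod auth user=finance01 src=198.51.100.7 result=failure",
    "2018-11-13T02:46:02 db-prod auth user=finance01 src=198.51.100.7 result=failure",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one audit line; malformed input yields None instead of an exception."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"], m["result"])


def parse_lines(lines: List[str]) -> List[AuthEvent]:
    return [e for e in map(parse_line, lines) if e is not None]


def learn_baseline(history: List[AuthEvent], slack: int = 1) -> Dict[str, Set[int]]:
    """Per user, the set of hours (0-23) with a successful login in the history,
    widened by `slack` hours on each side. Arithmetic is modulo 24 so a shift
    that crosses midnight becomes one contiguous window."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    for e in history:
        if e.result == "success":
            for d in range(-slack, slack + 1):
                hours[e.user].add((e.ts.hour + d) % 24)
    return dict(hours)


def detect(events: List[AuthEvent], baseline: Dict[str, Set[int]],
           failure_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) alerts for off-hours successes and for
    repeated failures from one (user, source) pair."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Counter = Counter()
    for e in events:
        usual = baseline.get(e.user)
        # Users with no history are skipped here; a real SOC would route them to a separate rule.
        if e.result == "success" and usual is not None and e.ts.hour not in usual:
            alerts.append(("off_hours_login", e.user, e.ts.isoformat()))
        if e.result == "failure":
            failures[(e.user, e.src)] += 1
            if failures[(e.user, e.src)] == failure_threshold:  # alert once, at the threshold
                alerts.append(("repeated_failures", e.user, e.src))
    return alerts


def run_detection(history_lines: List[str], new_lines: List[str]) -> List[Tuple[str, str, str]]:
    return detect(parse_lines(new_lines), learn_baseline(parse_lines(history_lines)))


if __name__ == "__main__":
    for rule, user, detail in run_detection(HISTORY_LINES, NEW_LINES):
        print(f"ALERT {rule}: user={user} {detail}")
```

Against the constructed data this raises two alerts: the 02:47 login by finance01 and the three failures from 198.51.100.7; the night-shift login at 01:10 is inside dba-night's learned window and stays quiet. The hour-set-with-slack baseline is deliberately simple; a production SOC would learn per weekday, weight by volume and age out old observations, but the shape of the rule is the same.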

- What should companies opt for: a SOC developed in-house or an off-the-shelf solution?

- For major companies with complex information security systems, getting a SOC solution from an outside vendor is the best option. Getting a SOC from an external vendor means they won't have to hire specialised staff, something that would otherwise cost them a lot of money and would be really difficult given the shortage of information security specialists in the labour market. In addition, according to our estimates, using an off-the-shelf SOC solution can reduce the expenses of your company by a factor of three with regard to CAPEX and by 30 percent per year in terms of cost of ownership.

STEP LOGIC's own solution, the STEP SOC, offers the standard situational information security monitoring system as well as the Network Operation Centre service, a monitoring centre for the infrastructure of networks, servers, services, applications as well as Business Intelligence tools. As a result, STEP SOC allows companies to boost their business efficiency by creating predictive models and through improved risk management.

For smaller companies that use fairly simple information security systems, the best option might be to hire their own staff and develop procedures for them.

- What trends do you see becoming relevant in information security in 2019?

- Having become an integral part of our life, information technologies have also opened up new avenues for attacks through the information infrastructures that we rely on. It's not just individuals and specific companies that have come under attack but the welfare of entire states. So, protecting the IT infrastructure is now a top priority for business and the public sector alike. And this trend is only going to gather momentum in the future, while Federal Law 187-FZ is going to serve as an additional driver in the information security market.

As for our company, we are always ready to offer our clients full support and cutting-edge solutions to ensure the security of their IT landscape. Our services include studies and audits, consultancy, threat modelling, design of information security subsystems, deployment of information security solutions, compliance assessment and certification. We count among our clients companies and organisations in the telecommunications sector, in industry and finance, fuel and energy, the public sector, retail and others. STEP LOGIC products are designed to maximise business efficiency and meet the ever-increasing demands of the market.

Source: Business Online