STEP LOGIC: recommendations on implementation of requirements No. 187-FZ
The Federal Law "On the Security of the Critical Information Infrastructure of the Russian Federation" No. 187-FZ dated July 26, 2017 entered into force on January 1, 2018 and introduced the concepts of objects and subjects of the critical information infrastructure (CII), as well as the responsibilities of organizations ensuring the security of CII facilities.
The CII subjects, to which the requirements of the law apply, are state and commercial institutions operating in areas that form the basis of the functioning of the state: healthcare, science, transport, communications, energy, banking and other areas of the financial market, fuel and energy sector, in the field of atomic energy, defence, rocket and space, mining, metallurgical and chemical industries. CII objects imply information systems (IS), information and telecommunication networks (ITN), automated control systems (ACS) of CII subjects.
In accordance with the requirements of the law, enterprises and organisations should categorise their CII objects and notify the Federal Service for Technical and Export Control of the Russian Federation about the results. The recommended deadline is January 2019. However, many organisations have either not yet begun categorising their objects or are at the very beginning of their journey. At the same time, some companies and enterprises do not understand both how to categorise and whether they fallwithin the scope of this Federal Law.
In the article, we offer the best option for implementing the requirements for the protection of CII facilities, clarify what you should pay attention to when carrying out these works, and also talk about factors affecting the cost of such projects.
Denis Pashchenko, Leading Analyst of Consulting and Information Security Audit Department, STEP LOGIC
Where to start?
The very first question to be answered: whether your organisation is a CII subject. For this purpose, the regulator (Federal Service for Technical and Export Control of the Russian Federation) recommends the search for the thirteen types of activities specified in the charters, the Russian National Classifier of Types of Economic Activity, and licenses of the organization. If your company meets this criterion, you must proceed to the categorisation of objects.
Why categorisation should not be treated as another formality
Without categorizing CII objects, it is impossible to determine the necessary technical and organisational protection measures. The results of the categorisation further determine volumes of work in the field of information security.
In the case of investigations into IS incidents, it is possible that the agencies involved will find violations in the protection of the CIA facilities due to the lack of categorisation or its undervaluation. This may entail criminal liability in accordance with the Criminal Code (article 274.1).
In addition, the introduction in the beginning of 2019 of administrative responsibility for the incorrect categorization of CII objects and violation of the established deadlines has already been announced. The deadline for the categorisation will be strictly regulated, and if the process will not start right now, there is a chance to catch delay.
Categorisation: use outsourcing or to carrying out independently?
Many organisations prefer to give this part of the work to contractors. There are many examples where a customer asks not only to categorise but in general "bring all the CII objects in line with 187-FZ". We recommend to carry out categorisation independently, and involve third-party executors only for consultation on private issues.
Firstly, in accordance with the legislation, the responsibility for making decisions falls solely on the head of the organisation and the commission, including the heads of departments and other responsible employees, and not on the contracting organisation.
Secondly, the basis of the categorisation is an assessment of the consequences of the disruption of the functioning of critical processes and the corresponding CII objects. A priori, integrators and consultants cannot know all the details and nuances of your activity, all possible consequences and their interconnections. In our experience, even within a group of companies, the same processes are sometimes implemented differently, and such nuances can have a significant impact on the results of the categorisation. Therefore, third-party specialists, having studied, for example, ten plants, will not be able to quickly and ideally describe the eleventh without a survey—all information will eventually be requested again from responsible employees. Thus, an array of data for categorisation is provided by the organisation itself, and the essence of the services of contractors in 90% of cases consists in the availability of elaborated templates and reporting forms, as well as their experience in working with a specific area.
Thirdly, the contractor needs to fully study all the organisation’s business processes, its infrastructure, performance indicators (contracts, financial statements, other statistics) to carry out a qualitative categorisation. It is obvious that in this case the project will take more than one month, and the cost of work can be estimated at millions of roubles if we are talking about large enterprises or groups of companies. Is this justified in view of the above?
The categorisation using own resources is another reason to thoroughly understand the organisation’s business processes, assess all risks and answer the main question: what are the consequences of insufficient compliance with organisational and technical data protection measures. The organisation itself has to understand it, including in the further implementation of protective measures and justification of relevant projects.
If you decide to carry out categorisation using your own resources, you can get answers to individual questions from the following sources:
- Via helpline of the FSTEC of Russia: 8 (499) 246-11-89, at the methodological gatherings of the regulator and conferences, where experts FSTEC deliver speeches;
- In the detailed methodology of categorising CII objects developed by STEP LOGIC with templates of necessary documents and answers to frequently asked questions. The method is distributed free of charge, is available for download on the company's website and is constantly updated to reflect the interaction with the regulator and the experience gained;
- On specialised resources (for example, CII 187-FZ chat in Telegram);
- It is also possible to engage consultants to address specific issues. However, in this case it is a private opinion based on subjective knowledge and experience, and it will not always be true. It is better to compare information from several sources.
The categorisation is done. What's next?
Further steps will differ depending on whether the organisation has significant CII objects based on the categorisation results.
If there are none significant objects, then additional requirements for the protection of CII objects, as defined by the FSTEC of Russia, are not required. However, this does not mean that it is not necessary to protect anything—it is likely that after assessing the possible damage from incidents, the organisation itself will review the importance of the security of its resources and will be interested in implementing additional protection measures. In accordance with the requirements of 187-FZ, it will be necessary to ensure interaction with the State System for Detection, Prevention and Mitigation of Computer Attacks to provide information about IS incidents. Details on the information transmitted and the organisation of interaction can be found in the relevant orders of the Russian Federal Security Service and the methodological documents of National Computer Incident Coordination Centre (the authority responsible for operating the State System for Detection, Prevention and Mitigation of Computer Attacks).
If an organisation has significant CII objects, it will need to implement a security system to protect these objects in accordance with the regulations of the FSTEC of Russia.
Organisation of projects for the protection of CII objects. Recommendations
Given the high load of divisions and departments on information security and the lack of specialists in the organisations, these works are usually implemented in the form of projects involving contractors. Next, we will try to provide recommendations "from the other side of the barricades", since organisations often play themselves into a corner, and because of trivial inaccuracies in the formulation of the problem, they do not get the results they expected.
1. Divide the project into parts
It is not necessary to combine all the "turnkey" works in a single project (contract). There are several stages, the result of which determines the volume of all subsequent work. Therefore, until their completion, the contractor will not be able to correctly estimate the project’s timeline and budget. Accordingly, there will be either a dumping and not a very high-quality result, in the case of the amount of work above the expected one, or, conversely, an attempt to replenish itself to close its risks. Therefore, we recommend to break the project into stages and implement them consistently, starting the next stage only after the previous one is completed:
- Categorisation of objects. At this stage, the area of further work is actually determined—the list of CII objects and their boundaries;
- Development of IS requirements. This is the key stage at which the threat assessment is carried out and the requirements for the necessary measures and remedies are formulated or the possibility of using existing protective measures is justified;
- All subsequent work related to the implementation of measures identified in the second stage.
2. Use the results of the previous work
Often, CII objects are personal data information systems (PDIS) and/or state information systems (SIS). In such cases, it is necessary to fulfil the requirements of regulatory documents from several areas. It is necessary to include an audit of previously completed projects in the work and answer the following questions:
- Do the "old" and "new" threat models that are implemented for the same system match each other - for example, for SIS (PDIS), which has now also become a CII object?
- How consistent are the previously implemented information security requirements with new ones, which of the existing security tools are planned to be used to protect the CII object?
- How relevant are the existing regulatory and methodological documents of the organization on IS issues to new requirements?
3. Do not reinvent the wheel
The orders of FSTEC No. 235 and No. 239 explicitly identify all the works, their content and documentation, which must be developed during the implementation of projects for the protection of the CII object. When forming a job assignment, we recommend to strictly adhere to these formulations to clearly accomplish the task and not increase the deadlines and budget of the project. Even minor adjustments can sometimes result in noticeable changes to the project.
4. Use protective equipment that has passed the conformity assessment
The use of certified protective equipment is not mandatory in all cases. Use the following wording from the regulatory documents in the requirements in order not to play yourself and the contractor into a corner: "the use of protective equipment that has passed the conformity assessment". A competent contractor will determine the need for certified protection means and the possibility of using alternatives.
Factors affecting the cost of work on the implementation of 187-FZ requirements
Finally, we will touch upon an important issue—the cost of projects, or rather, the factors that may affect it.
Scope of work. Most of the work is directly related to the number of organisation's CII objects since all the facilities need to be studied separately, to understand their interconnections, integration into the general infrastructure. In addition, many mandatory documents are developed for each object. Protection measures in some cases can be implemented separately for objects.
Possible optimisation. We recommend enlarging CII objects during categorisation. If 10 systems implement one technological process and are located in a single network segment, they can be generalised (in some cases, this should be done even with the spread of the increased category of importance to all systems).
Heterogeneity of the objects. If an organisation has 20 “office” integrated circuits located in a standard LAN, then the scope of work will be less than, for example, for 10 “office” integrated circuits and 10 automatic process control systems. These types of systems differ in architecture, will have different IS risks and approaches to their protection.
Centralisation. It makes sense for groups of companies to work within a centralised project. In this case, a standardised approach using model documents and project solutions will be provided. The total volume of objects to be protected will remain the same, but the coefficient of typification of systems will increase, which will reduce the total cost of work.
The maturity of existing IS processes. If an organization has already implemented projects to protect PDIS, SIS, automated process control systems, there is an information management system with streamlined processes, such as risk management, monitoring and identification of information security incidents, configuration management, etc., then it is very likely that the project will be reduced to proper justification of the adequacy of existing measures and the provision of references to relevant documentation.
Belonging to government bodies. For CII objects that are SIS, the requirements for the use of certified protective measures and certification of objects become relevant. If these requirements have not yet been met, this will significantly affect the increase in the budget and the timing of work. For legal entities, we recommend not to include these requirements in work orders, as they are not mandatory.