CII security: how to determine what to do and what not to do. What does the law on the security of critical information infrastructure promise? Which organizations are covered by this law?

Against the backdrop of the latest global computer attacks, Federal Law No. 187-FZ of July 26, 2017 “On the Security of Critical Information Infrastructure of the Russian Federation” was adopted. It is aimed at creating a state system for detecting, preventing and eliminating the consequences of attacks on the country’s information resources, and it comes into force on January 1, 2018.

The explanatory note to bill No. 47571-7 “On the security of critical information infrastructure of the Russian Federation” emphasized that “the transition to the information society currently under way in the Russian Federation leads to the fact that the vast majority of decision-making systems and business processes in key sectors of the economy and in the sphere of public administration are implemented, or are planned for implementation, using information technology. Various information systems already store and process significant amounts of information, including information relating to public policy and defense, the financial and scientific-technical spheres, and the private life of citizens. At the same time, information technologies are being introduced everywhere in the construction of automated systems for production and for the control of technological processes, used in the fuel and energy, financial, transport and other sectors of the critical infrastructure of the Russian Federation.”

According to the developers of the bill, “damage to critical information infrastructure can lead to catastrophic consequences, and given that it is a link between other sectors of the national infrastructure, it will inevitably cause damage to these sectors as well. The transition of information and communication technologies to a digital signal system has simplified and partially automated the management of processes, but, at the same time, made them more vulnerable to computer attacks. A malicious program aimed at making changes to the binary code of a program (a program algorithm written in the binary number system) can damage any equipment that operates using binary code. At the same time, attacks carried out for criminal, terrorist and intelligence purposes by individuals, communities, foreign intelligence services and organizations can pose an equal danger.

In the worst-case scenario, a computer attack can completely paralyze the critical information infrastructure of the state and cause a social, financial and/or environmental disaster.”

The explanatory note also noted that “the stability of the socio-economic development of the Russian Federation and its security, in fact, are directly dependent on the reliability and security of the functioning of information and telecommunication networks and information systems.”

To ensure coordination of the activities of subjects of critical information infrastructure on the issues of detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents, a national coordination center for computer incidents will be created (Article 5, Part 2).

The state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation will collect, accumulate, systematize and analyze information that:

  • enters the system through the tools designed to detect, prevent and eliminate the consequences of computer attacks;
  • is submitted by subjects of critical information infrastructure and by the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, in accordance with the established list of information;
  • may be provided by other bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones.

The exchange of information on computer incidents will be organized between subjects of critical information infrastructure, as well as between subjects and the authorized bodies of foreign states, international and international non-governmental organizations, and foreign organizations operating in the field of responding to computer incidents.

In order to record significant objects of critical information infrastructure, a register will be created (Article 8). Information from it will be sent to the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

The security assessment of critical information infrastructure will be carried out by the federal executive body authorized to ensure the functioning of the state system, in order to forecast possible threats to the security of critical information infrastructure and to develop measures that increase the stability of its functioning in the event of computer attacks against it (Art. 12).

When performing the security assessment, the following will be analyzed:

  • Data obtained when using tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents, including information about the presence of signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure objects;
  • Information provided by subjects of critical information infrastructure and by the authorized federal executive body, in accordance with the list of information, as well as by other bodies and organizations that are not subjects, including foreign and international ones;
  • Information submitted to the state system based on the results of state control about violations of the requirements for ensuring the security of significant objects of critical information infrastructure, as a result of which preconditions for computer incidents are created;
  • Other information received by the authorized federal executive authority in accordance with the legislation of the Russian Federation.

My comment: It seems to me that, in terms of collecting and summarizing information, the law simply legalized the work that has long been carried out by the bodies responsible for the security of our country.

Federal Law No. 187-FZ “On the security of critical information infrastructure (CII) of the Russian Federation”, which came into force on January 1, 2018, is gradually gaining momentum and is being supplemented with new by-laws, which often do not make life easier for an information security specialist. Let's take stock of the situation with CII (187-FZ): what to expect and what needs to be done.

WHO ARE WE, CII OR NOT CII?

The first step is to find out whether the organization falls under the concept of a “CII subject”, and this can be done by looking at the legislation. If you do not find yourself there, breathe out: you have a little less to worry about.

What criteria indicate that you are a CII subject?

The first criterion is the organization’s OKVED codes (All-Russian Classifier of Types of Economic Activity). One enterprise can have many of them, and they can be added at any time during its activity, so check the current list in the enterprise’s extract from the Unified State Register of Legal Entities or in information and reference services such as “Kontur Focus” or “SPARK”. The OKVED codes will clearly indicate which field of activity your enterprise belongs to and whether it falls under the list of industries specified in Federal Law No. 187-FZ:

  • healthcare;
  • science;
  • transport;
  • communications;
  • energy;
  • banking sector and other areas of the financial market;
  • fuel and energy complex;
  • the field of atomic energy;
  • defense industry;
  • rocket and space industry;
  • mining industry;
  • metallurgical industry;
  • chemical industry;
  • legal entities and/or individual entrepreneurs who ensure the interaction of the systems or networks of these industries.

If your organization is in the healthcare sector (OKVED 86), we recommend that you first read this material:

The second criterion is licenses and other permits for types of activity that relate to the above areas and that will attract attention under Federal Law No. 187-FZ.

The third criterion is the constituent documents of the organization: charters and, for government bodies, regulations, which can specify a type of activity indicating that the organization belongs to one of the critical industries.

An example from our experience of carrying out categorization work. A company's main type of economic activity had OKVED code 46.73.6 “Wholesale trade of other construction materials and products”; at first glance nothing special, it is not in the list of industries under Federal Law No. 187-FZ and you can “sleep peacefully”. But a detailed study of the charter and licenses showed that the company held a license for the transportation of goods by rail and had its own fleet of railway rolling stock. On these grounds the enterprise belongs to the transport industry and must therefore comply with the requirements of Federal Law No. 187-FZ.

Did you meet one of the three criteria? Congratulations, you are a CII subject! But remember that each case is analyzed individually; this is a topic for a separate discussion, dedicated to the categorization of critical information infrastructure objects, which we will consider in the following articles.

The law clearly defines that “subjects of critical information infrastructure include government bodies and government agencies, as well as Russian legal entities and/or individual entrepreneurs who, by right of ownership, lease or other legal basis, own information systems, information and telecommunication networks or automated control systems” operating in the fields listed above (healthcare, science, transport, communications, energy, banking and other areas of the financial market, the fuel and energy complex, nuclear energy, the defense, rocket and space, mining, metallurgical and chemical industries), and also Russian legal entities and/or individual entrepreneurs who ensure the interaction of these systems or networks.

Each CII subject has CII objects:

  • information systems;
  • automated process control systems;
  • information and telecommunication networks.

SUBJECTS OF CII (BY INDUSTRY):

  • Healthcare;
  • Science, transport, communications;
  • Energy;
  • Banking sector and other areas of the financial market;
  • Fuel and energy complex;
  • Nuclear industry;
  • Military-industrial complex;
  • Rocket and space industry;
  • Mining industry;
  • Metallurgical industry;
  • Chemical industry;
  • Legal entities and individual entrepreneurs who ensure the interaction of critical information infrastructure systems.

KII OBJECTS:

  • Information systems;
  • Information and telecommunication networks;
  • Automated process control systems (APCS).

Critical information infrastructure objects ensure the functioning of management, technological, production, financial, economic and other processes of CII subjects.

The process of determining whether you are a subject of critical information infrastructure is not as simple as it might seem at first glance. As noted above, many non-obvious factors can influence the result, for example additional, non-core types of activity registered under OKVED, or valid licenses that may classify you as a CII subject. We recommend a more detailed dive into the question of whether you qualify as a CII subject.

WHAT TO DO IF YOU ARE A CII SUBJECT?

The subject and object of critical information infrastructure have been sorted out. What do you, as a CII subject, need to do next?

First stage. It is necessary to create an internal categorization commission and determine its membership from the specialists most competent in your business processes. Why the emphasis on business processes and the competence of participants? Only the “owner” of a business process knows all the nuances that can lead to its disruption and the subsequent negative consequences. This owner, or a competent designee, must be on the commission so that the correct significance category is assigned.

Second stage. At this stage, initial data is collected, a pre-project survey is carried out and, based on the data obtained, the commission approves the list of critical information infrastructure objects subject to categorization and assigns each a category of significance. According to Decree of the Government of the Russian Federation No. 127 of February 8, 2018 “On approval of the Rules for the categorization of critical information infrastructure objects of the Russian Federation, as well as the list of indicators of criteria for the significance of critical information infrastructure objects of the Russian Federation and their values”, there are three categories of significance, of which the 1st is the highest. The significance of an object is assessed against the following groups of criteria:

  • social;
  • political;
  • economic;
  • environmental;
  • significance for ensuring national defense, state security and law and order.

At this stage there is one caveat: after approval of the list of CII objects subject to categorization, the CII subject is obliged to notify the FSTEC of Russia within 5 days. From this moment, a maximum of 1 year is allotted for the categorization procedure. If a CII object does not fall under any of the indicators of the significance criteria, it does not need to be assigned a category of significance; nevertheless, the enterprise remains a CII subject, just one without significant CII objects.

The result of the second stage is the “Act of Categorization of the CII Object”, signed by the members of the commission and approved by the head of the CII subject. The act must contain complete information about the CII object and is kept by the subject until the next revision of the significance criteria. Within 10 days of signing the act, the CII subject sends information about the results of categorization, in the approved form, to the FSTEC of Russia (at the time of writing, the final version of the form was still being agreed). Within 30 days, FSTEC checks that the procedure was followed and the categorization is correct and, if the conclusion is positive, enters the information into the register of significant CII objects and notifies the CII subject within 10 days.

The third and final stage is perhaps the most time-consuming and expensive: meeting the requirements for ensuring the security of significant CII objects. We will not go into details now, but the key steps in building security for CII objects are:

  • development of terms of reference;
  • development of an information security threat model;
  • development of a technical design;
  • development of working documentation;
  • commissioning.

More detailed information on the timing and stages of fulfilling the requirements of Federal Law No. 187-FZ can be found in our article: "". On the same page you can download a FREE starter set of documents to begin work on categorizing CII objects.

WHAT HAPPENS IF YOU DON'T DO THIS?

We have looked at who a subject of critical information infrastructure is, what a CII object is, and what actions need to be taken to comply with the requirements of FSTEC. Now a little about the liability that arises in case of failure to comply. According to Decree of the President of the Russian Federation No. 569 of November 25, 2017 “On amendments to the Regulations on the Federal Service for Technical and Export Control, approved by Decree of the President of the Russian Federation No. 1085 of August 16, 2004”, the federal executive body authorized in the field of ensuring the security of CII is FSTEC. State control over the security of significant CII objects will be carried out by FSTEC in the form of scheduled and unscheduled inspections, with orders issued for any identified violations. Scheduled inspections are carried out:

  • 3 years after the date the information about the CII object was entered into the register;
  • 3 years after the date of the last scheduled inspection.

Unscheduled inspections will be carried out in the following cases:

  • upon expiration of the deadline for the CII subject to comply with the order to eliminate the identified violation;
  • occurrence of a computer incident leading to negative consequences;
  • on the instructions of the President of the Russian Federation or the Government of the Russian Federation, or at the request of the Prosecutor's Office of the Russian Federation.

If FSTEC reveals a violation, an order will be issued with a specific deadline for eliminating it, which can be extended for good reason. With the Prosecutor's Office of the Russian Federation it will be harder: it will come to you with a ruling on an administrative offense, citing Article 19.5, Part 1 of the Code of Administrative Offenses of the Russian Federation (failure to comply, within the set deadline, with an order of a state supervisory authority).

And a little more about the penalties introduced for non-compliance with the requirements for ensuring the security of critical information infrastructure. According to Federal Law No. 194-FZ of July 26, 2017 “On Amendments to the Criminal Code of the Russian Federation and the Code of Criminal Procedure of the Russian Federation in connection with the adoption of the Federal Law ‘On the Security of Critical Information Infrastructure of the Russian Federation’”, the maximum penalty for violating the rules for the security of CII is imprisonment for up to 10 years. A powerful argument, perhaps!

In further articles we will talk in more detail about each of the stages of fulfilling the FSTEC requirements in the field of ensuring the security of critical information infrastructure. Subscribe to notifications on our website, join us on Facebook and bookmark the blog.

We write about what we do!

Contact the company “IC REGIONAL SYSTEMS”! In the context of the requirements of Federal Law No. 187-FZ on the security of critical information infrastructure, the company’s specialists will carry out the following types of work:

  • audit of existing infrastructure;
  • classification of available information assets;
  • information security risk assessment;
  • development of an information security threat model;
  • carrying out categorization of critical information infrastructure objects;
  • determining the level of compliance with regulatory requirements for information security;
  • development of a plan for the phased implementation of the legislative requirements for ensuring the security of CII objects;
  • creating a budget for information security activities.

They will also build a comprehensive turnkey security system, taking into account the architecture and specifics of your production. Using the best Russian and international practices for building security systems, we will reduce business risks and threats to a minimum.


RUSSIAN FEDERATION

FEDERAL LAW

ON THE SECURITY OF CRITICAL INFORMATION INFRASTRUCTURE OF THE RUSSIAN FEDERATION

Adopted by the State Duma

Approved by the Federation Council

Article 1. Scope of this Federal Law

This Federal Law regulates relations in the field of ensuring the security of the critical information infrastructure of the Russian Federation (hereinafter also referred to as the critical information infrastructure) for the purpose of its sustainable functioning in the event of computer attacks against it.

Article 2. Basic concepts used in this Federal Law

For the purposes of this Federal Law, the following basic concepts are used:

1) automated control system - a set of software and hardware-software tools designed to monitor technological and (or) production equipment (actuators) and the processes they carry out, as well as to control such equipment and processes;

2) security of critical information infrastructure - the state of protection of critical information infrastructure that ensures its sustainable functioning when computer attacks are carried out against it;

3) significant object of critical information infrastructure - an object of critical information infrastructure that has been assigned one of the categories of significance and which is included in the register of significant objects of critical information infrastructure;

4) computer attack - a targeted impact of software and (or) hardware-software tools on objects of critical information infrastructure, or on telecommunication networks used to organize the interaction of such objects, with the aim of disrupting and (or) stopping their functioning and (or) creating a threat to the security of information processed by such objects;

5) computer incident - the fact of a violation and (or) termination of the functioning of a critical information infrastructure object, a telecommunication network used to organize the interaction of such objects, and (or) a violation of the security of information processed by such an object, including that which occurred as a result of a computer attack;

6) critical information infrastructure - objects of critical information infrastructure, as well as telecommunication networks used to organize the interaction of such objects;

7) objects of critical information infrastructure - information systems, information and telecommunication networks, automated control systems of subjects of critical information infrastructure;

8) subjects of critical information infrastructure - government bodies, government agencies, Russian legal entities and (or) individual entrepreneurs who, by right of ownership, lease or other legal basis, own information systems, information and telecommunication networks or automated control systems operating in the fields of healthcare, science, transport, communications, energy, banking and other areas of the financial market, the fuel and energy complex, nuclear energy, the defense, rocket and space, mining, metallurgical and chemical industries, as well as Russian legal entities and (or) individual entrepreneurs who ensure the interaction of these systems or networks.

Article 3. Legal regulation of relations in the field of ensuring the security of critical information infrastructure

1. Relations in the field of ensuring the security of critical information infrastructure are regulated in accordance with the Constitution of the Russian Federation, the generally recognized principles and norms of international law, this Federal Law, other federal laws and other regulatory legal acts adopted in accordance with them.

2. The specifics of the application of this Federal Law to public communication networks are determined by the Federal Law of July 7, 2003 N 126-FZ “On Communications” and the regulatory legal acts of the Russian Federation adopted in accordance with it.

Article 4. Principles for ensuring the security of critical information infrastructure

The principles of ensuring the security of critical information infrastructure are:

1) legality;

2) continuity and comprehensiveness of ensuring the security of critical information infrastructure, achieved, inter alia, through the interaction of authorized federal executive authorities and subjects of critical information infrastructure;

3) priority of preventing computer attacks.

Article 5. State system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation

1. The state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation is a single, geographically distributed complex, including forces and means designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents. For the purposes of this article, information resources of the Russian Federation are understood as information systems, information and telecommunication networks and automated control systems located on the territory of the Russian Federation, in diplomatic missions and (or) consular offices of the Russian Federation.

2. The forces intended to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents include:

1) divisions and officials of the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation;

2) an organization created by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, to ensure coordination of the activities of subjects of critical information infrastructure on the issues of detecting, preventing and eliminating the consequences of computer attacks and response to computer incidents (hereinafter referred to as the national coordination center for computer incidents);

3) divisions and officials of subjects of critical information infrastructure who take part in detecting, preventing and eliminating the consequences of computer attacks and in responding to computer incidents.

3. Tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents are technical, software, hardware-software and other tools for detecting (including searching for signs of computer attacks in telecommunication networks used to organize the interaction of objects of critical information infrastructure), preventing and eliminating the consequences of computer attacks and (or) for exchanging the information needed by subjects of critical information infrastructure when detecting, preventing and (or) eliminating the consequences of computer attacks, as well as cryptographic means of protecting such information.

4. The National Coordination Center for Computer Incidents carries out its activities in accordance with the regulations approved by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

5. The state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation collects, accumulates, systematizes and analyzes information that enters this system through the tools intended for detecting, preventing and eliminating the consequences of computer attacks; information submitted by the subjects of critical information infrastructure and by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in accordance with the list of information and in the manner determined by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation; as well as information that may be provided by other bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones.

6. The federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, organizes in the manner established by it the exchange of information about computer incidents between subjects of critical information infrastructure, as well as between subjects of critical information infrastructure and authorized bodies of foreign states, international, international non-governmental organizations and foreign organizations operating in the field of responding to computer incidents.

7. Provision of information constituting a state or other secret protected by law from the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation is carried out in accordance with the legislation of the Russian Federation.

Article 6. Powers of the President of the Russian Federation and of state authorities of the Russian Federation in the field of ensuring the security of critical information infrastructure

1. The President of the Russian Federation determines:

1) the main directions of state policy in the field of ensuring the security of critical information infrastructure;

2) the federal executive body authorized to ensure the security of the critical information infrastructure of the Russian Federation;

3) the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation;

4) the procedure for creating and tasks of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

2. The Government of the Russian Federation establishes:

1) the indicators of the criteria for the significance of critical information infrastructure objects and their values, as well as the procedure and timing for categorization;

2) the procedure for exercising state control in the field of ensuring the security of significant objects of critical information infrastructure;

3) the procedure for preparing and using the resources of the unified telecommunication network of the Russian Federation to ensure the functioning of significant objects of critical information infrastructure.

3. The federal executive body authorized to ensure the security of the critical information infrastructure of the Russian Federation:

1) makes proposals for improving regulatory legal regulation in the field of ensuring the security of critical information infrastructure to the President of the Russian Federation and (or) to the Government of the Russian Federation;

2) approves the procedure for maintaining the register of significant objects of critical information infrastructure and maintains this register;

3) approves the form for sending information about the results of assigning one of the categories of significance to an object of critical information infrastructure or about the absence of the need to assign it one of such categories;

4) establishes requirements for ensuring the security of significant objects of critical information infrastructure (requirements for ensuring the security of information and telecommunication networks, which are assigned one of the categories of significance and which are included in the register of significant objects of critical information infrastructure, are established in agreement with the federal executive body exercising the functions on the development and implementation of state policy and legal regulation in the field of communications), as well as requirements for the creation of security systems for such objects and ensuring their functioning (in the banking sector and in other areas of the financial market, establishes these requirements in agreement with the Central Bank of the Russian Federation) ;

5) carries out state control in the field of ensuring the security of significant objects of critical information infrastructure, and also approves the form of the inspection report drawn up based on the results of the said control.

4. The federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation:

1) makes proposals for improving regulatory legal regulation in the field of ensuring the security of critical information infrastructure to the President of the Russian Federation and (or) to the Government of the Russian Federation;

2) creates a national coordination center for computer incidents and approves the regulations on it;

3) coordinates the activities of subjects of critical information infrastructure on the issues of detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents;

4) organizes and conducts security assessments of critical information infrastructure;

5) determines the list of information submitted to the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, and the procedure for its submission;

6) approves the procedure for informing the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks carried out against significant objects of critical information infrastructure (in the banking sector and in other areas of the financial market, approves the specified procedure in agreement with the Central Bank of the Russian Federation);

7) approves the procedure for the exchange of information about computer incidents between subjects of critical information infrastructure, between subjects of critical information infrastructure and authorized bodies of foreign states, international and international non-governmental organizations, and foreign organizations operating in the field of responding to computer incidents, as well as the procedure for subjects of critical information infrastructure to receive information about the means and methods of carrying out computer attacks and methods for their prevention and detection;

8) organizes the installation at significant objects of critical information infrastructure and in telecommunication networks used to organize the interaction of objects of critical information infrastructure, tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents;

9) establishes requirements for tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents;

10) approves the procedure, technical conditions for the installation and operation of tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents, with the exception of tools designed to search for signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure objects (in the banking sector and in other areas of the financial market, approves the specified procedure and technical conditions in agreement with the Central Bank of the Russian Federation).

5. The federal executive body that carries out the functions of developing and implementing state policy and legal regulation in the field of communications approves, in agreement with the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, the procedure and technical conditions for the installation and operation of tools designed to search for signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure objects.

1. Categorization of an object of critical information infrastructure is the establishment of compliance of an object of critical information infrastructure with criteria of significance and indicators of their values, assignment to it of one of the categories of significance, verification of information about the results of its assignment.

1) social significance, expressed in the assessment of possible damage caused to the life or health of people, the possibility of termination or disruption of the functioning of life support facilities for the population, transport infrastructure and communication networks, as well as the maximum time of lack of access to a public service for recipients of such services;

2) political significance, expressed in the assessment of possible damage to the interests of the Russian Federation in matters of domestic and foreign policy;

3) economic significance, expressed in the assessment of possible direct and indirect damage to subjects of critical information infrastructure and (or) budgets of the Russian Federation;

4) environmental significance, expressed in assessing the level of impact on the environment;

5) the importance of a critical information infrastructure facility for ensuring the country’s defense, state security and law and order.

3. Three categories of significance of critical information infrastructure objects are established: first, second and third.

4. Subjects of critical information infrastructure, in accordance with the criteria of significance and indicators of their values, as well as the procedure for categorization, assign one of the categories of significance to objects of critical information infrastructure belonging to them by right of ownership, lease or other legal basis. If an object of critical information infrastructure does not meet the criteria of significance, the indicators of these criteria and their values, it is not assigned any of these categories.

5. Subjects of critical information infrastructure send information on the results of assigning an object of critical information infrastructure one of the categories of significance, or on the absence of the need to assign it one of such categories, in writing, within ten days from the date of adoption of the corresponding decision, to the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in the form approved by that body.

6. The federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, within thirty days from the date of receipt of the information specified in Part 5 of this article, verifies compliance with the procedure for categorization and the correctness of assigning an object of critical information infrastructure one of the categories of significance or of not assigning it any of these categories.

7. If the subject of critical information infrastructure has followed the categorization procedure and the critical information infrastructure object belonging to it by right of ownership, lease or other legal basis has been correctly assigned one of the categories of significance, the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, enters information about such an object of critical information infrastructure into the register of significant objects of critical information infrastructure, of which the subject of the critical information infrastructure is notified within ten days.

8. In the event that the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation identifies violations of the procedure for categorization, and (or) an object of critical information infrastructure owned by the subject of the critical information infrastructure by right of ownership, lease or other legal basis was incorrectly assigned one of the categories of significance, and (or) was unreasonably assigned none of such categories, and (or) the subject of the critical information infrastructure provided incomplete and (or) unreliable information about the results of assigning one of the categories of significance to such an object of critical information infrastructure or about the absence of the need to assign it one of these categories, the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, within ten days from the date of receipt of the submitted information, returns it in writing to the subject of the critical information infrastructure with a reasoned justification of the reasons for the return.

9. The subject of critical information infrastructure, after receiving a reasoned justification of the reasons for returning the information specified in Part 5 of this article, within no more than ten days, eliminates the noted deficiencies and re-sends such information to the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation.

10. Information about the absence of the need to assign an object of critical information infrastructure one of the categories of significance, after verification, is sent by the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation to the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, of which the subject of critical information infrastructure is notified within ten days.

11. If a subject of critical information infrastructure fails to provide the information specified in Part 5 of this article, the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation sends to the specified subject a requirement about the need to comply with the provisions of this article.

1) by a reasoned decision of the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, adopted based on the results of an audit carried out as part of state control in the field of ensuring the security of significant objects of critical information infrastructure;

2) in the event of a change in a significant object of critical information infrastructure, as a result of which such an object no longer meets the criteria of significance and indicators of their values, on the basis of which it was assigned a certain category of significance;

3) in connection with the liquidation, reorganization of a subject of critical information infrastructure and (or) change in its organizational and legal form, as a result of which the characteristics of a subject of critical information infrastructure were changed or lost.

Article 8. Register of significant objects of critical information infrastructure

1. In order to record significant objects of critical information infrastructure, the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation shall maintain a register of significant objects of critical information infrastructure in the manner established by it. The following information is entered into this register:

1) name of a significant object of critical information infrastructure;

2) name of the subject of critical information infrastructure;

3) information about the interaction of a significant object of critical information infrastructure and telecommunication networks;

4) information about the person operating a significant object of critical information infrastructure;

6) information about software and hardware used at a significant facility of critical information infrastructure;

7) measures taken to ensure the security of a significant object of critical information infrastructure.

2. Information from the register of significant objects of critical information infrastructure is sent to the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

3. If a significant object of critical information infrastructure loses its category of significance, it is excluded by the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation from the register of significant objects of critical information infrastructure.

Article 9. Rights and obligations of subjects of critical information infrastructure

1. Subjects of critical information infrastructure have the right:

1) receive from the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation information necessary to ensure the security of significant objects of critical information infrastructure owned by them by right of ownership, lease or other legal basis, including information about threats to the security of the information processed by such objects and about vulnerabilities of the software, equipment and technologies used at such objects;

2) in the manner established by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, receive from the said body information about the means and methods of carrying out computer attacks, as well as about methods for their prevention and detection;

3) with the consent of the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, at its own expense, acquire, rent, install and maintain means intended for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents;

4) develop and implement measures to ensure the security of a significant object of critical information infrastructure.

2. Subjects of critical information infrastructure are obliged to:

1) immediately inform the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, as well as the Central Bank of the Russian Federation (if the subject of critical information infrastructure operates in the banking sector or in other areas of the financial market), about computer incidents, in the manner established by the specified federal executive body (in the banking sector and in other areas of the financial market, the specified procedure is established in agreement with the Central Bank of the Russian Federation);

2) provide assistance to officials of the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, in detecting, preventing and eliminating the consequences of computer attacks, establishing the causes and conditions for the occurrence of computer incidents;

3) in the case of installation at critical information infrastructure facilities of tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents, ensure compliance with the procedure, technical conditions for the installation and operation of such tools, and their safety.

3. Subjects of critical information infrastructure, which own significant objects of critical information infrastructure by right of ownership, lease or other legal basis, along with fulfilling the obligations provided for in Part 2 of this article, are also obliged to:

1) comply with the requirements for ensuring the security of significant objects of critical information infrastructure, established by the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation;

2) comply with the instructions of officials of the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation on the elimination of violations in terms of compliance with the requirements for ensuring the security of a significant object of critical information infrastructure, issued by these officials in accordance with their competence;

3) respond to computer incidents in the manner approved by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, and take measures to eliminate the consequences of computer attacks carried out against significant objects of critical information infrastructure;

4) ensure unimpeded access to officials of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation to significant objects of the critical information infrastructure when these persons exercise the powers provided for in Article 13 of this Federal Law.

Article 10. Security system of a significant object of critical information infrastructure

1. In order to ensure the security of a significant object of critical information infrastructure, the subject of critical information infrastructure, in accordance with the requirements for the creation of security systems for such objects and for ensuring their functioning, approved by the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, creates a security system for such an object and ensures its functioning.

2. The main objectives of the security system of a significant object of critical information infrastructure are:

1) prevention of unauthorized access to information processed by a significant object of critical information infrastructure, and of the destruction, modification, blocking, copying, provision and distribution of such information, as well as other unlawful actions in relation to such information;

2) preventing impact on technical means of information processing, as a result of which the functioning of a significant object of critical information infrastructure may be disrupted and (or) terminated;

3) restoration of the functioning of a significant object of critical information infrastructure, ensured, among other things, by creating and storing backup copies of the information necessary for this;

4) continuous interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

Article 11. Requirements for ensuring the security of significant objects of critical information infrastructure

1. Requirements for ensuring the security of significant objects of critical information infrastructure, established by the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, are differentiated depending on the category of significance of objects of critical information infrastructure and these requirements provide for:

1) planning, development, improvement and implementation of measures to ensure the security of significant objects of critical information infrastructure;

2) taking organizational and technical measures to ensure the security of significant objects of critical information infrastructure;

3) establishing the parameters and characteristics of software and hardware used to ensure the security of significant objects of critical information infrastructure.

2. State bodies and Russian legal entities performing functions for the development and implementation of state policy and (or) legal regulation in the established field of activity may, in agreement with the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation, establish additional requirements for ensuring the security of significant objects of critical information infrastructure that take into account the specifics of the functioning of such objects in the established field of activity.

Article 12. Security assessment of critical information infrastructure

1. The assessment of the security of critical information infrastructure is carried out by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, in order to predict the emergence of possible threats to the security of critical information infrastructure and to develop measures to increase the resilience of its functioning when computer attacks are carried out against it.

2. When assessing the security of critical information infrastructure, the following is analyzed:

1) data obtained when using tools designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents, including information about the presence of signs of computer attacks in telecommunication networks used to organize the interaction of critical information infrastructure objects;

2) information provided by subjects of critical information infrastructure, by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation (in accordance with the list of information and in the manner determined by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation), and by other bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones;

3) information submitted to the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, based on the results of state control in the field of ensuring the security of significant objects of critical information infrastructure, about violations of the requirements for ensuring the security of significant objects of critical information infrastructure that create the preconditions for the occurrence of computer incidents;

4) other information received by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, in accordance with the legislation of the Russian Federation.

3. To implement the provisions provided for in parts 1 and 2 of this article, the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation organizes the installation, in telecommunication networks used to organize the interaction of critical information infrastructure objects, of tools designed to search for signs of computer attacks in such telecommunication networks.

4. In order to develop measures to improve the security of critical information infrastructure, the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation sends the results of the assessment of the security of critical information infrastructure to the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation.

Article 13. State control in the field of ensuring the security of significant objects of critical information infrastructure

1. State control in the field of ensuring the security of significant objects of critical information infrastructure is carried out in order to verify compliance by subjects of critical information infrastructure that own significant objects of critical information infrastructure by right of ownership, lease or other legal basis with the requirements established by this Federal Law and regulatory legal acts adopted in accordance with it. The specified state control is carried out by the federal executive body authorized to ensure the security of the critical information infrastructure of the Russian Federation by means of scheduled or unscheduled inspections.

2. The basis for carrying out a scheduled inspection is the expiration of three years from the date of:

1) entering information about an object of critical information infrastructure into the register of significant objects of critical information infrastructure;

2) completion of the last scheduled inspection in relation to a significant object of critical information infrastructure.

3. The basis for carrying out an unscheduled inspection is:

1) expiration of the deadline for the subject of the critical information infrastructure to comply with the order issued by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation to eliminate the identified violation of the requirements for ensuring the security of significant objects of the critical information infrastructure;

2) the occurrence of a computer incident that entailed negative consequences at a significant facility of critical information infrastructure;

3) an order (instruction) of the head of the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, issued in accordance with instructions of the President of the Russian Federation or the Government of the Russian Federation, or on the basis of a request from a prosecutor to carry out an unscheduled inspection as part of supervision of the execution of laws, based on materials and appeals received by the prosecutor's office.

4. Based on the results of a scheduled or unscheduled inspection, the federal executive body authorized to ensure the security of the critical information infrastructure of the Russian Federation draws up an inspection report in the form approved by the specified body.

5. Based on the inspection report, in the event of a violation of the requirements of this Federal Law and regulatory legal acts adopted in accordance with it to ensure the security of significant objects of critical information infrastructure, the federal executive body authorized in the field of ensuring the security of critical information infrastructure of the Russian Federation issues to the subject of critical information infrastructure an order to eliminate the identified violation, indicating the time frame for its elimination.

Article 14. Liability for violation of the requirements of this Federal Law and other regulatory legal acts adopted in accordance with it

Violation of the requirements of this Federal Law and other regulatory legal acts adopted in accordance with it entails liability in accordance with the legislation of the Russian Federation.

Article 15. Entry into force of this Federal Law

President of the Russian Federation

Moscow, Kremlin

The Ministry of Economic Development intends to ban the use of foreign software and equipment at Russian CII facilities

On November 1, 2019, it became known that the Ministry of Economic Development is preparing amendments to the law "On the Security of CII" that involve replacing foreign software and equipment at CII facilities with Russian ones. The order to prepare the amendments was given several months ago by Deputy Prime Minister Yuri Borisov, who is in charge of the defense industry. RBC reports this with reference to a letter from Deputy Minister of Economy Azer Talibov.

Talibov writes that, in their current form, Russian laws do not allow the government to require the use of only domestic software and equipment at CII facilities. To make this possible, the norm must be written into the law "On the Security of CII". A schedule for replacing foreign products with domestic ones at existing CII facilities will be drawn up separately.

In addition, the law should prohibit foreign companies from interacting with CII networks and information systems. That is, the final beneficiaries of the legal entities involved in this should be Russian citizens who do not hold dual citizenship. The same rule would apply to individual entrepreneurs who work with CII. As a result, the access of foreign states and their citizens to the maintenance and development of CII will be minimized, Talibov believes.

The recipients of Talibov's letter are the board of the Military-Industrial Commission of Russia, which is headed by Borisov, the Federal Service for Technical and Export Control (FSTEC) and the Ministry of Telecom and Mass Communications. The Ministry of Telecom and Mass Communications responded that FSTEC and the Ministry of Industry and Trade are working on import substitution of foreign equipment on behalf of the government, and that CII will function more safely and stably on Russian software, while the share of domestic developers in the government procurement market will increase.

About 17 thousand cyberattacks on CII were recorded in Russia

In August 2019, a representative of the Security Council reported that in 2018, about 17 thousand cyber attacks on CII were recorded in Russia. The attackers tried to install malware on another 7 thousand objects. About 38% of attacks occurred against financial institutions.

ADE has published guidelines for categorizing CII objects in accordance with No. 187-FZ

On July 9, 2019, it became known that the Documentary Telecommunications Association (ADE) had published guidelines for categorizing critical information infrastructure (CII) objects. The document was developed on the basis of materials from telecom operators and other organizations that are members of the ADE. The methodological recommendations are aimed at detailing and standardizing the procedure for categorizing CII objects provided for by the Federal Law "On the Security of Critical Information Infrastructure of the Russian Federation" dated July 26, 2017 No. 187-FZ.

The recommendations contain a set of rules on the basis of which operators should assign CII objects to one type or another. The published version of the document has been agreed with the FSTEC of Russia and the 8th Center of the FSB of Russia and can be used by telecom operators. When the regulatory framework changes, or when comments and suggestions are received based on the results of applying the methodological recommendations, the association plans to amend the text of the methodology.

A federal official who wished to remain anonymous said that the association is essentially a public organization and its recommendations have no legal force.

When preparing the document, operators needed to carry out analytical work on categorizing objects. Recommendations were developed by market participants and routinely agreed upon with relevant authorities. Categorization is a necessary stage in the implementation of the requirements of Federal Law-187. The purpose of the methodology is to define criteria and unify the procedure so that the results do not raise questions among industry regulators. We believe that operators will begin to use the document, and practice will show the need for further approval by executive bodies,

said MegaFon, adding that the published version of the document has been approved by the main regulators under Federal Law-187 and can be used by telecom operators. The industry document is not mandatory, but is recommended by FSTEC and the FSB for use in the communications industry.

First of all, it is intended to help market participants in the implementation of Federal Law-187. This is a consolidated vision of major industry players to implement the requirements of regulatory legal acts in the field of ensuring the safety of CII. Recommendations are important, since Federal Law-187 and by-laws formulate general principles and measures to ensure the safety of CII, without going into industry specifics. The methodology is an attempt to apply the norms formulated by the legislator to a specific operator infrastructure; it is of a purely applied nature, and this is its value. For the Big Four operators, of course, the document will be the main one. For other operators, we hope, too, since the use of methodological recommendations will contribute to a unified and understandable information field in the process of interaction between the operator community and regulators,

commented a representative of the MegaFon press service.


A representative of the press service of MTS PJSC said that the recommendations will be used by telecom operators when categorizing critical information infrastructure (CII) objects and building security systems for these objects.

It seems that it would be more expedient to adopt the document in the form of a regulatory legal act of the regulator. For now, these are essentially recommendations. Telecom operators will decide for themselves whether the technique can be used. The work has already been partially completed. MTS has developed and sent to the FSTEC of Russia a list of facilities of its own CII. In accordance with the plan, by the end of 2019 we will categorize these objects. The methodology allows us to introduce certainty and uniformity in the approach to categorizing CII objects by telecom operators. The costs of MTS will be clear after the categorization of CII objects,

answered the representative of the MTS press service.


A representative of the Akado Telecom press service said that the initiative to develop recommendations is correct and timely.

Data about cyber attacks on critical facilities in the Russian Federation are leaking abroad. Companies break the law

Russian companies responsible for managing critical infrastructure facilities share data on cyber attacks with foreign colleagues without the knowledge of the FSB. RBC reported this on Thursday, June 27, citing materials from the Federal Service for Technical and Export Control (FSTEC), which in turn refers to the FSB.

According to the law “On the Security of Critical Information Infrastructure”, which has been in force since last year, companies managing critical infrastructure facilities are required to provide data about those facilities to the Federal Service for Technical and Export Control (FSTEC) so that each is assigned the appropriate category (the security requirements differ by category). In addition, they are required to connect to the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA) created by the FSB and to report cyber attacks on their facilities to the National Coordination Center for Computer Incidents (NCCCI).

However, not all companies comply with the requirements of the law and report cyber attacks on their systems to the NCCCI. As a result, the center does not have complete information about incidents at critical infrastructure facilities and cannot respond to them adequately or make forecasts.

At the same time, companies do exchange information about cyber attacks with foreign organizations. In doing so they violate FSB orders No. 367 and No. 368, under which any exchange of such data with foreign organizations must be agreed with FSTEC. The service, however, has not received a single request on this matter.

FSTEC believes that information provided to foreign companies about cyber attacks on critical infrastructure facilities in the Russian Federation ultimately falls into the hands of foreign intelligence services, which can use it to assess the state of security of Russian critical infrastructure.

As RBC writes, companies may be doing this to avoid reputational and financial losses. But the practice of sending data abroad primarily threatens the companies themselves: because the FSB-controlled National Coordination Center for Computer Incidents (NCCCI) does not have complete information about incidents, it cannot respond to them adequately or make accurate forecasts about how the situation will develop, FSTEC notes.

The Law “On the Security of Critical Information Infrastructure” has been in force in Russia since 2018. Its main goal is to protect the country's most important enterprises from cyber attacks.

According to FSTEC, the law is not yet working at full force for several reasons. Firstly, last year the agency already noted that banks and telecom operators had not provided information about the “criticality” of their facilities. Secondly, some of the by-laws that are meant to set out the details of interaction between organizations under this law have not yet been adopted.

The FSB has formulated requirements for GosSOPKA tools to protect the CII of the Russian Federation

FSTEC and FSB will introduce liability for violation of requirements for critical IT infrastructure in Russia

On March 26, 2019, a notice was posted on the federal portal of draft regulatory legal acts announcing the start of development of the draft federal law “On Amendments to the Code of the Russian Federation on Administrative Offenses (in terms of establishing liability for violation of requirements for ensuring the security of CII facilities).”

For now, this is only a notification that work on the document has begun. Law No. 187-FZ “On the Security of Critical Information Infrastructure of the Russian Federation” requires the entities that manage significant objects of Russia's critical information infrastructure to comply with the requirements for ensuring the security of such facilities defined by law and regulations.

In particular, there is Article 274.1 of the Criminal Code, which provides criminal liability for unlawful influence on the critical information infrastructure of the Russian Federation.

However, there is no provision covering cases where these requirements were not complied with but no unlawful influence on CII resulted.

In order to differentiate punishment depending on the social danger of the consequences of violating the requirements of the legislation of the Russian Federation on the security of critical information infrastructure, it seems appropriate to introduce administrative responsibility for non-compliance by subjects of critical information infrastructure with the requirements for ensuring the security of significant objects of critical information infrastructure established in accordance with federal law and other regulatory legal acts adopted in accordance with it, says the description of the project.

Critical information infrastructure needs legislation that would meet the constantly changing realities of information security, - noted Dmitry Gvozdev, general manager of the “Information Technologies of the Future” company. - The process of forming this legislation is still far from complete; some gaps remain that need to be addressed as soon as possible. The development of measures of administrative responsibility in this case is not so much the promise of new punishments for the sake of the punishments themselves, but rather filling in the gaps and adequately delineating responsibility in accordance with the probable threat. Ultimately, in the field of CII, even minor negligence can be unpredictably expensive.

The main developer of the draft is to be FSTEC, with the Federal Security Service of the Russian Federation listed as co-executor.

The planned date for adoption of the bill is January 2020. You can familiarize yourself with the document.

FSTEC proposes to prohibit the processing abroad of information related to Russian CII

The draft contains a number of clarifications, including requirements relating to the equipment, software and procedures used for processing information at critical infrastructure facilities.

In particular, it is proposed to supplement paragraph 31 of the order with the following paragraph:

The software and hardware included in a significant object of the 1st category of significance that store and process information must be located on the territory of the Russian Federation (except in cases where these tools are placed in foreign separate divisions of the critical information infrastructure subject (branches, representative offices), as well as in cases established by the legislation of the Russian Federation and (or) international treaties of the Russian Federation).

The previous version of the order did not impose such restrictions.

In fact, this means a ban on the processing of data outside the territory of Russia related to critical infrastructure objects of the first category of importance, minus specified exceptions, noted Dmitry Gvozdev, CEO of the Information Technologies of the Future company. - In general, this document is of a clarifying nature. The development of standards and rules by which Russia's critical infrastructure should operate is a process that is still very far from completion: the number of interested parties is large, and the risks are too high, so the regulation should be as detailed as possible. Accordingly, new amendments, additions and clarifications will continue to be introduced, and for quite some time.

In addition, the document proposes to oblige the most significant critical infrastructure enterprises to use only routers certified to comply with information security requirements. However, we are talking only about newly created or modernized CII facilities and only the first (maximum) category of significance.

It is stipulated that if it is not technically possible to use only certified devices as border routers (that is, those through which access is provided from the local network to the Internet), the security of the devices actually used will have to be assessed as part of the acceptance or testing of significant objects.

The full text of the draft order is available at this link.

2018

In 2018, about 4.3 billion cyber attacks were committed in the Russian Federation

“I order the approval of the attached procedure for informing the FSB of Russia about computer incidents, responding to them, and taking measures to eliminate the consequences of computer attacks carried out against significant objects of the critical information infrastructure of the Russian Federation,” follows from the order.

As noted in the explanatory note, the project is aimed at improving legal regulation in the field of coordinating the activities of subjects of critical information infrastructure of the Russian Federation on the issues of detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents.

According to the order, in the event of a computer incident, subjects of the critical information infrastructure of the Russian Federation are obliged to immediately inform the National Coordination Center for Computer Incidents (NCCCI) about it. If there is no connection to this technical infrastructure, information should be sent via fax, email and telephone to the addresses or telephone numbers of the NCCCI indicated on the department’s website.

In addition, if an incident occurred at a CII facility operating in the banking and other areas of the financial market, it is also necessary to inform the Central Bank of the Russian Federation.

CII entities will also be required to develop a plan for responding to computer incidents and taking measures to eliminate the consequences of computer attacks and, at least once a year, conduct training to practice the plan’s activities.

Information about the security of CII from cyber attacks was classified as a state secret

The Decree supplements the list of information classified as state secrets, approved by Decree of the President of the Russian Federation of November 30, 1995 No. 1203 “On approval of the list of information classified as state secrets,” with a new paragraph. According to the document, such data now includes information that reveals measures to ensure the security of the critical information infrastructure of the Russian Federation and information that reveals the state of security of CII from computer attacks.

The authority to dispose of such data is vested in the FSB and the Federal Service for Technical and Export Control.

2017: What the penalties are for unlawful influence on the critical IT infrastructure of Russia

According to 187-FZ, the new requirements apply to financial, transport, energy and telecommunications companies, as well as organizations in the field. After this, the list of objects is submitted in the form of a notification to the FSTEC of Russia; for each object on the list, the CII subject determines a category of significance, after which the categorization results are sent to the FSTEC for approval. Based on the assigned categories, the owner of the CII objects must then build its protection.

Unlawful influence includes the creation, distribution and/or use of computer programs or other computer information that is knowingly intended to block, modify or copy information in critical infrastructure, or to neutralize the means of protecting that information.

In addition, unlawful access to protected computer information contained in the critical information infrastructure of the Russian Federation will entail sanctions if it results in damage to this infrastructure.

Punishments are also provided for violating the rules for operating means of storing, processing or transmitting protected computer information contained in the critical information infrastructure, as well as information systems, information and telecommunication networks, automated control systems and telecommunication networks belonging to the country's critical information infrastructure.

For creating malicious programs intended to impact infrastructure, violators face forced labor for up to five years, possibly combined with restriction of freedom for up to two years, or imprisonment for two to five years with a fine of five hundred thousand to one million rubles or in the amount of the convicted person's wages or other income for a period of one to three years. Unauthorized access to protected computer information is punishable by forced labor for up to five years with a fine of 500 thousand to one million rubles, possibly combined with restriction of freedom for up to two years, or imprisonment for two to six years with a fine of five hundred thousand to one million rubles.

Violation of the rules for operating means of storing, processing or transmitting protected computer information will result in forced labor for up to five years with possible deprivation of the right to hold certain positions or engage in certain activities for up to three years. There is also a possible imprisonment of up to six years.

If these acts are committed by a group of persons by prior conspiracy, by an organized group or by a person using their official position, the punishment becomes significantly more severe: the law provides for a prison term of three to eight years with possible deprivation of the right to hold certain positions or engage in certain activities for up to three years.

If the same acts, committed by a group of persons by prior conspiracy or using their official position, lead to grave consequences, the perpetrators will receive a term of five to ten years with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to five years.

The emergence of such a law is more than natural in the current conditions, says Georgy Lagoda, CEO of SEC Consult Services. - Attacks on critical infrastructure are no longer an abstraction; they are a hyper-urgent problem for all countries, including Russia. The law is clearly aimed at preventing internal attacks or breaches that increase infrastructure vulnerability. The effectiveness of this law may be subject to debate, but it is encouraging that the problem is recognized at the legislative level.

In connection with the approval of a number of regulatory legal acts in the field of CII safety after the publication of this article, on March 22, 2018, changes and additions were made to the text of the article.

On January 1, with the advent of the new year 2018, the Law “On the Security of Critical Information Infrastructure” (hereinafter referred to as the Law) came into force in our country. Since 2013, even at the draft stage, this law was heatedly discussed by the information security community and raised many questions regarding the practical implementation of the requirements put forward by it. Now that these requirements have come into force and many companies are faced with the need to comply with them, we will try to answer the most pressing questions.

What is the Law for?

The new Law is intended to regulate relations in the field of ensuring the security of information infrastructure facilities of the Russian Federation whose functioning is critically important for the state's economy. The Law calls such objects critical information infrastructure objects (hereinafter referred to as CII objects). According to the Law, CII objects are information systems, information and telecommunication networks, and automated control systems operating in the fields of:

  • healthcare;
  • science;
  • transport;
  • communications;
  • energy;
  • banking and other areas of the financial market;
  • fuel and energy complex;
  • nuclear energy;
  • defense and rocket and space industries;
  • mining, metallurgical and chemical industries.

CII objects, together with the telecommunication networks used to organize interaction between them, constitute the critical information infrastructure.

What is the purpose of the Law and how should it work?

The main goal of ensuring the security of CII is the stable functioning of CII when computer attacks are carried out against it. One of the main principles of security is preventing computer attacks.

CII objects or KSII?

Before the new law on CII, the field of information security had a similar concept of key information infrastructure systems (KSII). However, from January 1, 2018, the concept of KSII was officially replaced by the concept of “significant CII objects”.

What organizations are covered by the Law?

The requirements of the Law apply to those organizations (state bodies and institutions, legal entities and individual entrepreneurs) that hold CII objects (by right of ownership, lease or another legal basis) or that ensure their interaction. The Law calls such organizations CII subjects.

What actions should CII subjects take to comply with the Law?

According to the law, CII entities must:

  • carry out categorization of CII objects;
  • ensure integration (embedding) into the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks on the Information Resources of the Russian Federation (GosSOPKA);
  • take organizational and technical measures to ensure the safety of CII facilities.

What is subject to categorization?

CII objects that provide managerial, technological, production, financial, economic and (or) other processes within the framework of performing functions (powers) or carrying out types of activities of CII subjects are subject to categorization.

What does the categorization of CII objects include?

Categorizing a CII object means determining its category of significance based on a number of criteria and indicators. There are three categories in total, first, second or third, in descending order of importance. If a CII object does not meet any of the established criteria, it is not assigned a category. CII objects that have been assigned one of the categories are called significant CII objects in the law. For each significant CII object the register maintained by the FSTEC of Russia records:

  • name of the significant CII facility;
  • name of the CII subject;
  • information about the interaction of a significant CII object and telecommunication networks;
  • information about the person operating a significant CII facility;
  • assigned significance category;
  • information about software and hardware used at a significant CII facility;
  • measures taken to ensure the safety of a significant CII facility.

It is important to note that if during the categorization process it was determined that a CII object does not have a category of significance, the results of the categorization must still be submitted to the FSTEC of Russia. The regulator checks the submitted materials and, if necessary, sends comments that the CII entity must take into account.

If the CII subject does not provide categorization data, FSTEC of Russia has the right to demand this information.

The procedure for maintaining the register of significant CII objects is determined by the order of the FSTEC of Russia dated December 6, 2017 No. 227 “On approval of the Procedure for maintaining the register of significant objects of critical information infrastructure of the Russian Federation.”

How to categorize CII objects?

Indicators of significance criteria, as well as the procedure and timing of categorization are defined in the “Rules for the categorization of critical information infrastructure objects of the Russian Federation” approved by the relevant government decree of February 8, 2018 No. 127 (hereinafter referred to as the Rules). The rules regulate the categorization procedure and also contain a list of criteria and their indicators for significant CII objects of the first, second and third categories.

According to the Rules, the categorization procedure includes:

  1. Determination by the CII subject of a list of all processes performed within the framework of its activities.
  2. Identification of critical processes, that is, those processes, the violation and (or) termination of which can lead to negative social, political, economic, environmental consequences, consequences for ensuring the country's defense, state security and law and order.
  3. Definition of CII objects that process the information necessary to support, manage and control critical processes.
  4. Formation of a list of CII objects subject to categorization. The list of objects for categorization is subject to agreement with the regulatory agency, approved by the CII entity and sent to the FSTEC of Russia within 5 working days after approval.
  5. Assessment of the scale of the possible consequences of computer incidents at CII facilities in accordance with the indicators specified in the Rules. In total, 14 indicators are provided; they determine the social, political and economic significance of the CII facility, as well as its significance for ensuring law and order, defense and security of the country.
  6. Assigning each of the CII objects one of the categories of significance in accordance with the highest value of the indicators, or making a decision that there is no need to assign a category.

Categorization must be carried out for both existing and newly created or modernized CII facilities by a special commission chaired by the head of the CII subject (or a person authorized by them) and made up of the subject's employees and, if necessary, invited specialists from regulatory agencies in the relevant field. The commission's decision is formalized in a corresponding act and, within 10 days of its approval, sent to the FSTEC of Russia. Within thirty days of receipt, the regulator checks the submitted materials for compliance with the categorization procedure and assesses whether the category was assigned correctly.

The category of a significant CII object can be changed by a reasoned decision of the FSTEC of Russia within the framework of state control over the security of significant CII objects, in the event of a change in the CII object itself, or in connection with the reorganization of the CII subject (including liquidation, a change in its organizational and legal form, etc.).
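To make the aggregation rule in steps 5 and 6 concrete, here is an added Python model of the categorization decision. This is example code written for this article, not the Rules themselves or any FSTEC tool: the indicator names, thresholds, object names and assessed values are constructed placeholders (the 14 real indicators and their thresholds are defined in Decree No. 127 and are not reproduced on this page), and the 10-day act submission deadline is the one stated above.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Category 1 is the most significant, 3 the least; None means no category.


@dataclass(frozen=True)
class Indicator:
    """One significance indicator with the minimum assessed value that reaches
    each category. The thresholds used below are CONSTRUCTED placeholders,
    not values from Decree No. 127."""
    name: str
    thresholds: dict  # {category: minimum value reaching that category}

    def category_for(self, value: float) -> Optional[int]:
        reached = [cat for cat, minimum in self.thresholds.items() if value >= minimum]
        # Lowest category number = highest significance.
        return min(reached) if reached else None


@dataclass
class CiiObject:
    name: str
    critical_processes: list  # step 3: critical processes the object supports
    assessments: dict         # step 5: {indicator name: assessed value}


def subject_to_categorization(objects: list) -> list:
    """Step 4: only objects supporting at least one critical process go on the list."""
    return [o for o in objects if o.critical_processes]


def categorize(obj: CiiObject, indicators: list) -> Optional[int]:
    """Step 6: the object takes the highest significance reached by any single
    indicator; if no indicator reaches any category, no category is assigned."""
    reached = []
    for ind in indicators:
        if ind.name in obj.assessments:
            cat = ind.category_for(obj.assessments[ind.name])
            if cat is not None:
                reached.append(cat)
    return min(reached) if reached else None


def categorize_all(objects: list, indicators: list) -> dict:
    """Map each object on the categorization list to its category (or None)."""
    return {o.name: categorize(o, indicators) for o in subject_to_categorization(objects)}


def act_submission_deadline(approved_on_iso: str) -> str:
    """The commission's act must reach the FSTEC of Russia within 10 days of approval."""
    return (date.fromisoformat(approved_on_iso) + timedelta(days=10)).isoformat()


# Constructed sample data: hypothetical indicators, thresholds and systems.
INDICATORS = [
    Indicator("people_affected", {3: 1_000, 2: 10_000, 1: 100_000}),
    Indicator("service_outage_hours", {3: 1, 2: 8, 1: 24}),
]
OBJECTS = [
    CiiObject("Billing platform", ["subscriber billing"],
              {"people_affected": 50_000, "service_outage_hours": 2}),
    CiiObject("Core signalling", ["call routing"],
              {"people_affected": 500_000, "service_outage_hours": 0.5}),
    CiiObject("HR portal", ["payroll"],
              {"people_affected": 200, "service_outage_hours": 0}),
    CiiObject("Test lab", [], {"people_affected": 0}),  # no critical process: not listed
]

if __name__ == "__main__":
    for name, cat in categorize_all(OBJECTS, INDICATORS).items():
        print(f"{name}: {'category ' + str(cat) if cat else 'no category'}")
    print("act deadline:", act_submission_deadline("2019-09-02"))
```

Note that the billing platform reaches category 2 on one indicator and only category 3 on the other, and ends up in category 2: a single indicator reaching a higher category governs the result, which is why under-assessing any one indicator changes the outcome for the whole object.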

What is GosSOPKA and why is it needed?

GosSOPKA is a single, territorially distributed complex comprising the forces and the software and hardware tools for detecting, preventing and eliminating the consequences of computer attacks (hereinafter referred to as the OPL KA forces and tools).

The OPL KA forces include:

  • authorized units of the FSB of Russia;
  • the national coordination center for computer incidents, which is created by the FSB of Russia to coordinate the activities of CII subjects on the issues of detecting, preventing and eliminating the consequences of computer incidents;
  • divisions and officials of CII subjects who take part in detecting, preventing and eliminating the consequences of computer attacks and in responding to computer incidents.

GosSOPKA is designed to ensure and control the security of CII in the Russian Federation and in the country's diplomatic missions abroad.

This system should collect and aggregate all information about computer attacks and incidents received from CII subjects. The list of information and the procedure for submitting it to GosSOPKA will be determined by the relevant order, the draft of which was submitted for public discussion. According to the current version of the document, the deadline for providing information about a cyber attack is 24 hours from the moment of detection.

In addition, within the framework of GosSOPKA, the exchange of information on computer attacks is organized between all CII subjects, as well as international organizations operating in the field of responding to computer incidents.

Technically, GosSOPKA will be a distributed system of GosSOPKA centers deployed by CII subjects, united in a hierarchical structure on a departmental and territorial basis, together with the technical means (OPL KA tools) connected to them and installed at specific CII objects. GosSOPKA centers can be departmental, that is, organized by government bodies, or corporate, built by public and private corporations, telecom operators and other organizations licensed in the field of information security.

Who is the owner of GosSOPKA?

There is no provision for a single owner for GosSOPKA: each of the GosSOPKA centers will belong to a separate owner who has invested in its construction. The state will act only as a regulator and coordinator.

What is meant by integration with GosSOPKA?

Integration into GosSOPKA requires the CII subject to:

  • inform the FSB of Russia about computer incidents, as well as the Central Bank of the Russian Federation, if the organization operates in the banking sector and other areas of the financial market;
  • provide assistance to the FSB of Russia in detecting, preventing and eliminating the consequences of computer attacks, establishing the causes and conditions for the occurrence of computer incidents.

In addition, by decision of the CII subject, GosSOPKA equipment can be placed on the territory of the CII facility. In this case, the subject additionally ensures its security and uninterrupted operation. In other words, a CII subject can organize its own GosSOPKA center.

Can a CII subject choose not to create its own GosSOPKA center?

The decision to create its own GosSOPKA center is made by the CII subject independently. That is, creating a GosSOPKA center is not mandatory, and, moreover, this step must be agreed with the FSB of Russia.

However, for significant CII objects, CII subjects will have to implement measures to detect and respond to computer incidents. And for this, in any case, special technical means and qualified personnel will be required, which, in fact, are the components of GosSOPKA’s own center.

What is required to build your own GosSOPKA center?

According to the document “Methodological recommendations for the creation of departmental and corporate centers of GosSOPKA”, in order to build your own GosSOPKA center it is necessary to ensure the functioning of a set of technical means and processes that perform the following functions:

  • inventory of information resources;
  • identifying vulnerabilities of information resources;
  • information security threat analysis;
  • advanced training of information resources personnel;
  • receiving reports of possible incidents from personnel and users of information resources;
  • ensuring the process of detecting computer attacks;
  • security event data analysis;
  • incident registration;
  • responding to incidents and eliminating their consequences;
  • establishing the causes of incidents;
  • analysis of the results of eliminating the consequences of incidents.

For this purpose, the OPL KA technical means may include:

  • intrusion detection and prevention tools, including detection of targeted attacks;
  • specialized solutions for information protection for industrial networks and the financial sector;
  • tools for identifying and eliminating DDoS attacks;
  • means of collecting, analyzing and correlating events;
  • security analysis tools;
  • antivirus protection tools;
  • firewall tools;
  • cryptographic information protection tools for secure exchange of information with other GosSOPKA centers.

Technical means must be integrated into a single complex, controlled from the GosSOPKA center and interacting with other GosSOPKA centers.

In addition to the technical means, creating a GosSOPKA center requires developing the appropriate methodological documents, including configuration settings for information security tools, decision rules for detecting computer attacks, event correlation rules, instructions for personnel, etc.

A CII subject can implement its GosSOPKA center either independently (using its own technical and human resources) or by involving third-party specialists and outsourcing some functions, for example analysis of information security threats, staff training, receiving incident reports, security analysis and incident investigation.

What is required to ensure the safety of CII facilities?

For CII objects that are not significant, only integration with GosSOPKA (information exchange channel) must be ensured. Other measures to ensure the safety of the CII facility are implemented at the discretion of the relevant CII subject.

For significant CII objects, in addition to integration into GosSOPKA, CII subjects must:

  • Create a security system for a significant CII facility;
  • Respond to computer incidents. The procedure for responding to computer incidents must be prepared by the FSB of Russia by the end of April of this year;
  • Provide unhindered access to the CII facility to regulators and comply with their instructions based on the results of inspections. The law provides for both scheduled and unscheduled inspections.

The security system of a significant CII facility is a set of organizational and technical measures.

The procedure for creating the system and the requirements for the security measures taken are determined by the order of the FSTEC of Russia dated December 21, 2017 No. 235 “On approval of the Requirements for the creation of security systems for significant objects of critical information infrastructure of the Russian Federation and ensuring their functioning.”

Who controls compliance with the requirements of the Law?

The main control functions in the field of ensuring the safety of CII facilities, including legal regulation, are assigned to the FSTEC of Russia and the FSB of Russia.

FSTEC of Russia is responsible for maintaining a register of significant CII facilities, forming and monitoring the implementation of requirements to ensure their safety.

The FSB of Russia regulates and coordinates the activities of CII subjects in deploying the forces and means for detecting, preventing and eliminating the consequences of computer attacks, collects information on computer incidents, assesses the security of CII, and also develops requirements for the means of detecting, preventing and eliminating the consequences of computer attacks.

In some cases concerning telecommunication networks and CII entities in banking and other areas of the financial market, the requirements developed by the FSTEC of Russia and the FSB of Russia must be coordinated with the Ministry of Telecom and Mass Communications of Russia and the Central Bank of the Russian Federation, respectively.

The procedure for state control in the field of ensuring the security of significant CII facilities is determined by Decree of the Government of the Russian Federation dated February 17, 2018 No. 162 “On approval of the Rules for the implementation of state control in the field of ensuring the security of significant CII facilities of the Russian Federation.”

What if the requirements of the Law are not met?

Along with the adoption of the Federal Law “On the Security of CII”, a new Article 274.1 was added to the Criminal Code of the Russian Federation. It establishes criminal liability for officials of a CII subject for failure to comply with the established rules for operating the technical means of a CII facility, or for violating the procedure for accessing them, with punishment of up to 6 years of imprisonment. So far, this article does not provide for liability for failure to take the necessary measures to ensure the security of the CII facility; however, where consequences follow (accidents and emergency situations resulting in major damage), failure to take such measures falls under Article 293 of the Criminal Code of the Russian Federation, “Negligence”. In addition, changes to administrative legislation defining penalties for legal entities that fail to comply with the Law should be expected. It can be said with a high degree of confidence that the introduction of significant monetary fines will encourage CII entities to comply with the requirements of the Law.
