Editor’s Note: Translation courtesy of CRE.

From: CNews (Russia)

Russia’s Security Council has submitted a document which defines the policy on the protection of national critical infrastructure control systems. IThe document discusses; creating by 2020 a unified State system of detecting and preventing cyber attacks, and main functions the policy implementation gives the FSB.

Russia’s Security Council has published guidelines of state policy “in the field of security systems, industrial control and process critical infrastructure.” The document states that it was created in order to implement the main provisions of the National Security Strategy of Russia until 2020, which calls for improving IT infrastructure of critical facilities in order to protect them from threats.

For mission-critical facilities whose failure could lead to loss of infrastructure management, its destruction and negative changes in the economy of the country or region where the object is located. The aim of policy is to reduce to the lowest possible level the risk of uncontrolled intervention in the functioning of IT systems, as well as minimizing the negative effects of such intervention.

Weak spots. What do I do?

Among the negative factors affecting the formation of the state policy document, the authors mention “forced” recruitment management systems on foreign suppliers and hardware processing, storage and transmission of information, the trend among the owners and operators of critical facilities to hide violations of their work, lack of education and training staff manage critical system objects, the lack of regulation in this area.

To solve the problem of security management systems critical objects, the authors propose five major areas: the legal framework, government regulation, industry and science and technology policy, technology and means of ensuring information security, as well as advanced training.

The government really took care of the IT protection of critical facilities in Russia

In the area of ​​regulatory initiatives, is necessary to note the authors of the document need to define and consolidate the rights and obligations of owners of IT systems management of critical infrastructure, regulation of the order of entry, operation and modernization of these systems, as well as the introduction of liability for violations in the process, increased liability for the creation and application of computer attacks.

Among the objectives of regulation, the document’s authors distinguish the creation of a unified State system of detecting and preventing cyber attacks on critical infrastructure, establishment and maintenance of permanent rstand-by forces and the means of eliminating the effects of computer incidents creating a standard storage software which is used in critical infrastructure IT systems, creating conditions stimulating the development of Russian production of telecom equipment resistant to cyber attacks. The state, the authors of the document and assign selection (attraction) relevant sources and amounts of financial resources.

eadiness of forces and means of eliminating the consequences of incidents in her computer, creating a standard storage software, which is used in IT systems of critical infrastructure, creation of conditions stimulating the development of Russian production of telecom equipment resistant to cyber attacks. TThe State also sponsors the document and assigns selection of relevant sources and amounts of financial resources.  

In the scientific and technological field, many of the problems identified by the authors relate to the need for various developments in the field of critical infrastructure and information security control systems.

The Road Map

Implement of the policies is proposed in three stages; 2012-2013, 2014-2016, and 2017-2020. The first stage involves developing a work plan for implementating key policies, the development of the concept of the use of force and means of eliminating the effects of computer incidents in critical information infrastructure, preparation of proposals to amend the approved State program and adjust the planned programmes, etc.

In the second stage, is serious work in the field of legal regulation concerning the regulation of various processes and the division of responsibilities, developments in the field of information security, and the commissioning of the first phase of the  unified State system Situation Center for detecting and preventing cyber attacks on critical information infrastructure.  At this same stage is establishment of forces to eliminate the consequences of computer incidents. At the same stage of the creation account of forces and means to remove the effects of computer incidents.

The third stage involves, among other things, the introduction of integrated security systems at the facilities put into operation, the first stage of storage of the reference software, commissioning a unified State system for detecting and preventing cyber attacks on critical infrastructure and the Situation Center.

Experts and market participants took a generally positive view of the document and indicated that its contents (and the fact it appeared) is consistent with international practice.  However, experts CNews interviewed said the document has a number of problem areas, such as the lack of an exhaustive list of critical infrastructure and high-risk facilities in Russia, and the lack of references in the document FSTEC Russia, despite the fact that it is important for FSTEC valuable documents and security of critical infrastructures.