In my last post, "Protection of automated process control systems in American style," I complained that very little attention was paid in Russia to the topic of protecting industrial systems. It would be foolish to believe that this particular post influenced our regulators in the field of information security, but on July 4 a very encouraging document appeared on the website of the Security Council: "Basic directions of state policy in the field of security of automated systems for managing production and technological processes of critical infrastructure facilities of the Russian Federation," developed as part of the national security strategy until 2020. The developer was the FSB.
The document was apparently written taking into account existing foreign documents on similar topics, and it even includes a clause such as "Requirements for software developers", which is not often found in regulator documents. I would especially like to note that the document turned out to be surprisingly comprehensive: it takes into account all the key areas of protection of automated process control systems.
Because the document is less advisory than of an "excursion-familiarization" character, I would especially like to note the desire to create a unified intrusion detection system for state structures, as well as critical industrial facilities, like the American IDSNet.
The document also recognizes the dependence of our infrastructure on foreign suppliers of components and software, including the practice of foreign firms remotely setting up critical nodes, as well as these firms' use of standard solutions across several facilities in order to reduce costs.
Improvement measures are planned in 3 stages until 2020. The measures include both state regulation and improvement of the regulatory framework, and rather speculative “improvement of fundamental and applied science” and “formation of intolerance in the public consciousness towards people committing illegal actions using information technologies”.
How all this will be implemented in reality, time will tell. I hope that the information security specialists involved in the protection of automated process control systems will familiarize themselves with this document and find it useful. I am glad that Russia has attended to such an important topic, and I hope that the regulators will continue to improve the base of documents for the protection of automated process control systems, and that soon it will be no worse than the American one.