
By 2014 it seems that even children have heard about cyber attacks on industrial control systems and one-click industrial sabotage. There is Havex, there is Shodan, dubbed the "scariest search engine" (which, by the way, recently published a map of industrial control systems), and there are a dozen incidents described in the latest Novetta report.
Until now the Russian security regulators had paid little attention to the vulnerabilities of industrial systems, but FSTEC Order No. 31 of March 14, 2014 promises to change the situation radically.
It cannot be said that the security of process control systems (SCADA) was previously not regulated in Russia at all. Since 2007, information security processes at key critical facilities have been governed by the requirements for "key information infrastructure systems" (KSII). The guidelines in that document, however, have a limited scope: the enterprises they address must be included in a special list. That list could contain banks and any other organizations, and the document did not take into account the peculiarities of automated process control systems as real-time systems, nor trends in the development of IT infrastructures (for example, operation in virtualized environments). Treating process control systems separately, with their specific architecture and weak points taken into account, is the task of the requirements formulated in Order No. 31.
Russian rule-making is often blamed for being divorced from international best practice and out of step with recent trends. To test this assumption, we compared the requirements of FSTEC Order No. 31 with the leading foreign standards in the field of industrial automation system security, namely:
- the family of industry standards NERC Critical Infrastructure Protection (NERC CIP);
- the ISA / IEC 62443 family of standards for Industrial Automation and Control Systems Security;
- NIST SP 800-82 Guideline for Industrial Control Systems (ICS) Security recommendations and NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
What is already interesting in FSTEC Order No. 31
Development and documentation of security policies and procedures (these security measures are numbered 0). These are important measures: any process of ensuring security, not only information security, starts with careful documentation of all procedures. Regular checks are comparable to a pre-flight inspection of the aircraft and a review of its logbook; it all sounds boring to a passenger only until that passenger is at an altitude of 10 thousand meters.
Requirements for the protection of the virtualization environment (VSC). Virtualization technologies allow resources to be used more efficiently, but they generate new threats. Cost reduction is clearly more attractive than the struggle for security, so critical systems in general, and process control systems in particular, very quickly find themselves in not entirely safe clouds, and this process must somehow be controlled. The corresponding clauses in Order No. 31 are welcome; in the foreign standards we have listed, the protection of virtual environments is not addressed.
Training and testing of user actions in emergency (unforeseen) situations (CSN). Raising staff awareness reduces, at a minimum, the risks associated with social engineering. Rehearsing the "rescue plan" is also important so that employees understand their role in the security incident management process.
Requirements for secure software development (OBR). The code in process control system software is often simply terrible, and at most critical enterprises one can find vulnerabilities that are 10-15 years old. Updates are often not installed at all, for a variety of reasons ranging from the continuity of the technological process to employees' lack of awareness of threats. The best solution, therefore, is to take every possible measure to fix errors in process control system software during the development phase. Such requirements are practically absent from the foreign standards, which once again speaks in favor of the authors of the Russian document.
Requirements for incident management (ICE) and security threat analysis (UBI). These requirements are the essence of the risk-based approach reflected in Order No. 31. Their presence means that protection is built on the basis of the risks characteristic of the system, which allows new threats to be taken into account and the information security processes to be improved.

What I would like to see
The earliest possible appearance of detailed recommendations and guidelines for information security specialists and auditors. At present FSTEC Order No. 31 is a fairly high-level document.
Separation at the network level of the corporate LAN from technology networks, by analogy with IEC 62443-2-1 and NIST SP 800-82. The order does contain a LAN segmentation requirement (ZIS-17), but the best solution would be for the accompanying methodological document to state explicitly the need to separate technological networks from corporate ones.
Recommendations for building a secure architecture of process control system components, taking into account the division into levels, as is done in IEC 62443-2-1 and NIST SP 800-82: the lower level is the field level, the middle level is the PLC level, and the upper level is SCADA.
Inventory of industrial control system components. A similar requirement is present in all the documents considered. Inventory provides not only the identification of the components involved in technological processes but also the storage of additional information that allows their purpose, degree of significance, etc. to be determined. This procedure is of primary importance for the risk-based approach, so we look forward to its appearance in further revisions of the document.
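As an added illustration, not part of the original article or of any of the standards it cites, the following Python script shows how the three points above fit together in practice: a component inventory that records level, purpose and significance for each asset, and a check of the permitted network flows against the field / PLC / SCADA / corporate hierarchy, so that a corporate host reaching a PLC directly is reported as a segmentation gap. The level names, the sample assets and flows, and the rule that a flow may cross at most one level boundary are constructed assumptions for the example, not requirements taken from Order No. 31.

```python
"""Level-aware inventory and flow check for a process control network.

Added example, not from the article: the level names, the one-boundary
rule and all sample assets and flows are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Levels from the bottom of the hierarchy upwards; the corporate LAN is the
# level that segmentation has to keep apart from the technology network.
LEVELS = ("field", "plc", "scada", "corporate")
LEVEL_INDEX = {name: i for i, name in enumerate(LEVELS)}
SIGNIFICANCE = ("high", "medium", "low")


@dataclass(frozen=True)
class Asset:
    """One inventoried component plus the attributes a risk assessment needs."""
    name: str
    level: str          # one of LEVELS
    purpose: str        # role in the technological process
    significance: str   # owner-assigned rating, one of SIGNIFICANCE


@dataclass(frozen=True)
class Flow:
    """A permitted network connection between two inventoried components."""
    src: str
    dst: str
    protocol: str


def validate_inventory(assets: Iterable[Asset]) -> List[str]:
    """Report records too incomplete to support a risk-based decision."""
    findings: List[str] = []
    seen = set()
    for a in assets:
        if a.name in seen:
            findings.append(f"{a.name}: duplicate inventory record")
        seen.add(a.name)
        if a.level not in LEVEL_INDEX:
            findings.append(f"{a.name}: unknown level '{a.level}'")
        if not a.purpose.strip():
            findings.append(f"{a.name}: purpose not recorded")
        if a.significance not in SIGNIFICANCE:
            findings.append(f"{a.name}: significance not assessed")
    return findings


def check_flows(assets: Iterable[Asset], flows: Iterable[Flow]) -> List[str]:
    """Report flows that skip a level or touch components missing from the inventory.

    Assumed rule: traffic may cross at most one level boundary, so the
    corporate LAN may reach SCADA but never the PLC or field level directly.
    """
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    findings: List[str] = []
    for f in flows:
        missing = [n for n in (f.src, f.dst) if n not in by_name]
        if missing:
            findings.append(f"{f.src}->{f.dst}: not in inventory: {', '.join(missing)}")
            continue
        src, dst = by_name[f.src], by_name[f.dst]
        if src.level not in LEVEL_INDEX or dst.level not in LEVEL_INDEX:
            findings.append(f"{f.src}->{f.dst}: level unknown, cannot evaluate")
            continue
        lo, hi = sorted((LEVEL_INDEX[src.level], LEVEL_INDEX[dst.level]))
        if hi - lo > 1:
            skipped = ", ".join(LEVELS[lo + 1:hi])
            findings.append(
                f"{f.src}->{f.dst} ({f.protocol}): {LEVELS[hi]} reaches "
                f"{LEVELS[lo]} directly, bypassing the {skipped} level"
            )
    return findings


# Constructed sample inventory for a small boiler line.
SAMPLE_ASSETS = [
    Asset("ft-101", "field", "steam flow transmitter", "medium"),
    Asset("plc-boiler-1", "plc", "burner control", "high"),
    Asset("hmi-boiler", "scada", "operator workstation for the boiler line", "high"),
    Asset("historian", "scada", "process data archive", "medium"),
    Asset("erp-app", "corporate", "production planning", "low"),
    Asset("eng-laptop", "corporate", "", "unknown"),   # incomplete record
]

# Constructed flow list, as an auditor might collect it from firewall rules.
SAMPLE_FLOWS = [
    Flow("ft-101", "plc-boiler-1", "HART"),
    Flow("plc-boiler-1", "hmi-boiler", "Modbus/TCP"),
    Flow("hmi-boiler", "historian", "OPC"),
    Flow("historian", "erp-app", "SQL"),
    Flow("erp-app", "plc-boiler-1", "Modbus/TCP"),   # corporate straight to the PLC level
    Flow("eng-laptop", "plc-boiler-1", "S7"),         # same gap, different host
    Flow("hmi-boiler", "vendor-vpn", "RDP"),          # endpoint never inventoried
]

if __name__ == "__main__":
    for line in validate_inventory(SAMPLE_ASSETS) + check_flows(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(line)
```

Running the script on the constructed data reports the incomplete `eng-laptop` record, the two corporate hosts that reach the PLC level without passing through SCADA, and the `vendor-vpn` endpoint that nobody inventoried; the first four flows, which respect the hierarchy, produce no findings. The flow rule is deliberately simple: in a real assessment it would be refined with the conduit definitions of IEC 62443 and the historian/DMZ placement recommended by NIST SP 800-82.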
Personnel screening before granting access to work with automated process control systems. Such requirements exist in NERC CIP and ISA/IEC 62443, but have not yet made it into the current version of Order No. 31.
Activities associated with the dismissal of personnel. Not the most fun, but necessary actions, including blocking accounts, changing passwords, etc., are spelled out in ISA-62443-2-1 and NERC CIP. They say that former investigators are the best at destroying evidence, and a former employee of a critical facility (KVO) who knows the technological process well can be far more dangerous than an outside attacker. I would like to see requirements covering the dismissal of KVO employees in future versions of Order No. 31.
In general, despite some rough edges, the document meets the best international standards and practices in the field of information security for automated process control systems, and in some points introduces the most modern requirements, the need for which is long overdue.
A more detailed comparison of the requirements of FSTEC Order No. 31 of March 14, 2014 with similar items of the international standards is presented on the website of Positive Technologies.