Protection of industrial control systems in Russia: exploring the new requirements of FSTEC
By 2014, it seems that even children have heard about cyber attacks on industrial control systems and one-click industrial sabotage: Havex, the “scariest search engine” Shodan (which, by the way, recently published an ICS map), and the dozen incidents described in the latest Novetta report.
Until now, the Russian bodies responsible for security regulation had paid little attention to the vulnerabilities of industrial systems, but FSTEC Order No. 31 of March 14, 2014 promises to fundamentally change the situation.
It cannot be said that the security of industrial control systems (ACS TP, SCADA) was not regulated in Russia at all before. Since 2007, information security processes at key critical facilities have been governed by the requirements for “key information infrastructure systems” (FIACs); however, that document has distribution restrictions: the enterprises it addresses must be included in a special list. The list of FIACs could include banks and any other organizations, but the requirements did not take into account the peculiarities of ICS as real-time systems, nor the development trends of IT infrastructures (for example, work in virtualized environments). Treating ACS TP separately, with regard to the specific architecture and weaknesses of such systems, is the task of the requirements formulated in Order No. 31.
Russian rulemaking is often reproached for being divorced from international best practice and out of step with the latest trends. To test this assumption, we compared the requirements of FSTEC Order No. 31 with the leading foreign standards for industrial automation systems, namely:
- the NERC Critical Infrastructure Protection (NERC CIP) family of industry standards;
- the ISA/IEC 62443 Industrial Automation and Control Systems Security family of standards;
- the recommendations of NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security” and NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”.
What is interesting in FSTEC Order No. 31 right now
Development and documentation of security rules and procedures (policies) (these security measures are numbered 0). These are important measures: any security process, not only an information security one, begins with careful documentation of all procedures. A regular check can be compared to a pre-flight inspection of the aircraft and a review of the logbook, and all of this sounds boring to the passenger only until the plane has climbed to 10,000 meters.
Requirements for protecting the virtualization environment. Virtualization technologies optimize resources but give rise to new threats. Cost reduction is clearly more attractive than the struggle for security, so critical systems in general, and industrial control systems in particular, very quickly end up in not very safe clouds, and this process needs to be controlled somehow. The relevant paragraphs of Order No. 31 can only be welcomed, whereas the foreign standards listed above do not address the protection of virtual environments at all.
Training and rehearsal of user actions in emergency (unforeseen) situations (CSN). Raising staff awareness reduces at least the risks associated with social engineering. Rehearsing a “rescue plan” is also important so that employees understand their role in handling security incidents.
Requirements for secure software development (OBR). The code in ICS software is often simply awful, and vulnerabilities from 10-15 years ago can be found at most critical enterprises. Updates are often not installed at all, for many reasons, from the continuity of the process to employees' lack of awareness of threats. The best solution is therefore to take every possible measure to fix errors in ICS software at the development stage. Such requirements are practically absent from the foreign standards, which once again speaks in favor of the authors of the Russian document.
Requirements for incident management (INC) and security threat analysis (UBI). These requirements are the essence of the risk-based approach reflected in Order No. 31. Their presence means that protection is built on the risks specific to the system: this makes it possible to take new threats into account and improve information security processes.
What I would like to see
Early appearance of detailed recommendations and guidelines for information security specialists and auditors. At present, FSTEC Order No. 31 is a rather high-level document.
Separation of the corporate LAN from technological networks at the network level, by analogy with IEC 62443-2-1 and NIST SP 800-82. The order does contain a requirement on LAN segmentation (ZIS-17), but the corresponding methodological document would do well to state explicitly the need to separate technological networks from corporate ones.
Recommendations on building a secure ICS architecture with separation into levels, as is done in IEC 62443-2-1 and NIST SP 800-82: the lower level is the field devices, the middle level the PLCs, and the upper level SCADA.
Inventory of ACS TP components. A similar requirement is found in all the documents examined. Moreover, the inventory provides not only identification of the components involved in the technological processes but also storage of additional information to determine their purpose, degree of significance, etc. This procedure is one of the primary inputs of the risk-based approach, so we are waiting for it to appear in further revisions of the document.
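As an added illustration (not from the original post or from any of the standards it cites) of how the segmentation, level separation and inventory points above fit together, the following script keeps a small constructed inventory with purpose and significance attributes and checks observed network flows against the level model (corporate LAN outside the technological network; field, PLC and SCADA levels inside it). All host names, flows and the "adjacent levels only" rule are assumptions for the example.

```python
# Added example (not from the post): check an ICS asset inventory and observed
# network flows against the level separation recommended above: corporate LAN
# kept apart from the technological network, and field / PLC / SCADA levels
# inside it. All assets and flows are constructed sample data, not real hosts.
from dataclasses import dataclass

# Inside the technological network traffic should only cross adjacent levels;
# the corporate LAN should reach no deeper than the SCADA level.
LEVELS = {"field": 0, "plc": 1, "scada": 2, "corporate": 3}

@dataclass(frozen=True)
class Asset:
    name: str
    level: str          # one of LEVELS
    purpose: str        # inventory attribute: what the component does
    significance: str   # inventory attribute: "high" / "medium" / "low"

INVENTORY = {a.name: a for a in [
    Asset("sensor-t1", "field", "temperature transmitter", "medium"),
    Asset("plc-01", "plc", "boiler loop controller", "high"),
    Asset("scada-srv", "scada", "HMI/SCADA server", "high"),
    Asset("hist-gw", "scada", "historian gateway", "medium"),
    Asset("office-pc", "corporate", "engineer workstation", "low"),
]}

def check_flow(src: str, dst: str) -> str:
    """Classify one observed flow src -> dst as "allowed",
    "crosses-into-technological" (corporate host below SCADA level),
    "skips-level" (non-adjacent levels inside the technological network)
    or "unknown-asset" (host missing from the inventory)."""
    if src not in INVENTORY or dst not in INVENTORY:
        return "unknown-asset"
    lo, hi = sorted((LEVELS[INVENTORY[src].level], LEVELS[INVENTORY[dst].level]))
    if hi == LEVELS["corporate"] and lo < LEVELS["scada"]:
        return "crosses-into-technological"
    if hi - lo > 1:
        return "skips-level"
    return "allowed"

def audit(flows):
    """Return (src, dst, verdict) for every flow that is not allowed."""
    return [(s, d, v) for s, d in flows if (v := check_flow(s, d)) != "allowed"]

# Constructed sample of observed connections, e.g. from a flow collector.
SAMPLE_FLOWS = [
    ("scada-srv", "plc-01"),     # allowed: adjacent levels
    ("hist-gw", "office-pc"),    # allowed: corporate reads the historian at SCADA level
    ("office-pc", "plc-01"),     # corporate workstation talking straight to a PLC
    ("scada-srv", "sensor-t1"),  # SCADA bypassing the PLC level
    ("laptop-x", "plc-01"),      # host that is not in the inventory
]
```

Running `audit(SAMPLE_FLOWS)` reports the last three flows; the unknown-asset verdict is the inventory gap the post describes, and the other two are the segmentation gaps.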
Screening of personnel before granting access to work with ACS TP. NERC CIP and ISA/IEC 62443 have similar requirements, but they have not yet been included in the current version of Order No. 31.
Measures related to the dismissal of staff. Not the most pleasant, but necessary actions, including blocking accounts, changing passwords, etc., are prescribed in ISA-62443-2-1 and NERC CIP. It is said that former investigators are best at destroying evidence, and a former employee of a critical facility (KVO) who knows the process can be far more dangerous than an outsider. In future versions of Order No. 31, I would like to see requirements for measures related to the dismissal of KVO employees.
Overall, despite certain rough edges, the document is in line with the best international standards and practices in the information security of industrial control systems, and in some paragraphs it introduces the most up-to-date requirements, the need for which has only just matured.
A more detailed comparison of the requirements of FSTEC Order No. 31 of March 14, 2014 with similar clauses of the international standards is presented on the Positive Technologies website.