The President signed a decree on the state system for detecting computer attacks, titled "On improving the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation".

In particular, the order lists the requirements that apply to the "technical, software, software and hardware and other means" used to search for signs of computer attacks, detect them, prevent them and eliminate their consequences, as well as to the information exchange systems that subjects must use in the event of a cyber incident. Requirements for the cryptographic means protecting such information are also described.

It is stipulated that user passwords, if used for authentication, must be stored in encrypted form and that users must be prompted to change their passwords.

Other quite standard, but often overlooked, security procedures are prescribed, such as locking a session after a specified idle time, notification of unsuccessful attempts to access the management of GosSOPKA tools, and recording all user actions from the moment of authorization in an electronic log.

For the PPKA tools, the document specifically requires maintaining electronic logs that record their technical condition and protecting those logs against editing and deletion of the information in them.

The document also stipulates the possibility of "regular software self-testing during operation".

In general, the FSB order stipulates in detail every aspect of the functioning of GosSOPKA tools, and, according to experts, there can be no such thing as excessive detail in this case.

GosSOPKA tools are the main protection of the critical information infrastructure of the Russian Federation. Their implementation should be regulated in as much detail as possible, without any ambiguity or possibility of divergent interpretation. The task of the order is to determine the functions and capabilities that must be present in GosSOPKA systems, and also to indicate what should not be there. In any document you can find flaws, but in this case everything looks very clear: the organizations that will deal with the final implementation of GosSOPKA tools have been set a specific framework within which they will have to perform the tasks assigned to them.

Special attention should be paid to the requirement on ensuring the security of information during its exchange with participants in information interaction (the National Coordination Center for Computer Incidents): the cryptographic information protection facilities (CIPF) used in GosSOPKA must be certified in the CIPF certification system.

General requirements for GosSOPKA tools are presented in Sections 2, 8 and 9 of the document under consideration, which respectively define general requirements, requirements for the implementation of security functions, and requirements for building and visualizing reports.

Thus, the requirements listed in Section 2 imply excluding the possibility of GosSOPKA tools being managed by third parties, and of unauthorized transfer of information to such persons. In addition, it is worth paying attention to the requirements for the persons who modernize GosSOPKA tools and provide their technical support: these must be Russian organizations that are not under the control of foreign persons.

In Section 8, the regulator describes in detail the requirements for the security functions that GosSOPKA tools must provide. The requirements are grouped into the following categories:

  • Identification and authentication of users of GosSOPKA tools.
  • Differentiation of access rights to information and GosSOPKA tools.
  • Registration of information security events.
  • Updating the software and service databases of GosSOPKA tools.
  • Backup and restoration of GosSOPKA tools.
  • Control of the software integrity of GosSOPKA tools.
  • Synchronization of network time.

Finally, GosSOPKA tools must provide functionality for visualizing all processed information: information security events, incidents, vulnerabilities, and so on. Such information should be compiled into reports (graphs, tables), either manually or automatically, stored for a specified period and, if necessary, exported and sent to the intended recipients.

"Informzashita" received the right to perform the functions of the center of GosSOPKA for government agencies, legal entities and individual entrepreneurs of Russia

2018

Sberbank subsidiary will connect small business to GosSOPKA

On September 17, 2018, it became known that Sberbank's subsidiary Safe Information Zone (Bizon) will connect small businesses to the state system for protecting against computer attacks (GosSOPKA). Kommersant writes about this with reference to the plan of measures for information security of the national project “Digital Economy”.

Sberbank confirmed to the newspaper its intention to use its experience for the cyber protection of small companies. The credit institution calls Bizon a "visionary" of the Russian cybersecurity market, among whose clients are "the largest companies" in finance, energy, air transportation and other sectors.

Losses of small and medium-sized businesses in Russia from hacker attacks in 2017 amounted to 12 billion rubles, estimates the marketing director of Rostelecom-Solar Valentin Krokhin. Such companies, according to the expert, are much less protected from cybercriminals than big business due to small information security budgets.

The source of the newspaper on the cybersecurity market notes that a large amount of money was poured into Bizon, and now it needs to be recouped somehow.

The FSB has identified a list of information for mandatory sending to GosSOPKA

As it became known on September 10, 2018, the Federal Security Service has identified a list of information that must be sent to the state system for detecting, preventing and eliminating the consequences of computer attacks (GosSOPKA). The order is dated July 24, 2018, but was published only in the first ten days of September.

According to the first appendix to the order of the FSB, information directly or indirectly related to the operation of critical information infrastructure of the Russian Federation should be sent to GosSOPKA.

That is, firstly, this is information about the objects themselves entered in the register of critical infrastructure, as well as about their possible exclusion from this register.

Secondly, this is information about computer incidents affecting the functioning of CII objects, with all available details: date, time and location of the object; the presence of a "causal relationship between a computer incident and a computer attack"; a possible connection with other incidents; the technical parameters of the computer incident and its consequences.

In addition, GosSOPKA should receive information on identified significant violations of the security requirements for significant CII facilities, if they create preconditions for the occurrence of computer incidents.

A separate item is "other information" in the field of detection, prevention and elimination of the consequences of cyber attacks and incident response. It can be provided by both CII entities and other bodies and organizations that are not part of the critical infrastructure of the Russian Federation, including international ones.

The second appendix to the order describes the procedure for providing information to GosSOPKA. In particular, it stipulates that general information from the CII register and information on the results of state control should be sent to the National Coordination Center for Computer Incidents (NCCCI) at least once a month, and no later than one month from the moment the CII object is included in the register of significant objects or excluded from it, its significance category is changed, or an inspection report is drawn up based on the results of state control (if violations are identified).

The format in which the reporting body sends this information is determined by the authorized body itself.

As for information about specific incidents, it should be sent in the formats defined by the NCCCI, using the technical infrastructure of the Coordination Center designed to receive and process incident data.

If a CII facility does not have access to this infrastructure for any reason, the information is sent through another channel, including by post, fax or electronic communication to the addresses or telephone numbers of the NCCCI.

The information should reach the NCCCI no later than 24 hours after the incident was discovered. The NCCCI then has a further 24 hours to notify the CII subject that the information has been received.

"The list of information received by GosSOPKA could be supplemented with the results of past security audits carried out at CII facilities by commercial structures specializing in searching for vulnerabilities in digital infrastructure," said Dmitry Gvozdev, General Director of Information Technologies of the Future. "It would also make sense to regularly enter data into GosSOPKA about which vulnerabilities have been identified in the software used at CII facilities, and which of them have been fixed. This will help with the prevention of computer incidents and cyber attacks."

The full text of the Order of the Federal Security Service of the Russian Federation dated July 24, 2018 No. 367 "On Approval of the List of Information Submitted to the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks on Information Resources of the Russian Federation, and the Procedure for Submitting Information to the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks on Information Resources of the Russian Federation" is available.

The law on the security of the CII of the Russian Federation obliged CII subjects to inform state bodies about cyber incidents

This legal act assigns to the FSB the authority to ensure the operation of the state system for detecting, preventing and eliminating the consequences of computer attacks (GosSOPKA). This refers to computer attacks on information systems, information and telecommunication networks and automated control systems located in Russia itself, as well as in diplomatic missions and consulates.

The decree lists the tasks to be performed by GosSOPKA. These include forecasting the information security situation in the country, ensuring cooperation between telecom operators and owners of information resources in the field of cyber security, monitoring the security of Russian information resources and determining the causes of information security incidents.

In addition to directly ensuring and controlling the functioning of GosSOPKA, the FSB will be engaged in forming and implementing state scientific and technical policy in the field of combating cyber attacks, as well as developing methodological recommendations for their detection, prevention, determination of causes and elimination of consequences.

Positive Technologies and Solar Security undertook the creation of GosSOPKA centers on a turnkey basis

To help Russian organizations solve this problem, Positive Technologies and Solar Security have combined proven Russian products with the experience and expertise of the largest commercial center for monitoring and responding to cyber attacks.

Within the framework of this direction:

  • Positive Technologies provides the customer with the set of technological solutions required to create a GosSOPKA center. It includes products for building information interaction with the main center of GosSOPKA, incident management, security control of the internal infrastructure and perimeter, protection of the organization's critical web services, and detection and blocking of malicious mailings;
  • Solar Security operates these solutions, controls the security of the infrastructure, monitors and responds to information security incidents, and handles interaction with the main center of GosSOPKA;
  • Incident investigation is carried out using the combined expertise of the partners.

The use of this service allows organizations to quickly increase the overall level of security of critical infrastructure, as well as to ensure compliance with the requirements of N 187-FZ and guidelines for the creation of departmental and corporate centers of the GosSOPKA.

Federation Council approves criminal liability for attacks on critical IT infrastructure

On July 19, it became known that the Federation Council approved the law "On the security of critical information infrastructure" developed by the Federal Security Service (FSB) and submitted to the State Duma by the Government in December 2016. The document will enter into force from the beginning of 2018.

The law introduces a classification of objects of critical information infrastructure and involves the creation of a register of such objects, while determining the rights and obligations of both the owners of the objects and the authorities that protect these objects. The body that will be responsible for ensuring the security of the infrastructure has not yet been appointed.

The document also envisages the creation of a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of Russia (GosSOPKA), which will ensure the collection and exchange of information about computer attacks.

Simultaneously with the approval of the law "On the security of the critical information infrastructure of the Russian Federation", the resulting amendments to the laws "On communications", "On state secrets" and "On the protection of the rights of legal entities and individual entrepreneurs in the implementation of state control (supervision) and municipal control", as well as amendments to the Criminal Code of the Russian Federation, were approved. Thus, Chapter 28 of the Criminal Code, "Crimes in the field of computer information", will gain Article 274.1, which provides for punishment for harm caused to objects of critical information infrastructure.

State Duma approved a draft law on the safety of critical infrastructure

The system is already working; in particular, contractors of the recently held football Confederations Cup were connected to it. However, there was still no provision for mandatory connection to the system.

In addition, the President will need to identify an authorized body to ensure the security of critical information infrastructure. The FSB and the Federal Service for Technical and Export Control (FSTEC) will prepare the corresponding decree. Interlocutors of CNews in the information security market believe that the FSB will become such an authorized body.

Critical infrastructure actors

The subjects of the critical information infrastructure will be state organizations, legal entities and individual entrepreneurs who own or lease information systems, information and telecommunication networks and automated control systems from a specific list of industries. The list of affected areas included energy, transport, communications, science, healthcare, the fuel and energy complex, banking and other financial sectors, nuclear energy, defense, rocket and space, mining, metallurgy and chemical industries.

The subjects of critical infrastructure (SCI) will have to create security systems based on the requirements developed by the state. SCI will also have to immediately inform GosSOPKA about computer attacks on them, take the measures indicated by the authorized bodies to repel attacks, and grant the security services access to their facilities.

In the event of an attack on financial sector facilities, it will also be necessary to inform the Central Bank. To coordinate the activities of SCI in repelling computer attacks, the FSB will create a National Coordination Center for Computer Incidents.

The body authorized to ensure the security of critical information infrastructure will maintain the SCI register. This register will collect information for GosSOPKA. When an SCI is entered into the register, its significance category will be determined, from the first to the third. The category will be assigned based on the economic, social, political and environmental significance of the facility, as well as taking into account its importance for defense.

The authorized body will also be able to conduct scheduled and unscheduled inspections of SCI entered in the register.

Criminal punishment for attacks on CII facilities

At the same time, amendments are being made to the Criminal Code to increase the punishment for causing damage to critical information infrastructure (CII). The creation of computer programs deliberately intended for unlawful access to CII facilities will be punishable by forced labor for up to five years with restraint of liberty for up to two years, or imprisonment for a term of two to five years with a fine of 600,000 rubles or more, up to 1 million rubles.

Unlawful access to legally protected computer information stored in CII facilities will be punished with forced labor for up to five years with a fine of 500 thousand to 1 million rubles and restraint of liberty for up to two years, or imprisonment for a term of two to six years with a fine of 500 thousand to 1 million rubles.

Violations of the rules for operating the means of storing, processing and transferring information at CII objects, or of automated control networks and communication networks classified as CII, will be punished by forced labor for up to five years with deprivation of the right to hold certain positions for up to three years, or imprisonment for up to six years with disqualification from holding certain positions for up to three years.

2016

Over the past year, GosSOPKA has emerged from infancy. First, the first public signs appeared: the Center for Detection, Prevention and Elimination of the Consequences of Computer Attacks (KTSOPL) of the Rostec state corporation, the government of the Samara region, the AFK Sistema tender, and the FSO's intention to involve GosSOPKA in the creation and operation of the closed state network RSNet. Secondly, the first document that in some way resembles a guiding document appeared: "Methodological recommendations for the creation of departmental and corporate centers of GosSOPKA".

The main organizational and technical component of the system is the centers for detecting, preventing and eliminating the consequences of computer attacks, which will be subdivided according to territorial and departmental characteristics. In particular, the main center, regional, territorial centers of the system, as well as centers of state bodies and corporate centers will be organized. The functioning of the latter will be provided by the organizations that created them.

The system also includes the National Coordination Center for Computer Incidents, created by the FSB, which organizes and carries out the exchange of information about computer incidents with legal entities that own critical IT infrastructure facilities in the Russian Federation, telecom operators that ensure the interaction of critical IT infrastructure facilities, and foreign government agencies and other organizations working in the area of cyber incident response.

The main functions of the system, as indicated in the concept, are to identify signs of computer attacks, determine their sources and other related information, predict the situation in the field of information security in the Russian Federation, collect and analyze information about computer attacks in relation to information resources of the Russian Federation, implement rapid response measures on attacks and liquidation of their consequences, etc.

Also, within the framework of the system, it is planned to organize interaction with law enforcement and other government agencies, owners of information resources of the Russian Federation, telecom operators and Internet providers at the national and international levels. It will include the exchange of information on detected computer attacks and the exchange of experience in the field of identifying and eliminating software and hardware vulnerabilities and responding to computer incidents.

For the functioning of the system, it is planned to create an appropriate legislative framework, to determine the procedure for recording and exchanging information about computer attacks, the activities of the system's subjects in the field of detecting, preventing and eliminating the consequences of attacks.

Technical problems of GosSOPKA

  • lack of domestic software of many classes, both system-wide (operating systems, database management systems) and applied (for example, software for modeling fields); thus, for example, the Central Bank of the Russian Federation uses 40% foreign-made application software, while foreign databases, operating systems, hardware and software account for 95%;
  • lack of a domestic electronic component base;
  • the practical absence of domestic telecommunications equipment throughout the country;
  • the topology of the country's transport network needs improvement from the point of view of ensuring its survivability.

Possible approaches to the design of GosSOPKA

An approach is possible based on the classification of information assets of organizations according to the degree of their value, importance for ensuring government administration and preserving the knowledge necessary for the country's development. Differentiated requirements for the protection of information assets classified in this way can be established by law, by placing responsibility on the departments themselves in charge of information resources - without involving organizations accredited by the FSTEC of Russia.

In this case, it will be possible to create an arbitrary structure of GosSOPKA (system segments by ministries, departments, organizations, constituent entities of the Russian Federation) and significantly reduce the cost of development, the cost of work (you do not need to create your own software and hardware). Reliability will not be affected - isolating the critical elements of the IT infrastructure will be safer than connecting through trusted means.

An organic drawback of this approach is the isolation of a part of the system, which entails a decrease in the efficiency of the system and inconvenience for users.

An alternative approach is to locate critical infrastructure spots and protect them with trusted means. In this case, the classification of information resources by the degree of their importance is irrelevant, but a domestic software and hardware platform is necessary (or at least highly desirable).

The benefits of the second approach are significant. Firstly, there is no need to isolate system segments, and a single protected information space with "transparent" administration is created. As a result, efficiency increases and control of all processes improves. Secondly, the protection of the entire infrastructure of the country is provided by domestic software and hardware with the highest level of protection.

The payback for these benefits is the high project cost and long development time.

What threats should GosSOPKA confront

The most dangerous are cyber attacks, which are backed by well-organized groups of cybercriminals and / or states. But the cumulative damage done to the economy by multiple, less dangerous attacks can, over time, be seen as a serious threat to the country.

2013

FSB has prepared draft laws on the security of KII

The first of the draft laws defines how the security of critical IT infrastructure is ensured in Russia and establishes the principles for ensuring such activities, as well as the powers of government agencies in this area.

A significant part of critical IT systems is not owned by the state, therefore the bill also provides for "additional burdens" for persons who own such systems as property.

Its authors explain the need for the above law by the fact that the stability of Russia's socio-economic development and its security are directly dependent on the reliability and safety of the functioning of information and communication networks and IT systems, while at the same time there are no existing laws governing relations in the area of critical IT infrastructure security. This, according to the FSB, leads to "inconsistency and insufficient effectiveness of legal regulation in this area."

The second bill defines liability measures for violation of legislation on the security of critical information infrastructure. At the same time, along with disciplinary, civil and administrative law, criminal liability is also provided for violation of the law developed by the FSB.

For example, the FSB proposes to add a fifth part to Article 272 of the Criminal Code ("Illegal access to computer information"), establishing responsibility for illegal access to legally protected computer information that caused damage to the security of critical information infrastructure or created a threat of such damage. The punishment provided for this will be up to 10 years in prison.

The draft law also provides criminal liability for violation of the rules for the operation of storage, processing or transmission of protected computer information or information and telecommunication networks and equipment, as well as for violation of the rules for access to such networks, which caused damage to the security of critical information infrastructure or created a threat of its occurrence. For this, the FSB proposes to punish with imprisonment for up to 7 years.

As planned by the FSB, after being signed by the President, both bills should enter into force in January 2015.

Details of the work on the project from the FSB

The FSB expects that most of the legislative acts concerning the creation and functioning in Russia of a unified state system of protection against computer attacks will be developed and published by the end of 2013, a source in the department told TAdviser on April 12, 2013. He notes that now the FSB is active in this direction.

The architecture of the system itself, according to the source, has not yet been worked out. Most likely, it will use an already existing Russian solution, which will be refined specifically for this project, the interlocutor of TAdviser believes. Then it is planned to deploy this solution at the sites of telecom operators, he adds.

“In Russia, there is no ready-made solution that can fully compete with foreign products like Arbor,” says the interlocutor of TAdviser from the FSB. "And developing such a solution from scratch would take a long time."

The greatest damage to the state is caused by DDoS attacks, a source in the FSB noted in a conversation with TAdviser, therefore a solution suitable for use in the state system for preventing and eliminating the consequences of computer attacks should be especially effective in this area.

The President signed a decree on the creation in Russia of a system for detecting, preventing and eliminating the consequences of computer attacks on information resources located in the country and in diplomatic missions and consular offices of Russia abroad.

Its key tasks, in accordance with the presidential decree, should be forecasting situations in the field of information security, ensuring the interaction of owners of IT resources with telecom operators and other organizations carrying out information protection activities when solving problems related to the detection and elimination of computer attacks. The list of system tasks also includes assessing the degree of security of critical IT infrastructure.

PRESIDENT OF THE RUSSIAN FEDERATION

On improving the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation

In order to improve the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation and in accordance with Article 6 of the Federal Law of July 26, 2017 N 187-FZ "On the security of the critical information infrastructure of the Russian Federation"

I decree:

1. To entrust the Federal Security Service of the Russian Federation with the functions of a federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation - information systems, information and telecommunication networks and automated control systems located on the territory of the Russian Federation, in diplomatic missions and consular offices of the Russian Federation.

2. To establish that the tasks of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation are:

a) forecasting the situation in the field of ensuring the information security of the Russian Federation;

b) ensuring interaction between the owners of information resources of the Russian Federation, telecom operators, and other entities carrying out licensed activities in the field of information security when solving problems related to the detection, prevention and elimination of the consequences of computer attacks;

c) monitoring the degree of protection of information resources of the Russian Federation from computer attacks;

d) establishing the causes of computer incidents related to the functioning of the information resources of the Russian Federation.

3. Establish that the Federal Security Service of the Russian Federation:

a) ensures and controls the functioning of the state system named in paragraph 1 of this Decree;

b) forms and implements, within its powers, the state scientific and technical policy in the field of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation;

c) develops guidelines:

to detect computer attacks on information resources of the Russian Federation;

to prevent and establish the causes of computer incidents related to the functioning of information resources of the Russian Federation, as well as to eliminate the consequences of these incidents.

4. Introduce into clause 9 of the Regulations on the Federal Security Service of the Russian Federation, approved by the Decree of the President of the Russian Federation of August 11, 2003 N 960 "Issues of the Federal Security Service of the Russian Federation" (Collected Legislation of the Russian Federation, 2003, N 33, Art. 3254; 2004, N 28, Art. 2883; 2005, N 36, Art. 3665; N 49, Art. 5200; 2006, N 25, Art. 2699; N 31, Art. 3463; 2007, N 1, Art. 205; N 49, Art. 6133; N 53, Art. 6554; 2008, N 36, Art. 4087; N 43, Art. 4921; N 47, Art. 5431; 2010, N 17, Art. 2054; N 20, Art. 2435; 2011, N 2, Art. 267; N 9, Art. 1222; 2012, N 7, Art. 818; N 8, Art. 993; N 32, Art. 4486; 2013, N 12, Art. 1245; N 26, Art. 3314; N 52, Art. 7137, 7139; 2014, N 10, Art. 1020; N 44, Art. 6041; 2015, N 4, Art. 641; 2016, N 50, Art. 7077; 2017, N 21, Art. 2991), the following changes:

a) subparagraph 20_1 shall be stated in the following edition:

"20_1) within the limits of its authority, develops and approves regulatory and methodological documents on ensuring the information security of information systems created using supercomputer and grid technologies and of information resources of the Russian Federation, and also exercises control over ensuring the information security of these systems and resources;";

b) subparagraph 47 shall be stated in the following edition:

"47) organizes and conducts research in the field of information security, expert cryptographic, engineering-cryptographic and special studies of encryption means, special and closed information and telecommunication systems, information systems created using supercomputer and grid technologies, as well as information resources of the Russian Federation;";

c) subparagraph 49 shall be stated in the following edition:

"49) prepares expert opinions on proposals for work on the creation of special information and telecommunication systems and communication networks and of those protected using encryption (cryptographic) means, information systems created using supercomputer and grid technologies, as well as information resources of the Russian Federation;".

5. To add to the Decree of the President of the Russian Federation of January 15, 2013 N 31c "On the creation of a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation" (Collected Legislation of the Russian Federation, 2013, N 3, Article 178) the following changes:

a) from clause 1 the words "- information systems and information and telecommunication networks located on the territory of the Russian Federation and in diplomatic missions and consular offices of the Russian Federation abroad" shall be deleted;

b) clause 2 and sub-clauses "a" - "e" of clause 3 shall be declared invalid.

President of the Russian Federation
V. Putin

Electronic text of the document
prepared by JSC "Kodeks" and verified by.

"On the security of the critical information infrastructure of the Russian Federation"). In it, continuous interaction between GosSOPKA and critical information infrastructure (CII) facilities, such as healthcare, science, transport, the nuclear industry, energy and others, is declared to be one of the tasks of the CII security system, in addition to ensuring its own security.

Moreover, measures to monitor the regular functioning of IT resources, automated control systems and telecommunications equipment, as well as to identify and predict threats to information security, must be carried out continuously. To address, among other things, the problem of maintaining such continuity with limited human resources, commercial organizations that carry out licensed activities in the field of information security may be involved.

GosSOPKA. General description of the structure

The state system for detecting, preventing and eliminating the consequences of computer attacks is a geographically distributed set of centers (forces and means), organized according to departmental and territorial principles. One of them is the National Computer Incident Coordination Center.

The following regulations were used to create such a system:

  • Decree of the President of the Russian Federation of January 15, 2013 No. 31c;
  • The main directions of state policy in the field of ensuring the safety of automated control systems for production and technological processes of critical infrastructure of the Russian Federation (approved by the President of the Russian Federation on February 3, 2012, No. 803);
  • Concept of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation (No. К 1274 dated December 12, 2014);
  • Federal Law No. 187-FZ of July 26, 2017 "On the Security of the Critical Information Infrastructure of the Russian Federation";
  • Methodological recommendations for the creation of departmental and corporate centers of GosSOPKA from the Center for Information Protection and Special Communications of the Federal Security Service.

Hierarchy of interaction between GosSOPKA centers

GosSOPKA. Stages of creation

Broadly, in the area of CII security, several stages of creating a GosSOPKA segment in an organization can be distinguished:
  • determination of the area of responsibility, the current composition and state of the protected infrastructures, and the "threat model";
  • launching or adapting the tools required to perform the functions of the center;
  • ensuring the execution of GosSOPKA processes;
  • formation and maintenance of up-to-date, detailed information about the information resources located in the area of responsibility of the departmental center;
  • collection and analysis of information on computer attacks and the computer incidents caused by them;
  • carrying out measures to respond promptly to computer attacks and the computer incidents caused by them, as well as to eliminate their consequences in information resources;
  • making management decisions to ensure the information security of information resources;
  • identifying, collecting and analyzing information about vulnerabilities, as well as carrying out measures to assess the security of information resources against computer attacks and virus infections;
  • informing interested persons and subjects of GosSOPKA on issues of detection, prevention and elimination of the consequences of computer attacks;
  • ensuring the protection of data transmitted between the departmental center and the Main Center through channels protected using information security tools certified by the FSB of Russia;
  • provision of additional information on computer incidents in information and telecommunication networks located in the area of responsibility of the departmental center, at the request of the Main Center of GosSOPKA;
  • ensuring interaction with the superior GosSOPKA center on the state of security and emerging incidents.

Structure and main directions of activity of GosSOPKA

An important role in ensuring security is played by departmental centers, whose functions, in addition to ensuring security in their own area of responsibility, include aggregating information about security and ongoing incidents from all subordinate organizations. Their tasks also include analyzing the data obtained, identifying general trends or relevant attack vectors, and passing information about them to lower-level centers.

As a result, the information received about the types of malware and the attack scenarios used allows GosSOPKA, acting as an "information hub", to assess the relevance of those vectors for other connected organizations and, in the information interaction mode, to issue targeted notifications to the subjects of the critical information infrastructure so that they can organize preventive protection.

GosSOPKA. Tasks

Determination of the area of responsibility and state of protection

The initial tasks of creating a segment are very similar to the classic work on any information security project:

  • determination of the list of information systems and infrastructures that require protection (inventory), with those accessible from the Internet listed separately;
  • definition of the threat model (the computer incidents we plan to defend against and to which we plan to respond);
  • determination of the actual capabilities of the current infrastructure to implement protection against the incidents specified in the threat model;
  • determination of the tools and resource (personnel) base that will be required to implement protection.

Despite its apparent simplicity, even the first part of the task, "drawing the perimeter", often turns out to be extremely difficult. Potential GosSOPKA segments are sometimes geographically distributed, highly complex infrastructures, and understanding which Internet access channels exist, what services have appeared on the perimeter over the years of the company's existence, for what purpose and why, is a laborious and complex task.

When building a prototype, it is important to consider what tasks the center will need to solve on a daily basis. They can be divided into four large functional blocks.

1. Management of information security incidents:
a. analysis of security events;
b. detection of computer attacks;
c. registration of incidents;
d. incident response and elimination of consequences;
e. establishing the causes of incidents;
f. analysis of the results of eliminating the consequences of incidents.

2. Analysis of infrastructure security:
a. resource inventory;
b. analysis of information security threats.

3. Work with personnel:
a. advanced training of personnel;
b. receiving messages about possible incidents from personnel.

4. Communication with a superior center.

It should be noted that in terms of both incidents and security analysis, the requirements for a GosSOPKA center are focused primarily on an external attacker, that is, a hacker or cybercriminal. This can be seen, among other things, from the incident categories designated: DDoS, malware, vulnerabilities, scans and brute-force attacks, unauthorized access. For all the complexity and sophistication of current cyber attacks, this makes it possible to determine priorities and tools more accurately.

GosSOPKA Center Toolkit

In order to implement a sufficient level of security and productive interaction with GosSOPKA, it is necessary to prepare a platform in both organizational and technical terms. If one relies on the tasks and types of incidents described in the paragraph above, the toolkit seems quite obvious:

  • active means of protection aimed at countering penetration of the perimeter and antivirus protection of hosts;
  • an attack detection system aimed at recording attempts to exploit vulnerabilities;
  • a DDoS protection system;
  • a vulnerability scanner;
  • an event collection and correlation system (SIEM) for recording scans, brute-force attempts and instances of unauthorized access;
  • a service desk and information interaction system for closed-loop management of incidents and transfer of information to the superior GosSOPKA center.

But it seems so only at first glance. On the one hand, with a small infrastructure, these types of incidents can be recorded without a SIEM. On the other hand, the term "vulnerability" is interpreted quite broadly, including in the current documents. If a possible attack vector can be realized through a vulnerability in a web application published on the Internet, then an intrusion detection system obviously will not help us detect it and react. In this case, vulnerabilities can be identified and closed by establishing a process for controlling vulnerabilities in the program code, or by using overlay protection means such as a Web Application Firewall. Therefore, this issue is currently a point of loose regulation and requires common sense and a practical approach to their own protection from the information security specialists of a particular center.

Center personnel issues and qualification requirements

A rather important question remains unresolved: how should these means of protection be operated in order to effectively ensure the security of CII and the implementation of the processes described above? It is easy to see that the listed tasks and works require significant staff, and significant staff qualifications, to operate. The following is an example of an approach to resource planning for a center.

Role | Functions | Number
Computer attack and incident detection specialist | Analysis of security events, registration of incidents | 6
SOC hardware maintenance specialist | Ensuring the operation of the technical means placed in the SOC, as well as additional means of protecting information systems | 6
Security assessor | Conducting an inventory of information resources, analyzing the identified vulnerabilities and threats, establishing compliance of the measures taken with information security requirements | 2
Specialist in eliminating the consequences of computer incidents | Coordination of actions in response to computer attacks | 2
Specialist in determining the causes of computer incidents | Establishing the causes of incidents, analyzing the consequences of incidents | 2
Methodologist-analyst | Analysis of information provided by first- and second-line specialists; development of regulations and guidelines | 2
Technical expert | Expert support according to specialization (malicious software, configuration of protection means, use of specialized technical means, security assessment, etc.) | 2
Lawyer | SOC regulatory support | 1
Head | SOC management | 1
Two caveats:
  • this table characterizes areas of responsibility, tasks and functions of personnel, not individually allocated roles. Therefore, it is incorrect to add up the numbers in the right column: a methodologist-analyst may well also perform security assessment tasks or serve as head of the center in combination (although this violates the logic of separation of duties somewhat);
  • the quantitative estimates of specialists in each area are not part of the documents but reflect the opinion of the author of the article. In fact, in order to monitor and respond to incidents around the clock (external attacks are not limited to an 8x5 schedule), one way or another a duty shift must be established, which cannot number fewer than six people. At the same time, the personnel stability of the center requires redundancy of competencies: at least two people must have knowledge of security assessment, incident analysis, and so on.

Nevertheless, it can be seen from the above table that the expertise required is very diverse: specialists in the analysis of logs and attacks in the SIEM system, a response team ready to block threats with the active protection tools, developers of new detection scenarios, and more. One way or another, the staff structure of a GosSOPKA center turns out to be quite large and can hardly consist of fewer than ten people.

Naturally, the process side of ensuring security is not left out of the documents and the specified functions of a GosSOPKA center. Detection rules are defined. There must be profiles or playbooks for responding to incidents, and processes for analyzing the effectiveness of the work, including the elimination of incidents. Forecasting of new threats is required. All of this leads us to the idea that the work, functions and tasks of a GosSOPKA center coincide on the main points with the goals, objectives and functionality of a Security Operations Center, which brings the solution of this task closer to a direction that is already current for many companies: launching SOC functions in their own infrastructure.

In conclusion, it should be noted that at the current stage of regulation, the structure of the GosSOPKA requirements is rather unusual. Unlike most Russian regulatory documents, the law refers primarily not to tools and the regulatory and administrative framework, but to the presence of security processes in the organization. This approach automatically creates very significant requirements for the general level of security and for the staffing of a GosSOPKA center, since there are no processes without people. Given the general shortage of cybersecurity specialists, the answer to this challenge may well be a service approach, involving accredited commercial monitoring and incident response centers to solve the labor-intensive and expertise-intensive tasks of ensuring the security of CII.

(Extract)

In order to ensure the information security of the Russian Federation I decree:

1. To entrust the Federal Security Service of the Russian Federation with the authority to create a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation - information systems and information and telecommunication networks located on the territory of the Russian Federation and in diplomatic missions and consular offices of the Russian Federation abroad.

2. To determine the main tasks of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation:

A) forecasting the situation in the field of ensuring the information security of the Russian Federation;

B) ensuring interaction between the owners of information resources of the Russian Federation, telecom operators, and other entities carrying out licensed activities in the field of information security when solving problems related to the detection, prevention and elimination of the consequences of computer attacks;

C) monitoring the degree of protection of the critical information infrastructure of the Russian Federation from computer attacks;

D) establishing the causes of computer incidents related to the functioning of the information resources of the Russian Federation.

3. Establish that the Federal Security Service of the Russian Federation:

A) organizes and carries out work on the creation of the state system named in paragraph 1 of this Decree, monitors the execution of these works, and also ensures the functioning of its elements in cooperation with state bodies;

B) develops a method for detecting computer attacks on information systems and information and telecommunication networks of state bodies and, in agreement with their owners, on other information systems and information and telecommunication networks;

C) determines the procedure for the exchange of information between federal executive bodies on computer incidents related to the functioning of information resources of the Russian Federation;

D) organizes and conducts, in accordance with the legislation of the Russian Federation, measures to assess the degree of protection of the critical information infrastructure of the Russian Federation from computer attacks;

E) determines the procedure for the exchange of information between federal executive bodies and authorized bodies of foreign states (international organizations) about computer incidents related to the operation of information resources, and organizes the exchange of such information.

4. This Decree shall enter into force on the day of its signing.

President of the Russian Federation
V. Putin

Editor's note: the decree was published on

1. The state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation is a single geographically distributed complex, which includes forces and means designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents. For the purposes of this article, the information resources of the Russian Federation are understood as information systems, information and telecommunication networks and automated control systems located on the territory of the Russian Federation, in diplomatic missions and (or) consular offices of the Russian Federation.

2. The forces designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents include:

1) divisions and officials of the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation;

2) an organization created by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, to ensure coordination of the activities of the subjects of critical information infrastructure on the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents (hereinafter referred to as the national coordination center for computer incidents);

3) subdivisions and officials of the subjects of critical information infrastructure that take part in the detection, prevention and elimination of the consequences of computer attacks and in responding to computer incidents.

3. Means for detecting, preventing and eliminating the consequences of computer attacks and responding to computer incidents are technical, software, hardware-and-software and other means for detecting (including for searching for signs of computer attacks in the telecommunication networks used to organize the interaction of critical information infrastructure objects), preventing and eliminating the consequences of computer attacks, and (or) for exchanging the information required by the subjects of critical information infrastructure in the detection, prevention and (or) elimination of the consequences of computer attacks, as well as cryptographic means of protecting such information.

4. The National Coordination Center for Computer Incidents shall carry out its activities in accordance with the regulations approved by the federal executive body authorized to ensure the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation.

5. In the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, the following is collected, accumulated, systematized and analyzed: information that enters this system through the means designed to detect, prevent and eliminate the consequences of computer attacks; information provided by the subjects of critical information infrastructure and by the federal executive body authorized in the field of ensuring the security of the critical information infrastructure of the Russian Federation, in accordance with the list of information and in the manner determined by the federal executive body authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation; as well as information that may be provided by other bodies and organizations that are not subjects of critical information infrastructure, including foreign and international ones.

6. The federal executive body, authorized in the field of ensuring the functioning of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, organizes, in the manner established by it, the exchange of information on computer incidents between subjects of critical information infrastructure, as well as between subjects of critical information infrastructure and authorized bodies of foreign states, international, international non-governmental organizations and foreign organizations that carry out activities in the field of responding to computer incidents.

7. The provision from the state system of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation of information constituting state or other secrets protected by law is carried out in accordance with the legislation of the Russian Federation.