The topic of Digital Transformation draws our attention once again on the issue related to Industrial Cyber Security. More specifically, it draws our attention on Russia, a country where mandatory fulfilments and procedures to get the FSTEC (Federal Service for Technical and Export Control) certification have a strong impact on foreign suppliers of OT systems. In this article you will find a short guideline dedicated to foreign manufacturers to help them find their way in the Russian marketplace.
Industrial Cyber Security in Russia is now going through a more mature stage compared to other countries. A major interest in this topic increased dramatically a few years ago following a famous cyber-attack caused by the Petya and WannaCry viruses, which showed the existence of some weaknesses in Russian commercial security systems, as well as in government security systems. Following this alarm bell, Russian Cyber Security legislation has intervened in a targeted and restricted manner in order to avoid damage in the Russian economy and fix the collapse of industrial businesses which had been weakened by cyber-attacks.
However, the application of legally mandatory requirements and restrictive measures has shown technical and organization issues for foreign manufacturers of OT devices, such as SCADAs and PLCs, hardware and software components addressed to the Russian market. The FSTEC accreditation is a compulsory requirement that certify the conformity of components to Russian Industrial Cyber Security standards.
The Russian Federal Law no. FZ-187and CIF Classification
The Russian Federal Law no. FZ-187 sets up rules for the protection of Critical Infrastructure Facilities (CIF). Under CIF we find governmental bodies and agencies, Russian legal entities and (or) single entrepreneurs who own information systems, information and telecommunication networks, automated management systems operating in many different fields, such as transportation, energy, metallurgy and chemistry.
The authorized body for the execution of the FZ-187 in the Russian Federation is the state-owned company FSTEC, a Federal Service for Technical and Export Control.
Depending on the degree of danger to human health and the environment, and in relation to their political and economic importance, various requirements for usage are imposed to critical infrastructures and components.
According to the Decree no. 127 of the Government of the Russian Federation, components and infrastructures are classified in three assessment levels based on their degree of criticality. The first category represents the maximum level in terms of importance and hazard; for this reason, objects that fall under this category require more robust interventions. The third category includes components or systems with minimum safety requirements.
This categorization is only for manufacturers or main contractors that develop complete infrastructures addressed to Russian end-users. However, every supplier involved in the supply chain shall comply with all technical requirements in relation to the project’s technical specifications.
Two examples of CIF categorizations based on specific sectors are presented in the table below:
|Significance||III Category||II Category||I Category|
|Social (number of deaths)||1-50||51-500||>500|
|Economic (% drop in income)||5-10||11-15||>15|
Other types of damage that may impact categorization are, for example, the unavailability of transport services or communications, as well as the lack of access to public services and violation of defence systems. The CIF category is assigned and registered by FSTEC following the submission of the application form by the facility owner. The latter shall maintain over time the Cyber Security Lifecycle in compliance with Russian Industrial Cyber Security standards.
Protection Measures in compliance with Russian Cyber Security Standards
There are some FSTEC requirements that manufacturers of industrial control systems shall keep in mind in order to examine which critical components can be found in their own systems and shall be compliant with Russian Cyber Security rules.
The list of organizational and technical security measures for significant CIF facilities is included in the order no. 239 of the FSTEC of Russia from December 25, 2017 with reference to the requirements approval to ensure the security of Significant Facilities for the CIF RF.
These requirements are quite rigorous. The protection of significant CIF facilities must be compliant with these requirements, except for non-significant objects where such measures are not applicable.
Among organizational and technical measures for the protection of significant CIF facilities we find some protection measures for industrial control systems, such as:
- Access Control (DAD)
- Protection of computer storage media (ZNI)
- Intrusion Prevention (Computer Attack) (OWL)
- Integrity assurance (OTsL)
- Protection of technical means and systems (ZTS)
The main difference between Russian standards and current regulations in other countries lies in the fact that FSTEC imposes every single component of a control system, hardware and software, which is addressed to the Russian marketplace, to be certified and compliant with safety requirements. Components must pass a conformity evaluation in accordance with the Federal Law No. 184, December 27, 2002 on technical regulation.
Technical assessment includes both compliance certification, in line with the requirements of the EAEU regulations, and any national certification, as indicated in the FSTEC Information Security Registry.
In the next paragraph we will examine the FSTEC Information Security Registry.
The Information Security Registry and FSTEC Process of Certification
To find out about the regulations on the certification of Cyber Security tools in the FSTEC system, consult the content of the FSETC order no. 55.
In general, all hardware and software systems which protect information and are used on critical infrastructure facilities shall be registered in the FSTEC system.
The certification of information security tools is carried out in compliance with the Russian Cyber Security requirements set out by the FSTEC regulatory acts, where all technical specifications, the assigned CIF category and all security tasks agreed between the applicant and FSTEC are also specified.
The certification process in the Russian FSTEC system is conducted by state-owned accredited certification bodies and laboratories. The entire list is available on the official FSTEC Russia website.
The general process of certification in the FSTEC system is structured as follows:
- Submitting the certification application;
- Selecting the Cyber Security OT equipment/software to be certified;
- Carrying out tests to certify the Cyber Security tools;
- Drawing up a report on tests results;
- Developing a project related to the certificate of conformity, and submitting at least a duplicate;
- Labelling the Cyber Security tools;
- Making any changes to the critical items to be approved by the Russian FSTEC.
Subsequently, certificates of conformity will have to be renewed or extended in terms of validity.
Compared to traditional certification processes we find here more restrictions, for instance:
- The program coding must be fully disclosed and transmitted to Russian laboratories.
- The certification application must be validated by the owner of the device/software, while the manufacturer must obtain the permission to certify the equipment.
- All laboratory tests must be carried out inside the territory of the Russian Federation, testing in other countries is not allowed.
Such severe restrictive measures, which were introduced in 2018, are aimed at fostering the domestic market of industrial control and automation systems. For this reason, the certification of foreign OT equipment has become very complex. As of today, not all foreign suppliers are able to send their source software coding to Russian laboratories to allow its registration.
For these reasons, an OT software or hardware manufacturer wishing to establish relations with Russian end-users has to follow certain procedures, as we will examine in the next paragraph.
How to distribute safe OT equipment in Russia
Due to a complex certification process, especially in terms of foreign safety equipment, suppliers of OT technologies have to choose among already certified components that are in compliance with Russian cyber security standards. Otherwise, the complete certification process for each component shall start from the beginning. To check the list of already certified components in the FSTEC registry, please click on this link.
Potential foreign suppliers are therefore highly recommended to get all information from the facility owner, especially to assess whether it is already included in the list of FSTEC, and what CIF category was assigned to the facility.
If this is the case, the most convenient solution for foreign manufacturers is to supply already certified equipment, including software. Otherwise, the supplier shall certify its equipment from scratch, including the disclosure of software coding to Russian state-owned certification bodies and laboratories.
In the specific case of an industrial supply from Europe to the Russian Federation, such as of a machine or a part of an industrial control system to be integrated inside a CIF, the supplier must include in its own contract references to FSTEC and Cyber Security requirements and comply with them. These requirements will have to be described in the purchasing specifications, in relation to the technical Cyber Security standards to be implemented during the design, procurement and manufacturing phases.