Industrial Cyber Security in Russia is Now a Serious Thing

  • August 16, 2019
  • Feature

By Massimiliano Latini, Research and Projects Director, H-ON Consulting 

Industrial Cyber Security in Russia is now at a more mature stage than in other countries. Interest in this topic increased dramatically after the well-known cyber-attacks caused by the Petya and WannaCry viruses. In response to this alarm bell, Russian security legislation has intervened in a restrictive manner to address the collapse of industrial businesses that had been damaged by cyber-attacks. As a result, Cyber Security within the Russian Federation is now subject to the brand new and mandatory FSTEC requirements. This article offers a few tips to help foreign manufacturers find their way in this marketplace and export control and automation systems in compliance with Russian Cyber Security standards.

 

What FSTEC is and what it says about Cyber Security

The FSTEC certification system (Federal Service for Technical and Export Control) is the compulsory requirement introduced in 2018 that, among other things, certifies the conformity of components to Russian Industrial Cyber Security standards. This means that FSTEC certification applies to Operational Technologies and industrial control systems employed within the Russian Federation. FSTEC aims at fostering the domestic market of control and automation systems. For this reason, the mandatory requirements and procedures for obtaining FSTEC certification have a strong impact on foreign suppliers of OT systems.

The certification process in the Russian FSTEC system is conducted by certification bodies and laboratories accredited by FSTEC. Compared to traditional conformity certification processes, it imposes more restrictions, for instance:

  1. The program code must be fully disclosed and transmitted to Russian laboratories.
  2. The certification application must be validated by the owner of the device/software, while the manufacturer must obtain the permission to certify the equipment.
  3. All laboratory tests must be carried out inside the territory of the Russian Federation (testing in other countries is not allowed).

Further, FSTEC requires every security-relevant component of a control system (hardware and software) intended for the Russian marketplace to be certified and compliant with safety requirements. More generally, all hardware and software systems which protect equipment shall be certified and registered in the FSTEC system.

 

How to deal with OT systems addressed to the Russian market

The application of such mandatory requirements and restrictive measures has raised technical and organizational issues for foreign manufacturers of OT devices, SCADAs and PLCs, and of hardware and software components intended to be exported to Russia.

The most convenient solution for foreign manufacturers is to supply already certified equipment, including software. Otherwise, the supplier shall certify its equipment from scratch, including the disclosure of software code to Russian state-owned certification bodies and laboratories. In the specific case of an industrial supply from the US (or Europe) to the Russian Federation, the supplier must include references to FSTEC and Cyber Security requirements in its own contract and comply with them. These requirements will have to be described in the purchasing specifications, in relation to the technical Cyber Security standards to be implemented during the design, procurement and manufacturing phases.

 

About the Author

As Research and Projects Director, Massimiliano Latini utilizes his "what would you do in their shoes" method to find expert solutions and build relationships with customers. His systematic, meticulous, international approach has gained incredible results over the years. His expertise, past and current specialities include: CE Marking, Quality processes, worldwide safety regulations and product compliance.
