''Information technologies have become very interesting for intruders, and they decided to do business on it''
Is it true that Russian industrialists do not adequately assess the risks and leave the issue of cybersecurity ''for later''?
How did the business based on the use of cyber weapons appear? How many viruses appear in the world every day? Can a connected to an active computer call phone stop production or lead to major accidents in an industrial plant? How carefully do Volga Federal District's enterprises comply with the requirements of the newly adopted law ''On protection of critical information infrastructure''? Whether this law will kill part of small businesses? How do Tatarstan enterprises look like against the general background? The answers to these questions were voiced at the joint press conference of Softline and Kaspersky Lab, dedicated to cyber threats. Read the details in the material of Realnoe Vremya.
''Earlier, virus creators just asserted themselves — tried to write a programme, not to harm''
One of the speakers at the press conference dedicated to cyber threats and the protection of the industrial enterprises, held on 11 April, was specialist in protection of Critical Information Infrastructure at Softline group Maksim Prokhorov and head of the separate division of Innopolis Kaspersky Lab Andrey Uzhakov.
First of all, the audience was presented with interesting statistics on how the number and nature of cyber incidents changed. For example, if back in 1994 one new virus appeared hourly, then in 2011 — every second, in 2018 one day accounted for more than 360 thousand new malware. According to Uzhakov, the number of malware is growing exponentially, and now it has reached the point that they are very difficult to handle.
''If we talk about the types of threats, most of them are typical malware, which originates from the appearance of the first computers. At that time, the creators of viruses just asserted themselves — they were trying to write a programme, not to harm. But since a certain point, information technologies have become very interesting for intruders, and they decided to do business on it. Accordingly, there appeared APT attacks (cyber weapons), the share of which is still quite small,'' said the representative of Kaspersky Lab.
According to the statistics, the number of attacked users in Russia in 2018 amounted to 33% (corporate users — 21%), in Tatarstan — 25% (corporate — 16%), in Bashkortostan — 24% (corporate — 16%). At the same time, the share of Automatic Process Control System (APCS), on which malicious objects were detected, about 45% across Russia. For comparison, in Africa this figure reaches 61%.
If we talk about the causes of incidents related to cybersecurity in the industrial sector, then in 64% of cases the usual malware is to blame. The second place in popularity is taken by the attacks of ransomware, then errors or negligence of employees, then — threats on the side of suppliers (for example, in the supply chain or partners). In the last place — sabotage by employees, it occurs only in 5% of cases.
''Enterprises are at different levels of preparedness''
According to Andrey Uzhakov, just three years ago it was enough to protect the host with a simple antivirus to ensure security. Today, the antivirus programme has acquired a huge functionality. ''To protect hosts today is not enough — for example, it is necessary to at least conduct a security analysis that allows employees to see the state of their protection,'' the expert says.
It should be noted that the risks for enterprises are great: from downtime, damage to equipment and data leakage to harm to the environment and human health. If we talk about the risks for the state, the lack of attention to cybersecurity can lead to real social consequences and, of course, reduce defense capability. At the same time, as the speakers themselves admit, often the cybersecurity of industrial networks is something that is left ''for later''.
''From the point of view of IT, there is an IT expert, he has infrastructure, servers, viruses — everything is clear, developed for years, and he fights against it long ago. At the level of APCS it is very difficult to determine the responsible ones. Often the level of the technological segment of the network remains somewhat abandoned due to that each plant within the enterprise has different protection systems, respectively, it is very difficult to control them. Plus, when a person in the workplace put the bar of the product, it is not up to the provision of information security. And it's a daily process that must be followed to avoid incidents,'' says Uzhakov.
At the same time, the error of an ordinary employee can easily lead to at least downtime of the enterprise. For example, on a smartphone through the social network gets malicious, the owner of the gadget decides to connect the phone to a working computer to charge, which is why the system of the enterprise will get a virus without hindrance.
''We often hear the phrase: 'Our corporate segment is separated from the technological, and they do not intersect.' But there was an interesting case during the boom of WannaCry, when we were approached for help and said that the whole production stopped, although WannaCry was originally intended for corporate or home computers. Despite the fact that they have 'all separated', the virus penetrated into the technology segment, and all the equipment stopped. We had to rebuild the entire infrastructure from scratch. Check showed that infection happened due to an external drive that one of employees connected to the computer,'' expert on protection of Critical Information Infrastructure at Softline Maksim Prokhorov told.
Our publication asked experts how Tatarstan enterprises show themselves in terms of information security, but there was no exact answer. ''Products are used, but another thing is that each company is at different levels of preparedness. And at different levels of understanding of the possible consequences,'' said the representative of Kaspersky Lab.
''I would like the law to come into force at the time when the greatest number of threats began to appear in Russia''
In addition to the industrial sector, Critical Information Infrastructure include organizations working in the field of healthcare, transport, science and power engineering. The Federal law ''On security of Critical Information Infrastructure of the Russian Federation'', which entered into force at the beginning of this year, forces to revise the approach to ensuring information security at these facilities.
''Of course, I would like the federal law to come into force at the very time when the greatest number of threats began to appear in Russia. But, considering that it is the law, it has to pass agreement. It would be desirable that it was adopted in 2013-2014, but, actually, still nothing is lost: now subjects of Critical Information Infrastructure need to be grouped and start fulfilling requirements of the federal law,'' Maksim Prokhorov answered the question of Realnoe Vremya.
Under the action of the federal law, there fall state bodies, state institutions, as well as Russian legal entities and sole traders. In the event of an incident with serious consequences due to failure to comply with the requirements of the law, the responsible persons face 10 years in prison. For failure to comply with the requirements for the safety of Critical Information Infrastructure and violation of the rules of operation — up to 6 years in prison. For failure to comply with the requirements of the regulator to eliminate violations of the law — an administrative fine of up to 20,000 rubles.
The Softline representative spoke about the situation with the implementation of the requirements of the law at the enterprises of the Volga Federal District: ''There are not such rosy prospects as we would like. If we take other regions, they approached the federal law more responsibly. But it should be borne in mind that a lot depends on budgeting — it is quite a long process.''
''It is very difficult to assess the cost of fulfilling the requirements of the federal law''
The measures to ensure the requirements of the federal law are extensive: from the categorization of the object of Critical Information Infrastructure (inventory of all processes, threat analysis, comparison with indicators, assigning a category) to ensuring continuous interaction of the object of Critical Information Infrastructure with the GosSOPKA (state system of detection, prevention and elimination of the consequences of computer attacks).
''It is very difficult to estimate or name the order of figures in terms of the cost of fulfilling the requirements of the law, because it all depends on the specific enterprise and the complex of work carried out. Much depends on the field of activity. If we take medicine, they don't have many facilities. In this case, the audit stage or categorization and the formation of the terms of reference, plus the design can cost from 300 thousand to 1 million rubles. If we see that out of these several objects it is necessary to protect, for example, only three, we also select the solution,'' the representative of Softline told.
As mentioned above, the subjects of Critical Information Infrastructure are, among other things, individual entrepreneurs. Hence the quite natural question: will the requirements of the federal law to ensure information security ruin the already overloaded Russian business ruin?
The speakers of the event agreed that under the definition of Critical Information Infrastructure there falls not so much Individual Entrepreneur, but those who are still ''lucky'' should be aware of their responsibility. As an example, the medical case was again given: if personal data leak from a private clinic or an x-ray machine is hacked, the consequences will be extremely serious.
The assumption that because of the federal law small businesses will begin to abandon the automation of processes was immediately denied by experts. So, according to Maksim Prokhorov, if the manufacturer ''returns to the sledgehammer and shovel, he will simply be uncompetitive in the market, and his business will live only a few months.''