THE ORDER OF THE FEDERAL SERVICE OF THE RUSSIAN FEDERATION ON ENGINEERING AND EXPORT SUPERVISION

of March 14, 2014 No. 31

About approval of Requirements to ensuring information security in automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, and also the objects posing the increased hazard to life and human health and for the surrounding environment

According to the Regulations on the Federal Service for Technical and Export Control approved by the Presidential decree of the Russian Federation of August 16, 2004 No. 1085 (The Russian Federation Code, 2004, No. 34, Art. 3541; 2006, No. 49, Art. 5192; 2008, No. 43, Art. 4921; No. 47, Art. 5431; 2012, No. 7, Art. 818; 2013, No. 26, Art. 3314; to No. 52, of the Art. 7137), I order:

Approve the enclosed Requirements to ensuring information security in automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, and also the objects posing the increased hazard to life and human health and for the surrounding environment.

Approved by the Order of Federal Service for Technical and Export Control of Russia of March 14, 2014, No. 31

Requirements to ensuring information security in automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, and also the objects posing the increased hazard to life and human health and for the surrounding environment

I. General provisions

1. Requirements to ensuring information security which processing is performed by automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, objects posing the increased hazard to life and human health and for the surrounding environment (further - automated control systems), from illegal access, destruction, modifying, blocking, copying, provision, distribution, and also other wrongful acts concerning such information, including from destructive information impacts (the computer attacks) which consequence violation of functioning of automated control system can turn out to be are hereunder established.

Safety of the automated control systems which are significant objects of critical information infrastructure of the Russian Federation is performed according to the Safety requirements of significant objects of critical information infrastructure of the Russian Federation approved by the order of the Federal Service for Technical and Export Control of December 25, 2017 No. 239, and also the Requirements to creation of security systems of significant objects of critical information infrastructure of the Russian Federation and ensuring their functioning approved by the order of the Federal Service for Technical and Export Control of December 21, 2017 No. 235 (registration No. 50118) is registered by the Ministry of Justice of the Russian Federation on February 22, 2018.

These Requirements are applied in case of acceptance by the owner of automated control system of the decision on ensuring information security which processing is performed by this system and which violation of safety can lead to violation of functioning of automated control system.

In case of need application of cryptographic methods of information security and the cryptographic (cryptographic) means of information protection is performed in accordance with the legislation of the Russian Federation.

2. These Requirements are aimed at providing functioning of automated control system in the normal mode in case of which observance of project limits of parameter values of accomplishment of criterion functions of automated control system in the conditions of impact of safety hazards of information is provided, and also on decrease in risks of illegal intervention in processes of functioning of automated control systems of the crucial objects, potentially dangerous objects, objects posing the increased hazard to life and human health and for the surrounding environment, including hazardous production facilities (further - the managed (controlled) objects) which safety is ensured in accordance with the legislation of the Russian Federation about safety of objects of fuel and energy complex, about transport safety, about use of atomic energy, about industrial safety of hazardous production facilities, about safety of hydraulic engineering constructions and other legal acts of the Russian Federation.

3. Action of these requirements extends to the automated control systems providing control and management of processing and (or) production equipment (actuation mechanisms) and implemented on it technological and (or) production processes (including systems of dispatching management, system of collection (transfer) of data, the systems constructed on the basis of programmable logical controllers, distributed control systems, management systems by machines with numerical control).

4. These Requirements are intended for persons establishing requirements to information security in automated control systems (further - the customer), persons providing operation of automated control systems (further - the operator), and also persons involved in accordance with the legislation of the Russian Federation in work on creation (designing) of automated control systems and (or) their systems of protection (further - developer).

5. When processing in automated control system of information which is the state secret, its protection is provided in accordance with the legislation of the Russian Federation about the state secret.

6. Information security in automated control system is provided by accomplishment by the customer, operator and developer of requirements to the organization of information security in automated control system and requirements to information measures of protection in automated control system.

II. Requirements to the organization of information security in automated control system

7. The automated control system, as a rule, has multi-level structure:

level of operator (dispatching) management (top level);

level of automatic control (average level);

level of input (conclusion) of data, actuation mechanisms (lower (field) level).

The automated control system can include:

a) at the level of operator (dispatching) management:

operator (dispatching offices), the engineering automated workplaces, industrial servers (SCADA servers) with established on them system-wide and application software, the telecommunication equipment (switches, routers, firewalls, other equipment), and also communication channels;

b) at the level of automatic control:

the programmable logical controllers, other technical means with the established software obtaining the data from the lower (field) level transferring data to the top level for decision making on management of object and (or) process and forming managing teams (managing (command) information) for actuation mechanisms and also industrial data transmission network;

c) at the level of input (conclusion) of these (actuation mechanisms):

sensors, executive mechanisms, other hardware devices with the microprograms and machine controllers established in them.

The number of levels of automated control system and its structure on each of levels depends on purpose of automated control system and the criterion functions which are carried out by it. At each level of automated control system on functional, territorial or other signs additional segments can be allocated.

In automated control system for subjects to protection are:

information (data) on parameters (condition) of the managed (controlled) object or process (input (output) information, managing (command) information, control and measuring information, other crucial (technological) information);

the software and hardware complex which is turning on technical means (including the automated workplaces, industrial servers, the telecommunication equipment, communication channels, programmable logical controllers, actuation mechanisms), the software (including microprogram, system-wide, applied), and also means of information protection.

8. Information security in automated control system is component of works on creation (upgrade) and operation of automated control system and is provided at all stages (stages) of its creation and during operation.

Information security in automated control system is reached by acceptance within system of protection of automated control system of set of the organizational and technical measures of protection of information directed to blocking (neutralization) of safety hazards of information which realization can lead to violation of the normal mode of functioning of automated control system and the managed (controlled) object and (or) process, on localization and minimization of effects from possible realization of safety hazards of information, recovery of the normal mode of functioning of automated control system in case of realization of safety hazards of information.

The taken organizational and technical measures of protection of information:

shall provide availability of information (exception of illegal blocking of information) processed in automated control system, its integrity (exception of illegal destruction, modifying of information), and also, if necessary, confidentiality (exception of illegal access, copying, provision or distribution of information);

shall correspond to measures for industrial, physical, fire, ecological, radiation safety, other measures for safety of automated control system and the managed (controlled) object and (or) process;

shall not exert negative impact on the normal mode of functioning of automated control system.

9. Work on information security according to these Requirements during creation (upgrade) and operation of automated control system is performed by the customer, the operator and (or) the developer independently and (or) if necessary with involvement in accordance with the legislation of the Russian Federation of the organizations having the license for activities for technical protection of confidential information according to the Federal Law of May 4, 2011 No. 99-FZ "About licensing of separate types of activity" (The Russian Federation Code, 2011, No. 19, Art. 2716; No. 30, Art. 4590; No. 43, Art. 5971; No. 48, Art. 6728; 2012, No. 26, Art. 3446; No. 31, Art. 4322; 2013, No. 9, Art. 874; No. 27, Art. 3477).

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info