Ruslan Rakhmetov, Security Vision
In early autumn, Federal Law No. 266-FZ dated 14.07.2022 comes into force, aimed at strengthening the protection of citizens' personal data. The law significantly increases the liability of personal data operators and imposes a number of new obligations on them, including informing the Federal Security Service of Russia (FSB) about computer incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data, as well as ensuring interaction with GOSSOPKA, the state system for detecting, preventing and eliminating the consequences of computer attacks.
Interaction with GOSSOPKA has already been mandatory for critical information infrastructure (CII) subjects for several years.
Information exchange between an organisation and GOSSOPKA can be carried out either by connecting the organisation to the technical infrastructure of the National Computer Incident Coordination Centre (NCCI) or by post, fax or electronic communication. The first option is clearly preferable. Automating the information exchange with GOSSOPKA, reporting information security incidents on time and receiving security bulletins make it possible both to fulfil regulatory requirements and to modernise the organisation's own process of handling information security threats.
The NCCI interaction module of the Security Vision 5 platform is a reliable means of solving this task. It has been developed in accordance with the NCCI regulations and allows prompt two-way exchange of information on information security incidents and threats.
1 GOSSOPKA and NCCI
GOSSOPKA is the state system for detecting, preventing and eliminating the consequences of computer attacks on the critical information infrastructure of the Russian Federation. It is a hierarchy of interacting state and commercial centres that continuously share information on recorded incidents and on ways to counter them. The key tasks of GOSSOPKA are forecasting the information security situation and ensuring interaction between owners of IT resources, telecom operators and other organisations engaged in information protection when detecting and eliminating computer attacks. The system's tasks also include assessing the degree of protection of critical IT infrastructure against computer attacks and determining the causes of such incidents.
The main link in the GOSSOPKA hierarchy, and the 'single window' through which organisations interact with GOSSOPKA in case of incidents, is the National Computer Incident Coordination Centre (NCCI), which is operated by the Federal Security Service of Russia. The NCCI performs the following main functions:
- Coordinates and participates in response activities
- Organises the exchange of information on computer incidents between CII subjects
- Provides methodological support on detecting, preventing and eliminating the consequences of computer attacks, as well as on responding to computer incidents
- Directly participates in detecting, preventing and eliminating the consequences of computer attacks
- Informs CII subjects in a timely manner about threats and about methods of detecting and preventing them
- Collects, stores and analyses information on computer incidents and attacks
- Ensures the functioning, operation and development of its own technical infrastructure
Interaction with GOSSOPKA is regulated by a number of legal acts, such as:
- Federal Law No. 187-FZ dated 26.07.2017 'On the Security of Critical Information Infrastructure of the Russian Federation'
- Order of the FSTEC of Russia No. 235 dated 21.12.2017 'On Approval of Requirements for Establishing Security Systems for Significant Objects of the Critical Information Infrastructure of the Russian Federation and Ensuring Their Operation'
- Order of the FSTEC of Russia No. 239 dated 25.12.2017 'On Approval of the Requirements for Ensuring Security of Significant Objects of the Critical Information Infrastructure of the Russian Federation'
- Order of the Federal Security Service of Russia No. 367 dated 24.07.2018 'On Approval of the List of Information Submitted to the State System of Detection, Prevention and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation and the Procedure for Submission of Information to the State System of Detection, Prevention and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation'
- Order of the Federal Security Service of Russia No. 282 dated 19.06.2019 'On Approval of the Procedure for Informing the Federal Security Service of Russia about Computer Incidents, Responding to Them, and Taking Measures to Eliminate the Consequences of Computer Attacks Conducted against Significant Objects of the Critical Information Infrastructure of the Russian Federation'
Pursuant to 266-FZ, from 01.09.2022 personal data operators are obliged to ensure interaction with GOSSOPKA in accordance with the procedure determined by the Federal Security Service of Russia, and to inform the Federal Security Service of Russia about computer incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data; the Federal Security Service of Russia then passes this information on to Roskomnadzor.
In addition, from the moment a personal data incident is detected, i.e. the fact of an unlawful or accidental transfer (provision, distribution, access) of personal data that resulted in a violation of the rights of personal data subjects, the personal data operator must notify Roskomnadzor:
- within 24 hours: of the incident that occurred, of the suspected causes that led to the violation of the rights of personal data subjects, of the suspected harm caused to those rights, and of the measures taken to eliminate the consequences of the incident;
- within 72 hours: of the results of the internal investigation of the detected incident, including information on the persons whose actions caused it.
According to 266-FZ, starting from 01.03.2023 Roskomnadzor will keep a register of personal data incidents, determine the procedure and time limits for interaction with personal data operators within the framework of that register, and transfer the information to the Federal Security Service of Russia.
The exchange of information with GOSSOPKA is no less relevant for critical information infrastructure (CII) subjects. CII comprises information systems, information and telecommunication networks and automated control systems of CII subjects, as well as the telecommunication networks used to organise their interaction. CII subjects, in turn, are companies operating in areas of strategic importance for the state, such as healthcare, science, transport, communications, energy, banking, the fuel and energy complex, nuclear energy, defence, the missile and space industry, and the mining, metallurgical and chemical industries, as well as organisations that ensure the interaction of CII systems or networks. GOSSOPKA is, in essence, an aggregator of information on computer incidents and threats to the security of the information assets of CII subjects, which in turn allows proactive response and prompt measures to prevent damage to CII facilities of the Russian Federation.
Thus, interaction with GOSSOPKA is mandatory for many public authorities and private companies.
2 The NCCI interaction module
Below we describe in more detail the main capabilities provided by the NCCI interaction module of the Security Vision 5 platform and the technical aspects of their implementation.
2.1 Receiving notifications
Notifications about threats and vulnerabilities (Figures 1 and 2) are received from the NCCI portal automatically according to customisable schedules (Figure 3).
Figure 1 - Received threat notification
Figure 2 - Received vulnerability notification
Figure 3 - Security threat notification schedule settings
2.2 Sending notifications
Notifications about incidents, attacks and vulnerabilities are sent from the Security Vision platform through a separate entity called 'Send to NCCI'; its card is shown in Figures 4-6.
Figure 4 - Basic Information tab of the card created for sending a computer incident notification
Figure 5 - General Information tab of the monitored resource
Figure 6 - Tab with information about the location of the monitored resource
Depending on the selected category and type of information security event, the card offers the corresponding sets of additional fields in the Technical Information and Basic Information tabs (Figure 7).
Figure 7 - Additional fields to be filled in on the Technical Information tab for a malware infection computer incident
The 'Send to NCCI' card also makes it possible to receive and send comments on the corresponding notifications; an example is shown in Figure 8.
Figure 8 - Comments tab in the card of a sent computer attack notification
A 'History' tab is also available, reflecting all changes to the card data over its lifetime in the system (Figure 9).
Figure 9 - History tab