Implementation of the requirement to ensure the security of critical information infrastructure through automation

09.04.2026

Yuri Podgorbunsky, Security Vision

Introduction

The requirements for the security of critical information infrastructure (hereinafter referred to as CII) are established by Federal Law No. 187-FZ dated July 26, 2017 "On the Security of Critical Information Infrastructure of the Russian Federation" (hereinafter referred to as the Federal Law).


The purpose of the Federal Law is to establish security requirements to ensure the stable functioning of the CII when conducting computer attacks against it.

Basic concepts

A computer attack is a targeted impact by software and (or) hardware-and-software tools on CII objects, or on the telecommunication networks used to organize the interaction of such objects, aimed at disrupting and (or) terminating their operation and (or) creating a threat to the security of the information processed by such objects.


A computer incident is the fact of a disruption and (or) termination of the operation of a CII object or of a telecommunication network used to organize the interaction of such objects, and (or) a breach of the security of the information processed by such an object, including as a result of a computer attack.


The remaining basic concepts in the article will be discussed sequentially below. 

What exactly is CII?

In general, CII consists of CII objects (facilities), together with the telecommunication networks (networks of telecom operators) used for the interaction of such objects.


The CII objects themselves are the following systems and networks:

• information systems (hereinafter referred to as IS);

• automated control systems (hereinafter referred to as ACS);

• information and telecommunication networks (hereinafter referred to as ITCS).


By themselves, however, the systems and networks listed above do not become CII objects. A second component is required: the organization must operate in one of a defined set of fields of activity (the list of fields is given below).


The Federal Law defines the following principles for ensuring the security of CII:

• legality (as a rule, this is satisfied by default);

• continuity of CII security (continuity means that cybersecurity processes are implemented and continuously improved);

• and, as the priority, prevention of computer attacks.

Basic requirements

The main requirements of the Federal Law are:

  • categorization of CII objects, a procedure in which a CII object is assigned one of the categories of significance or it is decided that no category needs to be assigned (the categorization procedure is discussed below);
  • informing the National Computer Incident Coordination Center (hereinafter referred to as the NCCC) about computer attacks and computer incidents;
  • responding to computer incidents and taking measures to eliminate the consequences of computer attacks carried out against significant CII objects;
  • the use of trusted software and hardware at significant CII objects;
  • compliance with the requirements for ensuring the security of significant CII objects established by FSTEC Orders No. 235 and No. 239, etc. (to be discussed in the following articles);
  • continuous interaction with the GosSOPKA infrastructure in accordance with the procedure established by the FSB of Russia.

Explanations of the above requirements

Some explanations are still needed, because a great deal is often hidden behind a single word or abbreviation. I would highlight the following:


The NCCC is an integral part of the forces of the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks on Information Resources of the Russian Federation (hereinafter referred to as GosSOPKA).


The main task of the NCCC is to coordinate the activities of CII subjects in detecting, preventing and eliminating the consequences of computer attacks and in responding to computer incidents.


GosSOPKA is a single geographically distributed complex that includes forces and facilities designed to detect, prevent, and eliminate the consequences of computer attacks and respond to computer incidents.


In turn, the subjects of the CII are state organizations and enterprises, as well as legal entities, operating in the fields of:

  • healthcare;
  • science;
  • transport;
  • communications;
  • energy;
  • state registration of rights to real estate and transactions with it;
  • banking and other areas of the financial market;
  • the fuel and energy complex;
  • atomic energy;
  • defense;
  • the rocket and space industry;
  • the mining industry;
  • the metallurgical industry;
  • the chemical industry,

and to whom CII objects belong by right of ownership or lease.


If an organization operates in any of the above-mentioned fields of activity and it has an IS, ACS, or ITCS, it is a subject of the CII.


A significant CII object is an object that has been assigned one of the significance categories.

Categorizing CII objects

The federal law requires the categorization of CII objects, which must be carried out in accordance with the Decree of the Government of the Russian Federation dated 08.02.2018 No. 127 "On Approval of the Rules for Categorizing objects of the Critical Information Infrastructure of the Russian Federation, as well as the list of indicators of criteria for the significance of objects of the critical information infrastructure of the Russian Federation and their values".


CII objects are categorized by the CII subject (organization) that owns or leases the CII objects (IS, ACS, ITCS).


CII objects corresponding to the types of IS, automated control systems, and ITCS included in the lists of typical CII industry objects are subject to categorization.


The lists of typical CII industry facilities were created to systematize the types of CII facilities and are grouped by field of activity (hereinafter referred to as the lists of typical CII facilities).


The categorization includes the following:

  • identification of IS, ACS, and ITCS corresponding to the typical CII objects included in the lists of typical CII objects;
  • assessment of compliance with a list of indicators of criteria for the significance of the scale of possible consequences in the event of computer incidents at CII facilities;
  • assigning one of the significance categories to each of the CII objects or deciding that there is no need to assign one of the significance categories to them.

 

There are three categories of significance that can be assigned to CII objects:

  • the first one (the highest, and accordingly, more requirements and security measures are used);
  • the second;
  • the third (the lowest, with fewer requirements and measures – the basic level of security).

 

To carry out the categorization of CII objects, a permanent categorization commission (hereinafter referred to as the categorization commission) should be established, which should at least include:

  • the head of the organization or a person authorized by him;
  • employees who are specialists in the field of functions performed or activities carried out;
  • employees of the operating units;
  • employees who are responsible for ensuring the safety of CII facilities.

 

The Categorization Commission in the course of its work:

  • identifies CII objects corresponding to the typical ones included in the lists of typical CII objects;
  • considers possible actions of violators in relation to CII facilities, as well as other sources of information security threats;
  • analyzes information security threats that may lead to computer incidents at CII facilities;
  • evaluates, in accordance with the list of indicators of significance criteria, as well as taking into account industry-specific categorization, the scale of possible consequences in the event of computer incidents at CII facilities, determines the values of each of the indicators of significance criteria or justifies their inapplicability;
  • sets one of the significance categories for each CII object or decides that there is no need to assign significance categories to them.

Additions and explanations

When considering violators and threats to information security, the commission should consider the worst-case scenarios for computer attacks on CII facilities, which result in disruption or termination of the operation of CII facilities.


The list of indicators of criteria for the significance of CII objects of the Russian Federation and their values covers the following areas of significance in which damage may be caused:

  • social;
  • political;
  • economic;
  • environmental;
  • national defense, state security and law and order.

In each of the above-mentioned areas (in relation to a specific organization), indicators and corresponding indicator values are evaluated, based on which the category of significance for the CII facility is determined in the event of a violation and termination of the operation of this facility.

Categorization results

The decision of the categorization commission is formalized by an act that must contain information about the CII object, as well as information about the assignment of a certain category of significance to the CII object or about the absence of the need to assign it one of such categories.


The act is signed by the members of the categorization commission and approved by the head of the organization or a person authorized by him.


Within 10 days from the date of approval of the act of categorization, the organization sends to the FSTEC of Russia, in the prescribed form, information on the results of assigning a CII object to one of the categories of significance or on the absence of the need to assign one of such categories to it (hereinafter referred to as information on the results of categorizing a CII object).


The form for information on the results of categorization of a CII object was approved by Order of the FSTEC of Russia dated 22.12.2017 No. 236 "On approval of the form for sending information on the results of assigning a critical information infrastructure object to one of the categories of significance or on the absence of the need to assign it one of such categories" and includes the following:

  • information about the CII object;
  • information about the CII subject (organization) that owns or leases the CII object;
  • information about the interaction of the CII object with telecommunication networks;
  • information about the person operating the CII object;
  • information about the software and hardware used at the CII object;
  • information about information security threats and categories of violators in relation to the CII object;
  • possible consequences of computer incidents at the CII object;
  • the category of significance assigned to the CII object, or the absence of the need to assign a category;
  • organizational and technical measures taken to ensure the security of the CII object;
  • domain names and network addresses of the CII object, if it is connected to public networks.


If, as a result of categorization, a CII object is assigned one of the significance categories, that CII object becomes significant (once the FSTEC of Russia has added it to the register of significant objects). Otherwise no category is assigned, and the CII object has no significance category.

How can automation help you meet security requirements?

Taking into account the growing security requirements from regulators (FSTEC of Russia, etc.), the increasing number and complexity of cyber attacks on CII emanating from violators, automation of information security processes has already become a necessity. I will give examples of the implementation of the requirements mentioned above using automation systems.


The categorization of CII objects (the procedure was discussed above) can be automated using Security Vision CII:

  • formation of CII objects;
  • carrying out categorization with automatic calculation of the category of significance of the CII object;
  • generating information about the results of the CII object categorization (more details are provided below);
  • formation of the act of categorizing the object of the CII.


As for informing about computer incidents, as well as continuous interaction with the GosSOPKA infrastructure, these can be automated using the Security Vision GosSOPKA system (hereinafter referred to as the module), which provides operational two-way information exchange:

  • notification of information security incidents;
  • receiving reports of suspected incidents involving the organization's controlled resources;
  • receiving operational bulletins about threats and vulnerabilities from the regulator.


The interaction module has been developed taking into account the regulations of the NCCC. The main method of data transfer is integration with the subject's personal account through the Application Programming Interface (API); this integration is precisely what provides the continuous interaction.

To implement the requirement to respond to computer incidents and take measures to eliminate the consequences of computer attacks, however, it is necessary in today's reality to act very quickly, because any delay gives violators the opportunity to cause the greatest damage to the organization. Here it is possible and necessary to use automation tools for responding to computer incidents, for example Security Vision SOAR, which operates in automatic and automated modes:


• receiving an incident from the Security Vision SIEM;
• incident enrichment (from analytical services, sigma rules, etc.);
• incident classification and analysis (MITRE ATT&CK, Kill Chain, host casts, digital certificates);
• blocking and isolation (of accounts, hosts, malicious URL/Email domains);
• responding based on predefined actions for hosts, accounts, etc.;
• returning compromised objects to their original state.

And what's next?

Significant CII objects are subject to security requirements: creating a security system for significant CII objects, ensuring the security of significant CII objects, modeling information security threats, etc., which will be discussed in the following articles. As for CII objects without a significance category, certain general security requirements for CII objects apply regardless of significance, but beyond those the CII subject itself decides which protection measures to implement.
